Launch Ubuntu images on Azure

This documentation is based on the official Azure documentation for creating Linux virtual machines with the Azure CLI.

Prerequisites

Launch an Ubuntu image

To launch an Ubuntu image, you’ll need to create a resource group and a virtual machine using the selected image.

Create a resource group

Define variables to set the resource group name and location for deployment:

RESOURCE_GROUP_NAME="ubuntu-vm-rg"
LOCATION="eastus"

Create a resource group using the group create command:

az group create \
    -n $RESOURCE_GROUP_NAME \
    -l $LOCATION

Create a Virtual Machine

Create a virtual machine using the vm create command.

Depending on the type of Ubuntu image selected, additional arguments may be required to correctly launch the image. However, most Ubuntu images can be launched with the default arguments:

az vm create \
    --name $VIRTUAL_MACHINE_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --image $UBUNTU_IMAGE_URN \
    --generate-ssh-keys

If you want to launch images with security features enabled, refer to the following sections.

With Trusted Launch

All Ubuntu images from Ubuntu 20.04 LTS (Focal Fossa) forward support Trusted Launch on Hyper-V Gen2 SKUs. Example definitions of Ubuntu image URNs for Hyper-V Gen2 include:

UBUNTU_IMAGE_URN="Canonical:ubuntu-24_04-lts:server:latest"
# or
UBUNTU_IMAGE_URN="Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest"

Define the variables to set the security type:

SECURITY_TYPE=TrustedLaunch

Create the virtual machine:

az vm create \
    --name $VIRTUAL_MACHINE_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --image $UBUNTU_IMAGE_URN \
    --security-type $SECURITY_TYPE \
    --generate-ssh-keys

With Confidential VM

Select one of the two URNs for Ubuntu images which support CVM on Azure:

UBUNTU_IMAGE_URN="Canonical:ubuntu-24_04-lts:cvm:latest"
# or
UBUNTU_IMAGE_URN="Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest"

Define variables to set the security type and encryption type:

SECURITY_TYPE=ConfidentialVm
OS_ENCRYPTION_TYPE=DiskWithVMGuestState

Select a virtual machine size which supports CVM on Azure. Note that not all regions will contain the selected virtual machine size, and you may need to specify the region if your default region does not have the selected size:

VM_SIZE=Standard_DC2as_v5

# Standard_DC2as_v5 is available in eastus
LOCATION=eastus

Create the virtual machine:

az vm create \
    --name $VIRTUAL_MACHINE_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --image $UBUNTU_IMAGE_URN \
    --security-type $SECURITY_TYPE \
    --os-disk-security-encryption-type $OS_ENCRYPTION_TYPE \
    --size $VM_SIZE \
    --location $LOCATION \
    --generate-ssh-keys

With Ubuntu Pro

To tackle vulnerabilities related to the guest OS and the internal software stack, you can use Ubuntu Pro by adding UBUNTU_PRO as the license-type of the OS. For instance, create a Confidential VM with Ubuntu Pro using:

az vm create \
     --name $VIRTUAL_MACHINE_NAME \
     --resource-group $RESOURCE_GROUP_NAME \
     --image $UBUNTU_IMAGE_URN \
     --security-type $SECURITY_TYPE \
     --os-disk-security-encryption-type $OS_ENCRYPTION_TYPE \
     --size $VM_SIZE \
     --location $LOCATION \
     --generate-ssh-keys \
     --license-type UBUNTU_PRO

For more information on Ubuntu Pro and how to get it, refer to Get Ubuntu Pro on Azure.