CHR: Installing on Microsoft Azure
RouterOS CHR can be deployed on Microsoft Azure by uploading the MikroTik VHD disk image and creating a virtual machine from it. Azure does not currently list CHR in the Azure Marketplace, so manual image upload is required.
Prerequisites
- Azure account with an active subscription
- az CLI installed and logged in (az login)
- Resource group created in your target region
Step 1: Download the CHR Image
Azure uses VHD images. MikroTik provides a VHDX image, which must be converted to fixed-size VHD format:

```bash
# Download MikroTik CHR VHDX
wget https://download.mikrotik.com/routeros/7.x/chr-7.x.vhdx

# Convert VHDX to fixed-size VHD (Azure requirement)
qemu-img convert -f vhdx -O vpc -o subformat=fixed chr-7.x.vhdx chr-7.x.vhd
```

Azure requires fixed-size VHD format (not dynamic). Dynamic VHDs will be rejected during upload. Use subformat=fixed with qemu-img.
Step 2: Create Azure Resources
```bash
# Set variables
RESOURCE_GROUP="chr-resources"
LOCATION="eastus"
STORAGE_ACCOUNT="chrimagestorage$RANDOM"
CONTAINER="vhds"
VHD_NAME="chr-7.x.vhd"

# Create resource group
az group create --name "$RESOURCE_GROUP" --location "$LOCATION"

# Create storage account for VHD upload
az storage account create \
  --name "$STORAGE_ACCOUNT" \
  --resource-group "$RESOURCE_GROUP" \
  --location "$LOCATION" \
  --sku Standard_LRS

# Create blob container
az storage container create \
  --name "$CONTAINER" \
  --account-name "$STORAGE_ACCOUNT"
```

Step 3: Upload the VHD
```bash
# Get storage account key
STORAGE_KEY=$(az storage account keys list \
  --resource-group "$RESOURCE_GROUP" \
  --account-name "$STORAGE_ACCOUNT" \
  --query '[0].value' -o tsv)

# Upload VHD to blob storage
az storage blob upload \
  --account-name "$STORAGE_ACCOUNT" \
  --account-key "$STORAGE_KEY" \
  --container-name "$CONTAINER" \
  --name "$VHD_NAME" \
  --file chr-7.x.vhd \
  --type page
```

Step 4: Create a Managed Disk from the VHD
```bash
# Get the VHD blob URI
VHD_URI=$(az storage blob url \
  --account-name "$STORAGE_ACCOUNT" \
  --container-name "$CONTAINER" \
  --name "$VHD_NAME" \
  --output tsv)

# Create a managed disk from the VHD
az disk create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-os-disk \
  --location "$LOCATION" \
  --source "$VHD_URI" \
  --os-type Linux \
  --hyper-v-generation V1
```

Step 5: Create the Virtual Machine
```bash
# Create VM from the managed disk
# The NIC chr-nic must already exist; create it first as shown in the next section
az vm create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-router \
  --attach-os-disk chr-os-disk \
  --os-type Linux \
  --size Standard_B2s \
  --location "$LOCATION" \
  --nics chr-nic
```

Create Network Interface with IP Forwarding
CHR must forward packets between interfaces. Azure requires IP forwarding to be enabled on each NIC:

```bash
# Create a public IP
az network public-ip create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-public-ip \
  --allocation-method Static \
  --sku Standard

# Create NIC with IP forwarding enabled
# Assumes the virtual network chr-vnet and its subnet chr-subnet already exist
az network nic create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-nic \
  --vnet-name chr-vnet \
  --subnet chr-subnet \
  --public-ip-address chr-public-ip \
  --ip-forwarding true

# Create VM using the NIC
az vm create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-router \
  --attach-os-disk chr-os-disk \
  --os-type Linux \
  --size Standard_B2s \
  --nics chr-nic \
  --location "$LOCATION"
```

IP forwarding must be enabled on the Azure NIC (not just in RouterOS) for CHR to forward packets between subnets or to the internet. Without this, Azure drops forwarded packets at the NIC level.
Recommended VM Sizes
| Use Case | VM Size | vCPUs | RAM |
|---|---|---|---|
| Lab / testing | Standard_B1s | 1 | 1 GB |
| Small router | Standard_B2s | 2 | 4 GB |
| Production | Standard_D2s_v3 | 2 | 8 GB |
| High throughput | Standard_F4s_v2 | 4 | 8 GB |
Step 6: Configure Network Security Group
Azure NSG rules control inbound and outbound traffic. Create rules for CHR management access:

```bash
# Create NSG
az network nsg create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-nsg

# Allow SSH
# 203.0.113.0/24 is a documentation range; replace it with your management network
az network nsg rule create \
  --resource-group "$RESOURCE_GROUP" \
  --nsg-name chr-nsg \
  --name allow-ssh \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 22 \
  --source-address-prefixes 203.0.113.0/24

# Allow WinBox
az network nsg rule create \
  --resource-group "$RESOURCE_GROUP" \
  --nsg-name chr-nsg \
  --name allow-winbox \
  --priority 110 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 8291 \
  --source-address-prefixes 203.0.113.0/24

# Associate NSG with the NIC
az network nic update \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-nic \
  --network-security-group chr-nsg
```

Common ports required for MikroTik CHR:
| Service | Port | Protocol |
|---|---|---|
| SSH | 22 | TCP |
| WinBox | 8291 | TCP |
| API | 8728 | TCP |
| BGP | 179 | TCP |
| IPsec IKE | 500 | UDP |
| IPsec NAT-T | 4500 | UDP |
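
The rules in Step 6 limit SSH and WinBox to one source prefix; the script below checks an exported rule list for inbound Allow rules that expose the management ports from the table (22, 8291, 8728) to any source. It is an added example, not part of the original page: the function names are hypothetical, the sample rules are constructed, and the az query in the comment is an assumed way to produce the input.

```bash
#!/usr/bin/env bash
# Added example: flag inbound Allow rules that expose RouterOS management
# ports (SSH 22, WinBox 8291, API 8728) to any source address.
#
# Assumed way to produce the input (tab-separated, one rule per line):
#   az network nsg rule list --resource-group "$RESOURCE_GROUP" --nsg-name chr-nsg \
#     --query "[].[name,access,direction,protocol,destinationPortRange,sourceAddressPrefix]" -o tsv

# Reads rules on stdin, prints one finding per exposed port,
# and returns 1 if anything was flagged.
audit_mgmt_rules() {
  awk -F '\t' '
    # True if an NSG port expression ("22", "8000-9000", "*") covers port.
    function covers(expr, port,    part, n) {
      if (expr == "*") return 1
      n = split(expr, part, "-")
      if (n == 1) return (part[1] + 0 == port)
      return (port >= part[1] + 0 && port <= part[2] + 0)
    }
    BEGIN { svc[22] = "SSH"; svc[8291] = "WinBox"; svc[8728] = "API" }
    $2 == "Allow" && $3 == "Inbound" && ($4 == "Tcp" || $4 == "*") &&
    ($6 == "*" || $6 == "Internet" || $6 == "0.0.0.0/0") {
      for (p in svc)
        if (covers($5, p + 0)) {
          printf "%s: %s (tcp/%d) reachable from %s\n", $1, svc[p], p, $6
          bad = 1
        }
    }
    END { exit bad }
  '
}

# Constructed sample rules (not real output): two scoped rules like those in
# Step 6, one rule open to the Internet, one wide range open to any source,
# and one UDP rule that is out of scope for this check.
sample_rules() {
  printf 'allow-ssh\tAllow\tInbound\tTcp\t22\t203.0.113.0/24\n'
  printf 'allow-winbox\tAllow\tInbound\tTcp\t8291\t203.0.113.0/24\n'
  printf 'allow-api\tAllow\tInbound\tTcp\t8728\tInternet\n'
  printf 'allow-high\tAllow\tInbound\t*\t8000-9000\t*\n'
  printf 'allow-ike\tAllow\tInbound\tUdp\t500\t*\n'
}

# Audit the constructed sample; the non-zero status signals findings.
audit_sample() { sample_rules | audit_mgmt_rules; }
audit_sample || echo "review the rules listed above"
```
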
Initial Login and Configuration
Get the public IP address:

```bash
az vm show \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-router \
  --show-details \
  --query publicIps -o tsv
```

Connect via SSH:

```bash
ssh admin@<public-ip>
```

Default credentials are admin with no password. Change the password immediately.

```routeros
# Set admin password
/user set admin password=StrongPassword123!

# Verify interface detection
/interface print

# Configure static IP if DHCP is not used
/ip address add address=10.0.1.4/24 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1

# Set DNS
/ip dns set servers=168.63.129.16,8.8.8.8

# Enable SSH and restrict access
/ip service set ssh address=203.0.113.0/24

# Set identity
/system identity set name=azure-chr-01
```

Multiple Network Interfaces
Azure supports multiple NICs for CHR to enable routing between subnets. Add interfaces at VM creation time:

```bash
# Create second NIC (internal, no public IP)
az network nic create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-nic-internal \
  --vnet-name chr-vnet \
  --subnet internal-subnet \
  --ip-forwarding true

# Create VM with both NICs
az vm create \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-router \
  --attach-os-disk chr-os-disk \
  --os-type Linux \
  --size Standard_D2s_v3 \
  --nics chr-nic chr-nic-internal \
  --location "$LOCATION"
```

Inside RouterOS:

```routeros
# ether1 = first NIC (WAN/public)
# ether2 = second NIC (internal/LAN)
/interface print
```

Licensing
Apply a CHR license after deployment:

```routeros
/system/license renew account=your-mikrotik-account password=your-password level=p1
```

VMs cloned from the same managed disk image may share a system ID. Run /system license generate-new-id on each new instance before requesting a license.
Troubleshooting
VM Cannot Forward Traffic Between NICs

Verify IP forwarding is enabled on each Azure NIC:

```bash
az network nic show \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-nic \
  --query enableIPForwarding
# Should return: true
```

If false, update the NIC:

```bash
az network nic update \
  --resource-group "$RESOURCE_GROUP" \
  --name chr-nic \
  --ip-forwarding true
```

Cannot Connect via SSH or WinBox
- Verify the NSG inbound rule allows your source IP on the required port
- Confirm the public IP is associated with the NIC
- Use Azure Serial Console (portal → VM → Serial Console) for out-of-band access
VHD Upload Rejected
Ensure the VHD is fixed-size (not dynamic):

```bash
qemu-img info chr-7.x.vhd | grep "virtual size\|disk size\|format"
# Format should be: vpc
# Check it was converted with subformat=fixed
```
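
Because qemu-img reports the format as vpc for fixed and dynamic VHDs alike, the script below reads the disk type straight from the VHD footer and also checks that the data area is a whole number of MiB, which Azure requires of uploaded VHDs. It is an added example, not part of the original page or MikroTik's tooling; the function names vhd_disk_type and vhd_azure_ready are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: confirm a VHD is fixed-size and 1 MiB aligned before upload.

# Print the disk type recorded in the 512-byte footer at the end of the file.
# The footer starts with the cookie "conectix"; bytes 60-63 hold a
# big-endian type code: 2 = fixed, 3 = dynamic, 4 = differencing.
vhd_disk_type() {
  local file=$1 cookie code
  cookie=$(tail -c 512 "$file" | od -An -tx1 -N8 | tr -d ' \n')
  if [ "$cookie" != "636f6e6563746978" ]; then   # hex for "conectix"
    echo "no-vhd-footer"
    return 0
  fi
  code=$(tail -c 512 "$file" | od -An -tu1 -j60 -N4 |
         awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
  case $code in
    2) echo "fixed" ;;
    3) echo "dynamic" ;;
    4) echo "differencing" ;;
    *) echo "unknown-$code" ;;
  esac
}

# Return 0 only if the file is a fixed VHD whose data area (file size minus
# the footer) is a whole number of MiB.
vhd_azure_ready() {
  local file=$1 kind size
  kind=$(vhd_disk_type "$file")
  if [ "$kind" != "fixed" ]; then
    echo "$file: disk type is $kind, expected fixed"
    return 1
  fi
  size=$(( $(wc -c < "$file") - 512 ))
  if [ $(( size % 1048576 )) -ne 0 ]; then
    echo "$file: virtual size $size bytes is not a multiple of 1 MiB"
    return 1
  fi
  echo "$file: fixed VHD, $(( size / 1048576 )) MiB, ready for page-blob upload"
}

# Usage: pass the converted image as the first argument, e.g. chr-7.x.vhd
if [ "$#" -gt 0 ]; then vhd_azure_ready "$1"; fi
```
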