Azure is Microsoft's dominant cloud, and 63% of enterprise AI workloads ran on it as of Q4 2024 according to Synergy Research Group data. That matters because your OpenClaw agents almost certainly need to call services — storage, identity, queues — that are already inside Azure. Running the agent there too eliminates a full network hop and slashes latency on every tool call.
The mistake most people make: they spin up an Azure VM, SSH in, and run OpenClaw directly as a process. That works for testing. It breaks in production when the VM restarts, when you need to update the image, or when traffic spikes. This guide does it properly — containerized, observable, and scalable.
Prerequisites — What You Need Before You Start
Don't skip this section. Missing one item here means hitting a wall thirty minutes in.
- An active Azure subscription — free tier works for testing, but you'll need at least Pay-As-You-Go for B2 App Service
- Azure CLI installed locally (az --version should return 2.55 or higher)
- Docker Desktop running locally — you need it to build and test the OpenClaw image before pushing
- An OpenClaw account with your agent configuration exported or noted
- API keys for your chosen AI provider (Anthropic, OpenAI, or local model endpoint)
- A basic understanding of environment variables — you'll use them throughout
We'll get to the exact Key Vault setup in a moment — but first you need to understand why this step breaks 80% of first deployments: teams skip secret management entirely, embed API keys directly in App Service configuration, and then rotate keys manually six months later after a security audit flags it. Set Key Vault up now. It takes five minutes and saves hours later.
Azure Account and Resource Group Setup
Every Azure deployment starts with a Resource Group. Think of it as a folder — every resource you create for this OpenClaw deployment goes inside it. When you're done testing or want to tear everything down, delete the group and Azure cleans up everything inside.
Log into Azure CLI first:
az login
az account set --subscription "YOUR_SUBSCRIPTION_ID"
Create your resource group and the supporting services:
# Create resource group
az group create \
--name openclaw-rg \
--location eastus2
# Create Azure Container Registry
az acr create \
--resource-group openclaw-rg \
--name openclawregistry \
--sku Basic \
--admin-enabled true
# Create Key Vault for secrets
az keyvault create \
--name openclaw-kv \
--resource-group openclaw-rg \
--location eastus2
Store your AI provider key in Key Vault immediately:
az keyvault secret set \
--vault-name openclaw-kv \
--name "AI-PROVIDER-KEY" \
--value "your_actual_api_key_here"
Sound familiar? This is the same pattern used by every Fortune 500 Azure deployment. The reason is simple: Key Vault gives you audit logs, automatic rotation hooks, and zero hardcoded secrets. Start here even on a side project.
Installing OpenClaw on Azure
Pull the OpenClaw Docker image and push it to your private Azure Container Registry. This eliminates Docker Hub rate limits and keeps your image inside the Microsoft network.
# Pull the OpenClaw image
docker pull openclaw/openclaw:latest
# Tag for ACR
docker tag openclaw/openclaw:latest \
openclawregistry.azurecr.io/openclaw:latest
# Login to ACR
az acr login --name openclawregistry
# Push to ACR
docker push openclawregistry.azurecr.io/openclaw:latest
Now create the App Service Plan and Web App. Use the B2 tier as a minimum — the B1 tier runs out of memory once the model context grows beyond a few thousand tokens.
# Create App Service Plan (B2 minimum for production)
az appservice plan create \
--name openclaw-plan \
--resource-group openclaw-rg \
--is-linux \
--sku B2
# Create Web App with container
az webapp create \
--resource-group openclaw-rg \
--plan openclaw-plan \
--name openclaw-agent \
--deployment-container-image-name \
openclawregistry.azurecr.io/openclaw:latest
# Grant Web App access to ACR
az webapp config container set \
--name openclaw-agent \
--resource-group openclaw-rg \
--docker-registry-server-url \
https://openclawregistry.azurecr.io \
--docker-registry-server-user \
"$(az acr credential show \
--name openclawregistry \
--query username -o tsv)" \
--docker-registry-server-password \
"$(az acr credential show \
--name openclawregistry \
--query "passwords[0].value" -o tsv)"
Configuration and First Run
Set environment variables for the Web App. Pull secrets from Key Vault using Key Vault references rather than pasting raw values.
# Get the Key Vault URI
KV_URI=$(az keyvault show \
--name openclaw-kv \
--query properties.vaultUri -o tsv)
# Set required environment variables
az webapp config appsettings set \
--name openclaw-agent \
--resource-group openclaw-rg \
--settings \
WEBSITES_PORT=3000 \
OPENCLAW_PORT=3000 \
OPENCLAW_HOST=0.0.0.0 \
AI_PROVIDER_KEY="@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/AI-PROVIDER-KEY/)" \
NODE_ENV=production
# Enable system-assigned Managed Identity
az webapp identity assign \
--name openclaw-agent \
--resource-group openclaw-rg
# Grant identity access to Key Vault
IDENTITY_ID=$(az webapp identity show \
--name openclaw-agent \
--resource-group openclaw-rg \
--query principalId -o tsv)
az keyvault set-policy \
--name openclaw-kv \
--object-id "$IDENTITY_ID" \
--secret-permissions get list
Restart the app and check logs:
az webapp restart \
--name openclaw-agent \
--resource-group openclaw-rg
# Stream logs to verify startup
az webapp log tail \
--name openclaw-agent \
--resource-group openclaw-rg
You should see OpenClaw's startup banner in the log stream within 60 seconds. If the container fails to start, the next section covers the most common failure modes.
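The audit below is an added example, not part of the original guide or of OpenClaw: it reads name/value rows from the app settings and reports any setting whose name suggests a credential but whose value is not a Key Vault reference. The name heuristic, the sample rows and the BACKUP_API_TOKEN setting are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: find App Service settings that hold a raw credential instead
# of a Key Vault reference. Feed it "name<TAB>value" rows, for instance from:
#   az webapp config appsettings list --name openclaw-agent \
#     --resource-group openclaw-rg --query "[].[name,value]" -o tsv

# Print KVREF, RAW_SECRET or PLAIN for one setting.
classify_setting() {
  local name="$1" value="$2"
  case "$value" in
    "@Microsoft.KeyVault("*")") echo KVREF; return 0 ;;
  esac
  # Assumption: these substrings in a setting name mark a credential.
  case "$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')" in
    *KEY*|*SECRET*|*TOKEN*|*PASSWORD*) echo RAW_SECRET ;;
    *) echo PLAIN ;;
  esac
}

# Read TSV rows on stdin, print the names (never the values) of raw secrets.
# Exit status is 1 when anything was flagged, so it can gate a pipeline.
audit_settings() {
  local tab name value flagged=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r name value; do
    [ -n "$name" ] || continue
    if [ "$(classify_setting "$name" "$value")" = RAW_SECRET ]; then
      echo "$name"
      flagged=1
    fi
  done
  return "$flagged"
}

# Constructed sample rows; BACKUP_API_TOKEN is a hypothetical setting.
sample_settings() {
  printf '%s\t%s\n' \
    WEBSITES_PORT 3000 \
    AI_PROVIDER_KEY '@Microsoft.KeyVault(SecretUri=https://openclaw-kv.vault.azure.net/secrets/AI-PROVIDER-KEY/)' \
    DOCKER_REGISTRY_SERVER_PASSWORD constructed-not-a-real-password \
    BACKUP_API_TOKEN constructed-raw-token
}

sample_settings | audit_settings || echo "raw secrets found in the settings above"
```

DOCKER_REGISTRY_SERVER_PASSWORD is the app setting App Service writes when a registry password is passed to az webapp config container set, so the ACR admin password from the install step is reported by this audit.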
Performance Tuning and Cost Optimization
Azure charges by tier and compute time. Here's how the main hosting options compare for OpenClaw workloads:
| Azure Service | Best For | Est. Monthly Cost | Cold Start | Autoscale |
|---|---|---|---|---|
| App Service B2 | Always-on agents, steady traffic | ~$70/mo | None | Manual rules |
| App Service B3 | High-traffic production | ~$140/mo | None | Manual rules |
| Container Instances | Batch jobs, sporadic use | Pay per second | 15–45s | Manual trigger |
| AKS (2-node) | Multi-agent, high availability | ~$200/mo+ | None | HPA native |
For most teams running a single OpenClaw agent, App Service B2 is the sweet spot. Enable autoscale to add instances when CPU exceeds 70%:
# Enable autoscale on App Service Plan
az monitor autoscale create \
--resource-group openclaw-rg \
--resource openclaw-plan \
--resource-type Microsoft.Web/serverfarms \
--name openclaw-autoscale \
--min-count 1 \
--max-count 3 \
--count 1
# Add scale-out rule (CPU > 70%)
# CpuPercentage is the CPU metric for App Service plans; "Percentage CPU" is the VM metric
az monitor autoscale rule create \
--resource-group openclaw-rg \
--autoscale-name openclaw-autoscale \
--condition "CpuPercentage > 70 avg 5m" \
--scale out 1
Common Issues and Fixes
Here's where most Azure deployments break — and how to fix each one fast.
502 Bad Gateway on First Request
Almost always a port mismatch. Verify WEBSITES_PORT is set to 3000 in App Settings. Check that your Dockerfile EXPOSE directive matches. Run az webapp log tail to see the actual error.
Container Fails to Start — OOMKilled
You're on B1. Upgrade to B2 minimum. OpenClaw's base memory footprint is 512MB before model context loads. B1 provides only 1.75GB, which leaves no room for traffic spikes.
Key Vault Reference Not Resolving
Check two things: the Managed Identity is assigned to the Web App, and the Key Vault access policy includes the identity's object ID with get permission. Verify with az keyvault secret show --vault-name openclaw-kv --name AI-PROVIDER-KEY from a CLI logged in as the identity.
Slow Response Times on First Request After Idle
App Service idles containers after 20 minutes with no traffic by default. Set Always On to true in App Service configuration — this keeps the container warm. Always On is only available on B1 tier and above.
Docker Pull Failing in CI/CD
ACR admin credentials rotate. Use a Service Principal with ACR pull role instead of admin credentials for CI/CD pipelines. Admin credentials are fine for manual pushes but shouldn't live in pipeline secrets.
Frequently Asked Questions
Can I run OpenClaw on Azure App Service?
Yes. Azure App Service supports Docker containers, which means OpenClaw deploys cleanly. Use the B2 or B3 tier for production agents — the free and B1 tiers hit memory limits fast once models load.
What Azure region should I choose for OpenClaw?
Pick the region closest to your users and your AI provider's API endpoints. East US and West Europe are the most cost-effective for most deployments as of early 2025.
How do I store OpenClaw secrets on Azure?
Use Azure Key Vault and reference secrets via environment variables in your container definition. Never hardcode API keys in your Dockerfile or app settings directly.
Is Azure Container Instances cheaper than App Service for OpenClaw?
ACI costs less for sporadic workloads since you pay per second of execution. App Service makes more sense for always-on agents that serve continuous traffic throughout the day.
How do I scale OpenClaw horizontally on Azure?
Use Azure Kubernetes Service or App Service autoscale rules. Set CPU threshold at 70% to trigger scale-out. OpenClaw supports multiple instances behind a load balancer natively.
What are the Azure networking requirements for OpenClaw?
OpenClaw needs outbound HTTPS on port 443 for API provider calls. If using a VNet, ensure the subnet has a NAT gateway or service endpoint configured for external internet access.
Can I use Azure Managed Identity with OpenClaw?
Managed Identity works for authenticating to Azure services like Key Vault and Storage. For external AI provider keys, you still need explicit credentials stored in Key Vault or environment variables.
Your Azure Agent Is Ready
You now know how to containerize OpenClaw, push it to ACR, secure secrets in Key Vault, and auto-scale based on real load. That's a production-grade setup most teams take weeks to figure out.
What becomes possible: your OpenClaw agent runs inside the same network as your Azure databases, queues, and identity systems — tool calls that used to cross the public internet now resolve in milliseconds.
No credit card required for Key Vault or basic App Service testing — Azure's free tier covers the setup phase. Start with the resource group creation command above. Your live endpoint is 10 minutes away.