CHR on Azure

I’ve noted there isn’t a lot of up-to-date “CHR on Azure” documentation so I am attempting to create some here.

Maybe someone can copy to: https://wiki.mikrotik.com/wiki/Manual:CHR

It would be optimal for Mikrotik to create an azure marketplace CHR image. That would make this post mostly redundant.

step 1: download CHR vhdx and convert to vhd
example powershell:
Convert-VHD -Path C:\chr-6.45.6.vhdx -DestinationPath C:\chr-6.45.6.vhd -vhdtype fixed

step 2: upload vhd to a blob container:
Upload the VHD file using the Azure Portal.
In the Azure Portal, select Storage Accounts.

  • Select the storage account where the CHR VHD file will be uploaded to.
    Under BLOB SERVICE, select Containers.
    Select a container to upload the CHR VHD file to.

If you do not have a storage container, click Add Container to create one.
Click Upload and select the CHR VHD file to upload.
Ensure that the Blob type is set to Page Blob.
step 3: Create an image using the Azure Portal.
In the Azure Portal, select “Images”. (note this is different than “virtual machines”)
Click Add to create a new image.
Give the image a name. Remember that this image is a template that will later be deployed to a virtual machine with a different name.
Ensure that the location is the same as the location of your storage account.
In the OS disk section:
Select Linux as the OS type.
Click Browse on the Storage Blob field. A new panel will list your storage accounts. Using this panel, navigate through the storage account and container to locate the CHR VHD that was uploaded.
(os type linux)
(vm generation 1)

Click Create to begin the image creation process. This process typically takes minutes to complete.
When the process has completed, return to the Images panel and verify that the new image was created.

step 4: create the vm
In the Azure Portal, select “virtual machines”.
Click Add to create a new VM.
Under image, click “browse all public and private images”, and in the “my items tab” you should see the CHR vhd image you created in step 3.
I used the smallest size B1ls.

Note: you will need to set the “enable ip forwarding” parameter in the resulting azure vm network interface.

Note: the azure serial console feature works.

step 5: (optional) create a S2S vpn
note: profiles must have “nat traversal” enabled.
note: you will have to create a route table to direct vnet traffic over the vpn tunnel.
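
The steps above scripted with Az PowerShell, including where the "enable ip forwarding" setting and the route table are configured. This is an added example, not part of the original post; every resource name, address and URI in it is a hypothetical placeholder, and it assumes the Az and Hyper-V modules are installed and `Connect-AzAccount` has already been run.

```powershell
# Added example: all names, addresses and URIs are constructed placeholders.
$rg       = 'rg-chr'        # existing resource group (assumed)
$location = 'westeurope'    # must be the storage account's location
$vhdx     = 'C:\chr-6.45.6.vhdx'
$vhd      = 'C:\chr-6.45.6.vhd'
$blobUri  = 'https://examplestorage.blob.core.windows.net/vhds/chr-6.45.6.vhd'

# Step 1: convert to a fixed-size VHD (Hyper-V module, elevated session).
Convert-VHD -Path $vhdx -DestinationPath $vhd -VHDType Fixed

# Step 2: Add-AzVhd uploads the file to the container as a page blob.
Add-AzVhd -ResourceGroupName $rg -Destination $blobUri -LocalFilePath $vhd

# Step 3: image with OS type Linux and VM generation 1.
# OsState Generalized is an assumption about how the image is registered.
$imgCfg = New-AzImageConfig -Location $location -HyperVGeneration 'V1'
$imgCfg = Set-AzImageOsDisk -Image $imgCfg -OsType Linux `
            -OsState Generalized -BlobUri $blobUri
New-AzImage -ResourceGroupName $rg -ImageName 'chr-6.45.6' -Image $imgCfg

# Step 4 note: once the VM exists, IP forwarding is a property of its
# network interface resource, not of the VM or of RouterOS.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'chr-vm-nic'
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface

# Step 5 note: a route table sends traffic for the remote site to the
# CHR's private IP, and is then associated with the workload subnet.
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'rt-via-chr'
$rt = $rt | Add-AzRouteConfig -Name 'to-remote-site' `
              -AddressPrefix '192.168.88.0/24' `
              -NextHopType VirtualAppliance `
              -NextHopIpAddress '10.0.0.4' | Set-AzRouteTable

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-chr'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'workloads' `
    -AddressPrefix '10.0.1.0/24' -RouteTable $rt | Set-AzVirtualNetwork

# Check: should print True after the NIC update has been applied.
(Get-AzNetworkInterface -ResourceGroupName $rg -Name 'chr-vm-nic').EnableIPForwarding
```

In the portal the same NIC setting is on the network interface resource attached to the VM, under its IP configurations.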

Tnx for this guidance! Complete success following it. Only one thing that you are mentioning I cannot find: “Note: you will need to set the “enable ip forwarding” parameter in the resulting azure vm network interface.”

Thanks for the step by step, it worked.

Out of curiosity, does anyone know :

  1. Why does it take so long to build the image?
  2. Does anyone know why Mikrotik has not built a Microsoft Azure Marketplace version of their CHR? I can say there is a demand for it on my end.

If they are building one and they need a tester, I volunteer 🙂

After trying several times to deploy CHR 6.47.9 on azure it continues to fail with:

OS Provisioning did not finish in the allotted time.

I have followed this guide step by step several times and even tried different versions of CHR with the same outcome.

My settings are identical to the settings in this post. I can’t seem to find any other person with this same issue.

I’ve tried reconverting from vhdx to vhd because I figured it might be some kind of corruption but that is not the issue.

Has anyone else seen this same problem before?

This seems to be an issue that was either in RouterOS or Azure, but found this tidbit -

Version 6.49beta36 has been released.

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What’s new in 6.49beta36 (2021-Apr-23 05:56):

Changes in this release:

*) bridge - improved system stability when using IGMP snooping and changing bridge MAC address;
*) chr - fixed OS provisioning on Azure;

Tried just now with the latest beta image of CHR - 6.49beta38 (Testing)
And it provisioned instantly with no issues.

In my opinion, you described the update process in sufficient detail. I used to update the system without creating backups, and then one time I almost lost all the information, because the formatting did not go according to plan.

EDIT: It is not relevant, please ignore

Dear all,
I would like to draw attention to this thread, which seems to be a problem specifically related to CHR on Azure.
http://forum.mikrotik.com/t/l2tp-interface-to-bridge-not-working-on-chr/150931/1
Maybe even a moderator could change the location of my post to this Virtualisation section. My apologies for posting it in General.

Has anyone tried this recently? I can’t seem to get one to work – just sits there, “Creating”…

If I look at the last screenshot, it says

“Boot Failure. Reboot and select proper boot device
or insert boot media in selected boot device”.

Completely dead on serial console?

Got it to work. Had to use real Microsoft tools to convert the hard drive over.

Very cool setup now. With CHR running, and a bit of routing/vxlan very easy to extend subnets in azure home to test PA fw!

I configured MikroTik on Azure, but the only thing that I can do is connect via WinBox; S2S VPN is not working, GRE tunnel is not working. I'm using version 7.


Note: Remember to configure the Azure Network Security Group like this.


Finally you need to configure a route table for your VMs.

CHR ip config

ether1: 10.29.0.4/24

ether2: 10.20.1.4/24


IPsec configured but not working

Late reply, but IPSec/GRE tunneling is not allowed within Azure’s private VNets.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-protocols-can-i-use-within-vnets:~:text=Multicast%2C%20broadcast%2C%20IP%2Din%2DIP%20encapsulated%20packets%2C%20and%20Generic%20Routing%20Encapsulation%20(GRE)%20packets%20are%20blocked%20in%20virtual%20networks

However, if you are creating a public facing IPSEC tunnel, that is supported, but internally, if you wish to tunnel, VxLAN is possible.

In case you arrive here wondering how to configure a CHR in Azure, here is an easy how-to:

https://miltech.helpjuice.com/en_US/routeros-azure-setup