This guide is only for V2 assemblers being deployed with a virtual machine in Microsoft Azure. The V1 assembler is no longer supported as of June 30, 2024.


Each assembler you create must be deployed via a virtual machine, and then you can add your technology as a security device in Workbench to complete the full integration. For more information about the Expel Assembler or how it works, see the About the Expel Assembler guide.


  • You must have completed all of the steps in Add a New Assembler for each assembler you wish to deploy.
    • For the Firewall Configuration portion, please ensure your Network Security Group is in a Resource Group, and that you store the Storage Account, Image, and Virtual Machine you configure in this guide in that same Resource Group.
    • Be sure you have extracted the Fedora CoreOS image file you downloaded. You will need to upload the.vhd file, not the compressed .xz file in a later step.

Quick Start

  1. Download the Ignition File
  2. Upload the Virtual Hard Disk (VHD) to Azure
  3. Create a Virtual Machine From the VHD
  4. Verify a “Connected” Status in Workbench

Step 1: Download the Ignition File

The ignition file enables the virtual machine to read a configuration file and to provision the Fedora CoreOS system based on the contents of that file. You will use this file when you configure the virtual machine in Azure.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Assemblers.
  3. Find the assembler you created, and select Download the CoreOS Ignition File. This action will download a JSON file that you will need in the next section.
  1. Repeat this process for any additional assemblers.

    You must keep track of the files, and which file came from which assembler, because each assembler has its own unique ignition file.

Step 2: Upload the Virtual Hard Disk (VHD) to Azure

In this step we create a place to store the CoreOS image in Microsoft Azure.


If you prefer using the Azure CLI, see Microsoft article Upload a VHD to Azure or copy a managed disk to another region - Azure CLI. Or, follow these steps to upload the VHD through the Azure Portal:

  1. Log in to
  2. Select Storage Accounts.
  3. Select Create.
  4. Select the appropriate Subscription and the Resource Group that your Network Security Group resides in.
  5. Select a region. (This should be the same region as your Resource group.) 
  6. For Performance and Redundancy, leave set to defaults.
  7. Select Review.
  8. Scroll down and select Create.
  9. After the deployment completes, select Go to resource.
  10. Under the Properties section, select Blob service.
  11. Select Container to create a new storage container.
  12. Give the new container a name and select Create.
  13. The new container is added to the list. Select the Container name.
  14. Select Upload and choose the choose the Fedora CoreOS image file you downloaded when completing the Add a New Assembler documentation.

    Be sure you have extracted the file and are uploading the .vhd file, not the compressed .xz file.
  15. Once the upload completes, a new blob appears in the list with the name of your VHD file. Note that this upload may take a while as it is a large file.

Step 3: Create a virtual machine from the VHD

In this step we will configure our image, VM, provide the contents of our ignition file, and deploy the VM.

  1. In Azure, type "Images" into the main search bar to quickly navigate to the Images service.
  2. Select Create.
  3. Configure the following:
    • Subscription / Resource Group - ensure these match what you selected for your Storage Account.
    • Name - enter a name for your image.
    • Region - select same region as your previous resources.
    • Zone Resiliency - leave unchecked.
    • OS type - Linux.
    • VM Generation -  Gen 1.
    • Storage blob -  browse to the Storage Account, Container, and select the image file you uploaded. Click Select.
    • Account type -  your choice. This is the storage location of the image, not your VM itself, so Standard HDD performance is acceptable.
    • Host caching -  leave as Read/write.
    • Key management - leave set to default.
    • Data disk - no action needed.
  4. Select Review + Create.
  5. After the image validates, select Create.
  6. After the deployment completes, select Go to resource.
  7. Select Create VM.
  8. Configure the Basics section as follows:
    1. Subscription / Resource Group - these should default to your previously selected options.
    2. Virtual machine name - enter a name for your VM.
    3. Region - this defaults to the region you previously selected.
    4. Availability options - no infrastructure redundancy required.
    5. Image - if it is not preselected, choose the image you created earlier.
    6. Size - select a VM with at least 2 virtual CPUs, 8GB RAM, and 20 GB disk space. 
    7. Authentication type - SSH public key.
    8. Username / SSH public key source / Key pair name - leave at defaults.

      Azure requires you to have an SSH key, but SSH is disabled by default on all Expel assemblers. If you require SSH access to this VM in the future, please contact support.
    9. Public inbound ports - none.
    10. License type -  other (the assembler is CentOS-based, which doesn't require a license).
  9. Select Next : Disks.
  10. Configure the Disks section as follows:
    1. OS disk size - select an option of at least 20 GiB.
    2. OS disk type - select an SSD option of your choice.
    3. Leave the rest of the options at the default values.
  11. Select Next : Networking.
  12. Virtual network / Subnet / Public IP - verify the network settings that Azure populates here are appropriate for your environment.
  13. NIC network security group - advanced.
  14. Configure network security group appears. Select the network security group you created when you edited your firewall settings.

    If you haven't already updated your firewall configuration, you can do it now by selecting Create new and adding the Outbound connections provided in Add a New Assembler.
  1. Select Next : Management.
  2. Select Next : Monitoring.
  3. Select Next : Advanced.
  4. Under User data, select Enable user data and paste the contents of your ignition file into the text box that appears.
  5. Select Next : Tags.
  6. Select Next : Review + Create.
  7. Review your configuration and select Create.
  8. A Generate new key pair screen appears. Select Download private key and create resource.
  9. Delete the .pem file that downloads, as SSH is disabled for assemblers by default, and you won't need this file. If you require SSH access to this VM in the future, please contact support.
  10. Wait for the VM to deploy successfully.

Step 4: Verify a “Connected” Status in Workbench

It can take 10 to 15 minutes for the assembler’s status to update in Workbench.


  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Assemblers (or, refresh the page if you never logged out).
  3. Find your newly created assembler(s) and verify that the status has changed from “Not Yet Connected” to “Connected.”

    If the status has not updated yet, make sure you have waited at least 15 minutes, then refresh the page and check again.


If your assembler is still not showing as “Connected” after 15 minutes:

  • Make sure your have the proper firewall configurations to allow our outbound ports as specified in Add a New Assembler.
  • Make sure your chosen machine’s size meets the required minimums (2 virtual CPUs, 8 GB RAM, and 20 GB disk space).
  • For additional troubleshooting, access the Serial Console of your VM in Azure and check for errors.

If all firewall and machine size settings are correct and you are still unable to connect the assembler, contact support for help.