A step-by-step guide to deploying a personal AI health agent on Microsoft Azure using OpenClaw, accessible through Telegram. Written during a real deployment session, including every error encountered and how it was resolved.
Time required: 60 to 90 minutes
Estimated cost: Approximately $30 to $50 per month (Azure VM plus API tokens)
Prerequisites: Basic comfort with a command line. No Linux experience required. This guide was written by a Windows Server administrator of 25 years deploying his first Linux server.
Ensure you have the following accounts and tools ready:
- A Microsoft Azure account with a payment method (free trial works)
- A Telegram account on your phone
- An Anthropic account for Claude API access at console.anthropic.com
- A Google account for Gemini API access at aistudio.google.com/apikeys
- A computer with PowerShell or Terminal for SSH
- Optionally: Termius or JuiceSSH on your phone for mobile SSH access
- Log into the Azure Portal at portal.azure.com.
- Click "Create a resource" and select "Virtual Machine."
- Image: Select Ubuntu Server 24.04 LTS. Do not select Windows Server.
- Size: Select B2s (2 vCPUs, 4 GB RAM). This costs approximately $30/month and is sufficient for an AI orchestration agent. The heavy computation happens at the API provider level, not on your VM.
- Authentication: Choose SSH public key. Azure will generate a key pair. Download the .pem private key file and save it in a secure location (for example, a folder called keychain on your local drive).
- Networking: Leave defaults. Ensure SSH (port 22) is allowed in the inbound port rules.
- Click "Review + Create" and then "Create." Wait for the deployment to complete.
- Note your VM's public IP address from the Azure portal overview page.
Tip: Choose a region close to you for lower latency. East US or West US 2 are good defaults for US-based users.
SSH refuses to use a private key file that other users can read. Before connecting, you must restrict permissions on your .pem file. Open PowerShell and run the following commands, replacing the path with your actual key location:
```powershell
# Remove inherited permissions
icacls "C:\path\to\your-key.pem" /inheritance:r
# Grant read access only to your user account
icacls "C:\path\to\your-key.pem" /grant:r "YOUR_USERNAME:(R)"
# Remove all other accounts
icacls "C:\path\to\your-key.pem" /remove "BUILTIN\Users"
icacls "C:\path\to\your-key.pem" /remove "BUILTIN\Administrators"
icacls "C:\path\to\your-key.pem" /remove "NT AUTHORITY\SYSTEM"
```
Verify that only your account has access:
```powershell
icacls "C:\path\to\your-key.pem"
```
The output should show only your username with (R) permission.
Important: Azure cloud-init configuration files in /etc/ssh/sshd_config.d/ may override SSH settings. If you encounter permission issues later, this is likely the cause. See the Troubleshooting section.
```powershell
ssh -i C:\path\to\your-key.pem azureuser@YOUR_VM_IP_ADDRESS
```
Type yes when asked about the host fingerprint. You should see an Ubuntu welcome message with system statistics. You are now on your Linux server.
Update all system packages. This is the Linux equivalent of running Windows Update on a fresh machine:
```bash
sudo apt update && sudo apt upgrade -y
```
This may take several minutes. When it completes, install Node.js. OpenClaw requires Node.js 22.16 or newer. Node.js 24 is recommended:
```bash
curl -fsSL https://deb.nodesource.com/setup_24.x | sudo -E bash -
sudo apt-get install -y nodejs
```
Verify the installation:
```bash
node --version
```
Expected output: v24.x.x (or v22.x.x minimum).
Note: The sudo command runs a command with administrator privileges. It is the Linux equivalent of "Run as Administrator" in Windows. It is pronounced "sue-doo" and stands for "superuser do."
Install OpenClaw globally using npm:
```bash
sudo npm install -g openclaw@latest
```
This takes approximately one minute. You may see warnings about deprecated packages. These are safe to ignore.
Verify the installation:
```bash
openclaw --version
```
Common error: If you run npm install -g openclaw@latest without sudo, you will receive an EACCES: permission denied error. The sudo prefix is required for global npm installations.
Before running the OpenClaw setup wizard, create your Telegram bot so you have the token ready.
- Open Telegram on your phone.
- Search for @BotFather and start a chat.
- Send: /newbot
- When asked for a display name, enter the name you want for your agent (e.g., "Tula").
- When asked for a username, enter a unique name ending in bot (e.g., tula_health_bot).
- BotFather will reply with a bot token. It looks like: 7123456789:AAH1234abcd5678efgh9012ijkl
- Save this token securely. You will need it during the OpenClaw onboarding wizard.
Warning: Your bot token is equivalent to a password. Never share it in a chat, post it online, or paste it in any public location. If you accidentally expose it, message @BotFather with /revoke to invalidate the old token and generate a new one.
You need API keys for the AI models your agent will use. Obtain these in your local computer's browser before starting the onboarding wizard.
- Go to console.anthropic.com and sign up or log in.
- Navigate to API Keys in the left sidebar.
- Click Create Key and name it (e.g., "Tula").
- Copy the key and save it securely.
- Add billing. For personal use, $10 to $20 of initial credits is sufficient.
- Go to aistudio.google.com/apikeys and sign in with your Google account.
- Click Create API Key.
- Copy the key and save it securely.
Tip: Store API keys in a password manager. Enter them directly into the terminal during setup. Never share them in any chat or document.
In your SSH session, run the onboarding wizard:
```bash
openclaw onboard
```
The wizard walks through the configuration step by step. The following sections describe the recommended selections at each prompt.
Select Anthropic. Then choose Anthropic API key (not the setup-token option). Paste your Anthropic API key when prompted.
Select Claude Sonnet 4.6. This model provides the best balance of reasoning capability and cost efficiency for a personal health agent. Claude Opus is more capable but significantly more expensive and can be added as a routing target later.
Select Gemini (Google Search). Paste your Google API key when prompted.
The wizard presents a list of installable skills. Recommended starting selections:
- himalaya - Email client integration for sending and receiving email
- nano-pdf - PDF parsing for reading laboratory reports and health documents
- clawhub - Skill registry that allows your agent to discover and install new skills as needed
All other skills can be added later. Select only these three to keep the initial setup straightforward.
Enable the following:
- command-logger - Logs agent actions for debugging and auditing
- session-memory - Enables context retention across conversations, essential for a health agent that needs to recall prior biomarker data and journal entries
Skip boot-md and bootstrap-extra-files.
Select Hatch in TUI to launch the agent in the terminal for immediate testing.
The wizard prompts for a name, creature type, and personality description. Enter whatever is appropriate for your use case. This shapes how the agent communicates and can be changed later.
After the wizard finishes and your agent is running in the TUI, open Telegram on your phone and message your bot. Send:
/start
The bot will reply with a pairing code (e.g., U6RXEU2P).
Exit the TUI by pressing Ctrl+C or typing /exit. Then run the pairing approval command, replacing the code with your own:
```bash
openclaw pairing approve telegram YOUR_PAIRING_CODE
```
Return to Telegram and send your bot a message. It should respond with an AI-generated reply.
Note: If your commands are being intercepted by the agent rather than executing on the system, you are still inside the OpenClaw TUI. Press Ctrl+C or type /exit to return to the standard terminal prompt.
Without the daemon, your agent only runs while the TUI is open in a terminal session. Closing the SSH connection terminates the agent. The daemon registers OpenClaw as a systemd service that starts automatically on boot, survives SSH disconnections, and restarts automatically if it crashes.
```bash
sudo openclaw daemon install
```
This is the Linux equivalent of setting a Windows Service to "Automatic" startup type.
Verify the service is running:
```bash
sudo systemctl status openclaw
```
Test it: close your SSH session entirely, then send a message to your bot on Telegram. It should still respond.
To manage your server from a mobile device, install an SSH application such as Termius (Android/iOS) or JuiceSSH (Android).
Azure VMs default to SSH key authentication only. To enable password-based authentication for convenience on mobile:
```bash
sudo passwd azureuser
```
Azure's cloud-init configuration overrides the main SSH config. You must update the override files directly:
```bash
sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config.d/50-cloud-init.conf
sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config.d/60-cloudimg-settings.conf
sudo systemctl restart ssh
```
Important: Ubuntu 24.04 uses ssh as the service name, not sshd. Running sudo systemctl restart sshd will fail with "Unit sshd.service not found."
In your SSH application, create a new host with:
- Hostname: Your VM's public IP address
- Port: 22
- Username: azureuser
- Password: The password you set above
Security consideration: Enabling password authentication on a public IP address allows brute-force login attempts. Use a strong, unique password. For production deployments, consider using Tailscale for private VPN access or configuring fail2ban for brute-force protection.
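An added example, not part of the original guide: once password authentication is exposed, you can gauge the brute-force activity described above by summarizing sshd's failed-password messages per source address. The function names, host name and log lines are constructed for illustration, and the message wording assumes OpenSSH's standard log format.

```bash
#!/usr/bin/env bash
# Added example: triage sshd password failures before tuning fail2ban.

# summarize_failed_logins <threshold>   (reads auth-log lines on stdin)
# Prints source addresses with at least <threshold> failures, plus any address
# that logged in with a password after failing at least once.
summarize_failed_logins() {
    awk -v threshold="$1" '
        # Usernames are attacker-controlled, so locate the address by its
        # position from the end of the line: "... from <addr> port <n> ssh2".
        function src() { return (NF > 4 && $(NF - 4) == "from") ? $(NF - 3) : "" }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = src(); if (ip != "") fails[ip]++
            next
        }
        /sshd\[[0-9]+\]: Accepted password for/ {
            ip = src(); if (ip in fails) reused[ip] = 1
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold + 0 || (ip in reused))
                    printf "%s failures=%d%s\n", ip, fails[ip],
                        ((ip in reused) ? " accepted-after-failures" : "")
        }
    ' | sort
}

# Constructed log lines (documentation addresses, hypothetical host name).
sample_log() {
    cat <<'EOF'
2025-03-10T08:15:01.000000+00:00 health-vm sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2025-03-10T08:15:03.000000+00:00 health-vm sshd[2101]: Failed password for invalid user from from 203.0.113.5 port 51236 ssh2
2025-03-10T08:15:06.000000+00:00 health-vm sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
2025-03-10T09:02:11.000000+00:00 health-vm sshd[2230]: Failed password for azureuser from 198.51.100.7 port 40022 ssh2
2025-03-10T09:02:19.000000+00:00 health-vm sshd[2230]: Accepted password for azureuser from 198.51.100.7 port 40022 ssh2
EOF
}

sample_log | summarize_failed_logins 3
```

An address marked accepted-after-failures deserves the first look: it may be you mistyping the password, or a guess that succeeded.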
Message your bot in Telegram. Conversations are natural language. The agent remembers context within a session if the session-memory hook is enabled.
```bash
openclaw update
```
This pulls the latest stable release, syncs plugins, and restarts the gateway.
```bash
openclaw gateway status
sudo systemctl status openclaw
```

```bash
journalctl -u openclaw --since '1 hour ago'
```
Run this weekly to keep your server patched:
```bash
sudo apt update && sudo apt upgrade -y
```

```bash
openclaw backup create
```

| Item | Monthly Estimate |
|---|---|
| Azure B2s VM (Ubuntu 24.04 LTS) | ~$30 |
| Anthropic API (Claude Sonnet 4.6) | ~$5 - $15 |
| Gemini API (Web Search) | ~$0 - $5 |
| Total | ~$35 - $50 |
Costs increase with image-intensive skills (DICOM interpretation, genomic analysis). See the cost guide for detailed breakdowns.
The .pem file permissions are too open. Additional users or groups have read access. Run icacls on the file to check permissions, then remove all accounts except your own. See Step 2 for the complete commands.
Azure VMs default to key-only authentication. Password authentication must be explicitly enabled in the cloud-init override files located in /etc/ssh/sshd_config.d/. See Step 10 for the specific files and commands.
The sudo prefix is missing. Run:
```bash
sudo npm install -g openclaw@latest
```
Ubuntu 24.04 uses ssh as the service name, not sshd. Run:
```bash
sudo systemctl restart ssh
```
The daemon has not been installed. Run:
```bash
sudo openclaw daemon install
```
The pairing has not been approved. Run the following command with your pairing code:
```bash
openclaw pairing approve telegram YOUR_PAIRING_CODE
```
You are inside the OpenClaw TUI (the interactive chat interface). Press Ctrl+C or type /exit to return to the standard terminal prompt.
Azure cloud-init creates override files in /etc/ssh/sshd_config.d/ that take precedence over /etc/ssh/sshd_config. Check these files:
```bash
sudo grep -i "PasswordAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
```
If any file in sshd_config.d/ contains PasswordAuthentication no, it will override settings in the main config file.
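The precedence rule described above, as an added example (not part of the original guide or of OpenClaw): a shell function that reports which file supplies the PasswordAuthentication value sshd will use. It assumes Ubuntu's stock layout, where sshd_config includes sshd_config.d/*.conf before its own settings; the function name and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find which file decides sshd's PasswordAuthentication setting.
# sshd keeps the FIRST value it reads for each keyword. Assumption: the stock
# Ubuntu layout, where sshd_config includes sshd_config.d/*.conf at its top.

# effective_password_auth <main_config> <dropin_dir>
# Prints "<value> <file>" for the first global PasswordAuthentication line.
effective_password_auth() {
    local main="$1" dir="$2" f value
    # Drop-ins are read in lexical order, then the rest of the main file.
    for f in "$dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        value=$(awk -F'[ \t=]+' '
            { sub(/^[ \t]+/, "") }               # ignore indentation
            /^#/ { next }                        # commented-out lines do not count
            tolower($1) == "match" { exit }      # later lines are conditional; skip rest of file
            tolower($1) == "passwordauthentication" { print tolower($2); exit }
        ' "$f")
        if [ -n "$value" ]; then
            printf '%s %s\n' "$value" "$f"
            return 0
        fi
    done
    printf 'yes (built-in default)\n'   # OpenSSH default when no file sets it
}

# Constructed sample files mirroring the layout described above (not real data).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config"
printf '# managed by cloud-init\nPasswordAuthentication no\n' \
    > "$demo_dir/sshd_config.d/50-cloud-init.conf"
printf 'PasswordAuthentication yes\n' \
    > "$demo_dir/sshd_config.d/60-cloudimg-settings.conf"

# The first drop-in wins even though the main file and the later drop-in say yes.
effective_password_auth "$demo_dir/sshd_config" "$demo_dir/sshd_config.d"
rm -rf "$demo_dir"
```

On the live server, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually resolved, which is the authoritative check after any edit.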
| Concept | Windows | Linux (Ubuntu) |
|---|---|---|
| Run as administrator | Right-click, Run as Admin | sudo command |
| Install software | winget install / MSI | sudo apt install package |
| Update system | Windows Update | sudo apt update && sudo apt upgrade |
| Manage services | services.msc / sc.exe | sudo systemctl status/start/stop service |
| View service logs | Event Viewer | journalctl -u servicename |
| Remote access | RDP (mstsc) | SSH (ssh user@ip) |
| File permissions | NTFS ACLs / icacls | chmod / chown |
| Edit a text file | Notepad | nano filename |
| List files | dir | ls -la |
| File path format | C:\Users\you | /home/you |
| Background service | Windows Service (Automatic) | systemd daemon |
| Task scheduler | Task Scheduler | cron |
With your agent running and accessible through Telegram, consider the following:
- Configure email integration using the email router setup guide. The guide walks through creating a dedicated M365 mailbox, locking it down with Exchange transport rules, configuring himalaya with OAuth2, and setting up automated inbox polling.
- Build custom health skills for laboratory parsing, journaling, and biomarker tracking. See the community skill ideas for inspiration.
- Set up scheduled tasks using OpenClaw's cron system for daily check-ins, weekly research synthesis, and automated health summaries.
- Configure healthcare AI models for medical image interpretation, laboratory report extraction, and medical speech recognition. Tula supports purpose-built healthcare models from Google (MedGemma, MedASR) and Microsoft (MedImageInsight, CXRReportGen). See the model routing reference for configuration details.
- Review security hardening including firewall configuration (ufw), fail2ban for brute-force protection, and Tailscale for private VPN access.
This guide is maintained by the Tula community. If you encounter an issue not covered here, please open an issue so we can improve the documentation for everyone.