diff --git a/docs/README.md b/docs/README.md index 87b6db57c..1325101c6 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -103,18 +103,27 @@ product documentation, organized as follows: - [kotlin/](../kotlin/android): Android / ChromeOS clients. - [website/](../website): Marketing website and product documentation. - [terraform/](../terraform): Terraform files for various example deployments. - - [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway): - Example Terraform configuration for deploying a cluster of Firezone Gateways - behind a NAT gateway on GCP with single egress IP. - [terraform/examples/aws/nat-gateway](../terraform/examples/aws/nat-gateway): Example Terraform configuration for deploying a cluster of Firezone Gateways - behind a NAT gateway on AWS with single egress IP. + behind a NAT gateway on AWS with a single egress IP. + - [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway): + Example Terraform configuration for deploying a cluster of Firezone Gateways + behind a NAT gateway on GCP with a single egress IP. + - [terraform/examples/azure/nat-gateway](../terraform/examples/azure/nat-gateway): + Example Terraform configuration for deploying a cluster of Firezone Gateways + behind a NAT gateway on Azure with a single egress IP. + - [terraform/modules/aws/firezone-gateway](../terraform/modules/aws/firezone-gateway): + Production-ready Terraform module for deploying Firezone Gateways to AWS + using Auto Scaling Groups. - [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group): Production-ready Terraform module for deploying regional Firezone Gateways to Google Cloud Compute using Regional Instance Groups. - [terraform/modules/aws/firezone-gateway](../terraform/modules/aws/firezone-gateway): Production-ready Terraform module for deploying Firezone Gateways to AWS using Auto Scaling Groups. 
+ - [terraform/modules/azure/firezone-gateway](../terraform/modules/azure/firezone-gateway): + Production-ready Terraform module for deploying Firezone Gateways to Azure + using Azure Orchestrated Virtual Machine Scale Sets. ## Quickstart diff --git a/terraform/examples/README.md b/terraform/examples/README.md index 3e77a0bfd..04726b179 100644 --- a/terraform/examples/README.md +++ b/terraform/examples/README.md @@ -21,3 +21,10 @@ instructions on how to deploy the example. one or more Firezone Gateways in a single GCP VPC that is configured with a Cloud NAT for egress. Read this if you're looking to deploy Firezone Gateways behind a single, shared static IP address on GCP. + +### Azure + +- [NAT Gateway](./azure/nat-gateway): This example shows how to deploy one or + more Firezone Gateways in a single Azure Vnet that is configured with a NAT + gateway for egress. Read this if you're looking to deploy Firezone Gateways + behind a single, shared static IP address on Azure. diff --git a/terraform/examples/aws/nat-gateway/.terraform.lock.hcl b/terraform/examples/aws/nat-gateway/.terraform.lock.hcl deleted file mode 100644 index 5461a445e..000000000 --- a/terraform/examples/aws/nat-gateway/.terraform.lock.hcl +++ /dev/null 
@@ -1,24 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
- version = "5.55.0"
- hashes = [
- "h1:vChl08zNYLVzuSzfxz3wp3wNSx+vjwl/jPuyPbg59Ks=",
- "zh:06fbb1cc4b61b9d6370d391bf7538aa6ef8b60b91c67d125a6be60a70b1d49f0",
- "zh:1d52acd2184f379433a0fce2c29d5ed8fc7958d6a9d1b403310dcc36b2a3f626",
- "zh:290bbce092f8836a1db530ac86d933cfea27d52b827639974a81bc48dfba8c34",
- "zh:3531f2822c2de3ba837381c4ee4816c5b437fd204c07d659526a04d9154a65e8",
- "zh:56d70db4c8c6c0ec1b665380b87726275f4ab3665b4b78ac86dc90e1010c0fe3",
- "zh:8251d713c0b2c8c51b6858e51c70d083b484342ff9782a88c39e7eaa966c3da2",
- "zh:9a7d1f7207e51382a7dd139dfd5786e7e905edf9bf89bbee4b59ad41365e87be",
- "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:a529c78dfc60063289524690af78794e99a768835b88e27cdfec15bc85439f7c",
- "zh:b6da1843355db05c5d412126406fd97db2a6ff9edc166b81c1cea2994535b4eb",
- "zh:bfc08cd23b1556b3287d1b28ac7f12c7d459471d97a0592bf2579ea68d11bae7",
- "zh:c382088faf05894191636b57861069a21de10a5ff4eb8f7cc122e764ccf7a4a8",
- "zh:e27f99f389921314ee428b24990d3a829057ce532b2beb33c69387458722edd9",
- "zh:ef11285eedb45ffc3fb2ecdfefa206e64eb2760a87fff15c44dee42de9703436",
- "zh:fedc4ebee0d6fe196691127004db5d1ff8bd22e3b667a74026bb92c607589b6c",
- ]
-}
diff --git a/terraform/examples/aws/nat-gateway/main.tf b/terraform/examples/aws/nat-gateway/main.tf
index 551da8a91..208015ce9 100644
--- a/terraform/examples/aws/nat-gateway/main.tf
+++ b/terraform/examples/aws/nat-gateway/main.tf
@@ -1,4 +1,10 @@
-module "gateway_aws_example" {
+# Change these to match your environment
+locals {
+ region = "us-east-1"
+ firezone_token = "YOUR_FIREZONE_TOKEN"
+}
+
+module "aws_firezone_gateway" {
 source = "github.com/firezone/firezone/terraform/modules/aws/firezone-gateway"
 ###################
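Review bot: `firezone_token = "YOUR_FIREZONE_TOKEN"` in the new `locals` block invites users to paste a live Gateway token straight into `main.tf`, a file the docs tell them to download and edit, so the credential tends to end up in version control. Declaring it instead as `variable "firezone_token" { type = string sensitive = true }` and supplying it through `TF_VAR_firezone_token` or a git-ignored `.tfvars` keeps the token out of the repo; it is still written to Terraform state, so the state backend must be treated as secret either way. The `module "aws_firezone_gateway"` block continues past the end of the hunk. This commit also deletes the example's `.terraform.lock.hcl`, which drops the provider hash pinning; if that is deliberate, a `required_providers` version constraint would at least bound which `hashicorp/aws` release a user pulls.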
@@ -7,7 +13,7 @@ module "gateway_aws_example" {
 # Generate a token from the admin portal in Sites -> -> Deploy Gateway.
 # Only one token is needed for the cluster.
- firezone_token = "YOUR_FIREZONE_TOKEN"
+ firezone_token = local.firezone_token
 # Pick an AMI to use. We recommend Ubuntu LTS or Amazon Linux 2.
 base_ami = data.aws_ami_ids.ubuntu.ids[0]
@@ -51,7 +57,7 @@ data "aws_ami_ids" "ubuntu" {
 provider "aws" {
 # Change this to your desired region
- region = "us-east-1"
+ region = local.region
 }
 resource "aws_vpc" "main" {
diff --git a/terraform/examples/azure/nat-gateway/README.md b/terraform/examples/azure/nat-gateway/README.md
new file mode 100644
index 000000000..3df24f849
--- /dev/null
+++ b/terraform/examples/azure/nat-gateway/README.md
@@ -0,0 +1,4 @@
+# Deploy Firezone on Azure with Terraform
+
+See [our docs for a detailed guide](/kb/automate/terraform/azure) on deploying
+Firezone on Azure with Terraform using this example.
diff --git a/terraform/examples/azure/nat-gateway/main.tf b/terraform/examples/azure/nat-gateway/main.tf
new file mode 100644
index 000000000..2ed0bbdde
--- /dev/null
+++ b/terraform/examples/azure/nat-gateway/main.tf
@@ -0,0 +1,213 @@
+# Change these to match your environment
+locals {
+ location = "East US"
+ admin_ssh_key = file("~/.ssh/id_rsa.azure.pub")
+ firezone_token = "YOUR_FIREZONE_TOKEN"
+}
+
+module "azure_firezone_gateway" {
+ source = "github.com/firezone/firezone/terraform/modules/azure/firezone-gateway"
+
+ ###################
+ # Required inputs #
+ ###################
+
+ # Azure resource group information
+ resource_group_location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+
+ # Generate a token from the admin portal in Sites -> -> Deploy Gateway.
+ # Only one token is needed for the cluster.
+ firezone_token = local.firezone_token
+
+ # Attach the Gateways to your subnet.
+ private_subnet = azurerm_subnet.private.id
+
+ # Admin SSH public key. Must be RSA.
+ admin_ssh_key = local.admin_ssh_key
+
+ # Attach the Gateways to your NSG.
+ network_security_group_id = azurerm_network_security_group.firezone.id
+
+ # Attach the NAT Gateway
+ nat_gateway_id = azurerm_nat_gateway.firezone.id
+
+ ###################
+ # Optional inputs #
+ ###################
+
+ # Pick an image to use. Defaults to Ubuntu 22.04 LTS.
+ # source_image_reference {
+ # publisher = "Canonical"
+ # offer = "0001-com-ubuntu-server-jammy"
+ # sku = "22_04-lts"
+ # version = "latest"
+ # }
+
+ # Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
+ # firezone_version = "latest"
+
+ # Override the default API URL. This should almost never be needed.
+ # firezone_api_url = "wss://api.firezone.dev"
+
+ # Gateways are very lightweight. In general it's preferable to deploy
+ # more smaller Gateways than fewer larger Gateways if you need to scale
+ # horizontally.
+ # See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
+ # instance_type = "Standard_B1ls"
+
+ # We recommend a minimum of 3 instances for high availability.
+ # desired_capacity = 3
+}
+
+# Configure the Azure provider
+provider "azurerm" {
+ features {}
+}
+
+# Create a resource group in your preferred region
+resource "azurerm_resource_group" "firezone" {
+ name = "firezone-resources"
+ location = local.location
+}
+
+# Create a virtual network
+resource "azurerm_virtual_network" "firezone" {
+ name = "firezone-vnet"
+ address_space = ["172.16.0.0/16"]
+ location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+}
+
+# Create a public subnet
+resource "azurerm_subnet" "public" {
+ name = "firezone-public-subnet"
+ resource_group_name = azurerm_resource_group.firezone.name
+ virtual_network_name = azurerm_virtual_network.firezone.name
+ address_prefixes = ["172.16.0.0/24"]
+}
+
+# Create a private subnet
+resource "azurerm_subnet" "private" {
+ name = "firezone-private-subnet"
+ resource_group_name = azurerm_resource_group.firezone.name
+ virtual_network_name = azurerm_virtual_network.firezone.name
+ address_prefixes = ["172.16.1.0/24"]
+}
+
+# Create a public IP for the NAT gateway
+resource "azurerm_public_ip" "firezone" {
+ name = "firezone-pip"
+ location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+# OPTIONAL: Create a bastion to allow SSH access to the VMs which
+# can be helpful for debugging when setting up the Gateways.
+# After you're sure this configuration works, you can remove the bastion.
+resource "azurerm_bastion_host" "firezone" {
+ name = "firezone-bastion"
+ location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+ sku = "Standard"
+ tunneling_enabled = true
+
+ ip_configuration {
+ name = "firezone-bastion-ip"
+ subnet_id = azurerm_subnet.bastion.id
+ public_ip_address_id = azurerm_public_ip.firezone-bastion.id
+ }
+}
+resource "azurerm_public_ip" "firezone-bastion" {
+ name = "firezone-bastion-pip"
+ location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+resource "azurerm_subnet" "bastion" {
+ name = "AzureBastionSubnet"
+ resource_group_name = azurerm_resource_group.firezone.name
+ virtual_network_name = azurerm_virtual_network.firezone.name
+ address_prefixes = ["172.16.2.0/24"]
+}
+
+# Create a NAT gateway
+resource "azurerm_nat_gateway" "firezone" {
+ name = "firezone-nat-gateway"
+ location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+}
+
+# Create a NAT gateway association
+resource "azurerm_nat_gateway_public_ip_association" "firezone" {
+ nat_gateway_id = azurerm_nat_gateway.firezone.id
+ public_ip_address_id = azurerm_public_ip.firezone.id
+}
+
+# Associate the NAT gateway with the public subnet
+resource "azurerm_subnet_nat_gateway_association" "public" {
+ nat_gateway_id = azurerm_nat_gateway.firezone.id
+ subnet_id = azurerm_subnet.public.id
+}
+
+# Associate the NAT gateway with the private subnet
+resource "azurerm_subnet_nat_gateway_association" "private" {
+ nat_gateway_id = azurerm_nat_gateway.firezone.id
+ subnet_id = azurerm_subnet.private.id
+}
+
+# Create a network security group
+resource "azurerm_network_security_group" "firezone" {
+ name = "firezone-nsg"
+ location = azurerm_resource_group.firezone.location
+ resource_group_name = azurerm_resource_group.firezone.name
+
+ security_rule {
+ name
= "allow-ssh"
+ priority = 1001
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "172.16.0.0/24"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "allow-all-outbound"
+ priority = 1002
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "0-65535"
+ source_address_prefix = "*"
+ destination_address_prefix = "0.0.0.0/0"
+ }
+}
+
+# Attach the NSG to the public subnet
+resource "azurerm_subnet_network_security_group_association" "public" {
+ subnet_id = azurerm_subnet.public.id
+ network_security_group_id = azurerm_network_security_group.firezone.id
+}
+
+# Attach the NSG to the private subnet
+resource "azurerm_subnet_network_security_group_association" "private" {
+ subnet_id = azurerm_subnet.private.id
+ network_security_group_id = azurerm_network_security_group.firezone.id
+}
+
+output "nat_public_ip" {
+ description = "The public IP of the NAT gateway"
+ value = azurerm_public_ip.firezone.ip_address
+}
+
+output "bastion_public_ip" {
+ description = "The public IP of the bastion host"
+ value = azurerm_public_ip.firezone-bastion.ip_address
+}
diff --git a/terraform/examples/google-cloud/nat-gateway/main.tf b/terraform/examples/google-cloud/nat-gateway/main.tf
index b26ce6232..9eb183a58 100644
--- a/terraform/examples/google-cloud/nat-gateway/main.tf
+++ b/terraform/examples/google-cloud/nat-gateway/main.tf
@@ -1,4 +1,4 @@
-module "gateway_gcp_example" {
+module "google_firezone_gateway" {
 source = "github.com/firezone/firezone/terraform/modules/google-cloud/apps/gateway-region-instance-group"
 # If you are changing this example along with the module, you should use the local path:
 # source = "../../../modules/google-cloud/apps/gateway-region-instance-group"
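Review bot: The `allow-ssh` rule in `azurerm_network_security_group.firezone` admits only `172.16.0.0/24` (the public subnet, which holds nothing in this example), while the one SSH source the example creates is Azure Bastion in `AzureBastionSubnet` (`172.16.2.0/24`); as far as I can tell the bastion path works only because Azure's default `AllowVnetInBound` rule already permits all intra-VNet traffic, so the custom rule neither enables the bastion nor restricts anything. If SSH is meant to be reachable from the bastion only, point the rule at the bastion subnet with `source_address_prefix = azurerm_subnet.bastion.address_prefixes[0]` and add a lower-priority inbound rule with `access = "Deny"`, `source_address_prefix = "VirtualNetwork"`, `destination_port_range = "22"` so the default rule does not short-circuit it. `firezone_token = "YOUR_FIREZONE_TOKEN"` in `locals` steers users toward committing a live Gateway token into this downloadable `main.tf`; a `variable "firezone_token" { type = string sensitive = true }` fed from `TF_VAR_firezone_token` keeps it out of the repo, though it still lands in Terraform state. The comment `# Generate a token from the admin portal in Sites -> -> Deploy Gateway.` is missing the site name between the arrows, e.g. `Sites -> <your Site> -> Deploy Gateway`.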
diff --git a/terraform/modules/azure/firezone-gateway/main.tf b/terraform/modules/azure/firezone-gateway/main.tf
new file mode 100644
index 000000000..b17e16d3e
--- /dev/null
+++ b/terraform/modules/azure/firezone-gateway/main.tf
@@ -0,0 +1,61 @@
+resource "azurerm_orchestrated_virtual_machine_scale_set" "firezone" {
+ name = "firezone-vmss"
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+ sku_name = var.instance_type
+ instances = var.desired_capacity
+ platform_fault_domain_count = var.platform_fault_domain_count
+
+ source_image_reference {
+ publisher = var.source_image_reference.publisher
+ offer = var.source_image_reference.offer
+ sku = var.source_image_reference.sku
+ version = var.source_image_reference.version
+ }
+
+ network_interface {
+ name = "firezone-nic"
+ primary = true
+
+ # Required to egress traffic
+ enable_ip_forwarding = true
+
+ network_security_group_id = var.network_security_group_id
+
+ ip_configuration {
+ name = "internal"
+ primary = true
+ subnet_id = var.private_subnet
+ }
+ }
+
+ os_profile {
+ linux_configuration {
+ admin_username = var.admin_username
+
+ admin_ssh_key {
+ username = var.admin_username
+ public_key = var.admin_ssh_key
+ }
+ }
+
+ custom_data = base64encode(<<-EOF
+ #!/bin/bash
+ set -e
+
+ sudo apt-get update
+ sudo apt-get install -y curl uuid-runtime
+
+ FIREZONE_TOKEN="${var.firezone_token}" \
+ FIREZONE_VERSION="${var.firezone_version}" \
+ FIREZONE_NAME="${var.firezone_name}" \
+ FIREZONE_ID="$(uuidgen)" \
+ FIREZONE_API_URL="${var.firezone_api_url}" \
+ bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
+
+ EOF
+ )
+ }
+
+ tags = var.extra_tags
+}
diff --git a/terraform/modules/azure/firezone-gateway/variables.tf b/terraform/modules/azure/firezone-gateway/variables.tf
new file mode 100644
index 000000000..2a0d4c277
--- /dev/null
+++ b/terraform/modules/azure/firezone-gateway/variables.tf
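Review bot: The `custom_data` bootstrap runs `bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)`, so whatever is on the `main` branch at boot time executes as root on every Gateway, and instances added later by the scale set can bootstrap from a different script revision than their peers. For a module labelled production-ready I would pin the installer to an immutable ref (release tag or commit SHA) and verify a checksum before executing it, both exposed as module inputs, as sketched below (the two new variables would be declared in `variables.tf`). `${var.firezone_token}` is interpolated into the same `custom_data`, which means the token lives in Terraform state and, presumably, on each VM's disk wherever the provisioning agent persists custom data — worth a sentence in the module README. Minor: `sudo` is redundant because `custom_data` already runs as root, and `${var.firezone_name}` (default `$(hostname)`) is pasted unescaped into a bash command line, so a value containing `"` or `$` would break or be evaluated by the shell.

```hcl
      custom_data = base64encode(<<-EOF
        #!/bin/bash
        set -euo pipefail

        apt-get update
        apt-get install -y curl uuid-runtime

        # Pin the installer to an immutable ref and verify it before it runs as root.
        curl -fsSL "https://raw.githubusercontent.com/firezone/firezone/${var.installer_ref}/scripts/gateway-systemd-install.sh" \
          -o /tmp/gateway-systemd-install.sh
        echo "${var.installer_sha256}  /tmp/gateway-systemd-install.sh" | sha256sum -c -

        FIREZONE_TOKEN="${var.firezone_token}" \
        FIREZONE_VERSION="${var.firezone_version}" \
        FIREZONE_NAME="${var.firezone_name}" \
        FIREZONE_ID="$(uuidgen)" \
        FIREZONE_API_URL="${var.firezone_api_url}" \
        bash /tmp/gateway-systemd-install.sh
      EOF
      )
```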
@@ -0,0 +1,100 @@
+variable "resource_group_location" {
+ description = "The location for the resource group"
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "The name of the resource group"
+ type = string
+}
+
+variable "source_image_reference" {
+ description = "The source image reference for the instances"
+ type = object({
+ publisher = string
+ offer = string
+ sku = string
+ version = string
+ })
+
+ default = {
+ publisher = "Canonical"
+ offer = "0001-com-ubuntu-server-jammy"
+ sku = "22_04-lts"
+ version = "latest"
+ }
+}
+
+variable "instance_type" {
+ description = "The instance type"
+ type = string
+ default = "Standard_B1ls"
+}
+
+variable "desired_capacity" {
+ description = "The desired number of instances"
+ type = number
+ default = 3
+}
+
+variable "admin_username" {
+ description = "The admin username"
+ type = string
+ default = "firezone"
+}
+
+variable "admin_ssh_key" {
+ description = "The admin SSH public key"
+ type = string
+}
+
+variable "firezone_token" {
+ description = "The Firezone token"
+ type = string
+ sensitive = true
+}
+
+variable "firezone_version" {
+ description = "The Gateway version to deploy"
+ type = string
+ default = "latest"
+}
+
+variable "firezone_name" {
+ description = "Name for the Gateways used in the admin portal"
+ type = string
+ default = "$(hostname)"
+}
+
+variable "firezone_api_url" {
+ description = "The Firezone API URL"
+ type = string
+ default = "wss://api.firezone.dev"
+}
+
+variable "private_subnet" {
+ description = "The private subnet ID"
+ type = string
+}
+
+variable "network_security_group_id" {
+ description = "The network security group id to attach to the instances"
+ type = string
+}
+
+variable "extra_tags" {
+ description = "Extra tags to attach to the instances"
+ type = map(string)
+ default = { "Name" = "firezone-gateway-instance" }
+}
+
+variable "platform_fault_domain_count" {
+ description = "The number of fault domains"
+ type = number
+ default = 3
+}
+
+variable "nat_gateway_id" { + description = "The NAT gateway ID" + type = string +} diff --git a/website/public/images/kb/automate/azure-logo.svg b/website/public/images/kb/automate/azure-logo.svg new file mode 100644 index 000000000..0b6479f8e --- /dev/null +++ b/website/public/images/kb/automate/azure-logo.svg @@ -0,0 +1,20 @@ + + + + + + + + + image/svg+xml + + + + + + + + + + + \ No newline at end of file diff --git a/website/public/images/kb/automate/terraform/aws/gateways.png b/website/public/images/kb/automate/terraform/aws/gateways.png new file mode 100644 index 000000000..c82f337ab Binary files /dev/null and b/website/public/images/kb/automate/terraform/aws/gateways.png differ diff --git a/website/public/images/kb/automate/terraform/azure/gateways.png b/website/public/images/kb/automate/terraform/azure/gateways.png new file mode 100644 index 000000000..c82f337ab Binary files /dev/null and b/website/public/images/kb/automate/terraform/azure/gateways.png differ diff --git a/website/src/app/kb/administer/troubleshooting/readme.mdx b/website/src/app/kb/administer/troubleshooting/readme.mdx index 787381b22..4667c5caa 100644 --- a/website/src/app/kb/administer/troubleshooting/readme.mdx +++ b/website/src/app/kb/administer/troubleshooting/readme.mdx @@ -13,7 +13,25 @@ If you're trying to deploy a new Gateway and it's not connecting, try running some of the troubleshooting commands below to diagnose the issue. - + + +If you deployed the Gateway using one of our [Terraform examples](/kb/automate), +the Gateways are configured using the systemd deployment method. + +Obtain a shell on the affected Gateway and check the status of the service: + +```bash +sudo systemctl status firezone-gateway +``` + +Check the logs with: + +```bash +sudo journalctl -u firezone-gateway.service +``` + + + Check that the container is running: diff --git a/website/src/app/kb/automate/readme.mdx b/website/src/app/kb/automate/readme.mdx index c84f9b7db..c52193bf5 100644 
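Review bot: `nat_gateway_id` is declared with no default, so every caller must pass it, but the module's `main.tf` added in this commit never references `var.nat_gateway_id` (the NAT association is done per subnet in the example), leaving a mandatory input with no effect; either remove it or give it `default = null` and say in the description that it is currently unused. `firezone_token` is rightly `sensitive = true`, but a `validation { condition = var.firezone_token != "YOUR_FIREZONE_TOKEN" error_message = "Set a real Gateway token." }` would catch the placeholder copied from the examples before anything is deployed. `firezone_name` defaults to the literal `"$(hostname)"`, which only works because the bootstrap script pastes the value into a bash command line unescaped; the description should state that the value is shell-evaluated, or the expansion should move into the script. `source_image_reference.version = "latest"` means instances added on scale-out may boot a different image build than the originals, so the description could recommend pinning a version for production use.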
--- a/website/src/app/kb/automate/readme.mdx +++ b/website/src/app/kb/automate/readme.mdx @@ -45,6 +45,19 @@ Firezone on your infrastructure. + Terraform + + Azure + + }> + Deploy a scalable cluster of Firezone Gateways behind a NAT gateway on Azure + with a single egress IP. + + + + + It can take a few minutes for the Firezone Gateway(s) to provision and connect + to the portal. If you suspect the Gateway(s) are not connecting, follow the + instructions in the [troubleshooting guide](/kb/administer/troubleshooting) to + diagnose the issue. + + +After a few minutes, you should see the Firezone Gateway(s) appear in the +Firezone admin portal. You can now configure your Resources to use the new +Firezone Gateway(s) you just provisioned. + ## Upgrading -To upgrade the Firezone Gateway(s) to the latest version, simply update the -`token` and issue a `terraform apply` which will trigger a redeployment of the -Firezone Gateway(s). +To upgrade the Firezone Gateway(s) to the latest version, we recommend setting a +version to deploy with the `firezone_version` variable. Then, whenever you want +to upgrade, update this variable and run `terraform apply`, which will trigger a +new deployment of the Firezone Gateway(s) with the new version. + + + You can follow the latest releases of the Gateway at our [changelog + page](https://www.firezone.dev/changelog). + This will incur a few minutes of downtime as Terraform destroys the existing Firezone Gateway(s) and deploys new ones in their place. diff --git a/website/src/app/kb/automate/terraform/azure/_page.tsx b/website/src/app/kb/automate/terraform/azure/_page.tsx new file mode 100644 index 000000000..8f8abd30f --- /dev/null +++ b/website/src/app/kb/automate/terraform/azure/_page.tsx @@ -0,0 +1,6 @@ +"use client"; +import Content from "./readme.mdx"; + +export default function _Page() { + return ; +} 
diff --git a/website/src/app/kb/automate/terraform/azure/page.tsx b/website/src/app/kb/automate/terraform/azure/page.tsx new file mode 100644 index 000000000..4d9c4b368 --- /dev/null +++ b/website/src/app/kb/automate/terraform/azure/page.tsx @@ -0,0 +1,17 @@ +import { Metadata } from "next"; +import _Page from "./_page"; +import LastUpdated from "@/components/LastUpdated"; + +export const metadata: Metadata = { + title: "Deploy Firezone on Azure • Firezone Docs", + description: "Example Terraform configuration to deploy Firezone on Azure.", +}; + +export default function Page() { + return ( + <> + <_Page /> + + + ); +} diff --git a/website/src/app/kb/automate/terraform/azure/readme.mdx b/website/src/app/kb/automate/terraform/azure/readme.mdx new file mode 100644 index 000000000..6b7cd383e --- /dev/null +++ b/website/src/app/kb/automate/terraform/azure/readme.mdx 
@@ -0,0 +1,123 @@ +import SupportOptions from "@/components/SupportOptions"; +import Alert from "@/components/DocsAlert"; +import Image from "next/image"; + +# Deploy Firezone on Azure with Terraform + +In this guide, we'll deploy a cluster of Firezone Gateways in a private subnet +on Azure that are configured to egress traffic to the internet through an +[Azure NAT Gateway](https://azure.microsoft.com/en-us/products/azure-nat-gateway). + +## Common use cases + +Use this guide to give your Firezone Clients a static, public IP address for +egress traffic to particular Resource(s). Here are some common use cases for +this example: + +- Access your protected Azure workloads using with scalable, high-performance + WireGuard tunnels. +- Use an IP allowlist to access a third-party or partner application such as a + client's DB or third-party API. +- Use an IP allowlist with your identity provider to lock down access to a + public application. +- Enabling a team of remote contractors access to a regionally-locked + application or service. + +## High availability + +All Firezone Gateways deployed in this example will automatically failover and +load balance for each other. + +## Prerequisites + +1. [Terraform](https://www.terraform.io/downloads.html) +1. [Azure account](https://portal.azure.com) with the necessary permissions to + create the resources. +1. Set up your Terraform environment to work with Azure. See + [this tutorial](https://developer.hashicorp.com/terraform/tutorials/azure-get-started/azure-build) + if you haven't yet done so. +1. A [Firezone Site](https://www.firezone.dev/kb/deploy/sites) dedicated to use + for this example. This Site should contain **only** the Firezone Gateway(s) + deployed in this example and any associated Resources. +1. A Firezone Gateway token. This can be obtained by viewing your Site in the + admin portal, clicking the `Deploy Gateway` button, and navigating to the + instructions for the `Azure` tab. 
Gateway tokens support multi-use, so only a + single token is needed to provision the Firezone Gateways in this guide. + +## Sizing + +Simply update the number of `desired_capacity` to deploy more or fewer Firezone +Gateways. There's no limit to the number of Firezone Gateways you can deploy in +a single Vnet. A basic Azure Autoscale configuration is provisioned as part of +the linked module. + +We've tested with `Standard_B1ls` instances which still work quite well for most +applications. However, you may want to consider a larger instance type if you +have a high volume of traffic or lots of concurrent connections. + +## Deployment + +1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/azure/nat-gateway/main.tf) + the `main.tf` from the example module. +1. Customize it as desired. At a minimum, you will need to set the + `firezone_token` and change `admin_ssh_key` to match your environment. +1. Run `terraform init` to initialize the working directory and download the + required providers. +1. Run `terraform apply` to deploy the Firezone Gateway(s) into your AWS + project. + +You can see the IP address assigned to the NAT Gateway in the Terraform output. +These are the IP address that your Firezone Gateway(s) will share to egress +traffic. + +Firezone Gateways in the Azure portal + + + It can take a few minutes for the Firezone Gateway(s) to provision and connect + to the portal. If you suspect the Gateway(s) are not connecting, follow the + instructions in the [troubleshooting guide](/kb/administer/troubleshooting) to + diagnose the issue. + + + + Azure disables ICMP for VMs without a public IP attached, so you won't be able + to ping internet hosts from the Firezone Gateway(s) or vice versa. This is + normal and expected. TCP and UDP traffic will work as expected using the + example configuration in this guide. + + +After a few minutes, you should see the Firezone Gateway(s) appear in the +Firezone admin portal. 
You can now configure your Resources to use the new +Firezone Gateway(s) you just provisioned. + +## Upgrading + +To upgrade the Firezone Gateway(s) to the latest version, we recommend setting a +version to deploy with the `firezone_version` variable. Then, whenever you want +to upgrade, update this variable and run `terraform apply`, which will trigger a +new deployment of the Firezone Gateway(s) with the new version. + + + You can follow the latest releases of the Gateway at our [changelog + page](https://www.firezone.dev/changelog). + + +This will incur a few minutes of downtime as Terraform destroys the existing +Firezone Gateway(s) and deploys new ones in their place. + +## Output + +`nat_public_ip` will contain the public IP address of the NAT Gateway you can +use to whitelist your Firezone Gateway(s) in your third-party or partner +application. + +# Cleanup + +To clean up the resources created by this example, run `terraform destroy`. + + diff --git a/website/src/app/kb/automate/terraform/gcp/readme.mdx b/website/src/app/kb/automate/terraform/gcp/readme.mdx index 2307df127..88de75908 100644 --- a/website/src/app/kb/automate/terraform/gcp/readme.mdx +++ b/website/src/app/kb/automate/terraform/gcp/readme.mdx 
@@ -38,10 +38,10 @@ load balance for each other. No other configuration is necessary. 1. A [Firezone Site](/kb/deploy/sites) dedicated to use for this example. This Site should contain **only** the Firezone Gateway(s) deployed in this example and any associated Resources. -1. A Firezone Gateway token. See - [Multiple Gateways](/kb/deploy/gateways#deploy-multiple-gateways) for - instructions on how to obtain a Firezone Gateway token that can be used - across multiple instances. +1. A Firezone Gateway token. This can be obtained by viewing your Site in the + admin portal, clicking the `Deploy Gateway` button, and navigating to the + instructions for the `GCP` tab. Gateway tokens support multi-use, so only a + single token is needed to provision the Firezone Gateways in this guide. ## Sizing @@ -94,12 +94,18 @@ listed as `Online`. ## Upgrading -To upgrade the Firezone Gateway(s) to the latest version, simply update the -`token` and issue a `terraform apply` which will trigger a redeployment of the -Firezone Gateway(s). +To upgrade the Firezone Gateway(s) to the latest version, we recommend setting a +version to deploy with the `vsn` variable. Then, whenever you want to upgrade, +update this variable and run `terraform apply`, which will trigger a new +deployment of the Firezone Gateway(s) with the new version. -This will incur about a minute or two of downtime as Terraform destroys the -existing Firezone Gateway(s) and deploys new ones in their place. + + You can follow the latest releases of the Gateway at our [changelog + page](https://www.firezone.dev/changelog). + + +This will incur a few minutes of downtime as Terraform destroys the existing +Firezone Gateway(s) and deploys new ones in their place. ## Output diff --git a/website/src/app/kb/use-cases/saas-app-access/readme.mdx b/website/src/app/kb/use-cases/saas-app-access/readme.mdx index 9e3573e7c..4a00f4e15 100644 --- a/website/src/app/kb/use-cases/saas-app-access/readme.mdx 
+++ b/website/src/app/kb/use-cases/saas-app-access/readme.mdx @@ -27,9 +27,8 @@ into an **app connector** for SaaS applications that support IP allowlists. haven't already. - One or more Gateways deployed within the Site in a NAT Gateway configuration. See [Route traffic through a public IP](/kb/use-cases/nat-gateway) for how to - deploy a single NAT Gateway, or see our - [Terraform examples](https://www.github.com/firezone/firezone/tree/main/terraform/examples) - for examples on how to automate deploying multiple Gateways to various cloud + deploy a single NAT Gateway, or see our [Terraform examples](/kb/automate) for + examples on how to automate deploying multiple Gateways to various cloud providers. - Any SaaS app that supports IP allowlists, configured to allow the public IP address(es) of the Gateway(s) you want to use. diff --git a/website/src/app/kb/use-cases/scale-vpc-access/readme.mdx b/website/src/app/kb/use-cases/scale-vpc-access/readme.mdx index 60d908a5b..4b4ccfd56 100644 --- a/website/src/app/kb/use-cases/scale-vpc-access/readme.mdx +++ b/website/src/app/kb/use-cases/scale-vpc-access/readme.mdx @@ -31,10 +31,8 @@ balanced across multiple Gateways for high availability. [Deploy a Gateway](/kb/deploy/gateways) if you haven't done so yet. - See our [Terraform - examples](https://www.github.com/firezone/firezone/tree/main/terraform/examples) - for examples on how to automate deploying multiple Gateways to various cloud - providers. + See our [Terraform examples](/kb/automate) to learn how to automate + deployments to various cloud providers. ## Step 1: Create a Resource diff --git a/website/src/components/KbSidebar/index.tsx b/website/src/components/KbSidebar/index.tsx index da4c16b10..590b68636 100644 --- a/website/src/components/KbSidebar/index.tsx +++ b/website/src/components/KbSidebar/index.tsx @@ -68,6 +68,9 @@ export default function KbSidebar() { Terraform + GCP + + Terraform + Azure + Docker Compose