diff --git a/data/hostname/indexer-worker01.euwest.azure.internal.softwareheritage.org.yaml b/data/hostname/indexer-worker01.euwest.azure.internal.softwareheritage.org.yaml --- a/data/hostname/indexer-worker01.euwest.azure.internal.softwareheritage.org.yaml +++ b/data/hostname/indexer-worker01.euwest.azure.internal.softwareheritage.org.yaml @@ -17,3 +17,5 @@ - relatime - rw +swh::deploy::waagent::swap::enable: y +swh::deploy::waagent::swap::size_mb: 14336 diff --git a/data/hostname/indexer-worker02.euwest.azure.internal.softwareheritage.org.yaml b/data/hostname/indexer-worker02.euwest.azure.internal.softwareheritage.org.yaml --- a/data/hostname/indexer-worker02.euwest.azure.internal.softwareheritage.org.yaml +++ b/data/hostname/indexer-worker02.euwest.azure.internal.softwareheritage.org.yaml @@ -17,3 +17,5 @@ - relatime - rw +swh::deploy::waagent::swap::enable: y +swh::deploy::waagent::swap::size_mb: 14336 diff --git a/data/hostname/indexer-worker03.euwest.azure.internal.softwareheritage.org.yaml b/data/hostname/indexer-worker03.euwest.azure.internal.softwareheritage.org.yaml --- a/data/hostname/indexer-worker03.euwest.azure.internal.softwareheritage.org.yaml +++ b/data/hostname/indexer-worker03.euwest.azure.internal.softwareheritage.org.yaml @@ -17,3 +17,5 @@ - relatime - rw +swh::deploy::waagent::swap::enable: y +swh::deploy::waagent::swap::size_mb: 14336 diff --git a/data/hostname/indexer-worker04.euwest.azure.internal.softwareheritage.org.yaml b/data/hostname/indexer-worker04.euwest.azure.internal.softwareheritage.org.yaml --- a/data/hostname/indexer-worker04.euwest.azure.internal.softwareheritage.org.yaml +++ b/data/hostname/indexer-worker04.euwest.azure.internal.softwareheritage.org.yaml @@ -16,3 +16,5 @@ - relatime - rw +swh::deploy::waagent::swap::enable: y +swh::deploy::waagent::swap::size_mb: 14336 
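Review bot: The added `swh::deploy::waagent::swap::enable: y` is an unquoted scalar that YAML 1.1 lists among its boolean spellings, so whether it reaches the template as the string `y` depends on the loader. Quoting it as `swh::deploy::waagent::swap::enable: 'y'` removes the ambiguity. The same applies to the identical additions in the indexer-worker02 to indexer-worker06 files. A comment such as `# written verbatim into /etc/waagent.conf as ResourceDisk.EnableSwap` would also tell the next editor why the value is `y` rather than `true`.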
diff --git a/data/hostname/indexer-worker05.euwest.azure.internal.softwareheritage.org.yaml b/data/hostname/indexer-worker05.euwest.azure.internal.softwareheritage.org.yaml --- a/data/hostname/indexer-worker05.euwest.azure.internal.softwareheritage.org.yaml +++ b/data/hostname/indexer-worker05.euwest.azure.internal.softwareheritage.org.yaml @@ -16,3 +16,5 @@ - relatime - rw +swh::deploy::waagent::swap::enable: y +swh::deploy::waagent::swap::size_mb: 14336 diff --git a/data/hostname/indexer-worker06.euwest.azure.internal.softwareheritage.org.yaml b/data/hostname/indexer-worker06.euwest.azure.internal.softwareheritage.org.yaml --- a/data/hostname/indexer-worker06.euwest.azure.internal.softwareheritage.org.yaml +++ b/data/hostname/indexer-worker06.euwest.azure.internal.softwareheritage.org.yaml @@ -16,3 +16,5 @@ - relatime - rw +swh::deploy::waagent::swap::enable: y +swh::deploy::waagent::swap::size_mb: 14336 diff --git a/site-modules/profile/manifests/swh/deploy/waagent.pp b/site-modules/profile/manifests/swh/deploy/waagent.pp new file mode 100644 --- /dev/null +++ b/site-modules/profile/manifests/swh/deploy/waagent.pp @@ -0,0 +1,17 @@ +class profile::swh::deploy::waagent { + $filepath = '/etc/waagent.conf' + + $swap = lookup('swh::deploy::waagent::swap::enable', default_value => 'n') + $swap_size = lookup('swh::deploy::waagent::swap::size_mb', default_value => '0') + + # Template uses: + # $swap + # $swap_size + file {$filepath: + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => template('profile/swh/deploy/waagent/waagent.conf.erb'), + } +} diff --git a/site-modules/profile/templates/swh/deploy/waagent/waagent.conf.erb b/site-modules/profile/templates/swh/deploy/waagent/waagent.conf.erb new file mode 100644 --- /dev/null +++ b/site-modules/profile/templates/swh/deploy/waagent/waagent.conf.erb 
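Review bot: Both `lookup()` calls in the new `profile::swh::deploy::waagent` class accept any Hiera value, and the template writes it unescaped into the root-owned `/etc/waagent.conf`, so a typo or a multi-line string in host data would end up as agent configuration. Constraining the types catches that at catalog compilation: `lookup('swh::deploy::waagent::swap::enable', {value_type => Enum['y', 'n'], default_value => 'n'})` and `lookup('swh::deploy::waagent::swap::size_mb', {value_type => Integer[0], default_value => 0})`. The integer default also matches the unquoted `14336` in the host files, where the current default is the string `'0'`. The class declares no `notify` to an agent service, so it is worth confirming how a running agent picks up a changed file.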
@@ -0,0 +1,135 @@
+##
+# File managed by puppet (class profile::swh::deploy::waagent), changes will be lost.
+
+#
+# Microsoft Azure Linux Agent Configuration
+#
+
+# Enable instance creation
+Provisioning.Enabled=y
+
+# Enable extension handling. Do not disable this unless you do not need password reset,
+# backup, monitoring, or any extension handling whatsoever.
+Extensions.Enabled=y
+
+# Rely on cloud-init to provision
+Provisioning.UseCloudInit=n
+
+# Password authentication for root account will be unavailable.
+Provisioning.DeleteRootPassword=y
+
+# Generate fresh host key pair.
+Provisioning.RegenerateSshHostKeyPair=y
+
+# Supported values are "rsa", "dsa", "ecdsa", "ed25519", and "auto".
+# The "auto" option is supported on OpenSSH 5.9 (2011) and later.
+Provisioning.SshHostKeyPairType=auto
+
+# Monitor host name changes and publish changes via DHCP requests.
+Provisioning.MonitorHostName=y
+
+# Decode CustomData from Base64.
+Provisioning.DecodeCustomData=n
+
+# Execute CustomData after provisioning.
+Provisioning.ExecuteCustomData=n
+
+# Algorithm used by crypt when generating password hash.
+#Provisioning.PasswordCryptId=6
+
+# Length of random salt used when generating password hash.
+#Provisioning.PasswordCryptSaltLength=10
+
+# Allow reset password of sys user
+Provisioning.AllowResetSysUser=n
+
+# Format if unformatted. If 'n', resource disk will not be mounted.
+ResourceDisk.Format=y
+
+# File system on the resource disk
+# Typically ext3 or ext4. FreeBSD images should use 'ufs2' here.
+ResourceDisk.Filesystem=ext4
+
+# Mount point for the resource disk
+ResourceDisk.MountPoint=/mnt/resource
+
+# Create and use swapfile on resource disk.
+ResourceDisk.EnableSwap=<%= @swap %>
+
+# Size of the swapfile.
+ResourceDisk.SwapSizeMB=<%= @swap_size %>
+
+# Comma-seperated list of mount options. See man(8) for valid options.
+ResourceDisk.MountOptions=None
+
+# Enable verbose logging (y|n)
+Logs.Verbose=n
+
+# Enable Console logging, default is y
+# Logs.Console=y
+
+# Is FIPS enabled
+OS.EnableFIPS=n
+
+# Root device timeout in seconds.
+OS.RootDeviceScsiTimeout=300
+
+# If "None", the system default version is used.
+OS.OpensslPath=None
+
+# Set the SSH ClientAliveInterval
+# OS.SshClientAliveInterval=180
+
+# Set the path to SSH keys and configuration files
+OS.SshDir=/etc/ssh
+
+# If set, agent will use proxy server to access internet
+#HttpProxy.Host=None
+#HttpProxy.Port=None
+
+# Detect Scvmm environment, default is n
+# DetectScvmmEnv=n
+
+#
+# Lib.Dir=/var/lib/waagent
+
+#
+# DVD.MountPoint=/mnt/cdrom/secure
+
+#
+# Pid.File=/var/run/waagent.pid
+
+#
+# Extension.LogDir=/var/log/azure
+
+#
+# Home.Dir=/home
+
+# Enable RDMA management and set up, should only be used in HPC images
+# OS.EnableRDMA=y
+
+# Enable or disable goal state processing auto-update, default is enabled
+AutoUpdate.Enabled=n
+
+# Determine the update family, this should not be changed
+# AutoUpdate.GAFamily=Prod
+
+# Determine if the overprovisioning feature is enabled. If yes, hold extension
+# handling until inVMArtifactsProfile.OnHold is false.
+# Default is enabled
+# EnableOverProvisioning=y
+
+# Allow fallback to HTTP if HTTPS is unavailable
+# Note: Allowing HTTP (vs. HTTPS) may cause security risks
+# OS.AllowHTTP=n
+
+# Add firewall rules to protect access to Azure host node services
+# Note:
+# - The default is false to protect the state of existing VMs
+OS.EnableFirewall=n
+
+# Enforce control groups limits on the agent and extensions
+CGroups.EnforceLimits=n
+
+# CGroups which are excluded from limits, comma separated
+CGroups.Excluded=customscript,runcommand
diff --git a/site-modules/role/manifests/swh_worker_azure.pp b/site-modules/role/manifests/swh_worker_azure.pp
--- a/site-modules/role/manifests/swh_worker_azure.pp
+++ b/site-modules/role/manifests/swh_worker_azure.pp
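Review bot: `OS.EnableFirewall=n` is hard-coded near the end of the template, so on every host that includes this class the agent will not add the rules that the comment above it describes as protecting access to Azure host node services. If that is deliberate, a one-line comment giving the reason would help; otherwise expose it the way the swap settings are, e.g. `OS.EnableFirewall=<%= @enable_firewall %>` backed by a Hiera lookup with an explicit default. `AutoUpdate.Enabled=n` deserves the same short rationale, since it presumably leaves agent fixes to whatever installs the package. Separately, `ResourceDisk.EnableSwap` puts swap on the resource disk, so process memory can be paged onto that disk; whether that is acceptable for these workers is not visible here.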
@@ -2,4 +2,5 @@ class role::swh_worker_azure inherits role::swh_worker { include ::profile::swh::deploy::objstorage_cloud + include ::profile::swh::deploy::waagent }