General
We would like to deploy a service that sends e-mail notifications. Do you have any relay servers that we can use?
Yes we do provide a SMTP relaying service. Kindly raise a request via eRFS “SMTP Relaying” where you will need to provide the VM IPs that you will be using.
Once the request is complete, you will then be provided with the necessary information and settings to use.
I cannot access the Billing Portal. I am getting an error that the browser is not supported!
The Billing Portal is supported on:
- Chrome (Version 63 or later)
- Edge (Version 16 or later)
- Opera (Version 50 or later)
- FireFox is not supported on the Billing Portal
How are Operating System updates/hotfixes managed?
MITA endeavors to provide the consumer with the latest operating system images for the purposes of VM provisioning. However, MITA will not be managing any updates, hotfixes, or anti-malware definitions of VMs – The VM owner wholly responsible for this.
I made a mistake – Can I rename my resources?
You will have to recreate your resources again.
My Windows VM has unexpectedly restarted last night! Did you perform any maintenance?
Kindly check your Windows Update settings and configure the maintenance windows accordingly. MITA does not manage, nor has any control over any of the VMs, and their OS settings.
Can I make specific changes to memory or vCPU?
You can only choose the VM sizes that are available.
I can only find three sizes when provisioning a VM. Are there more sizes available?
You can choose any VM size to start with, and then go to VM Settings -> Size to find the full range of VM sizes available.
My VM is corrupted / I lost my VM, etc.. How can I recover it?
*** This only applies to VMs that have Backups enabled ***
*** VM disks will no longer be managed and will be saved on the Storage Account of your Resource Group ***
Please raise a task with the call centre. We have the ability to recreate the VM using the backup point of your choice. Once the recreation operation is complete, you will find your VM within your resource group with the disks saved within your storage account.
I requested one Resource Group on Azure Stack but i have another one on Azure Cloud. What is this second Resource Group for? Will i be charged for it?
Due to the limitations of the on-premises Microsoft Azure Stack, a separate Azure Monitor & Automation Resource Group is created for you on the off-premises Microsoft Azure Cloud’s West Europe datacentre and all logs are automatically shipped from Azure Stack to this extra Resource Group. You must access the public Azure via https://portal.azure.com in order to view the Monitoring Dashboard and consume the necessary features.
However, if you have only requested to have a Resource Group on the off-premises Azure Cloud, then all Azure Monitor features can be consumed within the same Resource Group.
You will be charged at the rate indicated within the billing calculator only if you choose to create resources on the second Resource Group
Network
I want to link my resources on the MAGNET with my Azure VM. I created an NSG rule from the MAGNET IP towards the VM, but access is still blocked
Firstly, create a NSG rule that would allow access from any sources and test again. If it works:
- Try to find out the exact outgoing IP and ports that are being used to connect to the Azure VM by either checking documentation, or using a network analysis tool
- Amend your NSG rules using the accurate IP and/or ports
If you still cannot connect to your VM even with an NSG rule allowing all sources, then please raise an eRFS for Network Access Configuration stating the source ip/subnet, destination ip/subnet, and ports used. Once access is granted, test the above again and amend your NSG rules accordingly.
I added multiple IP addresses to my VM's NIC but i cannot use them / I added multiple IP addresses to my frontend VM and now i cannot connect!
Please note that Azure does not configure the OS NICs for you when you add extra IPs on the portal. You will have to do this yourself.
Therefore, once you add extra IP addresses to your NIC, you will have to:
- Change the IP to Static instead of Dynamic
- Configure the static IPs manually within your OS
For more information please follow the Microsoft User Guide:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal
**** IMPORTANT NOTES ****
If the VM is on the frontend using a public IP, then please add the extra IP address to the NIC within the Operating System BEFORE you add it in the Azure Portal. Otherwise, you will have to proxyjump from another VM hosted on the frontend as the VM will be disconnected
Ubuntu 18.04 uses NETPLAN instead of legacy ifup and ifdown. Therefore, you will need to add the IP addresses in the file /etc/netplan/50-cloud-init.yaml instead of /etc/network/interfaces
Once there, add the IP addresses similarly to below:
network:
version: 2
ethernets:
eth0:
dhcp4: true *** Keep this True – Doesn’t work when you disable it***
addresses: [YOUR.IP.ADDRESS.HERE/28, YOUR.IP.ADDRESS.HERE/28] *** This is the new addition ***
Once done, run “netplan try” to ensure that there are no syntax errors. If all is well then run “netplan apply”
Can I have a public IP on the backend?
You can only have a public IP on the frontend
I want to create a NSG rule to only allow my VPN subnet to connect via RDP. How can I do this?
All government and contractor VPN profiles have dedicated subnets. To find your subnet range:
- Send a request for your VPN profile’s subnet information to callcentre.mita@gov.mt
- Once you receive the subnet (e.g 88.203.17.0/28) enter the subnet exactly as given into the “Source IP/Subnet” section of the NSG rule whilst remembering to keep the source port as * . You can now also enter multiple subnets in the source field in a comma-delimited list rather than having to create multiple rules.
Once done, you should be able to connect to your VMs.
My VM has internet access, but I cannot connect using ports other than 80 & 443
All provisioned VMs fall under MITA’s general internet package which blocks non-standard internet ports. Therefore, an eRFS for network access stating the source IP/subnet, destination IP/subnet, and the ports used. This request will then be vetted by MITA’s security centre who will then direct it to the MITA network’s team to open access accordingly.
I provisioned a VM but cannot connect to it!
By default, all Network Security Groups are configured to block all incoming traffic until you specifically create an incoming rule to allow it. Follow the steps outlined in the User Guide to configure your NSG.
I provisioned a VM on the frontend subnet. How do I connect to it?
VMs on the frontend must have a Public IP and all incoming and outgoing traffic must go through the public IP. The private IP on the frontend is only used for server to server traffic.
You can easily create a public IP by clicking on “Add a Resource” on the left menu bar and finding “Public IP Address”. You must then associate this public IP to your VM in order to get an IP assigned. Once the IP is assigned please set it to “static” instead of “dynamic” to keep any firewall rules (NSG and/or MITA) accurate.
I have a VM provisioned on the frontend subnet with a public IP, but i cannot connect to it
By default no ports are allowed incoming into the frontend VM from the Internet. From MAGNET and VPN, you may use any ports deemed necessary so as long as there is a rule created for them on the NSG.
To allow incoming traffic from the Internet , an eRFS is required for network access stating the source IP/subnet, destination IP/subnet, and the ports used. This request will then be vetted by MITA’s security centre who will then direct it to the MITA network’s team to open access accordingly.
You can also make use of MITA’s Web-Application Firewall service (WAF) instead of the above where traffic will hit the WAF before being safely directed to your VM. Please raise an eRFS with the MITA Internet & Web Hosting team to benefit from this service.
I have a VM provisioned on the backend subnet, but I cannot connect to my servers within MAGNET. How can I establish communication between them?
My project does not need any resources from MAGNET and will be strictly serving Internet clients. How shall I go about doing this?
You may provision all of your VMs on the Frontend subnet and use the NSG to filter any traffic as you see fit. Incoming traffic is blocked by MITA and requires an eRFS to be raised should you wish traffic to be directed at the VM. If you would like to make use of our WAF server then you can raise an eRFS with the MITA Internet & Web Hosting team.
I created multiple containers using Docker/Kubernetes on my VM with virtual NICs but now i cannot connect to my VM from the VPN! Other VMs work fine/ I can connect to the VM from my MAGNET PC.
You have created a virtual NIC with a subnet that has overlapped the subnet of the VPN. Whilst this does not disrupt anything outside of your VM, Docker has edited the routetable of the VM to route outgoing traffic meant for VPN to go to the Docker container interface rather than the main VM NIC. You will need to do the following:
- Open the Forticlient Console to find your VPN IP and subnet
- ProxyJump from another VM to the affected VM
- Find the container VNIC that is disrupting communication and change the IP address making sure not to use the same subnet as your VPN connection
You can also follow this guide: https://www.lullabot.com/articles/fixing-docker-and-vpn-ip-address-conflicts
I want to host a Website On-Premise. Do you have a WAF that i can use?
Please raise an eRFS with the MITA Internet & Web-Hosting Team to have your website hosted behind the MITA WAF to protect incoming Internet Traffic. Note that in this case you can have all VMs placed on the Backend rather than on the frontend as the WAF securely directs the traffic from the public towards your private VM.
Can I move resources from the backend to the frontend and vice-versa, or to another resource group?
You cannot move resources outside of your Resource Group.
Access
I want to give my suppliers/contractors access to configure the servers and setup the applications, BUT I do not want them to access my resource group. What can i do?
You can create the resources yourself on the portal, logon to the server, and create local or AD accounts giving access to the server. Remember to create an NSG rule to allow them to connect to the servers as well!
I have suppliers/contractors that I want to give access to my Resource Group. What kind of accesses can I give them?
There are two types of permissions that you can raise an eRFS for:
Contributor Permissions – This gives the permission to create and edit all resources within the Resource Group, but not to assign or change permissions.
Read-Only – This gives the permission to view all the resources within the Resource Group without the ability to make any changes.
I gave contributor access to my suppliers/contractors. How will I know what is currently being used, and how much I will be charged?
You may logon to Billing.Cloud.Gov.Mt, or click on “Billing” above to get a full view of your resource group’s consumption.
I have a new employee/supplier/contractor, and I would like to give them access to my resource group. How can i do this?
You must raise an eRFS to grant access to your resource group whilst making sure to include the CORP accounts to be added. If these individuals do not have a CORP and/or VPN account (to be able to connect to VMs), then an additional eRFS must be raised.
I want to create VMs that are only consumed from within the MAGNET. How shall I go about doing this?
You may create all of your VMs within the Backend subnet and create the NSG rules accordingly.
I want to use an application account/SPN to access my resource group, but I don't have permissions.
You cannot create RunAs accounts or assign permissions on your resources without an eRFS being raised and approved. Please raise a request to create and/or add an application account to your Resource Group and it will be configured accordingly.
If you’re attempting to create RunAs accounts via Azure Automation you will most likely end up with a permissions error as it will attempt to create an account and assign it permissions which is not permitted.
I tried to create a RunAs account using Azure Automation but it failed!
You cannot create RunAs accounts or assign permissions on your resources without an eRFS being raised and approved. Please raise a request to create and/or add an application account to your Resource Group and it will be configured accordingly.
If you’re attempting to create RunAs accounts via Azure Automation you will most likely end up with a permissions error as it will attempt to create an account and assign it permissions which is not permitted.
Storage
I stored my files on the D: Temporary Drive but i cannot find them after i restarted my VM. Where have they gone?
The D: Temporary/Ephemeral drive is only meant for storing non-essential files and is used mainly for the OS’s memory paging file. All files stored on this volume will be erased once the VM is restarted.
I would like to configure a VM Data Disk with a size larger than 1TB but it is not allowing me. What can I do?
We advise to create multiple VM disks of 1TB and using Microsoft Storage Spaces Direct to create a storage pool, and virtual disks, or creating a Spanned Volume that would then present the combined size.
How can I change the drive letter of the temporary drive?
*** These steps will require a system restart as the temporary drive holds the pagefile***
You need to move the pagefile out of the drive temporarily (Via System -> Performance Options -> Advanced -> Change Virtual Memory), change the drive letter, and then move back the pagefile to temporary drive with the new letter.
I created a new data disk on the portal but i cannot see it within my operating system. How can i make use of it?
Once you create and attach a new disk to the VM, you must create (or extend if changing the size) the volume on the Operating System as this is not done automatically. From Windows this can be achieved by going to Disk Management via either:
- Command Prompt as Admin -> diskmgmt
- Right-Click on Start-Menu -> Disk Managment
Once there:
- Click on the Actions Menu -> Rescan Disks
- You should now be able to see the new volume & format it accordingly.
Backup
Are my VMs backed up? How can I know?
All VMs provisioned with the Backup option enabled have a 3rd party Backup Agent installed, and a schedule automatically created to cover all files and volumes on the VM. Check out the User Guide for more information.