This page describes how to back up Compute Engine instances to a backup vault using the Google Cloud console. Sending backups to a backup vault provides immutability and enforced retention. With a backup vault, you can store backups in a single region. If you have any of the following backup requirements, you can use the management console to back up Compute Engine instances:
- Multi-region or cross-region backups
- VM backup retention for more than 90 days
- Backups of specific disks attached to a VM
- Automated protection of Google Compute Engine VMs based on tags
- If the Google Cloud Console-based backup plans and backup vaults are not supported in the region where your VMs are running
In the Google Cloud console, you can back up Compute Engine instances to a backup vault by applying backup plans. You can back up in either of these two ways. Both methods allow you to store your backups securely in a backup vault, providing a reliable way to recover your Compute Engine instances in case of data loss or other unexpected events.
- Scheduled backups. You can automatically back up Compute Engine instances at specific intervals, such as daily, weekly, monthly, or yearly.
- On-demand backups. You can create on-demand backups whenever needed. On-demand backups are useful for creating backups before making significant changes to your instances or for ad hoc data protection.
Before you begin
Enable the Backup and DR Service API where the Compute Engine instances are located.
IAM roles and permission for the backup user
To get the permissions that you need to configure scheduled backups or run on-demand backups,
ask your administrator to grant you the
Backup and DR Backup User (roles/backupdr.backupUser) IAM role on your backup vault project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to configure scheduled backups or run on-demand backups. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to configure scheduled backups or run on-demand backups:
-
backupdr.backupPlanAssociations.create -
backupdr.backupPlanAssociations.list -
backupdr.backupPlanAssociations.get -
backupdr.backupPlanAssociations.triggerBackup -
backupdr.backupPlanAssociations.delete -
backupdr.backupPlans.useComputeInstanceOnly
You might also be able to get these permissions with custom roles or other predefined roles.
Grant backup vault access in the Compute Engine project
To back up a Compute Engine VM instance, you need to grant the backup vault
service agent the Compute instance admin (v1) (roles/compute.instanceAdmin.v1)
IAM role in the Compute Engine project.
For information about granting roles to the backup vault service agent within the project you intend to back up, see Grant a role to the service agent.
Configure a scheduled backup
Use the following instructions to configure a scheduled backup for Compute Engine instances.
Console
In the Google Cloud console, go to the Vaulted resources page.
Click Schedule backups.
From the Projects list, click Browse and select a project where the Compute Engine instances are located.
From the Region list, select the region where your instances are located.
From the Resources list, click Browse.
Choose the Compute Engine instance that you want to back up and click Done.
Click Continue.
From the Backup plan list, click Select.
Choose a backup plan that you want to protect the Compute Engine instance with.
Click Done.
Review the backup details and click Schedule.
gcloud
Get the instance ID.
gcloud compute instances describe VM_NAME --zone=VM_ZONE --format="value(id)"Replace the following:
VM_NAME: the name of the VM instance.VM_ZONE: the location where the VM is located.
Configure a scheduled backup.
gcloud alpha backup-dr backup-plan-associations create BACKUP_PLAN_ASSOCIATION_NAME \ --location=VM_REGION \ --resource=projects/VM_PROJECT_ID/zones/VM_ZONE/instances/VM_ID \ --backup-plan=projects/PROJECT_ID/locations/LOCATION/backupPlans/BACKUP_PLANReplace the following:
BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.VM_REGION: the region where the Compute Engine instance is located.VM_PROJECT_ID: the name of the project where the Compute Engine instances are located.VM_ZONE: the zone where the Compute Engine instance is located.VM_ID: the Compute Engine instance ID.PROJECT_ID: the name of the project where backup plans exist.LOCATION: the region where your backup plans exist.BACKUP_PLAN: the name of the backup plan that you want to associate the Compute Engine instance with.
Create an on-demand backup
You can initiate an on-demand backup for a Compute Engine instance with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups are incremental and capture only the changed data since the last backup.
When creating an on-demanding backup, you can choose a rule from the backup plan associated with the Compute Engine instance. This rule determines when the on-demand backup gets deleted. You can check the backup job status from the Jobs page. For more information, see Monitor backup and restore jobs in Google Cloud console.
Use the following instructions to create an on-demand backup.
gcloud
Create an on-demand backup.
gcloud alpha backup-dr backup-plan-associations trigger-backup BACKUP_PLAN_ASSOCIATION_NAME \ --project=PROJECT_ID --location=LOCATION \ --backup-rule-id=RULE_IDReplace the following:
BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association. Run the commandgcloud alpha backup-dr backup-plan-associations list --location=LOCATION --project=PROJECT_IDto get the list of the backup plans associated with the Compute Engine instance.PROJECT_ID: the name of the project.LOCATION: the location of the scheduled backups.RULE_ID: the backup rule name that you want to associate to run on-demand backups.
List scheduled backups
Use the following instructions to list the backed up Compute Engine instances.
Console
In the Google Cloud console, go to the Vaulted resources page.
The Vaulted resources page lists only the instances that have backup plans applied and their backups stored in a backup vault within a project.
gcloud
List scheduled backups.
gcloud alpha backup-dr backup-plan-associations list \ --location=LOCATION \ --project=PROJECT_IDReplace the following:
PROJECT_ID: the name of the project.LOCATION: the location of the scheduled backups.
Unprotect a Compute Engine instance
You can unprotect a Compute Engine instance by removing the backup plan applied to the instance. Removing a backup plan from a Compute Engine instance doesn't delete the backup plan or any backups created while the instance was in use. You can still access and manage these existing backups.
Use the following instructions to unprotect a Compute Engine instance.
Console
In the Google Cloud console, go to the Vaulted resources page.
Click the name of the instance that you want to remove a backup plan.
Select Remove backup plan.
gcloud
Unprotect a Compute Engine instance.
gcloud alpha backup-dr backup-plan-associations delete BACKUP_PLAN_ASSOCIATION_NAME\ --project=PROJECT_ID \ --location=LOCATIONReplace the following:
BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup you want to delete.PROJECT_ID: the name of the project.LOCATION: the location of the scheduled backup.