Back up Compute Engine instances to a backup vault

This page describes how to back up Compute Engine instances to a backup vault using the Google Cloud console. Sending backups to a backup vault provides immutability and enforced retention. With a backup vault, you can store backups in a single region. If you have any of the following backup requirements, you can use the management console to back up Compute Engine instances:

  • Multi-region or cross-region backups
  • VM backup retention for more than 90 days
  • Backups of specific disks attached to a VM
  • Automated protection of Google Compute Engine VMs based on tags
  • If the Google Cloud console-based backup plans and backup vaults are not supported in the region where your VMs are running

In the Google Cloud console, you can back up Compute Engine instances to a backup vault by applying backup plans. You can back up in either of these two ways. Both methods allow you to store your backups securely in a backup vault, providing a reliable way to recover your Compute Engine instances in case of data loss or other unexpected events.

  • Scheduled backups. You can automatically back up Compute Engine instances at specific intervals, such as daily, weekly, monthly, or yearly.
  • On-demand backups. You can create on-demand backups whenever needed. On-demand backups are useful for creating backups before making significant changes to your instances or for ad hoc data protection.

Before you begin

  1. Enable the Backup and DR Service API in the project where the Compute Engine instances are located.
  2. Create a backup vault
  3. Create a backup plan
  4. Assign IAM roles and permissions to the backup user
  5. Grant backup vault access in the Compute Engine project
  6. Set up Log Analytics on your bucket to monitor Backup and DR backup jobs.

IAM roles and permissions for the backup user

To get the permissions that you need to configure scheduled backups or run on-demand backups, ask your administrator to grant you the Backup and DR Backup User (roles/backupdr.backupUser) IAM role on your backup vault project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to configure scheduled backups or run on-demand backups. The exact permissions it contains are listed in the Required permissions section:

Required permissions

The following permissions are required to configure scheduled backups or run on-demand backups:

  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.get
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlans.useForComputeInstance

You might also be able to get these permissions with custom roles or other predefined roles.

Grant backup vault access in the Compute Engine project

To back up a Compute Engine VM instance in a project different from where the backup vault is created, you must grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role to the backup vault service agent within the Compute Engine project.

To back up a Compute Engine VM instance in the same project where the backup vault is created, no additional roles need to be granted.

For information about granting roles to the backup vault service agent within the project you intend to back up, see Grant a role to the service agent.

Configure a scheduled backup

Use the following instructions to configure a scheduled backup for Compute Engine instances.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

  2. Click Schedule backups.

  3. From the Projects list, click Browse and select a project where the Compute Engine instances are located.

  4. From the Region list, select the region where your instances are located.

  5. From the Resources list, click Browse.

  6. Choose the Compute Engine instance that you want to back up and click Done.

  7. Click Continue.

  8. From the Backup plan list, click Select.

  9. Choose a backup plan that you want to protect the Compute Engine instance with.

  10. Click Done.

  11. Review the backup details and click Schedule.

gcloud

  1. Get the instance ID.

      gcloud compute instances describe VM_NAME --zone=VM_ZONE --format="value(id)"

    Replace the following:

    • VM_NAME: the name of the VM instance.
    • VM_ZONE: the zone where the VM is located.
  2. Configure a scheduled backup.

      gcloud alpha backup-dr backup-plan-associations create BACKUP_PLAN_ASSOCIATION_NAME \
      --location=VM_REGION \
      --resource=projects/VM_PROJECT_ID/zones/VM_ZONE/instances/VM_ID \
      --backup-plan=projects/PROJECT_ID/locations/LOCATION/backupPlans/BACKUP_PLAN

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.
    • VM_REGION: the region where the Compute Engine instance is located.
    • VM_PROJECT_ID: the ID of the project where the Compute Engine instances are located.
    • VM_ZONE: the zone where the Compute Engine instance is located.
    • VM_ID: the Compute Engine instance ID returned by the previous command.
    • PROJECT_ID: the ID of the project where the backup plans exist.
    • LOCATION: the region where your backup plans exist.
    • BACKUP_PLAN: the name of the backup plan that you want to associate the Compute Engine instance with.
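As an added example that is not part of this documentation, the following POSIX shell helpers assemble the gcloud commands from the two steps above: they derive the region that --location expects from the zone used in --resource, and warn when the VM project differs from the backup plan project, which is the case where the service agent role described earlier must be granted. All project, zone and plan values are constructed placeholders; set DRY_RUN=1 to print the commands instead of calling gcloud.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): build and run the
# backup-plan-associations create command for one Compute Engine instance.

# Derive the region from a zone name: "us-central1-a" -> "us-central1".
zone_to_region() {
  printf '%s\n' "$1" | sed 's/-[a-z]$//'
}

# Full instance resource name expected by --resource.
instance_resource() {
  # $1 = VM project ID, $2 = zone, $3 = numeric instance ID
  printf 'projects/%s/zones/%s/instances/%s\n' "$1" "$2" "$3"
}

# Full backup plan name expected by --backup-plan.
backup_plan_resource() {
  # $1 = project holding the backup plan, $2 = its region, $3 = plan name
  printf 'projects/%s/locations/%s/backupPlans/%s\n' "$1" "$2" "$3"
}

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the association for one VM.
# $1 = association name, $2 = VM project, $3 = VM zone, $4 = VM name,
# $5 = backup plan project, $6 = backup plan region, $7 = backup plan name
schedule_vm_backup() {
  region=$(zone_to_region "$3")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    vm_id="VM_ID"   # placeholder: no gcloud call in dry-run mode
  else
    vm_id=$(gcloud compute instances describe "$4" --zone="$3" --format="value(id)") || return 1
  fi
  # Cross-project protection requires roles/backupdr.computeEngineOperator for
  # the backup vault service agent in the VM project; flag that case.
  if [ "$2" != "$5" ]; then
    echo "note: VM project $2 differs from plan project $5; grant the vault service agent roles/backupdr.computeEngineOperator in $2" >&2
  fi
  run gcloud alpha backup-dr backup-plan-associations create "$1" \
    --location="$region" \
    --resource="$(instance_resource "$2" "$3" "$vm_id")" \
    --backup-plan="$(backup_plan_resource "$5" "$6" "$7")"
}

# Example invocation with constructed values:
# DRY_RUN=1 schedule_vm_backup my-assoc vm-proj us-central1-a my-vm vault-proj us-central1 daily-plan
```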

List scheduled backups

Use the following instructions to list the backed up Compute Engine instances.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    The Vaulted backups page lists only the instances that have backup plans applied and their backups stored in a backup vault within a project.

gcloud

  1. List scheduled backups.

      gcloud alpha backup-dr backup-plan-associations list \
      --location=LOCATION \
      --project=PROJECT_ID

    Replace the following:

    • PROJECT_ID: the ID of the project.
    • LOCATION: the location of the scheduled backups.

Create an on-demand backup

You can initiate an on-demand backup for a Compute Engine instance with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups are incremental and capture only the changed data since the last backup.

When creating an on-demand backup, you choose a rule from the backup plan associated with the Compute Engine instance. The chosen rule determines the retention of the on-demand backup, that is, when it is deleted. You can check the backup job status from the Jobs page. For more information, see Monitor backup and restore jobs in Google Cloud console.

Use the following instructions to create an on-demand backup.

Console

  1. Go to the VM instances > Details > Backup Plan to create an on-demand backup.
  2. Click Create On-Demand Backup. Ensure you have the correct permissions to make an on-demand backup.
  3. Choose a backup rule.
  4. Click Create to start the on-demand backup creation process.
  5. To view the status of the on-demand backup job, click Notifications.

gcloud

  1. Create an on-demand backup.

      gcloud alpha backup-dr backup-plan-associations trigger-backup BACKUP_PLAN_ASSOCIATION_NAME \
      --project=PROJECT_ID --location=LOCATION \
      --backup-rule-id=RULE_ID

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association. Run the command gcloud alpha backup-dr backup-plan-associations list --location=LOCATION --project=PROJECT_ID to get the list of the backup plans associated with the Compute Engine instance.
    • PROJECT_ID: the ID of the project.
    • LOCATION: the location of the scheduled backups.
    • RULE_ID: the ID of the backup rule in the associated backup plan that you want to trigger for the on-demand backup.

Unprotect a Compute Engine instance

You can unprotect a Compute Engine instance by removing the backup plan applied to the instance. Removing a backup plan from a Compute Engine instance doesn't delete the backup plan or any backups created while the plan was applied. You can still access and manage these existing backups.

Use the following instructions to unprotect a Compute Engine instance.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

  2. Click the name of the instance from which you want to remove the backup plan.

  3. Select Remove backup plan.

gcloud

  1. Unprotect a Compute Engine instance.

      gcloud alpha backup-dr backup-plan-associations delete BACKUP_PLAN_ASSOCIATION_NAME \
      --project=PROJECT_ID \
      --location=LOCATION

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association you want to delete. Deleting the association removes the backup plan from the instance; existing backups are not deleted.
    • PROJECT_ID: the ID of the project.
    • LOCATION: the location of the scheduled backup.

What's next