Restore a Compute Engine instance from a backup vault

This page helps you to restore a Compute Engine instance from a backup vault in the Google Cloud console.

Before you begin

Grant the following roles to the backup vault's service agent in the target project where the restore is performed.

  • Compute instance admin (v1) (roles/compute.instanceAdmin.v1)
  • Service Account User (roles/iam.serviceAccountUser)

Grant the following roles to the user who performs the restore in the backup vault project.

  • Backup and DR Restore User (roles/backupdr.restoreUser) in both the backup vault project and the target project.
  • Compute Viewer (roles/compute.viewer) in the target project only.

These predefined roles contain the permissions required to access the backup vault in the Compute Engine project. For specific permissions, see the following list.

  • backupdr.bvbackups.restore
  • backupdr.compute.restoreFromBackupVault
  • backupdr.backupVaults.get
  • backupdr.backupVaults.list
  • backupdr.bvbackups.list
  • backupdr.bvdataSources.get
  • backupdr.bvdataSources.list
  • backupdr.bvbackups.get

For more information about granting roles, see Manage access to projects, folders, and organizations.
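A preflight check for the role bindings listed above, as an added example that is not part of the original page or of Google's tooling. It assumes the target project's policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the principals, the sample policy, and the function names are constructed for illustration.

```python
# Added example: preflight check for the role bindings this page requires.
# Policy shape matches `gcloud projects get-iam-policy PROJECT_ID --format=json`.

# Required roles in the TARGET project, taken from "Before you begin".
AGENT_ROLES = {"roles/compute.instanceAdmin.v1", "roles/iam.serviceAccountUser"}
USER_ROLES = {"roles/backupdr.restoreUser", "roles/compute.viewer"}
# Basic roles that go far beyond the listed grants (least-privilege flag).
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed principals and policy; not real accounts.
AGENT = "serviceAccount:vault-agent@example-project.iam.gserviceaccount.com"
USER = "user:restorer@example.com"
TARGET_POLICY = {"bindings": [
    {"role": "roles/compute.instanceAdmin.v1", "members": [AGENT]},
    {"role": "roles/iam.serviceAccountUser", "members": [AGENT],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": [AGENT]},
    {"role": "roles/backupdr.restoreUser", "members": [USER]},
]}


def granted_roles(policy, member):
    """Return (unconditional, conditional) role sets bound to member."""
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            target = conditional if binding.get("condition") else plain
            target.add(binding["role"])
    return plain, conditional


def preflight(policy, member, required):
    """Compare a member's bindings with the roles the restore needs."""
    plain, conditional = granted_roles(policy, member)
    return {
        "missing": sorted(required - plain - conditional),
        "conditional_only": sorted(required & (conditional - plain)),
        "broad": sorted(plain & BROAD_ROLES),
    }


if __name__ == "__main__":
    print("service agent:", preflight(TARGET_POLICY, AGENT, AGENT_ROLES))
    print("restore user: ", preflight(TARGET_POLICY, USER, USER_ROLES))
```

The check sees only bindings made directly on the project; roles inherited from a folder or organization, or granted through group membership, do not appear in this policy.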

Restore a Compute Engine instance

Use the following instructions to restore a VM instance.

Console

  1. In the Google Cloud console, go to the Vaulted Resources page. All Compute Engine instances with vaulted backups are listed here.
  2. Click the action icon and select the Restore action. The Restore page appears, where you select the following restore options:
    • Select a Resource name.
    • Select a Backup creation time.
    • Select the Project name into which you want to restore the VM.
  3. Click Proceed.
    • The next page, Create a new VM instance from a backup, appears with the VM properties pre-populated from the source VM properties. You can modify the properties for the new VM, for example, change the Region or Machine Type.
  4. Click Create to create a new VM from the selected backup.

gcloud


  1. If not already granted, add the compute.instanceAdmin.v1 and serviceAccountUser roles to the backup vault service account in the recovery project where the VM is being recovered.

    gcloud alpha projects add-iam-policy-binding TARGET_PROJECT \
        --member=MEMBER \
        --role=ROLE

    Replace the following:

    • TARGET_PROJECT: the project in which the VM is restored.
    • MEMBER: the name of the service account user who will be assigned the service account role.
    • ROLE: the service account role.
  2. To get the backup vault service account, use the following command.

    gcloud alpha backup-dr backup-vaults describe BACKUPVAULT_NAME --location=LOCATION

    Replace the following:

    • BACKUPVAULT_NAME: the name of the backup vault.
    • LOCATION: the location of the backup vault.

Example: Restore a VM in the same project as the workload project with backup ID:

gcloud alpha backup-dr backups restore compute test-backup-id \
    --project=PROJECT \
    --location=LOCATION \
    --backup-vault=BACKUPVAULT_NAME \
    --data-source=DATA_SOURCE \
    --name=NAME \
    --target-zone=TARGET_ZONE \
    --target-project=TARGET_PROJECT

Example: Restore a VM in the same project as the workload project with the backup's full resource URI:

gcloud alpha backup-dr backups restore compute projects/test-project-id/locations/us-central1/backupVaults/test-vault/dataSources/test-ds/backups/test-backup-id \
    --name=NAME \
    --target-zone=TARGET_ZONE \
    --target-project=TARGET_PROJECT

Example: Restore a VM instance with a custom service account and network configuration:

gcloud alpha backup-dr backups restore compute test-backup-id \
    --project=PROJECT \
    --location=LOCATION \
    --backup-vault=BACKUPVAULT_NAME \
    --data-source=DATA_SOURCE \
    --name=NAME \
    --target-zone=TARGET_ZONE \
    --target-project=TARGET_PROJECT \
    --network-interface network=NETWORK \
    --subnet=SUBNET \
    --service-account=SERVICE_ACCOUNT \
    --scopes=SCOPE

Replace the following:

  • PROJECT: the name of the backup vault project.
  • LOCATION: the location of the backup vault.
  • BACKUPVAULT_NAME: the backup vault name from which you want to restore data.
  • DATA_SOURCE: the data source name from which you want to restore data.
  • NAME: the name of the restored VM.
  • TARGET_ZONE: the region in which the VM is restored.
  • TARGET_PROJECT: the project in which the VM is restored.
  • NETWORK: the network URI of the VM.
  • SUBNET: the subnet URI of the VM.
  • SERVICE_ACCOUNT: the service account of the restored VM.
  • SCOPE: the authorization scope of the service account.

To override other VM properties, see Overview of Backup and DR Service Google Cloud CLI commands.
