Restore disks from a backup vault

This page helps you to restore disks from a backup vault in the Google Cloud console.

Before you begin

  • Grant the Backup and DR Disk Operator (roles/backupdr.diskOperator) IAM role for the backup vault service agent of the vault in the target project where restore is being performed.

  • Grant the following IAM roles for the user who performs the restore in the backup vault project.

    • Backup and DR Restore User (roles/backupdr.restoreUser) for both backup vault and target project.
    • Compute Viewer (roles/compute.viewer) for only the target.

    These predefined roles contain the permissions required to access the backup vault in the project where the disks are located. For specific permissions, see the following list.

    • backupdr.bvbackups.restore
    • backupdr.compute.restoreFromBackupVault
    • backupdr.backupVaults.get
    • backupdr.backupVaults.list
    • backupdr.bvbackups.list
    • backupdr.bvdataSources.get
    • backupdr.bvdataSources.list
    • backupdr.bvbackups.get

    For more information about granting roles, see Manage access to projects, folders, and organizations.

Restore disks

Use the following instructions to restore disks used by a Compute Engine instance.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    Go to Vaulted backups

    All Compute Engine instances with vaulted backups are listed here.

  2. Select the backup to restore. Either from the backup details page for the backup, or from the menu for the disk:

    1. Select the disk Resource type.
    2. Select a Resource name.
    3. Browse to select the backup to restore.
    4. The Restore project name is prepopulated with the current project, but you can browse to a different project if you want to restore elsewhere.
    5. Click Restore. You can view and monitor the restore job from the Notifications bell.
    6. The restored disk appears in the Compute Engine Storage > Disks list, with the original name followed by a time and date stamp.

gcloud

  1. If not already granted, grant the Backup and DR Disk Operator (roles/backupdr.DiskOperator) IAM role to the backup vault service agent in the recovery project where the VM is being recovered.

  2. To get the backup vault service account, use the following command.

      gcloud backup-dr backup-vaults describe BACKUPVAULT_NAME
      --location=LOCATION
    

    Replace the following:

    • BACKUPVAULT_NAME: the backup vault name you want to restore data from.
    • LOCATION: the location of the backup vault.
  3. To restore a disk, use the following commands.

    • Restore a disk in the same project as the workload project with backup ID.

        gcloud backup-dr backups restore compute test-backup-id \
        --project=PROJECT --location=LOCATION \
        --backup-vault=BACKUPVAULT_NAME --data-source=DATA_SOURCE\
        --name=NAME --target-zone=TARGET_ZONE \
        --target-project=TARGET_PROJECT
      
    • Restore a disk in the same project as the workload project with backup full resource URL.

        gcloud backup-dr backups restore compute projects/test-project-id/locations/us-central1/backupVaults/test-vault/dataSources/test-ds/backups/test-backup-id \
        --name=NAME --target-zone=TARGET_ZONE \
        --target-project=TARGET_PROJECT
      
    • Restore a VM instance with custom service-account and network configuration.

        gcloud backup-dr backups restore compute test-backup-id \
        --project=PROJECT --location=LOCATION \
        --backup-vault=BACKUPVAULT_NAME --data-source=DATA_SOURCE\
        --name=NAME --target-zone=TARGET_ZONE \
        --target-project=TARGET_PROJECT \
        --network-interface=network=NETWORK,subnet=SUBNET \
        --service-account=SERVICE_ACCOUNT \
        --scopes=SCOPE
      

      Replace the following:

      • PROJECT: the name of the backup vault project.
      • LOCATION: the location of the backup vault.
      • BACKUPVAULT_NAME: the backup vault name you want to restore data from.
      • DATA_SOURCE: the data source name you want to restore data from.
      • NAME: the name of the restored VM.
      • TARGET_ZONE: the region the VM is restored in.
      • TARGET_PROJECT: the project the VM is restored in.
      • NETWORK: the network URI of the VM.
      • SUBNET: the subnet URI of the VM.
      • SERVICE_ACCOUNT: the service account of the restored VM.
      • SCOPE: the authorization scope of the service account.

To override other VM properties, see Overview of Backup and DR Service Google Cloud CLI commands.

The Backup and DR Compute Engine guide