This procedure assumes you've already created a Google Cloud VMware Engine
private cloud, deployed Google Cloud VMware Engine, and have the VMware VMs
that you want to back up. If you haven't yet deployed Google Cloud VMware Engine,
see Create a Google Cloud VMware Engine private cloud.
Google Cloud VMware Engine private cloud and the VPC connection
Set administrator permissions to manage VMware Engine instances
To manage VMware Engine instances with administrator privileges:
Elevate the permissions first.
Create a user that is not associated with any group.
Create a role with the permissions in the following list.
Assign the role to the newly-created user.
Assign the role in the vCenter Server Appliance.
Required permissions
Datastore
Allocate space
Browse datastore
Low level file operations
Removefile
Update virtual machine files
Folder
Create folder
Global
Cancel task
Disable methods
Enable methods
Licenses
Log event
Host
Configuration
Storage partition configuration
Local operations
Create virtual machine
Delete virtual machine
Reconfigure virtual machine
Network
Assign network
Host profile
Clear
Create
Delete
Edit
Export
View
Resource
Assign virtual machine to resource pool
Tasks
Create task
Update task
vApp
Export
View OVF environment
vApp application configuration
vApp instance configuration
vApp managedBy configuration
vApp resource configuration
Virtual machine
Change Configuration
Acquire disk lease
Add existing disk
Add new disk
Add or remove device
Advanced configuration
Change Settings
Change resource
Configure Raw device
Modify device settings
Query unowned files
Remove disk
Rename
Toggle disk change tracking
Edit Inventory
Create from existing
Create new
Remove
Guest operations
Guest operation modifications
Guest operation program execution
Guest operation queries
Interaction
Configure CD media
Connect devices
Power off
Power on
Suspend
Provisioning
Allow disk access
Allow read-only disk access
Allow virtual machine download
Clone virtual machine
Deploy template
Snapshot management
Create snapshot
Remove snapshot
Rename snapshot
Revert to snapshot
Configure Backup and DR to use Google Cloud VMware Engine DNS
During VMware VM backup jobs, the backup/recovery appliance needs to
resolve the fully qualified names of the ESX servers running in your
Google Cloud VMware Engine private cloud. The easiest way to achieve this is to add a DNS
from your private cloud to the backup/recovery appliance. If you don't want
to do this, you need to manually add a host entry for each ESX
host in the Host Resolution tab on the System Management page which is
accessed as defined in step two.
On Google Cloud VMware Engine, complete the following:
Select Resources, then select your private cloud.
Under Private Cloud DNS Servers copy either one or both IPs.
In the management console, complete the following:
Go to Manage and select Appliances.
Right-click the appliance and choose Configure Appliance Networking.
The System Management page opens in a new window.
Under DNS,NTP page, complete the following:
Add the DNS as either primary or secondary.
Remove any unneeded DNS suffix searches.
Under Troubleshooting, complete the following:
Click Utility and select Test DNS.
Click Resolve and select IP, then enter the IP in
the IP to resolve field. It resolves to a name. If it doesn't,
validate the connectivity between Google Cloud VMware Engine private cloud and the
Backup and DR VPC.
Set NFS ingress firewall rules for the backup/recovery appliance
When you perform VMware VM mounts using NFS, the backup/recovery appliance
provides access to the VMDKs using an NFS datastore. You need to
set the ingress firewall rules for the backup appliance to ensure NFS mounts
don't encounter unexpected errors.
In the Google Cloud console, go to the Firewall page.
Find the VPC firewall rule for your backup/recovery appliance.
It contains the following:
Target: Service account for your backup appliance.
For example: my-service-account@my-project.iam.gserviceaccount.com
tcp ports:
26
443
3260
5107
Edit the firewall rules and add the following:
In the Source IPv4 range, add the system management subnet of your
Google Cloud VMware Engine private cloud. You can find the system management
subnet in Google Cloud VMware Engine portal by navigating to Resources, then
Select your private cloud, then Subnets.
tcp:
26
111
443
756
2049
3260
4001
4045
5107
udp:
111
756
2049
4001
4045
Click Save.
Configure a solution user account
To perform backup, the backup/recovery appliance needs to connect to the
vCenter server using an authenticated user that has the correct permissions.
The easiest way to set this up is by using a
solution user account.
You need to set the solution user account password beforehand:
From the main panel, select the gve.local domain and select the solution user account.
Click Edit.
Enter a strong password in the Password and Confirm Password fields
for the solution user account. Optionally, add the description. Take a note
of which solution user you use, for example solution-user-01, and the password
you set, as you need to use it when configuring the vCenter host.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eBefore backing up VMware VMs, you must create a Google Cloud VMware Engine private cloud, configure its connection to your VPC, and set up necessary firewall rules.\u003c/p\u003e\n"],["\u003cp\u003eTo manage VMware Engine instances, you need to create a user with specific administrative permissions, including datastore, folder, global, host, network, resource, tasks, vApp, and virtual machine privileges.\u003c/p\u003e\n"],["\u003cp\u003eThe backup/recovery appliance requires access to the fully qualified names of ESX servers, which can be achieved by adding a DNS from your private cloud or manually adding host entries.\u003c/p\u003e\n"],["\u003cp\u003eNFS ingress firewall rules must be configured to allow the backup appliance to access VMDKs via an NFS datastore, with specific tcp and udp ports enabled for communication.\u003c/p\u003e\n"],["\u003cp\u003eA solution user account with the correct permissions needs to be configured in vCenter to allow the backup/recovery appliance to authenticate and connect to the vCenter server.\u003c/p\u003e\n"]]],[],null,["# Configure Google Cloud VMware Engine for Backup and DR protection\n\nBefore you begin, it's a good idea to review [Backup and DR for VMware VMs](/backup-disaster-recovery/docs/concepts/vmware-intro).\n\nBefore you add, discover, and protect a VMware VM, you must do the following in\nthe Google Cloud VMware Engine:\n\n- [Create a Google Cloud VMware Engine private cloud](#private)\n\n- [Configure Google Cloud VMware Engine private cloud and the VPC connection](#connection)\n\n- [Set NFS ingress firewall rules for the backup/recovery appliance](#firewall)\n\n- [Set permissions to manage VMware Engine instances](#list)\n\nCreate a Google Cloud VMware Engine private cloud\n-------------------------------------------------\n\nThis procedure assumes you've already created a Google Cloud VMware Engine\nprivate cloud, deployed Google Cloud VMware Engine, and have the VMware VMs\nthat you want to back up. If you haven't yet deployed Google Cloud VMware Engine,\nsee [Create a Google Cloud VMware Engine private cloud](/vmware-engine/docs/private-clouds/howto-create-private-cloud).\n\nGoogle Cloud VMware Engine private cloud and the VPC connection\n---------------------------------------------------------------\n\nAfter you create a Google Cloud VMware Engine private cloud, you need to add a\nprivate connection between your Google Cloud VMware Engine private cloud and the\nVPC where your backup/recovery appliance is deployed. See\n[Complete private connection creation in the Google Cloud VMware Engine portal](/vmware-engine/docs/networking/howto-setup-private-service-access#complete-private-connection-creation-in-the-vmware-engine-portal).\n\nSet administrator permissions to manage VMware Engine instances\n---------------------------------------------------------------\n\nTo manage VMware Engine instances with administrator privileges:\n\n1. Elevate the permissions first.\n2. Create a user that is not associated with any group.\n3. Create a role with the permissions in the [following list](#list).\n4. Assign the role to the newly-created user.\n5. Assign the role in the vCenter Server Appliance.\n\n### Required permissions\n\n**Datastore**\n\n- Allocate space\n- Browse datastore\n- Low level file operations\n- Removefile\n- Update virtual machine files\n\n**Folder**\n\n- Create folder\n\n**Global**\n\n- Cancel task\n- Disable methods\n- Enable methods\n- Licenses\n- Log event\n\n**Host**\n\n- Configuration\n\n - Storage partition configuration\n- Local operations\n\n - Create virtual machine\n - Delete virtual machine\n - Reconfigure virtual machine\n\n**Network**\n\n- Assign network\n\n- Host profile\n\n - Clear\n - Create\n - Delete\n - Edit\n - Export\n - View\n\n**Resource**\n\n- Assign virtual machine to resource pool\n\n**Tasks**\n\n- Create task\n- Update task\n\n**vApp**\n\n- Export\n- View OVF environment\n- vApp application configuration\n- vApp instance configuration\n- vApp managedBy configuration\n- vApp resource configuration\n\n**Virtual machine**\n\n- Change Configuration\n\n - Acquire disk lease\n - Add existing disk\n - Add new disk\n - Add or remove device\n - Advanced configuration\n - Change Settings\n - Change resource\n - Configure Raw device\n - Modify device settings\n - Query unowned files\n - Remove disk\n - Rename\n - Toggle disk change tracking\n- Edit Inventory\n\n - Create from existing\n - Create new\n - Remove\n- Guest operations\n\n - Guest operation modifications\n - Guest operation program execution\n - Guest operation queries\n- Interaction\n\n - Configure CD media\n - Connect devices\n - Power off\n - Power on\n - Suspend\n- Provisioning\n\n - Allow disk access\n - Allow read-only disk access\n - Allow virtual machine download\n - Clone virtual machine\n - Deploy template\n- Snapshot management\n\n - Create snapshot\n - Remove snapshot\n - Rename snapshot\n - Revert to snapshot\n\nConfigure Backup and DR to use Google Cloud VMware Engine DNS\n-------------------------------------------------------------\n\nDuring VMware VM backup jobs, the backup/recovery appliance needs to\nresolve the fully qualified names of the ESX servers running in your\nGoogle Cloud VMware Engine private cloud. The easiest way to achieve this is to add a DNS\nfrom your private cloud to the backup/recovery appliance. If you don't want\nto do this, you need to manually add a host entry for each ESX\nhost in the **Host Resolution** tab on the **System Management** page which is\naccessed as defined in step two.\n\n1. On Google Cloud VMware Engine, complete the following:\n\n 1. Select **Resources**, then select your private cloud.\n 2. Under **Private Cloud DNS Servers** copy either one or both IPs.\n2. In the management console, complete the following:\n\n 1. Go to **Manage** and select **Appliances**.\n 2. Right-click the appliance and choose **Configure Appliance Networking**.\n\n The **System Management** page opens in a new window.\n 3. Under **DNS,NTP** page, complete the following:\n\n - Add the DNS as either primary or secondary.\n - Remove any unneeded DNS suffix searches.\n 4. Under **Troubleshooting**, complete the following:\n\n 5. Click **Utility** and select **Test DNS**.\n\n 6. Click **Resolve** and select **IP** , then enter the IP in\n the **IP to resolve** field. It resolves to a name. If it doesn't,\n validate the connectivity between Google Cloud VMware Engine private cloud and the\n Backup and DR VPC.\n\nSet NFS ingress firewall rules for the backup/recovery appliance\n----------------------------------------------------------------\n\nWhen you perform VMware VM mounts using NFS, the backup/recovery appliance\nprovides access to the VMDKs using an NFS datastore. You need to\nset the ingress firewall rules for the backup appliance to ensure NFS mounts\ndon't encounter unexpected errors.\n\n1. In the Google Cloud console, go to the **Firewall** page.\n\n [Firewalls](https://console.cloud.google.com/networking/firewalls/list)\n2. Find the VPC firewall rule for your backup/recovery appliance.\n\n It contains the following:\n - **Target**: Service account for your backup appliance.\n\n For example: my-service-account@my-project.iam.gserviceaccount.com\n - **tcp ports** :\n - 26\n - 443\n - 3260\n - 5107\n3. Edit the firewall rules and add the following:\n\n - In the **Source IPv4 range** , add the system management subnet of your\n Google Cloud VMware Engine private cloud. You can find the system management\n subnet in Google Cloud VMware Engine portal by navigating to **Resources** , then\n **Select your private cloud** , then **Subnets**.\n\n - **tcp**:\n\n - 26\n - 111\n - 443\n - 756\n - 2049\n - 3260\n - 4001\n - 4045\n - 5107\n - **udp**:\n\n - 111\n - 756\n - 2049\n - 4001\n - 4045\n4. Click **Save**.\n\n### Configure a solution user account\n\nTo perform backup, the backup/recovery appliance needs to connect to the\nvCenter server using an authenticated user that has the correct permissions.\nThe easiest way to set this up is by using a\n[solution user account](/vmware-engine/docs/vmware-platform/howto-solution-user-accounts).\n\nYou need to set the solution user account password beforehand:\n\n1. [Access the VMware Engine portal](/vmware-engine/docs/howto-access-portal)\n\n2. Select **Resources**, then select your private cloud.\n\n3. Select **Change your vSphere privileges**.\n\n4. Leave the user type and time interval to the default option, and select\n **I Understand**.\n\n5. Click **Confirm**.\n\n6. Click [Launch vSphere client (HTML5)](/vmware-engine/docs/vmware-platform/howto-access-vsphere-client).\n\n7. Go to **Menu** and click **Administration**.\n\n8. Click **Single Sign On**.\n\n9. Click **Users and Groups**.\n\n10. From the main panel, select the `gve.local` domain and select the solution user account.\n\n11. Click **Edit**.\n\n12. Enter a strong password in the **Password** and **Confirm Password** fields\n for the solution user account. Optionally, add the description. Take a note\n of which solution user you use, for example solution-user-01, and the password\n you set, as you need to use it when [configuring the vCenter host](/backup-disaster-recovery/docs/configuration/add-vcenter-host).\n\n13. Click **Save**.\n\nWhat's next\n-----------\n\n- [Add vCenter/ESX server hosts to the management console](/backup-disaster-recovery/docs/configuration/add-vcenter-host)\n\n- [Discover and protect VMware VMs](/backup-disaster-recovery/docs/configuration/discover-and-protect-vms)\n\nThe VMware administrator's guide\n--------------------------------\n\nThis page is one in a series of pages specific to protecting and recovering\nVMware VMs with Backup and DR.\nYou can find additional information at:\n\n- [Backup and DR for VMware VMs](/backup-disaster-recovery/docs/concepts/vmware-intro)\n\n- [Configure Google Cloud VMware Engine for Backup and DR protection](/backup-disaster-recovery/docs/configuration/prepare-vmware)\n\n- [Add vCenter and ESX server hosts to the management console](/backup-disaster-recovery/docs/configuration/add-vcenter-host)\n\n- [Discover and protect VMware VMs](/backup-disaster-recovery/docs/configuration/discover-and-protect-vms)\n\n- [Apply a backup template to protect a VM](/backup-disaster-recovery/docs/create-plan/apply-backup-template-to-manage-a-VM)\n\n- [Configure application settings for VMware VMs](/backup-disaster-recovery/docs/backup/configure-application-settings-for-vmware-vm)\n\n- [Restore a VMware VM](/backup-disaster-recovery/docs/restore-data/restore-vm)\n\n- [Mount a VMware image](/backup-disaster-recovery/docs/access-data/mount-vmware-image)\n\n- [Clone an image of a VMware VM](/backup-disaster-recovery/docs/access-data/clone-image-of-a-vm)\n\n- [Create LiveClone workflows](/backup-disaster-recovery/docs/access-data/create-liveclone-workflows)\n\n- [Move VM management between two backup/recovery appliances](/backup-disaster-recovery/docs/configuration/supported-vmware)"]]
