Quickstart: Protect and recover a Compute Engine instance to a backup vault

Learn how to protect and restore your Compute Engine instance to a backup vault.

In this quickstart, you perform the following tasks:

Create a backup vault.
Create a backup plan.
Back up a Compute Engine instance into a backup vault.
Restore a Compute Engine instance from a backup.

Before you begin

Enable the Backup and DR Service API in your Google Cloud project.

Enable the API
If you don't have a VM, Create and start a Compute Engine instance in a region where the backup vault is supported. For the purpose of this quickstart, create a Compute Engine instance in the us-central1 region.
Have the Backup and DR Admin (roles/backupdr.admin) IAM role assigned to you in your project.

Create a backup vault

A backup vault is a container to store backups in, similar to self-managed storage. Backup vaults provide protection for backups by storing them in secure, isolated, and specialized storage. For more information about backup vault, see Backup vault for immutable and indelible backups.

If you need to store your backups in the regions where the backup vault is not supported, you can use the self-managed storage based solution to protect their VMs. For more information, see Protect and recover a Compute Engine instance using management console.

Use the following instructions to create a backup vault.

In the Google Cloud console, go to the Backup vaults page.

Go to Backup vaults
Click Create backup vault.
On the Create a backup vault page, enter your backup vault information.
1. In the Name your backup vault field, enter a name for the backup vault—for example, production-vault.
2. Click Continue.
3. From the Choose where to store your data list, select the location of the backup vault—for example, us-central1.
4. Click Continue.
5. In the Prevent backup deletion field, enter the minimum enforced retention period defining how long backups to be protected against deletion—for example, one day.
6. If you want to lock the value of the minimum enforced retention period, select the Lock the enforced retention checkbox, and then select the date from the calendar. For more information, see minimum enforced retention.
Click Create.

Grant a role to the backup vault service agent

Every backup vault created has a unique service agent linked to it. For Compute Engine instances, the service agent performs actions on behalf of the Backup and DR Service, so it needs appropriate permissions on the projects it needs to access.

Use the following instructions to grant a role to the service agent.

In the Google Cloud console, go to the Backup vaults page.

Go to Backup vaults
Click the backup vault name and copy the service agent's email address.
In the Google Cloud console, go to the IAM page.

Go to IAM
In the New principles field, enter the service agent's email address.
From the Select a role list, select the Compute instance admin (v1) (roles/compute.instanceAdmin.v1) role.
Click Add another role.
From the Select a role list, select the Service Account User (roles/iam.serviceAccountUser) role.
Click Save.

Create a backup plan

A backup plan lets you define advanced backup strategies to back up your Compute Engine instances. In a backup plan, you can define when and how to back up a Compute Engine instance. You must create the backup plan in the same region where the backup vault is located. Also, a backup plan can only backup Compute Engine instances that are in the same region. For more information, see Backup plans in Google Cloud console.

Use the following instructions to create a backup plan. In this procedure, you'll create a backup plan for hourly backup of the Compute Engine instances and use the backup vault that you have created in the us-central1 region.

In the Google Cloud console, go to the Backup plans page.

Go to Backup plans
Click Create Backup plan.
Enter a name for the backup plan—for example, production-vm-backup-plan.
From the Regions list, select us-central1.
From the backup vault list, select production-vault.
Click Add rule.
In the Add a backup rule pane, enter your backup rule information and click Save.
- Name your backup rule: Enter a name for the backup rule—for example, backup-hourly.
- Choose when to create backups: Specify the recurrence as Hourly and frequency of the backup as six hours.
- Window: Select the timezone for the backup window—for example, UTC.
- Start time: Enter the backup plan start time in hours—for example, 18 hours.
- End time: Enter the backup plan end time in hours—for example, 24 hours.
- Choose how long backups are kept before they are deleted: Enter the duration that the backups to be retained before they are deleted—for example, one day.
Click Create.

Back up a Compute Engine instance into a backup vault

In the Google Cloud console, you can back up Compute Engine instances to a backup vault by applying backup plans. You can back up in either of these two ways: Scheduled backups and On-demand backups.

Configure a scheduled backup

Use the following instructions to configure a scheduled backup.

In the Google Cloud console, go to the Vaulted resources page.

Go to Vaulted resources
Click Schedule backups.
Leave the project to the default.
From the Region list, select the instance region us-central1.
From the Resources list, click Browse.
Choose the Compute Engine instance that you want to back up and click Done.
Click Continue.
From the Backup plan list, click Select, and select production-vm-backup-plan.
Click Done.
Review the backup details and click Schedule.

As the backup window is set to six hours, you can take an on-demand backup of the Compute Engine instance.

Note: The first backup is automatically triggered when the current time is within the backup window.

Take on-demand backup

Initiate an on-demand backup for a Compute Engine instance with a backup plan by triggering the backup rule of your choice to run immediately. In Preview, you can only create on-demand backups using gcloud commands.

Use the following instructions to create an on-demand backup.

gcloud

Take an on-demand backup.
```
  gcloud alpha backup-dr backup-plan-associations trigger-backup BACKUP_PLAN_ASSOCIATION_NAME \
  --project=PROJECT_ID --location=LOCATION \
  --backup-rule-id=RULE_ID
```
Replace the following:
- BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association. Run the command gcloud alpha backup-dr backup-plan-associations list --location=LOCATION --project=PROJECT_ID to get the list of the backup plans associated with the Compute Engine instance.
- PROJECT_ID: the name of the project.
- LOCATION: the location of the scheduled backups.
- RULE_ID: the backup rule name that you want to associate to run on-demand backups.
In the Google Cloud console, go to the Jobs page to view the backup operation status.

Go to Jobs

Restore a Compute Engine instance from a backup

You can restore a Compute Engine instance to the same project or to a different project. This quickstart guides you to restore the VM in the same project.

Use the following instructions to restore a Compute Engine instance into a backup vault from a backup.

In the Google Cloud console, go to the Vaulted resources page.

Go to Vaulted resources
Click the instances that are protected by the backup plan.
Select a backup, click the icon, and then select Restore.
In the Restore a backup page, review the restore details and click Proceed.
In the Create a VM instance from a backup page, leave the instance configuration to the default and click Create.
In the Google Cloud console, go to the Jobs page to view the restore operation status.

Go to Jobs

Clean up

To avoid incurring charges to your Google Cloud account for the instances used on this page, follow these steps.

Use the following instructions to delete the restored VM.

In the Google Cloud console, go to the VM instances page.

Go to the VM instances page
Select the row containing the VM instance that you've created as part of the restore.
Click Delete and click Delete to confirm.

Use the following instructions to remove the backup plan from the backed up Compute Engine instance.

In the Google Cloud console, go to the Vaulted resources page.

Go to Vaulted resources
Select the backed up instance.
Click Remove backup plan.

Note: The backup automatically expires and gets deleted after one day retention period.

Use the following instructions to delete the backup plan. Deleting the backup plan is an optional step.

In the Google Cloud console, go to the Backup plans page.

Go to Backup plans
Select the backup plan and click Delete.

This deletes the backup plan and related contents.

Use the following instructions to delete the backup vault. Deleting the backup vault is an optional step.

In the Google Cloud console, go to the Backup vaults page.

Go to Backup vaults
Click the backup vault and click Delete.

This deletes the backup vault and related contents.

Note: The backup vault incurs a cost only when the backup vault stores data. The existence of a backup plan doesn't incur any cost.

Use the following instructions to delete a VM if you have created a VM to use as part of this quickstart. Deleting the VM is an optional step.

In the Google Cloud console, go to the VM instances page.

Go to the VM instances page
Select the row containing the VM instance that you've created in this quickstart.
Click Delete and then click Delete to confirm.

This deletes the instance created as part of this quickstart.