Restore a disk from an instant snapshot


To access data captured in an instant snapshot, you must restore, or create a new disk from the instant snapshot.

This page explains how to create a disk from an instant snapshot. After you create the disk, you can use it by attaching it to a virtual machine (VM).

Before you begin

  • If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Required roles and permissions

To get the permissions that you need to create a disk from an instant snapshot, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create a disk from an instant snapshot. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create a disk from an instant snapshot:

  • To create a disk:
    • compute.disks.create on the destination project for the new disk
    • compute.instantSnapshots.useReadOnly on the source instant snapshot

You might also be able to get these permissions with custom roles or other predefined roles.

Restrictions

The following restrictions apply:

  • When you create a disk from an instant snapshot, the new disk always has the same type, storage location, and encryption as the source disk of the snapshot.

  • You can't create a VM directly from an instant snapshot. You must create a disk from the instant snapshot and then use the new disk to create a VM.

  • If the source disk of the instant snapshot uses customer-managed or customer-supplied encryption keys, you must provide the same encryption key when you create a new disk from the instant snapshot.

    Consider this example. Imagine you have a disk, DISK-1 encrypted with a customer-supplied encryption key (CSEK), KEY-1. You also have an instant snapshot, IS-1, created from DISK-1. To create a new disk from IS-1, you must provide the same key, KEY-1, when you create the new disk.

    If the disk is encrypted with customer-managed encryption keys (CMEK), you only have to provide the key if you use the REST or the gcloud CLI to create the disk. If you use the Google Cloud console, you don't need to specify the encryption key.

Create a disk from an instant snapshot

An instant snapshot is encrypted with the same encryption as its source disk. The steps to create a disk from an instant snapshot depend on how the instant snapshot's source disk is encrypted.

Each source disk is encrypted with one of the following methods:

  • Google-owned and Google-managed encryption keys. This is the default.
  • Customer-managed encryption keys (CMEK)
  • Customer-supplied encryption keys (CSEK).

To find out how a particular disk is encrypted, see View information about a disk's encryption.

Create a disk from an instant snapshot encrypted with default encryption

You can create a disk from an instant snapshot with the gcloud CLI, the Google Cloud console, or the REST.

Console

  1. Find the instant snapshot that you want to restore:

    1. In the Google Cloud console, go to the Snapshots page.

      Go to Snapshots

    2. Click the Instant snapshots tab.

    3. In the Name column, click the name of the instant snapshot you want to restore.

  2. Click Create disk.

  3. In the Name field, enter a new name for the disk.

  4. Optional: In the Description field, enter additional details.

  5. Verify that the Disk source type is Instant snapshot.

  6. In the Source instant snapshot list, choose the instant snapshot.

  7. Optional: Configure additional customizations for the disk.

    • Enter a size: In the Size field, specify a size for the disk in GB. The size must be equal to or larger than the size of the source disk for the snapshot.
    • Schedule backups: If you want Compute Engine to create standard snapshots of this new disk on a schedule, select the Enable snapshot schedule checkbox and choose a snapshot schedule. Otherwise, clear the checkbox.
  8. Optional: To organize your project, add one or more labels.

  9. To create the disk, click Create.

gcloud

Use the gcloud compute disks create command. The arguments you specify depend on whether you're creating a zonal or regional disk.

Create a zonal disk

Specify the zone with the --zone flag:

gcloud compute disks create DISK_NAME --zone=ZONE \
  --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME

Replace the following:

  • DISK_NAME: the name of the new disk.
  • ZONE: the zone for the new disk, for example, europe-west1-a.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.

Create a regional disk

Specify the region with --region and the new disk's target replication zones zones with --replica-zones.

gcloud compute disks create DISK_NAME \
 --region=REGION \
 --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \
 --replica-zones=ZONE1,ZONE2

Replace the following:

  • DISK_NAME: the name of the new disk.
  • REGION: the region for the regional disk to reside in, for example: europe-west1.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • ZONE1,ZONE2: the zones within the region where the two disk replicas are located, for example: europe-west1-b,europe-west1-c.

REST

To create a zonal or regional disk from an instant snapshot, use the disks.insert method. The new disk must be the same type as that of the source disk of the instant snapshot. For example, you can't create a regional disk from a snapshot of a zonal disk.

Create a zonal disk

Make a POST request, specifying the source instant snapshot.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/SOURCE_ZONE/disks/insert
{
"name": "NEW_DISK_NAME",
"sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME"
}

Replace the following:

  • PROJECT: the project in which to create the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is located, for example, us-central1-a. The disk is created in this zone.
  • NEW_DISK_NAME: a unique name for the new disk.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.

Create a regional disk

Make a POST request, specifying the source instant snapshot and the zones where the disk should be replicated to.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/region/SOURCE_REGION/disks/insert

{
"name": "NEW_DISK_NAME",
"sourceInstantSnapshot": "projects/PROJECT/regions/SOURCE_REGION/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME",
"replicaZones": [
  "projects/PROJECT/zones/ZONE1",
  "projects/PROJECT/zones/ZONE2"
]
}

Replace the following:

  • PROJECT: the project in which to create the new disk.
  • SOURCE_REGION: the region where the instant snapshot is located. The disk is created in this region.
  • NEW_DISK_NAME: a unique name for the new disk.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • ZONE1,ZONE2: the zones within the region for the two disk replicas, for example, europe-west1-b,europe-west1-c.

API request response

If the POST request is successful, the response body will be an object that you can poll to get the status of the disk's creation. See Handling API responses for more information.

Create a disk from a CMEK- or CSEK-encrypted instant snapshot

Console

If the instant snapshot uses Google default or CMEK encryption, Google Cloud console automatically provides the encryption key when you create a disk from the instant snapshot. Otherwise, if the instant snapshot is CSEK-encrypted, you must provide the encryption key to create a disk.

Follow the steps in the Google-managed encryption section, specifying the encryption key using these instructions:

  1. In the Decryption section, enter the encryption key in the Encryption key field.
  2. If the key is wrapped with the public RSA key, select Wrapped key.

gcloud

Use the gcloud compute disks create command.

If the source disk is CMEK-encrypted, use the --kms-key parameter to provide the name of the key.

If the source disk is CSEK-encrypted, use the --csek-key-file parameter to specify the source disk's encryption key.

CMEK

To create a zonal disk from a CMEK encrypted instant snapshot, use the following command:

     gcloud compute disks create NEW_DISK_NAME \
       --zone=SOURCE_ZONE \
       --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \
       --kms-key=projects/KMS_PROJECT_NAME/locations/KEYRING_LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

Replace the following:

  • NEW_DISK_NAME: the name of the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is stored, for example, europe-west1-a.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • KMS_PROJECT_NAME: the project containing the key.
  • KEYRING_LOCATION: the location of the key ring that the key belongs to. If the key ring is global, specify global. Otherwise, specify the name of the region where the key ring is located, for example, us-west1.
  • KEY_RING_NAME: the name of the key ring that includes the key, for example, key-ring-1.
  • KEY_NAME: the name of the key used to encrypt the disk.

CSEK

To create a zonal disk from a CSEK-encrypted instant snapshot, use the following command:

     gcloud compute disks create NEW_DISK_NAME \
       --zone=SOURCE_ZONE \
       --source-instant-snapshot=SOURCE_INSTANT_SNAPSHOT_NAME \
       --csek-key-file=PATH_TO_CSEK_JSON_FILE
 

Replace the following:

  • NEW_DISK_NAME: the name of the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is stored, for example, europe-west1-a.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • CSEK_JSON_FILE: Path to a JSON file containing the key. See an example of the CSEK file format.

To create a regional disk, replace the --zone flag in the preceding example with the following flags:

  • --region: the region for the new disk
  • --replica-zones: the zones within the region for the two disk replicas.

REST

To create a zonal or regional disk from a CMEK- or CSEK-encrypted instant snapshot, make a POST request to the disks.insert method using the properties listed in the Google-managed encryption section.

Additionally, provide the source disk's encryption key with the diskEncryptionKey field. The properties of the diskEncryptionKey field depend on whether or not the disk is CMEK- or CSEK-encrypted.

The following examples show how to create a new zonal disk for each encryption type.

CMEK

In the request body, specify the name of the key with the diskEncryptionKey.kmsKeyName property:

{
"name": "NEW_DISK_NAME",
"sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/SOURCE_INSTANT_SNAPSHOT_NAME",
"diskEncryptionKey": {
      "kmsKeyName": "projects/KMS_PROJECT/locations/LOCATION/keyRings/KEYRING_LOCATION/cryptoKeys/KEY_NAME"
  }
}

Replace the following:

  • NEW_DISK_NAME: a unique name for the new disk.
  • PROJECT: the project in which to create the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is located, for example, us-central1-a. The disk is created in this zone.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • KMS_PROJECT: the project containing the key.
  • LOCATION: the location of the key ring that the key belongs to. If the key ring is global, specify global. Otherwise, specify the name of the region where the key ring is located, for example, us-west1.
  • KEY_RING: the name of the key ring that includes the key, for example, key-ring-1.
  • KEY: the name of the key used to encrypt the disk.

CSEK

The request body depends on whether the CSEK used to encrypt the instant snapshot is RSA-encrypted or not.

To use a raw (non-RSA encrypted) key, specify the key in the diskEncryptionKey.rawKey property of the request body:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/SOURCE_ZONE/disks/insert
{
  "name": "NEW_DISK_NAME",
  "sourceInstantSnapshot": "projects/PROJECT/zones/SOURCE_ZONE/instantSnapshots/INSTANT_SNAPSHOT_NAME,
  "diskEncryptionKey": {
      "rawKey": "RAW_ENCRYPTION_KEY"
  }
}

Replace the following with the corresponding values:

  • PROJECT: the project in which to create the new disk.
  • SOURCE_ZONE: the zone where the instant snapshot is located, for example, us-central1-a. The disk is created in this zone.
  • NEW_DISK_NAME: a unique name for the new disk.
  • SOURCE_INSTANT_SNAPSHOT_NAME: the name of the source instant snapshot.
  • RAW_ENCRYPTION_KEY: The key used to encrypt the instant snapshot and its source disk, for example, SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=.

To use an RSA-encrypted key, modify the preceding example as follows:

  • Make a POST request to the disks.insert method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/insert
    

  • Specify the key in the diskEncryptionKey.rsaEncryptedKey property of the request body:

    "diskEncryptionKey": {
     "rsaEncryptedKey": "RSA_ENCRYPTED_KEY"
    }
    

Replace RSA_ENCRYPTED_KEY with your encrypted key.

API request response

If the POST request is successful, the response body will be an object that you can poll to get the status of the disk's creation. See Handling API responses for more information.