By default, snapshots are created with a global scope. Globally scoped snapshots are stored in a specific storage location and can be restored (used to create a new disk) in any region or zone. For additional location-based isolation control, you can create regionally scoped snapshots. Regionally scoped snapshots store all snapshot data and metadata together in the scoped region. With regionally scoped snapshots, you can also restrict the regions where you can create and restore snapshots.
This document explains how to set allowed locations for regional snapshot creation and restoration.
Before you begin
- If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- After installing the Google Cloud CLI, initialize it by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
After installing the Google Cloud CLI, initialize it by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Limitations
- Setting a regional scope overrides all default storage location settings for the project.
- Setting a regional scope applies only to new regional snapshots.
- You can't convert a globally scoped snapshot to a regionally scoped snapshot. You must create a new snapshot with the appropriate scope.
Required roles and permissions
To get the permissions that you need to set storage and restore locations for regionally scoped snapshots, ask your administrator to grant you the following IAM roles on the project:
- Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
- To connect to a VM that can run as a service account: Service Account User (v1) (roles/iam.serviceAccountUser)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to set snapshot creation and restore locations.
Set allowed snapshot creation locations
By default, you can create snapshots in all regions. To restrict where you can create regionally scoped snapshots, set allowed access locations at the project level. Once you set access locations, you can create regionally scoped snapshots for the project only in these locations.
gcloud
To let zonal disks in Zone A create snapshots in any region, use the gcloud beta compute disk-settings update command:
gcloud beta compute disk-settings update \
    --zone=ZONE_A \
    --access-location-policy=all-regions
To let regional disks in Region A create snapshots in any region, use the gcloud beta compute disk-settings update command:
gcloud beta compute disk-settings update \
    --region=REGION_A \
    --access-location-policy=all-regions
To let disks in Region A create snapshots only in Region B, use the gcloud beta compute disk-settings update command:
gcloud beta compute disk-settings update \
    --access-location-policy=specific-regions \
    --region=REGION_A \
    --add-access-locations=REGION_B
Replace the following:
- ZONE_A: The zone of the disks that can create snapshots in any region.
- REGION_A: The region of all disks (in a project) that require regionally scoped snapshot creation restrictions.
- REGION_B: An allowed region for regionally scoped snapshot creation. You can set multiple regions as allowed access locations. You must include the region that the source disk is stored in as one of the allowed regions.
REST
To let zonal disks in Zone A create snapshots in any region, make a PATCH request to the diskSettings.patch method:
PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/zones/ZONE_A/diskSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "ALL_REGIONS"
  }
}
To let regional disks in Region A create snapshots only in Region B, make a PATCH request to the regionDiskSettings.patch method:
PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION_A/diskSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "SPECIFIC_REGIONS",
    "locations": {
      "REGION_B": {"region": "REGION_B"}
    }
  }
}
Replace the following:
- PROJECT_ID: The ID of the project.
- ZONE_A: The zone of the disk.
- REGION_A: The region of the disk.
- REGION_B: An allowed region for snapshot creation. You can set multiple regions as allowed access locations. You must include the region that the source disk is stored in as one of the allowed regions.
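The SPECIFIC_REGIONS request above, built and checked in Python. This is an added example, not one of the documentation's own samples: the function names, project ID and regions are constructed for illustration, and the audit function assumes a settings document carries accessLocation in the same shape as the PATCH body.

```python
# Constructed values throughout: project ID and regions are illustrative only.
BASE = "https://compute.googleapis.com/compute/beta"  # beta endpoint used on this page


def creation_policy_request(project, disk_region, allowed_regions):
    """Build the regionDiskSettings.patch request for SPECIFIC_REGIONS."""
    allowed = sorted(set(allowed_regions))
    if disk_region not in allowed:
        # The page requires the source disk's region to be an allowed region.
        raise ValueError(f"{disk_region} must be one of the allowed regions")
    url = (f"{BASE}/projects/{project}/regions/{disk_region}"
           "/diskSettings?updateMask=accessLocation")
    body = {
        "accessLocation": {
            "policy": "SPECIFIC_REGIONS",
            "locations": {r: {"region": r} for r in allowed},
        }
    }
    return "PATCH", url, body


def audit_access_location(settings, approved_regions):
    """List ways a settings document is broader than the approved regions.

    Assumption: the document holds accessLocation in the PATCH body's shape.
    """
    access = settings.get("accessLocation") or {}
    policy = access.get("policy")
    if policy is None:
        return ["no policy set: all regions allowed by default"]
    if policy == "ALL_REGIONS":
        return ["policy is ALL_REGIONS"]
    extra = sorted(set(access.get("locations") or {}) - set(approved_regions))
    return [f"unapproved region: {r}" for r in extra]


if __name__ == "__main__":
    import json
    method, url, body = creation_policy_request(
        "example-project", "us-central1", ["us-central1", "europe-west1"])
    print(method, url)
    print(json.dumps(body, indent=2))
    print(audit_access_location(body, ["us-central1"]))
```

The same audit function applies to a snapshotSettings document, since the restore policy on this page uses the same accessLocation structure.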
Set allowed snapshot restore locations
By default, you can restore regionally and globally scoped snapshots to any region. To configure restore locations for your regionally scoped snapshots, set allowed access locations at the project level. You must set allowed access locations for each project individually. Once you set access locations, you can restore regionally scoped snapshots for the project only in these locations.
gcloud
To let snapshots for a project in Region A be restored in all regions, use the gcloud beta compute snapshot-settings update command:
gcloud beta compute snapshot-settings update \
    --project=PROJECT_ID \
    --region=REGION_A \
    --access-location-policy=all-regions
To let snapshots for a project in Region A be restored only in Region B, use the gcloud beta compute snapshot-settings update command:
gcloud beta compute snapshot-settings update \
    --project=PROJECT_ID \
    --access-location-policy=specific-regions \
    --region=REGION_A \
    --add-access-locations=REGION_B
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: An allowed region where regionally scoped snapshots can be restored. You can set multiple regions as allowed restore locations.
REST
To let snapshots for a project in Region A be restored in all regions, make a PATCH request to the regionSnapshotSettings.patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "ALL_REGIONS"
  }
}
To let snapshots for a project in Region A be restored only in Region B, make a PATCH request to the regionSnapshotSettings.patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "SPECIFIC_REGIONS",
    "locations": {
      "REGION_B": {"region": "REGION_B"}
    }
  }
}
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: An allowed region where regionally scoped snapshots can be restored. You can set multiple regions as allowed restore locations.
Edit allowed snapshot restore locations
gcloud
To view the allowed restore locations for snapshots for a project stored in Region A, use the gcloud beta compute snapshot-settings describe command:
gcloud beta compute snapshot-settings describe \
    --project=PROJECT_ID \
    --region=REGION_A
To remove Region B from the list of allowed restore locations for snapshots for a project stored in Region A, use the gcloud beta compute snapshot-settings update command:
gcloud beta compute snapshot-settings update \
    --project=PROJECT_ID \
    --access-location-policy=specific-regions \
    --remove-access-locations=REGION_B \
    --region=REGION_A
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: The region where you want to remove restore access for regionally scoped snapshots.
REST
To view the allowed restore locations for snapshots for a project stored in Region A, make a GET request to the regionSnapshotSettings.get method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings
To remove Region B from the list of allowed restore locations for snapshots for a project stored in Region A, make a PATCH request to the regionSnapshotSettings.patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "SPECIFIC_REGIONS",
    "locations": {
      "REGION_B": {}
    }
  }
}
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: The region where you want to remove restore access for regionally scoped snapshots.