This page provides instructions for how to back up Compute Engine instances to a Backup and DR Service backup vault including how to grant backup vault access in your Compute Engine project, configure scheduled backups, create on-demand backups, and how to manage your vaulted backups.
Overview
Sending backups to a backup vault provides immutability and enforced retention. With a backup vault, you can store backups in a single region or in a multi-region. There are two main methods for backing up Compute Engine instances:
- Use the management console to back up Compute Engine instances: use the management console if you have any of the following backup requirements:
  - Cross-region backups
  - Backups of specific disks attached to a virtual machine (VM)
  - Automated protection of Compute Engine VMs based on tags
  - Backup plans and backup vaults created in the Google Cloud console are not available in a location that is compatible with the region where your source VMs run
- Use the Google Cloud console to back up Compute Engine instances: in the Google Cloud console, you back up Compute Engine instances to a backup vault by applying backup plans. Both of the following methods store your backups in a backup vault, giving you a reliable way to recover your Compute Engine instances after data loss or other unexpected events:
  - Scheduled backups: automatically back up Compute Engine instances at specific intervals, such as daily, weekly, monthly, or yearly.
  - On-demand backups: create a backup whenever needed, for example before making significant changes to an instance or for ad hoc data protection.
Before you begin
- Enable the Backup and DR Service API where the Compute Engine instances are located. 
- Set up Log Analytics on your Cloud Logging bucket to monitor Backup and DR backup jobs. 
Limitations
Backup and DR Service doesn't support backing up Compute Engine instances to a backup vault if the instance uses any of the following configurations:
- VM instances with extreme persistent disks attached.
- VM instances with any hyperdisk-* disk types. Use disk backups for these disks instead.
- VM instances that use a C3D, H3, A3, or Z3 machine type.
- VM instances with customer-managed encryption keys (CMEK) or customer-supplied encryption keys (CSEK).
- VM instances without any attached disks.
- VM instances larger than 200 terabytes (TB).
IAM roles and permissions for the backup user
To get the permissions that you need to configure scheduled backups or run on-demand backups, ask your administrator to grant you the following IAM roles on your backup vault project:
- Backup and DR Backup User (roles/backupdr.backupUser)
- Viewer (roles/viewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to configure scheduled backups or run on-demand backups. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to configure scheduled backups or run on-demand backups:
- backupdr.backupPlans.list
- backupdr.backupPlanAssociations.createForComputeInstance
- backupdr.backupPlanAssociations.list
- backupdr.backupPlanAssociations.get
- backupdr.backupPlanAssociations.triggerBackupForComputeInstance
- backupdr.backupPlanAssociations.deleteForComputeInstance
- backupdr.backupPlans.useForComputeInstance
- backupdr.locations.list
- backupdr.operations.get
- cloudasset.assets.searchAllResources
You might also be able to get these permissions with custom roles or other predefined roles.
The following table lists the permission required for each API call and the project in which it must be granted. The admin project is the project that contains the backup vault and backup plans; the workload project is the project that contains the Compute Engine instances.
| Resource | Action on the resource | Permission required | Project where it must be granted |
|---|---|---|---|
| Backup vault | Create BackupVault | backupdr.backupVaults.create | Admin project |
| Backup vault | Delete BackupVault | backupdr.backupVaults.delete | Admin project |
| Backup vault | Update BackupVault | backupdr.backupVaults.update | Admin project |
| Backup vault | List BackupVaults | backupdr.backupVaults.list | Admin project |
| Backup vault | Get BackupVault | backupdr.backupVaults.get | Admin project |
| Backup plan | Create BackupPlan | backupdr.backupPlans.create | Admin project |
| Backup plan | Delete BackupPlan | backupdr.backupPlans.delete | Admin project |
| Backup plan | Get BackupPlan | backupdr.backupPlans.get | Admin project |
| Backup plan | List BackupPlans | backupdr.backupPlans.list | Admin project |
| Backup plan association | Create BackupPlanAssociation | compute.instances.updateBackupDrConfig | Workload project |
| Backup plan association | Create BackupPlanAssociation | backupdr.backupPlanAssociations.createForComputeInstance | Workload project |
| Backup plan association | Create BackupPlanAssociation | backupdr.backupPlans.useForComputeInstance | Admin project |
| Backup plan association | Delete BackupPlanAssociation | backupdr.backupPlanAssociations.deleteForComputeInstance | Workload project |
| Backup plan association | Delete BackupPlanAssociation | compute.instances.updateBackupDrConfig | Workload project |
| Backup plan association | Trigger an on-demand backup | backupdr.backupPlanAssociations.triggerBackupForComputeInstance | Workload project |
| Backup plan association | Get BackupPlanAssociation | backupdr.backupPlanAssociations.getForComputeInstance | Workload project |
| Backup plan association | List BackupPlanAssociations | backupdr.backupPlanAssociations.list | Workload project |
| Backup plan association | Fetch BackupPlanAssociations | backupdr.backupPlanAssociations.fetchForComputeInstance | Workload project |
| Data source | Get DataSource | backupdr.bvdataSources.get | Admin project |
| Data source | List DataSources | backupdr.backupPlanAssociations.list | Admin project |
| Data source | PiTR restore | backupdr.bvdataSources.useReadOnlyForComputeInstance | Admin project |
| Backup | Get Backup | backupdr.bvbackups.get | Admin project |
| Backup | List Backups | backupdr.bvbackups.list | Admin project |
| Backup | Delete Backup | backupdr.bvbackups.delete | Admin project |
| Backup | Restore Backup | backupdr.bvbackups.useReadOnlyForComputeInstance | Admin project |
| Data source reference | Get DataSourceReference | backupdr.dataSourceReferences.getForComputeInstance | Workload project |
| Data source reference | Fetch DataSourceReferences | backupdr.dataSourceReferences.fetchForComputeInstance | Workload project |
| Operations | List Operations | backupdr.operations.list | Respective project |
| Operations | Get Operation | backupdr.operations.get | Respective project |
Grant backup vault access in the Compute Engine project
To back up a Compute Engine VM instance that lives in a different project from the backup vault, grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role to the backup vault service agent in the Compute Engine project.
If the VM instance and the backup vault are in the same project, no additional roles need to be granted.
For information about granting roles to the backup vault service agent within the project you intend to back up, see Grant a role to the service agent.
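Before applying a backup plan, a practitioner wants two things confirmed: that the VM is not excluded by any of the limitations listed above, and, for a cross-project setup, that the vault service agent really holds roles/backupdr.computeEngineOperator in the Compute Engine project through an unconditional binding. The following Python preflight is an added example, not code from this page or from Google. It assumes the field names that gcloud's --format=json output uses (machineType, disks[].source, a disk's type, sizeGb and diskEncryptionKey with kmsKeyName for CMEK or sha256/rawKey for CSEK, and an IAM policy's bindings[].role, members and condition), that the 200 TB limit means 200 × 1024 GB, and that the service agent email is taken from the backup vault's serviceAccount field. The instance, disk and policy JSON below are constructed samples.

```python
"""Preflight checks before applying a backup plan to a Compute Engine VM.

Added example, not code from the page or from Google. It inspects the JSON
that `gcloud compute instances describe --format=json`,
`gcloud compute disks describe --format=json` and
`gcloud projects get-iam-policy --format=json` print (field names below are
assumed to match that output). All sample inputs are constructed.
"""
import json

UNSUPPORTED_MACHINE_FAMILIES = {"c3d", "h3", "a3", "z3"}
MAX_TOTAL_GB = 200 * 1024  # assumption: the 200 TB limit read as 200 * 1024 GB
COMPUTE_OPERATOR_ROLE = "roles/backupdr.computeEngineOperator"


def basename(url):
    """Last path segment of a Compute Engine resource URL or path."""
    return url.rsplit("/", 1)[-1]


def check_instance_eligibility(instance, disks):
    """Return the list of limitations the VM violates (empty means eligible).

    `instance` is the instance JSON; `disks` maps each attached disk's source
    URL to that disk's JSON, which carries the type, size and encryption key.
    """
    problems = []
    family = basename(instance["machineType"]).split("-")[0]
    if family in UNSUPPORTED_MACHINE_FAMILIES:
        problems.append(f"unsupported machine type family: {family}")
    attached = instance.get("disks", [])
    if not attached:
        problems.append("instance has no attached disks")
    total_gb = 0
    for att in attached:
        if "source" not in att:  # local SSD (SCRATCH) has no disk resource to inspect
            continue
        disk = disks[att["source"]]
        disk_type = basename(disk["type"])
        if disk_type == "pd-extreme":
            problems.append(f"{disk['name']}: extreme persistent disk")
        elif disk_type.startswith("hyperdisk-"):
            problems.append(f"{disk['name']}: {disk_type} (use disk backup instead)")
        key = disk.get("diskEncryptionKey") or {}
        if "kmsKeyName" in key:
            problems.append(f"{disk['name']}: CMEK-encrypted")
        elif "sha256" in key or "rawKey" in key:
            problems.append(f"{disk['name']}: CSEK-encrypted")
        total_gb += int(disk["sizeGb"])
    if total_gb > MAX_TOTAL_GB:
        problems.append(f"total disk size {total_gb} GB exceeds 200 TB")
    return problems


def service_agent_has_role(policy, service_agent, role=COMPUTE_OPERATOR_ROLE):
    """True if the vault service agent holds `role` through an unconditional binding.

    Conditional bindings are not counted: the condition may not hold at backup time.
    """
    member = f"serviceAccount:{service_agent}"
    return any(
        b.get("role") == role and member in b.get("members", []) and "condition" not in b
        for b in policy.get("bindings", [])
    )


def preflight(instance, disks, workload_policy, vault_service_agent, cross_project):
    """Run both checks; returns (ok, findings)."""
    findings = check_instance_eligibility(instance, disks)
    if cross_project and not service_agent_has_role(workload_policy, vault_service_agent):
        findings.append(f"{vault_service_agent} lacks {COMPUTE_OPERATOR_ROLE} in the workload project")
    return (not findings, findings)


# Constructed sample data (not captured from a real project).
PFX = "https://www.googleapis.com/compute/v1/projects/vm-project/zones/us-central1-a/"
GOOD_INSTANCE = {"name": "web-1", "machineType": PFX + "machineTypes/e2-standard-4",
                 "disks": [{"source": PFX + "disks/web-1-boot", "type": "PERSISTENT", "boot": True}]}
BAD_INSTANCE = {"name": "db-1", "machineType": PFX + "machineTypes/c3d-standard-8",
                "disks": [{"source": PFX + "disks/db-1-boot", "type": "PERSISTENT", "boot": True},
                          {"source": PFX + "disks/db-1-data", "type": "PERSISTENT", "boot": False},
                          {"type": "SCRATCH", "boot": False}]}
DISKS = {
    PFX + "disks/web-1-boot": {"name": "web-1-boot", "sizeGb": "50", "type": PFX + "diskTypes/pd-balanced"},
    PFX + "disks/db-1-boot": {"name": "db-1-boot", "sizeGb": "50", "type": PFX + "diskTypes/pd-balanced"},
    PFX + "disks/db-1-data": {"name": "db-1-data", "sizeGb": "4096",
                              "type": PFX + "diskTypes/hyperdisk-balanced",
                              "diskEncryptionKey": {"kmsKeyName": "projects/vm-project/locations/us-central1/keyRings/kr/cryptoKeys/k"}},
}
VAULT_SA = "vault-agent@example.iam.gserviceaccount.com"  # placeholder, not a real service agent
POLICY = {"version": 1, "bindings": [
    {"role": COMPUTE_OPERATOR_ROLE, "members": ["serviceAccount:" + VAULT_SA]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]}]}

if __name__ == "__main__":
    for inst in (GOOD_INSTANCE, BAD_INSTANCE):
        ok, findings = preflight(inst, DISKS, POLICY, VAULT_SA, cross_project=True)
        print(json.dumps({"instance": inst["name"], "eligible": ok, "findings": findings}))
```

To run it against real resources, feed it the output of `gcloud compute instances describe VM_NAME --zone=VM_ZONE --format=json`, one `gcloud compute disks describe` per attached disk, and `gcloud projects get-iam-policy VM_PROJECT_ID --format=json`; the service agent email is assumed to come from the serviceAccount field of `gcloud backup-dr backup-vaults describe`. Conditional role bindings are deliberately reported as missing, since a backup job that runs outside the condition would fail with a permission error.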
Configure a scheduled backup
Use the following instructions to configure a scheduled backup for Compute Engine instances.
Console
- In the Google Cloud console, go to the Vaulted backups page. 
- Click Schedule backups. 
- From the Projects list, click Browse and select a project where the Compute Engine instances are located. 
- From the Region list, select the region where your instances are located. 
- From the Resources list, click Browse. 
- Choose the Compute Engine instance that you want to back up and click Done. 
- Click Continue. 
- From the Backup plan list, click Select. 
- Choose a backup plan that you want to protect the Compute Engine instance with. 
- Click Done. 
- Review the backup details and click Schedule. 
gcloud
- Get the instance ID:

  ```sh
  gcloud compute instances describe VM_NAME --zone=VM_ZONE --format="value(id)"
  ```

  Replace the following:
  - VM_NAME: the name of the VM instance.
  - VM_ZONE: the zone where the VM is located.
- Configure a scheduled backup:

  ```sh
  gcloud backup-dr backup-plan-associations create BACKUP_PLAN_ASSOCIATION_NAME \
      --location=VM_REGION \
      --resource=projects/VM_PROJECT_ID/zones/VM_ZONE/instances/VM_ID \
      --backup-plan=projects/PROJECT_ID/locations/LOCATION/backupPlans/BACKUP_PLAN
  ```

  Replace the following:
  - BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.
  - VM_REGION: the region where the Compute Engine instance is located.
  - VM_PROJECT_ID: the ID of the project where the Compute Engine instance is located.
  - VM_ZONE: the zone where the Compute Engine instance is located.
  - VM_ID: the Compute Engine instance ID returned by the previous command.
  - PROJECT_ID: the ID of the project where the backup plan exists.
  - LOCATION: the region where the backup plan exists.
  - BACKUP_PLAN: the name of the backup plan that you want to associate the Compute Engine instance with.

Terraform
You can use a Terraform resource to configure a scheduled backup.
Change the backup plan applied to a Compute Engine instance
You can change the backup plan applied to a Compute Engine instance to another backup plan. The other backup plan must meet these criteria:
- Use the same backup vault
- Be in the same region as the Compute Engine instance
Use the following instructions to change the backup plan associated with a Compute Engine instance.
Console
- In the Google Cloud console, go to the Vaulted backups page. The Vaulted backups page lists only the instances that have backup plans applied and whose backups are stored in a backup vault within the project. 
- Select the instance that will get a different plan. Either from the backup details page for the instance, or from its menu, select Change backup plan. The Select a backup plan window lists only the backup plans that are valid for this instance. 
- Select a backup plan and click Apply. 
gcloud
- Change the assigned backup plan:

  ```sh
  gcloud backup-dr backup-plan-associations update BACKUP_PLAN_ASSOCIATION_NAME \
      --workload-project=VM_PROJECT_ID \
      --location=VM_REGION \
      --backup-plan=BACKUP_PLAN \
      --project=PROJECT_ID
  ```

  Replace the following:
  - BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association resource.
  - VM_PROJECT_ID: the ID of the project that contains the Compute Engine instance.
  - VM_REGION: the location of the Compute Engine instance.
  - BACKUP_PLAN: the name of the backup plan that you are switching to.
  - PROJECT_ID: the ID of the project that contains the selected backup plan.

List scheduled backups
Use the following instructions to list the backed up Compute Engine instances.
Console
- In the Google Cloud console, go to the Vaulted backups page. The Vaulted backups page lists only the instances that have backup plans applied and whose backups are stored in a backup vault within the project. 
gcloud
- List scheduled backups:

  ```sh
  gcloud backup-dr backup-plan-associations list \
      --location=LOCATION \
      --project=PROJECT_ID
  ```

  Replace the following:
  - PROJECT_ID: the ID of the project.
  - LOCATION: the location of the scheduled backups.

Create an on-demand backup
You can initiate an on-demand backup for a Compute Engine instance with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups typically capture only the data changed since the last backup (incremental).
When creating an on-demand backup, you choose a rule from the backup plan associated with the Compute Engine instance; the retention setting of that rule determines when the on-demand backup is deleted. You can check the backup job status on the Jobs page. For more information, see Monitor backup and restore jobs in Google Cloud console.
Use the following instructions to create an on-demand backup.
Console
- Go to the VM instances > Details > Backup Plan to create an on-demand backup.
- Click Create On-Demand Backup. You must have the correct permissions to make an on-demand backup.
- Choose a backup rule.
- Click Create to start the on-demand backup creation process.
- To view the status of the on-demand backup job, click Notifications.
gcloud
- Create an on-demand backup:

  ```sh
  gcloud backup-dr backup-plan-associations trigger-backup BACKUP_PLAN_ASSOCIATION_NAME \
      --project=PROJECT_ID \
      --location=LOCATION \
      --backup-rule-id=RULE_ID
  ```

  Replace the following:
  - BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association. To list the backup plan associations in the project, run `gcloud backup-dr backup-plan-associations list --location=LOCATION --project=PROJECT_ID`.
  - PROJECT_ID: the ID of the project.
  - LOCATION: the location of the scheduled backups.
  - RULE_ID: the ID of the backup rule that you want to run for the on-demand backup.

Unprotect a Compute Engine instance
You can unprotect a Compute Engine instance by removing the backup plan applied to the instance. Removing a backup plan from a Compute Engine instance doesn't delete the backup plan or any backups created while the instance was protected. You can still access and manage these existing backups.
Use the following instructions to unprotect a Compute Engine instance.
Console
- In the Google Cloud console, go to the Vaulted backups page. 
- Click the name of the instance from which you want to remove the backup plan. 
- Select Remove backup plan. 
gcloud
- Unprotect a Compute Engine instance:

  ```sh
  gcloud backup-dr backup-plan-associations delete BACKUP_PLAN_ASSOCIATION_NAME \
      --project=PROJECT_ID \
      --location=LOCATION
  ```

  Replace the following:
  - BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association that you want to delete. Deleting it removes the scheduled backups for the instance but does not delete existing backups in the vault.
  - PROJECT_ID: the ID of the project.
  - LOCATION: the location of the scheduled backup.