Migrate a Compute Engine instance backup configuration from the management console to a backup vault

Use the Compute Engine instance protection migration tool to migrate Compute Engine instance protection from Backup and DR Service management console backup plans to backup vault backup plans. This tool does not migrate existing backups.

The migration process uses an overlap and cutover strategy:

Protect: Use the MigrateToBackupVault command to protect Compute Engine instances with a backup vault backup plan.
Verify: Confirm that the backup vault creates backups successfully.
Unprotect: Use the UnprotectVMsFromManagementConsole command to remove protection from the management console.

The tool includes checks to ensure a safe transition. For example, unprotection from the management console only occurs if a successful backup for the instance exists in the backup vault.

Limitations

Migration is not supported if your current management console backup plan or Compute Engine instance configuration includes any of the following features.

Management console backup plans features

High-Frequency Backups: backup frequency of 1 hour or less is not supported.
Archive Snapshots: long-term retention that uses archive snapshots is not supported.

Compute Engine instance features

Hyperdisk Storage: Compute Engine instances that use Google Cloud Hyperdisk are not supported for migration.
Partial / Selective Disk Backup: Compute Engine instances where specific disks are excluded from backups are not supported for migration. Backup vault protects the entire Compute Engine instance.

The tools check for these limitations at both the management console backup plan and individual Compute Engine instance levels.

Before you begin

Ensure you have the following Identity and Access Management (IAM) roles:
- Backup and DR Admin (Legacy role for management console operations)
- roles/backupdr.admin (To manage backup vault, backup plans, and Associations)
Ensure you have the following resources:
- A pre-existing backup vault.
- A pre-existing backup plan configured to use the backup vault. Create this backup plan in the Google Cloud console. It can be equivalent to the management console backup plan.

For more information, see the Backup and DR documentation for creating backup vaults and backup plans.

Install the migration tool

The tool is a single executable: backupdr_gcevm_migration_tool.

Google Cloud Shell

Open Cloud Shell in the Google Cloud console.
Click More and then click Upload.
Select the backupdr_gcevm_migration_tool file.

Make the tool executable:

chmod +x ~/backupdr_gcevm_migration_tool

Run the tool using ~/backupdr_gcevm_migration_tool.

Local Environment

Download the backupdr_gcevm_migration_tool executable.
Install and authenticate the gcloud CLI. For more information, see Install the Google Cloud CLI.

Move the executable to a directory, for example ~/tools, and make it executable:

mkdir -p ~/tools
mv ~/Downloads/backupdr_gcevm_migration_tool ~/tools/
chmod +x ~/tools/backupdr_gcevm_migration_tool

Optional: To run the tool from any directory, add it to your PATH. Add the following line to your ~/.bashrc or ~/.zshrc file:
```
export PATH="$PATH:$HOME/tools"
```
Reload your shell:
```
source ~/.bashrc
```

Migrate Compute Engine instances

Replace placeholder values in the examples with your resource names and URLs.

Protect Compute Engine instances with a backup vault backup plan

The MigrateToBackupVault command identifies eligible Compute Engine instances in a management console backup plan and protects them with the specified backup vault backup plan.

Run the MigrateToBackupVault command:
```
./backupdr_gcevm_migration_tool MigrateToBackupVault \
  --slt_name=SLT_NAME \
  --management_server_url=MANAGEMENT_SERVER_URL \
  --backup_plan=projects/PROJECT_ID/locations/REGION/backupPlans/BACKUP_PLAN_NAME \
  --workload_projects=PROJECT_ID_1,PROJECT_ID_2 \
  --apply \
  --trigger_backup
```
Replace the following:
- SLT_NAME: The name of the source management console backup plan (formerly known as a service level template or SLT).
- MANAGEMENT_SERVER_URL: The URL of the Backup and DR management console.
- PROJECT_ID: Your Google Cloud project ID.
- REGION: The region where your backup plan is located.
- BACKUP_PLAN_NAME: The name of the backup plan to apply.
- PROJECT_ID_1,PROJECT_ID_2: A comma-separated list of project IDs that contain Compute Engine instances, or all.
Additional flags:
- --apply: Executes the protection. If omitted, the tool runs in dry-run mode.
- --trigger_backup: Initiates an on-demand backup immediately after the protection is applied.
The command creates an output file named MigrateToBackupVault_{slt_name}_output.txt that summarizes the actions taken and VM status.
Verify that the VMs are protected by the backup plan. Go to the Backup and DR > Vaulted Backups page in the Google Cloud console.

Unprotect Compute Engine instances from the management console

The UnprotectVMsFromManagementConsole command removes protection from Compute Engine instances in the management console. This command only unprotects a VM if it is protected by the new backup plan and has at least one successful backup vault backup.

Run the UnprotectVMsFromManagementConsole command:
```
./backupdr_gcevm_migration_tool UnprotectVMsFromManagementConsole \
  --slt_name=SLT_NAME \
  --management_server_url=MANAGEMENT_SERVER_URL \
  --workload_projects=PROJECT_ID_1,PROJECT_ID_2 \
  --apply
```
Replace the following:
- SLT_NAME: The name of the source management console backup plan.
- MANAGEMENT_SERVER_URL: The URL of the Backup and DR management console.
- PROJECT_ID_1,PROJECT_ID_2: A comma-separated list of project IDs or all.
Additional flags:
- --apply: Executes the unprotection. If omitted, the tool runs in dry-run mode.
The command creates an output file named UnprotectVMsFromManagementConsole_{slt_name}_output.txt that summarizes the actions.
Verify that the eligible instances are no longer protected in the management console.

What's next

Learn more about Backup plans in the management console.
Learn how to Manage backups in the Google Cloud console.