Quickstart: Protect and recover a Compute Engine instance to a backup vault

Learn how to protect and restore your Compute Engine instance to a backup vault.

In this quickstart, you perform the following tasks:

  • Create a backup vault.
  • Create a backup plan.
  • Back up a Compute Engine instance into a backup vault.
  • Restore a Compute Engine instance from the backup.

Before you begin

  1. Enable the Backup and DR Service API in your Google Cloud project.

    Enable the API

  2. If you don't have a VM, create and start a Compute Engine instance in a location where the backup vault is supported. For the purpose of this quickstart, create a Compute Engine instance in the us-central1 region.

  3. Have the following IAM roles assigned to you in your project:

    • BackupDR Admin (roles/backupdr.admin)
    • Backup and DR User V2 (backupdr.backupPlanAssociations.createForComputeInstance)
    • Cloud Asset Viewer (cloudasset.assets.searchAllResources)
    • Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
    • Compute Viewer (roles/compute.viewer)
    • Logs Viewer (roles/logging.logEntries.list)
    • OS Config Admin (osconfig.osPolicyAssignments.create)
    • Project IAM Admin (roles/resourcemanager.projectIamAdmin)
    • Service Usage Admin (serviceusage.services.enable)
    • Service Account User (iam.serviceAccountUser)
  4. The backup vault service agent must be granted the required roles in the restore project to create a new instance using the backup.

    • Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator)
    • Compute Network User (roles/compute.networkUser) if you are using a shared VPC

Create a backup vault

A backup vault is a container to store backups in, similar to self-managed storage. Backup vaults provide protection for backups by storing them in secure, isolated, and specialized storage. For more information about backup vaults, see Backup vault for immutable and indelible backups.

If you need to store your backups in a location where the backup vault isn't supported, you can use the self-managed storage based solution to protect your VMs. For more information, see Protect and recover a Compute Engine instance using management console.

Use the following instructions to create a backup vault.

  1. In the Google Cloud console Backup and DR section, go to the Backup vaults page.

    Go to Backup vaults

  2. Click Create backup vault.

  3. On the Create a backup vault page, enter your backup vault information.

  4. In the Name your backup vault field, enter a name for the backup vault and an optional description.

  5. At Choose where to store your data, select the location type for the backup vault:

    • Region: for example, us-central1.
    • Multi-region: for example, Americas.
  6. In the Prevent backup deletion field, enter the minimum enforced retention period defining how long backups are protected against deletion. The minimum is 1 day and the maximum is 99 years.

    If you want to lock the value of the minimum enforced retention period, select Lock the enforced retention and then click the icon and select the date from the calendar.

    • Prevent deletion for duration specified in backup rule: You can set the vault to inherit the Delete backups after value set in a backup plan. Backups can't be manually deleted; they are deleted according to the value in their associated backup plan.

    • Lock the enforced retention: If you want to lock the value of the minimum enforced retention period, check this and then click the icon and select the date from the calendar.

  7. If you want to use your own encryption key, then under Encryption, select the Customer-managed encryption key (CMEK) option, and then select your key from the drop-down list. Only keys from the same location as the backup vault are displayed. You can only configure CMEK when you create a backup vault. For more details on using CMEK, see Encryption.

    For required permissions, see CMEK permissions.

  8. In the Define access to your backup vault section, select an option to define access restrictions for the backup vault. If you don't select an option, the backup vault is created with the Restrict access to current organization restriction.

  9. Click Create.

Create a backup plan

A backup plan lets you define advanced backup strategies to back up your Compute Engine instances. In a backup plan, you can define when and how to back up a Compute Engine instance. You must create the backup plan in the same region that the workload is running in, and the backup vault must exist in a location that is compatible with the workload location. Also, a backup plan can only back up Compute Engine instances that are in the same region. For more information, see Backup plans in Google Cloud console.

Use the following instructions to create a backup plan. In this procedure, you'll create a backup plan for hourly backup of the Compute Engine instances and use the backup vault that you have created in the us-central1 region.

  1. In the Google Cloud console Backup and DR section, go to the Backup plans page.

    Go to Backup plans

  2. Click Create Backup plan.

  3. For Resource type, select Compute Engine.

  4. In the Backup plan name field, enter a name for the backup plan. You can't change the name of a plan after the backup plan is created.

  5. In the Backup plan description field, enter an optional description for the backup plan.

  6. From the Regions list, select a backup plan region. The backup plan is created in this region. You can protect resources in the same region as the backup plan.

  7. From the Backup vault list, select a backup vault to store the backups.

  8. In the Add backup rules section, the default backup rule is already in place.

    1. If you want to use the default rule and no other backup rules, you can click Create.
    2. If you want to add a different backup rule for this quickstart, click Add rule.

      In the Add a backup rule pane, enter your backup rule information and click Save.

      • Name your backup rule: Enter a name for the backup rule.
      • Choose when to create backups: Specify the recurrence and frequency of the backup.
      • Window: Select the Timezone, Start time, and End time for the backup job.
      • Choose how long backups are kept before they are deleted: Enter the duration in days that the backups should be retained before they are deleted. Note that this value must be equal to or greater than the backup vault minimum enforced retention period.
  9. Set a maximum custom on-demand retention. (Preview)

    Your custom on-demand backups can be kept for up to the maximum custom on-demand retention. When you create an on-demand backup, you can set your own retention or use an existing backup rule. If unspecified, the vault's minimum enforced retention period plus 30 days is used as the maximum limit for the custom retention period.

    Enter a value in days in Maximum retention. This value must be greater than or equal to the vault's minimum enforced retention period.

  10. Click Create.
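
The retention constraints from the vault and backup plan steps can be checked before you click Create. The following is an added example, not part of the original quickstart or the Backup and DR tooling; the class and field names are hypothetical, the sample values are constructed, and the 99-year limit is approximated in days.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_VAULT_DAYS = 1             # page: minimum enforced retention is 1 day
MAX_VAULT_DAYS = 99 * 365      # page: maximum is 99 years; the day count is an approximation (assumption)
ON_DEMAND_DEFAULT_MARGIN = 30  # page: vault minimum plus 30 days when unspecified


@dataclass
class Vault:                   # hypothetical model, not an API type
    min_enforced_retention_days: int


@dataclass
class Plan:                    # hypothetical model, not an API type
    rule_retention_days: Dict[str, int]  # rule name -> "Delete backups after" in days
    max_on_demand_retention_days: Optional[int] = None


def on_demand_limit(vault: Vault, plan: Plan) -> int:
    """Maximum custom on-demand retention that applies to this plan."""
    if plan.max_on_demand_retention_days is None:
        return vault.min_enforced_retention_days + ON_DEMAND_DEFAULT_MARGIN
    return plan.max_on_demand_retention_days


def check_plan(vault: Vault, plan: Plan) -> List[str]:
    """Return one message per retention constraint the plan violates."""
    floor = vault.min_enforced_retention_days
    problems = []
    if not MIN_VAULT_DAYS <= floor <= MAX_VAULT_DAYS:
        problems.append(f"vault minimum enforced retention {floor}d is outside 1 day to 99 years")
    for rule, days in plan.rule_retention_days.items():
        if days < floor:
            problems.append(f"rule '{rule}' keeps backups {days}d, below the vault minimum {floor}d")
    limit = plan.max_on_demand_retention_days
    if limit is not None and limit < floor:
        problems.append(f"maximum on-demand retention {limit}d is below the vault minimum {floor}d")
    return problems


def on_demand_allowed(vault: Vault, plan: Plan, requested_days: int) -> bool:
    """True if a custom on-demand retention fits under the plan's limit."""
    return requested_days <= on_demand_limit(vault, plan)


if __name__ == "__main__":
    vault = Vault(min_enforced_retention_days=7)                 # constructed sample
    plan = Plan(rule_retention_days={"hourly": 3, "daily": 14})  # constructed sample
    for message in check_plan(vault, plan):
        print(message)
    print("on-demand limit:", on_demand_limit(vault, plan), "days")
```
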

Back up a Compute Engine instance into a backup vault

In the Google Cloud console, you can back up Compute Engine instances to a backup vault by applying backup plans. You can back up in either of two ways: scheduled backups or on-demand backups.

Configure a scheduled backup

Use the following instructions to configure a scheduled backup.

  1. In the Google Cloud console Backup and DR section, go to the Vaulted backups page.

    Go to Vaulted backups

  2. Click Schedule backup.

  3. Select the Resource type Compute Engine.

  4. Leave the Project unchanged.

  5. From the Region list, select the instance region us-central1.

  6. From the Resources list, click Browse.

  7. Choose the Compute Engine instance that you want to back up and click Done.

  8. Click Continue.

  9. From the Backup plan list, click Select, and select the backup plan that you just created.

  10. Click Continue.

  11. Review the backup details and click Schedule.

The first backup made according to this backup plan will be triggered when the current time is within the backup window. If the backup job is not running yet, then run an on-demand backup now.

Take on-demand backup

Use the following instructions to create an on-demand backup.

  1. In the Google Cloud console Backup and DR section, go to the Vaulted backups page.

    Go to Vaulted backups

  2. In the Resources with vaulted backups list, in the row that contains the backed up instance, click the icon. Click Create on-demand backup.

  3. At Choose when to delete this backup, select Based on an existing backup rule and click Create.

  4. To view the backup operation status, you can:

    • Check the notification bell at the top of the Google Cloud console.
    • Go to the Jobs page.

    Go to Jobs

Restore a Compute Engine instance from a backup

You can restore a Compute Engine instance to the same project or to a different project. This quickstart guides you to restore the VM in the same project.

Use the following instructions to restore a Compute Engine instance from a backup in a backup vault.

  1. In the Google Cloud console Backup and DR section, go to the Vaulted resources page.

    Go to Vaulted resources

  2. Click the instance that you just backed up.

  3. In the details page, from the actions menu of the backup, select the backup that you just made and click the icon, and then select Restore.

  4. In the Restore a backup page, review the restore details and click Browse to select the backup.

  5. Click Continue.

  6. In the Create a VM instance from a backup page, leave the instance configuration to the default and click Create.

  7. In the Google Cloud console, go to the Jobs page to view the restore operation status.

    Go to Jobs

Clean up

To avoid incurring charges to your Google Cloud account for the instances used on this page, follow these steps.

Use the following instructions to delete the restored VM:

  1. In the Google Cloud console Compute Engine section, go to the VM instances page.

    Go to the VM instances page

  2. Select the row containing the VM instance that you've created as part of the restore.

  3. Click Delete and click Delete to confirm.

Use the following instructions to remove the backup plan from the backed up Compute Engine instance:

  1. In the Google Cloud console Backup and DR section, go to the Vaulted backups page.

    Go to Vaulted resources

  2. In the row that contains the backed up instance, click the icon. Click Remove backup plan and then confirm the removal.

Use the following instructions to delete the backup plan. Deleting the backup plan is an optional step.

  1. In the Google Cloud console Compute Engine section, go to the Backup plans page.

    Go to Backup plans

  2. In the row that contains the backup plan, click the icon. Click Delete and then type delete to confirm the deletion.

    This deletes the backup plan.

Use the following instructions to delete the backup vault. Deleting the backup vault is an optional step.

  1. In the Google Cloud console Backup and DR section, go to the Backup vaults page.

    Go to Backup vaults

  2. In the row that contains the backup vault, click the icon. Click Delete and then type delete to confirm the deletion.

    This deletes the backup vault and related contents.

Use the following instructions to delete a VM if you created a VM to use as part of this quickstart. Deleting the VM is an optional step.

  1. In the Google Cloud console, go to the VM instances page.

    Go to the VM instances page

  2. Select the row containing the VM instance that you've created in this quickstart.

  3. Click Delete and then click Delete to confirm.

    This deletes the instance created as part of this quickstart.