This document describes how to protect specific VM instances from deletion
by setting the deletionProtection property on an Instance resource. To learn
more about VM instances, read the Instances
documentation.
As part of your workload, there might be certain VM instances that are critical to running your application or services, such as an instance running a SQL server, a server used as a license manager, and so on. These VM instances might need to stay running indefinitely, so you need a way to protect these VMs from being deleted.
By setting the deletionProtection flag, a VM instance can be protected from
accidental deletion. If a user attempts to delete a VM instance for which
you have set the deletionProtection flag, the request fails. Only a user that
has been granted a role with compute.instances.create permission can reset
the flag to allow the resource to be deleted.
Before you begin
- Read the Instances documentation.
- If you haven't already, set up authentication.
  Authentication verifies your identity for access to Google Cloud services and APIs. To run
  code or samples from a local development environment, you can authenticate to
  Compute Engine by selecting one of the following options:
  Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
  gcloud init
  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- Set a default region and zone.
Go
To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
Node.js
To use the Node.js samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
PHP
To use the PHP samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Specifications
- Deletion prevention does not prevent the following actions:
  - Terminating an instance from within the VM (such as running the shutdown command)
  - Stopping an instance
  - Resetting an instance
  - Suspending an instance
  - Instances being removed due to fraud and abuse after being detected by Google
  - Instances being removed due to project termination
- Deletion protection can be applied to both regular VMs and preemptible VMs. 
- Deletion protection cannot be applied to VMs that are part of a managed instance group but can be applied to instances that are part of unmanaged instance groups. 
- Deletion prevention cannot be specified in instance templates. 
Permissions
To perform this task, you must have been granted the following permissions OR one of the following IAM roles on the resource.
Permissions
- compute.instances.create
Roles
- compute.admin
- compute.instanceAdmin.v1
Setting deletion protection during instance creation
By default, deletion protection is disabled for your instance. Enable deletion protection using the instructions below.
Console
- In the Google Cloud console, go to the Create an instance page. 
- Expand the Advanced options section and do the following:
  - Expand the Management section.
  - Select the Enable deletion protection checkbox.
- Continue with the VM creation process. 
gcloud
When creating a VM instance,
include either the --deletion-protection or the --no-deletion-protection
flag. Deletion protection is disabled by default, so to enable deletion
protection:
gcloud compute instances create [INSTANCE_NAME] --deletion-protection
where [INSTANCE_NAME] is the name of the desired instance.
To disable deletion protection during creation:
gcloud compute instances create [INSTANCE_NAME] --no-deletion-protection
REST
In the API, when
creating a VM instance,
include the deletionProtection property in your request body. For example:
POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances
{
  "name": "[INSTANCE_NAME]",
  "deletionProtection": "true",
  ...
}
To disable deletion protection, set deletionProtection to false.
Determining if an instance has deletion protection enabled
You can determine if an instance has deletion protection enabled in the gcloud tool
or in the API.
Console
- Go to the VM instances page. 
- If prompted, select your project and click Continue. 
- On the VM instances page, pull down the Columns menu and enable Deletion protection.   
- A new column appears with the deletion protection icon. If a VM has deletion protection enabled, the icon appears next to the instance name. 
gcloud
In the gcloud CLI, run the instances describe command and search
for the deletion protection field. For example:
gcloud compute instances describe example-instance | grep "deletionProtection"
The tool returns the value of the deletionProtection property, either set
to true or false:
deletionProtection: false
REST
In the API, make a GET request and look for the deletionProtection
field:
GET https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]
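To run the same check across a whole project rather than one instance at a time, the following added example (not part of the original page or of Google's samples) audits instance resources in the shape produced by gcloud compute instances list --format=json and returns the update command for each critical VM that lacks protection. The critical label, the sample data, and the use of the created-by metadata key to recognize managed instance group members are assumptions made for illustration.

```python
import shlex

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
ZONE_URL = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE_INSTANCES = [
    {"name": "sql-primary", "zone": ZONE_URL + "us-central1-a",
     "labels": {"critical": "true"}, "deletionProtection": True},
    {"name": "license-mgr", "zone": ZONE_URL + "us-central1-b",
     "labels": {"critical": "true"}, "deletionProtection": False},
    {"name": "batch-7", "zone": ZONE_URL + "us-central1-a",
     "deletionProtection": False},  # no critical label: out of scope
    {"name": "web-mig-x1", "zone": ZONE_URL + "us-central1-a",
     "labels": {"critical": "true"}, "deletionProtection": False,
     "metadata": {"items": [{"key": "created-by", "value":
         "projects/1234/zones/us-central1-a/instanceGroupManagers/web-mig"}]}},
    {"name": "legacy-db", "zone": ZONE_URL + "us-central1-b",
     "labels": {"critical": "true"}},  # field absent: treated as disabled
]

def is_protected(instance):
    """True for JSON true or the string "true" used in the REST request body."""
    return str(instance.get("deletionProtection", False)).lower() == "true"

def is_mig_managed(instance):
    """Assumption: MIG members carry a created-by metadata item naming the group."""
    items = instance.get("metadata", {}).get("items", [])
    return any(i.get("key") == "created-by"
               and "/instanceGroupManagers/" in i.get("value", "") for i in items)

def audit(instances, label_key="critical", label_value="true"):
    """Return findings for labelled instances that lack deletion protection."""
    findings = []
    for inst in instances:
        if inst.get("labels", {}).get(label_key) != label_value or is_protected(inst):
            continue
        zone = inst.get("zone", "").rsplit("/", 1)[-1]
        fix = None  # the flag cannot be applied to managed instance group members
        if not is_mig_managed(inst):
            fix = ("gcloud compute instances update %s --zone %s --deletion-protection"
                   % (shlex.quote(inst["name"]), shlex.quote(zone)))
        findings.append({"name": inst["name"], "zone": zone, "fix": fix})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES):
        print(finding["name"], finding["zone"],
              finding["fix"] or "MIG member: cannot be protected")
```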
Toggling deletion protection for existing instances
You can toggle deletion protection for an existing instance, irrespective of the instance's current status. Specifically, you do not have to stop the instance before you can enable or disable deletion protection.
Console
- Go to the VM instances page. 
- If prompted, select your project and click Continue. 
- Click the name of the instance for which you want to toggle deletion protection. The instance details page displays. 
- From the instance details page, complete the following steps:
  - Click the Edit button at the top of the page.
  - Under Deletion Protection, check the box to enable or uncheck the box to disable deletion protection.
  - Save your changes.
gcloud
Using the gcloud CLI, run the update command with either the
--deletion-protection or --no-deletion-protection flag:
gcloud compute instances update [INSTANCE_NAME] \
    [--deletion-protection | --no-deletion-protection]
For example, to enable deletion protection for an instance named
example-vm:
gcloud compute instances update example-vm --deletion-protection
REST
In the API, make a POST request to the setDeletionProtection method
with the deletionProtection query parameter. For example:
POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/setDeletionProtection?deletionProtection=true
To disable deletion protection, set deletionProtection to false. Do not
provide a request body with the request.
What's next
- Learn how to stop an instance.
- Delete your instances if you no longer need them.