- NAME
- 
- gcloud beta sql backups restore - restores a backup of a Cloud SQL instance
 
- SYNOPSIS
- 
- 
gcloud beta sql backups restoreID--restore-instance=RESTORE_INSTANCE[--activation-policy=ACTIVATION_POLICY] [--active-directory-dns-servers=[DNS_SERVER_IP_ADDRESS,…]] [--active-directory-domain=ACTIVE_DIRECTORY_DOMAIN] [--active-directory-mode=ACTIVE_DIRECTORY_MODE] [--active-directory-organizational-unit=ACTIVE_DIRECTORY_ORGANIZATIONAL_UNIT] [--active-directory-secret-manager-key=ACTIVE_DIRECTORY_SECRET_MANAGER_KEY] [--[no-]assign-ip] [--async] [--audit-bucket-path=AUDIT_BUCKET_PATH] [--audit-retention-interval=AUDIT_RETENTION_INTERVAL] [--audit-upload-interval=AUDIT_UPLOAD_INTERVAL] [--authorized-networks=NETWORK,[NETWORK,…]] [--availability-type=AVAILABILITY_TYPE] [--no-backup] [--backup-instance=BACKUP_INSTANCE] [--backup-location=BACKUP_LOCATION] [--backup-project=BACKUP_PROJECT] [--backup-start-time=BACKUP_START_TIME] [--clear-active-directory] [--clear-active-directory-dns-servers] [--clear-disk-encryption=CLEAR_DISK_ENCRYPTION] [--clear-network] [--collation=COLLATION] [--connector-enforcement=CONNECTOR_ENFORCEMENT] [--cpu=CPU] [--database-version=DATABASE_VERSION] [--[no-]deletion-protection] [--deny-maintenance-period-end-date=DENY_MAINTENANCE_PERIOD_END_DATE] [--deny-maintenance-period-start-date=DENY_MAINTENANCE_PERIOD_START_DATE] [--deny-maintenance-period-time=DENY_MAINTENANCE_PERIOD_TIME] [--edition=EDITION] [--enable-bin-log] [--enable-google-private-path] [--enable-point-in-time-recovery] [--[no-]final-backup] [--final-backup-retention-days=FINAL_BACKUP_RETENTION_DAYS] [--insights-config-query-insights-enabled] [--insights-config-query-plans-per-minute=INSIGHTS_CONFIG_QUERY_PLANS_PER_MINUTE] [--insights-config-query-string-length=INSIGHTS_CONFIG_QUERY_STRING_LENGTH] [--insights-config-record-application-tags] [--insights-config-record-client-address] [--maintenance-release-channel=MAINTENANCE_RELEASE_CHANNEL] [--maintenance-window-day=MAINTENANCE_WINDOW_DAY] [--maintenance-window-hour=MAINTENANCE_WINDOW_HOUR] [--memory=MEMORY] [--network=NETWORK] [--require-ssl] [--retained-backups-count=RETAINED_BACKUPS_COUNT] [--retained-transaction-log-days=RETAINED_TRANSACTION_LOG_DAYS] [--ssl-mode=SSL_MODE] [--[no-]storage-auto-increase] [--storage-provisioned-iops=STORAGE_PROVISIONED_IOPS] [--storage-provisioned-throughput=STORAGE_PROVISIONED_THROUGHPUT] [--storage-size=STORAGE_SIZE] [--storage-type=STORAGE_TYPE] [--tier=TIER,-tTIER] [--time-zone=TIME_ZONE] [--timeout=TIMEOUT; default=3600] [--allowed-psc-projects=PROJECT,[PROJECT,…]--enable-private-service-connect] [--disk-encryption-key=DISK_ENCRYPTION_KEY:--disk-encryption-key-keyring=DISK_ENCRYPTION_KEY_KEYRING--disk-encryption-key-location=DISK_ENCRYPTION_KEY_LOCATION--disk-encryption-key-project=DISK_ENCRYPTION_KEY_PROJECT] [--region=REGION|--gce-zone=GCE_ZONE|--secondary-zone=SECONDARY_ZONE--zone=ZONE] [GCLOUD_WIDE_FLAG …]
 
- 
- DESCRIPTION
- 
(BETA)The command lets you restore to an existing instance using ID. To restore using a backupDR backup, use the backupDR ID. When backup Name is used to restore it lets you restore to an existing instance or a new instance. When restoring to new instance, optional flags can be used to customize the new instance.
- POSITIONAL ARGUMENTS
- 
- ID
- The ID of the backup run to restore from or the backup NAME for restore to existing/new instance. To find the NAME, run the following command: $ gcloud sql backups list --filter=instance:{instance}
 
- REQUIRED FLAGS
- 
- --restore-instance=- RESTORE_INSTANCE
- The ID of the target Cloud SQL instance that the backup is restored to.
 
- OPTIONAL FLAGS
- 
- --activation-policy=- ACTIVATION_POLICY
- 
Activation policy for this instance. This specifies when the instance should be
activated and is applicable only when the instance state is
RUNNABLE. The default isalways. More information on activation policies can be found here: https://cloud.google.com/sql/docs/mysql/start-stop-restart-instance#activation_policy.ACTIVATION_POLICYmust be one of:always,never.
- --active-directory-dns-servers=[- DNS_SERVER_IP_ADDRESS,…]
- A comma-separated list of the DNS servers to be used for Active Directory. Only available for SQL Server instances. E.g: 10.0.0.1,10.0.0.2
- --active-directory-domain=- ACTIVE_DIRECTORY_DOMAIN
- Managed Service for Microsoft Active Directory domain this instance is joined to. Only available for SQL Server instances.
- --active-directory-mode=- ACTIVE_DIRECTORY_MODE
- 
Defines the Active Directory mode. Only available for SQL Server instances.
ACTIVE_DIRECTORY_MODEmust be one of:MANAGED_ACTIVE_DIRECTORY,CUSTOMER_MANAGED_ACTIVE_DIRECTORY.
- --active-directory-organizational-unit=- ACTIVE_DIRECTORY_ORGANIZATIONAL_UNIT
- Defines the organizational unit to be used for Active Directory. Only available for SQL Server instances. E.g: OU=Cloud,DC=ad,DC=example,DC=com
- --active-directory-secret-manager-key=- ACTIVE_DIRECTORY_SECRET_MANAGER_KEY
- The secret manager key storing administrator credentials. Only available for SQL Server instances.
- --[no-]assign-ip
- 
Assign a public IP address to the instance. This is a public, externally
available IPv4 address that you can use to connect to your instance when
properly authorized. Use --assign-ipto enable and--no-assign-ipto disable.
- --async
- Return immediately, without waiting for the operation in progress to complete.
- --audit-bucket-path=- AUDIT_BUCKET_PATH
- The location, as a Cloud Storage bucket, to which audit files are uploaded. The URI is in the form gs://bucketName/folderName. Only available for SQL Server instances.
- --audit-retention-interval=- AUDIT_RETENTION_INTERVAL
- The number of days for audit log retention on disk, for example, 3dfor 3 days. Only available for SQL Server instances.
- --audit-upload-interval=- AUDIT_UPLOAD_INTERVAL
- How often to upload audit logs (audit files), for example, 30mfor 30 minutes. Only available for SQL Server instances.
- The list of external networks that are allowed to connect to the instance. Specified in CIDR notation, also known as 'slash' notation (e.g. 192.168.100.0/24).
- --availability-type=- AVAILABILITY_TYPE
- 
Specifies level of availability. AVAILABILITY_TYPEmust be one of:- regional
- Provides high availability and is recommended for production instances; instance automatically fails over to another zone within your selected region.
- zonal
- Provides no failover capability. This is the default.
 
- --backup
- 
Enables daily backup. Enabled by default, use --no-backupto disable.
- --backup-instance=- BACKUP_INSTANCE
- The ID of the instance that the backup was taken from. This argument must be specified when the backup instance is different from the restore instance. If it is not specified, the backup instance is considered the same as the restore instance. This flag is not supported when restore happens from backup name, only supported when restore happens from backup ID in timestamp format.
- --backup-location=- BACKUP_LOCATION
- Choose where to store your backups. Backups are stored in the closest multi-region location to you by default. Only customize if needed.
- --backup-project=- BACKUP_PROJECT
- The project of the instance to which the backup belongs. If it isn't specified, backup and restore instances are in the same project. This flag is not supported when restore happens from backup name, only supported when restore happens from backup ID in timestamp format.
- --backup-start-time=- BACKUP_START_TIME
- Start time of daily backups, specified in the HH:MM format, in the UTC timezone.
- --clear-active-directory
- Clears the Active Directory configuration.
- --clear-active-directory-dns-servers
- Removes the list of DNS Servers from the Active Directory Config.
- --clear-disk-encryption=- CLEAR_DISK_ENCRYPTION
- Disables CMEK in the restored instance.
- --clear-network
- Clears the network setting. This is useful to restore a backup to a different project or region where the original network configuration isn't available.
- --collation=- COLLATION
- Cloud SQL server-level collation setting, which specifies the set of rules for comparing characters in a character set.
- --connector-enforcement=- CONNECTOR_ENFORCEMENT
- 
Cloud SQL Connector enforcement mode. It determines how Cloud SQL Connectors are
used in the connection. See the list of modes here.
CONNECTOR_ENFORCEMENTmust be one of:- CONNECTOR_ENFORCEMENT_UNSPECIFIED
- The requirement for Cloud SQL connectors is unknown.
- NOT_REQUIRED
- Does not require Cloud SQL connectors.
- REQUIRED
- Requires all connections to use Cloud SQL connectors, including the Cloud SQL Auth Proxy and Cloud SQL Java, Python, and Go connectors. Note: This disables all existing authorized networks.
 
- --cpu=- CPU
- Whole number value indicating how many cores are desired in the machine. Both --cpu and --memory must be specified if a custom machine type is desired, and the --tier flag must be omitted.--cpu and --memory flags are not compatible with the Enterprise Plus edition. These flags should not be used when creating an Enterprise Plus edition, as the machine configuration is determined by the --tier flag instead.
- --database-version=- DATABASE_VERSION
- The database engine type and versions. If left unspecified, no changes occur. See the list of database versions at https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/SqlDatabaseVersion. Note for restore to new instance major version upgrades are not supported. Only minor version upgrades are allowed.
- --[no-]deletion-protection
- 
Enable deletion protection on a Cloud SQL instance. Use
--deletion-protectionto enable and--no-deletion-protectionto disable.
- --deny-maintenance-period-end-date=- DENY_MAINTENANCE_PERIOD_END_DATE
- 
Date when the deny maintenance period ends, that is
2021-01-10
- --deny-maintenance-period-start-date=- DENY_MAINTENANCE_PERIOD_START_DATE
- 
Date when the deny maintenance period begins, that is
2020-11-01
- --deny-maintenance-period-time=- DENY_MAINTENANCE_PERIOD_TIME
- 
Time when the deny maintenance period starts or ends, that is
05:00:00
- --edition=- EDITION
- 
Specifies the edition of Cloud SQL instance. EDITIONmust be one of:enterprise,enterprise-plus.
- --enable-bin-log
- Allows for data recovery from a specific point in time, down to a fraction of a second. Must have automatic backups enabled to use. Make sure storage can support at least 7 days of logs.
- --enable-google-private-path
- Enable a private path for Google Cloud services. This flag specifies whether the instance is accessible to internal Google Cloud services such as BigQuery. This is only applicable to MySQL and PostgreSQL instances that don't use public IP. Currently, SQL Server isn't supported.
- --enable-point-in-time-recovery
- Allows for data recovery from a specific point in time, down to a fraction of a second, via write-ahead logs. Must have automatic backups enabled to use. Make sure storage can support at least 7 days of logs.
- --[no-]final-backup
- 
Enables the final backup to be taken at the time of instance deletion. Use
--final-backupto enable and--no-final-backupto disable.
- --final-backup-retention-days=- FINAL_BACKUP_RETENTION_DAYS
- Specifies number of days to retain final backup. The valid range is between 1 and 365. For instances managed by BackupDR, the valid range is between 1 day and 99 years. Default value is 30 days.
- --insights-config-query-insights-enabled
- Enable query insights feature to provide query and query plan analytics.
- --insights-config-query-plans-per-minute=- INSIGHTS_CONFIG_QUERY_PLANS_PER_MINUTE
- Number of query plans to sample every minute. Default value is 5. Allowed range: 0 to 20.
- --insights-config-query-string-length=- INSIGHTS_CONFIG_QUERY_STRING_LENGTH
- Sets the default query length limit. For Cloud SQL Enterprise edition, the range is from 256 to 4500 (in bytes) and the default query length is 1024 bytes. For Cloud SQL Enterprise Plus edition, the range is from 1024 to 100,000 (in bytes) and the default query length is 10,000 bytes.
- Allow application tags to be recorded by the query insights feature.
- --insights-config-record-client-address
- Allow the client address to be recorded by the query insights feature.
- --maintenance-release-channel=- MAINTENANCE_RELEASE_CHANNEL
- 
Which channel's updates to apply during the maintenance window. If not
specified, Cloud SQL chooses the timing of updates to your instance.
MAINTENANCE_RELEASE_CHANNELmust be one of:- preview
- Preview updates release prior to production updates. You may wish to use the preview channel for dev/test applications so that you can preview their compatibility with your application prior to the production release.
- production
- Production updates are stable and recommended for applications in production.
- week5
- week5 updates release after the production updates. Use the week5 channel to receive a 5 week advance notification about the upcoming maintenance, so you can prepare your application for the release.
 
- --maintenance-window-day=- MAINTENANCE_WINDOW_DAY
- 
Day of week for maintenance window, in UTC time zone.
MAINTENANCE_WINDOW_DAYmust be one of:SUN,MON,TUE,WED,THU,FRI,SAT.
- --maintenance-window-hour=- MAINTENANCE_WINDOW_HOUR
- Hour of day for maintenance window, in UTC time zone.
- --memory=- MEMORY
- Whole number value indicating how much memory is desired in the machine. A size unit should be provided (eg. 3072MiB or 9GiB) - if no units are specified, GiB is assumed. Both --cpu and --memory must be specified if a custom machine type is desired, and the --tier flag must be omitted. --cpu and --memory flags are not compatible with the Enterprise Plus edition. These flags should not be used when creating an Enterprise Plus edition, as the machine configuration is determined by the --tier flag instead.
- --network=- NETWORK
- 
Network in the current project that the instance will be part of. To specify
using a network with a shared VPC, use the full URL of the network. For an
example host project, 'testproject', and shared network, 'testsharednetwork',
this would use the form:
--network=projects/testproject/global/networks/testsharednetwork
- --require-ssl
- Specified if users connecting over IP must use SSL.
- --retained-backups-count=- RETAINED_BACKUPS_COUNT
- How many backups to keep. The valid range is between 1 and 365. Default value is 7 for Enterprise edition instances. For Enterprise_Plus, default value is 15. Applicable only if --no-backups is not specified.
- --retained-transaction-log-days=- RETAINED_TRANSACTION_LOG_DAYS
- How many days of transaction logs to keep. The valid range is between 1 and 35. Only use this option when point-in-time recovery is enabled. If logs are stored on disk, storage size for transaction logs could increase when the number of days for log retention increases. For Enterprise, default and max retention values are 7 and 7 respectively. For Enterprise_Plus, default and max retention values are 14 and 35.
- --ssl-mode=- SSL_MODE
- 
Set the SSL mode of the instance. SSL_MODEmust be one of:- ALLOW_UNENCRYPTED_AND_ENCRYPTED
- Allow non-SSL and SSL connections. For SSL connections, client certificate will not be verified.
- ENCRYPTED_ONLY
- Only allow connections encrypted with SSL/TLS.
- TRUSTED_CLIENT_CERTIFICATE_REQUIRED
- Only allow connections encrypted with SSL/TLS and with valid client certificates.
 
- --[no-]storage-auto-increase
- 
Storage size can be increased, but it cannot be decreased; storage increases are
permanent for the life of the instance. With this setting enabled, a spike in
storage requirements can result in permanently increased storage costs for your
instance. However, if an instance runs out of available space, it can result in
the instance going offline, dropping existing connections. This setting is
enabled by default. Use --storage-auto-increaseto enable and--no-storage-auto-increaseto disable.
- --storage-provisioned-iops=- STORAGE_PROVISIONED_IOPS
- Indicates how many IOPS to provision for the data disk. This sets the number of I/O operations per second that the disk can handle.
- --storage-provisioned-throughput=- STORAGE_PROVISIONED_THROUGHPUT
- Indicates how much throughput to provision for the data disk. This sets the throughput in MB per second that the disk can handle.
- --storage-size=- STORAGE_SIZE
- Amount of storage allocated to the instance. Must be an integer number of GB. The default is 10GB. Information on storage limits can be found here: https://cloud.google.com/sql/docs/quotas#storage_limits
- --storage-type=- STORAGE_TYPE
- 
The storage type for the instance. The default is SSD.
STORAGE_TYPEmust be one of:SSD,HDD,HYPERDISK_BALANCED.
- --tier=- TIER,- -t- TIER
- 
Machine type for a shared-core instance e.g.
db-g1-small--cpuand--memoryflags. Learn more about how CPU and memory affects pricing: https://cloud.google.com/sql/pricing.
- --time-zone=- TIME_ZONE
- Set a non-default time zone. Only available for SQL Server instances.
- --timeout=- TIMEOUT; default=3600
- 
Time to synchronously wait for the operation to complete, after which the
operation continues asynchronously. Ignored if --async flag is specified. By
default, set to 3600s. To wait indefinitely, set to unlimited.
- --allowed-psc-projects=- PROJECT,[- PROJECT,…]
- A comma-separated list of projects. Each project in this list might be represented by a project number (numeric) or by a project ID (alphanumeric). This allows Private Service Connect connections to be established from specified consumer projects.
- --enable-private-service-connect
- Enable connecting to the Cloud SQL instance with Private Service Connect.
- 
Key resource - The Cloud KMS (Key Management Service) cryptokey that will be
used to protect the instance. The 'Compute Engine Service Agent' service account
must hold permission 'Cloud KMS CryptoKey Encrypter/Decrypter'. The arguments in
this group can be used to specify the attributes of this resource.
- --disk-encryption-key=- DISK_ENCRYPTION_KEY
- 
ID of the key or fully qualified identifier for the key.
To set the kms-keyattribute:- 
provide the argument --disk-encryption-keyon the command line.
 This flag argument must be specified if any of the other arguments in this group are specified. 
- 
provide the argument 
- --disk-encryption-key-keyring=- DISK_ENCRYPTION_KEY_KEYRING
- 
The KMS keyring of the key.
To set the kms-keyringattribute:- 
provide the argument --disk-encryption-keyon the command line with a fully specified name;
- 
provide the argument --disk-encryption-key-keyringon the command line.
 
- 
provide the argument 
- --disk-encryption-key-location=- DISK_ENCRYPTION_KEY_LOCATION
- 
The Google Cloud location for the key.
To set the kms-locationattribute:- 
provide the argument --disk-encryption-keyon the command line with a fully specified name;
- 
provide the argument --disk-encryption-key-locationon the command line.
 
- 
provide the argument 
- --disk-encryption-key-project=- DISK_ENCRYPTION_KEY_PROJECT
- 
The Google Cloud project for the key.
To set the kms-projectattribute:- 
provide the argument --disk-encryption-keyon the command line with a fully specified name;
- 
provide the argument --disk-encryption-key-projecton the command line;
- 
set the property core/project.
 
- 
provide the argument 
 
- 
At most one of these can be specified:
- --region=- REGION
- Regional location (e.g. asia-east1, us-east1). See the full list of regions at https://cloud.google.com/sql/docs/instance-locations.
- 
At most one of these can be specified:
- --gce-zone=- GCE_ZONE
- 
(DEPRECATED) Preferred Compute Engine zone (e.g. us-central1-a, us-central1-b,
etc.).
Flag --gce-zoneis deprecated and will be removed by release 255.0.0. Use--zoneinstead.
- --secondary-zone=- SECONDARY_ZONE
- Preferred secondary Compute Engine zone (e.g. us-central1-a, us-central1-b, etc.).
- --zone=- ZONE
- Preferred Compute Engine zone (e.g. us-central1-a, us-central1-b, etc.).
 
 
 
- GCLOUD WIDE FLAGS
- 
These flags are available to all commands: --access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run $ gcloud helpfor details.
- NOTES
- 
This command is currently in beta and might change without notice. These
variants are also available:
gcloud sql backups restoregcloud alpha sql backups restore
      gcloud beta sql backups restore
  
  Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-21 UTC.