Configure backup plans

By default, AlloyDB for PostgreSQL continuously backs up your data with a 14-day recovery window, using Google-managed encryption. This page describes how to adjust this default behavior in two ways:

Before you begin

  • The Google Cloud project you are using must have been enabled to access AlloyDB.
  • You must have one of these IAM roles in the Google Cloud project you are using:
    • roles/alloydb.admin (the AlloyDB Admin predefined IAM role)
    • roles/owner (the Owner basic IAM role)
    • roles/editor (the Editor basic IAM role)

    If you don't have any of these roles, contact your Organization Administrator to request access.

Configure continuous backup and recovery

This section describes the Google Cloud CLI commands that you can use to configure, disable, or re-enable continuous backup and recovery on your cluster.

Reconfigure continuous backup

Use the gcloud CLI to configure the recovery window and encryption settings of your cluster's continuous backup system.

If you decrease the recovery window's size, then AlloyDB immediately shortens the distance into the past that you can perform a point-in-time recovery. For example, if you reduce the window's size from 14 days to 7 days, then points in time more than 7 days in the past become unavailable for recovery.

If you increase the window's size, then the span of time available for point-in-time recovery grows in real time until it reaches the new limit that you specified. For example, if you change the window's size from 7 to 14 days, it takes an additional 7 days for the recovery window's effective size to grow to its new maximum of 14 days into the past.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

To configure continuous backup and recovery on a cluster, use the gcloud alloydb clusters update command.

gcloud alloydb clusters update CLUSTER_ID \
    --continuous-backup-recovery-window-days=WINDOW_LENGTH \
    --region=REGION_ID \
    --project=PROJECT_ID

Replace the following:

  • CLUSTER_ID: The ID of the cluster.
  • WINDOW_LENGTH: The length of time, in days, of this cluster's continuous backup and recovery window. The value must be between 1 and 35, inclusive.

    The value of this argument defines both of the following aspects of continuous backup and recovery:

    • The maximum distance into the past, relative to the present, that you can perform a point-in-time recovery based on continuous backups.

    • The length of time that AlloyDB retains continuous backups and data-change logs in storage.

    This argument is optional. If you do not include it, then AlloyDB sets the recovery window to 14 days.

  • REGION_ID: The ID of the region where the cluster is placed.

  • PROJECT_ID: The ID of the project where the cluster is placed.

If you want to encrypt this cluster's continuous backups and data-change logs using a customer-managed encryption key (CMEK) instead of the default Google-managed encryption, provide these additional arguments:

  • --continuous-backup-encryption-key=KEY_ID: The ID of the CMEK key to use.

  • --continuous-backup-encryption-key-keyring=KEYRING_ID: The ID of the key's keyring.

  • --continuous-backup-encryption-key-location=LOCATION_ID: The ID of the keyring's region. Note that the region you specify must match the cluster's region.

  • --continuous-backup-encryption-key-project=PROJECT_ID: The keyring's project ID.

To use CMEK with AlloyDB, you need to complete some additional setup steps. For more information, see Using CMEK with AlloyDB.

Disable continuous backup and recovery

When you disable continuous backup, point-in-time recovery becomes unavailable for your cluster. It becomes available again if you re-enable continuous backup, as described in the next section.

gcloud

To disable continuous backup and recovery on a cluster, use the gcloud alloydb clusters update command.

gcloud alloydb clusters update CLUSTER_ID \
    --no-enable-continuous-backup \
    --region=REGION_ID \
    --project=PROJECT_ID

Replace the following:

  • CLUSTER_ID: The ID of the cluster.
  • REGION_ID: The ID of the region where the cluster is placed.
  • PROJECT_ID: The ID of the project where the cluster is placed.

Re-enable continuous backup

To re-enable your cluster's continuous backup configuration after disabling it, follow the same procedure as reconfiguring continuous backup, adding an --enable-continuous-backup argument to the gcloud CLI command.

Re-enabling continuous backup also makes point-in-time recovery available again. The recovery window begins with the first subsequent backup that AlloyDB creates. To make point-in-time recovery available as soon as possible, create an on-demand backup right after re-enabling continuous backup. Otherwise, the recovery window commences with the next daily backup that AlloyDB takes.
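The window behavior described in the reconfigure, disable, and re-enable sections above can be modeled by replaying a cluster's backup events. This is an added example, not code from the original page or from AlloyDB; the function name, the event tuple format, and the assumption that disabling discards earlier recovery points are illustrative.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW_DAYS = 14  # default recovery window stated on this page

def earliest_recoverable(events, now):
    """Return the oldest point in time still recoverable at `now`, or None.

    events: (when, kind, value) tuples (hypothetical format), kind being
      "window"  - recovery window changed to `value` days
      "disable" - continuous backup turned off
      "enable"  - continuous backup turned on
      "backup"  - a daily or on-demand backup completed
    """
    enabled, start, window = False, None, DEFAULT_WINDOW_DAYS
    for when, kind, value in sorted(events, key=lambda e: e[0]):
        if when > now:
            break
        if start is not None:
            # Retention under the window that was in force up to this event.
            start = max(start, when - timedelta(days=window))
        if kind == "window":
            if not 1 <= value <= 35:
                raise ValueError("recovery window must be between 1 and 35 days")
            window = value
            if start is not None:
                # A smaller window drops older recovery points immediately;
                # a larger one leaves `start` alone, so the span grows over time.
                start = max(start, when - timedelta(days=window))
        elif kind == "disable":
            enabled, start = False, None
        elif kind == "enable":
            enabled = True
        elif kind == "backup" and enabled and start is None:
            start = when  # the window begins with the first subsequent backup
    if not enabled or start is None:
        return None
    return max(start, now - timedelta(days=window))

# Constructed timeline: 7-day window, widened to 14 days on day 30.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
GROW = [(T0, "enable", None), (T0, "backup", None), (T0, "window", 7),
        (T0 + timedelta(days=30), "window", 14)]
```

Three days after the change in GROW, the effective window is 10 days rather than 14, which matters when deciding whether a given incident timestamp is still within reach of point-in-time recovery.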

Configure additional automated backups

This section shows how to enable or disable an automated backup schedule on your cluster that works independently from the continuous backup system. This includes configuring how often AlloyDB takes these additional automated backups, and for how long it retains them.

Automated backup configuration attributes

Each AlloyDB cluster can have one customizable automated backup configuration, which includes the following attributes:

  • A schedule for taking backups. You can set this to specific days of the week, and at specific times on those days.

  • A retention policy, expressed either as an amount of time to keep backups or as a number of backups to keep. By default, AlloyDB retains automated backups for 14 days.

    Backups older than the retention policy are subject to automated deletion. For more information, see Backup retention and deletion.

  • The amount of time that AlloyDB waits before canceling an incomplete attempt to take a new automated backup. AlloyDB uses a default timeout of one hour.

  • A data-encryption preference: either the default Google-managed encryption or a customer-managed encryption key (CMEK) that you provide.

Enable and configure automated backups

Use the gcloud CLI to enable automated backups using a custom configuration.

This involves, at minimum, specifying a backup schedule. All other configuration options are optional. AlloyDB applies the default values listed in the previous section to any configuration options that you do not explicitly set.

Each time you run this command to define a new automated backup configuration, AlloyDB completely replaces the cluster's current configuration with the new one.

gcloud

Use the gcloud alloydb clusters update command to define a schedule for creating automated backups:

gcloud alloydb clusters update CLUSTER_ID \
    --automated-backup-days-of-week=DAYS_LIST \
    --automated-backup-start-times=UTC_TIMES_LIST \
    --region=REGION_ID \
    --project=PROJECT_ID

Replace the following:

  • CLUSTER_ID: The ID of the cluster you want to define the schedule for.

  • DAYS_LIST: A comma-separated list of one or more days when you want automated backups to be taken. Valid values are MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, and SUNDAY.

  • UTC_TIMES_LIST: A comma-separated list of one or more times when you want automated-backup operations to start on the specified days. Specify times in the format HH:00 on a 24-hour cycle in UTC time.

  • REGION_ID: The ID of the region where the cluster is placed.

  • PROJECT_ID: The ID of the project where the cluster is placed.

This example sets a cluster to take an automated backup at midnight UTC on every Monday and Thursday:

gcloud alloydb clusters update my-cluster \
    --automated-backup-days-of-week=MONDAY,THURSDAY \
    --automated-backup-start-times=00:00 \
    --region=us-central1 \
    --project=my-project

To encrypt scheduled backups using a CMEK key instead of the default Google-managed encryption, provide these additional arguments:

  • --automated-backup-encryption-key=KEY_ID: The ID of the CMEK key to use.

  • --automated-backup-encryption-keyring=KEYRING_ID: The ID of the key's keyring.

  • --automated-backup-encryption-location=LOCATION_ID: The ID of that keyring's region. Note that it must match the cluster's region.

  • --automated-backup-encryption-project=PROJECT_ID: The keyring's project ID.

To use CMEK with AlloyDB, you need to complete some additional setup steps. For more information, see Using CMEK with AlloyDB.

You can also specify the automated backups retention policy, based on either a duration or a number of backups to keep. To do this, include either of the following arguments:

  • To have AlloyDB retain all automated backups for a certain amount of time, use --automated-backup-retention-period=DURATION.

    Replace DURATION with a duration string, as described by gcloud topic datetimes. You can specify a duration as long as one year.

  • To have AlloyDB instead retain a certain number of backups, use --automated-backup-retention-count=COUNT.

    Replace COUNT with the number of automated backups that AlloyDB should retain for up to one year.

Disable automated backups

gcloud

To disable automated backups, use the gcloud alloydb clusters update command.

gcloud alloydb clusters update CLUSTER_ID \
    --disable-automated-backup \
    --region=REGION_ID \
    --project=PROJECT_ID

Replace the following:

  • CLUSTER_ID: The ID of the cluster to disable automated backups on.
  • REGION_ID: The ID of the region where the cluster is placed.
  • PROJECT_ID: The ID of the project where the cluster is placed.

View backup plans

You can use the Google Cloud CLI to view details about your cluster's automated or continuous backup plans:

  1. Use the gcloud alloydb clusters describe command to display details about the cluster.

  2. The continuousBackupConfig and continuousBackupInfo keys summarize the cluster's continuous backup and recovery configuration. This includes whether continuous backup is enabled, the size of its recovery window, and its encryption settings.

    The continuousBackupInfo key also displays the continuous backup schedule: always one backup per day, every day.

  3. The automatedBackupPolicy key, if present, summarizes the cluster's automated backup configuration. This includes whether automated backup is enabled, and displays the backup schedule and encryption settings.

For example, the following output of a gcloud alloydb clusters describe command shows that the cluster has automated backup enabled, with backups taken every Monday and Thursday at around 1 AM UTC. It also has continuous backup enabled, with a 10-day recovery window.

automatedBackupPolicy:
  enabled: true
  location: us-central1
  weeklySchedule:
    daysOfWeek:
    - MONDAY
    - THURSDAY
    startTimes:
    - hours: 1
clusterType: PRIMARY
continuousBackupConfig:
  enabled: true
  recoveryWindowDays: 10
continuousBackupInfo:
  encryptionInfo:
    encryptionType: GOOGLE_DEFAULT_ENCRYPTION
  schedule:
  - MONDAY
  - TUESDAY
  - WEDNESDAY
  - THURSDAY
  - FRIDAY
  - SATURDAY
  - SUNDAY
createTime: '2023-01-23T02:42:56.953258476Z'
databaseVersion: POSTGRES_14
encryptionInfo:
  encryptionType: GOOGLE_DEFAULT_ENCRYPTION
name: [...]
reconciling: false
state: READY
uid: [...]
updateTime: '2023-02-06T19:08:57.367222025Z'
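The keys described above can be checked automatically against a backup policy. This is an added example, not code from the original page or from Google; it assumes the describe output was captured with gcloud's global --format=json flag. The function name, the min_window_days and require_cmek policy settings, and the embedded sample (constructed from the output above) are illustrative.

```python
import json

# Constructed sample: the backup-related keys of the output above, as JSON.
SAMPLE = json.loads("""
{
  "automatedBackupPolicy": {
    "enabled": true,
    "location": "us-central1",
    "weeklySchedule": {"daysOfWeek": ["MONDAY", "THURSDAY"],
                       "startTimes": [{"hours": 1}]}
  },
  "continuousBackupConfig": {"enabled": true, "recoveryWindowDays": 10},
  "continuousBackupInfo": {
    "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"}
  }
}
""")

def audit_backup_plan(cluster, min_window_days=14, require_cmek=True):
    """Return policy findings for one cluster's describe output.

    min_window_days and require_cmek are hypothetical policy settings.
    """
    findings = []
    cont = cluster.get("continuousBackupConfig", {})
    if not cont.get("enabled", False):
        findings.append("continuous backup disabled: point-in-time recovery unavailable")
    else:
        # Assumption: a missing field means the 14-day default this page describes.
        window = int(cont.get("recoveryWindowDays", 14))
        if window < min_window_days:
            findings.append(
                f"recovery window {window}d is below policy minimum {min_window_days}d")
    enc = (cluster.get("continuousBackupInfo", {})
                  .get("encryptionInfo", {})
                  .get("encryptionType"))
    if require_cmek and enc == "GOOGLE_DEFAULT_ENCRYPTION":
        findings.append("continuous backups use Google-managed encryption, not CMEK")
    auto = cluster.get("automatedBackupPolicy")  # key is present only if configured
    if not auto or not auto.get("enabled", False):
        findings.append("no enabled automated backup schedule")
    elif not auto.get("weeklySchedule", {}).get("daysOfWeek"):
        findings.append("automated backup enabled but no days scheduled")
    return findings
```

Run against the sample with the default policy, the function reports the 10-day recovery window and the Google-managed encryption; an empty list means the cluster meets the policy.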