Restore a cluster

This page describes how to restore an AlloyDB for PostgreSQL cluster in one of two ways:

Restore an existing cluster to a recent past state. This is our recommended method for rapid recovery from large-scale data loss.
Restore a cluster from a stored backup. Use this method to restore a cluster to a state older than its recovery window, or to restore a cluster that is no longer online.

Before you begin

The Google Cloud project you are using must have been enabled to access AlloyDB.
You must have one of these IAM roles in the Google Cloud project you are using:
- roles/alloydb.admin (the AlloyDB Admin predefined IAM role)
- roles/owner (the Owner basic IAM role)
- roles/editor (the Editor basic IAM role)
If you don't have any of these roles, contact your Organization Administrator to request access.

You must have all of these IAM roles in the Google Cloud project you are using:
- compute.networks.list
- compute.addresses.create
- compute.addresses.list
- compute.globalAddresses.create
- compute.globalAddresses.list
- servicenetworking.services.addPeering
To gain these permissions while following the principle of least privilege, ask your administrator to grant you the roles/alloydb.admin ( AlloyDB Admin predefined IAM) role.

Restore from a recent point in time

AlloyDB lets you fully restore an active cluster's data from any point in time within a specific, recent range.

Available points in time to restore from

You can restore from any point in time after the more recent of the following two moments:

The moment represented by the limit of your recovery window. For example, if you have a 14-day recovery window, then this moment is 14 days in the past.
The creation time of the oldest backup taken since you last enabled continuous backup. If you created the cluster with continuous backup enabled, and you have not disabled continuous backup since then, then this moment effectively becomes the creation time of your cluster's oldest backup.

If you disable and subsequently re-enable continuous backup, then you cannot perform a point-in-time recovery until either you or AlloyDB creates the cluster's first new backup. This can be an on-demand backup, or the first of the daily backups that AlloyDB takes after you enable continuous backup.

Perform a point-in-time restore

After you restore data from a point in time into a new cluster, you create instances within that new cluster to start accessing that data:

Use either the Google Cloud console or the Google Cloud CLI to perform the restore.
Console
1. Go to the Clusters page.
  
  Go to Clusters
2. Click a cluster in the Resource Name column.
3. Click Data protection.
4. Under Restore from a point in time, click Restore.
5. In the Target time field, enter the date and time to restore from.
6. In the Cluster ID field, enter a name for the new cluster.
7. In the Network field, select a Virtual Private Cloud network for the new cluster to use.
8. If you want to encrypt this cluster's continuous backups and data-change logs using a customer-managed encryption key (CMEK) instead of the default Google-managed encryption, follow these additional steps:
  1. Click Advanced encryption options.
  2. Click the Customer-managed encryption key (CMEK) radio button.
  3. Click the Select a customer-managed key list, and select a key.
9. Click Restore.
gcloud
Use the gcloud alloydb clusters restore command, specifying a cluster and a timestamp. Note that, unlike restoring from a backup, a point-in-time recovery requires the original cluster to still exist. You cannot perform this kind of restore on a deleted cluster.
```
gcloud alloydb clusters restore NEW_CLUSTER \
  --source-cluster=SOURCE_CLUSTER \
  --point-in-time=TIMESTAMP \
  --region=REGION
```
Replace the following:
- NEW_CLUSTER: The ID to use with the new cluster.
- SOURCE_CLUSTER: The ID of the cluster to recover data from.
  To restore from a cluster in a different project, replace with the full cluster path in the following format:
  projects/SOURCE_PROJECT/locations/SOURCE_REGION/clusters/SOURCE_CLUSTER
- TIMESTAMP: A description of the point in time to recover data from, expressed in RFC 3339 format—for example, 2012-11-15T16:19:00.094Z. You can specify a fractional second as small as a microsecond.
  
  Note that this timestamp must exist within the retention period you specified when you created the cluster.
- REGION: The region that contains the source cluster, and where AlloyDB creates the new cluster. For example: us-central1.
- PROJECT_ID: The ID of the project that contains the source cluster.
If you want to encrypt the new cluster's data with a customer-managed encryption key (CMEK) instead of Google-managed encryption, then you must provide these additional arguments:
- --kms-key=KEY_ID: The ID of the CMEK key to use. * --kms-keyring=KEYRING_ID: The ID of the key's keyring. * --kms-location=LOCATION_ID: The ID of that keyring's region. Note that it must match the cluster's region.
- --kms-project=PROJECT_ID: The ID of the keyring's project.
To restore a cluster with Private Service Connect enabled, make sure that you add the --enable-private-service-connect flag.
After AlloyDB finishes creating the cluster, create a primary instance for it. That instance lets you access the restored data. Note that the new instance's configuration need not exactly match that of the original primary instance.
Optional: Create read-pool instances.

Resume using the cluster.

Restore from a backup

When you restore from a backup, you configure a new cluster in the same region as that of the backup. The backup used to restore can be in a different project than the source cluster. AlloyDB creates the cluster and restores the backup's data to that cluster's data storage. Then, you create an instance in that cluster to access the data.

Restore the backup to a new AlloyDB cluster.

Console

In the Google Cloud console, go to the Backups page.
Go to Backups
In the list of backups, locate the backup you want to restore and click Restore in its row.
In the Cluster ID field, enter an ID for the cluster that will be created to host the restored data.
In the Network list, select the network you want the newly created cluster to be accessible from.
If you want to encrypt the new cluster's data with a customer-managed encryption key (CMEK) instead of Google-managed encryption, follow these additional steps:
1. Click Advanced encryption options.
2. Select Customer-managed encryption key (CMEK).
3. Select a customer-managed key from the menu that appears.
  
  The Google Cloud console limits this list to keys within the same Google Cloud project and region as the new cluster. To use a key that is not on this list, click Don't see your key? Enter key resource name, and then type the key's resource name into the resulting dialog.
  
  Note that using CMEK with AlloyDB requires some additional setup. For more information, see Using CMEK with AlloyDB.
Click Restore.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb clusters restore command to create a cluster and restore the backup's data to it.

gcloud alloydb clusters restore CLUSTER_ID \
    --backup=BACKUP_ID \
    --network=NETWORK \
    --region=REGION_ID \
    --project=PROJECT_ID

CLUSTER_ID: The ID of the cluster to create.
BACKUP_ID: The ID of the backup to restore into the new cluster.
To restore from a backup in a different project, replace with the full backup path in the following format:
projects/SOURCE_PROJECT/locations/SOURCE_REGION/backups/SOURCE_BACKUP
NETWORK: The name of the VPC network you want the newly created cluster to be accessible from.
REGION_ID: The ID of the region where the source backup is stored and where the new cluster is created.
PROJECT_ID: The ID of the project where the new cluster is.

If you want to encrypt the new cluster's data using a customer-managed encryption key (CMEK) instead of the default Google-managed encryption, then you must provide these additional arguments:

--kms-key=KEY_ID: The ID of the CMEK key to use.
--kms-keyring=KEYRING_ID: The ID of the key's keyring.
--kms-location=LOCATION_ID: The ID of that keyring's region. Note that it must match the cluster's region.
--kms-project=PROJECT_ID: The keyring's project ID.

To restore a cluster with Private Service Connect enabled, make sure that you add the --enable-private-service-connect flag.

After AlloyDB finishes creating the cluster, create a primary instance for it.

When creating the new primary instance, you need to specify its configuration, including its size and flags; AlloyDB does not store instance configuration as part of the backup. Note that the configuration need not exactly match that of the original primary instance.

When AlloyDB finishes creating the instance, you can use it to access your restored data.
Finish configuring the new cluster by setting up read-pool instances, if necessary.