This page describes how to restore an AlloyDB for PostgreSQL cluster from a stored backup. Use this method to restore a cluster to a state older than its recovery window, or to restore a cluster that is no longer online.
Before you begin
- The Google Cloud project you are using must have been enabled to access AlloyDB.
- You must have one of these IAM roles in the Google Cloud project you are using:
roles/alloydb.admin
(the AlloyDB Admin predefined IAM role)roles/owner
(the Owner basic IAM role)roles/editor
(the Editor basic IAM role)
If you don't have any of these roles, contact your Organization Administrator to request access.
- You must have all of these IAM roles in the Google Cloud project you are using:
compute.networks.list
compute.addresses.create
compute.addresses.list
compute.globalAddresses.create
compute.globalAddresses.list
servicenetworking.services.addPeering
To gain these permissions while following the principle of least privilege, ask your administrator to grant you the
roles/alloydb.admin
( AlloyDB Admin predefined IAM) role.
Restore from a backup
When you restore from a backup, you configure a new cluster in the same region as that of the backup. The backup used to restore can be in a different project than the source cluster. AlloyDB creates the cluster and restores the backup's data to that cluster's data storage. Then, you create an instance in that cluster to access the data.
- Restore the backup to a new AlloyDB cluster.
- In the Google Cloud console, go to the Backups page.
- In the list of backups, locate the backup you want to restore and click Restore in its row.
- In the Cluster ID field, enter an ID for the cluster that will be created to host the restored data.
- In the Network list, select the network you want the newly created cluster to be accessible from.
If you want to encrypt the new cluster's data with a customer-managed encryption key (CMEK) instead of Google-managed encryption, follow these additional steps:
- Click Advanced encryption options.
- Select Cloud KMS key.
- In Key type, select Cloud KMS.
Select a customer-managed key from the menu that appears.
The Google Cloud console limits this list to keys within the same Google Cloud project and region as the new cluster. To use a key that is not on this list, click Don't see your key? Enter key resource name, and then type the key's resource name into the resulting dialog.
Note that using CMEK with AlloyDB requires some additional setup. For more information, see Using CMEK with AlloyDB.
- Click Restore.
CLUSTER_ID
: The ID of the cluster to create.BACKUP_ID
: The ID of the backup to restore into the new cluster.
To restore from a backup in a different project, replace with the full backup path in the following format:
projects/SOURCE_PROJECT/locations/SOURCE_REGION/backups/SOURCE_BACKUP
NETWORK
: The name of the VPC network you want the newly created cluster to be accessible from.REGION_ID
: The ID of the region where the source backup is stored and where the new cluster is created.PROJECT_ID
: The ID of the project where the new cluster is.--kms-key=KEY_ID
: The ID of the CMEK key to use.--kms-keyring=KEYRING_ID
: The ID of the key's keyring.--kms-location=LOCATION_ID
: The ID of that keyring's region. Note that it must match the cluster's region.--kms-project=PROJECT_ID
: The keyring's project ID.-
After AlloyDB finishes creating the cluster, create a primary instance for it.
When creating the new primary instance, you need to specify its configuration, including its size and flags; AlloyDB does not store instance configuration as part of the backup. Note that the configuration need not exactly match that of the original primary instance.
When AlloyDB finishes creating the instance, you can use it to access your restored data.
- Finish configuring the new cluster by setting up read-pool instances, if necessary.
Console
gcloud
To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.
Use the
gcloud alloydb clusters restore
command to create a cluster and
restore the backup's data to it.
gcloud alloydb clusters restore CLUSTER_ID \ --backup=BACKUP_ID \ --network=NETWORK \ --region=REGION_ID \ --project=PROJECT_ID
If you want to encrypt the new cluster's data using a customer-managed encryption key (CMEK) instead of the default Google-managed encryption, then you must provide these additional arguments:
To restore a cluster with Private Service Connect enabled, make sure that you add the --enable-private-service-connect
flag.
What's next
- Restore an existing cluster to a recent past state.
- Create a read pool instance.
- Create a secondary cluster and instance.