Back up AlloyDB clusters to a backup vault

This page describes how to back up AlloyDB to a backup vault. Sending backups to a backup vault provides immutability and enforced retention.

In the Google Cloud console, you can back up AlloyDB for PostgreSQL clusters to a backup vault by applying backup plans. You can back up in either of the following two ways. Both methods store your backups securely in a backup vault, so that you can recover your AlloyDB clusters in case of data loss or other unexpected events.

  • Scheduled backups. You can automatically back up AlloyDB for PostgreSQL clusters at specific intervals, such as daily, weekly, monthly, or yearly.
  • On-demand backups. You can create on-demand backups whenever needed. On-demand backups are useful for creating backups before making significant changes to your databases or for ad hoc data protection.

Before you begin

  1. Enable the Backup and DR Service API where the AlloyDB for PostgreSQL clusters are located.


  2. Create a backup vault

  3. Create a backup plan

  4. Assign IAM roles and permissions to the backup user

  5. Grant backup vault access in the AlloyDB project

  6. Set up Log Analytics on your bucket to monitor Backup and DR backup jobs.

IAM roles and permissions for the backup user

To get the permissions that you need to configure scheduled backups or run on-demand backups, ask your administrator to grant you the following IAM roles on your backup vault project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to configure scheduled backups or run on-demand backups. The exact permissions that are required are listed in the Required permissions section:

Required permissions

The following permissions are required to configure scheduled backups or run on-demand backups:

  • backupdr.backupPlans.list
  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlans.useForAlloydbCluster
  • backupdr.locations.list
  • backupdr.operations.get
  • cloudasset.assets.searchAllResources

You might also be able to get these permissions with custom roles or other predefined roles.
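If you build a custom role instead, confirm that it carries every permission in the list above and nothing more. The following script is an added example, not part of the original page: it audits the YAML printed by gcloud iam roles describe against that list, and the role name and role contents in it are constructed sample data.

```sh
#!/bin/sh
# Added example, not from the original page. The role YAML below is constructed.

# Permissions the page lists for configuring scheduled or on-demand backups.
REQUIRED_PERMISSIONS='backupdr.backupPlans.list
backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlans.useForAlloydbCluster
backupdr.locations.list
backupdr.operations.get
cloudasset.assets.searchAllResources'

# Constructed sample in the YAML shape printed by `gcloud iam roles describe`.
SAMPLE_ROLE_YAML='includedPermissions:
- backupdr.backupPlans.list
- backupdr.backupPlanAssociations.createForAlloydbCluster
- backupdr.backupPlanAssociations.fetchForAlloydbCluster
- backupdr.backupPlanAssociations.list
- backupdr.backupPlanAssociations.getForAlloydbCluster
- backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
- backupdr.backupPlans.useForAlloydbCluster
- backupdr.bvbackups.delete
- backupdr.locations.list
- cloudasset.assets.searchAllResources
name: projects/example-project/roles/alloydbBackupUser
title: AlloyDB backup user (constructed)'

# Pull the "- permission" list items out of role YAML read from stdin.
role_permissions() {
  sed -n 's/^[[:space:]]*-[[:space:]]*\([A-Za-z0-9_.]*\)[[:space:]]*$/\1/p' | sort -u
}

# Print each non-empty line of list $1 that is not an exact line of list $2.
not_in() {
  printf '%s\n' "$1" | while IFS= read -r p; do
    [ -z "$p" ] || printf '%s\n' "$2" | grep -Fxq -- "$p" || printf '%s\n' "$p"
  done
}

# stdin = role YAML. Required permissions that the role lacks.
missing_permissions() { not_in "$REQUIRED_PERMISSIONS" "$(role_permissions)"; }
# stdin = role YAML. Permissions beyond the required list, to review.
extra_permissions() { not_in "$(role_permissions)" "$REQUIRED_PERMISSIONS"; }

echo "missing:"; printf '%s\n' "$SAMPLE_ROLE_YAML" | missing_permissions
echo "extra:";   printf '%s\n' "$SAMPLE_ROLE_YAML" | extra_permissions
```

Against a real role, pipe the output of gcloud iam roles describe ROLE_ID --project=PROJECT_ID into either function.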

The following table lists the dynamic permissions required for each API call:

| Resource | Action to be performed on the resource | Permission required for each API call | Project where it needs to be assigned |
| --- | --- | --- | --- |
| Backup vault | Create BackupVault | backupdr.backupVaults.create | Admin project |
| Backup vault | Delete BackupVault | backupdr.backupVaults.delete | Admin project |
| Backup vault | Update BackupVault | backupdr.backupVaults.update | Admin project |
| Backup vault | List BackupVaults | backupdr.backupVaults.list | Admin project |
| Backup vault | Get BackupVault | backupdr.backupVaults.get | Admin project |
| Backup plan | Create BackupPlan | backupdr.backupPlans.create | Admin project |
| Backup plan | Delete BackupPlan | backupdr.backupPlans.delete | Admin project |
| Backup plan | Get BackupPlan | backupdr.backupPlans.get | Admin project |
| Backup plan | List Backup Plans | backupdr.backupPlans.list | Admin project |
| Backup Plan Associations | Create Backup Plan Association | backupdr.backupPlanAssociations.createForAlloydbCluster | Workload project |
| Backup Plan Associations | Delete Backup Plan Association | backupdr.backupPlanAssociations.deleteForAlloydbCluster | Workload project |
| Backup Plan Associations | Trigger an on-demand backup on Backup Plan Association | backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster | Workload project |
| Backup Plan Associations | Get Backup Plan Association | backupdr.backupPlanAssociations.getForAlloydbCluster | Workload project |
| Backup Plan Associations | List Backup Plan Associations | backupdr.backupPlanAssociations.list | Workload project |
| Backup Plan Associations | Fetch Backup Plan Associations | backupdr.backupPlanAssociations.fetchForAlloydbCluster | Workload project |
| Data Source | Get DataSource | backupdr.bvdataSources.get | Admin project |
| Data Source | List DataSources | backupdr.bvdataSources.list | Admin project |
| Data Source | PiTR Restore | backupdr.bvdataSources.useReadOnlyForAlloydbCluster | Admin project |
| Backups | Get Backup | backupdr.bvbackups.get | Admin project |
| Backups | List Backups | backupdr.bvbackups.list | Admin project |
| Backups | Delete Backup | backupdr.bvbackups.delete | Admin project |
| Backups | Restore Backup | backupdr.bvbackups.useReadOnlyForAlloydbCluster | Admin project |
| Data Source References | Get DataSource Reference | backupdr.dataSourceReferences.getForAlloydbCluster | Workload project |
| Data Source References | Fetch DataSource References | backupdr.dataSourceReferences.fetchForAlloydbCluster | Workload project |
| Operations | List Operations | backupdr.operations.list | Respective project |
| Operations | Get Operations | backupdr.operations.get | Respective project |

Grant backup vault access in the AlloyDB for PostgreSQL project

To back up an AlloyDB cluster in a project different from the project where the backup vault is created, you must grant the Backup and DR AlloyDB Operator (roles/backupdr.alloydbOperator) IAM role to the backup vault service agent within the AlloyDB project.

To back up an AlloyDB cluster in the same project where the backup vault is created, you don't need to grant any roles.

For information about granting roles to the backup vault service agent within the project you intend to back up, see Grant a role to the service agent.
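The rule above (no grant in the same project, an operator grant to the vault service agent in a different project) can be checked before you schedule backups. The following script is an added example, not part of the original page: it reads the flattened IAM policy of the AlloyDB project and reports whether the grant is in place. The project IDs, service agent e-mail addresses and policy lines are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original page. Project IDs, service agent
# e-mail addresses and the policy lines below are constructed placeholders.

OPERATOR_ROLE='roles/backupdr.alloydbOperator'   # role named on the page

# Constructed "role member" lines, the shape produced by:
#   gcloud projects get-iam-policy ALLOYDB_PROJECT_ID \
#     --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
SAMPLE_POLICY='roles/alloydb.admin user:dba@example.com
roles/backupdr.alloydbOperator serviceAccount:other-agent@example.iam.gserviceaccount.com
roles/viewer serviceAccount:vault-agent@example.iam.gserviceaccount.com'

# $1 = vault project, $2 = AlloyDB project, $3 = vault service agent e-mail,
# stdin = flattened policy of the AlloyDB project.
# Prints not-needed, granted or missing; returns 1 only for missing.
grant_status() {
  if [ "$1" = "$2" ]; then
    echo "not-needed"   # same project: the page says no grant is required
    return 0
  fi
  # Both the role and the member must match exactly on the same line.
  if awk -v role="$OPERATOR_ROLE" -v member="serviceAccount:$3" \
       '$1 == role && $2 == member { found = 1 } END { exit !found }'; then
    echo "granted"
  else
    echo "missing"
    return 1
  fi
}

# The binding to add when grant_status reports "missing".
# $1 = AlloyDB project, $2 = vault service agent e-mail.
grant_command() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
    "$1" "$2" "$OPERATOR_ROLE"
}

AGENT='vault-agent@example.iam.gserviceaccount.com'
printf '%s\n' "$SAMPLE_POLICY" | grant_status vault-proj alloydb-proj "$AGENT" \
  || grant_command alloydb-proj "$AGENT"
```

In the sample, the vault agent holds only roles/viewer while a different service account holds the operator role, so the check reports missing and prints the binding to add.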

Configure a scheduled backup

To configure a scheduled backup for AlloyDB clusters, use the following instructions.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.


  2. Click Schedule backup.

  3. From the Resource Type list, select AlloyDB.

  4. From the Project list, select a project where the AlloyDB cluster is located.

  5. From the Region list, select the region where your clusters are located.

  6. From the Resources list, click Browse. Choose the AlloyDB cluster that you want to back up and click Done.

  7. Click Continue.

  8. From the Backup plan list, click Select.

  9. Choose a backup plan that you want to protect the AlloyDB clusters with.

  10. Click Done.

  11. Review the backup details and click Schedule.

gcloud

  1. Configure a scheduled backup.

      gcloud backup-dr backup-plan-associations create BACKUP_PLAN_ASSOCIATION_NAME \
          --location=ALLOYDB_REGION \
          --project=ALLOYDB_PROJECT_ID \
          --resource=projects/ALLOYDB_PROJECT_ID/clusters/ALLOYDB_CLUSTER_ID \
          --resource-type=alloydb.googleapis.com/Cluster \
          --backup-plan=projects/PROJECT_ID/locations/LOCATION/backupPlans/BACKUP_PLAN
    

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.
    • ALLOYDB_REGION: the region where the AlloyDB clusters are located.
    • ALLOYDB_PROJECT_ID: the name of the project where the AlloyDB clusters are located.
    • ALLOYDB_CLUSTER_ID: the AlloyDB cluster ID.
    • PROJECT_ID: the name of the project where backup plans exist.
    • LOCATION: the location of the cluster.
    • BACKUP_PLAN: the name of the backup plan to apply to the cluster.

List clusters for which backups are scheduled

To list the AlloyDB clusters for which backups are scheduled, use the following instructions.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.


  2. At the top of the table, select Filter table > Resource type. Select AlloyDB. This filters the display to show only the AlloyDB clusters that have backup plans applied and backups stored in a backup vault within a project.

gcloud

List AlloyDB clusters for which backups are scheduled:

  gcloud backup-dr backup-plan-associations fetch-for-resource-type alloydb.googleapis.com/Cluster \
  --location=LOCATION \
  --project=PROJECT_ID

Replace the following:

  • LOCATION: the location of the scheduled backups.
  • PROJECT_ID: the name of the project where the AlloyDB clusters are located.

Create an on-demand backup

You can initiate an on-demand backup for an AlloyDB cluster with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups typically capture only the data changed since the last backup (incremental).

When creating an on-demand backup, you can choose a rule from the backup plan associated with the AlloyDB cluster. This rule determines when the on-demand backup gets deleted. You can check the backup job status from the Jobs page. For more information, see Monitor backup and restore jobs in Google Cloud console.

Use the following instructions to create an on-demand backup.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.


    The Vaulted backups page lists only the data resources that have backup plans applied and their backups stored in a backup vault within a project.

  2. Select the resource to back up. From either the menu or the details page for the resource, select Create on-demand backup.

  3. In the Create an on-demand backup window, select a backup rule to use and click Create.

  4. To view the status of the on-demand backup job, click Notifications.

gcloud

  1. Create an on-demand backup. Initiate an on-demand backup using an existing backup plan association. Specify a rule ID to determine the expiration period for this single, on-demand backup:

    gcloud backup-dr backup-plan-associations trigger-backup BACKUP_PLAN_ASSOCIATION_NAME \
    --backup-rule-id=RULE_ID \
    --project=PROJECT_ID \
    --location=LOCATION \
    [--no-async]
    

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.

    • RULE_ID: the name of the backup rule that you want to use to run the on-demand backup.

    • PROJECT_ID: the name of the project.

    • LOCATION: the location of the scheduled backups.

Unprotect an AlloyDB cluster

You can unprotect an AlloyDB cluster by removing the backup plan applied to the cluster. Removing a backup plan from an AlloyDB cluster doesn't delete any backups created while the backup plan was in use. You can still access and manage these existing backups until they expire.

To unprotect an AlloyDB cluster, use these instructions.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.


  2. Click the name of the database that you want to remove a backup plan from.

  3. Select Remove backup plan.

gcloud

Unprotect an AlloyDB cluster.

  gcloud backup-dr backup-plan-associations delete BACKUP_PLAN_ASSOCIATION_NAME \
  --project=PROJECT_ID \
  --location=LOCATION

Replace the following:

  • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association that you want to delete.
  • PROJECT_ID: the name of the project.
  • LOCATION: the location of the scheduled backup.