Protect new Compute Engine instances using the default backup plan

Backup and DR Service employs backup plans to control when and how your data resources are backed up, and how long and how securely to retain the backups. You can create different backup plans for different needs, and Backup and DR Service provides a default backup plan to protect Compute Engine instances.

What's a backup plan?

This page describes the default backup plan for vaulted resources, its benefits, how it works, and its limitations.

The default backup plan

A default backup plan, similar to backup plans created in the Google Cloud console, offers a streamlined approach to protect your Compute Engine VMs. You can automatically apply the default backup plan to a new Compute Engine VM when you enable the Backup and DR Service in your project and have the required permissions to create the VM. The default backup plan eliminates the need to manually create a backup plan through the Backup and DR Service, ensuring a baseline level of protection for your VMs.

Default backup plan settings

The default backup plan creates a daily backup. It stores the backup for 14 days in the default backup vault, of which the first day is immutable. For the remainder of the 14 days, the backup can be deleted by an authorized user. After 14 days the backup is automatically deleted.

Setting Value
Backup schedule Daily between 00:00 and 06:00 in the local timezone for the region.
Storage The default backup vault
Retention 14 days
Enforced retention One day

You can modify the backup schedule and storage duration in the backup plan.

You can modify the enforced retention period by editing the backup vault.

If the default backup plan doesn't meet your organization's requirements, you can select a different plan altogether during VM creation or choose to opt-out using the No backups option.

Benefits

The default backup plan provides the following benefits:

  • Enhance data protection: The default backup plan improves the baseline level of protection for all new VMs created through the Google Cloud console. This minimizes the risk of data loss from accidental deletions, cyber-attacks, or other unforeseen events.
  • Simplify data protection management: The automatic application of a default backup plan removes the need for manual configuration, making it easier to protect your VMs from day one.
  • Promote best practices: The default backup plan promotes robust data protection across your Google Cloud environment.

How the default backup plan works for Compute Engine instances

When creating a new Compute Engine instance, you can specify if you want a Compute Engine instance to use a default backup plan or create a new backup plan with manual configuration. If you leave the default backup plan option, a default backup vault is automatically created within the same project with the minimum enforced retention period for one day. The default backup vault doesn't lock the retention period, However, you can modify the minimum retention period and enable retention lock. For instructions, see Update the minimum enforced retention period on an existing backup vault. Note that the default backup plan cannot be modified after creation. You can apply only one default backup plan per supported region for a Compute Engine instance.

The default backup plan automatically creates daily backups between 00:00 and 06:00 in the local time region of the workload. These backups are retained for 14 days in the default backup vault. The default backup plan has a backup deletion policy for one day.

The default backup plan is named default-compute-instance-plan-<region>. There is one default backup plan for each supported region. This plan provides the same protection for all associated Compute Engine instances in the regions.

The default backup plan is available only for new Compute Engine VMs created through the Google Cloud console. It doesn't impact existing VMs or their data protection configurations. If you are protecting multi-regional persistent disk snapshots, you can continue to protect your VMs through the existing management console to ensure that you have multi-region persistent disk snapshot support.

Limitations

  • A default backup plan cannot be used if the VM is created in a region that is not supported by Backup and DR Service.
  • You can use the default backup plan only in the same region where the Compute Engine instance resides.
  • You can apply only one default backup plan per region.

FAQ: Default backup plan feature for new Compute Engine VMs

Backup and DR Service introduces a default backup plan for new Compute Engine VMs created through the Google Cloud console. Here's what you need to know:

Q: What is changing?

A: New Compute Engine VMs created through the Google Cloud console can have a default backup plan automatically applied if the project has Backup and DR Service enabled and the user creating the VM has the necessary permissions.

Q: Why is Google Cloud making this change?

A: We recognize the critical importance of protecting your valuable data and workloads in Compute Engine. This change aims to:

  • Enhance data protection: The default backup plan improves the baseline level of protection for all new VMs created through the Google Cloud console. This minimizes the risk of data loss due to accidental deletions, cyber-attacks, or other unforeseen events.
  • Simplify data protection management: The automatic application of a default backup plan removes the need for manual configuration, making it easier to protect your VMs from day one.
  • Promote best practices: This change encourages the adoption of robust data protection measures across your Google Cloud environment.

With this enhancement, your workloads will have an improved foundational level of protection in place, allowing you to focus on other critical aspects of your business.

Q: Are my existing VMs affected?

A: No, this change won't impact your existing VMs or their current data protection configurations. Only new VMs created through the Google Cloud console are affected.

Q: What if I create VMs using automation or Terraform?

A: VMs created using Google Cloud CLI, Terraform, or other APIs won't be impacted by this change.

Q: Can I opt out of the default backup plan?

A: Yes, you can opt out or choose another backup plan during the VM creation process in the Google Cloud console. You'll find these options under the new Data protection tab.

Q: I'm protecting VMs with Backup and DR tag-based protection. Will that protection change?

A: No, your existing Backup and DR protection, including tag-based protection, will remain unchanged. This update only affects new VMs created through the Cloud Console after this feature is released. Tag-based protection can identify if a VM has a default plan and won't double protect your instance if a tag is applied. You will need to mark the VM as No Backups and continue to tag the VM if you want to use tag-based protection.

Q: What would happen if the VM created is in a different region where the backup plan is not supported?

A: A user cannot use default backup plans if the VM is created in a region that is not supported by Backup and DR.

Q: Do I need to do anything to ensure my existing Backup and DR protection stays as is?

A: No action is required from your side. Your existing VMs and their associated backup configurations won't be automatically modified.

Q: Should I transition to this new scheme of protection using the default plan?

A: It depends on your specific needs and current setup. Consider these factors:

  • Ease of use: The default plan offers a basic solution for basic VM protection providing a daily backup retained for 14 days.
  • Customization: If the default plan does not meet your organizational requirements, you can choose a different plan altogether during VM creation or choose to opt-out using the No backups option.

Q: If I'm protecting multi-regional persistent disk snapshots, then I probably don't want my new VMs to go to a regional backup vault. How do I ensure that?

A: You can continue to protect your VMs through the management console.

Q: I'm a Backup and DR customer but I'm not protecting VMs (for example, only databases). Does this mean that my new VMs will start to be protected with a backup vault?

A: Yes, if you create new VMs through the Google Cloud console and have Backup and DR Service enabled with the necessary permissions, they will be protected with the default backup plan and associated default vault. If you want to use a different backup plan, you can select it when you create the VM. If you don't want to protect your VM through this new experience, then select the No backups option.

Q: How does this new default backup plan compare with my current persistent disk protection (assuming I use snapshots)?

A: Both offer data protection, but with key differences:

  • Snapshots: Individual disk backups that are prone to cyberattacks and malicious deletions if a bad actor has access to projects in which snapshots reside.
  • Backup and DR: Offers the capability to store backups into a backup vault that provides safeguarding against ransomware attacks and malicious deletions. You define the duration of both the backup storage and its enforced retention.

Q: Should I use the backup plan default protection or not?

A: Ultimately, the decision depends on your specific organization's requirements and preferences. The default backup plan gives you peace of mind to know that all VMs have a baseline level of protection. You can remove the protection and switch to using persistent disk snapshots, or choose a different backup plan within Backup and DR to take backups. If you have complex backup needs, we recommend configuring your own backup plan policies for specific workloads.

Q: Can I disable this feature through Org Policy?

A: No, you cannot use Org Policy to disable this feature. if you don't intend to protect your VM then select the No backups option. In addition, you can customize your default configuration in the Compute Engine settings page.

Q: What permissions will I need to use the default backup plans?

A: You need the backupdr.serviceConfig.initialize permission in order to use backup plans if you are using a custom role within your IAM settings. If you are using one of the Backup and DR predefined roles such as Backup and DR Admin or Backup and DR User V2, the permissions will automatically be available to use. If you are using a computeAdmin or computeInstanceAdmin role, the permissions have also been automatically added to these roles. The final list of permissions we will be adding to the roles/compute.admin, roles/compute.instanceAdmin and roles/compute.instanceAdmin.v1 roles are:

  • backupdr.backupPlans.useForComputeInstance
  • backupdr.serviceConfig.initialize
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.locations.list

Q: Who can I contact if I have further questions?

A: If you have any further questions, contact us at gcbdr-default-backup-plans@google.com.