This page helps you to restore a Compute Engine instance from a backup vault in the Google Cloud console.
Before you begin
Grant the Backup and DR Compute Engine Operator (
roles/backupdr.computeEngineOperator
) IAM role for the backup vault service agent of the vault in the target project where restore is being performed.Grant the Compute Network User (
roles/compute.networkUser
) IAM role for the backup vault service agent of the vault in the VPC host project if you are using Shared VPC.Grant the following IAM roles for the user who performs the restore in the backup vault project.
- Backup and DR Restore User (
roles/backupdr.restoreUser
) for both backup vault and target project. - Compute Viewer (
roles/compute.viewer
) for only the target.
These predefined roles contain the permissions required to access the backup vault in the Compute Engine project. For specific permissions, see the following list.
backupdr.bvbackups.restore
backupdr.compute.restoreFromBackupVault
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.bvbackups.get
For more information about granting roles, see Manage access to projects, folders, and organizations.
- Backup and DR Restore User (
Restore a Compute Engine instance
Use the following instructions to restore a VM instance.
Console
In the Google Cloud console, go to the Vaulted backups page.
All Compute Engine instances with vaulted backups are listed here.
Click the action icon to select the Restore action. The Restore page displays where you select the following restore options:
- Select a Resource name.
- Select a Backup creation time.
- Select the Project name into which you want to restore the VM.
Click Proceed.
- The next page Create a new VM instance from a backup appears, where the VM properties are pre-populated based on the source VM properties. You can modify the properties to create a new VM, for example, change the selection for Region or Machine Type.
Click Create to create a new VM from the selected backup.
gcloud
If not already granted, grant the Backup and DR Compute Engine Operator (
roles/backupdr.computeEngineOperator
) IAM role to the backup vault service agent in the recovery project where the VM is being recovered.To get the backup vault service account, use the following command.
gcloud alpha backup-dr backup-vaults describe BACKUPVAULT_NAME --location=LOCATION
Replace the following:
- BACKUPVAULT_NAME: the backup vault name you want to restore data from.
- LOCATION: the location of the backup vault.
To restore a VM instance, use the following commands.
Restore a VM in the same project as the workload project with backup ID.
gcloud alpha backup-dr backups restore compute test-backup-id \ --project=PROJECT --location=LOCATION \ --backup-vault=BACKUPVAULT_NAME --data-source=DATA_SOURCE\ --name=NAME --target-zone=TARGET_ZONE \ --target-project=TARGET_PROJECT
Restore a VM in the same project as the workload project with backup full resource URL.
gcloud alpha backup-dr backups restore compute projects/test-project-id/locations/us-central1/backupVaults/test-vault/dataSources/test-ds/backups/test-backup-id \ --name=NAME --target-zone=TARGET_ZONE \ --target-project=TARGET_PROJECT
Restore a VM instance with custom service-account and network configuration.
gcloud alpha backup-dr backups restore compute test-backup-id \ --project=PROJECT --location=LOCATION \ --backup-vault=BACKUPVAULT_NAME --data-source=DATA_SOURCE\ --name=NAME --target-zone=TARGET_ZONE \ --target-project=TARGET_PROJECT \ --network-interface=network=NETWORK,subnet=SUBNET \ --service-account=SERVICE_ACCOUNT \ --scopes=SCOPE
Replace the following:
- PROJECT: the name of the backup vault project.
- LOCATION: the location of the backup vault.
- BACKUPVAULT_NAME: the backup vault name you want to restore data from.
- DATA_SOURCE: the data source name you want to restore data from.
- NAME: the name of the restored VM.
- TARGET_ZONE: the region the VM is restored in.
- TARGET_PROJECT: the project the VM is restored in.
- NETWORK: the network URI of the VM.
- SUBNET: the subnet URI of the VM.
- SERVICE_ACCOUNT: the service account of the restored VM.
- SCOPE: the authorization scope of the service account.
To override other VM properties, see Overview of Backup and DR Service Google Cloud CLI commands.
The Backup and DR Compute Engine guide
- Create and manage a backup plan for vaulted backups
- Check for the cloud credentials
- Discover and protect Compute Engine instances
- Mount backup images of Compute Engine Persistent Disk
- Restore a Compute Engine instance
- Import Persistent Disk snapshot images