Back up Cloud SQL instances to a backup vault

This page describes how to back up Cloud SQL instances to a backup vault. Sending backups to a backup vault provides immutability and enforced retention.

In the Google Cloud console, you can back up Cloud SQL instances to a backup vault by applying backup plans. You can back up in either of the following two ways. Both methods store your backups securely in a backup vault, which gives you a reliable way to recover your Cloud SQL instances after data loss or other unexpected events.

  • Scheduled backups. You can automatically back up Cloud SQL instances at specific intervals, such as daily, weekly, monthly, or yearly.
  • On-demand backups. You can create on-demand backups whenever needed. On-demand backups are useful for creating backups before making significant changes to your databases or for ad hoc data protection.

Before you begin

  1. Enable the Backup and DR Service API where the Cloud SQL instances are located.
  2. Create a backup vault
  3. Create a backup plan
  4. Assign IAM roles and permissions to the backup user
  5. Grant backup vault access in the Cloud SQL project
  6. Set up Log Analytics on your bucket to monitor Backup and DR backup jobs.

IAM roles and permissions for the backup user

To get the permissions that you need to configure scheduled backups or run on-demand backups, ask your administrator to grant you the following IAM roles on your backup vault project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to configure scheduled backups or run on-demand backups. The exact permissions are listed under Required permissions:

Required permissions

The following permissions are required to configure scheduled backups or run on-demand backups:

  • backupdr.backupPlans.list
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlans.useForCloudSqlInstance
  • backupdr.locations.list
  • backupdr.operations.get
  • cloudasset.assets.searchAllResources

You might also be able to get these permissions with custom roles or other predefined roles.
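If you use a custom role, you can check it against the list above before relying on it. The following script is an added example, not part of the original page; the sample role contents are constructed, and the `gcloud iam roles describe` call in the comment is one assumed way to obtain a real role's permission list.

```sh
#!/bin/sh
# Added example (not from the original page): report which of the required
# permissions a role is missing.

# Required permissions, copied from the list on this page.
REQUIRED_PERMS='backupdr.backupPlans.list
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlans.useForCloudSqlInstance
backupdr.locations.list
backupdr.operations.get
cloudasset.assets.searchAllResources'

# missing_perms GRANTED
#   GRANTED: the role's permissions, separated by ';', spaces or newlines.
# Prints every required permission that GRANTED lacks; returns 1 if any is missing.
missing_perms() {
  mp_granted=$(printf '%s\n' "$1" | tr '; ' '\n\n')
  mp_rc=0
  for mp_perm in $REQUIRED_PERMS; do
    # -F -x: fixed-string, whole-line match, so a similar but different
    # permission name never satisfies a required one.
    if ! printf '%s\n' "$mp_granted" | grep -Fxq -- "$mp_perm"; then
      printf '%s\n' "$mp_perm"
      mp_rc=1
    fi
  done
  return "$mp_rc"
}

# Constructed sample: a hypothetical custom role that can view associations and
# trigger backups, but cannot create or delete associations.
# For a real role, one way to get the list (assumed invocation):
#   gcloud iam roles describe ROLE_ID --project=PROJECT_ID \
#       --format='value(includedPermissions)'
SAMPLE_ROLE_PERMS='backupdr.backupPlans.list;backupdr.backupPlanAssociations.list;backupdr.backupPlanAssociations.fetchForCloudSqlInstance;backupdr.backupPlanAssociations.getForCloudSqlInstance;backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance;backupdr.locations.list;backupdr.operations.get'

missing_perms "$SAMPLE_ROLE_PERMS" ||
  echo "role does not cover the required permissions listed above" >&2
```
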

Grant backup vault access in the Cloud SQL project

To back up a Cloud SQL instance in a project different from the one where the backup vault is created, you must grant the Backup and DR Cloud SQL Operator (roles/backupdr.cloudSqlOperator) IAM role to the backup vault service agent within the Cloud SQL project.

To back up a Cloud SQL instance in the same project where the backup vault is created, you don't need to grant any roles.

For information about granting roles to the backup vault service agent within the project you intend to back up, see Grant a role to the service agent.

Configure a scheduled backup

Use the following instructions to configure a scheduled backup for Cloud SQL instances.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

  2. Click Schedule backup.

  3. From the Resource Type list, select Cloud SQL.

  4. From the Project list, select a project where the Cloud SQL instance is located.

  5. From the Region list, select the region where your instances are located.

  6. From the Resources list, click Browse. Choose the Cloud SQL instance that you want to back up and click Done.

  7. Click Continue.

  8. From the Backup plan list, click Select.

  9. Choose a backup plan that you want to protect the Cloud SQL instances with.

  10. Click Done.

  11. Review the backup details and click Schedule.

gcloud

  1. Configure a scheduled backup.

      gcloud backup-dr backup-plan-associations create BACKUP_PLAN_ASSOCIATION_NAME \
          --location=CSQL_REGION \
          --project=CSQL_PROJECT_ID \
          --resource=projects/CSQL_PROJECT_ID/instances/CSQL_INSTANCE_ID \
          --resource-type=sqladmin.googleapis.com/Instance \
          --backup-plan=projects/PROJECT_ID/locations/LOCATION/backupPlans/BACKUP_PLAN
    

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.
    • CSQL_REGION: the region where the Cloud SQL instances are located.
    • CSQL_PROJECT_ID: the name of the project where the Cloud SQL instances are located.
    • CSQL_INSTANCE_ID: the Cloud SQL instance ID.
    • PROJECT_ID: the name of the project where backup plans exist.
    • LOCATION: the location of the instance.
    • BACKUP_PLAN: the name of the backup plan.

List instances for which backups are scheduled

Use the following instructions to list the Cloud SQL instances for which backups are scheduled.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

  2. At the top of the table, select Filter table > Resource type. Select Cloud SQL. This limits the display to only the Cloud SQL instances that have backup plans applied and their backups stored in a backup vault within a project.

gcloud

List Cloud SQL instances for which backups are scheduled:

  gcloud alpha backup-dr backup-plan-associations fetch-for-resource-type sqladmin.googleapis.com/Instance \
  --location=LOCATION \
  --project=PROJECT_ID

Replace the following:

  • LOCATION: the location of the scheduled backups.
  • PROJECT_ID: the name of the project where the Cloud SQL instances are located.
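The list of scheduled instances is most useful when compared with the full instance inventory, because the difference is the set of instances with no vaulted backup. The following script is an added example, not part of the original page; the project and instance names are constructed, and it assumes the association listing can be projected to resource paths in the same `projects/CSQL_PROJECT_ID/instances/CSQL_INSTANCE_ID` form that `--resource` takes.

```sh
#!/bin/sh
# Added example (not from the original page): find Cloud SQL instances that
# have no backup plan association.

# unprotected_instances PROJECT INSTANCE_IDS ASSOCIATED_RESOURCES
#   INSTANCE_IDS: one Cloud SQL instance ID per line.
#   ASSOCIATED_RESOURCES: one resource path per line, assumed to be in the form
#     projects/CSQL_PROJECT_ID/instances/CSQL_INSTANCE_ID
# Prints each instance ID that has no association; returns 1 if there is any.
unprotected_instances() {
  ui_rc=0
  for ui_inst in $2; do
    # Whole-line, fixed-string match on the full path: an association for
    # "orders-db-replica", or for the same ID in another project, must not
    # make "orders-db" look protected.
    if ! printf '%s\n' "$3" | grep -Fxq -- "projects/$1/instances/$ui_inst"; then
      printf '%s\n' "$ui_inst"
      ui_rc=1
    fi
  done
  return "$ui_rc"
}

# Constructed sample data. For real input (the --format projections are
# assumptions about the output fields):
#   gcloud sql instances list --project=PROJECT_ID --format='value(name)'
#   gcloud alpha backup-dr backup-plan-associations fetch-for-resource-type \
#       sqladmin.googleapis.com/Instance --location=LOCATION \
#       --project=PROJECT_ID --format='value(resource)'
SAMPLE_INSTANCES='orders-db
orders-db-replica
billing-db'
SAMPLE_ASSOCIATED='projects/example-prod/instances/orders-db-replica
projects/example-staging/instances/billing-db'

unprotected_instances example-prod "$SAMPLE_INSTANCES" "$SAMPLE_ASSOCIATED" ||
  echo "the instances listed above have no backup plan association" >&2
```

The association listing is scoped to one location, so repeat the comparison for each region that holds instances.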

Create an on-demand backup

You can initiate an on-demand backup for a Cloud SQL instance with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups typically capture only the data changed since the last backup (incremental).

When creating an on-demand backup, you can choose a rule from the backup plan associated with the Cloud SQL instance. This rule determines when the on-demand backup gets deleted. You can check the backup job status from the Jobs page. For more information, see Monitor backup and restore jobs in Google Cloud console.

Use the following instructions to create an on-demand backup.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    The Vaulted backups page lists only the data resources that have backup plans applied and their backups stored in a backup vault within a project.

  2. Select the resource to back up. From either the menu or the details page for the resource, select Create on-demand backup.

  3. In the Create an on-demand backup window, select a backup rule to use and click Create.

  4. To view the status of the on-demand backup job, click Notifications.

gcloud

  1. Create an on-demand backup by using an existing backup plan association. Specify a rule ID to determine the expiration period for this single on-demand backup. The square brackets mark --no-async as optional; leave them out when you run the command:

    gcloud backup-dr backup-plan-associations trigger-backup BACKUP_PLAN_ASSOCIATION_NAME \
    --backup-rule-id=RULE_ID \
    --project=PROJECT_ID \
    --location=LOCATION \
    [--no-async]
    

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.

    • RULE_ID: the backup rule name that you want to use to run the on-demand backup.

    • PROJECT_ID: the name of the project.

    • LOCATION: the location of the scheduled backups.

Unprotect a Cloud SQL instance

You can unprotect a Cloud SQL instance by removing the backup plan applied to the instance. Removing a backup plan from a Cloud SQL instance doesn't delete any backups created while the backup plan was in use. You can still access and manage these existing backups until they expire.

Use the following instructions to unprotect a Cloud SQL instance.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

  2. Click the name of the database that you want to remove a backup plan from.

  3. Select Remove backup plan.

gcloud

Unprotect a Cloud SQL instance:

  gcloud backup-dr backup-plan-associations delete BACKUP_PLAN_ASSOCIATION_NAME \
  --project=PROJECT_ID \
  --location=LOCATION

Replace the following:

  • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association that you want to delete.
  • PROJECT_ID: the name of the project.
  • LOCATION: the location of the scheduled backup.