Before you begin
It's a good idea to read Plan a Backup and DR deployment before you begin this section.
This page details the Google Cloud requirements that must be met before you enable the Google Cloud Backup and DR Service, which you do in the Google Cloud console.
All of the tasks outlined in this page must be performed in the Google Cloud project where you are deploying your backup/recovery appliance. If this project is a Shared VPC service project, then some tasks are performed in the VPC project and some in the workload project.
Allow trusted image projects
If you have enabled the constraints/compute.trustedImageProjects policy in the Organization policies, then the Google-managed source project for the images used to deploy the backup/recovery appliance is not allowed. You need to customize this organization policy in the projects where backup/recovery appliances are deployed to avoid getting a policy violation error during the deployment, as detailed in the following instructions:
1. Go to the Organization policies page and select the project where you deploy your appliances.
2. In the policies list, click Define trusted image projects.
3. Click Edit to customize your existing trusted image constraints.
4. On the Edit page, select Customize.
5. Select from the following three possibilities:
   - Existing inherited policy. If there is an existing inherited policy, complete the following:
     1. For Policy enforcement, select Merge with parent.
     2. Click Add rule.
     3. Select Custom from the Policy values drop-down list to set the constraint on specific image projects.
     4. Select Allow from the Policy type drop-down list to remove restrictions for the specified image projects.
     5. In the Custom values field, enter the custom value as projects/backupdr-images.
     6. Click Done.
   - Existing Allow rule. If there is an existing Allow rule, then complete the following steps:
     1. Leave Policy enforcement at the default selection.
     2. Select the existing Allow rule.
     3. Click Add value to add additional image projects and enter the value as projects/backupdr-images.
     4. Click Done.
   - No existing policy or rule. If there is no existing rule, select Add rule and then complete the following steps:
     1. Leave Policy enforcement at the default selection.
     2. Select Custom from the Policy values drop-down list to set the constraint on specific image projects.
     3. Select Allow from the Policy type drop-down list to remove restrictions for the specified image projects.
     4. In the Custom values field, enter the custom value as projects/backupdr-images. If you are setting project-level constraints, then they might conflict with the existing constraints set on your organization or folder.
     5. Click Add value to add additional image projects and click Done.
     6. Click Save.
6. Click Save to apply the constraint.
For more information about creating organization policies, see Create and manage organization policies.
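The same customization can be applied with the gcloud CLI instead of the console. The script below is an added example, not part of this page or of the Backup and DR product; it assumes gcloud is installed and authenticated, `PROJECT_ID` is a placeholder, and the file path `/tmp/trusted-images.yaml` is the author's choice. The policy document mirrors the "Merge with parent" plus Allow rule choice above: `inheritFromParent: true` keeps the folder or organization policy in effect and adds `projects/backupdr-images` on top of it.

```shell
# Added example (not from the Backup and DR documentation): allow the
# Google-managed image project via the gcloud CLI rather than the console.
# Assumes gcloud is installed and authenticated; PROJECT_ID is a placeholder.
set -eu

# Build the org-policy document that matches the console steps above:
# "Merge with parent" (inheritFromParent: true) and one Allow rule whose
# custom value is projects/backupdr-images.
# $1: project id
trusted_image_policy() {
  project_id="$1"
  cat <<EOF
name: projects/${project_id}/policies/compute.trustedImageProjects
spec:
  inheritFromParent: true
  rules:
  - values:
      allowedValues:
      - projects/backupdr-images
EOF
}

# Show the effective policy first so a project-level change that conflicts
# with an organization or folder constraint is visible before it is applied,
# then write and apply the merged policy.
apply_trusted_image_policy() {
  project_id="$1"
  gcloud org-policies describe compute.trustedImageProjects \
    --project="${project_id}" --effective || true
  trusted_image_policy "${project_id}" > /tmp/trusted-images.yaml
  gcloud org-policies set-policy /tmp/trusted-images.yaml
}

# Only contact Google Cloud when explicitly asked, so the file is safe to source.
if [ "${APPLY:-0}" = "1" ]; then
  apply_trusted_image_policy "${PROJECT_ID:?set PROJECT_ID}"
fi
```

Run with `APPLY=1 PROJECT_ID=my-project sh trusted-images.sh`. Keep the output of the `describe --effective` call: it is the record of what was allowed before the change, and the quickest way to confirm that `projects/backupdr-images` now appears in the effective allow list.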
The deployment process
To launch the installation, Backup and DR Service creates a service account to run the installer. The service account requires privileges in the host project, the backup/recovery appliance service project, and the management console service project. For more information, see service accounts.
The service account used for installation becomes the service account of the backup/recovery appliance. After installation, the permissions of the service account are reduced to just the permissions required by the backup/recovery appliance.
The management console is deployed when you install the first backup/recovery appliance. You can deploy Backup and DR Service in a Shared VPC or in a non-shared VPC.
Backup and DR Service in a non-shared VPC
When the management console and the first backup/recovery appliance are deployed in a single project with a non-shared VPC, all three Backup and DR Service components are in the same project.
If the VPC is shared, see Backup and DR Service in a Shared VPC.
Enable the required APIs for installation in a non-shared VPC
Before enabling the required APIs for installation in a non-shared VPC, review the Backup and DR Service deployment supported regions. See Supported regions.
To run the installer in a non-shared VPC, the following APIs must be enabled. To enable APIs, you need the role Service usage admin.
API | Service name |
---|---|
Compute Engine | compute.googleapis.com |
Resource Manager | cloudresourcemanager.googleapis.com |
Workflows 1 | workflows.googleapis.com |
Cloud Key Management Service (KMS) | cloudkms.googleapis.com |
Identity and Access Management | iam.googleapis.com |
Cloud Logging | logging.googleapis.com |
1 The Workflows service is supported in the listed regions. If the Workflows service is not available in the region where the backup/recovery appliance is being deployed, then Backup and DR Service defaults to the "us-central1" region. If you have an organization policy that prevents creating resources in other regions, then you need to temporarily update it to allow creation of resources in the "us-central1" region. You can restrict the "us-central1" region again after the backup/recovery appliance deployment.
The user account requires these permissions in the non-shared VPC project
Preferred role | Permissions needed |
---|---|
resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
 | resourcemanager.projects.setIamPolicy |
 | resourcemanager.projects.get |
 | iam.serviceAccounts.delete |
 | iam.serviceAccounts.get |
 | workflows.workflows.delete |
 | workflows.executions.create |
 | workflows.executions.get |
 | workflows.operations.get |
serviceusage.serviceUsageAdmin (Service Usage Admin) | serviceusage.services.list |
iam.serviceAccountUser (Service Account User) | iam.serviceAccounts.actAs |
iam.serviceAccountAdmin (Service Account Admin) | iam.serviceAccounts.create |
 | iam.serviceAccounts.delete |
 | iam.serviceAccounts.get |
workflows.editor (Workflows Editor) | workflows.workflows.create |
 | workflows.workflows.delete |
 | workflows.executions.create |
 | workflows.executions.get |
 | workflows.operations.get |
backupdr.admin (Backup and DR Admin) | backupdr.* |
viewer (Basic) | Grants the permissions required to view most Google Cloud resources. |
Backup and DR in a Shared VPC
When deploying the management console and the first backup/recovery appliance in a Shared VPC, you must configure these three projects in either the host project or in one or more service projects:
- VPC owner project: This owns the selected VPC. The VPC owner is always the host project.
- Management console project: This is where the Backup and DR API is activated and where you access the management console to manage workloads.
- Backup/recovery appliance project: This is where the backup/recovery appliance is installed and usually where the protected resources reside.
In a Shared VPC, these may be one, two, or three projects.
Before enabling the required APIs for installation in a Shared VPC, review the Backup and DR deployment supported regions. See Supported regions.
Type | VPC Owner | Management console | Backup/recovery appliance |
---|---|---|---|
HHH | Host project | Host project | Host project |
HHS | Host project | Host project | Service project |
HSH | Host project | Service project | Host project |
HSS | Host project | Service project | Service project |
HS2 | Host project | Service project | A different service project |
Descriptions of the deployment strategies
HHH: Shared VPC. The VPC owner, the management console, and the backup/recovery appliance are all in the host project.
HHS: Shared VPC. The VPC owner and the management console are in the host project, and the backup/recovery appliance is in a service project.
HSH: Shared VPC. The VPC owner and the backup/recovery appliance are in the host project, and the management console is in a service project.
HSS: Shared VPC. The VPC owner is in the host project, and the backup/recovery appliance and the management console are in one service project.
HS2: Shared VPC. The VPC owner is in the host project, and the backup/recovery appliance and the management console are in two different service projects.
Enable these required APIs for installation in the host project
To run the installer, the following APIs must be enabled. To enable APIs, you need the role Service usage admin.
API | Service name |
---|---|
Compute Engine | compute.googleapis.com |
Resource Manager | cloudresourcemanager.googleapis.com |
Enable these required APIs for installation in the backup/recovery appliance project
API | Service name |
---|---|
Compute Engine | compute.googleapis.com |
Resource Manager | cloudresourcemanager.googleapis.com |
Workflows 1 | workflows.googleapis.com |
Cloud Key Management Service (KMS) | cloudkms.googleapis.com |
Identity and Access Management | iam.googleapis.com |
Cloud Logging | logging.googleapis.com |
1 The Workflows service is supported in the listed regions. If the Workflows service is not available in the region where the backup/recovery appliance is being deployed, then Backup and DR Service defaults to the "us-central1" region. If you have an organization policy that prevents creating resources in other regions, then you need to temporarily update it to allow creation of resources in the "us-central1" region. You can restrict the "us-central1" region again after the backup/recovery appliance deployment.
The user account requires these permissions in the VPC owner project
Preferred Role | Permissions needed |
---|---|
resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
 | resourcemanager.projects.setIamPolicy |
 | resourcemanager.projects.get |
 | iam.serviceAccounts.delete |
 | iam.serviceAccounts.get |
 | workflows.workflows.delete |
 | workflows.executions.create |
 | workflows.executions.get |
 | workflows.operations.get |
serviceusage.serviceUsageAdmin (Service Usage Admin) | serviceusage.services.list |
The user account requires these permissions in the management console project
The management console is deployed when you install the first backup/recovery appliance.
Preferred Role | Permissions needed |
---|---|
resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
 | resourcemanager.projects.setIamPolicy |
 | resourcemanager.projects.get |
 | iam.serviceAccounts.delete |
 | iam.serviceAccounts.get |
 | workflows.workflows.delete |
 | workflows.executions.create |
 | workflows.executions.get |
 | workflows.operations.get |
backupdr.admin (Backup and DR Admin) | backupdr.* |
viewer (Basic) | Grants the permissions required to view most Google Cloud resources. |
The user account requires these permissions in the backup/recovery appliance project
Preferred Role | Permissions needed |
---|---|
resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
 | resourcemanager.projects.setIamPolicy |
 | resourcemanager.projects.get |
iam.serviceAccountUser (Service Account User) | iam.serviceAccounts.actAs |
iam.serviceAccountAdmin (Service Account Admin) | iam.serviceAccounts.create |
 | iam.serviceAccounts.delete |
 | iam.serviceAccounts.get |
workflows.editor (Workflows Editor) | workflows.workflows.create |
 | workflows.workflows.delete |
 | workflows.executions.create |
 | workflows.executions.get |
 | workflows.operations.get |
serviceusage.serviceUsageAdmin (Service Usage Admin) | serviceusage.services.list |
In addition to the end user account permissions, other permissions are temporarily granted to the service account created on your behalf until the installation is complete.
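The API tables and the per-project role tables above (for both the non-shared VPC case and the Shared VPC host, management console and appliance projects) can be turned into a pre-flight check that runs before the installer does, so that a missing API or role is found up front rather than as a failed deployment. The script below is an added example, not part of this page or of the Backup and DR product; it assumes gcloud is installed and authenticated, and the project ids and the principal (for example `user:alice@example.com`) are placeholders supplied by the caller. The service and role lists are copied from the tables above; the shell functions, variable names and the HSS invocation at the end are this example's own.

```shell
# Added pre-flight check, not from the Backup and DR documentation. Assumes the
# gcloud CLI is installed and authenticated; HOST_PROJECT, SERVICE_PROJECT and
# PRINCIPAL (e.g. user:alice@example.com) are placeholders set by the caller.
set -eu

# Services from the API tables: the full set for a non-shared VPC project or the
# backup/recovery appliance project, Compute + Resource Manager for the host project.
APPLIANCE_SERVICES="compute.googleapis.com cloudresourcemanager.googleapis.com workflows.googleapis.com cloudkms.googleapis.com iam.googleapis.com logging.googleapis.com"
HOST_SERVICES="compute.googleapis.com cloudresourcemanager.googleapis.com"

# Preferred roles from the permission tables, per project role.
APPLIANCE_ROLES="roles/resourcemanager.projectIamAdmin roles/iam.serviceAccountUser roles/iam.serviceAccountAdmin roles/workflows.editor roles/serviceusage.serviceUsageAdmin"
VPC_OWNER_ROLES="roles/resourcemanager.projectIamAdmin roles/serviceusage.serviceUsageAdmin"
CONSOLE_ROLES="roles/resourcemanager.projectIamAdmin roles/backupdr.admin roles/viewer"

# Print the space-separated items of $1 that do not appear on stdin (one per line).
missing_items() {
  required="$1"; missing=""
  have=" $(tr '\n' ' ') "
  for item in $required; do
    case "$have" in
      *" $item "*) ;;
      *) missing="${missing}${item} " ;;
    esac
  done
  printf '%s' "${missing% }"
}

# Enabled services of a project, one per line.
enabled_services() {
  gcloud services list --enabled --project="$1" --format='value(config.name)'
}

# Roles bound directly to a principal in the project's IAM policy, one per line.
# Roles inherited from a folder or the organization do not show up here, and a
# broader or custom role may grant the same permissions, so treat a reported
# gap as something to confirm, not as proof that the permission is absent.
principal_roles() {
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.members:$2" --format='value(bindings.role)'
}

# Report what is missing in one project; returns 1 if anything is missing.
# $1 project, $2 required services, $3 preferred roles, $4 principal
preflight() {
  rc=0
  gap="$(enabled_services "$1" | missing_items "$2")"
  if [ -n "$gap" ]; then echo "$1: APIs not enabled: $gap"; rc=1; fi
  gap="$(principal_roles "$1" "$4" | missing_items "$3")"
  if [ -n "$gap" ]; then echo "$1: $4 lacks preferred roles: $gap"; rc=1; fi
  return "$rc"
}

# Enable whichever required APIs are still off (needs Service Usage Admin).
enable_missing_services() {
  gap="$(enabled_services "$1" | missing_items "$2")"
  # word splitting of $gap into separate service arguments is intended
  [ -z "$gap" ] || gcloud services enable $gap --project="$1"
}

# Example run for the HSS layout: the host project owns the VPC and one service
# project holds both the management console and the appliance.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  status=0
  preflight "${HOST_PROJECT:?}" "$HOST_SERVICES" "$VPC_OWNER_ROLES" "${PRINCIPAL:?}" || status=1
  preflight "${SERVICE_PROJECT:?}" "$APPLIANCE_SERVICES" "$APPLIANCE_ROLES $CONSOLE_ROLES" "${PRINCIPAL:?}" || status=1
  exit "$status"
fi
```

For the HHS or HS2 layouts, call `preflight` once per project with the service and role lists that match the project's role in that layout; the lists are deliberately kept as plain variables so they can be combined the way the tables combine them.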
Configure networks
If a VPC network has not already been created for your target project, you need to create one before proceeding. See Create and modify Virtual Private Cloud (VPC) networks for details.
You need a subnet in each region where you plan to deploy a backup/recovery appliance, and the user who creates it must hold the compute.networks.create permission.
If you are deploying backup/recovery appliances in multiple networks, use subnets that don't share the same IP address ranges to prevent multiple backup/recovery appliances from having the same IP address.
Configure Private Google Access
The backup/recovery appliance communicates with the management console using Private Google Access. It's recommended that you enable Private Google Access for each subnet where you want to deploy a backup/recovery appliance.
The subnet where the backup/recovery appliance is deployed needs to communicate with a unique domain hosted under the domain backupdr.googleusercontent.com. It's recommended that you include the following configuration in Cloud DNS:
- Create a private zone for the DNS name backupdr.googleusercontent.com.
- Create an A record for the domain backupdr.googleusercontent.com and include each of the four IP addresses 199.36.153.8, 199.36.153.9, 199.36.153.10 and 199.36.153.11 from the private.googleapis.com subnet 199.36.153.8/30. If you're using VPC Service Controls, then use 199.36.153.4, 199.36.153.5, 199.36.153.6 and 199.36.153.7 from the restricted.googleapis.com subnet 199.36.153.4/30.
- Create a CNAME record for *.backupdr.googleusercontent.com that points to the domain name backupdr.googleusercontent.com.
This ensures that any DNS resolution for your unique management console domain traverses using Private Google Access.
Ensure that your firewall rules have an egress rule that allows access on TCP 443 to either the 199.36.153.8/30 or the 199.36.153.4/30 subnet. Also, if you have an egress rule that allows all traffic to 0.0.0.0/0, then connectivity between the backup/recovery appliances and the management console should succeed.
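The Private Google Access, Cloud DNS and firewall configuration above, scripted with the gcloud CLI, as an added example that is not part of this page or of the Backup and DR product. It assumes gcloud is installed and authenticated; `PROJECT_ID`, `NETWORK`, `SUBNET` and `REGION` are placeholders, and the zone name `backupdr-private`, the rule name `allow-backupdr-console-egress` and the TTL are this example's own choices. The two /30 ranges and the domain are the ones given above; the `VPC_SC` switch selects the restricted.googleapis.com range for the VPC Service Controls case.

```shell
# Added example, not from the Backup and DR documentation. Assumes gcloud is
# installed and authenticated; PROJECT_ID, NETWORK, SUBNET and REGION are
# placeholders; the zone and firewall-rule names are chosen here.
set -eu

BACKUPDR_DOMAIN="backupdr.googleusercontent.com"

# The /30 from the page for each case: private.googleapis.com normally,
# restricted.googleapis.com when VPC Service Controls is in use.
backupdr_vip_range() {
  case "$1" in
    private)    printf '199.36.153.8/30' ;;
    restricted) printf '199.36.153.4/30' ;;
    *) echo "mode must be private or restricted, got: $1" >&2; return 1 ;;
  esac
}

# Expand that /30 into the four addresses the A record needs, comma-separated.
backupdr_vip_addresses() {
  range="$(backupdr_vip_range "$1")"
  base="${range%/30}"      # e.g. 199.36.153.8
  prefix="${base%.*}"      # 199.36.153
  last="${base##*.}"       # 8
  printf '%s.%d,%s.%d,%s.%d,%s.%d' \
    "$prefix" "$last" "$prefix" "$((last + 1))" \
    "$prefix" "$((last + 2))" "$prefix" "$((last + 3))"
}

# Turn on Private Google Access for the appliance subnet (one per region).
# $1 project, $2 region, $3 subnet
enable_private_google_access() {
  gcloud compute networks subnets update "$3" --project="$1" --region="$2" \
    --enable-private-ip-google-access
}

# Cloud DNS: a private zone attached to the VPC, an A record with the four
# addresses, and a wildcard CNAME so each console's unique hostname resolves
# through the same Private Google Access path.
# $1 project, $2 network, $3 mode (private|restricted)
configure_backupdr_dns() {
  zone="backupdr-private"
  gcloud dns managed-zones create "$zone" --project="$1" \
    --dns-name="${BACKUPDR_DOMAIN}." --visibility=private --networks="$2" \
    --description="Private Google Access path for Backup and DR"
  gcloud dns record-sets create "${BACKUPDR_DOMAIN}." --project="$1" --zone="$zone" \
    --type=A --ttl=300 --rrdatas="$(backupdr_vip_addresses "$3")"
  gcloud dns record-sets create "*.${BACKUPDR_DOMAIN}." --project="$1" --zone="$zone" \
    --type=CNAME --ttl=300 --rrdatas="${BACKUPDR_DOMAIN}."
}

# Egress rule limited to TCP 443 and the selected /30, which is narrower than a
# blanket allow to 0.0.0.0/0 while still satisfying the requirement above.
# $1 project, $2 network, $3 mode
configure_backupdr_egress() {
  gcloud compute firewall-rules create allow-backupdr-console-egress \
    --project="$1" --network="$2" --direction=EGRESS --action=ALLOW \
    --rules=tcp:443 --destination-ranges="$(backupdr_vip_range "$3")" --priority=1000
}

if [ "${APPLY:-0}" = "1" ]; then
  mode=private
  if [ "${VPC_SC:-0}" = "1" ]; then mode=restricted; fi
  enable_private_google_access "${PROJECT_ID:?}" "${REGION:?}" "${SUBNET:?}"
  configure_backupdr_dns "${PROJECT_ID:?}" "${NETWORK:?}" "$mode"
  configure_backupdr_egress "${PROJECT_ID:?}" "${NETWORK:?}" "$mode"
fi
```

In a Shared VPC the DNS zone, the subnet setting and the firewall rule all belong to the host project, since that project owns the network; run the script against the host project id in that case. If a deny-all egress rule exists at a lower priority number than 1000, raise this rule's priority accordingly so the allow is evaluated first.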
Create a Cloud Storage bucket
You need a Cloud Storage bucket if you want to protect databases and file systems using the Backup and DR agent and then copy the backups to Cloud Storage for long-term retention. This also applies to VMware VM backups created using the VMware vSphere Storage APIs for Data Protection.
Create a Cloud Storage bucket using the following instructions:
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. Click Create bucket.
3. Enter a name for the bucket.
4. Choose a region to store your data in and click Continue.
5. Choose a default storage class and click Continue. Use Nearline when retention is 30 days or less, and Coldline when retention is 90 days or more. If retention is between 30 and 90 days, then consider using Coldline.
6. Leave Uniform access control selected and click Continue. Don't use fine-grained.
7. Leave Protection tools set to None and click Continue. Don't select other choices, as they don't work with Backup and DR Service.
8. Click Create.
Validate that your service account has access to your bucket:
1. Select your new bucket to display the bucket details.
2. Go to Permissions.
3. Under Principals, ensure your new service accounts are listed. If they are not, then use the Add button to add both the reader and the writer service accounts as principals.
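The bucket creation and the access validation above, done with the gcloud CLI, as an added example that is not part of this page or of the Backup and DR product. It assumes gcloud with the `gcloud storage` command group is installed and authenticated; `PROJECT_ID`, `BUCKET`, `REGION`, `RETENTION_DAYS`, `READER_SA` and `WRITER_SA` are placeholders (the page does not name the reader and writer service accounts, so they are supplied by the caller). The storage-class rule encodes the retention guidance in step 5; uniform bucket-level access and the absence of any retention-policy or versioning flags correspond to steps 6 and 7.

```shell
# Added example, not from the Backup and DR documentation. Assumes gcloud with
# the "gcloud storage" command group; PROJECT_ID, BUCKET, REGION,
# RETENTION_DAYS, READER_SA and WRITER_SA are placeholders set by the caller.
set -eu

# Storage class from the retention guidance above: Nearline at 30 days or
# less, Coldline otherwise (90 days or more, and the 30-90 day band as well).
# $1: retention in days
storage_class_for_retention() {
  if [ "$1" -le 30 ]; then printf 'NEARLINE'; else printf 'COLDLINE'; fi
}

# Create the bucket the way the console steps describe: a region, the chosen
# default class, uniform (not fine-grained) access control, and no protection
# tools, so no retention-policy or versioning flags are passed.
# $1 project, $2 bucket name, $3 region, $4 retention days
create_backupdr_bucket() {
  gcloud storage buckets create "gs://$2" --project="$1" --location="$3" \
    --default-storage-class="$(storage_class_for_retention "$4")" \
    --uniform-bucket-level-access
}

# Roles bound to one service account on the bucket, one per line (empty if none).
# $1 bucket name, $2 service account e-mail
bucket_roles_for() {
  gcloud storage buckets get-iam-policy "gs://$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" \
    --format='value(bindings.role)'
}

# The page's "Validate that your service account has access" step: every
# service account passed after the bucket name must appear as a principal.
# $1 bucket name, $2.. service account e-mails
verify_bucket_access() {
  bucket="$1"; shift
  rc=0
  for sa in "$@"; do
    if [ -z "$(bucket_roles_for "$bucket" "$sa")" ]; then
      echo "gs://${bucket}: $sa is not a principal on this bucket" >&2
      rc=1
    else
      echo "gs://${bucket}: $sa has $(bucket_roles_for "$bucket" "$sa" | tr '\n' ' ')"
    fi
  done
  return "$rc"
}

if [ "${APPLY:-0}" = "1" ]; then
  create_backupdr_bucket "${PROJECT_ID:?}" "${BUCKET:?}" "${REGION:?}" "${RETENTION_DAYS:?}"
  verify_bucket_access "${BUCKET:?}" "${READER_SA:?}" "${WRITER_SA:?}"
fi
```

`verify_bucket_access` exits non-zero when either service account is missing, which is the point at which the console's Add button would be used; the roles it prints are whatever is currently bound, so the output also shows when a service account is present but bound to a role that cannot write.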