Configure Google Cloud VMware Engine for Backup and DR protection

Before you begin, it's a good idea to review Backup and DR for VMware VMs.

Before you add, discover, and protect a VMware VM, you must do the following in the Google Cloud VMware Engine:

Create a Google Cloud VMware Engine private cloud

This procedure assumes you've already created a Google Cloud VMware Engine private cloud, deployed Google Cloud VMware Engine, and have the VMware VMs that you want to back up. If you haven't yet deployed Google Cloud VMware Engine, see Create a Google Cloud VMware Engine private cloud.

Google Cloud VMware Engine private cloud and the VPC connection

After you create a Google Cloud VMware Engine private cloud, you need to add a private connection between your Google Cloud VMware Engine private cloud and the VPC where your backup/recovery appliance is deployed. See Complete private connection creation in the Google Cloud VMware Engine portal.

Set administrator permissions to manage VMware Engine instances

To manage VMware Engine instances with administrator privileges:

  1. Elevate the permissions first.
  2. Create a user that is not associated with any group.
  3. Create a role with the permissions in the following list.
  4. Assign the role to the newly-created user.
  5. Assign the role in the vCenter Server Appliance.

Required permissions


  • Allocate space
  • Browse datastore
  • Low level file operations
  • Removefile
  • Update virtual machine files


  • Create folder


  • Cancel task
  • Disable methods
  • Enable methods
  • Licenses
  • Log event


  • Configuration

    • Storage partition configuration
  • Local operations

    • Create virtual machine
    • Delete virtual machine
    • Reconfigure virtual machine


  • Assign network

  • Host profile

    • Clear
    • Create
    • Delete
    • Edit
    • Export
    • View


  • Assign virtual machine to resource pool


  • Create task
  • Update task


  • Export
  • View OVF environment
  • vApp application configuration
  • vApp instance configuration
  • vApp managedBy configuration
  • vApp resource configuration

Virtual machine

  • Change Configuration

    • Acquire disk lease
    • Add existing disk
    • Add new disk
    • Add or remove device
    • Advanced configuration
    • Change Settings
    • Change resource
    • Configure Raw device
    • Modify device settings
    • Query unowned files
    • Remove disk
    • Rename
    • Toggle disk change tracking
  • Edit Inventory

    • Create from existing
    • Create new
    • Remove
  • Guest operations

    • Guest operation modifications
    • Guest operation program execution
    • Guest operation queries
  • Interaction

    • Configure CD media
    • Connect devices
    • Power off
    • Power on
    • Suspend
  • Provisioning

    • Allow disk access
    • Allow read-only disk access
    • Allow virtual machine download
    • Clone virtual machine
    • Deploy template
  • Snapshot management

    • Create snapshot
    • Remove snapshot
    • Rename snapshot
    • Revert to snapshot

Set NFS ingress firewall rules for the backup/recovery appliance

When you perform VMware VM mounts using NFS, the backup/recovery appliance provides access to the VMDKs using an NFS datastore. You need to set the ingress firewall rules for the backup appliance to ensure NFS mounts don't encounter unexpected errors.

  1. In the Google Cloud console, go to the Firewall page.


  2. Find the VPC firewall rule for your backup/recovery appliance.

    It contains the following:

    • Target: Service account for your backup appliance.

    For example:

    • tcp ports:
      • 26
      • 443
      • 3260
      • 5107
  3. Edit the firewall rules and add the following:

    • In the Source IPv4 range, add the system management subnet of your Google Cloud VMware Engine private cloud. You can find the system management subnet in Google Cloud VMware Engine portal by navigating to Resources, then Select your private cloud, then Subnets.

    • tcp:

      • 26
      • 111
      • 443
      • 756
      • 2049
      • 3260
      • 4001
      • 4045
      • 5107
    • udp:

      • 111
      • 756
      • 2049
      • 4001
      • 4045
  4. Click Save.

Configure a solution user account

To perform backup, the backup/recovery appliance needs to connect to the vCenter server using an authenticated user that has the correct permissions. The easiest way to set this up is by using a solution user account.

You need to set the solution user account password beforehand:

  1. Access the VMware Engine portal

  2. Select Resources, then select your private cloud.

  3. Select Change your vSphere privileges.

  4. Leave the user type and time interval to the default option, and select I Understand.

  5. Click Confirm.

  6. Click Launch vSphere client (HTML5).

  7. Go to Menu and click Administration.

  8. Click Single Sign On.

  9. Click Users and Groups.

  10. From the main panel, select the gve.local domain and select the desired solution user account.

  11. Click Edit.

  12. Enter a strong password in the Password and Confirm Password fields for the solution user account. Optionally, add the description. Take a note of which solution user you use, for example solution-user-01, and the password you set, as you need to use it when configuring the vCenter host.

  13. Click Save.

What's next

The VMware administrator's guide