This page provides an end-to-end overview of how to automate backups for your Compute Engine instances using Tags.
Configure backup for new Compute Engine instances
A Compute Engine instance is a VM hosted on Google Cloud. Each instance stores data on Persistent Disks that are attached to the instance. You can create an instance or create a group of managed instances by using the Google Cloud console, the Google Cloud CLI, or the Compute Engine API.
For more detailed information, see Compute Engine.
Prerequisite to automate backups
Before you start automating backups of Compute Engine instances, read the following procedures to prepare for backups:
After setting up Backup and DR Service and creating a backup plan template, you are now ready to automate protection of your Compute Engine instances by applying the backup plan template to the instance using Tags.
Permissions
To create, update, and delete Tags definitions for Compute Engine resources, you need the Tag Administrator
role. For more information on the tagUser
role, see
Required permissions.
Administer Dynamic Protection Tags
To create, update, and delete Dynamic Protection Tags, you need to have one of the following roles:
Backup and DR Admin
Backup and DR Backup User
Backup and DR User V2
Project Editor
Project Owner
a custom role that includes the following permissions:
Required permissions
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.createDynamicProtection
backupdr.managementServers.deleteDynamicProtection
compute.instances.listEffectiveTags
Learn more about Backup and DR Service roles.
Apply a backup plan template using Tags automatically
This section helps you in automating the application of a backup plan to a Compute Engine instance using Tags. First you create a mapping of backup plans to Tags in the management console. Then you create Tags through Identity and Access Management (IAM) using the same values assigned in the management console.
Create Dynamic Protection Tag Values
Use these instructions to create Dynamic Protection Tag Values that can be used with yourCompute Engine instances:
In the management console, click the Backup Plans drop-down menu and select Dynamic Protection Tags.
Click Create Dynamic Protection Tag.
Enter a unique Tag Value that follows these naming requirements.
From the Application type list, select Compute Engine.
Choose a corresponding Template and Profile to be associated with this Tag Value.
Click Save. A Dynamic Protection Tag value is created.
Create Dynamic Protection Tags
Use these instructions to create Dynamic Protection Tags to attach to your Compute Engine instances in order to automate protection:
To create, update, and delete tag definitions, you need the Tag Administrator role, or another role that includes specific permissions.
Open the Tags page in the Google Cloud console.
From the Scope picker at the top of the page, select the organization or project under which you want to create a tag key.
Click
Create.In the Tag key box, enter
backupdr-dynamicprotect
as the tag key. This is a mandatory step in ensuring successful automation. Be mindful of spelling errors and be sure to include the hyphen.Optional: In the Tag key description box, enter a description of your tag key.
Click
Add value and enter each Tag value that you just created.
In the Tag value box, enter the display name of your tag value. This becomes part of the namespaced name of your tag.
In the Tag value description box, enter a description of the Template and Profile that are associated with this Tag value.
When you have finished adding tag values, click Create tag key.
Adding Dynamic Protection Tags to a resource
Now that you have created Dynamic Protection Tag Values and linked them to a Dynamic Protection Tag, the next step is to assign a Tags to a Compute Engine instance. Tag based protection doesn't work if your instances are protected within a logical group. Remove logical group and try using the dynamic protection.
Before you begin, enable the appropriate permissions for your role to ensure you have one of the following roles assigned:
Backup and DR Admin
Backup and DR Backup User
Backup and DR User V2
Project Editor
Project Owner
Your Dynamic Protection Tags can be attached to Compute Engine instances using the following instructions:
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
In the Name column, click the name of the VM for which you want to add tags.
From the VM instance details page, complete the following steps:
- Click Edit.
- In the Basic section, click Manage Tags and add the tags that you want for the instance.
Select the
backupdr-dynamicprotect:
key and a corresponding Tag Value that maps to a Template and Profile that you set in the Google Cloud console.Click Save.
Adding tags to a resource during resource creation
In certain scenarios, you might want to tag resources during resource creation, rather than after the resource is created.
Console
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
Click Create instance.
Click Manage Tags and Labels.
Click Add Tags.
Follow the instructions in the side panel to select the
backupdr-dynamicprotect
to add to the instance.Click Save.
Complete other steps in Create and start a VM instance to finish creating the instance.
gcloud
To use Google Cloud CLI or APIs, follow the SDK documentation to do the following:
Terraform
Use the following Terraform template to get started with using Dynamic Protection Tags. This template assumes you haven't already created any Dynamic Protection tag keys in the Google Cloud console and will set it up for you. The template creates a new Compute Engine instance and binds it to a dynamic protection tag. You can wait for the scheduled Dynamic Protection job to run at 4:00 AM or 4:00 PM local time for it to take effect, or you can run a Dynamic Protection job on-demand by following the steps in Run Manual Auto Protection.
variable "project_id" {
description = "The ID of the existing Google Cloud project"
type = string
}
variable "region" {
description = "The Google Cloud region where demo-instance should be created"
type = string
}
variable "zone" {
description = "The Google Cloud zone where demo-instance should be created"
type = string
}
provider "google" {
project = var.project_id
region = var.region
zone = var.zone
}
data "google_project" "project" {
project_id = var.project_id
}
# Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/tags_tag_key
resource "google_tags_tag_key" "key" {
parent = "projects/${var.project_id}"
short_name = "backupdr-dynamicprotect"
description = "Tag key for Dynamic Protection."
}
# Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/tags_tag_value
resource "google_tags_tag_value" "value" {
parent = "tagKeys/${google_tags_tag_key.key.name}"
short_name = "backupdr-gold" # This value should be present in the "Management Console UI" > "Backup Plans" > "Dynamic Protection Tags"
description = "Tag value for gold plan."
}
# Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
# Ensure not to define tag in "resource_manager_tags" block while creating VM instance. It'll destroy the VM
# when tag value is changed/removed later. Instead define a separate tag binding using "google_tags_tag_binding"
# or "google_tags_location_tag_binding" resource. It'll modify just tag binding and VM instance won't be affected.
resource "google_compute_instance" "vm_instance" {
name = "demo-instance"
machine_type = "e2-micro"
zone = var.zone
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = "default"
access_config {
// Ephemeral public IP
}
}
}
# Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_tags_location_tag_binding
resource "google_tags_location_tag_binding" "binding" {
parent = "//compute.googleapis.com/projects/${data.google_project.project.number}/zones/${var.zone}/instances/${google_compute_instance.vm_instance.instance_id}"
tag_value = "tagValues/${google_tags_tag_value.value.name}"
location = var.zone
}
# Reference for Tag bindings at project/org level: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/tags_tag_binding
Detach a Tag from a resource
You can detach a Tag from a resource by deleting the tag binding resource.
To review instructions on how to detach tags, see Detaching a tag from a resource in the Resource Manager documentation.
Console
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
In the Name column, click the name of the VM for which you want to add tags.
From the VM instance details page, complete the following steps:
Click Edit.
In the Basic section, click Manage Tags and remove the
backupdr-dynamicprotect
for the instance.Click Save.
gcloud
To use Google Cloud CLI follow the documentation to use Google Cloud CLI to detach a Tag from a resource.
Run Manual Auto Protection
Although the protection engine runs daily at 4:00 AM and 4:00 PM local time, you can also make an on-demand run of the Dynamic Protection engine using the following command steps:
Set the management console endpoint by entering a value that starts with 'https://bmc-' and ends with '.com'. For example,
https://bmc-PROJECT_NUMBER-GENERATED_ID-dot-REGION.backupdr.googleusercontent.com
export MC_ENDPOINT="MC_ENDPOINT_edited_value"
Generate a bearer token:
echo "Generating a new bearer token..." export BEARER_TOKEN=$(gcloud auth print-access-token) echo "Bearer token generated: BEARER_TOKEN=$BEARER_TOKEN"
Get a new session ID:
echo "Generating a new session id..." export SESSION_RESPONSE=$(curl -XPOST -H "Authorization: Bearer $BEARER_TOKEN" -d {} "$MC_ENDPOINT/actifio/session" 2>&-) export SESSION_ID=$(echo $SESSION_RESPONSE | jq -r '.session_id') if [ -z ${SESSION_ID} ] then echo "Issue with generating a new session id. Response: $SESSION_RESPONSE"; return 1; fi echo "Session id generated: SESSION_ID=$SESSION_ID"
After you have set an endpoint, generated a bearer token, and gotten a session ID, you can trigger dynamic protection jobs for an hour until the session ID expires.
Trigger a dynamic protection job
A dynamic protection job updates all Compute Engine instances with their current tags, and assigns backup plans based the tags. The triggered job can take a few minutes depending on the number of changes pending for your workloads.
echo "Triggering dynamic protection job.." curl -H "Authorization: Bearer $BEARER_TOKEN" -H "backupdr-management-session: Actifio $SESSION_ID" -H "Content-Type: application/json" -XPOST -d '{}' "$MC_ENDPOINT/actifio/dynamicprotection/job/gceinstance" echo "Dynamic protection job triggered."
Use Dynamic Protection with the Resource Manager
You can use dynamic protection tags with Resource Manager, automating protection of your Compute Engine instances at a higher organizational level. Use the Resource Manager to tag resources at the project level or higher to ensure protection is inherited across all your resources. Learn more about Tag Inheritance.
Migrate manual protection to Dynamic Protection
If you intend to migrate your already protected resources to using dynamic protection using Tags, you must enable the migration flag in your project. After you've enabled migration, any manually protected instances can now use dynamic protection. Adding tags and resources automatically protects based on the tag and it removes the existing manual protection.
Bash
Run the following commands.
Set the management console endpoint by entering a value that starts with 'https://bmc-' and ends with '.com'. For example,
https://bmc-PROJECT_NUMBER-GENERATED_ID-dot-REGION.backupdr.googleusercontent.com
#!/bin/bash export MC_ENDPOINT="MC_ENDPOINT_edited_value"
Enable migration.
curl -H "Authorization: Bearer $BEARER_TOKEN" -H "backupdr-management-session: Actifio $SESSION_ID" -H "Content-Type: application/json" -XPATCH -d '{ "enableMigrationToTagBasedProtection":"true"}' "$MC_ENDPOINT/actifio/dynamicprotection/jobconfig"
Management console
To enable migration of manually protected Compute Engine instances to tag-based protection, follow these steps:
- Toggle Enable migration to tag based protection to ON status
- Confirm the Enable Migration dialog. Manually protected Compute Engine instances will be reprotected using the tag defined on the VM.
To disable migration of manually protected Compute Engine instances to tag-based protection, follow these steps:
- Toggle Enable migration to tag based protection to OFF status.
- Confirm the Disable Migration dialog. This disables the migration of manually protected Compute Engine instances to tag based protection.
Best practices
Dynamic protection can increase the number of backup jobs running and the amount of storage used. For best results, consider the following:
Increase backup windows. A window of 6 to 10 hours can help to ensure that all jobs run to completion.
A restored VM will carry over the same protection tag as the source VM along with the same backup plan, however the protection type will change from tag based protection to user initiated protection. The resource will continue to be protected using the carried over backup plan. To change the protection type back to tag based protection, you can remove the carried over protection backup plan and trigger dynamic protection job on-demand or wait for its next scheduled execution so that application is assigned tag based protection again.
A mounted VM on any existing host or newly created host won't carry over the same protection tag as the source VM, so it won't be protected automatically after the mount operation. If a newly mounted VM needs to be protected then you can apply to the new VM tag binding similar to the source VM.