Getting started with Backup and DR: protect and recover a Compute Engine instance


This exercise guides you through the steps of discovering and protecting a Compute Engine instance, and finally mounting a fully-functional new Compute Engine instance from the backup image to a new location.

Before you begin

Before you begin, you must read and complete the following procedures:

After deploying Backup and DR, to discover and protect Compute Engine instances, you need to do the following:

Create a backup plan template

Templates are composed of backup policies. In policies, you can define when to run a backup, how frequently to run a backup, and how long to retain the backup image for—Days, Weeks, Months, or Years.

Use these instructions to create a backup template:

  1. Click Backup Plans and select Templates from the drop-down menu.

    The Templates page opens.

  2. Click Create Templates.

    The Create Template page opens with a new empty backup template.

  3. In the Template field, enter a name for the backup template. For the template name, enter an alphanumeric text string. Spaces, underscores (_), and dashes (-) are allowed in a name. Do not include special characters.

  4. In the Description field, enter a brief description for this backup template.

  5. To modify Allow Overrides in Policy Settings, complete the following:

    • Click Yes to allow selected App Manager advanced settings to override the settings specified in a backup plan policy's advanced settings. You can override policy settings in the App Manager only if the Allow Overrides on Policy Settings parameter is set to Yes.
    • Click No if you do not want to allow backup plan policy setting override in the App Manager.
  6. Click either +(Plus) in the backup plan policy map or +Add in the Policies section to add a production to snapshot backup policy.

  7. Enter a Policy Name.

  8. If appropriate for the policy type, specify the schedule type: Windowed or Continuous. The default is Windowed.

    • Windowed. Defines a discrete snapshot backup schedule adhering to a specific frequency and time window—for example, perform a backup every 30 minutes, daily from 09:00 to 17:00 UTC. You can instruct the backup/recovery appliance to run multiple backup jobs at a specified frequency interval or once during a specified time window.
    • Continuous. Defines a continuous snapshot backup schedule—for example, perform a backup job every eight hours, starting the first job at 01:00 UTC. In this policy schedule, jobs run continuously (24/7) at the specified time interval.
  9. Configure the policy frequency settings per the selected schedule type as outlined in the lists below.

    • Windowed.

      • On These Days. Configures the frequency of the policy by defining an interval at which snapshot images are captured. Based on this interval setting, the snapshot job runs once every specified number of days, weeks, months, or years. Click the link of this parameter and modify the Run interval. The schedule is displayed in a calendar view. From this view you can specify Days, Weeks, Months, or Years. The calendar view changes accordingly based on your selection.
      • Except. Defines an exception to the Run schedule. You can specify an Except value of daily, weekly, monthly, or yearly. For example, to skip the daily snapshot schedule every Friday, select weekly and select Friday. Click the link of this parameter and modify the exception. The schedule is displayed in a calendar view. From this view you can specify Days, Weeks, Months, or Years. The calendar view changes accordingly based on your selection.
      • Within This Window. Defines a start and end time window for capturing images.
      • Run Once Per Window. Specifies that the frequency duration for capturing snapshot images is once during the specified Run Between time window.
      • Every. Specifies a repeat frequency duration (minutes or hours) for capturing snapshot images during the specified Run Between time window. For example, every two hours.
    • Continuous.

      • Every. Specifies the time interval at which the snapshot image capture repeats.
      • Starting At. Specifies the time of day at which to run the first job in the continuous cycle of image captures.
    • Both Windowed and Continuous.

      • Retain For. Specifies the length of time that you intend to retain the snapshot image. For example, retain the image for two days.
  10. If applicable, change the application priority from the Priority drop-down list. The default job priority is medium, but you can change the priority to high or low.

    • The backup plan scheduler identifies when one or more policies applied to applications are to run, and then initiates a job that places the policy into a queue when the scheduled start time occurs. For each policy type there is a pacing mechanism to ensure that the system is not overwhelmed with running jobs. This pacing mechanism uses job slots to achieve this steady state, which means that even if a job is supposed to start at a particular time, it executes only when a job slot is available.
    • If multiple applications are scheduled to run at the same time with the same job priority, the selection of the application to run is randomized to ensure fairness across all of the applications of the same priority.
    1. Configure the Advanced Settings. See Configure advanced policy settings for a backup plan policy for details.
  11. When you are done creating the new policy, click Update Policy to add it to the template. You return to the Templates list.

  12. Click Save Template.

Validate your cloud credential service account

Every appliance has a dedicated service account attached to it, which was created during appliance deployment in the project where the appliance was deployed. For appliances installed on version 11.0.2 and higher, a corresponding cloud credential for this service account is automatically created at the time of an appliance deployment. The name of the cloud credential is based on the appliance name followed by the suffix -sa. For example, if the name of the backup/recovery appliance is bur-appliance-us-east1, then the name of the appliance's corresponding cloud credential is bur-appliance-us-east1-sa.

You need to validate that the service account of the backup/recovery appliance has the correct IAM roles.

Use these instructions to validate and set required IAM roles:

  1. In the Google Cloud console, click the menu icon on the top left of the screen.
  2. Navigate to IAM & Admin > IAM.
  3. Select the service account attached to your backup appliance.
  4. Select Edit principal.
  5. Validate if the Backup and DR Cloud Storage Operator role is already assigned. If not, then complete the following:

    1. Select Add Another Role.
    2. From the Select a role drop-down, use the filters to search for and add the role Backup and DR Cloud Storage Operator.
  6. Select Add Another Role.

  7. From the Select a role drop-down, use the filters to search for and add the role Backup and DR Compute Engine Operator.

  8. Select Save.

Discover and add Compute Engine instances to the management console

Use the management console Onboarding Wizard to add Compute Engine instances.

  1. Select Backup in the management console Backup and Recover menu. The onboarding wizard displays a variety of supported application types. Select Compute Engine instance.

  2. Select your credential and click Next. The dropdowns are populated with the Appliance as your appliance, and the Zone as the one that matches the credential you added.

  3. Choose a zone where the instances to be backed up are located.

  4. On the next panel, a list of Compute Engine instances appears. If no instances appear, then ensure that the zone selected matches the zone where your Compute Engine instances are located or running. Use the checkbox to select the Compute Engine instances to be backed up and then select Next.

  5. When you use the Onboarding Wizard you have four choices:

    • Apply a backup plan: To apply a backup plan to the discovered instances and start creating backups.
    • Add to a logical group: To add the discovered instances to a logical group and use the backup plan applied to that group.
    • Add as unmanaged: To discover the instance and apply a backup plan to the discovered instances later.
    • Mark as ignored: To discover the instances as ignored, meaning they are added but without a backup plan and with the ignored flag in the Applications page, indicating they do not need a backup plan.
  6. If you choose to apply a backup plan, then use the Onboarding Wizard to attach the policy template and profile to your Compute Engine instance. Select the instance you want to back up using the checkbox and then use the three drop-downs above it to:

    1. Apply a backup plan.
    2. Use the template you created.
    3. Select OK.
  7. Click Next.

  8. A Summary screen appears. Select Finish to complete the onboarding process which starts backing up the selected Compute Engine instances based on the Policy Template you attached.

  9. After onboarding is complete, a pop-up appears. Click Finish again. Once the policy template is attached to the selected VMs, the status changes to a green checkmark.

Backup and DR ensures that the chosen Compute Engine instances get backed up per the frequency set in the backup policy. Since you created a continuous backup policy, the first—full—backup job is automatically triggered. Subsequent backup jobs are triggered according to the frequency or schedule.

Monitor the progress of the backup job

This is an optional step. The backup job starts immediately. If you go to the Monitor menu and select Jobs, you can watch the progress of the backup job. When the job is finished, you have an image that you can restore.

Restore the Compute Engine instance to an alternate region

Now that you have an image of your Compute Engine instance, you can create a brand new Compute Engine instance in a different region from the backup images.

  1. From the management console, go to Backup & Recover > Recover. Select the Compute Engine instance you want to recover and click Next.

  2. Select a point in time backup image from which you want to recover the Compute Engine instance and select Mount.

  3. The Mount panel has many selection choices. Ensure you change the top-most option to the Mount as new selection.

  4. Review all the configuration options. There are at least two that you should change:

    • Zone: Change this to a different zone, to simulate recovering to a different region in the Google Cloud.

    • Instance Name: Change the instance name by adding a suffix so it goes from centos-7 to centos-7-recovered.

  5. Select Mount at the bottom of the panel.

    A Mount job starts. You can monitor this just like you monitored the snapshots from Monitor > Jobs. The job may take five minutes or longer depending on what region you selected.

  6. You can display the recovered VM in the Google Cloud console by going to Compute Engine, VM instances.

Restore the Compute Engine instance to an alternate project

You can also create a brand new Compute Engine instance in a different project from the backup images. To do this, you need to add the default service account as a principal in the target project.

  1. In the Google Cloud console, select the desired target project from the Project selection drop-down.
  2. Click the menu icon on the top left of the screen.
  3. Navigate to IAM & Admin > IAM.
  4. Select Grant Access.
  5. In the New principals field, enter the email address of the service account.
  6. In the Assign Roles section, assign the Backup and DR Compute Engine Operator role.
  7. Click Save.

  8. From the management console, go to Backup & Recover > Recover. Select the Compute Engine instance you want to recover and click Next.

  9. Select a point in time backup image from which you want to recover the Compute Engine instance and select Mount.

  10. The Mount panel has many selection choices. Ensure you change the top-most option to the Mount as new selection.

  11. Review all the configuration options. There is at least one that you should change:

    • Project: Change this to a different project, to simulate recovering to a different project in the Google Cloud.

    • Instance Name: Provided the instance name is not in use in the target project you can leave the instance name the same.

  12. Select Mount at the bottom of the panel.

    A Mount job starts. You can monitor this just like you monitored the snapshots from Monitor > Jobs. The job may take five minutes or longer depending on what region you selected.

  13. You can display the Recovered VM in the Google Cloud console by going to Compute Engine, VM instances.
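
Both IAM prerequisites in this guide (the two operator roles in "Validate your cloud credential service account" and the Compute Engine Operator grant in the target project above) can be checked from an exported IAM policy before a backup or mount job fails on permissions. The following is an added example, not part of the original guide or the product's own tooling: the role IDs are assumed to correspond to the display names on this page, and the service account email and both policies are constructed sample data.

```python
# Role IDs assumed to match the display names used on this page; confirm
# them in the console's role picker before relying on this check.
STORAGE_OPERATOR = "roles/backupdr.cloudStorageOperator"
COMPUTE_OPERATOR = "roles/backupdr.computeEngineOperator"
# Basic roles grant far more than the appliance needs; report them.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def audit_service_account(policy, sa_email, required):
    """Compare the roles bound to sa_email in an IAM policy with `required`.

    `policy` is the parsed JSON printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    Returns sorted lists: 'missing', 'conditional' (held only behind an
    IAM condition, so it may not apply when a job runs) and 'broad'.
    """
    member = f"serviceAccount:{sa_email}"
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        # Exact match: "deleted:serviceAccount:...?uid=..." entries do not count.
        if member not in binding.get("members", []):
            continue
        held = conditional if binding.get("condition") else unconditional
        held.add(binding["role"])
    needed = set(required)
    return {
        "missing": sorted(needed - unconditional - conditional),
        "conditional": sorted((needed & conditional) - unconditional),
        "broad": sorted(BROAD_ROLES & (unconditional | conditional)),
    }


# Constructed sample data: hypothetical account and policies, not real projects.
SA = "bur-appliance-us-east1@example-project.iam.gserviceaccount.com"
APPLIANCE_PROJECT = {"bindings": [
    {"role": STORAGE_OPERATOR, "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
]}
TARGET_PROJECT = {"bindings": [
    {"role": COMPUTE_OPERATOR, "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}

if __name__ == "__main__":
    print(audit_service_account(APPLIANCE_PROJECT, SA,
                                [STORAGE_OPERATOR, COMPUTE_OPERATOR]))
    print(audit_service_account(TARGET_PROJECT, SA, [COMPUTE_OPERATOR]))
```

Run it once against the appliance's project and once against each target project; a non-empty 'broad' list means the service account holds a basic role that the two operator roles make unnecessary.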

Manage the active mount

Because the backup/recovery appliance created this Compute Engine instance, even though it is not managing the disks for this instance, it still tracks it. You have two choices:

  • Unmount and delete: This deletes the Compute Engine instance and its disks removing the active mount.
  • Forget the active mount: This removes the mount record from Backup and DR but leaves the Compute Engine instance in place. A Compute Engine administrator needs to manage the lifecycle of this instance from now on.

Delete the instance

If you choose to delete the instance, complete the following:

  1. Go to App Manager > Active Mounts. You see one Active Mount with the name you gave your new Compute Engine instance.
  2. Right-click the mount and select Unmount & Delete, then click Submit. Once the job completes—you can monitor it from Monitor > Jobs again—the new Compute Engine instance is gone.

Forget the instance

If you choose to forget the instance, complete the following:

  1. Go to App Manager > Active Mounts. You see one Active Mount with the name you gave your new Compute Engine instance.
  2. Right-click the mount and select Forget Active Image, then click Submit. You can monitor the job from Monitor > Jobs again.

    Once the job completes, the new Compute Engine instance is no longer listed in the management console Active Mounts panel, but is still present in Compute Engine.

Impact of protecting instances where disks are encrypted with CMEK

If you are protecting a Compute Engine instance that has attached disks that are encrypted with Customer Managed Encryption Keys (CMEK), then be aware of the following:

View key version

To determine which key version is in use by a snapshot image:

  1. Go to Backup and Recover > Recover.
  2. Right-click the relevant application, select Access and then identify both the image name and consistency date of the relevant image from the access page.
  3. Now go to the Google Cloud console Compute Engine > Snapshots.
  4. Locate the snapshot for the relevant disk with a matching snapshot creation time.
  5. Select the snapshot to view the details view for that snapshot.
  6. Scroll down to the Key ID field. You can validate that you have the matching snapshot by reviewing the snapshot label, which should contain the image name.
