Apply a backup plan during instance creation

This document explains how to apply a Backup and DR Service backup plan to your Compute Engine instance when creating the instance using the Google Cloud console.

Read this document only if you want to back up an entire Compute Engine instance. If you want to back up only the disk data for your instance, then use disk snapshots and snapshot schedules instead. Learn more about choosing the correct data protection option for your use case.

Alternatively, to learn how to apply backup plans to existing instances using the Google Cloud console, see Back up Compute Engine instances to a backup vault instead.

Backup and DR backup plans let you define advanced backup strategies to store your Compute Engine instances in secure storage locations called backup vaults. You can configure backup rules such as the following:

How often to back up your instance resources
How long to retain the backups
Where and how to replicate the backed up data

You first define your backup rules in the backup plan configuration and then apply that plan to your Compute Engine instance. The Backup and DR Service then automatically backs up your instance resources and retains those backups based on these rules. For more information about backup plans and backup vaults, see Backup and DR Service overview.

Before you begin

Enable the Backup and DR Service API where the Compute Engine instances are located.
Enable the API
Create a backup vault
Create a backup plan
Set up Log Analytics on your bucket to monitor Backup and DR backup jobs.

Required roles

To get the permissions that you need to create an instance and apply a backup plan during its creation, ask your administrator to grant you the following IAM roles:
- To create the instance: Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) on the project for the Compute Engine instance
- To configure scheduled backups or run on-demand backups:
  - Backup and DR Backup User (roles/backupdr.backupUser) on the project for the backup vault
  - Viewer (roles/viewer) on the project for the backup vault
For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.
If you want to back up a Compute Engine instance to a backup vault that is in a different project than the instance, then make sure the Backup and DR Vault Service Agent for the backup vault has been granted permission to access the instances in that project. (If the backup vault and instance are in the same project, then this permission is already granted by default.)

To ensure that Backup and DR Vault Service Agent has the necessary permissions to back up a Compute Engine instance to a backup vault, ask your administrator to grant Backup and DR Vault Service Agent the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role on the project for the Compute Engine instance.
Important: You must grant this role to Backup and DR Vault Service Agent, not to your user account. Failure to grant the role to the correct principal might result in permission errors.

Limitations

You must use the Google Cloud console to create an instance that has a backup plan applied.
You can use only those backup plans that are in the same region as the instance that you're creating.
Backup and DR Service doesn't support backing up Compute Engine instances to a backup vault if the instance uses any of the following configurations:
- Instances with extreme Persistent Disk volumes attached.
- Instances with any Hyperdisk Extreme volumes attached.
- Instances that use a C3D, H3, A3, or Z3 machine type.
- Instances with customer-managed encryption keys (CMEK) or customer-supplied encryption keys (CSEK).
- Instances without any attached disks.
- Instances larger than 200 terabytes (TB).

Create an instance that has a backup plan applied

To create an instance that has a backup plan applied, follow these steps in the Google Cloud console:

In the Google Cloud console, go to the Create an instance page.

Go to Create an instance

If prompted, select your project and click Continue.

The Create an instance page appears and displays the Machine configuration pane.
In the Name field, specify a name for your instance. For more information, see Resource naming convention.
In the Region field, specify the region where you want your instance.
Optional: In the Zone field, select a zone for this instance.

The default selection is Any. If you don't change this default selection, then Google automatically chooses a zone for you based on machine type and availability.
To specify a backup plan for this instance, do the following:
1. In the navigation menu, click OS and storage. The Operating system and storage pane appears.
  
  Important: If you see a Data protection pane in the navigation menu, click Data protection instead of OS and storage and then continue with the remaining steps. For more information, see the February 14, 2025 release note.
2. In the Backup plan section, click Select a plan.
3. In the Select a backup plan pane that appears, do the following:
  1. Verify that the Project field has the same project name where your backup plans exist. If not, select the correct project.
  2. In the Backup plan name column, click the name of the back plan that you want to use.
  3. To confirm your choice of backup plan and return to the Operating system and storage pane, click Apply.
Optional. Specify any other configuration parameters of your choice. For more information about custom configuration options, see Create and start an instance.
To create and start the VM, click Create.

What's next

Learn how to restore an instance from a backup vault.
Learn about the other instance protection options provided by Backup and DR.