Preventing Accidental VM Deletion

This document describes how to protect specific VM instances from deletion by setting the deletionProtection property on an Instance resource. To learn more about VM instances, read the Instances documentation.

As part of your workload, there might be certain VM instances that are critical to running your application or services, such as an instance running a SQL server, a server used as a license manager, and so on. These VM instances might need to stay running indefinitely, so you need a way to protect them from being deleted.

By setting the deletionProtection flag, a VM instance can be protected from accidental deletion. If a user attempts to delete a VM instance for which you have set the deletionProtection flag, the request fails. Only a user that has been granted a role with compute.instances.create permission can reset the flag to allow the resource to be deleted.

Before you begin

Specifications

  • Deletion prevention does not prevent the following actions:

  • Deletion protection can be applied to both regular VMs and preemptible VMs.

  • Deletion protection cannot be applied to VMs that are part of a managed instance group but can be applied to instances that are part of unmanaged instance groups.
  • Deletion prevention cannot be specified in instance templates.

Permissions

To perform this task, you must have been granted the following permissions OR the following IAM roles.

Permissions

  • compute.instances.create permission on the project

Roles

  • compute.admin role
  • compute.instanceAdmin.v1 role

Setting deletion protection during instance creation

By default, deletion protection is disabled for your instance. Enable deletion protection using the instructions below.

Console

  1. Go to the VM instances page.

  2. If prompted, select your project and click Continue.
  3. Click the Create instance button.
  4. Expand the Management, disks, networking, SSH keys section.
  5. Under Management, toggle the Enable deletion protection checkbox.

  6. Continue with the VM creation process.

gcloud

When creating a VM instance, include either the --deletion-protection or the --no-deletion-protection flag. Deletion protection is disabled by default, so to enable it:

 gcloud compute instances create [INSTANCE_NAME] --deletion-protection

where [INSTANCE_NAME] is the name of the desired instance.

To disable deletion protection during creation:

 gcloud compute instances create [INSTANCE_NAME] --no-deletion-protection

API

In the API, when creating a VM instance, include the deletionProtection property in your request body. For example:

POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances

{
  "name": "[INSTANCE_NAME]",
  "deletionProtection": true,
...
}

To disable deletion protection, set deletionProtection to false.

Toggling deletion protection for existing instances

You can toggle deletion protection for an existing instance, irrespective of the instance's current status. Specifically, you do not have to stop the instance before you can enable or disable deletion protection.

Console

  1. Go to the VM instances page.

  2. If prompted, select your project and click Continue.
  3. Click the name of the instance for which you want to toggle deletion protection.
  4. Click Edit.
  5. Under Deletion Protection, check the box to enable or uncheck the box to disable deletion protection.

  6. Save your changes.

gcloud

Using the gcloud tool, run the update command with either the --deletion-protection or --no-deletion-protection flag:

gcloud compute instances update [INSTANCE_NAME] \
    [--deletion-protection | --no-deletion-protection]

For example, to disable deletion protection for an instance named example-vm:

gcloud compute instances update example-vm --no-deletion-protection

API

In the API, make a POST request to the setDeletionProtection method with the deletionProtection query parameter. For example:

POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/setDeletionProtection?deletionProtection=true

To disable deletion protection, set deletionProtection to false. Do not provide a request body with the request.

Determining if an instance has deletion protection enabled

You can determine if an instance has deletion protection enabled in the console, in the gcloud tool, or in the API.

Console

  1. Go to the VM instances page.

  2. If prompted, select your project and click Continue.
  3. On the VM instances page, pull down the Columns menu and enable Deletion protection.

  4. A new column appears with the deletion protection icon. If a VM has deletion protection enabled, the icon appears next to the instance name.

gcloud

In the gcloud tool, run the instances describe command and search for the deletion protection field. For example:

gcloud compute instances describe example-instance | grep "deletionProtection"

The tool returns the value of the deletionProtection property, either set to true or false:

deletionProtection: false

API

In the API, make a GET request and look for the deletionProtection field:

GET https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]
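To check many instances at once, the following added example (not part of the original documentation) audits a saved instance listing against a set of VMs that must never be deleted and builds the update command shown above for each unprotected one. The instance names, project, and zones are constructed, and treating an absent deletionProtection field as disabled is an assumption.

```python
import json
import shlex

# Constructed sample shaped like `gcloud compute instances list --format=json`
# output (a JSON array of Instance resources), trimmed to the fields used here.
SAMPLE = """[
 {"name": "sql-primary", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a", "deletionProtection": true},
 {"name": "license-manager", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b", "deletionProtection": false},
 {"name": "batch-worker", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"}
]"""


def is_protected(instance):
    """True only when deletionProtection is explicitly enabled."""
    value = instance.get("deletionProtection", False)  # assumption: absent = disabled
    if isinstance(value, str):  # tolerate "true"/"false" serialized as strings
        return value.strip().lower() == "true"
    return value is True


def audit(instances, critical_names):
    """Return (unprotected, missing) for the names that must never be deleted."""
    seen, unprotected = set(), []
    for inst in instances:
        if inst["name"] not in critical_names:
            continue
        seen.add(inst["name"])
        if not is_protected(inst):
            zone = inst.get("zone", "").rsplit("/", 1)[-1]  # zone is a full URL
            unprotected.append((inst["name"], zone))
    missing = sorted(set(critical_names) - seen)  # critical VMs absent from listing
    return sorted(unprotected), missing


def remediation_commands(unprotected):
    """Build the update command from this page for each unprotected instance."""
    return [
        "gcloud compute instances update %s --zone %s --deletion-protection"
        % (shlex.quote(name), shlex.quote(zone))
        for name, zone in unprotected
    ]


if __name__ == "__main__":
    critical = {"sql-primary", "license-manager", "ldap-01"}  # hypothetical names
    unprotected, missing = audit(json.loads(SAMPLE), critical)
    for cmd in remediation_commands(unprotected):
        print(cmd)
    for name in missing:
        print("not found in listing:", name)
```

A critical name reported as not found is worth investigating on its own, since it may mean the instance was already deleted or lives in another project.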
