Restore a Compute Engine instance from a backup vault

This page helps you to restore a Compute Engine instance from a backup vault in the Google Cloud console.

Before you begin

  • Grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role for the backup vault service agent of the vault in the target project where restore is being performed.

  • Grant the Compute Network User (roles/compute.networkUser) IAM role for the backup vault service agent of the vault in the VPC host project if you are using Shared VPC.

  • Grant the following IAM roles for the user who performs the restore in the backup vault project.

    • Backup and DR Restore User (roles/backupdr.restoreUser) for both backup vault and target project.
    • Compute Viewer (roles/compute.viewer) for only the target.

    These predefined roles contain the permissions required to access the backup vault in the Compute Engine project. For specific permissions, see the following list.

    • backupdr.bvbackups.restore
    • backupdr.compute.restoreFromBackupVault
    • backupdr.backupVaults.get
    • backupdr.backupVaults.list
    • backupdr.bvbackups.list
    • backupdr.bvdataSources.get
    • backupdr.bvdataSources.list
    • backupdr.bvbackups.get

    To restore an instance using the Google Cloud CLI CLI or the API, a user must have the following permissions:

    • backupdr.bvbackups.restore on the backup resource.
    • backupdr.compute.restoreFromBackupVault on the target project where the instance will be restored.

Additional Permissions for the Google Cloud console

When restoring an instance using the Google Cloud console, the user needs the CLI permissions plus the following permissions. These additional permissions are required for the console to list and display the necessary Compute Engine resources for selection in the user interface:

  • compute.acceleratorTypes.list
  • compute.disks.list
  • compute.machineTypes.list
  • compute.projects.get
  • compute.regions.list
  • compute.zones.list

For more information about granting roles, see Manage access to projects, folders, and organizations.

Restore a Compute Engine instance

Use the following instructions to restore a Compute Engine instance.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    Go to Vaulted backups

    All Compute Engine instances with vaulted backups are listed here.

  2. Click the action icon to select the Restore action. The Restore page displays where you select the following restore options:

    • Select a Resource name.
    • Select a Backup creation time.
    • Select the Project name into which you want to restore the VM.

  3. Click Proceed.

    • The next page Create a new VM instance from a backup appears, where the VM properties are pre-populated based on the source VM properties. You can modify the properties to create a new VM, for example, change the selection for Region or Machine Type.

  4. Click Create to create a new VM from the selected backup.

gcloud

  1. If not already granted, grant the Backup and DR Compute Engine Operator (roles/backupdr.computeEngineOperator) IAM role to the backup vault service agent in the recovery project where the VM is being recovered.

  2. To get the backup vault service account, use the following command.

      gcloud backup-dr backup-vaults describe BACKUPVAULT_NAME
  --location=LOCATION

    Replace the following:

    • BACKUPVAULT_NAME: the backup vault name you want to restore data from.
    • LOCATION: the location of the backup vault.

  3. To restore a Compute Engine instance, use the following commands.

    • Restore a VM in the same project as the workload project with backup ID.

        gcloud backup-dr backups restore compute test-backup-id \
  --project=PROJECT --location=LOCATION \
  --backup-vault=BACKUPVAULT_NAME --data-source=DATA_SOURCE\
  --name=NAME --target-zone=TARGET_ZONE \
  --target-project=TARGET_PROJECT

    • Restore a VM in the same project as the workload project with backup full resource URL.

        gcloud backup-dr backups restore compute projects/test-project-id/locations/us-central1/backupVaults/test-vault/dataSources/test-ds/backups/test-backup-id \
  --name=NAME --target-zone=TARGET_ZONE \
  --target-project=TARGET_PROJECT

    • Restore a Compute Engine instance with custom service-account and network configuration.

        gcloud backup-dr backups restore compute test-backup-id \
  --project=PROJECT --location=LOCATION \
  --backup-vault=BACKUPVAULT_NAME --data-source=DATA_SOURCE\
  --name=NAME --target-zone=TARGET_ZONE \
  --target-project=TARGET_PROJECT \
  --network-interface=network=NETWORK,subnet=SUBNET \
  --service-account=SERVICE_ACCOUNT \
  --scopes=SCOPE

      Replace the following:

      • PROJECT: the name of the backup vault project.
      • LOCATION: the location of the backup vault.
      • BACKUPVAULT_NAME: the backup vault name you want to restore data from.
      • DATA_SOURCE: the data source name you want to restore data from.
      • NAME: the name of the restored VM.
      • TARGET_ZONE: the region the VM is restored in.
      • TARGET_PROJECT: the project the VM is restored in.
      • NETWORK: the network URI of the VM.
      • SUBNET: the subnet URI of the VM.
      • SERVICE_ACCOUNT: the service account of the restored VM.
      • SCOPE: the authorization scope of the service account.

To override other VM properties, see Overview of Backup and DR Service Google Cloud CLI commands.

Restoring from a CMEK-enabled backup vault

When you restore a backup from a CMEK-enabled backup vault, the encryption of the restored resource depends on the encryption of the source:

  • If the source resource was protected by CMEK: The restored resource defaults to using the same CMEK key as the source. For example:
    • A Compute Engine persistent disk encrypted with key K1 is restored to a disk encrypted with K1.
    • If a VM has multiple disks, each disk in the restored VM inherits the encryption of its corresponding source disk (CMEK-encrypted disks remain encrypted with their original keys, and Google-managed encrypted disks remain Google-managed).
  • If the source resource used Google-managed encryption: The restored resource defaults to using Google-managed encryption.

You can override this default behavior when restoring Compute Engine persistent disks or Compute Engine instances using the API or Google Cloud CLI. For example, you can restore a backup of a CMEK-protected resource to a new resource that uses Google-managed encryption, or to a new resource protected by a different CMEK key. To restore to a resource protected by a new CMEK key, ensure the relevant service agent (e.g., Compute Engine Service Agent) for the destination project has roles/cloudkms.cryptoKeyEncrypterDecrypter permission on the new destination key.

If the Cloud Key Management Service key that protects the source workload is unavailable during a restore operation, the restore fails by default. In this case, you must use the API or Google Cloud CLI to override the encryption setting by specifying a new CMEK key or by changing the encryption type to Google-managed encryption for the restored resource.

If the Cloud Key Management Service key version used to encrypt data in the backup vault is disabled or destroyed, you won't be able to restore from that backup.

The Backup and DR Compute Engine guide