Back up disks to a backup vault

This page describes how to back up disks to a backup vault. Sending backups to a backup vault provides immutability and enforced retention. With a backup vault, you can store backups in a region or in a multi-region.

In the Google Cloud console, you can back up disks to a backup vault by applying backup plans. You can back up in two ways:

  • Scheduled backups: You can automatically back up disks at specific intervals, such as daily, weekly, monthly, or yearly.
  • On-demand backups: You can create on-demand backups whenever needed. On-demand backups are useful for creating backups before making significant changes to your instances or for ad hoc data protection.

Both methods allow you to store your backups securely in a backup vault, providing a reliable way to recover your disks in case of data loss or other unexpected events.

Before you begin

  1. Enable the Backup and DR Service API where the disks are located.
  2. Enable the API
  3. Create a backup vault
  4. Create a backup plan
  5. Assign IAM roles and permissions to the backup user
  6. Grant backup vault access in the Compute Engine project
  7. Set up Log Analytics on your bucket to monitor Backup and DR backup jobs.

Limitations

Backup and DR Service doesn't support:

  • Backing up disks to a backup vault for disks with customer-supplied encryption keys (CSEK).
  • Backing up disks with access mode READ_WRITE_MANY.
  • Cross-region backups.
  • More than one backup per hour.

IAM roles and permissions for the backup user

To get the permissions that you need to configure scheduled backups or run on-demand backups, ask your administrator to grant you the following IAM roles on your backup vault project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to configure scheduled backups or run on-demand backups. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to configure scheduled backups or run on-demand backups:

  • backupdr.backupPlans.list
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.get
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlans.useForComputeDisk
  • backupdr.locations.list
  • backupdr.operations.get
  • cloudasset.assets.searchAllResources

You might also be able to get these permissions with custom roles or other predefined roles.

Grant backup vault access in the project where the disks are

To back up a disk in a project different from where the backup vault is created, you must grant the Backup and DR Disk Operator (roles/backupdr.diskOperator) IAM role to the backup vault service agent within the project where the disks are.

To back up a disk in the project where the backup vault is created, no roles are required to be granted.

If the disk is protected by customer-managed encryption keys (CMEK), you must grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the backup vault service agent (service-BACKUP_VAULT_PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com) on the KMS key used to encrypt the disk. This permission is required for Backup and DR Service to access the key during backup and restore operations.

For information about granting roles to the backup vault service agent within the project you intend to back up, see Grant a role to the service agent.
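The limitations and grants described above can be checked before a backup plan is applied. The following is an added example, not code from the Backup and DR documentation: it inspects a disk description and IAM policies (shaped like `gcloud ... --format=json` output) and reports what would block a vaulted backup. The function names, the sample data, and the assumption that a CSEK disk reports only `diskEncryptionKey.sha256` while a CMEK disk reports `diskEncryptionKey.kmsKeyName` are illustrative.

```python
DISK_OPERATOR = "roles/backupdr.diskOperator"
KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

def service_agent(vault_project_number):
    # Backup vault service agent address, in the format given on this page.
    return ("serviceAccount:service-%s@gcp-sa-backupdr.iam.gserviceaccount.com"
            % vault_project_number)

def has_role(policy, role, member):
    # Conservative choice: a binding with an IAM condition is not counted,
    # because the condition may not hold when the backup job runs.
    return any(b.get("role") == role and member in b.get("members", [])
               and "condition" not in b for b in policy.get("bindings", []))

def preflight(disk, disk_project, vault_project, vault_number,
              project_policy, key_policy=None):
    """Return findings that would block a vaulted backup of `disk`."""
    findings = []
    agent = service_agent(vault_number)
    key = disk.get("diskEncryptionKey", {})
    # Assumption: a CSEK disk reports only a key hash, a CMEK disk a kmsKeyName.
    if "sha256" in key and "kmsKeyName" not in key:
        findings.append("unsupported: customer-supplied encryption key (CSEK)")
    if disk.get("accessMode") == "READ_WRITE_MANY":
        findings.append("unsupported: access mode READ_WRITE_MANY")
    if disk_project != vault_project and not has_role(
            project_policy, DISK_OPERATOR, agent):
        findings.append("missing: %s on project %s" % (DISK_OPERATOR, disk_project))
    if "kmsKeyName" in key and not has_role(key_policy or {}, KMS_ROLE, agent):
        findings.append("missing: %s on key %s" % (KMS_ROLE, key["kmsKeyName"]))
    return findings

# Constructed sample data (not real projects, numbers or keys).
AGENT = service_agent("123456789012")
CMEK_DISK = {"name": "data-disk", "accessMode": "READ_WRITE_SINGLE",
             "diskEncryptionKey": {"kmsKeyName": "projects/kms-proj/locations/"
                                   "us-central1/keyRings/ring/cryptoKeys/disk-key"}}
PROJECT_POLICY = {"bindings": [{"role": DISK_OPERATOR, "members": [AGENT]}]}
# The KMS grant exists but is conditional, so the check reports it as missing.
KEY_POLICY = {"bindings": [{"role": KMS_ROLE, "members": [AGENT],
              "condition": {"title": "temporary", "expression": "false"}}]}

if __name__ == "__main__":
    for finding in preflight(CMEK_DISK, "disk-proj", "vault-proj",
                             "123456789012", PROJECT_POLICY, KEY_POLICY):
        print(finding)
```

An empty result means none of the checked limitations or missing grants apply; it does not cover the cross-region or backup-frequency limits.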

Configure a scheduled backup

Use the following instructions to configure a scheduled backup for disks.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    Go to Vaulted backups

  2. Click Schedule backups.

  3. For Resource type, select Disks.

  4. From the Projects list, click Browse and select a project where the disks are located.

  5. From the Region list, select the region where your disks are located.

  6. From the Resources list, click Browse.

  7. Choose the disks that you want to back up and click Done.

  8. Click Continue.

  9. From the Backup plan list, click Select.

  10. Choose a backup plan that you want to protect the disks with.

  11. Click Done.

  12. Review the backup details and click Schedule.

    At this point you have associated a backup plan with the disks. The backup plan schedules the chosen disks for backup per the frequency set in the backup policy, but they are not backed up yet. If the current time is within the window set in the backup plan, then the first backup job will start within a few minutes. If the current time is outside the plan window, then create an on-demand backup.

gcloud

  1. Get the disk ID.

      gcloud compute disks describe DISK_NAME --zone=DISK_ZONE --format="value(id)"

    Replace the following:

    • DISK_NAME: the name of the disk.
    • DISK_ZONE: the location where the disk is located.
  2. Configure a scheduled backup.

    gcloud backup-dr backup-plan-associations create BACKUP_PLAN_ASSOCIATION_NAME \
      --location=DISK_REGION \
      --resource=projects/DISK_PROJECT_ID/zones/DISK_ZONE/disks/DISK_ID \
      --resource-type=compute.googleapis.com/Disk \
      --backup-plan=projects/PROJECT_ID/locations/LOCATION/backupPlans/BACKUP_PLAN

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association.
    • DISK_REGION: the region where the disks are located.
    • DISK_PROJECT_ID: the name of the project where the disks are located.
    • DISK_ZONE: the zone where the disks are located.
    • DISK_ID: the disk ID.
    • PROJECT_ID: the name of the project where backup plans exist.
    • LOCATION: the region where your backup plans exist.
    • BACKUP_PLAN: the name of the backup plan that you want to associate with the disk.

Terraform

You can use a Terraform resource to configure a scheduled backup.

# Before creating a backup plan association, you need to create backup plan (google_backup_dr_backup_plan)
# and compute disk (google_compute_disk or google_compute_region_disk).
resource "google_backup_dr_backup_plan_association" "disk_association" {
  provider                   = google-beta
  location                   = "us-central1"
  backup_plan_association_id = "my-disk-bpa"
  resource                   = google_compute_disk.default.id
  resource_type              = "compute.googleapis.com/Disk"
  backup_plan                = google_backup_dr_backup_plan.disk_default.name
}

Change the backup plan associated with disks

You can change the backup plan associated with a disk to another backup plan. The other backup plan must:

  • Use the same backup vault
  • Be in the same region as the disk Compute Engine instance

Use the following instructions to change the backup plan associated with disks.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    Go to Vaulted backups

    The Vaulted backups page lists only the instances that have backup plans applied and their backups stored in a backup vault within a project.

  2. Select the data resource to get a different plan. Either from the backup details page for the backup, or from the menu on the far right of a Compute Engine instance, select Change backup plan.

  3. The Select a backup plan window lists only the backup plans that are valid for this instance. Select a backup plan and click Apply.

gcloud

  • Change the assigned backup plan.

    gcloud backup-dr backup-plan-associations update BACKUP_PLAN_ASSOCIATION_NAME \
      --resource-type=compute.googleapis.com/Disk \
      --workload-project=DISK_PROJECT_ID \
      --location=DISK_REGION \
      --backup-plan=BACKUP_PLAN \
      --project=PROJECT_ID

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association resource.
    • DISK_PROJECT_ID: the project-id of the disk.
    • DISK_REGION: the location of the disk.
    • BACKUP_PLAN: the name of the backup plan that you are switching to.
    • PROJECT_ID: the project-id of the selected backup plan.

List scheduled and on-demand backups

Use the following instructions to list disks that are backed up or are scheduled to be backed up.

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    Go to Vaulted backups

    The Vaulted backups page lists only the instances and disks that have backup plans applied and their backups stored in a backup vault within a project.

  2. Click a disk to view all the backups (both scheduled and on-demand backups) available for that disk.

gcloud

  1. List scheduled and on-demand backups.

      gcloud backup-dr backup-plan-associations list \
        --location=LOCATION \
        --project=PROJECT_ID

    Replace the following:

    • LOCATION: the location of the scheduled backups.
    • PROJECT_ID: the name of the project.

Create an on-demand backup

You can initiate an on-demand backup for disks with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups are incremental and capture only the changed data since the last backup.

When creating an on-demand backup, you can choose a rule from the backup plan associated with the disk. This rule determines when the on-demand backup gets deleted. You can check the backup job status from the Jobs page. For more information, see Monitor backup and restore jobs in Google Cloud console.

Note: You can only run one backup job at a time. If an on-demand or scheduled backup job is already in progress and you attempt to start another on-demand backup job, the new job fails with the Unable to queue the operation error.

Use the following instructions to create an on-demand backup.

Console

  1. Go to Vaulted backups.
  2. Select the disk to back up.
  3. Click Create On-Demand Backup.
  4. Choose when to delete this backup. You have these options:

    • Based on custom retention period. By default, the limit is set as the backup vault's minimum enforced retention period plus 30 days. To set a different limit, add a maximum custom on-demand retention period to your backup plan.
    • Based on an existing backup rule. Select a rule from the Delete backups after drop-down.
  5. Click Create to start the on-demand backup creation process.

  6. To view the status of the on-demand backup job, click Notifications.

Note: The on-demand backup is stored in the backup vault that is configured with the associated backup plan.

gcloud

Unprotect disks

You can unprotect disks by removing the backup plan applied to the disks. Removing a backup plan from disks doesn't delete the backup plan or any backups created while the instance was in use. You can still access and manage these existing backups.

Use the following instructions to unprotect a disk:

Console

  1. In the Google Cloud console, go to the Vaulted backups page.

    Go to Vaulted backups

  2. Click the name of the disk to remove a backup plan from.

  3. Select Remove backup plan.

gcloud

  1. Unprotect disks.

      gcloud backup-dr backup-plan-associations delete BACKUP_PLAN_ASSOCIATION_NAME \
        --project=PROJECT_ID \
        --location=REGION

    Replace the following:

    • BACKUP_PLAN_ASSOCIATION_NAME: the name of the backup plan association to delete.
    • PROJECT_ID: the name of the project.
    • REGION: the location of the scheduled backup.


Last updated 2026-02-19 UTC.