Prepare to deploy Backup and DR Service
Before you begin
It's a good idea to read Plan a Backup and DR deployment before you begin this section.
This page details the Google Cloud requirements that must be met before you enable Google Cloud Backup and DR Service, which must be done in the Google Cloud console.
All of the tasks outlined in this page must be performed in the Google Cloud project where you are deploying your backup/recovery appliance. If this project is a Shared VPC service project, then some tasks are performed in the VPC host project and some in the workload project.
Allow trusted image projects
Permissions required for this task
This is an organization-level policy that might not be set or might not exist at all. To change it, your user needs the following permissions:
- orgpolicy.policies.create
- orgpolicy.policies.delete
- orgpolicy.policy.get
Example roles that have these permissions include Organization Policy Administrator.
If you have enabled the constraints/compute.trustedImageProjects policy in the Organization policies, then the Google Cloud-managed source project for the images used to deploy the backup/recovery appliance is not allowed. You need to customize this organization policy in the projects where backup/recovery appliances are deployed to avoid a policy violation error during deployment, as detailed in the following instructions:
1. Go to the Organization policies page and select the project where you deploy your appliances.
2. In the policies list, click Define trusted image projects.
3. Click Edit to customize your existing trusted image constraints.
4. On the Edit page, select Customize.
5. Follow whichever of the following three cases applies to your project:
Existing inherited policy
If there is an existing inherited policy, complete the following:
1. For Policy enforcement, select Merge with parent.
2. Click Add rule.
3. Select Custom from the Policy values drop-down list to set the constraint on specific image projects.
4. Select Allow from the Policy type drop-down list to remove restrictions for the specified image projects.
5. In the Custom values field, enter the custom value projects/backupdr-images.
6. Click Done.
Existing Allow rule
If there is an existing Allow rule, then complete the following steps:
Caution: If a rule exists, use it. Don't add an additional rule.
1. Leave Policy enforcement at the default selection.
2. Select the existing Allow rule.
3. Click Add value to add an additional image project and enter the value projects/backupdr-images.
4. Click Done.
No existing policy or rule
If there is no existing rule, click Add rule and then complete the following steps:
1. Leave Policy enforcement at the default selection.
2. Select Custom from the Policy values drop-down list to set the constraint on specific image projects.
3. Select Allow from the Policy type drop-down list to remove restrictions for the specified image projects.
4. In the Custom values field, enter the custom value projects/backupdr-images. If you are setting project-level constraints, they might conflict with the existing constraints set on your organization or folder.
5. Click Add value if you need to add further image projects, then click Done.
6. After completing the case that applies, click Save to apply the constraint.
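The same allowlist change can be made and verified from the command line, which is easier to review and repeat across several appliance projects than the console steps above. The following script is an added example and is not part of the Backup and DR documentation or tooling. It renders the v2 org-policy document that `gcloud org-policies set-policy` consumes (with `inheritFromParent: true`, the equivalent of Merge with parent), and it contains a preflight check that reads the effective policy and tells you whether `projects/backupdr-images` is already allowed, so you only touch the policy when you have to. The project ID and the sample policy at the bottom are placeholders constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Backup and DR documentation: check the effective
# compute.trustedImageProjects constraint on a project and render the org policy
# that allowlists the Google-managed image project. The project ID passed in and
# the sample policy below are placeholders/constructed for illustration.
set -eu

BACKUPDR_IMAGE_PROJECT="projects/backupdr-images"

# Render a v2 org policy (the format `gcloud org-policies set-policy` consumes)
# that adds the image project to the allowlist. inheritFromParent: true is the
# CLI equivalent of "Merge with parent" in the console.
render_trusted_image_policy() {
  project_id="$1"
  cat <<EOF
name: projects/${project_id}/policies/compute.trustedImageProjects
spec:
  inheritFromParent: true
  rules:
  - values:
      allowedValues:
      - ${BACKUPDR_IMAGE_PROJECT}
EOF
}

# Read an effective policy in YAML on stdin (what
# `gcloud org-policies describe compute.trustedImageProjects --effective` prints)
# and exit 0 only if images from projects/backupdr-images can be used: no rules
# at all, allowAll: true, or the project listed under allowedValues.
# denyAll, or the project listed under deniedValues, fails the check.
trusted_images_allowed() {
  awk -v want="$BACKUPDR_IMAGE_PROJECT" '
    /^[[:space:]]*rules: *\[\]/ { next }          # empty rule list: not enforced
    /^[[:space:]]*rules:/       { has_rules = 1 }
    /allowAll: *true/           { allow_all = 1 }
    /denyAll: *true/            { deny_all = 1 }
    /allowedValues:/            { section = "allow" }
    /deniedValues:/             { section = "deny" }
    /^[[:space:]]*- / {
      v = $0; sub(/^[[:space:]]*- */, "", v)
      if (v == want && section == "allow") allowed = 1
      if (v == want && section == "deny")  denied = 1
    }
    END {
      if (denied || deny_all) exit 1
      if (!has_rules || allow_all || allowed) exit 0
      exit 1
    }'
}

# Live preflight against a real project (requires gcloud and orgpolicy.policy.get).
preflight_trusted_images() {
  gcloud org-policies describe compute.trustedImageProjects \
      --project="$1" --effective | trusted_images_allowed
}

# Apply the rendered policy (requires orgpolicy.policies.create on the project).
apply_trusted_image_policy() {
  tmp="$(mktemp)"
  render_trusted_image_policy "$1" > "$tmp"
  gcloud org-policies set-policy "$tmp"
  rm -f "$tmp"
}

# Constructed sample: an inherited allowlist that does not include backupdr-images.
SAMPLE_EFFECTIVE_POLICY='name: projects/example-project/policies/compute.trustedImageProjects
spec:
  rules:
  - values:
      allowedValues:
      - projects/golden-images'

if printf '%s\n' "$SAMPLE_EFFECTIVE_POLICY" | trusted_images_allowed; then
  echo "sample policy: appliance images already allowed"
else
  echo "sample policy: appliance images blocked, policy to apply:"
  render_trusted_image_policy "example-project"
fi
```

Run `preflight_trusted_images PROJECT_ID` before and after `apply_trusted_image_policy PROJECT_ID`; a project that still fails the check after the policy is applied usually has a folder- or organization-level policy with `inheritFromParent: false` or a `deniedValues` entry that the project-level merge cannot override.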
For more information about creating organization policies, seeCreate and manage organization policies.
The deployment process
To launch the installation, Backup and DR Service creates a service account to run the installer. The service account requires privileges in the host project, the backup/recovery appliance service project, and the management console service project. For more information, see service accounts.
The service account used for installation becomes the service account of the backup/recovery appliance. After installation, the permissions of the service account are reduced to just the permissions required by the backup/recovery appliance.
The management console is deployed when you install the first backup/recovery appliance. You can deploy Backup and DR Service in a Shared VPC or in a non-shared VPC.
Backup and DR Service in a non-shared VPC
When the management console and the first backup/recovery appliance are deployed in a single project with a non-shared VPC, all three Backup and DR Service components are in the same project.
Note: CMEK must be disabled on the project where the backup/recovery appliance is deployed.
If the VPC is shared, see Backup and DR Service in a Shared VPC.
Enable the required APIs for installation in a non-shared VPC
Before enabling the required APIs for installation in a non-shared VPC, review the Backup and DR Service deployment supported regions. See Supported regions.
To run the installer in a non-shared VPC, the following APIs must be enabled. To enable APIs, you need the role Service Usage Admin.
| API | Service name |
|---|---|
| Compute Engine | compute.googleapis.com |
| Resource Manager | cloudresourcemanager.googleapis.com |
| Workflows1 | workflows.googleapis.com |
| Cloud Key Management Service (KMS) | cloudkms.googleapis.com |
| Identity and Access Management | iam.googleapis.com |
| Cloud Logging | logging.googleapis.com |
1 The Workflows service is supported in the listed regions. If the Workflows service is not available in the region where the backup/recovery appliance is being deployed, then Backup and DR Service defaults to the "us-central1" region. If you have an organization policy that prevents creating resources in other regions, then you need to temporarily update your organization policy to allow creation of resources in "us-central1". You can restrict the "us-central1" region again after the backup/recovery appliance deployment.
The user account requires these permissions in the non-shared VPC project
| Preferred role | Permissions needed |
|---|---|
| resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
| | resourcemanager.projects.setIamPolicy |
| | resourcemanager.projects.get |
| | iam.serviceAccounts.delete |
| | iam.serviceAccounts.get |
| | workflows.workflows.delete |
| | workflows.executions.create |
| | workflows.executions.get |
| | workflows.operations.get |
| serviceusage.serviceUsageAdmin (Service Usage Admin) | serviceusage.services.list |
| iam.serviceAccountUser (Service Account User) | iam.serviceAccounts.actAs |
| iam.serviceAccountAdmin (Service Account Admin) | iam.serviceAccounts.create |
| | iam.serviceAccounts.delete |
| | iam.serviceAccounts.get |
| workflows.editor (Workflows Editor) | workflows.workflows.create |
| | workflows.workflows.delete |
| | workflows.executions.create |
| | workflows.executions.get |
| | workflows.operations.get |
| backupdr.admin (Backup and DR Admin) | backupdr.* |
| viewer (Basic) | Grants the permissions required to view most Google Cloud resources. |
Backup and DR in a Shared VPC
When deploying the management console and the first backup/recovery appliance in a Shared VPC, each of the following three roles is held by either the host project or by one or more service projects:
VPC owner project: This owns the selected VPC. The VPC owner is always the host project.
Management console project: This is where the Backup and DR API is activated and where you access the management console to manage workloads.
Backup/recovery appliance project: This is where the backup/recovery appliance is installed and usually where the protected resources reside.
Note: CMEK must be disabled on the project where any backup/recovery appliance is deployed.
Before enabling the required APIs for installation in a Shared VPC, review the Backup and DR deployment supported regions. See Supported regions.
In a Shared VPC, these may be one, two, or three projects.
| Type | VPC Owner | Management console | Backup/recovery appliance |
|---|---|---|---|
| HHH | Host project | Host project | Host project |
| HHS | Host project | Host project | Service project |
| HSH | Host project | Service project | Host project |
| HSS | Host project | Service project | Service project |
| HS2 | Host project | Service project | A different service project |
Descriptions of the deployment strategies
HHH: Shared VPC. The VPC owner, the management console, and the backup/recovery appliance are all in the host project.
HHS: Shared VPC. The VPC owner and the management console are in the host project, and the backup/recovery appliance is in a service project.
HSH: Shared VPC. The VPC owner and the backup/recovery appliance are in the host project, and the management console is in a service project.
HSS: Shared VPC. The VPC owner is in the host project, and the backup/recovery appliance and the management console are in one service project.
HS2: Shared VPC. The VPC owner is in the host project, and the backup/recovery appliance and the management console are in two different service projects.
Enable these required APIs for installation in the host project
To run the installer, the following APIs must be enabled. To enable APIs, you need the role Service Usage Admin.
| API | Service name |
|---|---|
| Compute Engine | compute.googleapis.com |
| Resource Manager | cloudresourcemanager.googleapis.com |
Enable these required APIs for installation in the backup/recovery appliance project
| API | Service name |
|---|---|
| Compute Engine | compute.googleapis.com |
| Resource Manager | cloudresourcemanager.googleapis.com |
| Workflows1 | workflows.googleapis.com |
| Cloud Key Management Service (KMS) | cloudkms.googleapis.com |
| Identity and Access Management | iam.googleapis.com |
| Cloud Logging | logging.googleapis.com |
1 The Workflows service is supported in the listed regions. If the Workflows service is not available in the region where the backup/recovery appliance is being deployed, then Backup and DR Service defaults to the "us-central1" region. If you have an organization policy that prevents creating resources in other regions, then you need to temporarily update your organization policy to allow creation of resources in "us-central1". You can restrict the "us-central1" region again after the backup/recovery appliance deployment.
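The API tables for the non-shared VPC project, the Shared VPC host project, and the backup/recovery appliance project differ only in which subset of the same six services is required. The following script is an added example, not part of the Backup and DR documentation: it diffs the required set for a project role against the services actually enabled, and enables only what is missing, so a preflight run shows exactly which `gcloud services enable` call the installer would otherwise fail on. The project IDs are placeholders and the enabled-service list at the bottom is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Backup and DR documentation: find and enable the
# required APIs for each project in the deployment. Project IDs passed to the
# live functions are placeholders; the sample list at the bottom is constructed.
set -eu

# Required service names from the tables above, keyed by the project's role.
# The appliance (and non-shared VPC) project needs a superset of the host project.
HOST_PROJECT_APIS="compute.googleapis.com cloudresourcemanager.googleapis.com"
APPLIANCE_PROJECT_APIS="$HOST_PROJECT_APIS workflows.googleapis.com cloudkms.googleapis.com"
APPLIANCE_PROJECT_APIS="$APPLIANCE_PROJECT_APIS iam.googleapis.com logging.googleapis.com"

# Print each API in $1 (space separated) that is absent from the newline
# separated list of enabled service names read on stdin.
missing_apis() {
  required="$1"
  enabled="$(cat)"
  for api in $required; do
    printf '%s\n' "$enabled" | grep -qx "$api" || echo "$api"
  done
}

# Live: list what is enabled in a project and diff it against the requirement.
# `value(config.name)` yields one bare service name per line.
check_project_apis() {
  gcloud services list --enabled --project="$1" --format="value(config.name)" \
    | missing_apis "$2"
}

# Enable only what is missing; needs roles/serviceusage.serviceUsageAdmin.
enable_missing_apis() {
  missing="$(check_project_apis "$1" "$2" | tr '\n' ' ')"
  [ -z "$missing" ] || gcloud services enable $missing --project="$1"
}

# Constructed sample: a project with only three of the six appliance APIs on.
SAMPLE_ENABLED='compute.googleapis.com
cloudresourcemanager.googleapis.com
cloudkms.googleapis.com'
echo "missing in sample appliance project:"
printf '%s\n' "$SAMPLE_ENABLED" | missing_apis "$APPLIANCE_PROJECT_APIS"
```

For an HS2 layout, run `check_project_apis HOST_PROJECT "$HOST_PROJECT_APIS"` and `check_project_apis APPLIANCE_PROJECT "$APPLIANCE_PROJECT_APIS"` separately; the Workflows region caveat in footnote 1 still applies after the API is enabled.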
The user account requires these permissions in the VPC owner project
Note: The roles may grant more permissions than you need. For minimum required permissions, assign only those listed in the Permissions needed column.
| Preferred Role | Permissions needed |
|---|---|
| resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
| | resourcemanager.projects.setIamPolicy |
| | resourcemanager.projects.get |
| | iam.serviceAccounts.delete |
| | iam.serviceAccounts.get |
| | workflows.workflows.delete |
| | workflows.executions.create |
| | workflows.executions.get |
| | workflows.operations.get |
| serviceusage.serviceUsageAdmin (Service Usage Admin) | serviceusage.services.list |
The user account requires these permissions in the management console project
Note: The roles may grant more permissions than you need. For minimum required permissions, assign only those listed in the Permissions needed column.
The management console is deployed when you install the first backup/recovery appliance.
| Preferred Role | Permissions needed |
|---|---|
| resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
| | resourcemanager.projects.setIamPolicy |
| | resourcemanager.projects.get |
| | iam.serviceAccounts.delete |
| | iam.serviceAccounts.get |
| | workflows.workflows.delete |
| | workflows.executions.create |
| | workflows.executions.get |
| | workflows.operations.get |
| backupdr.admin (Backup and DR Admin) | backupdr.* |
| viewer (Basic) | Grants the permissions required to view most Google Cloud resources. |
The user account requires these permissions in the backup/recovery appliance project
Note: The roles may grant more permissions than you need. For minimum required permissions, assign only those listed in the Permissions needed column.
| Preferred Role | Permissions needed |
|---|---|
| resourcemanager.projectIamAdmin (Project IAM Admin) | resourcemanager.projects.getIamPolicy |
| | resourcemanager.projects.setIamPolicy |
| | resourcemanager.projects.get |
| iam.serviceAccountUser (Service Account User) | iam.serviceAccounts.actAs |
| iam.serviceAccountAdmin (Service Account Admin) | iam.serviceAccounts.create |
| | iam.serviceAccounts.delete |
| | iam.serviceAccounts.get |
| workflows.editor (Workflows Editor) | workflows.workflows.create |
| | workflows.workflows.delete |
| | workflows.executions.create |
| | workflows.executions.get |
| | workflows.operations.get |
| serviceusage.serviceUsageAdmin (Service Usage Admin) | serviceusage.services.list |
In addition to the end user account permissions, other permissions are temporarily granted to the service account created on your behalf until the installation is complete.
Configure networks
If a VPC network has not already been created for your target project, you need to create one before proceeding. See Create and modify Virtual Private Cloud (VPC) networks for details. You need a subnet in each region where you plan to deploy a backup/recovery appliance, and the user who creates the network must have the compute.networks.create permission.
If you are deploying backup/recovery appliances in multiple networks, use subnets that don't share the same IP address ranges, so that no two backup/recovery appliances end up with the same IP address.
Configure Private Google Access
The backup/recovery appliance communicates with the management console using Private Google Access. It's recommended that you enable Private Google Access for each subnet where you want to deploy a backup/recovery appliance.
The subnet where the backup/recovery appliance is deployed needs to reach a unique domain hosted under backupdr.googleusercontent.com. It's recommended that you include the following configuration in Cloud DNS:
- Create a private zone for the DNS name backupdr.googleusercontent.com.
- Create an A record for the domain backupdr.googleusercontent.com and include each of the four IP addresses 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11 from the private.googleapis.com range 199.36.153.8/30. If you're using VPC Service Controls, use 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7 from the restricted.googleapis.com range 199.36.153.4/30 instead.
- Create a CNAME record for *.backupdr.googleusercontent.com that points to the domain name backupdr.googleusercontent.com.
This ensures that any DNS resolution for your unique management console domain traverses Private Google Access.
Ensure that your firewall rules have an egress rule that allows access on TCP 443 to either the 199.36.153.8/30 or the 199.36.153.4/30 range (whichever your A record uses). If you already have an egress rule that allows all traffic to 0.0.0.0/0, then connectivity between the backup/recovery appliances and the management console should succeed without further changes.
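The DNS zone, the two records, Private Google Access on the subnet, and the egress rule above are five resources that have to agree with each other: the A record must carry the same four addresses as the /30 in the firewall rule, and both must switch together to the restricted.googleapis.com range when the VPC sits inside a VPC Service Controls perimeter. The following script is an added example, not part of the Backup and DR documentation: it derives both the record data and the firewall destination from a single `use_vpcsc` flag so they cannot drift, and a `DRY_RUN=1` mode prints the `gcloud` commands for review. Project, VPC, subnet, region and zone names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Backup and DR documentation: Cloud DNS private zone
# and records for backupdr.googleusercontent.com, Private Google Access on the
# appliance subnet, and the matching TCP 443 egress rule. Project, VPC, subnet,
# region and zone names are placeholders chosen for the example.
set -eu

# DRY_RUN=1 prints each gcloud command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Address set for the management-console domain: private.googleapis.com by
# default, restricted.googleapis.com (arg 1 = "1") inside a VPC Service Controls
# perimeter. Both the A record and the firewall rule are derived from here.
pga_range() {
  if [ "${1:-0}" = "1" ]; then echo "199.36.153.4/30"; else echo "199.36.153.8/30"; fi
}
pga_rrdatas() {
  if [ "${1:-0}" = "1" ]; then
    echo "199.36.153.4,199.36.153.5,199.36.153.6,199.36.153.7"
  else
    echo "199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11"
  fi
}

# Private zone visible only to the given VPC, plus the A and wildcard CNAME
# records the page recommends. Trailing dots make the names fully qualified.
configure_backupdr_dns() {
  project="$1"; vpc="$2"; use_vpcsc="${3:-0}"
  zone="backupdr-googleusercontent"   # placeholder zone name
  run gcloud dns managed-zones create "$zone" --project="$project" \
      --dns-name="backupdr.googleusercontent.com." --visibility=private \
      --networks="$vpc" --description="Private Google Access for Backup and DR"
  run gcloud dns record-sets create "backupdr.googleusercontent.com." --project="$project" \
      --zone="$zone" --type=A --ttl=300 --rrdatas="$(pga_rrdatas "$use_vpcsc")"
  run gcloud dns record-sets create "*.backupdr.googleusercontent.com." --project="$project" \
      --zone="$zone" --type=CNAME --ttl=300 --rrdatas="backupdr.googleusercontent.com."
}

# Private Google Access on the appliance subnet and an egress rule to the same
# /30 the A record points at. Narrower than an allow-all 0.0.0.0/0 egress rule.
configure_backupdr_network() {
  project="$1"; vpc="$2"; subnet="$3"; region="$4"; use_vpcsc="${5:-0}"
  run gcloud compute networks subnets update "$subnet" --project="$project" \
      --region="$region" --enable-private-ip-google-access
  run gcloud compute firewall-rules create "allow-backupdr-pga-egress" --project="$project" \
      --network="$vpc" --direction=EGRESS --action=ALLOW --rules=tcp:443 \
      --destination-ranges="$(pga_range "$use_vpcsc")"
}

# Example invocation (placeholders): set DRY_RUN=1 to print the commands.
# configure_backupdr_dns     my-project my-vpc 0
# configure_backupdr_network my-project my-vpc my-subnet us-east1 0
```

After applying, confirm from a VM in the appliance subnet that `backupdr.googleusercontent.com` and a name under it resolve to the four addresses you chose and that TCP 443 to them connects; a resolution to public addresses means the private zone is not attached to the VPC the appliance uses.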
Create a Cloud Storage bucket
You need a Cloud Storage bucket if you want to protect databases and file systems using the Backup and DR agent and then copy the backups to Cloud Storage for long-term retention. This also applies to VMware VM backups created using VMware vSphere Storage APIs - Data Protection (VADP).
Permissions required for this task
To create a Cloud Storage bucket, you need a role that contains the following permissions:
- storage.buckets.get
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
- iam.serviceAccountKeys.create
Roles that have these permissions include Storage Admin and Editor.
Create a Cloud Storage bucket using the following instructions:
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. Click Create bucket.
3. Enter a name for the bucket.
4. Choose a region to store your data in and click Continue.
5. Choose a default storage class and click Continue. Use Nearline when retention is 30 days or less and Coldline when retention is 90 days or more. If retention is between 30 and 90 days, consider using Coldline.
6. Leave Uniform access control selected and click Continue. Don't use fine-grained access control.
7. Leave Protection tools set to None and click Continue. Don't select other choices, as they don't work with Backup and DR Service.
8. Click Create.
Validate that your service account has access to your bucket:
1. Select your new bucket to display the bucket details.
2. Go to Permissions.
3. Under Principals, ensure your new service accounts are listed. If they are not, use the Add button to add both the reader and writer service accounts as principals.
The Backup and DR Cloud Storage Operator role is granted with an IAM condition that only allows access to buckets whose names start with the name of the appliance. Because of this, you must manually add the service account as a principal on each user-created bucket that you add to an OnVault pool.
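The bucket settings above (storage class chosen from the retention period, uniform bucket-level access, no protection tools) and the per-bucket service account grant that the IAM condition forces on user-named buckets are easy to get wrong one click at a time. The following script is an added example, not part of the Backup and DR documentation: it encodes the page's retention-to-storage-class rule, creates the bucket with exactly the settings the page calls for, grants the appliance service accounts on it, and checks a bucket's IAM policy for those principals. The role ID `roles/backupdr.cloudStorageOperator` is assumed from the role's display name and should be confirmed in IAM; project, bucket and service account names are placeholders, and the policy JSON used in the check is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Backup and DR documentation: create an OnVault
# bucket with the settings this page requires and grant the appliance service
# accounts on it. Placeholders: project, bucket, region and service account
# emails. The role ID is assumed from the display name "Backup and DR Cloud
# Storage Operator"; confirm it in IAM before relying on it.
set -eu

DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

BACKUPDR_STORAGE_ROLE="roles/backupdr.cloudStorageOperator"   # assumed role ID

# The page's rule: Nearline for retention of 30 days or less, Coldline for
# 90 days or more, and Coldline suggested for anything in between.
storage_class_for_retention() {
  if [ "$1" -le 30 ]; then echo NEARLINE; else echo COLDLINE; fi
}

# Uniform bucket-level access on, no retention policy or versioning flags
# (the "Protection tools: None" choice), storage class from the retention.
create_onvault_bucket() {
  project="$1"; bucket="$2"; region="$3"; retention_days="$4"
  run gcloud storage buckets create "gs://${bucket}" --project="$project" \
      --location="$region" \
      --default-storage-class="$(storage_class_for_retention "$retention_days")" \
      --uniform-bucket-level-access
}

# Bind each appliance service account (reader and writer) on the bucket itself,
# because the project-level grant is conditioned on the appliance name prefix.
grant_bucket_access() {
  bucket="$1"; shift
  for sa in "$@"; do
    run gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
        --member="serviceAccount:${sa}" --role="$BACKUPDR_STORAGE_ROLE"
  done
}

# Read a bucket IAM policy as JSON on stdin (what
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints)
# and succeed only if the given service account appears as a member.
sa_in_bucket_policy() {
  grep -q "\"serviceAccount:$1\""
}

# Live check of every expected principal on a bucket; prints the missing ones.
missing_bucket_principals() {
  bucket="$1"; shift
  policy="$(gcloud storage buckets get-iam-policy "gs://${bucket}" --format=json)"
  for sa in "$@"; do
    printf '%s\n' "$policy" | sa_in_bucket_policy "$sa" || echo "$sa"
  done
}

# Example invocation (placeholders): set DRY_RUN=1 to print the commands.
# create_onvault_bucket my-project my-appliance-onvault us-east1 14
# grant_bucket_access   my-appliance-onvault reader@my-project.iam.gserviceaccount.com \
#                       writer@my-project.iam.gserviceaccount.com
```

Run `missing_bucket_principals BUCKET READER_SA WRITER_SA` after the grant; any service account it prints is exactly the one the console's Permissions page would show as absent, and the OnVault pool will fail to write until it is added.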
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.