Set creation and restore locations for regionally scoped snapshots
Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
By default, snapshots are created with a global scope. Globally scoped snapshots are stored in a specific storage location and can be restored (used to create a new disk) in any region or zone.
For additional location-based isolation control, you can create regionally scoped snapshots. Regionally scoped snapshots store all snapshot data and metadata together in the scoped region. With regionally scoped snapshots, you can also restrict the regions where you can create and restore snapshots.
This document explains how to set allowed locations for regional snapshot creation and restoration.
Before you begin
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Limitations
- Setting a regional scope overrides all default storage location settings for the project.
- Setting a regional scope applies only to new regional snapshots.
- You can't convert a globally scoped snapshot to a regionally scoped snapshot. You must create a new snapshot with the appropriate scope.
Required roles and permissions
To get the permissions that you need to set storage and restore locations for regionally scoped snapshots, ask your administrator to grant you the following IAM roles on the project:
- Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
- To connect to a VM that can run as a service account: Service Account User (v1) (roles/iam.serviceAccountUser)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to set snapshot creation and restore locations. To see the exact permissions that are required, expand the Required permissions section:
Permissions required for this task
To perform this task, you must have the following permissions:
- To set allowed snapshot creation locations to regions other than the source disk region:
  - compute.diskSettings.get on the disk
  - compute.diskSettings.update on the disk
  - compute.regionDiskSettings.get on the disk
  - compute.regionDiskSettings.update on the disk
- To set allowed snapshot restore locations to regions other than the source disk region:
  - compute.regionSnapshotSettings.get on the project
  - compute.regionSnapshotSettings.update on the project
Set allowed snapshot creation locations
By default, you can create snapshots in all regions. To restrict where you can create regionally scoped snapshots, set allowed access locations at the project level. Once you set access locations, you can create regionally scoped snapshots for the project only in these locations.
gcloud
To let zonal disks in Zone A create snapshots in any region, use the gcloud beta compute disk-settings update command:
gcloud beta compute disk-settings update \
    --zone=ZONE_A \
    --access-location-policy=all-regions
To let regional disks in Region A create snapshots in any region, use the gcloud beta compute disk-settings update command:
gcloud beta compute disk-settings update \
    --region=REGION_A \
    --access-location-policy=all-regions
To let disks in Region A create snapshots only in Region B, use the gcloud beta compute disk-settings update command:
gcloud beta compute disk-settings update \
    --access-location-policy=specific-regions \
    --region=REGION_A \
    --add-access-locations=REGION_B
Replace the following:
- ZONE_A: The zone of the disks that can create snapshots in any region.
- REGION_A: The region of all disks (in a project) that require regionally scoped snapshot creation restrictions.
- REGION_B: An allowed region for regionally scoped snapshot creation. You can set multiple regions as allowed access locations. You must include the region that the source disk is stored in as one of the allowed regions.
REST
To let zonal disks in Zone A create snapshots in any region, make a PATCH request to the diskSettings.patch method:
PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/zones/ZONE_A/diskSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "ALL_REGIONS"
  }
}
To let regional disks in Region A create snapshots only in Region B, make a PATCH request to the regionDiskSettings.patch method:
PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION_A/diskSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "SPECIFIC_REGIONS",
    "locations": {
      "REGION_B": {"region": "REGION_B"}
    }
  }
}
Replace the following:
- PROJECT_ID: The ID of the project.
- ZONE_A: The zone of the disk.
- REGION_A: The region of the disk.
- REGION_B: An allowed region for snapshot creation. You can set multiple regions as allowed access locations. You must include the region that the source disk is stored in as one of the allowed regions.
Set allowed snapshot restore locations
By default, you can restore regionally and globally scoped snapshots to any region. To configure restore locations for your regionally scoped snapshots, set allowed access locations at the project level. You must set allowed access locations for each project individually. Once you set access locations, you can restore regionally scoped snapshots for the project only in these locations.
gcloud
To let snapshots for a project in Region A be restored in all regions, use the gcloud beta compute snapshot-settings update command:
gcloud beta compute snapshot-settings update \
    --project=PROJECT_ID \
    --region=REGION_A \
    --access-location-policy=all-regions
To let snapshots for a project in Region A be restored only in Region B, use the gcloud beta compute snapshot-settings update command:
gcloud beta compute snapshot-settings update \
    --project=PROJECT_ID \
    --access-location-policy=specific-regions \
    --region=REGION_A \
    --add-access-locations=REGION_B
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: An allowed region where regionally scoped snapshots can be restored. You can set multiple regions as allowed restore locations.
REST
To let snapshots for a project in Region A be restored in all regions, make a PATCH request to the regionSnapshotSettings.patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "ALL_REGIONS"
  }
}
To let snapshots for a project in Region A be restored only in Region B, make a PATCH request to the regionSnapshotSettings.patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "SPECIFIC_REGIONS",
    "locations": {
      "REGION_B": {"region": "REGION_B"}
    }
  }
}
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: An allowed region where regionally scoped snapshots can be restored. You can set multiple regions as allowed restore locations.
Edit allowed snapshot restore locations
gcloud
To view the allowed restore locations for snapshots for a project stored in Region A, use the gcloud beta compute snapshot-settings describe command:
gcloud beta compute snapshot-settings describe \
    --project=PROJECT_ID \
    --region=REGION_A
To remove Region B from the list of allowed restore locations for snapshots for a project stored in Region A, use the gcloud beta compute snapshot-settings update command:
gcloud beta compute snapshot-settings update \
    --project=PROJECT_ID \
    --access-location-policy=specific-regions \
    --remove-access-locations=REGION_B \
    --region=REGION_A
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: The region where you want to remove restore access for regionally scoped snapshots.
REST
To view the allowed restore locations for snapshots for a project stored in Region A, make a GET request to the regionSnapshotSettings.get method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings
To remove Region B from the list of allowed restore locations for snapshots for a project stored in Region A, make a PATCH request to the regionSnapshotSettings.patch method:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_A/snapshotSettings?updateMask=accessLocation
{
  "accessLocation": {
    "policy": "SPECIFIC_REGIONS",
    "locations": {
      "REGION_B": {}
    }
  }
}
Replace the following:
- PROJECT_ID: The ID of the project.
- REGION_A: The region where the regionally scoped snapshots are stored.
- REGION_B: The region where you want to remove restore access for regionally scoped snapshots.
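The accessLocation object used in the creation and restore sections above can be checked against an approved-region list before any PATCH is sent. The following Python sketch is an added example, not Google's code: plan_access_locations is a hypothetical helper, the settings document is assumed to have the same shape as the PATCH bodies on this page, and the sample region names are constructed.

```python
import json


def plan_access_locations(settings, approved, source_region=None):
    """Audit an accessLocation policy; return (findings, patch_bodies).

    settings is assumed to have the accessLocation shape of the PATCH bodies
    on this page. source_region (creation settings only) is the source disk
    region, which the page says must be among the allowed regions.
    """
    approved = set(approved)
    if not approved:
        raise ValueError("approved region set is empty")
    if source_region is not None and source_region not in approved:
        raise ValueError(f"source disk region {source_region} must be allowed")

    access = settings.get("accessLocation", {})
    # Assumption: an absent policy means the documented default (any region).
    policy = access.get("policy", "ALL_REGIONS")
    restricted = policy == "SPECIFIC_REGIONS"
    current = set(access.get("locations", {})) if restricted else set()
    extra = sorted(current - approved)
    missing = sorted(approved - current)
    findings = [] if restricted else [f"policy is {policy}: no region restriction"]
    findings += [f"unapproved region allowed: {r}" for r in extra]
    findings += [f"approved region not allowed yet: {r}" for r in missing]

    patches = []
    if missing:
        # Add form shown on the page: {"REGION_B": {"region": "REGION_B"}}
        patches.append({"accessLocation": {
            "policy": "SPECIFIC_REGIONS",
            "locations": {r: {"region": r} for r in missing}}})
    for r in extra:
        # Remove form shown on the page: {"REGION_B": {}}, one body per region
        patches.append({"accessLocation": {
            "policy": "SPECIFIC_REGIONS", "locations": {r: {}}}})
    return findings, patches


# Constructed sample settings; the region names are illustrative.
SAMPLE = {"accessLocation": {"policy": "SPECIFIC_REGIONS", "locations": {
    "us-central1": {"region": "us-central1"},
    "asia-east1": {"region": "asia-east1"}}}}

if __name__ == "__main__":
    findings, patches = plan_access_locations(
        SAMPLE, {"us-central1", "europe-west1"}, source_region="us-central1")
    print("\n".join(findings + [json.dumps(p) for p in patches]))
```

Additions and removals are emitted as separate bodies because the page shows each form only on its own.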
Last updated 2025-12-15 UTC.