Use advanced disaster recovery (DR)

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to useadvanced disaster recovery (DR).Advanced DR provides two main capabilities:

  • Replica failover lets you fail over your primary instance to the DRreplica immediately in the event of a region failure.For Cloud SQL for SQL Server, the DR replica is a cascadable replica.
  • Switchover lets you reverse the roles of the primary instance anda DR replica with zero data loss. You can use switchover torestore a deployment to its original deployment state after replicafailover, or you can use switchover to test DR.

Advanced DR is supported only on Cloud SQL Enterprise Plus edition instances.

Note: This page contains features related to Cloud SQL editions. Formore information about Cloud SQL editions, seeIntroduction to Cloud SQL editions.

Before you begin

If you plan to use the Google Cloud SDK, then you must use version 502.0.0 orlater. To check the version of theGoogle Cloud SDK, rungcloud --version. To updatethe Google Cloud SDK, rungcloud components update.

To install the Google Cloud SDK, seeInstall thegcloud CLI.

Create a DR replica

Before you use advanced DR,create a cascadable replicaof the primary instance in a differentregion than the primary instance.

Perform a switchover

After you've created a DR replica, you can perform the switchover operation.However, as a best practice, avoid performing the switchover operation under thefollowing circumstances:

  • The primary instance is being actively used.
  • Admin operations are in progress, such as automated backup or theenablement or disablement of high availability (HA).

To avoid a timeout, consider performing switchover when the transaction volumeis low.

When switchover completes, the operation takes a backup of the new primaryinstance (the former DR replica) as soon as the new primary instance ispromoted.This backup can take between 5 and 15 minutes to complete depending on the disksize. After this backup is complete, if you want to use PITR on the promotedinstance, then you must manuallyenable PITR.For more information about the considerations of using PITR with advanced DR, seeUse PITR with advanced DR.

After the switchover operation is complete, you'll notice that the direction ofreplication is reversed.

After your old primary instance is reconfigured as a read replica,theDNS write endpoint,which previously resolved to the old primary instance, resolves to the newprimary instance.

Before you begin

Before you perform the switchover operation, do the following:

  • If you haven't done so already,create a DR replica.
  • Verify that the primary instance and the DR replica are online.
  • If you're using aDNS write endpoint, then verify that the SSL configuration for the primary instance and the DR replica are the same. For example, if the DR replica is configured toenforce SSL encryption, but the primary instance allows unencrypted connections, then clients won't be able to connect to the new primary instance after the switchover operation completes.
  • Take an on-demand backup of the primary instance. This backup is a precaution in case you need to recover from any unexpected failures.
Note:For Cloud SQL to update awrite endpoint andpoint it to the correct instance, make sure that your replica is on the new network architecture before the switchover operation occurs. If the instance isn't created with this architecture, then you canupgrade the instance to the new network architecture.

Perform the switchover operation

gcloud

To perform the switchover operation, run the following command:

gcloudsqlinstancesswitchoverREPLICA_NAME

Replace the following variables:

  • REPLICA_NAME: the name of the DR replica that you want the primary instance to switch roles with.

Terraform

To begin the switchover operation, use aTerraform resource. To make the DR replica the new primary instance, use the first sample. The sample contains comments for the Terraform configuration changes you need to make to switch the primary instance and the DR replica.

resource "google_sql_database_instance" "original-primary" {  name             = "sqlserver-primary-instance-name"  region           = "us-east1"  database_version = "SQLSERVER_2022_ENTERPRISE"  instance_type    = "CLOUD_SQL_INSTANCE"  root_password    = "INSERT-PASSWORD-HERE"  replica_names    = ["sqlserver-replica-instance-name"]  settings {    tier    = "db-perf-optimized-N-2"    edition = "ENTERPRISE_PLUS"    backup_configuration {      enabled = "true"    }  }}resource "google_sql_database_instance" "dr_replica" {  name = "sqlserver-replica-instance-name"  # Remove or comment out the master_instance_name  # master_instance_name = google_sql_database_instance.original-primary.name  region           = "us-west2"  database_version = "SQLSERVER_2022_ENTERPRISE"  # Change the instance type from "READ_REPLICA_INSTANCE" to "CLOUD_SQL_INSTANCE".  instance_type = "CLOUD_SQL_INSTANCE"  root_password = "INSERT-PASSWORD-HERE"  # Add the original primary to the replica_names list  replica_names = ["sqlserver-primary-instance-name"]  # Remove or comment out the replica_configuration section  # replica_configuration {  #  cascadable_replica = true  # }  settings {    tier    = "db-perf-optimized-N-2"    edition = "ENTERPRISE_PLUS"  }}

After you make your changes, update the primary and DR replica by runningterraform plan. Verify that the output includesPlan: 0 to add, 1 to change, 0 to destroy. To perform the switchover, runterraform apply.

At this point, the original primary is a replica of the new primary instance. However, that change isn't reflected in your Terraform state automatically. To make the original primary instance a replica of the new primary instance in your Terraform state, use the second sample. The second sample provides comments that describe the changes you need to make after running the first sample.

resource "google_sql_database_instance" "original-primary" {  name = "sqlserver-primary-instance-name"  # Set master_instance_name to the new primary instance, the original DR replica.  master_instance_name = "sqlserver-replica-instance-name"  region               = "us-east1"  database_version     = "SQLSERVER_2022_ENTERPRISE"  # Change the instance type from "CLOUD_SQL_INSTANCE" to "READ_REPLICA_INSTANCE".  instance_type = "READ_REPLICA_INSTANCE"  root_password = "INSERT-PASSWORD-HERE"  # Remove  values from the replica_names field, but don't remove the field itself.  replica_names = []  # Add replica_configuration section and set cascadable_replica to true.  replica_configuration {    cascadable_replica = true  }  settings {    tier    = "db-perf-optimized-N-2"    edition = "ENTERPRISE_PLUS"    backup_configuration {      enabled = "true"    }  }}resource "google_sql_database_instance" "dr_replica" {  name             = "sqlserver-replica-instance-name"  region           = "us-west2"  database_version = "SQLSERVER_2022_ENTERPRISE"  # Change the instance type from "READ_REPLICA_INSTANCE" to "CLOUD_SQL_INSTANCE".  instance_type = "CLOUD_SQL_INSTANCE"  root_password = "INSERT-PASSWORD-HERE"  # Add the original primary to the replica_names list  replica_names = ["sqlserver-primary-instance-name"]  settings {    tier    = "db-perf-optimized-N-2"    edition = "ENTERPRISE_PLUS"  }}

If your Terraform state is updated successfully, then when you runterraform plan against the second sample, a message similar to the following appears:

No changes. Your infrastructure matches the configuration.

If you runterraform apply, then you receive a message similar to the following:

Resources: 0 added, 0 changed, 0 destroyed.

REST v1

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of the Google Cloud project of the primary instance and the DR replica.
  • REPLICA_NAME: the name of the DR replica.

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME/switchover

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME/switchover"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME/switchover" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2024-04-01T22:43:37.981Z",  "operationType": "SWITCHOVER",  "name": "OPERATION_ID",  "targetId": "REPLICA_ID",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

REST v1beta4

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of the Google Cloud project of the primary instance and the DR replica.
  • REPLICA_NAME: the name of the DR replica.

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME/switchover

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME/switchover"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME/switchover" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2024-04-01T22:43:37.981Z",  "operationType": "SWITCHOVER",  "name": "OPERATION_ID",  "targetId": "REPLICA_ID",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Perform DR by invoking a replica failover

In the event of region failure or a disaster, you can perform DR byinvoking a replica failover operation to your designated DR replica. To performa replica failover, you promote the DR replica. In contrast with switchover, the promotion of the DR replica isimmediate.

Since the DR replica assumes the role of the primary instance immediately,it's possible that the replica doesn't have all of the data from theold primary instance due to replication lag. For this reason, a replica failovercan incur data loss.

As part of the promotion process, replica failover takes a backup of the newprimary instance (the former DR replica) right after the DR replica becomes thenew primary instance. After this backup is complete, point-in-time-recovery(PITR) is fully enabled on the new primary instance. This backup can takebetween 5 and 15 minutes to complete depending on the disk size of the new (andold) primary instance. During this backup period, PITR isn't available.

When the old primary instance comes back online, the replica failover processtakes a backup. After this backup is taken, the old primary instance isrecreated as a read replica of the new primary instance.

For more information about the considerations of using PITR with advanced DR,seeUse PITR with advanced DR.

After you invoke the replica failoveroperation, theDNS write endpoint,which previously resolved to the old primary instance,resolves to the new primary instance.

Before you begin

Before you can perform a replica failover, do the following:

  • If you haven't done so already, thencreate a DR replica.
  • Make sure the DR replica is online and healthy.
Note:For Cloud SQL to update awrite endpoint andpoint it to the correct instance, make sure that your replica is on the new network architecture before the replica failover operation occurs. If the instance isn't created with this architecture, then you canupgrade the instance to the new network architecture.

Perform the replica failover operation

gcloud

To invoke a replica failover to the DR replica, use the following command:

gcloudsqlinstancespromote-replica\REPLICA_NAME--failover

Replace the following variable:

  • REPLICA_NAME: the name of the DR replica

REST v1

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of the Google Cloud project of the primary instance and DR replica.
  • REPLICA_NAME: the name of the DR replica.
  • ENABLE_REPLICA_FAILOVER: set totrue to use replica failover. If you set to false, then the API uses the regularpromoteReplica method without replica failover.

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME/promoteReplica?failover=ENABLE_REPLICA_FAILOVER

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME/promoteReplica?failover=ENABLE_REPLICA_FAILOVER"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME/promoteReplica?failover=ENABLE_REPLICA_FAILOVER" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/REPLICA_NAME",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2020-01-21T22:43:37.981Z",  "operationType": "PROMOTE_REPLICA",  "name": "OPERATION_ID",  "targetId": "REPLICA_NAME",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

REST v1beta4

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of the Google Cloud project of the primary instance and DR replica.
  • REPLICA_NAME: the name of the DR replica.
  • ENABLE_REPLICA_FAILOVER: set totrue to use replica failover. If you set to false, then the API uses the regularpromoteReplica method without replica failover.

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME/promoteReplica?failover=ENABLE_REPLICA_FAILOVER

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME/promoteReplica?failover=ENABLE_REPLICA_FAILOVER"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME/promoteReplica?failover=ENABLE_REPLICA_FAILOVER" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/REPLICA_NAME",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2024-04-01T22:43:37.981Z",  "operationType": "PROMOTE_REPLICA",  "name": "OPERATION_ID",  "targetId": "REPLICA_NAME",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Check the status of a replica failover

Replica failover occurs in two phases.The first phase is the promotion of the DR replica.The second phase is the recreation ofthe old primary instance as a read replica.

To check the status of replica failover, check the status of eachphase.

  1. Check the status of the first phase.

    Console

    To check if the DR replica has been promoted to a standalone instance, do the following:

    1. In the Google Cloud console, go to theCloud SQL Instances page.

      Go to Cloud SQL Instances

    2. Find the name of the DR replica that you promoted.
    3. Verify thatSQL ServerVERSION appears in theType column for the new primary instance.

    gcloud

    You can check the status by running the following command:

    gcloudsqlinstancesdescribeDR_REPLICA_NAME

    Replace the following variable:

    • DR_REPLICA_NAME: the name of the promoted DR replica

    In the output, check that the following field appears and thereplica has become a standalone Cloud SQL primary instance:

    instanceType: CLOUD_SQL_INSTANCE

  2. To verify the completion of the second phase, check theoperations log on the instance for the messageRECONFIGURE_OLD_PRIMARY.

    The appearance of this message depends on when the oldprimary instance returns online, which can take minutes ordays in the event of a disaster.

    For more information on how to check the operations logs on an instance, seeView instance logs.

Use PITR with advanced DR

Whether a switchover or replica failover, if the DR replica is promoted to aprimary instance, and you want to use PITR on the promoted instance, you mustmanually enable PITR.

After PITR is enabled, the backup configuration and transaction log retentionpolicies apply. If you don't specify values for these settings, the default valueof 14 days applies.

For more information, seeUse PITR.

After PITR is enabled on the new primary instance, you can restore the instanceto any point in time during which it is an active primary instance.

Split-brain during replica failover

It's possible that split-brain occurs when the primary instance continues toaccept writes while a replica is promoted using replica failover. After thereplica is promoted, when the old primary instance is available again, it isrebuilt as a replica of the promoted instance and a final backup is made. Thisbackup can be used to recover any split-brain data that was not written to thepromoted replica.

Note: Split-brain can't happen for switchover operations.

Deletion of backups and transaction logs on replicas

If a primary instance that was enabled with PITR and backups becomes a readreplica, then the last backup and PITR retention policy from its time as aprimary instance is preserved and applied during its time as a replica. Eventhough the new primary instance is not taking backups, the old backups andtransaction logs used for PITR are deleted on the read replica according to thelast configured policy.

For example, if the instance is configured to have daily automated backups andkeep 7 backups with 7 days of PITR logs, then when this instance becomes a readreplica, anything older than 7 days is deleted once a day.

If you need to delete backups sooner, then you can remove backups manually. Formore information, seeDelete a backup.

Note: You can't modify backup configuration settings while the instance is areplica.

Recommendations for VPC Service Controls and advanced DR

If you use VPC Service Controls, then make sure that your service perimeters allownecessary communications for all recovery operations such as point-in-timerecovery (PITR) operations, especially when you use CMEK with keys in adifferent project.

Advanced DR operations, like switchover and replica failover, can enable orreconfigure features like PITR, which can be blocked by VPC Service Controls ifthe service perimeters aren't configured correctly for CMEK and cross-projectkey access.

For more information, seeConfigureVPC Service Controls.

Limitations

  • You can't designate a Cloud SQL Enterprise Plus edition read replicainstance as DR replica if the primary instance stores its transaction logsfor point-in-time recovery (PITR) on disk. To check where an instancestores its logs for PITR, seeCheck the storage location of transaction logs used for PITR.

  • You can't designate an external replica as a DR replica.

  • Terraform isn't supported for replica failover operations.

  • You can't use the Google Cloud console to perform replica failover or switchover operations.

Troubleshoot

IssueTroubleshooting
Switchover operation has failed.
    Make sure the instance meets all the stated DR replica(cascadable replica) requirements.
  • Check the volume of transactions on the database. If the transaction volume is high, then the operationmight timeout. Consider retrying the operation when the transaction load islower.
Switchover operation has failed and the primary instance is stuck inread-only mode. Perform a database restart to bring the primary instance back towrite mode.
Switchover operation has completed, but the Google Cloud console doesn't show thenew reversed roles for the instances.Refresh your browser to show the updated topology.
Replica failover operation has failed.
  • Make sure that you've created a DR replica for the primary instanceand that the DR replica is online.
  • If failover to the DR replica has failed, then promote to aregular (non-DR) read replica instead.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.