Yandex project
© 2025 Yandex.Cloud LLC

Linking a Yandex Cloud Backup policy to a VM automatically using the management console, CLI, or API

Written by
Yandex Cloud
Updated at May 20, 2025

To create a virtual machine with automatic linking to a Cloud Backup policy:

  1. Get your cloud ready.
  2. Activate the service.
  3. Create a service account.
  4. Create a cloud network and subnets.
  5. Create and configure a security group.
  6. Create a backup policy.
  7. Create your VM.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support cost includes:

  • Fee for VM computing resources (see Yandex Compute Cloud pricing).
  • Fee for VM disks (see Yandex Compute Cloud pricing).
  • Fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).
  • Fee for VMs connected to Cloud Backup and the backup size (see Yandex Cloud Backup pricing).

Activate the service

Note

The minimum folder role required to activate the service is backup.editor (see its description for details).

Management console

  1. In the management console, select the folder where you want to create a VM with a Cloud Backup connection.

  2. In the list of services, select Cloud Backup.

  3. If you have not activated Cloud Backup yet, click Activate.

    If there is no Activate button, and you have access to creating a VM with a Cloud Backup connection, it means the service has already been activated. Proceed to the next step.

CLI

If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to activate the service:

    yc backup provider activate --help
    
  2. Activate the service in the default folder:

    yc backup provider activate --async
    

    Where --async displays the operation progress info. This is an optional parameter.

    Result:

    id: cdgmnefxiatx********
    description: activate provider
    created_at: "2024-10-14T09:03:47.960564Z"
    created_by: ajec1gaqcmtr********
    modified_at: "2024-10-14T09:03:47.960564Z"
    done: true
    metadata:
      '@type': type.googleapis.com/yandex.cloud.backup.v1.ActivateProviderMetadata
      folder_id: b1go3el0d8fs********
    response:
      '@type': type.googleapis.com/google.protobuf.Empty
      value: {}
    

After activation, the system automatically creates the following backup policies:

  • Default daily: Daily incremental backup with the last 15 backups retained.
  • Default weekly: Weekly incremental backup with the last 15 backups retained.
  • Default monthly: Monthly incremental backup with the last 15 backups retained.

If you prefer not to create them, use the --skip-default-policy parameter.

Create a service account

Management console

  1. In the management console, select the folder the service is activated in.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter a name for the service account: backup-sa.
  5. Click Add role and select the backup.editor role.
  6. Click Create.

Yandex Cloud CLI

If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a service account named backup-sa:

    yc iam service-account create --name backup-sa
    

    Result:

    id: ajehb3tcdfa1********
    folder_id: b1g86q4m5vej********
    created_at: "2024-07-22T16:05:14.237381531Z"
    name: backup-sa
    

    For more information about the yc iam service-account create command, see the CLI reference.

  2. Assign the backup.editor role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_ID> \
      --role backup.editor \
      --subject serviceAccount:<service_account_ID>
    

    Result:

    done (3s)
    effective_deltas:
      - action: ADD
        access_binding:
          role_id: backup.editor
          subject:
            id: ajehb3tcdfa1********
            type: serviceAccount
    

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

API

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the backup.editor role for a folder to a service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Create a cloud network and subnets

Create a cloud network with a subnet in the availability zone that will host your VM.

Management console

  1. In the management console, select the folder you want to create a cloud network in.
  2. In the list of services, select Virtual Private Cloud.
  3. At the top right, click Create network.
  4. In the Name field, specify cloud-network.
  5. In the Advanced field, select Create subnets.
  6. Click Create network.

Yandex Cloud CLI

  1. Create a cloud network named cloud-network:

    yc vpc network create cloud-network
    

    Result:

    id: enptrcle5q3d********
    folder_id: b1g9hv2loamq********
    created_at: "2024-06-08T09:25:03Z"
    name: cloud-network
    default_security_group_id: enpbsnnop4ak********
    

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create the cloud-network-ru-central1-d subnet in the ru-central1-d availability zone:

    yc vpc subnet create cloud-network-ru-central1-d \
      --zone ru-central1-d \
      --network-name cloud-network \
      --range 10.1.0.0/16
    

    Result:

    id: e9bnnssj8sc8********
    folder_id: b1g9hv2loamq********
    created_at: "2024-06-08T09:27:00Z"
    name: cloud-network-ru-central1-d
    network_id: enptrcle5q3d********
    zone_id: ru-central1-d
    v4_cidr_blocks:
    - 10.1.0.0/16
    

    For more information about the yc vpc subnet create command, see the CLI reference.

API

  1. Create a network named cloud-network using the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
  2. Create the cloud-network-ru-central1-d subnet using the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create and configure a security group

For the Cloud Backup agent to exchange data with the backup provider servers, the security group must contain the rules that allow network access to the IP addresses of the Cloud Backup resources.

A rule to enable VM access over SSH will also be added to the security group.

Management console

  1. In the management console, go to the folder you want to create a VM with a Cloud Backup connection in.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. In the Name field, specify backup-sg.

  6. In the Network field, select cloud-network.

  7. Under Rules, navigate to the Egress tab and click Add.

  8. Add the following outgoing traffic rules one by one:

    Port range  Protocol  Destination name  CIDR blocks
    80          TCP       CIDR              213.180.193.0/24
    80          TCP       CIDR              213.180.204.0/24
    443         TCP       CIDR              84.47.172.0/24
    443         TCP       CIDR              84.201.181.0/24
    443         TCP       CIDR              178.176.128.0/24
    443         TCP       CIDR              213.180.193.0/24
    443         TCP       CIDR              213.180.204.0/24
    7770-7800   TCP       CIDR              84.47.172.0/24
    8443        TCP       CIDR              84.47.172.0/24
    44445       TCP       CIDR              51.250.1.0/24

  9. Add a rule for incoming traffic to enable VM access over SSH:

    Port range  Protocol  Source  CIDR blocks
    22          Any       CIDR    0.0.0.0/0

  10. Click Create.

Yandex Cloud CLI

Run the following command:

yc vpc security-group create backup-sg \
  --network-name cloud-network \
  --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
  --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.201.181.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[178.176.128.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
  --rule "direction=egress,from-port=7770,to-port=7800,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=8443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=44445,protocol=tcp,v4-cidrs=[51.250.1.0/24]" \
  --rule "direction=ingress,port=22,protocol=any,v4-cidrs=[0.0.0.0/0]"

Result:

id: enp0v73fe8fs********
folder_id: b1g86q4m5vej********
created_at: "2024-07-22T20:17:43Z"
name: backup-sg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
  - id: enpporsovuhj********
    direction: EGRESS
    ports:
      from_port: "80"
      to_port: "80"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 213.180.193.0/24
  - id: enp7p6asol5i********
    direction: EGRESS
    ports:
      from_port: "80"
      to_port: "80"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 213.180.204.0/24
  ...
  - id: enp36mip5nhe********
    direction: INGRESS
    ports:
      from_port: "22"
      to_port: "22"
    protocol_name: ANY
    protocol_number: "-1"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0

For more information about the yc vpc security-group create command, see the CLI reference.

API

To create a security group, use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.
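To confirm that a security group carries every egress rule from the table above, and to list ingress rules open to any IPv4 address (such as the SSH rule) so their source range can be reviewed, the following added example audits the group's rule list. It is not part of the original tutorial; it assumes that `yc vpc security-group get backup-sg --format json` returns the same field names as the Result shown above, and the sample input is constructed.

```python
import ipaddress
import json

# Egress rules Cloud Backup needs, copied from the table above: (from_port, to_port, CIDR).
REQUIRED_EGRESS = [
    (80, 80, "213.180.193.0/24"),
    (80, 80, "213.180.204.0/24"),
    (443, 443, "84.47.172.0/24"),
    (443, 443, "84.201.181.0/24"),
    (443, 443, "178.176.128.0/24"),
    (443, 443, "213.180.193.0/24"),
    (443, 443, "213.180.204.0/24"),
    (7770, 7800, "84.47.172.0/24"),
    (8443, 8443, "84.47.172.0/24"),
    (44445, 44445, "51.250.1.0/24"),
]


def _rule_matches(rule, direction, lo, hi, cidr):
    """True if `rule` permits TCP ports lo..hi for every address in `cidr`."""
    if rule.get("direction") != direction:
        return False
    if rule.get("protocol_name") not in ("TCP", "ANY"):
        return False
    ports = rule.get("ports")
    if ports:  # assumption: a rule with no port range covers all ports
        if int(ports["from_port"]) > lo or int(ports["to_port"]) < hi:
            return False
    wanted = ipaddress.ip_network(cidr)
    blocks = rule.get("cidr_blocks", {}).get("v4_cidr_blocks", [])
    return any(wanted.subnet_of(ipaddress.ip_network(b)) for b in blocks)


def audit(group):
    """Return (missing required egress rules, ingress rules open to 0.0.0.0/0)."""
    rules = group.get("rules", [])
    missing = [req for req in REQUIRED_EGRESS
               if not any(_rule_matches(r, "EGRESS", *req) for r in rules)]
    open_ingress = [r for r in rules
                    if r.get("direction") == "INGRESS"
                    and "0.0.0.0/0" in r.get("cidr_blocks", {}).get("v4_cidr_blocks", [])]
    return missing, open_ingress


# Constructed sample in the shape of the Result shown above (not real output).
SAMPLE = json.loads("""
{"name": "backup-sg", "rules": [
  {"direction": "EGRESS", "ports": {"from_port": "80", "to_port": "80"},
   "protocol_name": "TCP", "cidr_blocks": {"v4_cidr_blocks": ["213.180.193.0/24"]}},
  {"direction": "EGRESS", "ports": {"from_port": "7000", "to_port": "8000"},
   "protocol_name": "TCP", "cidr_blocks": {"v4_cidr_blocks": ["84.47.0.0/16"]}},
  {"direction": "INGRESS", "ports": {"from_port": "22", "to_port": "22"},
   "protocol_name": "ANY", "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}}
]}
""")

if __name__ == "__main__":
    missing, open_ingress = audit(SAMPLE)
    for lo, hi, cidr in missing:
        print(f"missing egress: tcp {lo}-{hi} -> {cidr}")
    for rule in open_ingress:
        print(f"ingress open to 0.0.0.0/0: ports {rule.get('ports')}, "
              f"protocol {rule.get('protocol_name')}")
```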

Create a backup policy

You can create a new policy or use one of those automatically generated upon service activation.

Management console

  1. In the management console, select the folder you want to create a backup policy in.

  2. In the list of services, select Cloud Backup.

  3. Navigate to the Backup policies tab.

  4. Click Create policy.

  5. Specify the policy properties:

    • Name: weekly-backup
    • Frequency: Weekly
    • Days of the week: Fri
    • Start time: 03:00
    • Backup type: Incremental
    • Copy retention: Retain all copies
  6. Click Save.

CLI

  1. Describe the configuration of the backup policy you are creating in the backup-policy-scheme.json file:

    {
      "compression": "NORMAL",
      "format": "AUTO",
      "multiVolumeSnapshottingEnabled": true,
      "preserveFileSecuritySettings": true,
      "reattempts": {
        "enabled": true,
        "interval": {
          "type": "SECONDS",
          "count": "30"
        },
        "maxAttempts": "30"
      },
      "silentModeEnabled": true,
      "splitting": {
        "size": "1099511627776"
      },
      "vmSnapshotReattempts": {
        "enabled": true,
        "interval": {
          "type": "MINUTES",
          "count": "5"
        },
        "maxAttempts": "3"
      },
      "vss": {
        "enabled": true,
        "provider": "TARGET_SYSTEM_DEFINED"
      },
      "archive": {
        "name": "'[Machine Name]-[Plan ID]-[Unique ID]A'"
      },
      "performanceWindow": {
        "enabled": true
      },
      "scheduling": {
        "backupSets": [
          {
            "time": {
              "weekdays": [
                "FRIDAY"
              ],
              "repeatAt": [
                {
                  "hour": "3"
                }
              ],
              "type": "WEEKLY"
            }
          }
        ],
        "enabled": true,
        "maxParallelBackups": "2",
        "randMaxDelay": {
          "type": "MINUTES",
          "count": "30"
        },
        "scheme": "ALWAYS_INCREMENTAL",
        "weeklyBackupDay": "MONDAY"
      },
      "cbt": "ENABLE_AND_USE",
      "fastBackupEnabled": true,
      "quiesceSnapshottingEnabled": true
    }
    
  2. Create a backup policy:

    yc backup policy create \
      --name weekly-backup \
      --settings-from-file ./backup-policy-scheme.json
    

    Result:

    id: cdgo5vytuw57********
    name: weekly-backup
    created_at: "2024-07-23T20:34:37Z"
    updated_at: "2024-07-23T20:34:37Z"
    enabled: true
    settings:
      compression: NORMAL
      format: AUTO
      multi_volume_snapshotting_enabled: true
      preserve_file_security_settings: true
      reattempts:
        enabled: true
        interval:
          type: SECONDS
          count: "30"
        max_attempts: "30"
      silent_mode_enabled: true
      splitting:
        size: "1099511627776"
      vm_snapshot_reattempts:
        enabled: true
        interval:
          type: MINUTES
          count: "5"
        max_attempts: "3"
      vss:
        enabled: true
        provider: TARGET_SYSTEM_DEFINED
      archive:
        name: '''[Machine Name]-[Plan ID]-[Unique ID]A'''
      performance_window:
        enabled: true
      retention: {}
      scheduling:
        backup_sets:
          - time:
              weekdays:
                - FRIDAY
              repeat_at:
                - hour: "3"
              type: WEEKLY
            type: TYPE_AUTO
        enabled: true
        max_parallel_backups: "2"
        rand_max_delay:
          type: MINUTES
          count: "30"
        scheme: ALWAYS_INCREMENTAL
        weekly_backup_day: MONDAY
      cbt: ENABLE_AND_USE
      fast_backup_enabled: true
      quiesce_snapshotting_enabled: true
    folder_id: b1g86q4m5vej********
    

    Save the policy ID.

    For more information about the yc backup policy create command, see the CLI reference.

API

To create a backup policy, use the create REST API method for the Policy resource or the PolicyService/Create gRPC API call.

Create a VM

Management console

  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, in the Product search field, enter Ubuntu 22.04 LTS and select a public Ubuntu 22.04 LTS image.

  6. Under Location, select the ru-central1-d availability zone.

  7. Under Network settings:

    • In the Subnet field, select the network named cloud-network and the subnet named cloud-network-ru-central1-d.
    • In the Public IP address field, leave the Auto value to assign a random external IP address from the Yandex Cloud pool.
    • In the Security groups field, select the backup-sg security group.
  8. Under Access, select SSH key and specify the VM access data:

    • In the Login field, specify the username: vm-user.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: backup-instance.

  10. Under Additional:

    • Select the backup-sa service account.
    • Enable Cloud Backup.
    • Select the backup policy created earlier.
  11. Click Create VM.

Yandex Cloud CLI

Note

The yc compute instance create, create-with-container, update, and add-metadata commands substitute environment variable values into VM metadata. When you run one of these commands, each $<variable_name> reference in the user-data key is replaced with the value of that variable from the environment the command runs in.

To pass the variable name to the VM metadata as $<variable_name> instead of substituting its value from the CLI runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

For more information, see Specifics of providing environment variables in metadata via the CLI.
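Because of this substitution, a `$HOME` or `$USER` meant to expand on the VM would instead carry values from the operator's shell into the instance metadata. The following added example (not part of the original tutorial) lists the references the CLI would treat as variables and escapes the ones that should reach the VM unchanged. It assumes only the bare `$NAME` spelling described in the note; the sample user-data and the `VM_ROLE` name are constructed.

```python
import os
import re

# `$NAME` not preceded by another `$`; `$$NAME` is the escaped form described in the note.
# Assumption: only the bare `$NAME` spelling described on this page is matched.
_SINGLE_DOLLAR = re.compile(r"(?<!\$)\$([A-Za-z_][A-Za-z0-9_]*)")


def substituted_variables(user_data, env=None):
    """Return (line number, name, is_set) for each `$NAME` the CLI would treat as a variable."""
    env = os.environ if env is None else env
    hits = []
    for lineno, line in enumerate(user_data.splitlines(), start=1):
        for match in _SINGLE_DOLLAR.finditer(line):
            name = match.group(1)
            hits.append((lineno, name, name in env))
    return hits


def escape_for_cli(user_data, keep=()):
    """Double the `$` of every reference except names in `keep`, which stay substitutable."""
    def _escape(match):
        return match.group(0) if match.group(1) in keep else "$" + match.group(0)
    return _SINGLE_DOLLAR.sub(_escape, user_data)


# Constructed sample: a runcmd script that expects $USER and $HOME to expand on the VM.
SAMPLE_USER_DATA = """#cloud-config
runcmd:
  - echo "agent installed by $USER" >> $HOME/install.log
  - echo "zone $$ZONE role $VM_ROLE" >> /var/log/role.log
"""

if __name__ == "__main__":
    for lineno, name, is_set in substituted_variables(SAMPLE_USER_DATA):
        state = "set" if is_set else "not set"
        print(f"line {lineno}: ${name} ({state} in this shell)")
    print(escape_for_cli(SAMPLE_USER_DATA, keep={"VM_ROLE"}))
```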

  1. Describe the custom metadata configuration in the user-data.yaml file:

    #cloud-config
    datasource:
      Ec2:
        strict_id: false
    ssh_pwauth: no
    users:
    - name: vm-user
      sudo: ALL=(ALL) NOPASSWD:ALL
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key>
    packages:
      - curl
      - perl
      - jq
    runcmd:
      - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
    
  2. Specify the weekly-backup policy ID in the cloudbackup.json file:

    {"initialPolicies": ["<weekly_backup_policy_ID>"]}
    

    To learn more about getting the policy ID, see Getting information about a backup policy.

  3. Run this command:

    yc compute instance create \
      --name backup-instance \
      --zone ru-central1-d \
      --network-interface subnet-name=cloud-network-ru-central1-d,security-group-ids=<backup-sg_security_group_ID>,ipv4-address=auto,nat-ip-version=ipv4 \
      --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2204-lts,size=15 \
      --metadata-from-file user-data=./user-data.yaml,cloudbackup=./cloudbackup.json \
      --service-account-name backup-sa
    

    For more information about the yc compute instance create command, see the CLI reference.

API

To create a VM, use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

In the request body, specify:

  • In the metadata field, the user-data object containing the custom metadata configuration with a script to install the Cloud Backup agent.

  • In the cloudbackup field, the backup policy ID. To learn more about getting the policy ID, see Getting information about a backup policy.

Use \n as a line separator.

Request body example
{
  "folderId": "<folder_ID>",
  "name": "backup-instance",
  "zoneId": "ru-central1-d",
  "platformId": "standard-v3",
  "resourcesSpec": {
    "memory": "2147483648",
    "cores": "2"
  },
  "metadata": {
    "user-data": "#cloud-config\ndatasource:\n  Ec2:\n    strict_id: false\nssh_pwauth: no\nusers:\n- name: vm-user\n  shell: /bin/bash\n  sudo: ALL=(ALL) NOPASSWD:ALL\n  ssh_authorized_keys:\n  - <public_SSH_key>\npackages:\n  - curl\n  - perl\n  - jq\nruncmd:\n  - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash",
    "cloudbackup": "{\"initialPolicies\": [\"<policy_ID>\"]}"
  },
  "bootDiskSpec": {
    "diskSpec": {
      "size": "16106127360",
      "imageId": "fd8ljvsrm3l1********"
    }
  },
  "networkInterfaceSpecs": [
    {
      "subnetId": "<subnet_ID>",
      "primaryV4AddressSpec": {
        "oneToOneNatSpec": {
          "ipVersion": "IPV4"
        }
      },
      "securityGroupIds": [
        "<security_group_ID>"
      ]
    }
  ],
  "serviceAccountId": "<service_account_ID>"
}
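Both metadata values in the request body are strings: user-data is the YAML text with its line breaks escaped as \n, and cloudbackup is a JSON document encoded as a string. The following added example (not part of the original tutorial) builds the metadata object with the JSON encoder instead of escaping by hand, then checks a serialized body for a cloudbackup value passed as an object and for leftover <placeholders>. The SSH key and policy ID are constructed values, and `build_metadata` and `preflight` are hypothetical helper names.

```python
import json
import re

_PLACEHOLDER = re.compile(r"<[A-Za-z_][\w-]*>")

# The user-data document from this page; the SSH key is a constructed stand-in.
USER_DATA = """#cloud-config
datasource:
  Ec2:
    strict_id: false
ssh_pwauth: no
users:
- name: vm-user
  sudo: ALL=(ALL) NOPASSWD:ALL
  shell: /bin/bash
  ssh_authorized_keys:
  - ssh-ed25519 AAAAC3-constructed-key vm-user
packages:
  - curl
  - perl
  - jq
runcmd:
  - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
"""


def build_metadata(user_data, policy_ids):
    """Return the `metadata` object: both values are strings, `cloudbackup` holds JSON text."""
    return {
        "user-data": user_data,
        "cloudbackup": json.dumps({"initialPolicies": list(policy_ids)}),
    }


def preflight(body_text):
    """Return a list of problems found in a serialized Instance create request body."""
    problems = []
    metadata = json.loads(body_text).get("metadata", {})
    user_data = metadata.get("user-data")
    if not isinstance(user_data, str) or not user_data.startswith("#cloud-config\n"):
        problems.append("user-data must be a string whose first line is #cloud-config")
    elif _PLACEHOLDER.search(user_data):
        problems.append("user-data still contains a <placeholder>")
    raw = metadata.get("cloudbackup")
    if not isinstance(raw, str):
        problems.append("cloudbackup must be a JSON document encoded as a string")
        return problems
    try:
        policies = json.loads(raw).get("initialPolicies")
    except (ValueError, AttributeError):
        problems.append("cloudbackup is not valid JSON object text")
        return problems
    if not isinstance(policies, list) or not policies:
        problems.append("initialPolicies is empty, so no policy would be linked")
    elif any(not isinstance(p, str) or _PLACEHOLDER.search(p) for p in policies):
        problems.append("initialPolicies contains a non-string or a <placeholder>")
    return problems


if __name__ == "__main__":
    metadata = build_metadata(USER_DATA, ["constructed-policy-id"])
    body = json.dumps({"name": "backup-instance", "metadata": metadata}, indent=2)
    print(body)
    print(preflight(body) or "metadata looks consistent")
```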

Note

When the VM switches to the Running status, a Cloud Backup agent will start installing on it. This may take from 5 to 10 minutes.

A policy is linked asynchronously after you create and initialize a VM, as well as install and configure a Cloud Backup agent. This may take up to 10-15 minutes. As a result, the virtual machine will appear in the list of Cloud Backup VMs and in the list of VMs linked to the weekly-backup policy.

You can monitor the installation progress using the VM serial port in the management console.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM from Cloud Backup.
  2. Delete the VM from Compute Cloud.
  3. Delete the static public IP address if you reserved one.
  4. Delete VM backups, if any.

See also

  • Linking a Yandex Cloud Backup policy to a VM automatically using Terraform
