Contact UsGet started

Linking a Yandex Cloud Backup policy to a VM automatically using the management console, CLI, or API

Written by
Updated at May 20, 2025

To create a virtual machine with automatic linking to a Cloud Backup policy:

  1. Get your cloud ready.
  2. Activate the service.
  3. Create a service account.
  4. Create a cloud network and subnets.
  5. Create and configure a security group.
  6. Create a backup policy.
  7. Create your VM.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support cost includes:

Activate the service

Note

The minimum folder role required to activate the service is backup.editor (see its description for details).

  1. In the management console, select the folder you want to create a VM with a Cloud Backup connection in.

  2. In the list of services, select Cloud Backup.

  3. If you have not activated Cloud Backup yet, click Activate.

    If there is no Activate button, and you have access to creating a VM with a Cloud Backup connection, it means the service has already been activated. Proceed to the next step.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to activate the service:

    yc backup provider activate --help

  2. Activate the service in the default folder:

    yc backup provider activate --async

    Where --async displays the operation progress info. This is an optional parameter.

    Result:

    id: cdgmnefxiatx********
description: activate provider
created_at: "2024-10-14T09:03:47.960564Z"
created_by: ajec1gaqcmtr********
modified_at: "2024-10-14T09:03:47.960564Z"
done: true
metadata:
  '@type': type.googleapis.com/yandex.cloud.backup.v1.ActivateProviderMetadata
  folder_id: b1go3el0d8fs********
response:
  '@type': type.googleapis.com/google.protobuf.Empty
  value: {}

After activation, the system automatically creates the following backup policies:

  • Default daily: Daily incremental backup with the last 15 backups retained.
  • Default weekly: Weekly incremental backup with the last 15 backups retained.
  • Default monthly: Monthly incremental backup with the last 15 backups retained.

If you prefer not to create them, use the --skip-default-policy parameter.

Create a service account

  1. In the management console, select the folder the service is activated in.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter a name for the service account: backup-sa.
  5. Click Add role and select the backup.editor role.
  6. Click Create.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a service account named backup-sa:

    yc iam service-account create --name backup-sa

    Result:

    id: ajehb3tcdfa1********
folder_id: b1g86q4m5vej********
created_at: "2024-07-22T16:05:14.237381531Z"
name: backup-sa

    For more information about the yc iam service-account create command, see the CLI reference.

  2. Assign the backup.editor role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_ID> \
  --role backup.editor \
  --subject serviceAccount:<service_account_ID>

    Result:

    done (3s)
effective_deltas:
  - action: ADD
    access_binding:
      role_id: backup.editor
      subject:
        id: ajehb3tcdfa1********
        type: serviceAccount

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the backup.editor role for a folder to a service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Create a cloud network and subnets

Create a cloud network with a subnet in the availability zone that will host your VM.

  1. In the management console, select the folder you want to create a cloud network in.
  2. In the list of services, select Virtual Private Cloud.
  3. At the top right, click Create network.
  4. In the Name field, specify cloud-network.
  5. In the Advanced field, select Create subnets.
  6. Click Create network.

  1. Create a cloud network named cloud-network:

    yc vpc network create cloud-network

    Result:

    id: enptrcle5q3d********
folder_id: b1g9hv2loamq********
created_at: "2024-06-08T09:25:03Z"
name: cloud-network
default_security_group_id: enpbsnnop4ak********

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create the cloud-network-ru-central1-d subnet in the ru-central1-d availability zone:

    yc vpc subnet create cloud-network-ru-central1-d \
  --zone ru-central1-d \
  --network-name cloud-network \
  --range 10.1.0.0/16

    Result:

    id: e9bnnssj8sc8********
folder_id: b1g9hv2loamq********
created_at: "2024-06-08T09:27:00Z"
name: cloud-network-ru-central1-d
network_id: enptrcle5q3d********
zone_id: ru-central1-d
v4_cidr_blocks:
- 10.1.0.0/16

    For more information about the yc vpc subnet create command, see the CLI reference.

  1. Create a network named cloud-network using the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
  2. Create the cloud-network-ru-central1-d subnet using the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create and configure a security group

For the Cloud Backup agent to exchange data with the backup provider servers, the security group must contain the rules that allow network access to the IP addresses of the Cloud Backup resources.

A rule to enable VM access over SSH will also be added to the security group.

  1. In the management console, go to the folder you want to create a VM with a Cloud Backup connection in.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. In the Name field, specify backup-sg.

  6. In the Network field, select cloud-network.

  7. Under Rules, navigate to the Egress tab and click Add.

  8. Add the following outgoing traffic rules one by one:

    Port range Protocol Destination name CIDR blocks
    80 TCP CIDR 213.180.193.0/24
    80 TCP CIDR 213.180.204.0/24
    443 TCP CIDR 84.47.172.0/24
    443 TCP CIDR 84.201.181.0/24
    443 TCP CIDR 178.176.128.0/24
    443 TCP CIDR 213.180.193.0/24
    443 TCP CIDR 213.180.204.0/24
    7770-7800 TCP CIDR 84.47.172.0/24
    8443 TCP CIDR 84.47.172.0/24
    44445 TCP CIDR 51.250.1.0/24

  9. Add a rule for incoming traffic to enable VM access over SSH:

    Port range Protocol Source CIDR blocks
    22 Any CIDR 0.0.0.0/0

  10. Click Create.

Run the following command:

yc vpc security-group create backup-sg \
  --network-name network-1 \
  --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
  --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.201.181.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[178.176.128.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
  --rule "direction=egress,from-port=7770,to-port=7800,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=8443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=44445,protocol=tcp,v4-cidrs=[51.250.1.0/24]" \
  --rule "direction=ingress,port=22,protocol=any,v4-cidrs=[0.0.0.0/0]"

Result:

id: enp0v73fe8fs********
folder_id: b1g86q4m5vej********
created_at: "2024-07-22T20:17:43Z"
name: backup-sgg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
- id: enpporsovuhj********
    direction: EGRESS
    ports:
      from_port: "80"
      to_port: "80"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 213.180.193.0/24
- id: enp7p6asol5i********
    direction: EGRESS
    ports:
      from_port: "80"
      to_port: "80"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 213.180.204.0/24
...
- id: enp36mip5nhe********
    direction: INGRESS
    ports:
      from_port: "22"
      to_port: "22"
    protocol_name: ANY
    protocol_number: "-1"
    cidr_blocks:
      v4_cidr_blocks:
        - 0.0.0.0/0

For more information about the yc vpc security-group create command, see the CLI reference.

To create a security group, use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.

Create a backup policy

You can create a new policy or use one of those automatically generated upon service activation.

  1. In the management console, select the folder you want to create a backup policy in.

  2. In the list of services, select Cloud Backup.

  3. Navigate to the Backup policies tab.

  4. Click Create policy.

  5. Specify the policy properties:

    • Name: weekly-backup
    • Frequency: Weekly
    • Days of the week: Fri
    • Start time: 03:00
    • Backup type: Incremental
    • Copy retention: Retain all copies

  6. Click Save.

  1. Describe the configuration of the backup policy you are creating in the backup-policy-scheme.json file.

    {
  "compression": "NORMAL",
  "format": "AUTO",
  "multiVolumeSnapshottingEnabled": true,
  "preserveFileSecuritySettings": true,
  "reattempts": {
    "enabled": true,
    "interval": {
      "type": "SECONDS",
      "count": "30"
    },
    "maxAttempts": "30"
  },
  "silentModeEnabled": true,
  "splitting": {
    "size": "1099511627776"
  },
  "vmSnapshotReattempts": {
    "enabled": true,
    "interval": {
      "type": "MINUTES",
      "count": "5"
    },
    "maxAttempts": "3"
  },
  "vss": {
    "enabled": true,
    "provider": "TARGET_SYSTEM_DEFINED"
  },
  "archive": {
    "name": "'[Machine Name]-[Plan ID]-[Unique ID]A'"
  },
  "performanceWindow": {
    "enabled": true
  },
  "scheduling": {
    "backupSets": [
      {
        "time": {
          "weekdays": [
            "FRIDAY"
          ],
          "repeatAt": [
            {
              "hour": "3"
            }
          ],
          "type": "WEEKLY"
        }
      }
    ],
    "enabled": true,
    "maxParallelBackups": "2",
    "randMaxDelay": {
      "type": "MINUTES",
      "count": "30"
    },
    "scheme": "ALWAYS_INCREMENTAL",
    "weeklyBackupDay": "MONDAY"
  },
  "cbt": "ENABLE_AND_USE",
  "fastBackupEnabled": true,
  "quiesceSnapshottingEnabled": true
}

  2. Create a backup policy:

    yc backup policy create \
  --name weekly-backup \
  --settings-from-file ./backup-policy-scheme.json

    Result:

    id: cdgo5vytuw57********
name: weekly-backup
created_at: "2024-07-23T20:34:37Z"
updated_at: "2024-07-23T20:34:37Z"
enabled: true
settings:
  compression: NORMAL
  format: AUTO
  multi_volume_snapshotting_enabled: true
  preserve_file_security_settings: true
  reattempts:
    enabled: true
    interval:
      type: SECONDS
      count: "30"
    max_attempts: "30"
  silent_mode_enabled: true
  splitting:
    size: "1099511627776"
  vm_snapshot_reattempts:
    enabled: true
    interval:
      type: MINUTES
      count: "5"
    max_attempts: "3"
  vss:
    enabled: true
    provider: TARGET_SYSTEM_DEFINED
  archive:
    name: '''[Machine Name]-[Plan ID]-[Unique ID]A'''
  performance_window:
    enabled: true
  retention: {}
  scheduling:
    backup_sets:
      - time:
          weekdays:
            - FRIDAY
          repeat_at:
            - hour: "3"
          type: WEEKLY
        type: TYPE_AUTO
    enabled: true
    max_parallel_backups: "2"
    rand_max_delay:
      type: MINUTES
      count: "30"
    scheme: ALWAYS_INCREMENTAL
    weekly_backup_day: MONDAY
  cbt: ENABLE_AND_USE
  fast_backup_enabled: true
  quiesce_snapshotting_enabled: true
folder_id: b1g86q4m5vej********

    Save the policy id.

    For more information about the yc backup policy create command, see the CLI reference.

To create a backup policy, use the create REST API method for the Policy resource or the PolicyService/Create gRPC API call.

Create a VM

  1. In the management console, select the folder where you want to create your VM.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, in the Product search field, enter Ubuntu 22.04 LTS and select a public Ubuntu 22.04 LTS image.

  6. Under Location, select the ru-central1-d availability zone.

  7. Under Network settings:

    • In the Subnet field, select the network named cloud-network and the subnet named cloud-network-ru-central1-d.
    • In the Public IP address field, leave the Auto value to assign a random external IP address from the Yandex Cloud pool.
    • In the Security groups field, select the backup-sg security group.

  8. Under Access, select SSH key and specify the VM access data:

    • In the Login field, specify the username: vm-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: backup-instance.

  10. Under Additional:

    • Select the backup-sa service account.
    • Enable Cloud Backup.
    • Select the backup policy created earlier.

  11. Click Create VM.

Note

The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

To change such behavior, i.e. to provide a variable name to the VM metadata in $<variable_name> format rather than take the variable value from the CLI command runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

For more information, see Specifics of providing environment variables in metadata via the CLI.

  1. Describe the custom metadata configuration in the user-data.yaml file:

    #cloud-config
datasource:
  Ec2:
  strict_id: false
ssh_pwauth: no
users:
- name: vm-user
  sudo: ALL=(ALL) NOPASSWD:ALL
  shell: /bin/bash
  ssh_authorized_keys:
  - <public_SSH_key>
packages:
  - curl
  - perl
  - jq
runcmd:
  - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash

  2. Specify the weekly-backup policy ID in the cloudbackup.json file:

    {"initialPolicies": ["<weekly_backup_policy_ID>"]}

    To learn more about getting the policy ID, see Getting information about a backup policy.

  3. Run this command:

    yc compute instance create \
  --name backup-instance \
  --zone ru-central1-d \
  --network-interface subnet-name=cloud-network-ru-central1-d,security-group-ids=<backup-sg_security_group_ID>,ipv4-address=auto,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2204-lts,size=15 \
  --metadata-from-file user-data=./user-data.yaml,cloudbackup=./cloudbackup.json \
  --service-account-name backup-sa

    For more information about the yc compute instance create command, see the CLI reference.

To create a VM, use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

In the request body, specify:

  • In the metadata field, the user-data object containing the custom metadata configuration with a script to install the Cloud Backup agent.

  • In the cloudbackup field, the backup policy ID. To learn more about getting the policy ID, see Getting information about a backup policy.

Use \n as a line separator.

Request body example
{
  "folderId": "<folder_ID>",
  "name": "backup-instance",
  "zoneId": "ru-central1-d",
  "platformId": "standard-v3",
  "resourcesSpec": {
    "memory": "2147483648",
    "cores": "2"
  },
  "metadata": {
    "user-data": "#cloud-config\ndatasource:\nEc2:\n  strict_id: false\nssh_pwauth: no\nusers:\n- name: vm-user\n  shell: /bin/bash\n  sudo: ALL=(ALL) NOPASSWD:ALL\n  ssh_authorized_keys:\n  - <public_SSH_key>\npackages:\n  - curl\n  - perl\n  - jq\nruncmd:\n  - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash",
    "cloudbackup": "{\"initialPolicies\": [\"<policy_ID>\"]}"
  },
  "bootDiskSpec": {
    "diskSpec": {
      "size": "16106127360",
      "imageId": "fd8ljvsrm3l1********"
    }
  },
  "networkInterfaceSpecs": [
    {
      "subnetId": "<subnet_ID>",
      "primaryV4AddressSpec": {
        "oneToOneNatSpec": {
          "ipVersion": "IPV4"
        }
      },
      "securityGroupIds": [
        "<security_group_ID>"
      ]
    }
  ],
  "serviceAccountId": "<service_account_ID>"
}

Note

When the VM switches to the Running status, a Cloud Backup agent will start installing on it. This may take from 5 to 10 minutes.

A policy is linked asynchronously after you create and initialize a VM, as well as install and configure a Cloud Backup agent. This may take up to 10-15 minutes. As a result, the virtual machine will appear in the list of Cloud Backup VMs and in the list of VMs linked to the weekly-backup policy.

You can monitor the installation progress using the VM serial port in the management console.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM from Cloud Backup.
  2. Delete the VM from Compute Cloud.
  3. Delete the static public IP address if you reserved one.
  4. Delete VM backups, if any.

See also

Previous
Overview
Next
Terraform