Connecting an existing Linux VM to Cloud Backup
You can back up your Compute Cloud VMs with supported Linux-based operating systems.
For the Cloud Backup agent to work correctly, the VM must meet the minimum requirements.
Warning
To connect a VM to Cloud Backup, make sure its service account, public IP, and security group are set up correctly. For more information, see Connecting Compute Cloud VMs and Yandex BareMetal servers to Cloud Backup.
If you have deleted a VM from Cloud Backup and want to reconnect it, follow the steps below.
To connect a Linux VM to Cloud Backup:
- Create a service account.
- Link a service account to the VM.
- Set up network access for the VM.
- Install the Cloud Backup agent.
Create a service account
- In the management console, select the folder where you want to connect a VM.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account. The naming requirements are as follows:
  - It must be from 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
- Click Add role and select the backup.editor role.
- Click Create.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the command to create a service account:
      yc iam service-account create --help
- Create a service account by running this command:
      yc iam service-account create \
        --name <service_account_name>
  Result:
      id: ajehb3tcdfa1********
      folder_id: b1g86q4m5vej********
      created_at: "2024-07-22T16:05:14.237381531Z"
      name: backup-sa
  For more information about the yc iam service-account create command, see the CLI reference.
- View the description of the command to assign a role for a folder:
      yc resource-manager folder add-access-binding --help
- Assign the backup.editor role for the folder to the service account:
      yc resource-manager folder add-access-binding <folder_ID> \
        --role backup.editor \
        --subject serviceAccount:<service_account_ID>
  Result:
      done (3s)
      effective_deltas:
        - action: ADD
          access_binding:
            role_id: backup.editor
            subject:
              id: ajehb3tcdfa1********
              type: serviceAccount
  For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
- Describe the resource parameters in the configuration file:
      resource "yandex_iam_service_account" "backup-sa" {
        name      = "<service_account_name>"
        folder_id = "<folder_ID>"
      }

      resource "yandex_resourcemanager_folder_iam_member" "backup-editor-role" {
        folder_id = "<folder_ID>"
        role      = "backup.editor"
        member    = "serviceAccount:${yandex_iam_service_account.backup-sa.id}"
      }
  Where:
  - yandex_iam_service_account: Service account description.
  - yandex_resourcemanager_folder_iam_member: Service account access permissions for the folder, where:
    - role: Role.
    - member: Subject the role is assigned to.
- Create the resources:
  - In the terminal, go to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
        terraform validate
    If the configuration is correct, you will get this message:
        Success! The configuration is valid.
  - Run this command:
        terraform plan
    The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
  - Apply the changes:
        terraform apply
  - Type yes and press Enter to confirm the changes.
  Terraform will create all the required resources. You can check the new resources using the management console.
For more information about resource parameters, see the relevant provider documentation:
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
To assign the backup.editor role for a folder to a service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.
For more information, see Creating a service account.
Link a service account to the VM
Note
You can only link one service account to a virtual machine.
To link a service account to a VM, you need a permission to use this account. This permission comes with the iam.serviceAccounts.user and editor roles or higher.
- In the management console, select the folder where you want to connect a VM.
- In the list of services, select Compute Cloud.
- Click the VM name.
- In the top-right corner of the page, click Edit VM.
- Under Additional, select a service account with the backup.editor role.
- Click Save changes.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the VM update command:
      yc compute instance update --help
- Link a service account to the VM by running this command:
      yc compute instance update <VM_name_or_ID> \
        --service-account-name <service_account_name>
  Where --service-account-name: Name of the service account with the backup.editor role.
  Result:
      id: epddj31hkik0********
      folder_id: b1g681qpemb4********
      created_at: "2025-04-21T11:07:34Z"
      name: my-vm
      ...
      service_account_id: ajelprpohp7r********
      ...
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
- In the Terraform configuration file, in the section with the description of the yandex_compute_instance resource, add the service_account_id parameter and specify the ID of a service account with the backup.editor role:
      resource "yandex_compute_instance" "vm-1" {
        ...
        service_account_id = "<service_account_ID>"
        ...
      }
- Apply the changes:
  - In the terminal, go to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
        terraform validate
    If the configuration is correct, you will get this message:
        Success! The configuration is valid.
  - Run this command:
        terraform plan
    The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
  - Apply the changes:
        terraform apply
  - Type yes and press Enter to confirm the changes.
  Terraform will change all required resources. You can check the resource updates in the management console.
For more information about yandex_compute_instance properties, see this Terraform article.
Use the update REST API method for the Instance resource or the InstanceService/Update gRPC API call. Specify the ID of the service account with the backup.editor role in your request.
For more information, see Updating a VM.
Set up network access for the VM
Create a security group
- In the management console, select the folder where you want to connect a VM.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select Security groups.
- Click Create security group.
- Enter a name for the security group, e.g., backup-sg.
- In the Network field, select the network the VM resides in.
- Under Rules, navigate to the Egress tab and click Add.
- Add the following outgoing traffic rules one by one:
      Port range   Protocol   Destination name   CIDR blocks
      80           TCP        CIDR               213.180.193.0/24
      80           TCP        CIDR               213.180.204.0/24
      443          TCP        CIDR               84.47.172.0/24
      443          TCP        CIDR               84.201.181.0/24
      443          TCP        CIDR               178.176.128.0/24
      443          TCP        CIDR               213.180.193.0/24
      443          TCP        CIDR               213.180.204.0/24
      7770-7800    TCP        CIDR               84.47.172.0/24
      8443         TCP        CIDR               84.47.172.0/24
      44445        TCP        CIDR               51.250.1.0/24
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the command for creating a security group:
      yc vpc security-group create --help
- Create a security group with rules by running this command:
      yc vpc security-group create \
        --name <security_group_name> \
        --network-id <network_ID> \
        --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
        --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.201.181.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[178.176.128.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
        --rule "direction=egress,from-port=7770,to-port=7800,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
        --rule "direction=egress,port=8443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
        --rule "direction=egress,port=44445,protocol=tcp,v4-cidrs=[51.250.1.0/24]"
  Where:
  - name: Security group name.
  - network-id: ID of the network the VM resides in.
  - rule: Rule description:
    - direction: Traffic direction. egress for outgoing.
    - port: Port for receiving traffic.
    - from-port: First port in the traffic port range.
    - to-port: Last port in the traffic port range.
    - protocol: Data transfer protocol.
    - v4-cidrs: List of IPv4 CIDRs and masks of subnets the traffic will be coming to.
  Result:
      id: enp0v73fe8fs********
      folder_id: b1g86q4m5vej********
      created_at: "2024-07-22T20:17:43Z"
      name: backup-sg
      network_id: enp3srbi9u49********
      status: ACTIVE
      rules:
        - id: enpdadptjl77********
          direction: EGRESS
          ports:
            from_port: "80"
            to_port: "80"
          protocol_name: TCP
          protocol_number: "6"
          cidr_blocks:
            v4_cidr_blocks:
              - 213.180.193.0/24
        ...
        - id: enpji0640a0f********
          direction: EGRESS
          ports:
            from_port: "44445"
            to_port: "44445"
          protocol_name: TCP
          protocol_number: "6"
          cidr_blocks:
            v4_cidr_blocks:
              - 51.250.1.0/24
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
- In the configuration file, describe the resources you want to create:
      resource "yandex_vpc_security_group" "test_sg_outgoing" {
        name       = "<security_group_name>"
        network_id = "<network_ID>"

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.193.0/24"]
          port           = 80
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.204.0/24"]
          port           = 80
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.47.172.0/24"]
          port           = 443
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.201.181.0/24"]
          port           = 443
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["178.176.128.0/24"]
          port           = 443
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.193.0/24"]
          port           = 443
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.204.0/24"]
          port           = 443
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.47.172.0/24"]
          from_port      = 7770
          to_port        = 7800
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.47.172.0/24"]
          port           = 8443
        }
        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["51.250.1.0/24"]
          port           = 44445
        }
      }
  Where:
  - name: Security group name.
  - network_id: ID of the network the VM resides in.
  - egress: Description of the outgoing traffic rule:
    - protocol: Data transfer protocol.
    - v4_cidr_blocks: List of IPv4 CIDRs and masks of subnets the traffic will be coming to.
    - port: Port for receiving traffic.
    - from_port: First port in the traffic port range.
    - to_port: Last port in the traffic port range.
- Create the resources:
  - In the terminal, go to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
        terraform validate
    If the configuration is correct, you will get this message:
        Success! The configuration is valid.
  - Run this command:
        terraform plan
    The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
  - Apply the changes:
        terraform apply
  - Type yes and press Enter to confirm the changes.
  Terraform will create all the required resources. You can check the new resources using the management console.
For more information about yandex_vpc_security_group properties, see this Terraform article.
To create a security group, use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.
For more information, see Creating a security group.
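An added example, not part of the original documentation: a Python check that compares a security group's egress rules with the rule table above and reports required rules that are not covered and rules that go beyond the list. It assumes the group was exported with `yc vpc security-group get <security_group_name> --format json` and that the JSON uses the field names shown in the CLI result above; the sample group is constructed.

```python
import ipaddress
import json

# Required egress rules from the table above: (first port, last port, CIDR).
REQUIRED = [
    (80, 80, "213.180.193.0/24"), (80, 80, "213.180.204.0/24"),
    (443, 443, "84.47.172.0/24"), (443, 443, "84.201.181.0/24"),
    (443, 443, "178.176.128.0/24"), (443, 443, "213.180.193.0/24"),
    (443, 443, "213.180.204.0/24"), (7770, 7800, "84.47.172.0/24"),
    (8443, 8443, "84.47.172.0/24"), (44445, 44445, "51.250.1.0/24"),
]

# Constructed sample, shaped like the CLI result above (not real output).
SAMPLE = json.loads("""
{"name": "backup-sg", "rules": [
  {"direction": "EGRESS", "protocol_name": "TCP",
   "ports": {"from_port": "80", "to_port": "80"},
   "cidr_blocks": {"v4_cidr_blocks": ["213.180.193.0/24", "213.180.204.0/24"]}},
  {"direction": "EGRESS", "protocol_name": "TCP",
   "ports": {"from_port": "443", "to_port": "443"},
   "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
  {"direction": "EGRESS", "protocol_name": "TCP",
   "ports": {"from_port": "7770", "to_port": "7800"},
   "cidr_blocks": {"v4_cidr_blocks": ["84.47.172.0/24"]}}
]}
""")


def egress_tcp_rules(group):
    """Return [(first_port, last_port, network)] for every TCP egress rule."""
    out = []
    for rule in group.get("rules", []):
        if rule.get("direction") != "EGRESS" or rule.get("protocol_name") != "TCP":
            continue
        # Assumption: a rule without a ports block applies to all ports.
        ports = rule.get("ports") or {}
        lo, hi = int(ports.get("from_port", 0)), int(ports.get("to_port", 65535))
        for cidr in (rule.get("cidr_blocks") or {}).get("v4_cidr_blocks", []):
            out.append((lo, hi, ipaddress.ip_network(cidr)))
    return out


def audit(group):
    """Return (missing, extra): uncovered required rules, rules beyond the list."""
    rules = egress_tcp_rules(group)
    missing = [
        (lo, hi, cidr) for lo, hi, cidr in REQUIRED
        if not any(r_lo <= lo and hi <= r_hi
                   and ipaddress.ip_network(cidr).subnet_of(net)
                   for r_lo, r_hi, net in rules)
    ]
    extra = [(lo, hi, str(net)) for lo, hi, net in rules
             if (lo, hi, str(net)) not in REQUIRED]
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(SAMPLE)
    for lo, hi, cidr in missing:
        print(f"MISSING  tcp/{lo}-{hi} -> {cidr}")
    for lo, hi, cidr in extra:
        print(f"EXTRA    tcp/{lo}-{hi} -> {cidr}")
```

A required rule counts as covered when a broader rule contains it, so the constructed 0.0.0.0/0 rule on port 443 satisfies the five 443 entries but is still listed as extra because it opens egress beyond the documented destinations.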
Configure the VM network interface
- In the management console, select the folder where you want to connect a VM.
- Select Compute Cloud.
- Click the VM name.
- Under Network interface, add a security group to the VM network interface:
  - In the top-right corner of the section, click and select Edit.
  - In the window that opens, add the previously created security group in the Security groups field.
  - Click Save.
- If the VM does not have a public IP address, then under Network, click in the top-right corner of the relevant network interface section and select Add public IP address. In the window that opens:
  - In the Public address field, select Auto to get an IP address automatically assigned or List to choose a reserved address from the list.
  - Optionally, if you selected Auto in the Public address field, enable DDoS protection. For more information, see Yandex DDoS Protection in Virtual Private Cloud.
  - If you selected List in the Public address field, choose the IP address you want to assign to your VM. The IP address and the VM must be in the same availability zone.
  - Click Add.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the VM network interface update command:
      yc compute instance update-network-interface --help
- Add the previously created security group to the VM network interface:
      yc compute instance update-network-interface \
        --id <VM_ID> \
        --network-interface-index <network_interface_number> \
        --security-group-id <security_group_ID>
  Where:
  - --id: VM ID.
  - --network-interface-index: Network interface number, e.g., 0.
  - --security-group-id: Security group ID.
  Result:
      id: epddj31hkik0********
      folder_id: b1g681qpemb4********
      created_at: "2025-04-21T11:07:34Z"
      name: my-vm
      ...
      network_interfaces:
        - index: "0"
          mac_address: d0:0d:d9:8c:31:a4
          subnet_id: e2lb1da2dd9v********
          primary_v4_address:
            address: 10.129.**.**
            one_to_one_nat:
              address: 158.160.**.**
              ip_version: IPV4
          security_group_ids:
            - enpqtbh6ulo3********
      ...
- View the description of the command for assigning a public IP address to a VM:
      yc compute instance add-one-to-one-nat --help
- If your VM has no public IP address, assign one:
      yc compute instance add-one-to-one-nat \
        --id <VM_ID> \
        --network-interface-index <network_interface_number>
  Where:
  - --id: VM ID.
  - --network-interface-index: Network interface number, e.g., 0.
  Result:
      id: epddj31hkik0********
      folder_id: b1g681qpemb4********
      created_at: "2025-04-21T11:07:34Z"
      name: my-vm
      ...
      network_interfaces:
        - index: "0"
          mac_address: d0:0d:d9:8c:31:a4
          subnet_id: e2lb1da2dd9v********
          primary_v4_address:
            address: 10.129.**.**
            one_to_one_nat:
              address: 158.160.**.**
              ip_version: IPV4
          security_group_ids:
            - enpqtbh6ulo3********
      ...
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
- Open the configuration file and update the VM network interface parameters in the section with the description of the yandex_compute_instance resource.
      resource "yandex_compute_instance" "my-vm" {
        ...
        network_interface {
          ...
          # security_group_ids takes a list of IDs, not a single string
          security_group_ids = ["<security_group_ID>"]
          nat                = true
          ...
        }
        ...
      }
  Where:
  - yandex_compute_instance: VM description.
  - network_interface: VM network interface settings.
  - security_group_ids: List of security group IDs.
  - nat: Specifies if an instance will have an assigned public IP address.
- Create the resources:
  - In the terminal, go to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
        terraform validate
    If the configuration is correct, you will get this message:
        Success! The configuration is valid.
  - Run this command:
        terraform plan
    The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
  - Apply the changes:
        terraform apply
  - Type yes and press Enter to confirm the changes.
  Terraform will change all required resources. You can check the resources’ updates in the management console.
For more information about yandex_compute_instance properties, see this Terraform article.
To add a security group to the VM network interface, use the updateNetworkInterface REST API method for the Instance resource or the InstanceService/UpdateNetworkInterface gRPC API call.
To assign a public IP address to a VM, use the addOneToOneNat REST API method for the Instance resource or the InstanceService/AddOneToOneNat gRPC API call.
For more information, see Changing security groups of a VM network interface and Assigning a public IP address to a VM.
Install the Cloud Backup agent
- Connect to the VM over SSH.
- Install the Cloud Backup agent on the VM:
  Ubuntu:
      sudo apt update && \
        sudo apt install -y jq && \
        curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
  Result:
      ...
      Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********
  CentOS:
      sudo yum install epel-release -y && \
        sudo yum update -y && \
        sudo yum install jq -y && \
        curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
  Result:
      ...
      Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********
After that, you can link your VM to backup policies.
To connect an existing VM to Cloud Backup, you can also take snapshots of the VM disks and create a new VM based on those snapshots by selecting the backup option.