Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Connecting an existing Linux VM to Cloud Backup

Written by
Improved by
Updated at May 29, 2025

You can back up your Compute Cloud VMs with supported Linux-based operating systems.

For the Cloud Backup agent to work correctly, the VM must meet the minimum requirements.

Warning

To connect a VM to Cloud Backup, make sure its service account, public IP, and security group are set up correctly. For more information, see Connecting Compute Cloud VMs and Yandex BareMetal servers to Cloud Backup.

If you have deleted a VM from Cloud Backup and want to reconnect it, follow the steps below.

To connect a Linux VM to Cloud Backup:

  1. Create a service account.
  2. Link a service account to the VM.
  3. Set up network access for the VM.
  4. Install the Cloud Backup agent.

Create a service account

  1. In the management console, select the folder where you want to connect a VM.

  2. In the list of services, select Identity and Access Management.

  3. Click Create service account.

  4. Enter a name for the service account. The naming requirements are as follows:

    • It must be from 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  5. Click Add role and select the backup.editor role.

  6. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the command to create a service account:

    yc iam service-account create --help

  2. Create a service account by running this command:

    yc iam service-account create \
  --name <service_account_name>

    Result:

    id: ajehb3tcdfa1********
folder_id: b1g86q4m5vej********
created_at: "2024-07-22T16:05:14.237381531Z"
name: backup-sa

    For more information about the yc iam service-account create command, see the CLI reference.

  3. View the description of the command to assign a role for a folder:

    yc resource-manager folder add-access-binding --help

  4. Assign the backup.editor role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_ID> \
  --role backup.editor \
  --subject serviceAccount:<service_account_ID>

    Result:

    done (3s)
effective_deltas:
  - action: ADD
    access_binding:
      role_id: backup.editor
      subject:
        id: ajehb3tcdfa1********
        type: serviceAccount

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Describe the resource parameters in the configuration file:

    resource "yandex_iam_service_account" "backup-sa" {
  name        = "<service_account_name>"
  folder_id   = "<folder_ID>"
}

resource "yandex_resourcemanager_folder_iam_member" "backup-editor-role" {
  folder_id   = "<folder_ID>"
  role        = "backup.editor"
  member      = "serviceAccount:${yandex_iam_service_account.backup-sa.id}"
}

    Where:

    • yandex_iam_service_account: Service account description.

    • yandex_resourcemanager_folder_iam_member: Service account access permissions for the folder, where:

      • role: Role.
      • member: Subject the role is assigned to.

  2. Create the resources:

    1. In the terminal, go to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources using the management console.

For more information about resource parameters, see the relevant provider documentation:

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the backup.editor role for a folder to a service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

For more information, see Creating a service account.

Link a service account to the VM

Note

You can only link one service account to a virtual machine.

To link a service account to a VM, you need a permission to use this account. This permission comes with the iam.serviceAccounts.user and editor roles or higher.

  1. In the management console, select the folder where you want to connect a VM.
  2. In the list of services, select Compute Cloud.
  3. Click the VM name.
  4. In the top-right corner of the page, click Edit VM.
  5. Under Additional, select a service account with the backup.editor role.
  6. Click Save changes.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the VM update command:

    yc compute instance update --help

  2. Link a service account to the VM by running this command:

    yc compute instance update <VM_name_or_ID> \
  --service-account-name <service_account_name>

    Where --service-account-name: Name of the service account with the backup.editor role.

    Result:

    id: epddj31hkik0********
folder_id: b1g681qpemb4********
created_at: "2025-04-21T11:07:34Z"
name: my-vm
...
service_account_id: ajelprpohp7r********
...

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In Terraform configuration file, in the section with the description of the yandex_compute_instance resource, add the service_account_id parameter and give the ID of a service account with the backup.editor role:

    resource "yandex_compute_instance" "vm-1" {
  ...
  service_account_id = "<service_account_ID>"
  ...
}

  2. Apply the changes:

    1. In the terminal, go to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will change all required resources. You can check the resources updates in the management console.

For more information about yandex_compute_instance properties, see this Terraform article.

Use the update REST API method for the Instance resource or the InstanceService/Update gRPC API call. Specify the ID of the service account with the backup.editor role in your request.

For more information, see Updating a VM.

Set up network access for the VM

Create a security group

  1. In the management console, select the folder where you want to connect a VM.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Enter a name for the security group, e.g., backup-sg.

  6. In the Network field, select the network the VM resides in.

  7. Under Rules, navigate to the Egress tab and click Add.

  8. Add the following outgoing traffic rules one by one:

    Port range Protocol Destination name CIDR blocks
    80 TCP CIDR 213.180.193.0/24
    80 TCP CIDR 213.180.204.0/24
    443 TCP CIDR 84.47.172.0/24
    443 TCP CIDR 84.201.181.0/24
    443 TCP CIDR 178.176.128.0/24
    443 TCP CIDR 213.180.193.0/24
    443 TCP CIDR 213.180.204.0/24
    7770-7800 TCP CIDR 84.47.172.0/24
    8443 TCP CIDR 84.47.172.0/24
    44445 TCP CIDR 51.250.1.0/24

  9. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the command for creating a security group:

    yc vpc security-group create --help

  2. Create a security group with rules by running this command:

    yc vpc security-group create \
  --name <security_group_name> \
  --network-id <network_ID> \
  --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
  --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.201.181.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[178.176.128.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
  --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
  --rule "direction=egress,from-port=7770,to-port=7800,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=8443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
  --rule "direction=egress,port=44445,protocol=tcp,v4-cidrs=[51.250.1.0/24]"

    Where:

    • name: Security group name.

    • network-id: ID of the network the VM resides in.

    • rule: Rule description:

      • direction: Traffic direction. egress for outgoing.
      • port: Port for receiving traffic.
      • from-port: First port in the traffic port range.
      • to-port: Last port in the traffic port range.
      • protocol: Data transfer protocol.
      • v4-cidrs: List of IPv4 CIDRs and masks of subnets the traffic will be coming to.

    Result:

    id: enp0v73fe8fs********
folder_id: b1g86q4m5vej********
created_at: "2024-07-22T20:17:43Z"
name: backup-sg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
  - id: enpdadptjl77********
    direction: EGRESS
    ports:
      from_port: "80"
      to_port: "80"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 213.180.193.0/24
...
  - id: enpji0640a0f********
    direction: EGRESS
    ports:
      from_port: "44445"
      to_port: "44445"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
        - 51.250.1.0/24

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, describe the resources you want to create:

    resource "yandex_vpc_security_group" "test_sg_outgoing" {
  name        = "<security_group_name>"
  network_id  = "<network_ID>"

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["213.180.193.0/24"]
    port           = 80
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["213.180.204.0/24"]
    port           = 80
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["84.47.172.0/24"]
    port           = 443
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["84.201.181.0/24"]
    port           = 443
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["178.176.128.0/24"]
    port           = 443
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["213.180.193.0/24"]
    port           = 443
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["213.180.204.0/24"]
    port           = 443
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["84.47.172.0/24"]
    from_port      = 7770
    to_port        = 7800
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["84.47.172.0/24"]
    port           = 8443
  }

  egress {
    protocol       = "TCP"
    v4_cidr_blocks = ["51.250.1.0/24"]
    port           = 44445
  }
}

    Where:

    • name: Security group name.

    • network_id: ID of the network the VM resides in.

    • egress: Description of the outgoing traffic rule:

      • protocol: Data transfer protocol.
      • v4-cidrs: List of IPv4 CIDRs and masks of subnets the traffic will be coming to.
      • port: Port for receiving traffic.
      • from_port: First port in the traffic port range.
      • to_port: Last port in the traffic port range.

  2. Create the resources:

    1. In the terminal, go to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources using the management console.

For more information about yandex_vpc_security_group properties, see this Terraform article.

To create a security group, use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.

For more information, see Creating a security group.

Configure the VM network interface

  1. In the management console, select the folder where you want to connect a VM.

  2. Select Compute Cloud.

  3. Click the VM name.

  4. Under Network interface, add a security group to the VM network interface:

    • In the top-right corner of the section, click and select Edit.
    • In the window that opens, add the previously created security group in the Security groups field.
    • Click Save.

  5. If the VM does not have a public IP address, then under Network, click in the top-right corner of the relevant network interface section and select Add public IP address. In the window that opens:

    • In the Public address field, select Auto to get an IP address automatically assigned or List to choose a reserved address from the list.
    • Optionally, if you selected Auto in the Public address field, enable DDoS protection. For more information, see Yandex DDoS Protection in Virtual Private Cloud.
    • If you selected List in the Public address field, choose the IP address you want to assign to your VM. The IP address and the VM must be in the same availability zone.
    • Click Add.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the VM network interface update command:

    yc compute instance update-network-interface --help

  2. Add the previously created security group to the VM network interface:

    yc compute instance update-network-interface \
  --id <VM_ID> \
  --network-interface-index <network_interface_number> \
  --security-group-id <security_group_ID>

    Where:

    • --id: VM ID.
    • --network-interface-index: Network interface number, e.g., 0.
    • --security-group-id: Security group ID.

    Result:

    id: epddj31hkik0********
folder_id: b1g681qpemb4********
updateNetworkInterfaced_at: "2025-04-21T11:07:34Z"
name: my-vm
...
network_interfaces:
  - index: "0"
    mac_address: d0:0d:d9:8c:31:a4
    subnet_id: e2lb1da2dd9v********
    primary_v4_address:
      address: 10.129.**.**
      one_to_one_nat:
        address: 158.160.**.**
        ip_version: IPV4
    security_group_ids:
      - enpqtbh6ulo3********
...

  3. View the description of the command for assigning a public IP address to a VM:

    yc compute instance add-one-to-one-nat --help

  4. If your VM has no public IP address, assign one:

    yc compute instance add-one-to-one-nat \
  --id <VM_ID> \
  --network-interface-index <network_interface_number>

    Where:

    • --id: VM ID.
    • --network-interface-index: Network interface number, e.g., 0.

    Result:

    id: epddj31hkik0********
folder_id: b1g681qpemb4********
updateNetworkInterfaced_at: "2025-04-21T11:07:34Z"
name: my-vm
...
network_interfaces:
  - index: "0"
    mac_address: d0:0d:d9:8c:31:a4
    subnet_id: e2lb1da2dd9v********
    primary_v4_address:
      address: 10.129.**.**
      one_to_one_nat:
        address: 158.160.**.**
        ip_version: IPV4
    security_group_ids:
      - enpqtbh6ulo3********
...

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Open the configuration file and update the VM network interface parameters in the section with the description of the yandex_compute_instance resource.

    resource "yandex_compute_instance" "my-vm" {
...
  network_interface {
    ...
    security_group_ids = "<security_group_ID>"
    nat                = true
    ...
  }
...
}

    Where:

    • yandex_compute_instance: VM description.
    • network_interface: VM network interface settings.
    • security_group_ids: List of security group IDs.
    • nat: Specifies if an instance will have an assigned public IP address.

  2. Create the resources:

    1. In the terminal, go to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will change all required resources. You can check the resources’ updates in the management console.

For more information about yandex_compute_instance properties, see this Terraform article.

To add a security group to the VM network interface, use the updateNetworkInterface REST API method for the Instance resource or the InstanceService/UpdateNetworkInterface gRPC API call.

To assign a public IP address to a VM, use the addOneToOneNat REST API method for the Instance resource or the InstanceService/AddOneToOneNat gRPC API call.

For more information, see Changing security groups of a VM network interface and Assigning a public IP address to a VM.

Install the Cloud Backup agent

  1. Connect to the VM over SSH.

  2. Install the Cloud Backup agent on the VM:

    sudo apt update && \
sudo apt install -y jq && \
curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash

    Result:

    ...
Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********

    sudo yum install epel-release -y && \
sudo yum update -y && \
sudo yum install jq -y && \
curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash

    Result:

    ...
Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********

After that, you can link your VM to backup policies.

To connect an existing VM to Cloud Backup, you can also take snapshots of the VM disks and create a new VM based on those snapshots by selecting the backup option.

See also

Previous
Creating and connecting a Windows VM
Next
Connecting an existing Linux VM with OS Login