Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Connecting an existing Yandex BareMetal server to Yandex Cloud Backup

Written by
Improved by
Updated at August 8, 2025

You can connect an existing BareMetal server to Cloud Backup and configure backups of its data.

For more information about connecting a BareMetal server to Cloud Backup when ordering it, see Leasing a Yandex BareMetal server connected to Cloud Backup.

For more information on managing BareMetal servers, see Step-by-step guides for Yandex BareMetal.

Connecting to Cloud Backup is supported for servers running the following operating systems:

  • CentOS 7
  • Debian 10.
  • Debian 11.
  • Ubuntu 16.04 LTS.
  • Ubuntu 18.04 LTS.
  • Ubuntu 20.04 LTS.
  • Ubuntu 22.04 LTS.
  • Ubuntu 24.04 LTS.

To connect an existing server to Cloud Backup:

  1. Get your cloud ready.
  2. Create a service account.
  3. Activate Cloud Backup.
  4. Lease a test server.
  5. Connect to the server.
  6. Install the Cloud Backup agent.
  7. Associate the server with a backup policy.
  8. Run the backup process.
  9. Restore your server from the backup.

See also How to cancel a lease and delete resources.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a linked billing account with an ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support cost includes:

Traffic transmitted between Yandex BareMetal and Yandex Cloud Backup is free of charge.

Create a service account

  1. In the management console, select the folder where you want to lease a BareMetal server.

  2. In the list of services, select Identity and Access Management.

  3. Click Create service account.

  4. Enter a name for the service account. Follow these naming requirements:

    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  5. Click Add role and assign the backup.editor and baremetal.editor roles to the service account.

  6. Click Create.

  7. Select the service account you created by clicking the row with its name.

  8. In the top panel, click Create new key.

  9. Select Create authorized key.

  10. Select an encryption algorithm and click Create.

  11. In the window that opens, click Download file with keys and then click Close.

You will need the authorized key of the service account in the later steps.

Activate Cloud Backup

To activate Cloud Backup, you need at least the backup.editor role for the folder where you want to lease a server and connect it to Cloud Backup.

When you enable the service, the backup provider starts. For more information about the backup provider and data sent to it, see Service activation and backup provider.

  1. In the management console, select the folder where you want to lease a server and connect it to Cloud Backup.

  2. In the list of services, select Cloud Backup.

  3. If you have not activated Cloud Backup yet, click Activate.

    If there is no Activate button, Cloud Backup is already activated. Proceed to the next step.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to activate the service:

    yc backup provider activate --help

  2. Activate the service in the default folder:

    yc backup provider activate --async

    Where --async displays the operation progress info. This is an optional parameter.

    Result:

    id: cdgmnefxiatx********
description: activate provider
created_at: "2024-10-14T09:03:47.960564Z"
created_by: ajec1gaqcmtr********
modified_at: "2024-10-14T09:03:47.960564Z"
done: true
metadata:
  '@type': type.googleapis.com/yandex.cloud.backup.v1.ActivateProviderMetadata
  folder_id: b1go3el0d8fs********
response:
  '@type': type.googleapis.com/google.protobuf.Empty
  value: {}

After activation, the system automatically creates the following backup policies:

  • Default daily: Daily incremental backup with the last 15 backups retained.
  • Default weekly: Weekly incremental backup with the last 15 backups retained.
  • Default monthly: Monthly incremental backup with the last 15 backups retained.

If you prefer not to create them, use the --skip-default-policy parameter.

After activation, the system automatically creates the following backup policies:

  • Default daily: Daily incremental backup with the latest 15 backups retained.
  • Default weekly: Weekly incremental backup with the latest 15 backups retained.
  • Default monthly: Monthly incremental backup with the latest 15 backups retained.

Lease a test server

If you are already leasing a server with an appropriate OS, proceed to Connect to the server. Make sure to check the network permissions you need to configure on the server.

  1. In the management console, select the folder you want to lease a server in.

  2. In the list of services, select BareMetal and click Lease server.

  3. In the Availability zone field, select the availability zone the server will be leased in.

  4. In the Pool field, select the pool the server will be leased from.

  5. Under Configuration, select the appropriate server configuration.

  6. (Optional) Under Disk, configure disk partitioning:

    1. Click Configure disk layout.

    2. Specify the partitioning parameters. To create a new partition, click Add partition.

      To build RAID arrays and configure disk partitions yourself, click Remove RAID.

    3. Click Save.

    Note

    The disk partitioning parameters are vital to have your server restored from a backup later on. For more information, see Restoring a VM or Yandex BareMetal server from a backup.

  7. Under Image, select Marketplace and an OS supported in Cloud Backup.

  8. Under Lease conditions:

    1. In the Number of servers field, specify 1.

    2. In the Lease duration field, select a lease period: 1 day, 1 month, 3 months, 6 months, or 1 year.

      When this period expires, server lease will automatically be renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

  9. Under Private network, in the Private subnet field, select an existing private subnet or click Create to create a new one.

  10. Under Public network, in the Public address field, select a public IP address assignment method:

    • From ephemeral subnet: Assign a random IP address. If you need to get the IP address when creating a server via a request to a DHCP server, enable Assign via DHCP.

    • From a dedicated subnet: To assign an IP address from the range of addresses of a dedicated public subnet.

      In the field that opens, select a public subnet or click Order to order a new one.

      Warning

      The dedicated public subnet does not have a DHCP server; therefore, on the network interface of the server connected to such subnet, you should manually configure a static IP address from the subnet’s range of available public IP addresses and specify the default gateway address.

    For the Cloud Backup agent to exchange data with the backup provider servers, make sure the server has network access to the IP addresses of Cloud Backup resources based on the following table:

    Port range Protocol Destination name CIDR blocks
    80 TCP CIDR 213.180.193.0/24
    80 TCP CIDR 213.180.204.0/24
    443 TCP CIDR 84.47.172.0/24
    443 TCP CIDR 84.201.181.0/24
    443 TCP CIDR 178.176.128.0/24
    443 TCP CIDR 213.180.193.0/24
    443 TCP CIDR 213.180.204.0/24
    7770-7800 TCP CIDR 84.47.172.0/24
    8443 TCP CIDR 84.47.172.0/24
    44445 TCP CIDR 51.250.1.0/24

  11. Under Access:

    1. In the Password field, select one of the following options to create a root password:

      • To generate a new root password, select New password and click Generate.

        Warning

        This option requires you to maintain password security. Save the password you generated in a secure location. Yandex Cloud does not store it, and you will not be able to retrieve it once the server is deployed.

      • To use the root password saved in a Yandex Lockbox secret, select Lockbox secret.

        In the Name, Version, and Key fields, select the secret containing your password, its version, and its key, respectively.

        If you do not have a Yandex Lockbox secret, click Create to create it.

        Choose the Custom secret type to specify a custom password or Generated to generate password automatically.

    2. In the Public SSH key field, select the SSH key saved in your organization user profile.

      If there are no SSH keys in your profile or you want to add a new key:

      1. Click Add key.

      2. Enter a name for the SSH key.

      3. Select one of the following:

        • Enter manually: Paste the contents of the public SSH key. You need to create an SSH key pair on your own.

        • Load from file: Upload the public part of the SSH key. You need to create an SSH key pair on your own.

        • Generate key: Automatically create an SSH key pair.

          When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the /home/<user_name>/.ssh directory. In Windows, unpack the archive to the C:\Users\<user_name>/.ssh directory. You do not need additionally enter the public key in the management console.

      4. Click Add.

      The system will add the SSH key to your organization user profile. If the organization has disabled the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  12. Under Server information:

    1. Specify the server name in the Name field.
    2. Optionally, add a server description in the Description field.
    3. Optionally, set labels in the Labels field.

  13. Click Lease server.

  1. View the description of the command for leasing a server:

    yc baremetal server create --help

  2. Get a list of configurations:

    yc baremetal configuration list

  3. Lease a server:

    yc baremetal server create \
  --hardware-pool-id <pool> \
  --configuration-id <configuration_ID> \
  --storage "partition={type=<file_system>,size-gib=<partition_size>,mount-point=<mount_point>},raid-type=<RAID array level>,disk={id=<disk_number>,size-gib=<disk_size>,type=<disk_type>}" \
  --os-settings "image-id=<image_ID>,image-name=<image_name>,ssh-key-public=<public_SSH_key_contents>,ssh-key-user-id=<SSH_key_user_ID>,password-plain-text=<user_password>,password-lockbox-secret={secret-id=<secret_ID>,version-id=<secret_version>,key=<secret_key>}" \
  --rental-period-id <lease_period> \
  --network-interfaces private-subnet-id=<private_subnet_ID> \
  --network-interfaces public-subnet-id=<public_subnet_ID> \
  --name <server_name> \
  --description "<server_description>" \
  --labels <label_key>=<label_value>

    Where:

    • --hardware-pool-id: Pool to lease a server from.

    • --configuration-id: Server configuration ID.

    • --storage: Disk partitioning settings. This is an optional parameter. Possible settings:

      • partition: Disk partition:

        • type: File system. The possible values are Ext3, Ext4, Swap, or Xfs.
        • size-gib: Partition size in GB.
        • mount-point: Mount point.

      • disk: Disk:

        • id: Disk number.
        • size-gib: Disk size in GB.
        • type: Disk type.

      • raid-type: RAID array level.

      Note

      The disk partitioning parameters are vital to have your server restored from a backup later on. For more information, see Restoring a VM or Yandex BareMetal server from a backup.

    • --os-settings: OS settings. To lease a server without an operating system, skip this parameter. Possible settings:

      • image-id: ID of one of the available Yandex Cloud Marketplace public OS images.

      • image-name: Name of one of the available Yandex Cloud Marketplace public OS images.

      • ssh-key-public: Public SSH key contents. You will need to create your own SSH key pair to establish a secure server connection.

      • ssh-key-user-id: SSH key user ID.

      • password-plain-text: Root user's password.

        Warning

        This option requires you to maintain password security. Save the password you generated in a secure location. Yandex Cloud does not store it, and you will not be able to retrieve it once the server is deployed.

      • password-lockbox-secret: Yandex Lockbox secret:

        • secret-id: Secret ID.
        • version-id: Secret version.
        • key: Secret key.

      You can install the OS from a custom ISO image later.

    • --rental-period-id: Server lease period. The possible values are 1 day, 1 month, 3 months, 6 months or 1 year.

      When this period expires, server lease will automatically be renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

    • --network-interfaces: Network settings:

      Warning

      The dedicated public subnet does not have a DHCP server; therefore, on the network interface of the server connected to such subnet, you should manually configure a static IP address from the subnet’s range of available public IP addresses and specify the default gateway address.

      For the Cloud Backup agent to exchange data with the backup provider servers, make sure the server has network access to the IP addresses of Cloud Backup resources based on the following table:

      Port range Protocol Destination name CIDR blocks
      80 TCP CIDR 213.180.193.0/24
      80 TCP CIDR 213.180.204.0/24
      443 TCP CIDR 84.47.172.0/24
      443 TCP CIDR 84.201.181.0/24
      443 TCP CIDR 178.176.128.0/24
      443 TCP CIDR 213.180.193.0/24
      443 TCP CIDR 213.180.204.0/24
      7770-7800 TCP CIDR 84.47.172.0/24
      8443 TCP CIDR 84.47.172.0/24
      44445 TCP CIDR 51.250.1.0/24
    • --name: Server name.
    • --description: Server description. This is an optional parameter.
    • --labels: Server labels. This is an optional parameter.

Save the server name and ID, as you will need them later.

For more information on leasing a server, see this BareMetal guide.

Connect to the server

  1. In the management console, select the folder containing your server.
  2. In the list of services, select BareMetal.
  3. Find the server you need, click in its row, and select Start KVM console.
  4. In the window that opens, click KVM console.

To establish a server connection, specify the server public IP address which you can get using the management console, in the Public address field under Network settings on the server page.

  1. In the terminal, run this command:

    ssh root@<server_public_IP_address>

    If this is your first time connecting to the server, you will get this unknown host warning:

    The authenticity of host '51.250.83.243 (51.250.83.243)' can't be established.
ED25519 key fingerprint is SHA256:6Mjv93NJDCaf/vu3NYwiLQK4tKI+4cfLtkd********.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

  2. Type yes into the terminal and press Enter.

  3. Enter the password you specified when creating the server and press Enter.

To establish a server connection, specify the server public IP address which you can get using the management console, in the Public address field under Network settings on the server page.

Make sure the Windows account has read access to the key folder.

  1. To connect to the server, run the following command in the command line:

    ssh root@<server_public_IP_address>

    If this is your first time connecting to the server, you will get this unknown host warning:

    The authenticity of host '89.169.132.223 (89.169.132.223)' can't be established.
ECDSA key fingerprint is SHA256:DfjfFB+in0q0MGi0HnqLNMdHssLfm1yRanB********.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

  2. Type yes into the terminal and press Enter.

  3. Enter the password you specified when creating the server and press Enter.

Install the Cloud Backup agent

  1. Copy the file with the service account's authorized key you created earlier to the server. To do this, run the following command on the local machine:

    scp <path_to_authorized_key_file_on_local_machine> \
root@<server_public_IP_address>:<absolute_path_to_folder_on_server>

  2. Install the Yandex Cloud CLI by running this command on the server:

    curl -sSL https://storage.yandexcloud.net/yandexcloud-yc/install.sh | bash

  3. Install the required packages and utilities:

    apt update && apt install -y jq

    yum install epel-release -y && \
yum update -y && \
yum install jq -y && \
yum install wget -y

  4. Authenticate in the Yandex Cloud CLI using service account credentials:

    yc config set service-account-key <absolute_path_to_authorized_key>

  5. Get an IAM token:

    yc iam create-token

  6. Install the Cloud Backup agent, specifying the service account IAM token you got earlier:

    wget https://storage.yandexcloud.net/backup-distributions/agent_installer_bms.sh && \
sudo bash ./agent_installer_bms.sh \
-t=<IAM_token>

    Wait until you see the message confirming Cloud Backup agent registration:

    ...
Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********

Associate the server with a backup policy

You can create backups in Cloud Backup only as part of a backup policy. By default, BareMetal servers are not associated with any policy.

To associate a server with a backup policy:

  1. In the management console, select the folder where you want to associate a server with a backup policy.

  2. In the list of services, select Cloud Backup.

  3. In the left-hand panel, select Backup policies.

  4. Select the policy to associate your server with.

    Create a new backup policy as needed.

  5. Under Attached resources, click Attach a VM.

  6. In the window that opens, select the BareMetal servers tab and select the server from the list.

  7. Click Attach.

  1. See the description of the CLI command for associating a BareMetal server with a backup policy:

    yc backup policy apply --help

  2. Get the ID of the policy you want to associate your server with:

    yc backup policy list

    Result:

    +----------------------+----------------------+---------+---------+---------------------+---------------------+
|          ID          |      FOLDER ID       |  NAME   | ENABLED |     CREATED AT      |     UPDATED AT      |
+----------------------+----------------------+---------+---------+---------------------+---------------------+
| abc7n3wln123******** | ghi681qpe789******** | policy1 | true    | 2023-07-03 09:12:02 | 2023-07-03 09:12:43 |
| deflqbiwc456******** | ghi681qpe789******** | policy2 | true    | 2023-07-07 14:58:23 | 2023-07-07 14:58:23 |
+----------------------+----------------------+---------+---------+---------------------+---------------------+

    Create a new backup policy as needed.

  3. Get the ID of the server to associate. To do this, go to the relevant folder in the management console and select BareMetal from the list of services. The IDs are specified in the server list, the ID field.

  4. Associate the server with the backup policy, specifying the policy ID:

    yc backup policy apply <policy_ID> \
  --instance-ids <server_ID>

    Where --instance-ids is the ID of the BareMetal server being associated with the policy.

For more information about this command, see the CLI reference.

Run the backup process

Note

If you are using LVM to manage the disk space of the protected resource, learn how to restore resources with LVM in Cloud Backup.

To start a BareMetal server backup outside the backup policy schedule:

  1. In the management console, select the folder containing your backup policy.
  2. In the list of services, select Cloud Backup.
  3. In the left-hand panel, select BareMetal servers.
  4. Find the server you need, click in its row, and select Create backup.
  5. In the window that opens, select the backup policy for creating the backup and click Create.

Cloud Backup will start creating a backup of the BareMetal server. You can see the progress in the relevant server row in the Server status field.

Run this command, specifying the backup policy and server IDs:

yc backup policy execute \
  --id <policy_ID> \
  --instance-id <server_ID>

Wait for the operation to complete.

You can also run this command in asynchronous mode using the --async parameter and track the backup process using the yc backup resource list-tasks command.

Restore your server from the backup

Note

You can restore neither a VM backup to a BareMetal server, nor a BareMetal server backup to a VM.

If you need to restore one server's backup to another server, or if the OS has been reinstalled on the source server, reinstall the Cloud Backup agent on that server.

To avoid errors when recovering from a backup, start by comparing the parameters of the disks and partitions of the backup against those of the VM or Yandex BareMetal server. For more information, see Viewing the parameters of backup disks and partitions.

Tip

If the server used a RAID array, we recommend restoring the backup to a server with a similar partition configuration. We also recommend that you make the partitions at least as large as on the source server.

To restore your server from a backup:

  1. In the management console, select the folder containing the backup.
  2. In the list of services, select Cloud Backup.
  3. In the left-hand panel, select Backups and open the BareMetal servers tab.
  4. Next to the backup you need to restore your BareMetal server from, click and select Recover BareMetal server.
  5. In the window that opens, select the server used to create the selected backup. This server will be marked in the list as (current).
  6. Click Restore.

This will start the BareMetal server restoration from the backup. Wait for it to complete.

  1. Get a list of backups for the server, specifying its ID:

    yc backup backup list \
  --instance-id <server_ID>

    Save the backup ID.

  2. Restore your server from the backup, specifying their IDs:

    yc backup backup recover \
  --destination-instance-id="<server_ID>" \
  --source-backup-id="<backup_ID>"

    The recovery of your BareMetal server will start. Wait for it to complete.

    You can also run this command in asynchronous mode using the --async parameter and track the backup process using the yc backup resource list-tasks command.

    For more information about the yc backup backup recover command, see the CLI reference.

Warning

After you recover a BareMetal server from another server’s backup, you may lose network access to the target server. This is because the network settings recovered from the backup, namely the network interface MAC addresses, were taken from the source server.

To restore the network on the target VM, update the MAC addresses in the server's network interface settings using the KVM console. You can get current MAC addresses in the server OS using the ip a command or in the management console on the server information page under Public network and Private network. For more information on setting up network interfaces in a particular OS, see the relevant OS guides.

How to cancel a lease and delete resources

  1. Cancel your BareMetal server lease.
  2. Delete the backup in Cloud Backup using the CLI.

See also

Previous
Using Object Storage in Yandex Data Processing
Next
Object Storage integration with Nextcloud