Linking a Yandex Cloud Backup policy to a VM automatically using the management console, CLI, or API
To create a virtual machine with automatic linking to a Cloud Backup policy:
- Prepare your cloud.
- Activate the service.
- Create a service account.
- Create a cloud network and subnets.
- Create and configure a security group.
- Create a backup policy.
- Create a VM.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for VM computing resources (see Yandex Compute Cloud pricing).
- Fee for VM disks (see Yandex Compute Cloud pricing).
- Fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).
- Fee for VMs connected to Cloud Backup and the backup size (see Yandex Cloud Backup pricing).
Activate the service
Note
The minimum folder role required to activate the service is backup.editor
(see its description for details).
-
In the management console
, select the folder you want to create a VM with a Cloud Backup connection in. -
In the list of services, select Cloud Backup.
-
If you have not activated Cloud Backup yet, click Activate.
If there is no Activate button, and you have access to creating a VM with a Cloud Backup connection, it means the service has already been activated. Proceed to the next step.
Create a service account
- In the management console
, select the folder the service is activated in. - In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account:
backup-sa
. - Click
Add role and select thebackup.editor
role. - Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Create a service account named
backup-sa
:yc iam service-account create --name backup-sa
Result:
id: ajehb3tcdfa1******** folder_id: b1g86q4m5vej******** created_at: "2024-07-22T16:05:14.237381531Z" name: backup-sa
For more information about the
yc iam service-account create
command, see the CLI reference. -
Assign the
backup.editor
role for the folder to the service account:yc resource-manager folder add-access-binding <folder_ID> \ --role backup.editor \ --subject serviceAccount:<service_account_ID>
Result:
done (3s) effective_deltas: - action: ADD access_binding: role_id: backup.editor subject: id: ajehb3tcdfa1******** type: serviceAccount
For more information about the
yc resource-manager folder add-access-binding
command, see the CLI reference.
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
To assign the backup.editor
role for the folder to the service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.
Create a cloud network and subnets
Create a cloud network with a subnet in the availability zone that will host your VM.
- In the management console
, select the folder you want to create a cloud network in. - In the list of services, select Virtual Private Cloud.
- At the top right, click Create network.
- In the Name field, specify
cloud-network
. - In the Advanced field, select Create subnets.
- Click Create network.
-
Create a cloud network named
cloud-network
:yc vpc network create cloud-network
Result:
id: enptrcle5q3d******** folder_id: b1g9hv2loamq******** created_at: "2024-06-08T09:25:03Z" name: cloud-network default_security_group_id: enpbsnnop4ak********
For more information about the
yc vpc network create
command, see the CLI reference. -
Create a subnet named
cloud-network-ru-central1-d
in theru-central1-d
availability zone:yc vpc subnet create cloud-network-ru-central1-d \ --zone ru-central1-d \ --network-name cloud-network \ --range 10.1.0.0/16
Result:
id: e9bnnssj8sc8******** folder_id: b1g9hv2loamq******** created_at: "2024-06-08T09:27:00Z" name: cloud-network-ru-central1-d network_id: enptrcle5q3d******** zone_id: ru-central1-d v4_cidr_blocks: - 10.1.0.0/16
For more information about the
yc vpc subnet create
command, see the CLI reference.
- Create a network named
cloud-network
using the create REST API method for the Network resource or the NetworkService/Create gRPC API call. - Create the
cloud-network-ru-central1-d
subnet using the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.
Create and configure a security group
For the Cloud Backup agent to exchange data with the backup provider servers, the security group must contain the rules that allow network access to the IP addresses of the Cloud Backup resources.
A rule to enable VM access over SSH will also be added to the security group.
-
In the management console
, go to the folder you want to create a VM with a Cloud Backup connection in. -
In the list of services, select Virtual Private Cloud.
-
In the left-hand panel, select
Security groups. -
Click Create security group.
-
In the Name field, specify
backup-sg
. -
In the Network field, select
cloud-network
. -
Under Rules, go to the Egress tab and click Add rule.
-
Add the following outgoing traffic rules one by one:
Port range Protocol Destination name CIDR blocks 80
TCP
CIDR
213.180.193.0/24
80
TCP
CIDR
213.180.204.0/24
443
TCP
CIDR
84.47.172.0/24
443
TCP
CIDR
84.201.181.0/24
443
TCP
CIDR
178.176.128.0/24
443
TCP
CIDR
213.180.193.0/24
443
TCP
CIDR
213.180.204.0/24
7770-7800
TCP
CIDR
84.47.172.0/24
8443
TCP
CIDR
84.47.172.0/24
44445
TCP
CIDR
51.250.1.0/24
-
Add a rule for incoming traffic to enable VM access over SSH:
Port range Protocol Source CIDR blocks 22
Any
CIDR
0.0.0.0/0
-
Click Create.
Run the following command:
yc vpc security-group create backup-sg \
--network-name network-1 \
--rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
--rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
--rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
--rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.201.181.0/24]" \
--rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[178.176.128.0/24]" \
--rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
--rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
--rule "direction=egress,from-port=7770,to-port=7800,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
--rule "direction=egress,port=8443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
--rule "direction=egress,port=44445,protocol=tcp,v4-cidrs=[51.250.1.0/24]" \
--rule "direction=ingress,port=22,protocol=any,v4-cidrs=[0.0.0.0/0]"
Result:
id: enp0v73fe8fs********
folder_id: b1g86q4m5vej********
created_at: "2024-07-22T20:17:43Z"
name: backup-sgg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
- id: enpporsovuhj********
direction: EGRESS
ports:
from_port: "80"
to_port: "80"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 213.180.193.0/24
- id: enp7p6asol5i********
direction: EGRESS
ports:
from_port: "80"
to_port: "80"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 213.180.204.0/24
...
- id: enp36mip5nhe********
direction: INGRESS
ports:
from_port: "22"
to_port: "22"
protocol_name: ANY
protocol_number: "-1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
For more information about the yc vpc security-group create
command, see the CLI reference.
To create a security group, use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.
Create a backup policy
You can create a new policy or use one of those automatically generated upon service activation.
-
In the management console
, select the folder you want to create a backup policy in. -
In the list of services, select Cloud Backup.
-
Go to the
Backup policies tab. -
Click Create policy.
-
Specify the policy properties:
- Name:
weekly-backup
. - Create backups:
Every week
. - Days of the week:
Friday
. - Time:
03:00
. - Type:
Incremental
. - Retain backups:
Retain all backups
.
- Name:
-
Click Save.
-
Describe the configuration of the backup policy you are creating in the
backup-policy-scheme.json
file.{ "compression": "NORMAL", "format": "AUTO", "multiVolumeSnapshottingEnabled": true, "preserveFileSecuritySettings": true, "reattempts": { "enabled": true, "interval": { "type": "SECONDS", "count": "30" }, "maxAttempts": "30" }, "silentModeEnabled": true, "splitting": { "size": "1099511627776" }, "vmSnapshotReattempts": { "enabled": true, "interval": { "type": "MINUTES", "count": "5" }, "maxAttempts": "3" }, "vss": { "enabled": true, "provider": "TARGET_SYSTEM_DEFINED" }, "archive": { "name": "'[Machine Name]-[Plan ID]-[Unique ID]A'" }, "performanceWindow": { "enabled": true }, "scheduling": { "backupSets": [ { "time": { "weekdays": [ "FRIDAY" ], "repeatAt": [ { "hour": "3" } ], "type": "WEEKLY" } } ], "enabled": true, "maxParallelBackups": "2", "randMaxDelay": { "type": "MINUTES", "count": "30" }, "scheme": "ALWAYS_INCREMENTAL", "weeklyBackupDay": "MONDAY" }, "cbt": "ENABLE_AND_USE", "fastBackupEnabled": true, "quiesceSnapshottingEnabled": true }
-
Create a backup policy:
yc backup policy create \ --name weekly-backup \ --settings-from-file ./backup-policy-scheme.json
Result:
id: cdgo5vytuw57******** name: weekly-backup created_at: "2024-07-23T20:34:37Z" updated_at: "2024-07-23T20:34:37Z" enabled: true settings: compression: NORMAL format: AUTO multi_volume_snapshotting_enabled: true preserve_file_security_settings: true reattempts: enabled: true interval: type: SECONDS count: "30" max_attempts: "30" silent_mode_enabled: true splitting: size: "1099511627776" vm_snapshot_reattempts: enabled: true interval: type: MINUTES count: "5" max_attempts: "3" vss: enabled: true provider: TARGET_SYSTEM_DEFINED archive: name: '''[Machine Name]-[Plan ID]-[Unique ID]A''' performance_window: enabled: true retention: {} scheduling: backup_sets: - time: weekdays: - FRIDAY repeat_at: - hour: "3" type: WEEKLY type: TYPE_AUTO enabled: true max_parallel_backups: "2" rand_max_delay: type: MINUTES count: "30" scheme: ALWAYS_INCREMENTAL weekly_backup_day: MONDAY cbt: ENABLE_AND_USE fast_backup_enabled: true quiesce_snapshotting_enabled: true folder_id: b1g86q4m5vej********
Save the policy
id
.For more information about the
yc backup policy create
command, see the CLI reference.
To create a backup policy, use the create REST API method for the Policy resource or the PolicyService/Create gRPC API call.
Create a VM
-
In the management console
, select the folder where you want to create a VM. -
In the list of services, select Compute Cloud.
-
In the left-hand panel, select
Virtual machines and click Create virtual machine. -
Enter a name for the VM:
backup-instance
. -
Select the
ru-central1-d
availability zone. -
Under Boot disk image, select Ubuntu 22.04 image.
-
Under Network settings:
- Select the
cloud-network-ru-central1-d
subnet. - In the Public IP field, select
Auto
. - Select the
backup-sg
security group.
- Select the
-
Under Access:
- Select the
backup-sa
service account. - In the Login field, enter the username:
vm-user
. - In the SSH key field, paste the contents of the public key file. You need to create a key pair for the SSH connection yourself.
- Select the
-
Under Additional:
- Enable Cloud Backup.
- Select the backup policy created earlier.
-
Click Create VM.
-
Describe the custom metadata configuration in the
user-data.yaml
file:#cloud-config datasource: Ec2: strict_id: false ssh_pwauth: no users: - name: vm-user sudo: ALL=(ALL) NOPASSWD:ALL shell: /bin/bash ssh_authorized_keys: - <public_SSH_key> packages: - curl - perl - jq runcmd: - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
-
Specify the
weekly-backup
policy ID in thecloudbackup.json
file:{"initialPolicies": ["<weekly_backup_policy_ID>"]}
To learn more about getting the policy ID, see Getting information about a backup policy.
-
Run this command:
yc compute instance create \ --name backup-instance \ --zone ru-central1-d \ --network-interface subnet-name=cloud-network-ru-central1-d,security-group-ids=<backup-sg_security_group_ID>,ipv4-address=auto,nat-ip-version=ipv4 \ --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2204-lts,size=15 \ --metadata-from-file user-data=./user-data.yaml,cloudbackup=./cloudbackup.json \ --service-account-name backup-sa
For more information about the
yc compute instance create
command, see the CLI reference.
To create a VM, use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.
In the request body, specify:
- In the
metadata
field, theuser-data
object containing the custom metadata configuration with a script to install a backup agent. - In the
cloudbackup
field, the backup policy ID. To learn more about getting the policy ID, see Getting information about a backup policy.
Use \n
as a line separator.
Request body example
{
"folderId": "<folder_ID>",
"name": "backup-instance",
"zoneId": "ru-central1-d",
"platformId": "standard-v3",
"resourcesSpec": {
"memory": "2147483648",
"cores": "2"
},
"metadata": {
"user-data": "#cloud-config\ndatasource:\nEc2:\n strict_id: false\nssh_pwauth: no\nusers:\n- name: vm-user\n shell: /bin/bash\n sudo: ALL=(ALL) NOPASSWD:ALL\n ssh_authorized_keys:\n - <public_SSH_key>\npackages:\n - curl\n - perl\n - jq\nruncmd:\n - curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash",
"cloudbackup": "{\"initialPolicies\": [\"<policy_ID>\"]}"
},
"bootDiskSpec": {
"diskSpec": {
"size": "16106127360",
"imageId": "fd8ljvsrm3l1********"
}
},
"networkInterfaceSpecs": [
{
"subnetId": "<subnet_ID>",
"primaryV4AddressSpec": {
"oneToOneNatSpec": {
"ipVersion": "IPV4"
}
},
"securityGroupIds": [
"<security_group_ID>"
]
}
],
"serviceAccountId": "<service_account_ID>"
}
Note
When the VM switches to the Running
status, a Cloud Backup agent will start installing on it. This may take from 5 to 10 minutes.
A policy is linked asynchronously after you create and initialize a VM, as well as install and configure a backup agent. This may take up to 10-15 minutes. As a result, the virtual machine will appear in the list of Cloud Backup VMs and in the list of VMs linked to the weekly-backup
policy.
You can monitor the installation progress using the VM serial port in the management console.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the VM from Cloud Backup.
- Delete the VM from Compute Cloud.
- Delete the static public IP if you reserved one.
- Delete VM backups, if any.