GSP1326

Overview

Business continuity and disaster recovery planning is critical for sustaining business operations while recovering from a significant security incident, natural disaster, or disruption.

Google Cloud Backup and DR Service is a cloud-based backup and disaster recovery solution that enables the backup and recovery of data to support quick resumption of critical business operations.

After Backup and DR Service performs an initial full backup, your data (general applications, VMware VMs, Compute Engine VMs, databases, and file systems) is backed up incrementally, updating and storing any data that has changed since the last backup.

In this lab, you discover and protect a Compute Engine instance, and mount a fully-functional new Compute Engine instance from the backup image to a new location.

Objectives

In this lab, you learn how to perform the following tasks:

• Create a Backup Vault and configure a Backup Plan.
• Schedule automated backups for Compute Engine instances.
• Initiate on-demand backups.
• Restore a Compute Engine instance to the same project.
• Restore a Compute Engine instance to an alternate project.

Scenario

Cymbal Bank's Incident Response Team successfully responded to the security incident and contained the unauthorized access. Hannah and the rest of the Incident Response Team are working on implementing recovery actions to restore the affected virtual machines (VMs). You have been asked to assist with this.

Here’s how you’ll do this task: First, you’ll connect to the Backup Vault. Next, you’ll create and validate a backup plan. Next, you’ll schedule a backup. Then, you’ll create a on-demand backup to create image of VM instance. Finally, you’ll restore a Compute Engine instance in two different Google Cloud projects.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).

Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.

• Time to complete the lab—remember, once you start, you cannot pause a lab.

Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

   • The Open Google Cloud console button
   • Time remaining
   • The temporary credentials that you must use for this lab
   • Other information, if needed, to step through this lab

2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

   The lab spins up resources, and then opens another tab that shows the Sign in page.

   Tip: Arrange the tabs in separate windows, side-by-side.

   Note: If you see the Choose an account dialog, click Use Another Account.

3. If necessary, copy the Username below and paste it into the Sign in dialog.

   {{{user_0.username | "Username"}}}

   You can also find the Username in the Lab Details pane.

4. Click Next.

5. Copy the Password below and paste it into the Welcome dialog.

   {{{user_0.password | "Password"}}}

   You can also find the Password in the Lab Details pane.

6. Click Next.

   Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

7. Click through the subsequent pages:

   • Accept the terms and conditions.
   • Do not add recovery options or two-factor authentication (because this is a temporary account).
   • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Task 1. Create a backup vault

1. In the Google Cloud console, click the Navigation menu () > Backup and DR. (You will have to click More Products and then scroll down to find Backup and DR in the Storage section).
2. From left nevigation pane, click Backup vaults.
3. In the Backup vaults section, click +CREATE BACKUP VAULT.
4. In the name field, enter a name vm-backup-vault for the backup vault.
5. In the Description field, type Virtual Machine Backup vaults.
6. Click Continue.
7. For Location, Select .
8. Click Continue.
9. For Minimum enforced retention, Enter 10 days. Click Continue.
10. On Define access to your backup vault page leave the default settings and click CREATE.

Click Check my progress to verify the objective. Create a backup vault

Task 2. Create a backup plan

1. From the left nevigation pane, click Backup plans.

2. In the Backup plan section, click +CREATE BACKUP PLAN.

3. In the Backup plan name field, enter a name vm-backup-plan for the backup vault.

4. In the Description field, type Virtual Machine Backup plan.

5. For Region, Select .

6. For Backup vault, Select vm-backup-vault.

7. In the Add backup rules, click +ADD RULE. Enter the following values:

   Field	Value
   Name	backup-rule
   Recurrance	Hourly
   Repeat every	4
   Start time	12:00 A.M.
   End time	12:00 P.M.
   Delete backups after	10

8. Click +SAVE.

9. Click +CREATE.

Click Check my progress to verify the objective. Create a backup plan

Task 3. Schedule backup for VM

You can automatically back up Compute Engine instances at specific intervals, such as daily, weekly, monthly, or yearly.

1. From left nevigation pane, click Vaulted backups.
2. In the Vaulted backups section, click SCHEDULE BACKUP.
3. In the Resources section,

Enter the values for the following fields:

Property	Value (type value or select option as specified)
Project
Region

4. In the Resources field, click BROWSE. Select the checkbox next to lab-vm.
5. Click DONE
6. In the Backup plan, click SELECT. Select vm-backup-plan.
7. Click DONE
8. Click CONTINUE.
9. Click SCHEDULE.

Click Check my progress to verify the objective. Schedule a backup for VM

Task 4. Create a on-demand backup

In this task, you’ll initiate an on-demand backup for a Compute Engine instance with a backup plan by triggering the backup rule of your choice to run immediately. On-demand backups are incremental and capture only the changed data since the last backup.

1. On Vaulted backups page, click lab-vm.
2. Click CREATE ON-DEMAND BACKUP.
3. Select backup-rule. Click CREATE.

It will take several minutes (~5 minutes) for the Create On-demand backup operation to complete. To check the status of the creation process, click the Notifications icon (bell icon) in the top main navigation bar to display a status notification. Ensure that the icon status for Create an on-demand backup has a green check next to it before proceeding.

Click Check my progress to verify the objective. Create a on-demand backup

Task 5. Restore a Compute Engine instance

Now that you have an image of your Compute Engine instance, you’ll create a brand new Compute Engine instance using the backup image that you created in the previous task.

Before restoring the Backup, the backup vault service agent must be granted the required roles in the restore project to create an instance using the backup.

1. On Vaulted backups page, click lab-vm.

2. Click RESTORE.

3. Scroll down to the page and copy the Backup vault service agent service account. This should be of the form vault-xxxxxxxxx-xxxxx@gcp-sa-backupdr-pr.iam.gserviceaccount.com.

4. In the Google Cloud console, in the Navigation menu (), click IAM & Admin > IAM.

5. Click Grant access.

6. Click Add principal, in the New principals field, paste the email address of the backup vault service agent service account.

7. In the Assign roles section:

   • Click Select a role and assign the Backup and DR > Backup and DR Compute Engine Operator role.
   • Click +Add Another Role.
   • Click Select a role and assign the Compute engine > Compute Network User role.
   • Click +Add Another Role.
   • Click Select a role and assign the Compute engine > Compute Viewer role.

8. Click Save.

9. In the Google Cloud console, click the Navigation menu () > Backup and DR. (You will have to click More Products and then scroll down to find Backup and DR in the Storage section).

10. On Vaulted backups page, click lab-vm.

11. Click RESTORE. Enter the values for the following fields:

    Property	Value (type value or select option as specified)
    Resource name	lab-vm
    Backup	Select latest backup from the list
    Restore project name

12. Click CONTINUE.

13. Change the name for the new VM instance to lab-vm-recovered.

14. Select Region and zone . Leave the remaining field as it is. Click Create.

Click Check my progress to verify the objective.

Restore a Compute Engine instance

Task 6. Restore a Compute Engine instance to an alternate project

In this task, you’ll restore a Computer Engine instance using the backup template you created, but this time to a different project.

You can also create a brand new Compute Engine instance in a different project from backup images.

To restore a Compute Engine instance to an alternate project, the backup vault service agent must be granted the required roles in the restore project to create an instance using the backup.

1. In the Google Cloud console, in the Navigation menu (), click IAM & Admin > IAM.

2. In the list of principals, find and copy the email of the Service account for Backup vault service agent to use in Step 6. The email is similar to the following: vault-xxxxxxxxx-xxxxx@gcp-sa-backupdr-pr.iam.gserviceaccount.com.

3. In the Google Cloud console, click the Project selection drop-down. If the project lists only one project, click All to open the All tab.

4. Search for Google Cloud project ID 2: and then click to select that project ID. You are now in the Permissions page for Google Cloud project ID 2:.

5. Click Grant access.

6. In the Add Principles section, in the New principals field, paste the email address of the service account of Google Cloud project 1, named Service account for Backup vault service agent. It should be still in your clipboard.

7. In the Assign roles section:

   • Click Select a role and assign the Backup and DR > Backup and DR Compute Engine Operator role.
   • Click +Add Another Role.
   • Click Select a role and assign the Compute engine > Compute Network User role.
   • Click +Add Another Role.
   • Click Select a role and assign the Compute engine > Compute Viewer role.

8. Click Save.

   You’ve added the service account of Google Cloud project 1 as a principal to Google Cloud project 2. You can now recover the instance on Google Cloud project 2.

9. Change to Google Cloud project ID 1:.

10. In the Google Cloud console, click the Navigation menu () > Backup and DR. (You will have to click More Products and then scroll down to find Backup and DR in the Storage section).

11. On Vaulted backups page, click lab-vm.

12. Click RESTORE. Enter the values for the following fields:

    Property	Value (type value or select option as specified)
    Resource name	lab-vm
    Backup	Select latest backup from the list
    Restore project name

13. Click CONTINUE.

14. Change the name for the new VM instance to lab-vm-project2.

15. Select Region and zone . Leave the remaining field as it is. Click Create.

Note: The VM instance may take five minutes or longer to create.

Click Check my progress to verify the objective.

Restore a Compute Engine instance to an alternate project

Congratulations

Great work! You successfully used Google Backup and DR Service to create a backup template and then applied it to two Compute Engine instances.

You have shown how to prepare for issues with VMs and the service. When a device malfunctions, you can use Backup and DR Service to restore mal-functioning devices across multiple Google Cloud projects.

Manual Last Updated June 16, 2025

Lab Last Tested May 21, 2025

Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.