=============== LIBRARY RULES ===============
From library maintainers:
- This is unofficial documentation - always verify against official Veeam Help Center

# Veeam Backup for Google Cloud

Veeam Backup for Google Cloud is an enterprise-grade data protection and disaster recovery solution designed specifically for Google Cloud environments. The product enables organizations to create image-level backups and cloud-native snapshots of VM instances, Cloud SQL instances, and Cloud Spanner instances, storing backed-up data in cost-effective Google Cloud storage buckets for long-term retention. The solution integrates with Veeam Backup & Replication through the Google Cloud Plug-in, providing a unified management experience through both the Veeam Backup & Replication console and a dedicated Web UI.

Key capabilities include automated backup scheduling with daily, weekly, monthly, and yearly policies, flexible restore options (entire instances, individual disks, file-level recovery), cross-platform recovery to VMware vSphere, Microsoft Hyper-V, Nutanix AHV, AWS, and Microsoft Azure, as well as data encryption using Veeam encryption mechanisms or Google Cloud KMS customer-managed encryption keys (CMEKs).

---

## Deploying Backup Appliance

Deploy a backup appliance from the Veeam Backup & Replication console to enable Google Cloud data protection. The appliance runs on an Ubuntu 22.04 LTS VM instance and hosts the Web UI, PostgreSQL database, and REST API service.

```bash
# Prerequisites: Enable Infrastructure Manager for your Google Cloud project

# Navigate in Veeam Backup & Replication console:
# 1. Open Backup Infrastructure view
# 2. Navigate to Managed Servers > Google Cloud
# 3. Click "Add Server" on the ribbon
# 4. Select "Deploy a new appliance to Google Cloud"

# Deployment creates the following resources automatically:
# - Storage bucket: deployfiles-{InstanceName}-{TimeStamp}
# - VM instance from Ubuntu 22.04 LTS image
# - Service account with required IAM permissions
# - Firewall rules for required ports

# Required ports for appliance communication:
# TCP/443   - Web UI access and REST API
# TCP/13140 - REST API service
# TCP/22    - SSH for deployment and upgrades
# TCP/587   - SMTP notifications
```

---

## Adding Service Accounts

Service accounts provide Veeam Backup for Google Cloud with the permissions needed to perform data protection operations across Google Cloud projects.

```bash
# Navigate to Configuration > Service Accounts in the Web UI
# Click "Add" to launch the Add Service Account wizard

# Service account types:
# 1. Create new service account - Veeam creates and configures the account
# 2. Use existing service account - Link an existing Google Cloud service account

# Required IAM roles for backup operations:
# - compute.viewer (VM instance discovery)
# - compute.storageAdmin (snapshot management)
# - storage.objectAdmin (backup repository access)
# - cloudsql.viewer (Cloud SQL instance discovery)
# - cloudsql.admin (Cloud SQL backup operations)
# - spanner.viewer (Cloud Spanner instance discovery)
# - spanner.admin (Cloud Spanner backup operations)

# Example: Granting required permissions via gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:veeam-backup@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.storageAdmin"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:veeam-backup@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectAdmin"
```

---

## Adding Backup Repositories

Backup repositories are Google Cloud storage buckets that store image-level backups and archived data. Repositories can use Standard, Nearline, or Archive storage classes.
```bash
# Navigate to Configuration > Repositories in the Web UI
# Click "Add" to launch the Add Repository wizard

# Repository configuration steps:
# 1. Specify repository name and description
# 2. Select Google Cloud project
# 3. Provide HMAC key for bucket access
# 4. Configure bucket settings (name, region, storage class)
# 5. Enable optional encryption

# Storage class recommendations:
# - Standard: Frequent access, hot data (backups < 30 days)
# - Nearline: Monthly access (backups 30-90 days)
# - Archive: Long-term retention (backups > 90 days)

# Example: Creating a storage bucket with gsutil for use as a repository
gsutil mb -p PROJECT_ID -c STANDARD -l us-central1 gs://veeam-backup-repo-prod/

# Generate HMAC key for the service account
gsutil hmac create veeam-backup@PROJECT_ID.iam.gserviceaccount.com
# Output: Access ID and Secret (save these for repository configuration;
# the secret is shown only at creation time)
```

---

## Creating VM Backup Policies

Backup policies define the schedule, retention, and target settings for protecting VM instances. Policies can create cloud-native snapshots and image-level backups on configurable schedules.
```bash
# Navigate to Policies > VM in the Web UI
# Click "Add" to launch the Add VM Policy wizard

# Policy configuration workflow:
# Step 1: Name and description
# Step 2: Select source project
# Step 3: Configure regions and VM selection (all VMs, by label, specific VMs)
# Step 4: Configure targets (snapshots location, backup repository, archive repository)
# Step 5: Configure schedule (daily, weekly, monthly, yearly)
# Step 6: Enable labels, notifications, and health checks
# Step 7: Review estimated cost and required permissions

# Example schedule configuration:
# Daily schedule:
# - Snapshots: Every 4 hours (00:00, 04:00, 08:00, 12:00, 16:00, 20:00)
# - Backups: Once daily at 02:00
# - Retention: Keep 7 restore points for snapshots, 14 days for backups

# Weekly schedule:
# - Run every Sunday at 01:00
# - Retention: Keep backups for 4 weeks

# Monthly schedule:
# - Run on 1st day of month at 00:00
# - Retention: Keep backups for 12 months

# Snapshot location options:
# - Multi-regional: Store in closest multi-regional location
# - Regional: Store in same region as source VM
```

---

## Creating Cloud SQL Backup Policies

Protect Cloud SQL instances (MySQL and PostgreSQL) with scheduled snapshots and image-level backups that capture instance configuration, databases, triggers, stored procedures, and users.

```bash
# Navigate to Policies > Cloud SQL in the Web UI
# Click "Add" to launch the Add Cloud SQL Policy wizard

# Policy configuration steps:
# 1. Specify policy name and description
# 2. Select project containing Cloud SQL instances
# 3. Select regions and instances to protect
# 4. Configure backup targets and schedule
# 5. Enable staging server for backup processing (optional)
# 6. Configure notifications and health checks

# Supported Cloud SQL instance types:
# - MySQL instances
# - PostgreSQL instances
# Note: SQL Server instances are NOT supported

# Example: Health check configuration
# Enable "Verify backup data integrity" option
# Veeam performs CRC checks on backup files after creation
# Failed health checks trigger email notifications
```

---

## Creating Cloud Spanner Backup Policies

Protect Cloud Spanner instances with scheduled snapshots and image-level backups. This feature requires backup appliances managed by Veeam Backup & Replication.

```bash
# Navigate to Policies > Cloud Spanner in the Web UI
# Click "Add" to launch the Add Cloud Spanner Policy wizard

# Policy configuration steps:
# 1. Specify policy name and description
# 2. Select project containing Cloud Spanner instances
# 3. Select regions and instances to protect
# 4. Configure backup targets (snapshot location, backup repository)
# 5. Configure schedule and retention
# 6. Configure notifications

# Cloud Spanner backups capture:
# - Database schema
# - All data
# - Views
# - Foreign keys

# Snapshot storage location depends on instance regional configuration
```

---

## Performing VM Instance Restore

Restore entire VM instances from cloud-native snapshots or image-level backups to the original location or a new location in Google Cloud.

```bash
# Navigate to Protected Data > VM in the Web UI
# Select the VM instance to restore
# Click "Restore" > "Entire Instance"

# Restore wizard steps:
# 1. Select restore point (snapshot or backup)
# 2. Choose restore mode:
#    - Restore to original location (overwrite existing)
#    - Restore to new location (specify new settings)
# 3. Select service account for restore operation
# 4. Select target project
# 5. Select region and availability zone
# 6. Configure encryption (use original or specify new keys)
# 7. Specify instance name and machine type
# 8. Configure network settings (VPC, subnet, IP address)
# 9. Run configuration and permission checks
# 10. Specify restore reason (for audit logging)

# Supported disk types for restore:
# - Zonal persistent disks (pd-standard, pd-balanced, pd-extreme, pd-ssd)
# - Regional persistent disks
# Note: Local SSD configuration is restored, but data is not recoverable
```

---

## Performing Disk Restore

Restore individual persistent disks from VM instance restore points to recover specific volumes without restoring the entire instance.

```bash
# Navigate to Protected Data > VM in the Web UI
# Select the VM instance containing the disk
# Click "Restore" > "Disk Restore"

# Disk restore wizard steps:
# 1. Select restore point
# 2. Choose disks to restore
# 3. Select restore mode (original or new location)
# 4. Select service account and target project
# 5. Select region and availability zone
# 6. Configure encryption settings
# 7. Specify new disk names
# 8. Run configuration checks

# Example use case:
# Restore a corrupted data disk to a new location
# Attach restored disk to existing VM for data recovery
# Original disk remains unchanged for comparison
```

---

## Performing File-Level Recovery

Recover individual files and folders from VM instance backups using the file-level recovery browser accessible through the Web UI.

```bash
# Navigate to Protected Data > VM in the Web UI
# Select the VM instance
# Click "Restore" > "File-Level Recovery"

# File-level recovery wizard steps:
# 1. Select restore point (snapshot or backup)
# 2. Choose restore mode (backup-based recommended for file recovery)
# 3. Run permission checks
# 4. Specify recovery reason
# 5. Start recovery session (deploys worker instance)
# 6. Browse and select files/folders in recovery browser
# 7. Download files or restore to original location
# 8. Stop recovery session when complete

# Supported file systems:
# - FAT, FAT32, NTFS (Windows)
# - ext2, ext3, ext4, XFS, Btrfs (Linux)

# Recovery options in browser:
# - Download to local machine
# - Restore to original location (preserves permissions)
# - Overwrite existing files option

# Prerequisites:
# - Worker instance network configuration for target region
# - Firewall rule allowing HTTPS (port 443) to worker instance
```

---

## Performing Cloud SQL Instance Restore

Restore entire Cloud SQL instances or specific databases from snapshots or image-level backups.

```bash
# Navigate to Protected Data > Cloud SQL in the Web UI
# Select the instance to restore
# Click "Restore"

# Restore options:
# 1. Entire Instance Restore
#    - Restore complete Cloud SQL instance configuration
#    - Includes all databases, users, triggers, stored procedures
#    - Can restore to original or new location
# 2. Database Restore (from image-level backups only)
#    - Restore specific databases
#    - Select target instance (original or different)
#    - Databases restored to running Cloud SQL instance

# Restore wizard steps:
# 1. Select restore point
# 2. Choose restore type (entire instance or database)
# 3. Select target project and region
# 4. Configure instance settings (name, tier, storage)
# 5. Configure network and security settings
# 6. Run configuration checks
# 7. Specify restore reason
```

---

## Performing Instant Recovery to VMware/Hyper-V

Instantly recover Google Cloud VM instances to on-premises VMware vSphere, Microsoft Hyper-V, or Nutanix AHV environments from image-level backups.

```bash
# Prerequisites:
# - vCenter Server, Hyper-V server, or Nutanix AHV cluster added to backup infrastructure
# - HMAC keys configured for backup repositories

# In Veeam Backup & Replication console:
# 1. Open Home view
# 2. Navigate to Backups > External Repository
# 3. Expand the backup policy
# 4. Select VM instance
# 5. Click "Instant Recovery" on ribbon
# 6. Select target platform:
#    - VMware vSphere
#    - Microsoft Hyper-V
#    - Nutanix AHV

# Instant Recovery benefits:
# - VM runs directly from backup storage
# - Near-zero RTO (Recovery Time Objective)
# - Production VM while storage vMotion migrates data
# - Test/dev environments from production backups
```

---

## Configuring Data Encryption

Enable encryption for backed-up data using Veeam encryption or Google Cloud KMS customer-managed encryption keys (CMEKs).

```bash
# Veeam Encryption (configured per repository):
# Navigate to Configuration > Repositories
# Edit repository > Enable encryption
# Specify encryption password (AES-256)

# Google Cloud KMS Encryption:
# 1. Create a key ring and key in Cloud KMS
gcloud kms keyrings create veeam-backup-keyring \
  --location=us-central1

gcloud kms keys create veeam-backup-key \
  --location=us-central1 \
  --keyring=veeam-backup-keyring \
  --purpose=encryption

# 2. Grant service account access to the key
gcloud kms keys add-iam-policy-binding veeam-backup-key \
  --location=us-central1 \
  --keyring=veeam-backup-keyring \
  --member="serviceAccount:veeam-backup@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"

# 3. Configure repository to use CMEK
# Specify key resource name during repository creation:
# projects/PROJECT_ID/locations/us-central1/keyRings/veeam-backup-keyring/cryptoKeys/veeam-backup-key

# Note: Customer-supplied encryption keys (CSEKs) are NOT supported
```

---

## Managing Backup Retention

Configure retention policies to automatically remove outdated restore points and manage storage costs.
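The two retention modes this section documents (count-based for snapshots, time-based with chain transformation for backups), modelled in Python as an added example; it is not Veeam's code. The block-dictionary model of a restore point, the sample chain and dates, the inclusive cutoff day and the rule that the last restore point is never removed are assumptions made for the illustration.

```python
from datetime import date, timedelta

SAMPLE_TODAY = date(2024, 3, 20)  # constructed date for the sample chain

def build_sample_chain():
    """Constructed chain: a full backup on 2024-03-01, then 19 daily incrementals."""
    start = date(2024, 3, 1)
    chain = [(start, {block: "base" for block in range(4)})]
    for day in range(1, 20):
        chain.append((start + timedelta(days=day), {day % 4: f"day{day}"}))
    return chain

def restore(chain, index):
    """Rebuild the image at restore point index: full backup plus increments up to it."""
    image = {}
    for _, blocks in chain[: index + 1]:
        image.update(blocks)
    return image

def apply_backup_retention(chain, today, keep_days):
    """Time-based retention over a chain of (date, changed_blocks) restore points.

    chain[0] is the full backup. While it is older than keep_days, the oldest
    incremental is injected into it and removed, as in the documented process.
    Assumptions: the cutoff day itself is kept; the last point is never removed.
    """
    chain = [(day, dict(blocks)) for day, blocks in chain]  # leave the input intact
    cutoff = today - timedelta(days=keep_days)
    while len(chain) > 1 and chain[0][0] < cutoff:
        full_blocks = chain[0][1]
        inc_date, inc_blocks = chain.pop(1)
        full_blocks.update(inc_blocks)        # inject incremental data into the full
        chain[0] = (inc_date, full_blocks)    # the full now represents that later point
    return chain

def apply_snapshot_retention(snapshot_times, keep_count):
    """Count-based retention: keep the newest keep_count snapshots, drop the oldest."""
    ordered = sorted(snapshot_times)
    return ordered[-keep_count:] if keep_count > 0 else []

if __name__ == "__main__":
    kept = apply_backup_retention(build_sample_chain(), SAMPLE_TODAY, keep_days=14)
    print(len(kept), "restore points kept, oldest", kept[0][0])
```

Every restore point that survives the transformation restores to the same image as before it, which is the property to check when validating a retention run against a test restore.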
```bash
# Retention settings are configured per schedule type in backup policies

# Snapshot retention (count-based):
# - Specify number of restore points to keep
# - Oldest snapshots removed when limit exceeded
# Example: Keep 7 daily snapshots

# Backup retention (time-based):
# - Specify number of days or months to keep restore points
# - Restore points older than threshold are removed
# Example: Keep daily backups for 14 days, weekly for 4 weeks, monthly for 12 months

# Retention process (runs daily):
# 1. Veeam detects outdated restore points in repositories
# 2. Worker instance deployed in repository region
# 3. Backup chain transformed:
#    - Data from oldest incremental injected into full backup
#    - Incremental backup removed
# 4. Process repeats until all outdated points removed
# 5. Worker instance removed after completion

# Archive retention:
# - Separate retention settings for archived backups
# - Typically longer retention periods (years)
# - Archive storage class reduces costs for long-term storage

# Worker instance limits:
# - Maximum 10 concurrent worker instances for retention tasks
# - Additional tasks queued if limit reached
```

---

## Network Ports and Firewall Configuration

Configure firewall rules to allow communication between Veeam components and Google Cloud services.
```bash
# Required firewall rules for backup appliance:

# Inbound rules:
# TCP/443   - Web UI access from workstations
# TCP/13140 - REST API access
# TCP/22    - SSH (deployment and upgrades)

# Outbound rules:
# TCP/443  - Google Cloud APIs, Veeam Update Repository
# TCP/587  - SMTP notifications
# TCP/80   - OS security updates (security.ubuntu.com)
# TCP/3306 - Cloud SQL MySQL instances
# TCP/5432 - Cloud SQL PostgreSQL instances

# Example: Create firewall rule for Web UI access
gcloud compute firewall-rules create allow-veeam-webui \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=tcp:443,tcp:13140 \
  --source-ranges=10.0.0.0/8 \
  --target-tags=veeam-appliance

# Example: Create firewall rule for worker instances (file-level recovery)
# Note: 0.0.0.0/0 admits any source address; narrow --source-ranges to the
# networks that open recovery sessions where possible
gcloud compute firewall-rules create allow-veeam-worker-flr \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=tcp:443 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=veeam-worker
```

---

## Summary

Veeam Backup for Google Cloud provides comprehensive data protection for VM instances, Cloud SQL, and Cloud Spanner workloads through a combination of cloud-native snapshots and image-level backups. The solution supports flexible scheduling with daily, weekly, monthly, and yearly policies, enabling organizations to implement grandfather-father-son (GFS) retention schemes. Primary use cases include disaster recovery with near-zero RTO through Instant Recovery, compliance requirements through long-term archival storage, and operational recovery scenarios such as file-level recovery and database restores.

Integration patterns center around the Veeam Backup & Replication console for enterprise-wide management and the Web UI for Google Cloud-specific operations. Organizations can extend protection beyond Google Cloud by restoring workloads to VMware vSphere, Microsoft Hyper-V, Nutanix AHV, AWS, and Microsoft Azure. The REST API (port 13140) enables automation and integration with orchestration tools, while SMTP notifications and health checks provide operational visibility. For security, the solution supports both Veeam encryption and Google Cloud KMS customer-managed keys, with all data encrypted at rest in storage buckets.
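A check for the inbound rules in the Network Ports and Firewall Configuration section, added here as an example and not part of the Veeam documentation: it reads rules in the shape of `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that open the appliance or worker ports to a wide source range. The sample JSON is constructed, the rule `example-ssh-open` is hypothetical, and the "wider than a /8" threshold is an assumption to adjust.

```python
import ipaddress
import json

# Ports this page lists as inbound on the appliance and worker instances.
VEEAM_PORTS = {443: "Web UI / worker HTTPS", 13140: "REST API", 22: "SSH"}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# The first two rules mirror the page's examples; "example-ssh-open" is hypothetical.
SAMPLE_RULES_JSON = """[
 {"name": "allow-veeam-webui", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.0.0.0/8"], "targetTags": ["veeam-appliance"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443", "13140"]}]},
 {"name": "allow-veeam-worker-flr", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["veeam-worker"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "example-ssh-open", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["veeam-appliance"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]}
]"""

def sample_rules():
    return json.loads(SAMPLE_RULES_JSON)

def port_in_spec(port, spec):
    """True if port falls in a port spec such as '443' or '20-25'."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def audit_rules(rules, veeam_tags, max_addresses=2**24):
    """Flag enabled ingress rules that open Veeam ports to wide source ranges.
    Wide means more than max_addresses addresses: 0.0.0.0/0 yes, 10.0.0.0/8 no."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        tags = rule.get("targetTags")
        if tags and not set(tags) & set(veeam_tags):
            continue  # scoped to other instances; untagged rules apply to every VM
        wide = [r for r in rule.get("sourceRanges", [])
                if ipaddress.ip_network(r, strict=False).num_addresses > max_addresses]
        for allow in rule.get("allowed", []) if wide else []:
            if allow.get("IPProtocol") not in ("tcp", "all"):
                continue
            specs = allow.get("ports")  # no port list means every port
            for port, label in VEEAM_PORTS.items():
                if specs is None or any(port_in_spec(port, s) for s in specs):
                    findings.append((rule["name"], port, label, wide))
    return findings

if __name__ == "__main__":
    for name, port, label, ranges in audit_rules(sample_rules(), {"veeam-appliance", "veeam-worker"}):
        print(f"{name}: tcp/{port} ({label}) reachable from {', '.join(ranges)}")
```

Rules scoped by target service account rather than network tag are not filtered by this sketch and are treated like untagged rules.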