Configuring backups for Google Cloud (GC) instances includes creating a GC service account, selecting a backup plan, and creating a VM group of the instances that you want to back up.
Start the Configuration Wizard
-
From the Command Center navigation pane, go to Protect > Virtualization.
The Overview page appears.
-
In the upper-right area of the page, click Add hypervisor.
The Configure Hypervisor page appears.
-
Click Google Cloud.
-
Click Next.
The Add Hypervisor page of the configuration wizard appears.
-
Choose the option to configure a service account.
Create a New Service Account
When configuring backups, you can create a Google Cloud service account using one of the following methods:
-
Automatically: Run a set of commands in the Google Cloud Shell to configure the service account.
-
Manually: Download the JSON key file and set up authentication yourself.
Alternatively, you can use an existing service account or edit credentials to create custom roles with all the required permissions.
Use Google Cloud Shell
-
Choose the Create service account option.
-
For Credentials, click the add button to create a new service account with the required permissions.
The Add credential dialog box appears.
Steps to create a service account using Google Cloud Shell
-
The Vendor type field contains the name of the vendor from the dropdown list.
-
The Authentication type field contains the type of authentication to use.
-
For Credential vault (Optional), select Built-in or the default type for the credentials.
-
For Credential name, enter a descriptive name for the credentials.
-
For Service Account ID, click Create service account to set up a new service account with the required permissions.
The Create service account window appears.
-
Organization ID: (Optional) Define an organization ID to create custom roles for backup, restore, and replication operations at the organization level in your Google Cloud environment.
-
Project ID: Specify the Google Cloud project where the service account will be created.
For a list of projects, you can copy and paste the following command in the Cloud Shell: gcloud projects list.
-
Service account name: (Optional) Enter the display name for the service account to be created.
-
Service account ID: Enter the identifier of the service account that will be created.
Note
A service account is automatically created using the specified service account ID when the commands are executed.
-
Click Open Cloud Shell to log in, and then run the following commands in Cloud Shell:
-
Set the active project to work on:
This command uses the gcloud CLI to set the active Google Cloud project.
-
Enable required services on the current project:
This command enables the necessary services for Commvault Cloud on the Google Cloud project.
-
Create a new service account:
This command creates a service account that will securely perform tasks for Commvault Cloud.
-
Create custom roles with the required permissions for different Commvault Cloud operations at project level:
This command defines and creates custom IAM roles with the required permissions for Commvault Cloud operations at the project level.
If an Organization ID is provided, the custom roles will be created at the organization level instead of the project level.
-
Grant your service account an IAM role on your project:
This command assigns the necessary IAM roles for backup, restore, and replication to the service account, authorizing it to access and perform required operations within your project.
-
Generate a private key file for the service account and download the JSON file:
This command lets you specify a name for the private key file. The file will be automatically generated in Cloud Shell and downloaded as a JSON file. You can customize the file name during this step.
This key must be uploaded in the Add Credential window to enable its use in future operations.
-
To associate the service account with multiple projects:
To associate the service account with multiple projects, you have to run a series of commands that grant the service account access to each project in the provided list. This allows the service account to perform operations such as backup, restore, and replication on virtual machines (VMs) across those projects.
The following procedure is recommended:
-
Copy the Download project list command in the Cloud Shell.
-
Run the command to automatically download the list of projects in the required format.
-
Upload the previously downloaded text file.
-
Once the text file is uploaded, the projects will be automatically populated, and the relevant commands will be displayed in the window.
-
Copy these commands and run them in Cloud Shell to complete the association.
-
Click Close.
-
For Private key file, click Upload to choose the JSON key file.
-
In Description, enter a description for the credential.
-
Click Save.
-
Click Next.
The Access Node page of the configuration wizard appears.
-
Choose the option to configure an access node.
Download the JSON Key File Manually
-
In Server name, enter a descriptive name for the hypervisor.
-
For Credentials, select existing credentials from the dropdown list.
Steps to download the JSON key file and set up service account authentication
-
Log on to the GC Console.
-
Create a GC service account.
For information, see Create service accounts in the Google Cloud documentation.
-
Assign one of the following roles to the GC service account.
-
Owner
-
Compute Instance Admin (v1) and Service Account User
-
A custom role
For information about the permissions to assign to a custom role, see Service Account Permissions for Google Cloud.
If you want to use IntelliSnap backups, you must assign the same permissions to your GC service account on both the source and destination projects.
To back up instances from multiple projects, the GC service account must have access rights to all the projects (including the projects where access nodes exist).
-
Verify that the Cloud Resource Manager API is enabled.
If the API is not enabled, all backup jobs will fail (including backup jobs for clients that were created in a previous release).
-
If you plan to edit the configuration to use a P12 private key file for service account authentication, complete the following:
-
Record the P12 private key file name and the P12 key password.
-
Copy the P12 private key file to the <Commvault Cloud base folder>/certificates/external directory on each access node. If the <Commvault Cloud base folder>/certificates/external directory does not already exist, create the directory.
-
Record the service account ID, the project ID, and the name of the JSON file for service account authentication.
-
Download the JSON file for service account authentication.
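One way to confirm which of the role options above the service account actually holds in each project, as an added example that is not part of the Commvault procedure: it reads IAM policies in the JSON form printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports, per project, whether the account is Owner, holds the predefined pair, holds a custom role, or satisfies none of the options. The project names, service account, and policies are constructed samples.

```python
# Role IDs for the predefined options listed in the procedure.
OWNER = "roles/owner"
PREDEFINED_PAIR = {"roles/compute.instanceAdmin.v1", "roles/iam.serviceAccountUser"}

def roles_for(policy, sa_email):
    """Return the roles bound directly to the service account in one IAM policy."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def classify(roles):
    """Map a set of roles onto the role options in the procedure."""
    if OWNER in roles:
        return "owner"        # works, but much broader than the other options
    if PREDEFINED_PAIR <= roles:
        return "predefined"   # Compute Instance Admin (v1) and Service Account User
    if any(r.startswith(("projects/", "organizations/")) for r in roles):
        return "custom"       # the permissions inside the role still need review
    return "missing"          # none of the listed options is satisfied

def audit(policies, sa_email):
    """policies maps project ID to a parsed IAM policy; returns project to finding."""
    return {project: classify(roles_for(policy, sa_email))
            for project, policy in policies.items()}

# Constructed sample data, shaped like parsed get-iam-policy JSON output.
SA = "cv-backup@prod-vms.iam.gserviceaccount.com"
SAMPLE = {
    "prod-vms": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/iam.serviceAccountUser", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]}]},
    "dr-vms": {"bindings": [
        {"role": "roles/owner", "members": [f"serviceAccount:{SA}"]}]},
    "access-nodes": {"bindings": [
        {"role": "projects/access-nodes/roles/cvBackup",
         "members": [f"serviceAccount:{SA}"]}]},
    "dev-vms": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": [f"serviceAccount:{SA}"]}]},
}

if __name__ == "__main__":
    for project, finding in audit(SAMPLE, SA).items():
        print(f"{project}: {finding}")
```

A project policy lists only the bindings set directly on that project, so a "missing" result for an account that was granted roles on a folder or organization needs a check at that level as well.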
Use an Existing Service Account
-
Choose the Use existing service account option.
-
To authenticate using the service account attached to the Access Node, enable the Use Service Account associated to the Access Node toggle.
Note
When this option is selected, the system will automatically utilize the service account associated with the Google Cloud instance designated as the Access Node. No file upload is required. Ensure that the Access Node's service account has the necessary IAM permissions to access your Google Cloud resources.
-
Click Next.
The Access Node page of the configuration wizard appears.
-
Choose the option to configure an access node.
Edit Existing Credentials to Create Custom Roles
Credentials can be edited to create custom roles with all required permissions, which are then assigned to the selected service account.
-
Choose the Use existing service account option.
-
Disable the Use Service Account associated to the Access Node toggle.
-
For Credentials, choose a saved credential from the drop down list and click the edit button.
The Edit credential dialog box appears.
Steps to create a custom role and assign it to a service account using Google Cloud Shell
-
For Service Account ID, click Create Custom Role.
The Create custom role dialog box appears.
-
Organization ID: (Optional) Define an organization ID to create custom roles for backup, restore, and replication operations at the organization level in your Google Cloud environment.
-
Project ID: Indicates the Google Cloud project which hosts the chosen service account.
-
Service account ID: Indicates the identifier of the service account selected.
-
Click Open Cloud Shell to log in, and then run the following commands in Cloud Shell:
-
Set the active project to work on:
This command uses the gcloud CLI to set the active Google Cloud project.
-
Enable required services on the current project:
This command enables the necessary services for Commvault Cloud on the Google Cloud project.
-
Create custom roles with the required permissions for different Commvault Cloud operations at project level:
This command defines and creates custom IAM roles with the required permissions for Commvault Cloud operations at the project level.
If an Organization ID is provided, the custom roles will be created at the organization level instead of the project level.
-
Grant your service account an IAM role on your project:
This command assigns the necessary IAM roles for backup, restore, and replication to the service account, authorizing it to access and perform required operations within your project.
-
To associate the service account with multiple projects:
To associate the service account with multiple projects, you have to run a series of commands that grant the service account access to each project in the provided list. This allows the service account to perform operations such as backup, restore, and replication on virtual machines (VMs) across those projects.
The following procedure is recommended:
-
Copy the Download project list command in the Cloud Shell.
-
Run the command to automatically download the list of projects in the required format.
-
Upload the previously downloaded text file.
-
Once the text file is uploaded, the projects will be automatically populated, and the relevant commands will be displayed in the window.
-
Copy these commands and run them in Cloud Shell to complete the association.
-
Click Close.
-
Click Next.
The Access Node page of the configuration wizard appears.
-
Choose the option to configure an access node.
Add an Access Node
You can select one or more existing access nodes for the hypervisor, or create a new one. Alternatively, you can manually download the Windows or Linux 64-bit access node package and set up authentication yourself.
Note
The access node must be present on Google Cloud. You can designate one access node to back up instances from multiple projects (to which access rights are provided in your GC service account). For faster backups and restores, designate at least one access node for every Google Cloud region.
Add an Existing Access Node
-
From the Access nodes dropdown list, select one or more access nodes for the hypervisor.
-
Click OK to close the Access Node drop down list.
-
Click Next.
The Add Hypervisor page of the configuration wizard appears.
Deploy a New Access Node
-
Click the add button.
The Add a new Access node dialog box appears.
-
Choose the Deploy a new access node option.
Steps to deploy a new access node
-
Click the package to download for the platform: Linux (64-bit) or Windows (64-bit).
-
For Instance Name, enter the name of the access node.
-
For Project ID, specify the Google Cloud project where the access node will be created.
For a list of projects, you can copy and paste the following command in the Cloud Shell: gcloud projects list.
-
For Zone, enter the zone in which the access node will be created.
For a list of zones, you can copy and paste the following command in the Cloud Shell: gcloud compute zones list.
-
For Subnet URL, provide the subnet URL details of the VM.
For a list of subnet details, you can copy and paste the following command in the Cloud Shell: gcloud compute networks subnets list.
-
For VPC Network, provide the VPC network details of the VM.
For a list of network details, you can copy and paste the following command in the Cloud Shell: gcloud compute networks subnets list.
-
To assign an external IP address to the VM, enable External IP.
-
Enable Use reserved static IP address and enter the static IP you want to use.
Note
For information about reserving a static external IP address on Google Cloud, see Reserve a static external IP address.
-
For Network Service Tier, choose one of the following options based on the static IP's network tier set during the reservation of the external IP on Google Cloud.
-
Premium: Offers low-latency, high-performance global networking using Google’s high-quality infrastructure.
-
Standard: Provides cost-effective regional networking using the public internet.
-
Once all configuration details for the VM are provided, log in to Google Cloud Shell and run the following commands:
-
Deploy the access node using the Terraform configuration:
Copy the VM configuration details from the window and run the script in the Cloud Shell to automatically deploy and configure the access node.
-
After deploying the access node, run the following command to clean up the metadata used for CommServe registration:
Run this command in the Cloud Shell to clean up the metadata used during the CommServe registration process.
-
Click Close.
-
Once the access node is configured with the CommServe, refresh the page and select the access node from the dropdown list.
-
Click Next.
The Add Hypervisor page of the configuration wizard appears.
Download Windows or Linux 64-bit Access Node Package
You can manually download the Windows or Linux software package by using the following steps:
-
Click the edit button.
The Add a new Access node dialog box appears.
-
Choose the Download the access node package option.
Steps to download the access node package
-
Click the package to download for the platform: Linux (64-bit) or Windows (64-bit).
-
Click Download to download and install the access node package on a Google Cloud VM that meets the minimum requirements.
-
Copy the provided Auth code to your clipboard, as it will be required during the package installation on the access node.
-
Once the access node is configured with the CommServe, refresh the page and select the access node from the dropdown list.
-
Click Next.
The Add Hypervisor page of the configuration wizard appears.
Add Hypervisor
-
For Add Hypervisor, enter the name of the hypervisor.
-
Click Next.
The Select Plan page of the configuration wizard appears.
Add a Plan
-
For Plan, select an existing backup plan or create a new backup plan.
Steps to create a backup plan
-
Click the add button.
The Add plan dialog box appears.
-
In the Plan name box, enter a descriptive name for the backup plan.
-
For the backup plan settings, select pre-defined settings or create custom settings:
-
To select pre-defined settings, under Retention rules, select one of the following:
-
Select Standard retention to retain the incremental backups for 1 month.
-
Select Extended retention for optimized storage where the incremental backups of primary and secondary copies are retained for 1 month, and extended retention for monthly and yearly full backups.
Note
The Extended retention option is available only when the secondary copy backup is selected.
-
To create custom settings, select Custom plan, and then specify the following:
-
For Snapshot retention, specify the number of snapshots to retain for IntelliSnap backups.
-
For Retention, specify the amount of time to retain the backups.
-
For Retention monthly full (Secondary copy), specify the amount of time to retain the monthly full backup on secondary copy.
-
For Retention yearly full (Secondary copy), specify the amount of time to retain the yearly full backup on secondary copy.
-
For Backups run every, specify how often to run backups.
-
Click Done.
-
Click Next.
The Add VM Group page of the configuration wizard appears.
Add VM Group
A VM group is a set of VMs that you want to back up with the same settings. By default, the VM group includes all unprotected instances. You can modify the VM group content by using rules that auto-discover content and by selecting projects, regions, and zones.
Important
If you specify VM group content based on regions or zones, and one or more of the regions or zones contains multiple projects, then all instances in those projects are backed up. If some of those instances don't actually need to be backed up, then you will incur unnecessary costs. After you specify content for the VM group, use the Preview button to verify that the VM group does not include instances that don't actually need to be backed up.
-
In Name, enter a descriptive name for the VM group.
-
To create rules that auto-discover and select instances to back up, do the following:
-
Click Add, and then select Rules.
The Add rule dialog box appears.
-
From the list, select the type of rule to create, and then specify the rule:
-
Browse: Select specific instances. (Selecting this option changes the Add rule dialog box to the Add content dialog box.)
-
Instance name or pattern: Select instances based on their names. For example, to select instances that have a name that includes "east", enter Instance name or pattern | Contains | east.
-
Label: Select instances based on the labels they contain. For example, to select instances that have a "department:finance" label, enter Key | Equals | department and Value | Equals | finance.
-
Project: Select instances based on the project that they belong to. For example, to select instances in the MyCompany project, enter Project | Equals | MyCompany.
-
Region: Select instances based on the region that they reside in.
-
Zone: Select instances based on the zone that they reside in. For example, to select instances that reside in any eastern US zone, enter Zone | Contains | us-east. You can enter the zone value by typing or browsing to select.
-
Click Save.
-
To select instances in other ways, do the following:
-
Click Add, and then select Content.
The Add content dialog box appears.
-
From the Browse and select VMs list, select one of the following:
-
By project: Select instances based on the project they are associated with.
-
By region: Select instances based on the region that they reside in.
-
By zone: Select instances based on the zone that they reside in.
-
Click Save.
-
To see the instances that are selected for the VM group, click the Preview button.
Important
Carefully review the VM group to verify that it does not include instances that don't actually need to be backed up.
-
Click Next.
The Summary page of the configuration wizard appears.
Summary
-
Review the summary.
-
Click Finish.