NOTE: I’ve been asked to hold this post until Veeam released the final version of this software, that happened today. You will not need to manually install the software as I did here with a Beta version, as it is now available in the Google Marketplace, but you may be interested to learn how Infrastructure as Code works in Google Cloud anyway. And the second part is about the first configuration, that is useful regardless the installation method.
I received a few weeks ago a preview of this software from my colleagues that are developing it, and I wanted to try it out and show it to other people.
For this short demo, we will create a dedicated project in our GCP account. Projects are the units of management in GCP, and it’s a good practice to use many of them to split workloads and resources, also for security reasons. For many of our operations today we will use the Cloud shell, a command line tool directly available in the GCP web interface.
Let’s first create the new project:
gcloud projects create veeamgcp-backup
We then switch to this project to start using it:
We can see that we are now working on the new project, as it is listed in the yellow text.
Time to build our resources. We have uploaded and extracted the Veeam configuration files, and we now run them. But before doing this, we also need to upload a public key, created from a ssh pair. This will be used to eventually login via SSH to our virtual machine. Most of the operations will be done via the web interface, but you may need for emergency to access the console of the underlying vm. And also, since the vm is exposed to internet via both SSH and HTTPS, it’s a good security practice to protect the SSH access with private keys.
Now, the command we need to run is like this one:
gcloud deployment-manager deployments create veeam-gcp --template=veeambackup.jinja --properties="zone:'europe-west1-b', sshPublicKey:'ssh-rsa veeam-gcp.public lucagcp', dataDiskSizeGb:20, network:['default'],subnetwork:['default']"
What are we doing here? We are asking Google to use its “infrastructure as code” tool, called Deployment Manager, to start a new deployment, that we call “veeam-gcp”. This deployment will use the template we uploaded “veeambackup.jinja (Jinja is a python-like language used to describe services that Google can build automatically) and we tell where we want the vm to be deployed, in our case “Europe West 1, Zone b”, that is Belgium (you can see the complete list here.). Also, we state that we want to use my public key, combined to a new user that will exist in the vm that is called lucagcp. We want a disk that is 20Gb in size, and we are fine with default settings for the network.
We fire the command. If it’s a new project, GCP will ask us if we want to enable API for this project, and we’ll say yes. For the same reason of being a fresh new project, the command will probably fail with some errors. The nice thing of Cloud Shell is that it will not just tell us the error, but it will also offer links to go and fix it. Those errors are related to other API not being enabled in this project. We can click those link and enable the requested API:
If we then re-run the command, it will fail again but this time because the deployment we are trying to create already exists, even if it was not completed. We can remove the failed deployment and try again by running the delete command. In my example, it will be:
gcloud deployment-manager deployments delete veeam-gcp
After we have enabled all the missing components, the command will complete and we will have our new VM correctly deployed, and reachable with the public IP that is listed in the output (this machine has been destroyed, don’t waste time trying to connect to it):
We can paste that IP in a web browser and reach the start screen of our virtual machine over HTTPS. We will be able to configure the machine for its first use. There are two main steps: the first is the Instance ID of your VM. As the owner of the account, we should be the only one knowing that ID, and this would prove our identity (remember, the interface is reachable by anyone on the internet):
We can obtain this ID in the properties of the virtual machine, under Compute Engine -> Virtual Machines. The following step is to create our administrative account. Again, as the public IP is reachable from anywhere on the internet and the interface is a common https, please make sure the user you create has a non-common username and a very complex password! When done, the wizard will show the login screen, and with the new credentials we can reach the dashboard of the software:
Nice, we are in!
However, the service account used to install Veeam Backup for GCP does not have the permissions required to perform data protection tasks for the project selected during the product installation. To fix this, go into Configuration -> Permissions -> Projects. Select the project and run the Edit Project wizard; at the Service Account step, click Generate and download script. We will the run this script in our Google Cloud Shell to assign all the necessary permissions to the service account.
We can go back into the configuration and click the “Check permissions” button to ensure that the account now has all the permissions required to perform data protection tasks for the project.
We also need to enable Cloud Resource Manager API, thankfully the error messages from GCP are very useful, and we can use the suggested link to fix the problem. Now, if we check again the permissions:
our account has all the permissions, and we are ready to protect our virtual machines. Tomorrow we’ll see how to run our first backup!