Oracle Cloud Infrastructure Documentation

Copying a Boot Volume Backup Between Regions

You can copy boot volume backups from one region to another region using the Oracle Cloud Infrastructure Block Volume service. For more information, see Copying Boot Volume Backups Across Regions.

Note

Limitations for Copying Boot Volume Backups Across Regions

When copying boot volume backups across regions in your tenancy, you can only copy one backup at a time from a specific source region.

You can only copy boot volume backups for instances based on Oracle-Provided Images. If you try to copy a boot volume for an instance based on other image types, such as Marketplace images, the request will fail with an error.

You cannot add compatible shapes in the destination region for boot volume backups, the shape compatibility list is from the source region and cannot be changed.

When you create an instance from the Console and specify a boot volume backup that was copied from another region as the image source, you may encounter a message indicating that there was an error loading the source image. You can ignore this error message and click Create Instance to finish the instance creation process and launch the instance.

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in.

For administrators: The first two statements listed in the Let volume admins manage block volumes, backups, and volume groups policy lets the specified group do everything with boot volumes and boot volume backups with the exception of copying boot volume backups across regions. The aggregate resource type volume-family does not include the BOOT_VOLUME_BACKUP_COPY permission, so to enable copying boot volume backups across regions you need to ensure that you include the third statement in that policy, which is:

Allow group VolumeAdmins to copy boot-volume-backups in tenancy

To restrict access to just creating and managing boot volume backups, including copying boot volume backups between regions, use the policy in Let boot volume backup admins manage only backups. The individual resource type boot-volume-backups includes the BOOT_VOLUME_BACKUP_COPY permission, so you do not need to specify it explicitly in this policy.

If you are copying volume backups encrypted using Key Management between regions or you want the copied volume backup to use Key Management for encryption in the destination region, you need to use a policy that allows the Block Volume service to perform cryptographic operations with keys in the destination region. For a sample policy showing this, see Let Block Volume, Object Storage, File Storage, and Container Engine for Kubernetes services encrypt and decrypt volumes, volume backups, buckets, file systems, and Kubernetes secrets.

Restricting Access

The specific permissions needed to copy volume backups across regions are:

  • Source region: BOOT_VOLUME_BACKUP_READ, BOOT_VOLUME_BACKUP_COPY

  • Destination region: BOOT_VOLUME_BACKUP_CREATE

Sample Policies

To restrict a group to specific source and destination regions for copying volume backups
To restrict some source regions to specific destination regions while enabling all destination regions for other source regions

If you're new to policies, see Getting Started with Policies and Common Policies. For reference material about writing policies for instances, cloud networks, or other Core Services API resources, see Details for the Core Services.

Using the Console

  1. Open the navigation menu. Under Core Infrastructure, go to Compute and click Boot Volume Backups.

    A list of the block volume backups in the compartment you're viewing is displayed. If you don’t see the one you're looking for, make sure you’re viewing the correct compartment (select from the list on the left side of the page).

  2. Click the Actions icon (three dots) for the block volume backup you want to copy to another region.
  3. Click Copy to Another Region.
  4. Enter a name for the backup and choose the region to copy the backup to.

  5. In the Encryption section select whether you want the volume backup to use the Oracle-provided encryption key or your own Key Management encryption key. If you select the option to use your own key, paste the OCID for encryption key from the destination region.

  6. Click Copy Boot Volume Backup.

  7. Confirm that the source and destination region details are correct in the confirmation dialog and then click OK.

Using the API

To copy a volume backup to another region, use the following operation:

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Next Steps

After copying the boot volume backup, switch to the destination region in the Console and verify that the copied backup appears in the list of boot volume backups for that region. You can then restore the backup using the steps in Restoring a Boot Volume.

For more information about backups, see Overview of Boot Volume Backups.