Copying a Boot Volume Backup Between Regions

You can copy boot volume backups from one region to another region using the Oracle Cloud Infrastructure Block Volume service. For more information, see Copying Boot Volume Backups Across Regions.

Note

Limitations for Copying Boot Volume Backups Across Regions

When copying boot volume backups across regions in your tenancy, you can only copy one backup at a time from a specific source region.

You can only copy boot volume backups for instances based on Oracle-Provided Images. If you try to copy a boot volume for an instance based on other image types, such as Marketplace images, the request will fail with an error.

You cannot add compatible shapes in the destination region for boot volume backups, the shape compatibility list is from the source region and cannot be changed.

When you create an instance from the Console and specify a boot volume backup that was copied from another region as the image source, you may encounter a message indicating that there was an error loading the source image. You can ignore this error message and click Create Instance to finish the instance creation process and launch the instance.

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  you should work in.

For administrators: The first two statements listed in the Let volume admins manage block volumes, backups, and volume groups policy lets the specified group do everything with boot volumes and boot volume backups with the exception of copying boot volume backups across regions. The aggregate resource type volume-family does not include the BOOT_VOLUME_BACKUP_COPY permission, so to enable copying boot volume backups across regions you need to ensure that you include the third statement in that policy, which is:

Allow group VolumeAdmins to use boot-volume-backups in tenancy where request.permission='BOOT_VOLUME_BACKUP_COPY'

To restrict access to just creating and managing boot volume backups, including copying boot volume backups between regions, use the policy in Let boot volume backup admins manage only backups. The individual resource type boot-volume-backups includes the BOOT_VOLUME_BACKUP_COPY permission, so you do not need to specify it explicitly in this policy.

If you are copying volume backups encrypted using Vault between regions or you want the copied volume backup to use Vault for encryption in the destination region, you need to use a policy that allows the Block Volume service to perform cryptographic operations with keys in the destination region. For a sample policy showing this, see Let Block Volume, Object Storage, File Storage, Container Engine for Kubernetes, and Streaming services encrypt and decrypt volumes, volume backups, buckets, file systems, Kubernetes secrets, and stream pools.

Restricting Access

The specific permissions needed to copy volume backups across regions are:

  • Source region: BOOT_VOLUME_BACKUP_READ, BOOT_VOLUME_BACKUP_COPY
  • Destination region: BOOT_VOLUME_BACKUP_CREATE

Sample Policies

To restrict a group to specific source and destination regions for copying volume backups

In this example, the group is restricted to copying volume backups from the UK South (London) region to the Germany Central (Frankfurt) region.

Allow group MyTestGroup to read boot-volume-backups in tenancy where all {request.region='lhr'}
Allow group MyTestGroup to use boot-volume-backups in tenancy where all {request.permission='BOOT_VOLUME_BACKUP_COPY', request.region = 'lhr', 
Allow group MyTestGroup to manage boot-volume-backups in tenancy where all {request.permission='BOOT_VOLUME_BACKUP_CREATE', request.region = 'fra'}
To restrict some source regions to specific destination regions while enabling all destination regions for other source regions

In this example, the following is enabled for the group:

  • Manage volume backups in all regions.

  • Copy volume backups from the US West (Phoenix) and US East (Ashburn) regions to any destination regions.

  • Copy volume backups from the Germany Central (Frankfurt) and UK South (London) regions only to the Germany Central (Frankfurt) or UK South (London) regions.

Allow group MyTestGroup to read boot-volume-backups in tenancy where all {request.region='lhr'}
Allow group MyTestGroup to manage boot-volume-backups in tenancy where any {request.permission!='BOOT_VOLUME_BACKUP_COPY'}
Allow group MyTestGroup to use boot-volume-backups in tenancy where all {request.permission='BOOT_VOLUME_BACKUP_COPY', any {request.region='lhr', request.region='fra'}, any{target.region='fra', target.region='lhr'}}
Allow group MyTestGroup to use boot-volume-backups in tenancy where all {request.permission='BOOT_VOLUME_BACKUP_COPY', any {request.region='phx', request.region='iad'}}
If you're new to policies, see Getting Started with Policies and Common Policies. For reference material about writing policies for instances, cloud networks, or other Core Services API resources, see Details for the Core Services.

Using the Console

  1. Open the navigation menu. Under Core Infrastructure, go to Compute and click Boot Volume Backups.

    A list of the boot volume backups in the compartment you're viewing is displayed. If you don’t see the one you're looking for, make sure you’re viewing the correct compartment (select from the list on the left side of the page).

  2. Click the Actions icon (three dots) for the boot volume backup you want to copy to another region.
  3. Click Copy to Another Region.
  4. Enter a name for the backup and choose the region to copy the backup to.

  5. In the Encryption section select whether you want the boot volume backup to use the Oracle-provided encryption key or your own Vault encryption key. If you select the option to use your own key, paste the OCID for encryption key from the destination region.

  6. Click Copy Boot Volume Backup.

  7. Confirm that the source and destination region details are correct in the confirmation dialog and then click OK.

Next Steps

After copying the boot volume backup, switch to the destination region in the Console and verify that the copied backup appears in the list of boot volume backups for that region. You can then restore the backup using the steps in Restoring a Boot Volume.

For more information about backups, see Overview of Boot Volume Backups.