# Connecting an existing Linux VM to Cloud Backup

You can back up your Compute Cloud [VMs](../../compute/concepts/vm.md) with [supported Linux-based operating systems](../concepts/vm-connection.md#linux).

For the proper [Cloud Backup agent](../concepts/agent.md) operation, the VM must meet the [minimum requirements](../concepts/vm-connection.md#requirements).

{% note warning %}

To connect a VM to Cloud Backup, make sure its service account, public IP address, and security group are set up correctly. For more information, see [Connecting Compute Cloud VMs and Yandex BareMetal servers to Cloud Backup](../concepts/vm-connection.md).

{% endnote %}

If you have [deleted](delete-vm.md) a VM from Cloud Backup and want to reconnect it, follow the steps below.

To connect a Linux VM to Cloud Backup:

1. [Create a service account](#create-sa).
1. [Link a service account to the VM](#connect-sa-to-vm).
1. [Set up network access for the VM](#configure-network-access).
1. [Install the Cloud Backup agent](#connect-vm).


## Create a service account {#create-sa}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to connect a VM.
  1. Navigate to **Identity and Access Management**.
  1. Click **Create service account**.
  1. Enter a name for the [service account](../../iam/concepts/users/service-accounts.md). The naming requirements are as follows:

      * Length: between 3 and 63 characters.
      * It can only contain lowercase Latin letters, numbers, and hyphens.
      * It must start with a letter and cannot end with a hyphen.

  1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select the `backup.user` [role](../security/index.md#backup-user).
  1. Click **Create**.

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the command to create a [service account](../../iam/concepts/users/service-accounts.md):

      ```bash
      yc iam service-account create --help
      ```

  1. Create a service account by running this command:

      ```bash
      yc iam service-account create \
        --name <service_account_name>
      ```

      Result:

      ```text
      id: ajehb3tcdfa1********
      folder_id: b1g86q4m5vej********
      created_at: "2024-07-22T16:05:14.237381531Z"
      name: backup-sa
      ```

      For more information about the `yc iam service-account create` command, see the [CLI reference](../../cli/cli-ref/iam/cli-ref/service-account/create.md).

  1. View the description of the command to assign a role for a folder:

      ```bash
      yc resource-manager folder add-access-binding --help
      ```

  1. Assign the `backup.user` [role](../security/index.md#backup-user) for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) to the service account:

      ```bash
      yc resource-manager folder add-access-binding <folder_ID> \
        --role backup.user \
        --subject serviceAccount:<service_account_ID>
      ```

      Result:

      ```text
      done (3s)
      effective_deltas:
        - action: ADD
          access_binding:
            role_id: backup.user
            subject:
              id: ajehb3tcdfa1********
              type: serviceAccount
      ```

      For more information about the `yc resource-manager folder add-access-binding` command, see the [CLI reference](../../cli/cli-ref/resource-manager/cli-ref/folder/add-access-binding.md).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  1. Describe the resource properties in the configuration file:

      ```hcl
      resource "yandex_iam_service_account" "backup-sa" {
        name        = "<service_account_name>"
        folder_id   = "<folder_ID>"
      }

      resource "yandex_resourcemanager_folder_iam_member" "backup-user-role" {
        folder_id   = "<folder_ID>"
        role        = "backup.user"
        member      = "serviceAccount:${yandex_iam_service_account.backup-sa.id}"
      }
      ```

      Where:

      * `yandex_iam_service_account`: [Service account](../../iam/concepts/users/service-accounts.md) description.
      * `yandex_resourcemanager_folder_iam_member`: Description of the service account's access permissions for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), where:

          * `role`: [Role](../security/index.md#backup-user) to assign.
          * `member`: Subject the role is assigned to.

  1. Create the resources:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will create all the required resources. You can check the new resources using the [management console](https://console.yandex.cloud).

  For more information about resource parameters, see the relevant provider documentation:

  * [yandex_iam_service_account](../../terraform/resources/iam_service_account.md)
  * [yandex_resourcemanager_folder_iam_member](../../terraform/resources/resourcemanager_folder_iam_member.md)

- API {#api}

  To create a [service account](../../iam/concepts/users/service-accounts.md), use the [create](../../iam/api-ref/ServiceAccount/create.md) REST API method for the [ServiceAccount](../../iam/api-ref/ServiceAccount/index.md) resource or the [ServiceAccountService/Create](../../iam/api-ref/grpc/ServiceAccount/create.md) gRPC API call.

  To assign the `backup.user` [role](../security/index.md#backup-user) for a folder to a service account, use the [setAccessBindings](../../iam/api-ref/ServiceAccount/setAccessBindings.md) method for the [ServiceAccount](../../iam/api-ref/ServiceAccount/index.md) resource or the [ServiceAccountService/SetAccessBindings](../../iam/api-ref/grpc/ServiceAccount/setAccessBindings.md) gRPC API call.

{% endlist %}

For more information, see [Creating a service account](../../iam/operations/sa/create.md).


## Link a service account to the VM {#connect-sa-to-vm}

{% note info %}

You can only link one service account to a virtual machine.

{% endnote %}

To link a service account to a VM, you need a permission to use this account. This permission comes with the [iam.serviceAccounts.user](../../iam/security/index.md#iam-serviceAccounts-user) and [editor](../../iam/roles-reference.md#editor) roles or higher.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to connect a VM to Cloud Backup.
  1. Navigate to **Compute Cloud** and select the VM from the list that opens.
  1. In the top-right corner of the page, click ![image](../../_assets/console-icons/pencil.svg) **Edit VM**.
  1. Under **Additional**, select a service account with the `backup.user` role or higher.
  1. Click **Save changes**.

- Yandex Cloud CLI {#cli}

  1. View the description of the VM update command:

      ```bash
      yc compute instance update --help
      ```

  1. Link a service account to the VM by running this command:

      ```bash
      yc compute instance update <VM_name_or_ID> \
        --service-account-name <service_account_name>
      ```

      Where `--service-account-name` is the name of a service account with the `backup.user` role or higher.

      Result:

      ```text
      id: epddj31hkik0********
      folder_id: b1g681qpemb4********
      created_at: "2025-04-21T11:07:34Z"
      name: my-vm
      ...
      service_account_id: ajelprpohp7r********
      ...
      ```

- Terraform {#tf}

  1. In the Terraform configuration file, in the section with the description of the `yandex_compute_instance` resource, add the `service_account_id` property and specify the ID of the service account with the `backup.user` role or higher:

      ```hcl
      resource "yandex_compute_instance" "vm-1" {
        ...
        service_account_id = "<service_account_ID>"
        ...
      }
      ```

  1. Apply the changes:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will change all required resources. You can check the update in the [management console](https://console.yandex.cloud).

  For more information about `yandex_compute_instance` properties, see [this provider guide](../../terraform/data-sources/compute_instance.md).

- API {#api}

  Use the [update](../../compute/api-ref/Instance/update.md) REST API method for the [Instance](../../compute/api-ref/Instance/index.md) resource or the [InstanceService/Update](../../compute/api-ref/grpc/Instance/update.md) gRPC API call. Specify the ID of the service account with the `backup.user` role or higher in your request.

{% endlist %}

For more information, see [Updating a VM](../../compute/operations/vm-control/vm-update.md).


## Set up network access for the VM {#configure-network-access}

### Create a security group {#create-sg}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you want to connect a VM.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/shield.svg) **Security groups**.
  1. Click **Create security group**.
  1. Enter a name for the [security group](../../vpc/concepts/security-groups.md), e.g., `backup-sg`.
  1. In the **Network** field, select the [network](../../vpc/concepts/network.md) the VM resides in.
  1. Under **Rules**, navigate to the **Egress** tab and click **Add**.
  1. Add the following outgoing traffic rules one by one:

      Port range | Protocol | Destination name | CIDR blocks
      --- | --- | --- | ---
      `80` | `TCP` | `CIDR` | `213.180.193.0/24`
      `80` | `TCP` | `CIDR` | `213.180.204.0/24`
      `443` | `TCP` | `CIDR` | `84.47.172.0/24`
      `443` | `TCP` | `CIDR` | `84.201.181.0/24`
      `443` | `TCP` | `CIDR` | `178.176.128.0/24`
      `443` | `TCP` | `CIDR` | `213.180.193.0/24`
      `443` | `TCP` | `CIDR` | `213.180.204.0/24`
      `7770-7800` | `TCP` | `CIDR` | `84.47.172.0/24`
      `8443` | `TCP` | `CIDR` | `84.47.172.0/24`
      `44445` | `TCP` | `CIDR` | `51.250.1.0/24`
      
      
      
      {% note tip %}
      
      When installing the [Cloud Backup agent](../concepts/agent.md) on your VM or BareMetal server, you might need to install missing software components from the internet. To do this, add the following outgoing traffic rule to the [security group](../../vpc/concepts/security-groups.md):
      * **Port range**: `0-65535`.
      * **Protocol**: `Any`.
      * **Destination name**: `CIDR`.
      * **CIDR blocks**: `0.0.0.0/0`.
      
      Once the Cloud Backup agent is installed, you can delete this rule.
      
      To access the VM over [SSH](../../compute/operations/vm-connect/ssh.md), add the following incoming traffic rule:
      * **Port range**: `22`.
      * **Protocol**: `Any`.
      * **Destination name**: `CIDR`.
      * **CIDR blocks**: `0.0.0.0/0`.
      
      {% endnote %}

  1. Click **Save**.

- Yandex Cloud CLI {#cli}

  1. View the description of the command for creating a [security group](../../vpc/concepts/security-groups.md):

      ```bash
      yc vpc security-group create --help
      ```

  1. Create a security group with [rules](../../vpc/concepts/network.md#security-groups-rules) by running this command:

      ```bash
      yc vpc security-group create \
        --name <security_group_name> \
        --network-id <network_ID> \
        --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
        --rule "direction=egress,port=80,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[84.201.181.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[178.176.128.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.193.0/24]" \
        --rule "direction=egress,port=443,protocol=tcp,v4-cidrs=[213.180.204.0/24]" \
        --rule "direction=egress,from-port=7770,to-port=7800,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
        --rule "direction=egress,port=8443,protocol=tcp,v4-cidrs=[84.47.172.0/24]" \
        --rule "direction=egress,port=44445,protocol=tcp,v4-cidrs=[51.250.1.0/24]"
      ```

      Where:

      * `name`: Security group name.
      * `network-id`: ID of the [network](../../vpc/concepts/network.md) the VM resides in.
      * `rule`: Rule description:

          * `direction`: Traffic direction, where `egress` stands for outgoing traffic.
          * `port`: Destination port of the allowed traffic.
          * `from-port`: First port in the traffic port range.
          * `to-port`: Last port in the traffic port range.
          * `protocol`: Data transfer protocol.
          * `v4-cidrs`: List of IPv4 CIDR blocks of the subnets the traffic is allowed to go to.

      Result:

      ```text
      id: enp0v73fe8fs********
      folder_id: b1g86q4m5vej********
      created_at: "2024-07-22T20:17:43Z"
      name: backup-sg
      network_id: enp3srbi9u49********
      status: ACTIVE
      rules:
        - id: enpdadptjl77********
          direction: EGRESS
          ports:
            from_port: "80"
            to_port: "80"
          protocol_name: TCP
          protocol_number: "6"
          cidr_blocks:
            v4_cidr_blocks:
              - 213.180.193.0/24
      ...
        - id: enpji0640a0f********
          direction: EGRESS
          ports:
            from_port: "44445"
            to_port: "44445"
          protocol_name: TCP
          protocol_number: "6"
          cidr_blocks:
            v4_cidr_blocks:
              - 51.250.1.0/24
      ```

- Terraform {#tf}

  1. In the configuration file, describe the resources you want to create:

      ```hcl
      resource "yandex_vpc_security_group" "test_sg_outgoing" {
        name        = "<security_group_name>"
        network_id  = "<network_ID>"

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.193.0/24"]
          port           = 80
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.204.0/24"]
          port           = 80
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.47.172.0/24"]
          port           = 443
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.201.181.0/24"]
          port           = 443
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["178.176.128.0/24"]
          port           = 443
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.193.0/24"]
          port           = 443
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["213.180.204.0/24"]
          port           = 443
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.47.172.0/24"]
          from_port      = 7770
          to_port        = 7800
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["84.47.172.0/24"]
          port           = 8443
        }

        egress {
          protocol       = "TCP"
          v4_cidr_blocks = ["51.250.1.0/24"]
          port           = 44445
        }
      }
      ```

      Where:

      * `name`: [Security group](../../vpc/concepts/security-groups.md) name.
      * `network_id`: ID of the [network](../../vpc/concepts/network.md) the VM resides in.
      * `egress`: Description of the outgoing traffic [rule](../../vpc/concepts/network.md#security-groups-rules):

          * `protocol`: Data transfer protocol.
          * `v4_cidr_blocks`: List of IPv4 CIDR blocks of the subnets the traffic is allowed to go to.
          * `port`: Destination port of the allowed traffic.
          * `from_port`: First port in the traffic port range.
          * `to_port`: Last port in the traffic port range.

  1. Create the resources:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will create all the required resources. You can check the new resources using the [management console](https://console.yandex.cloud).

  For more information about `yandex_vpc_security_group` properties, see [this provider guide](../../terraform/data-sources/vpc_security_group.md).

- API {#api}

  To create a [security group](../../vpc/concepts/security-groups.md), use the [create](../../vpc/api-ref/SecurityGroup/create.md) REST API method for the [SecurityGroup](../../vpc/api-ref/SecurityGroup/index.md) resource or the [SecurityGroupService/Create](../../vpc/api-ref/grpc/SecurityGroup/create.md) gRPC API call.

{% endlist %}

For more information, see [Creating a security group](../../vpc/operations/security-group-create.md).
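
The tip above says the temporary `0.0.0.0/0` rule can be deleted once the agent is installed. The following added example (not part of the Yandex Cloud documentation) audits a security group for that: it reports which required egress rules are not covered by a narrowly scoped rule and which rules are still open to `0.0.0.0/0`. It assumes the JSON from `yc vpc security-group get <security_group_name> --format json` uses the same field names as the result shown above; `audit`, `make_rule` and `SAMPLE_GROUP` are names introduced here.

```python
import ipaddress
import json
import sys

# Egress rules the Cloud Backup agent needs, copied from the table above as
# (first port, last port, destination CIDR); every one of them is TCP.
REQUIRED_EGRESS = [
    (80, 80, "213.180.193.0/24"),
    (80, 80, "213.180.204.0/24"),
    (443, 443, "84.47.172.0/24"),
    (443, 443, "84.201.181.0/24"),
    (443, 443, "178.176.128.0/24"),
    (443, 443, "213.180.193.0/24"),
    (443, 443, "213.180.204.0/24"),
    (7770, 7800, "84.47.172.0/24"),
    (8443, 8443, "84.47.172.0/24"),
    (44445, 44445, "51.250.1.0/24"),
]

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def port_range(rule):
    """(first, last) port of a rule. Assumption: no `ports` key means all ports."""
    ports = rule.get("ports") or {}
    return int(ports.get("from_port", 0)), int(ports.get("to_port", 65535))


def networks(rule):
    """IPv4 networks listed in the rule's cidr_blocks.v4_cidr_blocks."""
    blocks = (rule.get("cidr_blocks") or {}).get("v4_cidr_blocks") or []
    return [ipaddress.ip_network(block) for block in blocks]


def covers(rule, first, last, cidr):
    """True if `rule` is an egress rule allowing TCP first..last to all of `cidr`."""
    if rule.get("direction") != "EGRESS":
        return False
    # Assumption: a rule created with protocol "Any" is reported as ANY.
    if str(rule.get("protocol_name", "")).upper() not in ("TCP", "ANY"):
        return False
    low, high = port_range(rule)
    target = ipaddress.ip_network(cidr)
    return low <= first and last <= high and any(
        target.subnet_of(net) for net in networks(rule))


def audit(group):
    """Return (missing, wide_open) for one security group.

    missing:   required rules not covered by any narrowly scoped rule, i.e.
               what stops working once the temporary 0.0.0.0/0 rule is deleted.
    wide_open: (direction, first port, last port) of each rule open to 0.0.0.0/0.
    """
    rules = group.get("rules") or []
    scoped = [r for r in rules if ANY_V4 not in networks(r)]
    missing = [req for req in REQUIRED_EGRESS
               if not any(covers(r, *req) for r in scoped)]
    wide_open = [(r.get("direction"), *port_range(r))
                 for r in rules if ANY_V4 in networks(r)]
    return missing, wide_open


def make_rule(direction, first, last, protocol, cidr):
    """Build a rule dict shaped like the `rules` entries in the result above."""
    return {"direction": direction, "protocol_name": protocol,
            "ports": {"from_port": str(first), "to_port": str(last)},
            "cidr_blocks": {"v4_cidr_blocks": [cidr]}}


# Constructed sample: the 44445 rule is absent, the temporary install rule was
# never deleted, and SSH is open to every address.
SAMPLE_GROUP = {
    "name": "backup-sg",
    "rules": [make_rule("EGRESS", first, last, "TCP", cidr)
              for first, last, cidr in REQUIRED_EGRESS if first != 44445]
    + [make_rule("EGRESS", 0, 65535, "ANY", "0.0.0.0/0"),
       make_rule("INGRESS", 22, 22, "ANY", "0.0.0.0/0")],
}

if __name__ == "__main__":
    # Pass a file holding the saved JSON of a security group as the first
    # argument, or run without arguments to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            group = json.load(handle)
    else:
        group = SAMPLE_GROUP
    missing, wide_open = audit(group)
    for first, last, cidr in missing:
        print(f"MISSING   egress tcp {first}-{last} -> {cidr}")
    for direction, first, last in wide_open:
        print(f"WIDE OPEN {direction} {first}-{last} 0.0.0.0/0")
    sys.exit(1 if missing or wide_open else 0)
```

A non-zero exit status means the group either lacks a rule the agent needs or still carries a rule open to `0.0.0.0/0`.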


### Configure the VM network interface {#configure-vm}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you want to connect a VM to Cloud Backup.
  1. Navigate to **Compute Cloud** and select the VM.
  1. Under **Network interface**, add a security group to the VM [network interface](../../compute/concepts/network.md):
  
      * In the top-right corner of the section, click ![image](../../_assets/console-icons/ellipsis.svg) and select **Edit**.
      * In the window that opens, select the previously created security group in the **Security groups** field.
      * Click **Save**.
  
  1. If the VM does not have a [public IP address](../../vpc/concepts/address.md#public-addresses), then under **Network**, click ![image](../../_assets/console-icons/ellipsis.svg) in the top-right corner of the relevant network interface section and select **Add public IP address**. In the window that opens:
  
      * In the **Public address** field, select `Auto` to get an IP address automatically or `List` to choose a reserved address from the list.
      * Optionally, if you selected `Auto` in the **Public address** field, enable **DDoS protection**. For more information, see [Yandex DDoS Protection in Virtual Private Cloud](../../vpc/ddos-protection/index.md).
      * If you selected `List` in the **Public address** field, choose the IP address you want to assign to your VM. The IP address and the VM must be in the same [availability zone](../../overview/concepts/geo-scope.md).
      * Click **Add**.
  
      Instead of assigning a public IP address to your VM, you can associate the subnet hosting this VM with a [route table](../../vpc/concepts/routing.md#rt-vm) allowing internet access via a [NAT gateway](../../vpc/concepts/gateways.md) or a custom router.

- Yandex Cloud CLI {#cli}

  1. View the description of the VM [network interface](../../compute/concepts/network.md) update command:

      ```bash
      yc compute instance update-network-interface --help
      ```

  1. Add the previously created security group to the VM network interface:

      ```bash
      yc compute instance update-network-interface \
        --id <VM_ID> \
        --network-interface-index <network_interface_number> \
        --security-group-id <security_group_ID>
      ```

      Where:

      * `--id`: VM ID.
      * `--network-interface-index`: Network interface number, e.g., `0`.
      * `--security-group-id`: Security group ID.

      Result:

      ```text
      id: epddj31hkik0********
      folder_id: b1g681qpemb4********
      created_at: "2025-04-21T11:07:34Z"
      name: my-vm
      ...
      network_interfaces:
        - index: "0"
          mac_address: d0:0d:d9:8c:31:a4
          subnet_id: e2lb1da2dd9v********
          primary_v4_address:
            address: 10.129.**.**
            one_to_one_nat:
              address: 158.160.**.**
              ip_version: IPV4
          security_group_ids:
            - enpqtbh6ulo3********
      ...
      ```

  1. View the description of the command for assigning a public IP address to a VM:

      ```bash
      yc compute instance add-one-to-one-nat --help
      ```

  1. If your VM has no [public IP address](../../vpc/concepts/address.md#public-addresses), assign one:

      ```bash
      yc compute instance add-one-to-one-nat \
        --id <VM_ID> \
        --network-interface-index <network_interface_number>
      ```

      Where:

      * `--id`: VM ID.
      * `--network-interface-index`: Network interface number, e.g., `0`.

      Result:

      ```text
      id: epddj31hkik0********
      folder_id: b1g681qpemb4********
      created_at: "2025-04-21T11:07:34Z"
      name: my-vm
      ...
      network_interfaces:
        - index: "0"
          mac_address: d0:0d:d9:8c:31:a4
          subnet_id: e2lb1da2dd9v********
          primary_v4_address:
            address: 10.129.**.**
            one_to_one_nat:
              address: 158.160.**.**
              ip_version: IPV4
          security_group_ids:
            - enpqtbh6ulo3********
      ...
      ```

- Terraform {#tf}

  1. Open the configuration file and change the VM [network interface](../../compute/concepts/network.md) properties in the section with the description of the `yandex_compute_instance` resource.

      ```hcl
      resource "yandex_compute_instance" "my-vm" {
      ...
        network_interface {
          ...
          security_group_ids = ["<security_group_ID>"]
          nat                = true
          ...
        }
      ...
      }
      ```

      Where:

      * `yandex_compute_instance`: VM description.
      * `network_interface`: VM network interface settings.
      * `security_group_ids`: List of security group IDs.
      * `nat`: Specifies if a VM will have an assigned public IP address.

  1. Create the resources:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will change all required resources. You can check the update in the [management console](https://console.yandex.cloud).

  For more information about `yandex_compute_instance` properties, see [this Terraform article](../../terraform/data-sources/compute_instance.md).

- API {#api}

  To add a security group to the VM [network interface](../../compute/concepts/network.md), use the [updateNetworkInterface](../../compute/api-ref/Instance/updateNetworkInterface.md) REST API method for the [Instance](../../compute/api-ref/Instance/index.md) resource or the [InstanceService/UpdateNetworkInterface](../../compute/api-ref/grpc/Instance/updateNetworkInterface.md) gRPC API call.

  To assign a [public IP address](../../vpc/concepts/address.md#public-addresses) to a VM, use the [addOneToOneNat](../../compute/api-ref/Instance/addOneToOneNat.md) REST API method for the [Instance](../../compute/api-ref/Instance/index.md) resource or the [InstanceService/AddOneToOneNat](../../compute/api-ref/grpc/Instance/addOneToOneNat.md) gRPC API call.

{% endlist %}

For more information, see [Changing security groups of a VM network interface](../../compute/operations/vm-control/vm-change-security-groups-set.md) and [Assigning a public IP address to a VM](../../compute/operations/vm-control/vm-attach-public-ip.md).


## Install the Cloud Backup agent {#connect-vm}

1. [Connect](../../compute/operations/vm-connect/ssh.md) to the VM over SSH.
1. Install the Cloud Backup agent on the VM by running this command in the Linux terminal:

    {% list tabs group=operating_system %}

    - Ubuntu {#ubuntu}

      ```bash
      sudo apt update && \
      sudo apt install -y jq && \
      curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
      ```

      Result:

      ```text
      ...
      Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********
      ```

    - CentOS {#centos}

      ```bash
      sudo yum install epel-release -y && \
      sudo yum update -y && \
      sudo yum install jq -y && \
      curl https://storage.yandexcloud.net/backup-distributions/agent_installer.sh | sudo bash
      ```

      Result:

      ```text
      ...
      Agent registered with id D9CA44FC-716A-4B3B-A702-C6**********
      ```

    {% endlist %}

    {% note info %}

    If you get the `Failed to parse cloudbackup from instance attributes IAM token and instance registration id are empty, unable to provide authorization` error, make sure the VM has a service account with the `backup.user` [role](../security/index.md#backup-user) or higher [assigned](connect-vm-linux.md#connect-sa-to-vm).

    {% endnote %}
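
The `curl ... | sudo bash` line in the commands above runs whatever bytes arrive as root, including a truncated or error-page response. The script below is an added example, not part of the Yandex Cloud installer or this guide's own commands: it saves the installer to a file, checks it, and logs its SHA-256 before running it. The function names and the `--install` switch are hypothetical; install `jq` first as shown in the tabs.

```shell
#!/usr/bin/env bash
# Added example (not Yandex Cloud's own script): save the installer to disk,
# sanity-check it and log its SHA-256 before running it as root.

INSTALLER_URL="https://storage.yandexcloud.net/backup-distributions/agent_installer.sh"

# HTTPS only, no protocol downgrade on redirect; --fail turns an HTTP error
# into a non-zero exit instead of saving the error body as the "installer".
fetch_installer() {
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --tlsv1.2 \
       --output "$1" "$INSTALLER_URL"
}

# Returns 1 for an empty file, 2 for an HTML/XML body, 3 for a script that
# does not parse (for example a truncated download). On success prints the
# SHA-256 so the exact bytes that ran can be recorded and compared across hosts.
check_installer() {
  local file="$1" first=""
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  IFS= read -r first < "$file" || true
  case "$first" in
    '<'*) echo "markup, not a shell script: $file" >&2; return 2 ;;
  esac
  bash -n "$file" 2>/dev/null || { echo "does not parse: $file" >&2; return 3; }
  sha256sum "$file" | cut -d' ' -f1
}

# Download, check, log the digest, then run with root privileges.
install_agent() {
  local tmp digest rc
  tmp="$(mktemp)" || return 1
  if fetch_installer "$tmp" && digest="$(check_installer "$tmp")"; then
    echo "agent_installer.sh sha256=$digest"
    sudo bash "$tmp"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Run the installation only when executed directly with --install.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "${1:-}" = "--install" ]; then
  install_agent
fi
```

Keep the logged digest with the VM's change record so that hosts installed at different times can be compared.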

After successfully installing the agent, you can link your VM to a [backup policy](../concepts/policy.md).

To connect an existing VM to Cloud Backup, you can also [take](../../compute/operations/disk-control/create-snapshot.md) snapshots of the VM disks and [create](../../compute/operations/vm-create/create-from-snapshots.md) a new VM based on those snapshots by selecting the backup option.

{% note info %}

If you are using [LVM](https://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)) to manage the disk space of the protected resource, learn [how to restore](../concepts/backup.md#lvm) resources with LVM in Cloud Backup.

{% endnote %}


#### See also {#see-also}

* [Creating a Linux VM with a connection to Cloud Backup](create-vm.md)
* [Linking a VM to a backup policy](policy-vm/update.md#update-vm-list)
* [Creating a backup policy](policy-vm/create.md)
* [Restoring a VM or Yandex BareMetal server from a backup](backup-vm/recover.md)