# Creating a backup policy


Creating a [policy](../../concepts/policy.md) becomes available after you [activate](../../concepts/index.md#providers) Cloud Backup.

You can create or [update](update.md) a policy using the Yandex Cloud management console, Terraform, or a [JSON](https://en.wikipedia.org/wiki/JSON) [specification](../../concepts/policy.md#specification) via the Yandex Cloud [CLI](../../../cli/quickstart.md) or API.

{% note info %}

You cannot create backup policies with some advanced settings in the Yandex Cloud management console. Use the CLI, Terraform, or API to create such policies.

{% endnote %}

After activation, the system automatically creates the following backup policies:
* `Default daily`: Daily incremental backup with the last 15 backups retained.
* `Default weekly`: Weekly incremental backup with the last 15 backups retained.
* `Default monthly`: Monthly incremental backup with the last 15 backups retained.

{% note info %}

Backups are created based on the VM's or Yandex BareMetal server's local time. There may be a slight delay in the schedule depending on the current service load.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to create a [backup policy](../../concepts/policy.md).
  1. Navigate to **Cloud Backup**.
  1. In the left-hand panel, select ![policies](../../../_assets/console-icons/calendar.svg) **Backup policies**.
  1. Click **Create policy**.
  1. On the backup policy creation page:

      * Specify the policy name. The naming requirements are as follows:

        * Length: between 3 and 63 characters.
        * It can only contain lowercase Latin letters, numbers, and hyphens.
        * It must start with a letter and cannot end with a hyphen.

      * Select the [type of backup](../../concepts/backup.md#types):

          * `Incremental`: Saves only data that is different from the previous backup. On the first run, a full backup of the resource will be made.
          * `Always full`: Saves all VM or BareMetal server data.

          Once the policy is created, you cannot change the type.

      * Under **Launch settings**, select the run schedule type:

          * `Fixed schedule`: Specify the backup frequency:
          
              * `Every day`. Either once a day at a specified time or several times a day at a particular interval within the specified time period.
              * `Weekly`. Select days of the week and time for backups on those days.
              * `Monthly`. Specify months, day of the month, and time for backups.
          
              For incremental backups, you can enable **Create a full copy once a week** and select the day of the week for a full backup. On the selected day, a full backup will be created instead of an incremental one.
          
          * `Interval between backups`: Specify the interval, in hours or days, between the end of the previous backup and the start of the new one.
          
          Backups are created based on the VM's or BareMetal server's local time. There may be a slight delay in the schedule depending on the current service load.

          Once the policy is created, you cannot change the type.

      * Under **Retention settings**, set the [backup retention](../../concepts/policy.md#retention) policy:
      
        * `Retain all copies`: All backups created under this backup policy will be retained.
        * `Only the last`: Specify the number of recent backups you want to retain or the number of days, weeks, or months for which to retain the backups. All other backups will be deleted automatically.
      
            {% note info %}
      
            If you created the policy via the management console, subsequent updates of backup retention settings will take effect only after a next backup is created. If the changes have not taken effect, [disassociate](detach-vm.md) the policy from the VM or BareMetal server and then [reassociate](attach-and-detach-vm.md) it.
      
            {% endnote %}

      * Expand the **Additional** section and, in the form that opens, proceed as follows:

          * Optionally, enable **Run missed tasks after uploading** to run all skipped backup jobs after the VM starts if the VM was `Stopped` during the scheduled backup. This is only supported for incremental backups.
          * Optionally, enable **Fast backup** to speed up incremental backups. Changes in the file will be determined by size, date, and last update time. If the option is disabled, Cloud Backup will compare the contents of all files with the backup contents. This option does not work for volumes with JFS, ReiserFS3, ReiserFS4, ReFS, or XFS file systems.
          * Optionally, enable **Sector-by-sector backup** to create an exact disk or volume backup at the physical level. Backs up all disk or volume sectors, including empty areas and unallocated space. If no compression level is selected, the backup size will be equal to the disk size. This mode is used automatically for disks with unsupported file systems. You cannot recover app data from a backup like that.
          * Optionally, enable **Backup checks** to make sure you will be able to restore data from the backup. During the check, a checksum is calculated for each section available for recovery. The check may take a long time because it scans all recoverable data.

          * Optionally, select a data **Compression** in the backup. The higher the compression level, the longer it takes to create a backup, but such a backup will be smaller in size. How efficient compression is depends on the type of data you are backing up: files that are already compressed, such as JPG, PDF, or MP3, are difficult to compress further, unlike, for example, DOC or XLS. 

              {% note info %}

              You can only select a compression level when creating a policy. You cannot change it for an existing policy.

              {% endnote %}

          * Optionally, enable **Multivolume snapshot** to create time-synchronized data backups spanning several volumes. This parameter decides whether snapshots of several volumes will be created simultaneously or one after another. Select your preferred method for creating snapshots:
          
              * `Via Cloud Backup agent`: Snapshot volumes using the Cloud Backup agent managed by LVM.
              * `Via LVM`: Snapshot volumes using the built-in LVM tools. If the snapshot cannot be created using LVM, it will be created using the Cloud Backup agent.
          
          * Optionally, under **Commands before and after backup**, set the actions Cloud Backup will perform before and after the backup. To do this, enable **Run the command before backup** and/or **Run the command after backup**, and specify the following settings:
          
              * **Command or path to file**: Command or path to the executable file that needs to be executed (run), e.g., `/usr/bin/myapp`.
              * **Working folder**: Working directory to execute the command (run the file) in, e.g., `/etc/myapp/`.
              * **Arguments**: Command line parameters that will be applied when executing the command (running the file), e.g., `-d -rw`.
              * Enable **Terminate backup when a command fails** to stop the backup if there is a command execution (file running) error.
          
              {% note info %}
          
              You can add to each policy not more than one command executed before the backup and not more than one executed after the backup.
          
              {% endnote %}
          
          * Optionally, under **Commands before and after data capture**, set the actions Cloud Backup will perform before and after the data capture (taking the snapshot). To do this, enable **Run the command before data capture** and/or **Run the command after data capture**, and specify the following settings:
          
              * **Command or path to file**: Command or path to the executable file that needs to be executed (run), e.g., `/usr/bin/pg_start_backup.sh`.
              * **Working folder**: Working directory to execute the command (run the file) in, e.g., `/var/lib/postgresql/`.
              * **Arguments**: Command line parameters that will be applied when executing the command (running the file), e.g., `--flush-all`.
              * Enable **Terminate backup when a command fails** to stop the backup if there is a command execution (file running) error.
          
              {% note info %}
          
              Commands run as close to the snapshot time as possible, i.e., immediately before or after the data capture.
              You can add no more than one command of each type per policy.
          
              {% endnote %}
          
          * Optionally, under **Repeat operation on task failure**, specify the backup settings in the event of failure:
          
              * **Number of attempts**: Maximum number of retry attempts. If reached, the operation is considered failed. Attempts will stop as soon as the operation succeeds or when the specified number of attempts is reached, whichever comes earlier.
                  This setting does not apply if the backup was started manually.
              * **Time between attempts**: Interval between reattempts.
          
          * Optionally, under **Error handling**, configure the Cloud Backup behavior if errors occur:
          
              *  **Repeat operation on task failure**: Reattempt settings in case of backup errors:
          
                  * **Number of attempts**: Maximum number of retry attempts.
                  * **Time between attempts**: Interval between reattempts.
          
              * **Retry in case of an error while creating a snapshot**: Reattempt settings in case of snapshot errors:
          
                  *  **Number of attempts**: Maximum number of retry attempts.
                  *  **Time between attempts**: Interval between reattempts.
          
          * Optionally, under **File filters**, you can use filters to exclude specific files and folders from your backups or do the opposite and back up only specific file system items:
          
              * **Do not backup files that meet the following criteria**.
              * **Only backup files that meet the following criteria**.
          
              Exclusion filters take precedence over inclusion filters.
          
              To include or exclude files, add some criteria, e.g., file names, paths, or masks. `*` and `?` wildcards are supported. Use a new line for each criterion. Criteria are case-insensitive.

  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the [CLI](../../../cli/index.md) command to create a [backup policy](../../concepts/policy.md):

      ```bash
      yc backup policy create --help
      ```

  1. Specify the configuration of the backup policy you are creating as a data schema in [JSON](https://en.wikipedia.org/wiki/JSON) format.

      {% cut "Sample configuration file" %}

      ```json
      {
        "compression": "NORMAL",
        "format": "AUTO",
        "multiVolumeSnapshottingEnabled": true,
        "preserveFileSecuritySettings": true,
        "reattempts": {
          "enabled": true,
          "interval": {
            "type": "SECONDS",
            "count": "30"
          },
          "maxAttempts": "30"
        },
        "silentModeEnabled": true,
        "splitting": {
          "size": "1099511627776"
        },
        "vmSnapshotReattempts": {
          "enabled": true,
          "interval": {
            "type": "MINUTES",
            "count": "5"
          },
          "maxAttempts": "3"
        },
        "vss": {
          "enabled": true,
          "provider": "TARGET_SYSTEM_DEFINED"
        },
        "archive": {
          "name": "'[Machine Name]-[Plan ID]-[Unique ID]A'"
        },
        "performanceWindow": {
        },
        "retention": {
          "rules": [
            {
              "maxCount": "10"
            }
          ],
          "beforeBackup": true
        },
        "scheduling": {
          "backupSets": [
            {
              "time": {
                "weekdays": [
                  "MONDAY"
                ],
                "repeatAt": [
                  {
                    "minute": "5"
                  }
                ],
                "type": "WEEKLY"
              }
            }
          ],
          "enabled": true,
          "maxParallelBackups": "2",
          "randMaxDelay": {
            "type": "MINUTES",
            "count": "30"
          },
          "scheme": "ALWAYS_INCREMENTAL",
          "weeklyBackupDay": "MONDAY"
        },
        "cbt": "ENABLE_AND_USE",
        "fastBackupEnabled": true,
        "quiesceSnapshottingEnabled": true,
        "prePostCommands": [
          {
            "cmd": "/usr/bin/myapp",
            "args": "-d -rw",
            "enabled": true,
            "stopOnError": true,
            "type": "PRE_COMMAND",
            "wait": true,
            "workdir": "/etc/myapp/"
          }
        ]
      }
      ```

      {% endcut %}

      {% note info %}

      The `preserveFileSecuritySettings` and `quiesceSnapshottingEnabled` parameters are no longer supported.
      
      {% endnote %}

      Save the configuration to a `.json` file.

      The example describes a configuration for a backup policy that will create [incremental](../../concepts/backup.md#types) [VM](../../../compute/concepts/vm.md) or [BareMetal server](../../../baremetal/concepts/servers.md) [backups](../../concepts/backup.md) every Monday at 00:05 (UTC+0). Only the last 10 backups will be stored.

      See the [full backup policy specification](../../concepts/policy.md#specification) for details.

  1. Create a backup policy:

      ```bash
      yc backup policy create \
        --name <policy_name> \
        --settings-from-file <path_to_configuration_file>
      ```

      Where:

      * `--name`: Name of the backup policy you are creating.
      * `--settings-from-file`: Path to the backup policy configuration file in JSON format.

      Result:

      ```text
      id: cdgkoivuvtey********
      name: sample-backup-policy
      created_at: "2025-10-06T19:09:31Z"
      updated_at: "2025-10-06T19:09:31Z"
      enabled: true
      settings:
        compression: NORMAL
        format: AUTO
        multi_volume_snapshotting_enabled: true
        reattempts:
          enabled: true
          interval:
            type: SECONDS
            count: "30"
          max_attempts: "30"
        silent_mode_enabled: true
        splitting:
          size: "1099511627776"
        vm_snapshot_reattempts:
          enabled: true
          interval:
            type: MINUTES
            count: "5"
          max_attempts: "3"
        vss:
          enabled: true
          provider: TARGET_SYSTEM_DEFINED
        archive:
          name: '''[Machine Name]-[Plan ID]-[Unique ID]A'''
        performance_window: {}
        retention:
          rules:
            - max_count: "10"
          before_backup: true
        scheduling:
          backup_sets:
            - time:
                weekdays:
                  - MONDAY
                repeat_at:
                  - minute: "5"
                type: WEEKLY
              type: TYPE_AUTO
          enabled: true
          max_parallel_backups: "2"
          rand_max_delay:
            type: MINUTES
            count: "30"
          scheme: ALWAYS_INCREMENTAL
          weekly_backup_day: MONDAY
        cbt: ENABLE_AND_USE
        fast_backup_enabled: true
        file_filters: {}
        pre_post_commands:
          - cmd: /usr/bin/myapp
            args: -d -rw
            enabled: true
            stop_on_error: true
            type: PRE_COMMAND
            wait: true
            workdir: /etc/myapp/
      folder_id: b1gt6g8ht345********
      ```

      For more information about this command, see the [CLI reference](../../../cli/cli-ref/backup/cli-ref/policy/create.md).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To create a [backup policy](../../concepts/policy.md):
  1. In the Terraform configuration file, describe the backup policy parameters:

     ```hcl
     resource "yandex_backup_policy" "my_policy" {
         archive_name                      = "[Machine Name]-[Plan ID]-[Unique ID]a"
         cbt                               = "USE_IF_ENABLED"
         compression                       = "NORMAL"
         fast_backup_enabled               = true
         format                            = "AUTO"
         multi_volume_snapshotting_enabled = true
         name                              = "<backup_policy_name>"
         performance_window_enabled        = true
         sector_by_sector                  = true
         run_later                         = true
         validation_enabled                = true
         lvm_snapshotting_enabled          = true
         silent_mode_enabled               = true
         splitting_bytes                   = "9223372036854775807"
         vss_provider                      = "NATIVE"

         reattempts {
             enabled      = true
             interval     = "1m"
             max_attempts = 10
         }

         retention {
             after_backup = false

             rules {
                 max_age       = "365d"
                 repeat_period = []
             }
         }

         scheduling {
             enabled              = false
             max_parallel_backups = 0
             random_max_delay     = "30m"
             scheme               = "ALWAYS_INCREMENTAL"
             weekly_backup_day    = "MONDAY"

             backup_sets {
                 execute_by_time {
                     type                      = "MONTHLY"
                     include_last_day_of_month = true
                     monthdays                 = []
                     months                    = [1,2,3,4,5,6,7,8,9,10,11,12]
                     repeat_at                 = ["04:10"]
                     repeat_every              = "30m"
                     weekdays                  = []
                 }
             }
         }

         vm_snapshot_reattempts {
             enabled      = true
             interval     = "1m"
             max_attempts = 10
         }
     }
     ```

     Where:

     * `archive_name`: Names of generated archives. This is an optional setting. The parameter variables include:
       * `Machine Name`: [VM](../../../compute/concepts/vm.md) or [BareMetal server](../../../baremetal/concepts/servers.md) name.
       * `Plan ID`: Plan ID.
       * `Unique ID`: Unique ID.

       Make sure the last character in the generated archive name is not a variable.
     * `cbt`: Configuration for tracking [backup](../../concepts/backup.md) contents. This is an optional setting. The possible values include:
       * `CHANGED_BLOCK_TRACKING_UNSPECIFIED`: Not specified.
       * `USE_IF_ENABLED`: Use if enabled.
       * `ENABLE_AND_USE`: Enable and use.
       * `DO_NOT_USE`: Do not use.

       The default value is `DO_NOT_USE`.
     * `compression`: Backup compression ratio. This is an optional setting. The possible values include:
       * `NORMAL`: Standard compression ratio.
       * `HIGH`: High compression ratio.
       * `MAX`: Maximum compression ratio.
       * `OFF`: Disabled.

       The default value is `NORMAL`.
     * `fast_backup_enabled`: Fast backup for tracking changes to files. When enabled, file changes are detected by the file size and its timestamp. When disabled, files are checked for changes by comparing their contents to backed up files. It can either be `true` or `false`.
     * `format`: Backup format. This is an optional setting. The possible values include:
       * `VERSION_11`: Deprecated format, not recommended.
       * `VERSION_12`: Recommended format for high-speed backup and recovery.
       * `AUTO`: Automatic format selection. The default option is `VERSION_12`, unless you are creating [incremental](../../concepts/backup.md#types) backups for the images created in other versions.
     * `multi_volume_snapshotting_enabled`: Creating backups for multiple volumes at the same time. This is an optional setting. It can either be `true` or `false`.
     * `name`: Name of the backup policy.
     * `performance_window_enabled`: Time windows to limit backup performance. This is an optional setting. It can either be `true` or `false`. The default value is `false`.
     * `sector_by_sector`: Sector-by-sector backup. Backs up all disk or volume sectors, including empty areas and unallocated space. If no compression level is selected, the backup size will be equal to the disk size. This mode is used automatically for disks with unsupported file systems. You cannot recover app data from a backup like that. It can either be `true` or `false`. The default value is `false`.
     * `run_later`: If the VM was `Stopped` during a scheduled backup, all skipped backup jobs will be executed after the VM starts. It can either be `true` or `false`. The default value is `false`.
     * `validation_enabled`: Checks the possibility of recovering data from the new backup. During the check, a checksum is calculated for each section available for recovery. The check may take a long time because it scans all recoverable data. It can either be `true` or `false`. The default value is `false`.
     * `lvm_snapshotting_enabled`: Uses LVM to create a volume snapshot. If the snapshot cannot be created using LVM, it will be created using the Cloud Backup agent. It can either be `true` or `false`. The default value is `false`.
     * `silent_mode_enabled`: Silent mode that assumes minimum interaction with users. This is an optional setting. It can either be `true` or `false`. The default value is `true`.
     * `splitting_bytes`: Defines the size for splitting backups. This is an optional setting. The default value is `9223372036854775807`.
     * `vss_provider`: VSS settings. This is an optional setting. It can either be `NATIVE` or `TARGET_SYSTEM_DEFINED`. The default value is `NATIVE`.
     * `reattempts`: Defines repeat attempts in case the backup operation fails:
       * `enabled`: Retry creating a backup if non-critical errors occur (e.g., when failing to connect to a target [disk](../../../compute/concepts/disk.md)). This is an optional setting. It can either be `true` or `false`. The default value is `true`.
       * `interval`: Interval between retries. This is an optional setting. The default value is `5m`.
       * `max_attempts`: Maximum number of retry attempts. If reached, the operation is considered failed. This is an optional setting. The default value is `5`.
     * `retention`: Backup retention options:
       * `after_backup`: Apply backup retention rules after the backup is completed. It can either be `true` or `false`.
       * `rules`: Backup retention rules:
          * `max_age`: Delete backups whose age exceeds `max_age`.
          * `max_count`: Delete backups if their number exceeds `max_count`.
          * `repeat_period`: Period for applying the rules.

          The `max_age` and `max_count` attributes are mutually exclusive, i.e., the use of one makes it impossible to use the other.
     * `scheduling`: Backup scheduling options:
       * `enabled`: Enable backup scheduling. This is an optional setting. It can either be `true` or `false`. The default value is `true`.
       * `max_parallel_backups`: Maximum number of concurrent backups. This is an optional setting. The default value is `0` (unlimited).
       * `random_max_delay`: Sets a random delay between concurrent jobs. This is an optional setting. The default value is `30m`.
       * `scheme`: Backup schedule scheme. This is an optional setting. The possible values include:
         * `ALWAYS_INCREMENTAL`: Always incremental.
         * `ALWAYS_FULL`: Always full.
         * `WEEKLY_FULL_DAILY_INCREMENTAL`: Create an incremental backup every day and a full one weekly.
         * `WEEKLY_INCREMENTAL`: Create an incremental backup every week.

         The default value is `ALWAYS_INCREMENTAL`.
       * `weekly_backup_day`: Day of the week when the weekly backup is run. This is an optional setting. The default value is `MONDAY`.
       * `backup_sets`: List of schedules with backup sets:
          * `execute_by_time`: Settings for backups at a specific time:
            * `include_last_day_of_month`: Running backups on the last day of each month. This is an optional setting. It can either be `true` or `false`. The default value is `false`.
            * `monthdays`: List of days to to which the schedule applies. This is an optional setting. It can be used for the `MONTHLY` format.
            * `months`: List of months to which the schedules applies. This is an optional setting.
            * `repeat_at`: List of time values in `HH:MM` (24-hour) format to which the schedule applies. This is an optional setting.
            * `repeat_every`: Frequency for repeat backups. This is an optional setting.
            * `type`: Schedule type. The possible values are `HOURLY`, `DAILY`, `WEEKLY`, and `MONTHLY`.
            * `weekdays`: List of days of the week to which the schedule applies. It can be used for the `WEEKLY` format.
     * `vm_snapshot_reattempts`: Backup retries in case of failures:
       * `enabled`: Retry a backup if any errors occur. This is an optional setting. It can either be `true` or `false`. The default value is `true`.
       * `interval`: Interval between retries. This is an optional setting. The default value is `5m`.
       * `max_attempts`: Maximum number of retry attempts. If reached, the operation is considered failed. This is an optional setting. The default value is `5`.

     {% note info %}

     The `preserveFileSecuritySettings` and `quiesceSnapshottingEnabled` parameters are no longer supported.
     
     {% endnote %}


     For more information about `yandex_backup_policy` properties, see [this provider guide](../../../terraform/resources/backup_policy.md).
  1. Create the resources:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     Terraform will create all the required resources. You can check the new resources in the [management console](https://console.yandex.cloud) or using this [CLI](../../../cli/quickstart.md) command:

     ```bash
     yc backup policy list
     ```

- API {#api}

  To create a [backup policy](../../concepts/policy.md), use the [create](../../backup/api-ref/Policy/create.md) REST API method for the [Policy](../../backup/api-ref/Policy/index.md) resource or the [PolicyService/Create](../../backup/api-ref/grpc/Policy/create.md) gRPC API call.

{% endlist %}

#### See also {#see-also}

* [Updating a backup policy](update.md).
* [Deleting a backup policy](delete.md).