Copying a Volume Backup Between Regions

Learn how to create a volume backup copy in a specific region.

These procedures apply to volume backups. For volume group backups, see Copying a Volume Group Backup.

Required IAM Policy

To use Oracle Cloud Infrastructure, an administrator must be a member of a group granted security access in a policy by a tenancy administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with the tenancy administrator what type of access you have and which compartment your access works in.

For administrators: The first two statements listed in the Let volume admins manage block volumes, backups, and volume groups policy let the specified group do everything with block volumes and backups with the exception of copying volume backups across regions. The aggregate resource type volume-family does not include the VOLUME_BACKUP_COPY permission, so to enable copying volume backups across regions you need to ensure that you include the third statement in that policy, which is:

Allow group VolumeAdmins to use volume-backups in tenancy where request.permission='VOLUME_BACKUP_COPY'

To restrict access to just creating and managing volume backups, including copying volume backups between regions, use the policy in Let boot volume backup admins manage only backups. The individual resource type volume-backups includes the VOLUME_BACKUP_COPY permission, so you do not need to specify it explicitly in this policy.

If you are copying volume backups encrypted using Vault between regions or you want the copied volume backup to use Vault for encryption in the destination region, you need to use a policy that allows the Block Volume service to perform cryptographic operations with keys in the destination region. For a sample policy showing this, see Let Block Volume, Object Storage, File Storage, Kubernetes Engine, and Streaming services encrypt and decrypt volumes, volume backups, buckets, file systems, Kubernetes secrets, and stream pools.

Restricting Access

The specific permissions needed to copy volume backups across regions are:

  • Source region: VOLUME_BACKUP_READ, VOLUME_BACKUP_COPY
  • Destination region: VOLUME_BACKUP_CREATE

Sample Policies

To restrict a group to specific source and destination regions for copying volume backups

In this example, the group is restricted to copying volume backups from the UK South (London) region to the Germany Central (Frankfurt) region.

Allow group MyTestGroup to read volume-backups in tenancy where all {request.region='lhr'}
Allow group MyTestGroup to use volume-backups in tenancy where all {request.permission='VOLUME_BACKUP_COPY', request.region = 'lhr', target.region = 'fra'}
Allow group MyTestGroup to manage volume-backups in tenancy where all {request.permission='VOLUME_BACKUP_CREATE', request.region = 'fra'}

To restrict some source regions to specific destination regions while enabling all destination regions for other source regions

In this example, the following is enabled for the group:

  • Manage volume backups in all regions.

  • Copy volume backups from the US West (Phoenix) and US East (Ashburn) regions to any destination regions.

  • Copy volume backups from the Germany Central (Frankfurt) and UK South (London) regions only to the Germany Central (Frankfurt) or UK South (London) regions.

Allow group MyTestGroup to read volume-backups in tenancy where all {request.region='lhr'}
Allow group MyTestGroup to manage volume-backups in tenancy where any {request.permission!='VOLUME_BACKUP_COPY'}
Allow group MyTestGroup to use volume-backups in tenancy where all {request.permission='VOLUME_BACKUP_COPY', any {request.region='lhr', request.region='fra'}, any{target.region='fra', target.region='lhr'}}
Allow group MyTestGroup to use volume-backups in tenancy where all {request.permission='VOLUME_BACKUP_COPY', any {request.region='phx', request.region='iad'}}
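
The following Python sketch is an added example, not Oracle code. It models how the four statements above combine, so you can check which source and destination pairs a policy actually permits before deploying it. The function names, the reduced verb-to-permission map, and the rule that a variable missing from a request makes its comparison false are assumptions of this sketch, not the IAM service's implementation.

```python
import re
# Verb-to-permission map limited to the permissions this page names (simplifying assumption).
VERBS = {"read": {"VOLUME_BACKUP_READ"},
         "use": {"VOLUME_BACKUP_READ", "VOLUME_BACKUP_COPY"},
         "manage": {"VOLUME_BACKUP_READ", "VOLUME_BACKUP_COPY", "VOLUME_BACKUP_CREATE"}}
TOKEN = re.compile(r"\s*(all|any|\{|\}|,|!=|=|'[^']*'|[\w.]+)")

def parse(tokens):
    """Recursive-descent parse of a 'where' condition into a predicate over a request context."""
    head = tokens.pop(0)
    if head in ("all", "any"):
        tokens.pop(0)  # opening '{'
        parts = [parse(tokens)]
        while tokens.pop(0) == ",":  # consumes each ',' and finally the closing '}'
            parts.append(parse(tokens))
        combine = all if head == "all" else any
        return lambda ctx: combine(p(ctx) for p in parts)
    op, value = tokens.pop(0), tokens.pop(0).strip("'")
    # Assumption: a variable absent from the request makes the comparison false.
    return lambda ctx: head in ctx and (ctx[head] == value) == (op == "=")

def compile_policy(statements):
    rules = []
    for s in statements:
        m = re.match(r"Allow group \S+ to (\w+) volume-backups in tenancy where (.+)", s)
        rules.append((VERBS[m.group(1)], parse(TOKEN.findall(m.group(2)))))
    return rules

def permitted(rules, permission, region, target=None):
    ctx = {"request.permission": permission, "request.region": region}
    if target:
        ctx["target.region"] = target
    return any(permission in perms and cond(ctx) for perms, cond in rules)

def can_copy(rules, src, dst):
    # Per this page: READ and COPY are needed in the source region, CREATE in the destination.
    return (permitted(rules, "VOLUME_BACKUP_READ", src)
            and permitted(rules, "VOLUME_BACKUP_COPY", src, dst)
            and permitted(rules, "VOLUME_BACKUP_CREATE", dst))

POLICY = [  # the four statements of the second sample policy, copied from this page
    "Allow group MyTestGroup to read volume-backups in tenancy where all {request.region='lhr'}",
    "Allow group MyTestGroup to manage volume-backups in tenancy where any {request.permission!='VOLUME_BACKUP_COPY'}",
    "Allow group MyTestGroup to use volume-backups in tenancy where all {request.permission='VOLUME_BACKUP_COPY', any {request.region='lhr', request.region='fra'}, any{target.region='fra', target.region='lhr'}}",
    "Allow group MyTestGroup to use volume-backups in tenancy where all {request.permission='VOLUME_BACKUP_COPY', any {request.region='phx', request.region='iad'}}",
]
if __name__ == "__main__":
    for src, dst in [("phx", "fra"), ("fra", "lhr"), ("fra", "phx"), ("lhr", "iad")]:
        print(src, "->", dst, can_copy(compile_policy(POLICY), src, dst))
```

Copies out of fra or lhr to any other region are rejected because neither `use` statement matches them, while the `manage` statement explicitly excludes VOLUME_BACKUP_COPY.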

If you're new to policies, see Managing Identity Domains and Common Policies. For reference material about writing policies for instances, cloud networks, or other Core Services API resources, see Details for the Core Services.

    1. Open the navigation menu and select Storage. Under Block Storage, select Block Volume Backups.

      A list of the block volume backups in the compartment you're viewing is displayed. If you don't see the one you're looking for, make sure you're viewing the correct compartment (select from the list on the left side of the page).

    2. Select the Actions menu (three dots) for the block volume backup you want to copy to another region.
    3. Select Copy to Another Region.
    4. Enter a name for the backup and choose the region to copy the backup to. Avoid entering confidential information.

    5. In the Encryption section, select whether you want the volume backup to use the Oracle-provided encryption key or your own Vault encryption key. If you select the option to use your own key, copy and paste in the OCID for the encryption key from the destination region.

    6. Select Copy Block Volume Backup.

    7. Confirm that the source and destination region details are correct in the confirmation dialog and then select OK.

  • Use the oci bv backup copy command and specify the --destination-region and --volume-backup-id parameters to copy a volume backup to the specified region:

    oci bv backup copy --destination-region <region_name> --volume-backup-id <unique_ID> [OPTIONS]

    For example:

    oci bv backup copy --destination-region $<destination_region> --volume-backup-id $<volume_backup_ID>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CopyVolumeBackup operation and specify the volumeBackupId attribute in the request body and the destinationRegion attribute in the CopyVolumeBackupDetails resource to create a volume backup copy in a specific region.