Creating custom policies

If the needs of your data protection environment are not covered with any of the predefined policies, you can create a new policy and tailor it to your needs. In this case, besides setting the desired RPO, the retention period for the backup data, and the target, you can also enable one or more additional policy options for optimal policy implementation.

If you plan to protect instances, Google Kubernetes Engine applications, or buckets, you can also enable one or more of the following policy options:

Policy option	Allows you to...
Backup Window	Start all backup tasks within specified time frames to improve efficiency and avoid an overload of your environment. For details, see “Creating backup windows”.
Copy^a	Create a copy of backup data.
Archiving^a	Preserve your data for future reference. For details, see “Creating data archives”.
Labels	Set up automatic policy assignment based on the labels or tags added to the instances in Google Compute Engine, the applications in Google Kubernetes Engine, or the buckets in Google Cloud Storage.

^aFor GKE applications: This policy option is available only for applications using persistent volumes.

Prerequisites

Only if you plan to select a manually created target. A bucket must be added to HYCU for Google Cloud as a target. For instructions, see “Setting up targets”.
Only if you plan to enable the Backup Window policy option. A backup window must exist for the selected HYCU for Google Cloud protection set. For instructions, see “Creating backup windows”.
Only if you plan to enable the Archiving policy option. A data archive must exist for the selected HYCU for Google Cloud protection set. For instructions, see “Creating data archives”.
Only if you plan to enable the Labels policy option.
- The HYCU Managed Service Account (HMSA) must have the following roles granted on the projects with the instances that you plan to protect, the clusters on which the GKE applications that you plan to protect are deployed, or the buckets that you plan to protect:
  - Compute Admin (roles/compute.admin)
  - Service Account User (roles/iam.serviceAccountUser)
  - Storage Admin (roles/storage.admin)
  - Required only if protecting GKE applications. Kubernetes Engine Admin (roles/container.admin)
  For instructions on how to grant permissions to service accounts, see Google Cloud documentation.
- The labels that you plan to specify in HYCU for Google Cloud must be added to instances in Google Compute Engine as labels (preferred) or custom metadata tags, to GKE applications in Google Kubernetes Engine as metadata labels, or to buckets in Google Cloud Storage as bucket labels.
  
  For instructions on how to do this, see Google Cloud or Kubernetes documentation.

Considerations

HYCU for Google Cloud automatically associates the resource with one of the pricing tiers based on the value of the Backup every option that you set in the policy. However, if you are storing data as a snapshot and have enabled the Archiving option, the pricing tier is automatically set to bronze regardless of the specified RPO.
If you want that your data to be stored as a snapshot and on a target, make sure to select the Snapshot backup target type and also enable the Copy policy option.
Only if you plan to enable the Labels policy option.
- Labels that you specify in policies in HYCU for Google Cloud must be unique within the selected protection set.
- When matched, the hycu‑policy custom metadata tag takes precedence over other labels or tags that might be added to the same instance in Google Compute Engine, to the same application in Google Kubernetes Engine, or to the same bucket in Google Cloud Storage. For more information on the hycu‑policy tag, see “Setting up automatic policy assignment”.
Only if you plan to store backup data on a target. Backup and restore speed depends on the region of the chosen target and the regions of the instances or Kubernetes clusters with your GKE applications. The optimum speed is achieved when the target and the instances or clusters reside in the same region.

Procedure

In the Policies panel, click  New. The New Policy dialog box opens.
Enter a name for your policy and, optionally, its description.

Enable the required policy options by clicking them (the Backup policy option is mandatory and therefore enabled by default). Depending on what kind of data you plan to protect, the following policy options are available:

Policy option	Instance and GKE application data protection	SAP HANA application data protection	Bucket data protection
Backup Window	h	x	h
Copy^a	h	x	h
Archiving^a	h	x	h
Labels	h	x	h

^aFor GKE applications: This policy option is available only for applications using persistent volumes.

In the Backup section, do the following:
1. In the Backup every fields, set the RPO (in months, weeks, days, hours, or minutes).
  n Note You can set the RPO to 30 minutes in the following cases:
  - If you are storing data only as a snapshot.
  - If you are storing data as a snapshot and have enabled the Archiving option.
  For all other cases, the minimum RPO is one hour.
2. In the Retention fields, set a retention period (in months, weeks, or days) for the backup data.
3. Select one of the following backup target types:
  - Applicable only if protecting instances or GKE applications using persistent volumes. Snapshot
    
    Under Snapshot Location, select Regional or Multi‑regional.
    
    Example
    
    If your instance resides in the us‑central1‑a zone, with the Multi‑regional option selected, a snapshot of the instance is replicated to all us regions, whereas with the Regional option selected, a snapshot is stored only in the us‑central1 region.
  - Target
    
    From the Target drop-down menu, select the target that you want to use for storing data.
    
    If you select the Automatically selected option, HYCU for Google Cloud creates a bucket in the region of the instance or the Kubernetes cluster and uses it as a target for storing the data. If an automatically created bucket already exists, it is used instead.
    
    i Important Automatically created targets can be selected only if you plan to protect instance data or GKE application data (and not SAP HANA application or bucket data).

Depending on which policy options you have enabled, do the following:

Policy option	Instructions
Backup Window	In the Backup Window section, from the Backup window drop-down menu, select a backup window for backup tasks. If you do not select a backup window, the Always value is shown, which means that your backups are allowed to run at any time.
Copy^a	In the Copy section, do the following: Set a retention period (in months, weeks, or days) for the copy of backup data. From the Target drop-down menu, select a target that you want to use for storing data. If you want the target to be selected automatically, make sure the Automatically selected option is selected. In this case, HYCU for Google Cloud creates a bucket in the region of the instance or the Kubernetes cluster and uses it as a target for storing the data. If an automatically created bucket already exists, it is used instead. If you want to select a manually created target, make sure that this target is different from the one you selected for the backup. i Important Automatically created targets can be selected only if you plan to protect instance data or GKE application data (and not SAP HANA application or bucket data).
Archiving^a	In the Archiving section, from the Data archive drop-down menu, select a data archive.
Labels	In the Labels section, enter a label key and value, and then click Add. If required, repeat the action as appropriate. For details on automatic policy assignment, see “Setting up automatic policy assignment”.

^aFor GKE applications: This policy option is available only for applications using persistent volumes.

Click Save.

The policy is created and added to the list of policies. For details on managing policies, see “Managing policies”.