Managing Block Storage for VPC volumes

You can manage your IBM® Cloud Block Storage for Virtual Private Cloud in the UI, from the CLI, or with the API. You can detach a volume from a virtual server instance or transfer a volume from one instance to another. You can attach a previously attached volume or rename a volume. You can set automatic volume deletion or manually delete a volume. You can assign access to a volume, and you can access volume read/write metrics for monitoring performance. Apply user tags that are associated with a backup policy to a volume to create automated backups.

Managing Block Storage for VPC in the UI

Use the console to manage your Block Storage for VPC volumes. In the console, you can complete the following actions.

Detach a volume from a virtual server instance.
Transfer a volume from one instance to another.
Attach a previously attached Block Storage for VPC data volume.
Rename a Block Storage for VPC volume.
Delete a Block Storage for VPC data volume.

Detaching a Block Storage for VPC volume from a virtual server instance

You can detach a Block Storage for VPC volume that is attached to a virtual server instance. Detaching frees the volume for use by another instance.

To detach a volume, complete the following steps.

Go to the list of all Block Storage for VPC volumes. In the IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume and then, click the overflow icon (...) to open a list of options.
From the options menu, click Detach from instance.
Confirm by clicking Detach instance in the open window.

Alternatively, you can click an individual volume in the list of all Block Storage for VPCand go to the Volume Details page for that volume. Under Attached instances, click the minus sign next to the virtual server instance to detach the volume from that instance.

When you use a Hyper Protect Virtual Servers for IBM Cloud® Virtual Private Cloud instance, detaching the data volume that is attached to a running instance causes the workload that's running on the instance to fail. Therefore, it is recommended that you do not detach the data volume.

Transferring a Block Storage for VPC volume from one virtual server instance to another

To transfer a Block Storage for VPC volume to another virtual server instance, complete the following steps.

Detach the volume from its virtual server instance.
Go to the virtual server instance to which you want to transfer the volume. In the IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Compute > Virtual server instances.
Select a virtual server instance from the list.
Under Attached Storage volumes, click the plus sign to add a volume. All Block Storage for VPCare displayed.
From the list of volumes, select the volume that you previously detached.

Attaching a previously attached Block Storage for VPC data volume

A Block Storage for VPC data volume is attached by default when you provision the volume during virtual server instance creation. When you detach a volume from an instance, it exists as an unattached volume and is displayed in the list of all Block Storage for VPC volumes. You can attach it to another instance from the list of Block Storage for VPC volumes.

Go to the list of all Block Storage for VPC volumes. In the IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume and then click overflow icon (...) to open a list of options.
From the options menu, click Attach to instance.
Select an available virtual server instance.
Confirm your selection.

Renaming a Block Storage for VPC volume

You can change the name of an existing volume to make it more meaningful.

Go to the list of all Block Storage for VPC volumes. In the IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume and then click the name of the volume to go to the Volume Details page.
Click the pencil icon after the name of the volume to edit the name. Provide a valid volume name. Valid volume names can include a combination of lowercase alpha-numeric characters (a-z, 0-9) and the hyphen (-), up to 63 characters. Volume names must begin with a lowercase letter. Volume names must be unique across the entire VPC infrastructure. For example, if you create two volumes with the same name in the same account and region, a volume name duplicate error is triggered.
Confirm your edit.

Adding user tags to a Block Storage for VPC volume

Add user tags to Block Storage for VPCfrom the list of volumes or the volumes details page.

Go to the list of Block Storage for VPC volumes. In IBM Cloud console), click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume from the list that you want to add user tags.
In the tags column, click Add tags.
In the Add tags menu, enter the user tags that you want to apply to this volume. Tags display as you type.

You can also add access management tags to a volume from the Add tags menu. For more information about creating and adding access management tags, see Apply access management tags to a volume.
When you're done adding tags, click Save. When you refresh the screen, the list of Block Storage for VPC shows the number of tags that are added in the Tags column.

You can also add tags from the volume details page. To do so, follow these steps.

Go to the list of Block Storage for VPC volumes.
On the volume details, click Add tags next to the volume name.
In the Add tags menu, enter the user tags that you want to apply to this volume. When finished, click Save.

Adding user tags that are associated with a backup policy to a volume in the UI

You can add user tags that are associated with a backup policy to a Block Storage for VPC volume. Backup policies schedule automatic creation of backup snapshots. When one volume tag matches a backup policy tag for target resources, it triggers a backup of the volume contents. A backup policy defines a backup plan that schedules when backup snapshots are taken.

From the volume details page, you can view the backup policies that are applied to the volume and add user tags that are associated with a backup policy.

Go to the list of Block Storage for VPC volumes. In IBM Cloud console), click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume that you want and click the name link.
From the Block Storage for VPCdetails page, click the Backup policies tab.
Click Attach.
In the side panel, select a backup policy from the list of available policies, and then select the policy tags to apply to the volume. You can also view the plan details that can help you decide whether to use that policy.
Click Apply policy and tags. The backup policy shows in the list of backup policies that are associated with the volume.

When you go to the backup policy page, the volume for which you added tags shows up in the list of volumes.

For more information about creating backups, see Creating a backup policy. For more information about user tags, see Working with tags.

Managing Block Storage for VPC from the CLI

Manage your Block Storage for VPCfrom the command-line interface (CLI). You can update a volume name, update a volume attachment, detach a volume, and delete a volume.

Before you can use the CLI, you must install the IBM Cloud CLI and the VPC CLI plug-in. For more information, see the CLI prerequisites.

Log in to the IBM Cloud.
```
ibmcloud login --sso -a cloud.ibm.com
```
This command returns a URL and prompts for a passcode. Go to that URL in your browser and log in. If successful, you get a one-time passcode. Copy this passcode and paste it as a response on the prompt. After successful authentication, you are prompted to choose your account. If you have access to multiple accounts, select the account that you want to log in as. Respond to any remaining prompts to finish logging in.
Select the current generation of VPC.
```
ibmcloud is target --gen 2
```

Updating a volume name

To change a volume name, specify either the volume name or ID and then indicate the new name. The volume name can be up to 63 alpha-numeric characters and include special characters, and must begin with a lowercase letter. The volume name must be unique across the VPC infrastructure.

ibmcloud is volume-update VOLUME_ID [--name NEW_NAME] [--json]

See the following example.

$ ibmcloud is volume-update r014-dee9736d-08ee-4992-ba8d-3b64a4f0baac --name demo-volume-update
Updating volume 933c8781-f7f5-4a8f-8a2d-3bfc711788ee under account Test Account as test.user@ibm.com...
ID                                     r014-dee9736d-08ee-4992-ba8d-3b64a4f0baac
Name                                   demo-volume-update
CRN                                    crn:v1:bluemix:public:is:us-east-1:a/a1234567::volume:r014-dee9736d-08ee-4992-ba8d-3b64a4f0baac
Status                                 available
Attachment state                       unattached
Capacity                               100
IOPS                                   3000
Bandwidth(Mbps)                        393
Profile                                general-purpose
Encryption key                         -
Encryption                             provider_managed
Resource group                         defaults
Created                                2023-06-29T16:14:59+00:00
Zone                                   us-east-1
Health State                           ok
Volume Attachment Instance Reference   -
Active                                 false
Unattached capacity update supported   false
Unattached iops update supported       false
Busy                                   false
Tags                                   -

Updating a volume attachment from the CLI

You can update the volume attachment name and change the default auto delete setting with the instance-volume-attachment-update command.

ibmcloud is instance-volume-attachment-update INSTANCE_ID VOLUME_ATTACHMENT_ID [--name NEW_NAME] [--auto-delete true | false] [--json]

Use the --name option and specify a new name for the volume attachment. Specify --auto-delete true to automatically delete a volume that is attached to an instance, when you delete the instance. Specify --auto-delete false, if you want to keep the volume as a stand-alone volume after the instance is deleted.

$ ibmcloud is instance-volume-attachment-update kj-test-ro otp1 --name one-true-pairing --auto-delete false
Updating volume attachment otp1 of instance kj-test-ro under account Test Account as user test.user@ibm.com...

ID                0757-6757e676-0bf5-4b79-9a5b-29c24e17420c
Name              one-true-pairing
Volume            ID                                          Name
                  r014-dee9736d-08ee-4992-ba8d-3b64a4f0baac   demo-volume-update

Status            attached
Bandwidth(Mbps)   393
Type              data
Device            0757-6757e676-0bf5-4b79-9a5b-29c24e17420c-bxsh7
Auto delete       false
Created           2023-06-29T18:14:57+00:00

For more information about available command options, see ibmcloud is instance-volume-attachment-update.

Detaching a volume from the CLI

Use the instance-volume-attachment-detach command to detach a volume from an instance and delete the volume attachment. The Block Storage for VPC volume is not deleted; you can later attach it to another instance.

In the syntax for this command, INSTANCE is the ID or name of the instance. VOLUME_ATTACHMENT is the ID or name of the volume attachment. You can specify multiple volume attachments. For more information about volume attachments, see the CLI reference for creating a volume attachment.

ibmcloud is instance-volume-attachment-detach INSTANCE (VOLUME_ATTACHMENT1 VOLUME_ATTACHMENT2 ...) [--output JSON] [-f, --force] [-q, --quiet]

$ ibmcloud is instance-volume-attachment-detach kj-test-ro one-true-pairing
This will delete volume attachment one-true-pairing and cannot be undone. Continue [y/N] ?> y
Deleting volume attachment one-true-pairing from instance kj-test-ro under account Test Account as user test.user@ibm.com...
OK
Volume attachment one-true-pairing is deleted.

For more information about available command options, see ibmcloud is instance-volume-attachment-detach.

Managing Block Storage for VPC with the API

Manage your Block Storage for VPCprogrammatically by making calls to the VPC REST APIs. You can update a volume name, update a volume attachment, detach a volume, and delete a volume.

Updating the name of a volume with the API

Make a PATCH /volumes/{id} call and specify a new name for the volume.

curl -X PATCH "$vpc_api_endpoint/v1/volumes?version=2022-04-22&generation=2" \
-H "Authorization: $iam_token" \
-d '{
      "name": "my-volume-4-update"
    }'

A successful response looks like the following example.

{
  "capacity": 50,
  "created_at": "2022-04-22T23:16:53.000Z",
  "crn": "crn:[...]",
  "encryption": "user_managed",
  "encryption_key": {
    "crn": "crn:[...]"
  },
  "href": "https://us-south.iaas.cloud.ibm.com/v1/volumes/2d1bb5a8-40a8-447a-acf7-0eadc8aeb054",
  "id": "2d1bb5a8-40a8-447a-acf7-0eadc8aeb054",
  "iops": 100,
  "name": "my-volume-4-update",
  "profile": {
    "href": "https://us-south.iaas.cloud.ibm.com/v1/volume/profiles/custom",
    "name": "custom"
  },
  "resource_group": {
    "href": "https://resource-controller.cloud.ibm.com/v2/resource_groups/4bbce614c13444cd8fc5e7e878ef8e21",
    "id": "4bbce614c13444cd8fc5e7e878ef8e21",
    "name": "Default"
  },
  "status": "available",
  "status_reasons": [],
  "volume_attachments": [],
  "zone": {
    "href": "https://us-south.iaas.cloud.ibm.com/v1/regions/us-south/zones/us-south-2",
    "name": "us-south-2"
  }
}

Updating a volume attachment with the API

Make a PATCH /instances call and specify the ID of the new volume attachment.

PATCH /instances/{instance_id}/volume_attachments/{id}

curl -X PATCH "$vpc_api_endpoint/v1/instances/$instance_id/volume_attachments/$volume_attachment_id?version=2022-04-22&generation=2" \
-H "Authorization: $iam_token" \
-d '{
      "delete_volume_on_instance_delete": false,
      "name": "my-volume-attachment-data-5iops-updated"
    }'

A successful response looks like the following example.

{
  "created_at": "2022-04-22T16:35:47.000Z",
  "delete_volume_on_instance_delete": false,
  "href": "https://us-south.iaas.cloud.ibm.com/v1/instances/8f06378c-ed0e-481e-b98c-9a6dfbee1ed5/volume_attachments/9f2a645e-19c1-4f8f-b062-46b9e0671999",
  "id": "9f2a645e-19c1-4f8f-b062-46b9e0671999",
  "name": "my-volume-attachment-data-5iops-updated",
  "status": "attached",
  "type": "data",
  "volume": {
    "crn": "crn:[...]",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/volumes/d8b26921-1409-4c2f-9b46-39b5b6e0b945",
    "id": "d8b26921-1409-4c2f-9b46-39b5b6e0b945",
    "name": "my-volume-data-5iops"
  }
}

Detaching a volume with the API

Make a DELETE /instances request and specify the volume attachment ID to delete a volume attachment. Deleting a volume attachment detaches a volume from an instance.

DELETE /instances/{instance_id}/volume_attachments/{id}

curl -X DELETE "$vpc_api_endpoint/v1/instances/$instance_id/volume_attachments/$volume_attachment_id?version=2022-04-22&generation=2" \
-H "Authorization: $iam_token"

Verify that the volume is detached from the instance by making a GET /instances/{instance_id} call.

Applying user tags that are associated with a backup policy to a volume with the API

To add user tags to a volume, you first make a GET /volumes/{volume_id} call and copy the hash string from Etag property in the response header. You then use the hash string when you specify If-Match in a PATCH /volumes/{volume_id} request to create new user tags.

For more information, see Apply tags to Block Storage for VPC volumes in the VPC backup service documentation.

Applying access management tags to a Block Storage for VPC volume

Access management tags are metadata that you can add to your Block Storage for VPCto help organize access control resource relationships. You first create the tag and then apply it to a new volume or to an existing volume. You can apply the same access management tag to multiple Block Storage for VPC volumes. You then assign access to the tag in IAM. Optionally, you can create an IAM access group and manage users.

Access management tags are not used by backup policies to create backup snapshots. Backup snapshots are created when user tags match backup policy tags for target resources to volume user tags.

Step 1 - Creating an IAM access management tag in the UI

In the console, complete the following steps.

Go to Manage > Account, and then select Tags.
Click the Access management tags tab. Add a tag name in the field. Access management tags require a key:value format.
Click Create Tags.

Step 1 - Creating an IAM access management tag with the API

With the Global Search and Tagging API, make a POST/ tags call to create an access management tag. Specify the tag in the tag_names property. For an example, see Creating access management tags by using the API.

Step 2 - Adding an access management tag to a volume

Add an access management tag to an existing volume or when you create a volume. To add access management tags to an existing volume, complete the following steps.

Go to the list of Block Storage for VPC volumes. In IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume from the list.
In the tags column, click Add tags.
In the Add tags menu, enter the access management tags in the access management tag field. Tags that you created display as you type.
Click Save.

Step 3 - Assigning access and users

After you create an access management tag and apply it to a volume, complete the following steps to assign access and add users.

Create an access group. Access groups are assigned policies that grant roles and permissions to the members of that group. You assign access to the specific access management tags for the Block Storage for VPC service. For more information about access groups, see Setting up access groups.
Assign an access policy to a group.
Add users to the access group.

When you look at the specific resources for the VPC infrastructure and specify Block Storage for VPC as the resource type, you can see the access management tags for the Block Storage for VPC service.

Deleting a Block Storage for VPC volume and data eradication

When you delete a Block Storage for VPC volume, that data immediately becomes inaccessible. All pointers to the data on the physical disk are removed. If you later create a volume in the same or another account, a new set of pointers is assigned. The account can't access any data that was on the physical storage because those pointers are deleted. When new data is written to the disk, any inaccessible data from the deleted volume is overwritten.

IBM guarantees that data deleted cannot be accessed and that deleted data is eventually overwritten and eradicated. Further, when you delete a Block Storage for VPC volume, those blocks must be overwritten before that Block Storage for VPC is made available again, either to you or to another customer.

Further, when IBM decommissions a physical drive, the drive is destroyed before disposal. Decommissioned drives are unusable and any data on them is inaccessible.

Deleting a Block Storage for VPC data volume in the UI

Deleting a Block Storage for VPC volume completely removes its data. The volume cannot be restored.

You cannot delete an active Block Storage for VPC volume. To delete a volume, first detach it from the virtual server instance. If you took snapshots of the volume, all snapshots must be in a stable state.

To delete a volume, complete the following steps.

Go to the list of all Block Storage for VPC volumes. In the IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Storage > Block Storage volumes.
Locate the volume that you want to delete and then click the overflow icon (...) to open a list of options.
From the options menu, click Delete.
Confirm the deletion.

Automatically delete Block Storage for VPC data volumes

By using the Auto Delete feature, you can specify that a Block Storage for VPC data volume is automatically deleted when you delete an instance to which it is attached.

You don't need to set automatic deletion for boot volumes. Boot volumes are created during instance creation and automatic deletion is enabled by default. When you delete the instance, the boot volume is also deleted.

To enable Auto Delete for an existing Block Storage for VPC data volume that is attached to an instance, follow these steps:

Locate the virtual server instance to which the data volume is attached. In the IBM Cloud console, click the Navigation Menu icon > VPC Infrastructure > Compute > Virtual server instances.
Under Attached Block Storage for VPC volumes, select a volume.
On the next page, click Auto Delete to enable.
Confirm your selection.

Alternatively, select a data volume from the list of Block Storage for VPC(Storage > Block Storage volumes). On the volume details page, under Attached instances, click the Auto delete toggle to enable or disable automatic deletion.

You can also enable Auto Delete on a new data volume when you create an instance. For more information, see Create and attach a Block Storage for VPC volume when you create a new instance.

Deleting a Block Storage for VPC volume from the CLI

Use the volume-delete command and specify the volume ID to delete a Block Storage for VPC volume.

You cannot delete an active Block Storage for VPC volume. You must first detach it from the virtual server.

ibmcloud is volume-delete (VOLUME_NAME | VOLUME_ID) [-f, --force]

See the following example.

$ ibmcloud is volume-delete demovolume1
This will delete volume demovolume1 and cannot be undone. Continue [y/N] ?> y
Deleting volume demovolume1 under account Test Account as user test.user@ibm.com...
OK
Volume demovolume1 is deleted.

Deleting a Block Storage for VPC volume with the API

Make a DELETE /volumes/{id} call.

curl -X DELETE "$vpc_api_endpoint/v1/volumes/$volume_id?version=2022-04-22&generation=2" \
-H "Authorization: $iam_token"

To verify that the volume is deleted, list the volumes by making a GET /volumes call.

Sanitizing your data before you delete a volume

When you delete a Block Storage for VPC volume, IBM guarantees that your data is inaccessible on the physical disk and is eventually eradicated. If you have extra compliance requirements such as NIST 800-88 Guidelines for Media Sanitization, you must perform data sanitation procedures before you delete your volumes. For more information, see the NIST 800-88 Guidelines for Media Sanitation.

Sanitizing and deleting the volume means your data can't be restored.

Managing access to a Block Storage for VPC volume

With Administrator privileges, you can assign volume-level user access to the Block Storage for VPC service. The following table shows the information that you must provide in the Identity and Access Management (IAM) UI.

Table 1. Information for IAM
IAM field	Action
Services	Select Infrastructure Services.
Resource Type	Select Block Storage for VPC.
Volume ID	Enter the volume ID to assign access to a specific volume.
Select Roles	Assign platform access roles, typically, Operator.

For more information, see the best practices for assigning access. For the complete IAM process, which includes inviting users to your account and assigning Cloud IAM access, see the IAM getting started tutorial.

Next steps

You can create more volumes.

For issues with existing Block Storage for VPC volumes, you might be able to troubleshoot and fix the problems yourself. For more information, see troubleshooting Block Storage for VPC.