Welcome to issue #365 September 25th, 2023


Infrastructure Official Blog

Expanding our infrastructure around the world - We issued an update on the status of Google Cloud regions in Sweden, Saudi Arabia, New Zealand, Norway, Mexico, and Greece.

Networking Official Blog

Announcing 200 GB free Standard Tier internet data transfer per month - Starting October 1st, 2023, customers of Google Cloud Networking Standard Tier are eligible for 200 GB of free internet data transfer every month.

Cloud Load Balancing Networking Official Blog

Cloud Load Balancing enhancements improve security and distributed application support - Cloud Load Balancing now supports mTLS, Service Extensions callouts, cross-region internal load balancing, and cross-project service referencing.

Cloud Monitoring Compute Engine GPU Official Blog

Monitor your NVIDIA GPUs on Compute Engine with Ops Agent - Ops Agent now collects metrics from NVIDIA GPUs on Compute Engine VMs.

Dataplex Official Blog

Deliver trusted insights with Dataplex data profiling and automatic data quality

BigQuery Blockchain Official Blog Public Datasets

Enhancing Google Cloud’s blockchain data offering with 11 new chains in BigQuery

Chronicle Official Blog

Introducing the unified Chronicle Security Operations platform - Chronicle’s latest update unifies our SOAR and SIEM solutions, integrates Mandiant’s attack surface management technology, and offers more robust application of threat intelligence.

Compute Engine Confidential Computing Official Blog Security

Confidential VMs on Intel CPUs: Your new intelligent defense - Through our partnership with Intel, Google Cloud is extending our Confidential VMs on new C3 machines to use 4th Gen Intel Xeon Scalable CPUs and Intel TDX technology.

Assured workloads Official Blog Public Sector SAP

SAP NS2 achieves ITAR compliance for SAP Ariba with Google Cloud

Event Official Blog

A CSP decision maker’s guide to DTW23 - Ignite - The latest in generative AI, cloud-native software, and cloud infrastructure from Google Cloud at TM Forum’s DTW23 – Ignite.

Cloud Data Fusion Data Analytics GitHub Official Blog

Use a GitHub repository to manage pipelines across Data Fusion instances/namespaces - Push deployed pipelines from namespace to repository, or pull and deploy pipelines from repository to namespace.

Google Maps Platform Official Blog

The Aerial View API is now generally available - Aerial View gives you programmatic access to cinematic videos built with the same 3D map source used by Google Earth–and it’s now generally available. By accessing pre-rendered videos or creating new ones, developers can quickly create immersive experiences at scale for any U.S. location.


Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

GCP Experience Google Kubernetes Engine Official Blog

Providing scalable, reliable video distribution with Google Kubernetes Engine at AbemaTV - ABEMA ensured they could provide a stable video distribution during one of the largest global sporting events with load management on Google Cloud.

Networking Official Blog

Managed service egress with Private Service Connect interfaces - New PSC interfaces allow a service producer to access a consumer’s network, while maintaining the separation of producer and consumer roles.

Billing FinOps

GCP Billing & Cost Management - A summary of GCP billing & cost management, related tools and some strategies.

Cloud Logging Dataform Official Blog Security

Go from logs to security insights faster with Dataform and Community Security Analytics

DevOps Official Blog SRE Terraform Workforce Identity Federation

Manage infrastructure with Workload Identity Federation and Terraform Cloud - Terraform Cloud workspaces integrate with Workload Identity Federation to authenticate and then impersonate Google Cloud service accounts.

Kubernetes Networking

GKE & IPv6 - This article describes creating an IPv6 GKE cluster with private nodes, and some interesting aspects of running IPv6 workloads in GKE.

Cloud NAT Networking

Overcoming Overlapping Subnet Challenges with Inter-VPC NAT in GCP - This article discusses how to configure Inter-VPC NAT to privately access services running in different VPC networks that contain overlapping and non-overlapping IP ranges.

Cloud Security Command Center Security

Implementing custom asset intelligence on GCP with Security Command Center Premium - In this post, we discuss asset queries, which are a custom search tool for cloud assets included with Google Cloud Platform’s Security Command Center Premium.

Workload Identity Federation

Workload Identity Federation - A brief description of Workload Identity Federation and how to set it up.

DevOps IAM Terraform

Grant IAM permissions to Google Cloud Service Account manually and using Terraform - How to manage IAM policies to grant access to user-managed Google Cloud Service Account.

Cloud Load Balancing

Switching from an NGINX Ingress Regional Load Balancer to a Global HTTPS Load Balancer on GCP - Implementation of a Global HTTPS Load Balancer as an alternative to a Regional HTTPS Load Balancer. This modification is essential for using Cloud Armor within your Cloud Project.

App Development, Serverless, Databases, DevOps

GCP Experience Official Blog Partners SAP

DIFF Treasury Solutions powered by Google Cloud Cortex Framework - DIFF Consulting’s Treasury Solutions on Google Cloud Cortex Framework can provide better treasury reporting and implement bank data controls.

Cloud Run Cloud SQL Google Kubernetes Engine

Backstage on GKE, Cloud Run, and Cloud SQL - What is Backstage and why do you need an IDP (Internal Developer Platform)?

Cloud SQL DevOps SRE Terraform

How to connect to GCP Private Cloud SQL instance in your local machine using a Bastion and Terraform. - A Terraform snippet to create a bastion VM to access Cloud SQL instance that has a private IP.

Apigee GCP Experience Official Blog

Conrad Electronics: Simplifying and accelerating development with Apigee and GKE - Learn how an electronics retailer centralized API management and improved response time and security with Apigee.

AlloyDB Official Blog

AlloyDB for PostgreSQL under the hood: adaptive autovacuum - Adaptive autovacuum feature that is available with AlloyDB.

API Application Integration

Application Integration, the new Google Cloud product! All you need to know to start using it - An overview of Application Integration.

Artifact Registry DevOps GitHub

Building and Pushing to Artifact Registry with Github Actions - This article illustrates how to create a Github Actions workflow that builds a Docker image and pushes that image to Google Cloud Artifact Registry.


Application Logging in ABAP SDK for Google Cloud - This blog post elaborates on how “Application Logging” is enabled in ABAP SDK for Google Cloud and the opportunities that SAP developers have to adjust and utilise it as per their use case demands.

Confidential Computing

Start your Ubuntu Confidential VM with Intel® TDX on Google Cloud

Big Data, Analytics, ML&AI

BigQuery Data Analytics Official Blog Partners

How 'Anything is Possible' automated data pipelines with BigQuery and Windsor.ai

AI Looker Machine Learning Official Blog

Bring AI to Looker with the Machine Learning Accelerator

Data Analytics Official Blog Partners

Built with BigQuery: Bloomreach Engagement brings power to marketers with advanced personalization - Bloomreach Engagement, an omnichannel marketing automation product, now integrates with BigQuery, providing hyper-personalized customer experiences.


Data Cleaning 101 in SQL — #4.2 A Practical Tutorial for Data Deduplication - SQL techniques for Data Cleaning in BigQuery.

BigQuery IAM Resources Manager Terraform

Implementing Tag-Based Access Control in BigQuery - Using Resource Manager tags to implement granular access control in BigQuery.

BigQuery Cloud Dataflow

Protobuf to BigQuery with Apache Beam - Some days ago Apache released Beam 2.50, which was announced to come with support for writing protocol buffer objects into BigQuery tables, thanks to the writeProtos method.

AI BigQuery Duet AI

Your AI Companion in the Google Cloud - Duet AI boosts your BigQuery SQL queries.

Generative AI

Google Cloud Jump Start Solution Deep Dive: Summarize Large Documents — Part 2 - Part 2 of the Deep Dive into the Gen AI Jump Start Solution on Summarizing Large documents.

Generative AI

Google Cloud Jump Start Solution Deep Dive: Summarize Large Documents — Part 3 - Part 3 of the Deep Dive into the Gen AI Jump Start Solution on Summarizing Large documents.


Official Blog Public Sector Workspace

Submerge into a Google Workspace Immersion with the Navy - Examples of how the Navy is using products in Google Workspace.

Business Official Blog

Meet the inaugural cohort of the Google for Startups Accelerator: AI First in Europe - The first Google for Startups Accelerator: AI First cohort gains access to Google AI experts, plus deep dives on product design and business growth.

Slides, Videos, Audio

Kubernetes Podcast - #208 History of containerd, with Phil Estes.

Security Podcast - #139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations.



Memorystore for Memcached - Added new Memorystore for Memcached region: Dammam (me-central2). The Version Upgrade feature is now Generally Available on Memorystore for Memcached.

Cloud Memorystore - Added new Memorystore for Redis region: Dammam (me-central2).

StratoZone - Added virtual machine assessment data export feature. Added support for mcdc CLI data synchronization with Migration Center. Updated Google Cloud pricing. Updated the cloud service mappings from Azure to Google Cloud. Removed legacy secondary MFA requirement for user accounts. Added self-service option to add Migration Center users to StratoZone. StratoProbe - updated .NET Desktop Runtime to 6.0.22. StratoProbe - updated PostgreSQL to version 12.16. StratoProbe - fixed an issue related to integer overflow in SQL Server data collection. Fixed a minor UI issue on Assessment Summary and Proposal report pop-up. Fixed a UI issue related to out-of-scope assets export pop-up. Fixed an issue with incorrect Extreme/Hyperdisk drive type recommendation for certain packages. Fixed a display issue on Assessment Summary and Proposal report where some excluded machine families were duplicated on the Assumptions slide.

Network Connectivity Center - The issue that you cannot get the status of a long-running operation for a spoke without the networkconnectivity.operations.get IAM permission in the spoke project is now resolved.

Cloud VPN - Cloud VPN is now available in region me-central2 (Dammam, Saudi Arabia).

Cloud PubSub - Pub/Sub is now available in Dammam, Saudi Arabia (me-central2). Messages written to a dead letter topic configured for a BigQuery subscription contain an attribute with the reason the message could not be written to BigQuery. The backlog metrics of subscriptions with filtering enabled only include messages that match the filter.

Resource Manager - Tag key and value short names can now have a maximum length of 256 characters.

Cloud Run - Cloud Run integrations (Preview) are now available in the following regions: asia-northeast1, asia-northeast2, asia-south1, asia-southeast2, australia-southeast1, europe-central2, europe-north1, europe-west2, europe-west3, northamerica-northeast1, southamerica-east1, us-east4, us-west2, us-west3. The following new region is now available: me-central2. Cloud Run Operators are available in Cloud Composer.

Secret Manager - Secret Manager is now available in the following region: me-central2. For more information, see Secret Manager locations.

Security Command Center - Vulnerabilities per resource type graphic released to General Availability. The Security Command Center Overview page in the Cloud console now shows a Vulnerabilities per resource type graphic, which replaces the Active vulnerabilities over time by severity graphic.

SAP Solutions - Google Cloud's Agent for SAP version 2.6: Version 2.6 of Google Cloud's Agent for SAP is generally available (GA).

Cloud Spanner - You can create Cloud Spanner regional instances in Dammam, Saudi Arabia (me-central2).

Cloud SQL MySQL - Support for me-central2 (Dammam) region.

Cloud SQL Postgres - The oracle_fdw extension, version 1.2 is now available. Support for me-central2 (Dammam) region.

Cloud SQL SQL Server - Support for me-central2 (Dammam) region.

Cloud Storage - The gcloud CLI now supports setting a user-defined prefix for naming temporary components of a parallel composite upload. Cloud Storage is now available in Dammam, Saudi Arabia (me-central2 region).

Vertex AI - Debian 10 and Python 3.7 images have reached their end of patch and support life for Vertex AI Workbench managed notebooks and user-managed notebooks.

Virtual Private Cloud - For auto mode VPC networks, added a new subnet for the Dammam me-central2 region.

Workflows - Workflows is available in the following additional region: me-central2 (Dammam, Saudi Arabia).

Access Approval - v1. Access Approval supports Cloud Monitoring in the Preview stage.

AlloyDB - AlloyDB now offers basic instances, which are primary instances containing only one node, in one zone. Database server compatibility with PostgreSQL version 15 is now available in Preview.

Anthos Config Management - 1.16.1. Supported configuring the period that Config Sync waits before re-pulling the latest chart with the field spec.helm.period in RootSync or RepoSync. Fixed an issue related to metric labels commit and type that could cause an increase in Google Cloud Monitoring metric write throughput. Fixed a repeating error in the otel-collector deployment log that has been occurring since Anthos Config Management version 1.15.0. The constraint template library's K8sRestrictRbacSubjects template now returns all violation messages for ClusterRoleBinding or RoleBinding with more than one violation.

Anthos clusters on bare metal - 1.16. Release 1.16.1: Anthos clusters on bare metal 1.16.1 is now available for download. Supported node pool versions: If you use selective worker node pool upgrades to upgrade a cluster to version 1.16.1, the following versions are supported for the worker node pools: 1.16.1, 1.16.0, 1.15.4, 1.15.3, 1.15.2, 1.15.1, 1.15.0. Functionality changes: Added the optional userClaim field to the ClientConfig custom resource definition bundled with Anthos clusters on bare metal. Fixes: Fixed an issue where etcd blocked upgrades due to an incorrect initial-cluster-state. Fixes: The following container image security vulnerabilities have been fixed in 1.16.1. Critical container vulnerabilities: CVE-2022-1996. High-severity container vulnerabilities: CVE-2017-11468, CVE-2019-13509, CVE-2020-16845, CVE-2020-28362, CVE-2020-28366, CVE-2020-28367, CVE-2021-20206, CVE-2023-27561, CVE-2023-29002. Medium-severity container vulnerabilities: CVE-2015-3627, CVE-2019-19794, CVE-2020-8569, CVE-2020-14039, CVE-2020-15586, CVE-2020-24553, CVE-2020-29510, CVE-2021-20329, CVE-2023-27593, CVE-2023-27594, CVE-2023-27595, CVE-2023-30851. Known issues: For information about the latest known issues, see Anthos clusters on bare metal known issues in the Troubleshooting section.

Apigee X - On September 19, 2023, we released an updated version of Apigee X (1-11-0-apigee-5). Bug ID 296296456: Implemented fix to ensure that continueOnError is honored in the SpikeArrest policy. Bug IDs 296506425, 295936113, 295925991, 295688738, 296110120, 281112632: Security fix for apigee-runtime.

Artifact Registry - Artifact Registry is now available in the me-central2 region (Dammam, Saudi Arabia).

Cloud Asset Inventory - The following resource types are now publicly available through the analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning).

Assured Workloads for Government - The CJIS compliance program now supports the following products.

Batch - Documentation has been updated to reflect new default options for jobs that use GPUs: Defining the machine type of the job's VMs is optional.

BigQuery - The maximum number of rows for results returned in Connected Sheets has increased as follows: Pivot tables increased from 30,000 to 50,000 rows; Data extracts increased from 25,000 to 50,000 rows. The BigQuery Data Transfer Service now supports transfers from Search Ads 360 using the new Search Ads 360 reporting API.

BigTable - Cloud Bigtable is available in the me-central2 (Dammam) region.

Chronicle - The following supported default parsers have changed. Chronicle feed management contains the following changes for the Google Cloud Storage source type: To create a new Google Cloud Storage feed, you must use the new service account. Chronicle recently disclosed a security vulnerability.

Key Access Justifications - Access Approval supports Cloud Monitoring in the Preview stage.

Cloud Composer - Cloud Composer 2.4.3 release started on September 18, 2023. The apache-airflow-providers-google package is upgraded to version 10.7.0 in images with Airflow 2.5.3 and 2.4.3. Cloud Composer 2.4.3 images are available: composer-2.4.3-airflow-2.5.3 (default), composer-2.4.3-airflow-2.4.3. Cloud Composer versions 2.0.26 and 1.19.9 have reached their end of full support period.

Compute Engine - Preview: Compute Engine API now enforces the Filtered list cost overhead quota, which limits the number of resources to be filtered out from server-side *.list and *.aggregatedList methods. Preview: You can now view the organization-wide patch status dashboard and OS policy compliance reports by using VM Manager. The Google Cloud console labels for OS patch management and OS configuration management on VM Manager pages have been renamed to Patch and OS policies respectively. Generally available: Instance templates are available as both regional and global resources. Generally available: Autohealing in managed instance groups (MIG) supports regional health checks. Generally available: Dammam, Kingdom of Saudi Arabia, Middle East me-central2-a,b,c has launched with E2, N2, N2D, and T2D VMs in all three zones. Preview: Snapshot settings are centralized configuration parameters for all snapshots in a project.

Data Catalog - Data Catalog is available in the me-central2 (Dammam) region.

Database Migration Service - Database Migration Service now supports customer-managed encryption keys (CMEK) that are externally managed with Cloud External Key Manager.

Dataflow - Dataflow is now available in Dammam, Saudi Arabia (me-central2).

Dataproc Serverless - New Dataproc on Compute Engine subminor image versions: 2.0.77-debian10, 2.0.77-rocky8, 2.0.77-ubuntu18, 2.1.25-debian11, 2.1.25-rocky8, 2.1.25-ubuntu20, 2.1.25-ubuntu20-arm. New Dataproc Serverless for Spark runtime versions: 1.1.32, 2.0.40, 2.1.19. In the latest Dataproc on Compute Engine 2.0 and 2.1 image versions, unset the CLOUDSDK_PYTHON variable to allow the gcloud command-line tool to use its bundled Python interpreter. Fixed Scala compilation errors bug where Jupyter notebooks were not visible with the Toree kernel in Dataproc on Compute Engine 2.1 images. Dataproc is now available in the me-central2 region (Dammam, Saudi Arabia).

Dataproc - New Dataproc on Compute Engine subminor image versions: 2.0.77-debian10, 2.0.77-rocky8, 2.0.77-ubuntu18, 2.1.25-debian11, 2.1.25-rocky8, 2.1.25-ubuntu20, 2.1.25-ubuntu20-arm. New Dataproc Serverless for Spark runtime versions: 1.1.32, 2.0.40, 2.1.19. In the latest Dataproc on Compute Engine 2.0 and 2.1 image versions, unset the CLOUDSDK_PYTHON variable to allow the gcloud command-line tool to use its bundled Python interpreter. Fixed Scala compilation errors bug where Jupyter notebooks were not visible with the Toree kernel in Dataproc on Compute Engine 2.1 images. Dataproc is now available in the me-central2 region (Dammam, Saudi Arabia).

Cloud Deploy - Cloud Deploy now supports workforce identity federation.

Dialogflow - Dialogflow CX intent import/export and training phrase import/export are now generally available.

Cloud Data Loss Prevention - Sensitive Data Protection is available in me-central2 (Dammam).

Document AI - Launched Document AI Enterprise Document OCR v2.0 and OCR add ons in Preview.

Identity Platform - Time-based one-time password (TOTP) as an additional multi-factor authentication option is generally available (GA).

Google Kubernetes Engine - Note: This is a correction of the November 07, 2022 release note, which omitted the applicable version numbers for this feature. The Observability dashboards on the GKE Clusters List, Cluster Details, and Workload List pages are now customizable. The me-central2 region in Dammam, Saudi Arabia is now available. GKE clusters running version 1.28 or later block new bindings of ClusterRole cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated due to the security risks of these bindings. GKE has temporarily paused all automatic node upgrades due to an issue with blue-green upgrades rollback functionality.

Cloud Logging - You can now save charts generated from a Log Analytics SQL query to a custom dashboard. You can now customize the Logs Dashboard page by using custom dashboards. You can now use the Log fields pane of the Logs Explorer to filter your Kubernetes Container logs by their service name.


Zdenko Hrček
Třebanická 183
Prague, Czech Republic
Phone: +420 777 283 075