Welcome to issue #450 May 12th, 2025

News

AI Hypercomputer LLM Official Blog

From LLMs to image generation: Accelerate inference workloads with AI Hypercomputer - Google Cloud is enhancing its AI Hypercomputer with new inference capabilities, including the Ironwood TPU, vLLM support for TPUs, and GKE Inference Gateway and Quickstart. JetStream, Google's inference engine, now integrates Pathways for lower latency and supports multi-host inference, while MaxDiffusion delivers improved image generation performance on TPUs. MLPerf™ Inference v5.0 results highlight the powerful inference performance of A3 Ultra (NVIDIA H200) and A4 (NVIDIA HGX B200) VMs.

BigQuery Data Analytics Official Blog

New column-granularity indexing in BigQuery offers a leap in query performance - BigQuery introduces column-granularity indexing, enhancing query performance and cost efficiency by pinpointing relevant data within specific columns. This feature is beneficial when search tokens are selective in some columns but common across others, reducing processing and latency.

BigQuery Data Analytics Official Blog

Build, use and share data with data products in BigQuery - Data products in BigQuery is now available in experimental preview. This feature aims to solve the problem of siloed data and inconsistent governance by allowing data producers to bundle and distribute BigQuery tables or views as logical blocks with business context and guarantees. It simplifies the transaction between data producers and consumers, promoting data democratization, reducing redundancy, and accelerating access to insights.

BigQuery Data Analytics Earth Engine Official Blog Sustainability

Expanding BigQuery geospatial capabilities with Earth Engine raster analytics - Earth Engine in BigQuery unlocks raster analytics directly within BigQuery, enabling SQL users to analyze geospatial datasets derived from satellite imagery. By using the ST_RegionStats() function and accessing Earth Engine datasets in BigQuery Sharing, users can gain insights for climate risk assessment, sustainable sourcing, and emissions monitoring. This integration facilitates data-driven decision-making across various industries by combining raster and vector data analysis in one platform.

Official Blog Vertex AI

Announcing new Vertex AI Prediction Dedicated Endpoints - Google Cloud introduces Vertex AI Prediction Dedicated Endpoints, designed for AI applications including generative AI, offering features like native streaming inference, gRPC support, and customizable request timeouts. These endpoints provide optimized resource handling and enhanced networking via Private Service Connect for improved security and consistent performance.

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Official Blog Threat Intelligence

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs - COLDRIVER, a Russian government-backed threat group, is using new malware called LOSTKEYS to steal files from Western targets and NGOs. The malware is delivered through a multi-stage infection chain, starting with a fake CAPTCHA and leading to the deployment of LOSTKEYS, which exfiltrates specific files and system information. Google is taking steps to protect users and sharing findings with the security community.

Official Blog Threat Intelligence

Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines - The Google Cloud blog post discusses the financially-motivated threat actor UNC3944 (also known as Scattered Spider) and provides hardening guidance to defend against their tactics. UNC3944 uses social engineering and targets various sectors, and the article offers proactive recommendations focusing on identity, endpoints, applications, network infrastructure, and monitoring.

DevOps FinOps SRE

How We Cut Our GCP Bill by 30% - How We Turned Cost Optimization into a Team Superpower.

Infrastructure Network Connectivity Center Networking

From Star to Hybrid: Mastering New Network Patterns with Google’s Enhanced NCC - Google Cloud's Network Connectivity Center (NCC) has been updated with features that provide alternatives to classic hub and spoke architectures, including enhanced autonomy for GCP projects via managing firewalls and route tables. The new features support cross-project VPC spokes, export filters, transitive access to PSC endpoints and private NAT translations, enabling both full VPC spokes and hybrid network models for greater flexibility and control.

GCP Experience Google Kubernetes Engine Kubernetes

Key Learnings from Creating Multi-Tenant GKE Clusters on Google Cloud with Thousands of Publicly Addressable Services - For SaaS companies planning to publicly expose services inside a Kubernetes cluster for each customer, the article shares learnings from architecting large Google Kubernetes Engine (GKE) clusters with many services in a multi-tenant setup. It discusses overcoming challenges and limitations when exposing thousands of deployments via subdomains, particularly regarding the Global Application Load Balancer's URLMap limit, and offers alternative solutions.

gRPC Kubernetes

Deploying gRPC and REST Services Across Multi-Project Kubernetes Clusters on GCP - The article details deploying gRPC and REST services across multiple Google Cloud projects using Kubernetes clusters. It outlines a production-grade setup involving VPC peering, DNS configuration, and load balancing to enable secure public and private access. The guide emphasizes internal and external traffic optimization through proper networking and service discovery.

App Development, Serverless, Databases, DevOps

BigQuery

Observability in Action: A Google Cloud Next demo - An Observability in Action demo at Google Cloud Next 2025 showcased how to interact with metrics and logs using Cloud Monitoring, Cloud Trace, and BigQuery. Attendees used physical buttons to interact with AI models, generating data that was then analyzed using Jupyter Notebooks. The demo highlighted the importance of observability tools for identifying performance bottlenecks and gaining insights from log data.

Compute Engine Kubernetes

Speed, quality, cost — pick three with Google Axion - Loveholidays tech team leveraged Google's Axion ARM-based CPUs to improve performance, quality, and cost, defying the traditional "pick two" limitation. By migrating their Kubernetes-based applications to Axion, they achieved significant latency reductions, increased conversion rates, and faster data processing, leading to substantial business improvements.

Cloud Run Cloud Storage

How a simple custom org policy can accidentally crash your Cloud Run Functions — Part I - This article discusses the use of organizational policies in Google Cloud, particularly focusing on a custom policy designed to prevent the creation of Cloud Storage buckets without public access prevention enabled, and how this seemingly safe policy can have unexpected consequences.

Compute Engine

OS Login Issue on GCP: “This region is not supported by the OS Login Sign API at this time.”

DevOps Python Terraform

Automating Google Cloud Image Upgrades with a Custom Renovate Datasource - The article explains how to automate Google Cloud image upgrades using Renovate. It details creating a custom Renovate datasource using a Cloud Function to query image versions, along with a custom manager to locate GCP image definitions in code. The solution involves a naming convention, Terraform deployment, and service account configuration, enabling Renovate to identify and propose image upgrades.
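As an added example that is not the article's code, the sketch below covers both halves of the approach described above: the datasource side (turn a list of Compute Engine images into the JSON document Renovate's custom datasource expects) and the manager side (find the image references pinned in Terraform). It assumes the naming convention `<family>-v<YYYYMMDD>` for image names, a constructed image list standing in for the Compute Engine API response, and Renovate's documented custom-datasource fields (`releases`, `version`, `releaseTimestamp`, `isDeprecated`).

```python
"""Added example: a Renovate custom datasource for Compute Engine images.

Not the article's code. Assumptions: images follow the naming convention
<family>-v<YYYYMMDD> (e.g. "hardened-debian12-v20250501"), the image list
below is constructed sample data standing in for the Compute Engine API
response, and the Renovate field names follow the documented custom
datasource JSON format ("releases", "version", "releaseTimestamp",
"isDeprecated").
"""
import json
import re
from dataclasses import dataclass

IMAGE_NAME_RE = re.compile(r"^(?P<family>[a-z][a-z0-9-]*)-v(?P<version>\d{8})$")

# Matches the Terraform form image = "projects/<project>/global/images/<family>-v<YYYYMMDD>".
# The same pattern (escaped for JSON) is what a Renovate regex custom manager's
# matchStrings entry would carry, with depName and currentValue capture groups.
TF_IMAGE_REF_RE = re.compile(
    r'image\s*=\s*"projects/(?P<project>[^/"]+)/global/images/'
    r'(?P<family>[a-z][a-z0-9-]*)-v(?P<version>\d{8})"'
)


@dataclass(frozen=True)
class Image:
    name: str
    family: str              # the "family" field the Compute API returns
    creation_timestamp: str  # RFC 3339, as the Compute API returns it
    deprecated: bool = False


def parse_image_name(name):
    """Return (family, version) for a conventionally named image, else None."""
    m = IMAGE_NAME_RE.match(name)
    return (m.group("family"), m.group("version")) if m else None


def build_datasource(images, family):
    """Renovate custom-datasource document listing the releases of one image family.

    An image is only offered as a release when both its name and its API
    `family` field agree on the family, so a look-alike name published into
    another family cannot be proposed as an upgrade.
    """
    releases = []
    for img in images:
        parsed = parse_image_name(img.name)
        if parsed is None or parsed[0] != family or img.family != family:
            continue
        releases.append({
            "version": parsed[1],
            "releaseTimestamp": img.creation_timestamp,
            "isDeprecated": img.deprecated,
        })
    releases.sort(key=lambda r: r["version"])
    return {"releases": releases}


def find_image_refs(terraform_text):
    """(project, family, version) for each conventionally named image reference."""
    return [
        (m.group("project"), m.group("family"), m.group("version"))
        for m in TF_IMAGE_REF_RE.finditer(terraform_text)
    ]


def latest_version(datasource):
    """Newest non-deprecated version in a datasource document, or None."""
    live = [r["version"] for r in datasource["releases"] if not r["isDeprecated"]]
    return max(live) if live else None


# Constructed sample data (not a real project's images).
SAMPLE_IMAGES = [
    Image("hardened-debian12-v20250301", "hardened-debian12", "2025-03-01T09:00:00.000-07:00", deprecated=True),
    Image("hardened-debian12-v20250415", "hardened-debian12", "2025-04-15T09:00:00.000-07:00"),
    Image("hardened-debian12-v20250501", "hardened-debian12", "2025-05-01T09:00:00.000-07:00"),
    Image("hardened-debian12-v20250502", "other-family", "2025-05-02T09:00:00.000-07:00"),  # name/family mismatch
    Image("scratch-image-2025", "hardened-debian12", "2025-05-03T09:00:00.000-07:00"),       # not conventionally named
]

SAMPLE_TF = '''
resource "google_compute_instance" "worker" {
  boot_disk {
    initialize_params {
      image = "projects/example-images/global/images/hardened-debian12-v20250415"
    }
  }
}
'''

if __name__ == "__main__":
    doc = build_datasource(SAMPLE_IMAGES, "hardened-debian12")
    print(json.dumps(doc, indent=2))
    for project, family, version in find_image_refs(SAMPLE_TF):
        print(f"{family} in {project} pinned at {version}, latest is {latest_version(doc)}")
```

In a deployment, `build_datasource` would run behind the Cloud Function with the image list fetched from the Compute Engine API, and Renovate would be pointed at it through a `customDatasources` entry whose `defaultRegistryUrlTemplate` carries the family as a query parameter; the date-shaped version strings need a `versioning` that orders them numerically. Only the service account of the function needs `compute.images.list` on the image project; Renovate itself gets no Google Cloud credentials.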

App Hub

Tutorial Series : Application Hub in Google Cloud : Part 2 — Creating an Application - This article, the second in a series, focuses on creating applications within Google Cloud's Application Hub. It explains how to organize cloud resources by grouping services and workloads into functional applications.

App Hub

Tutorial Series : Application Hub in Google Cloud : Part 3 — Application monitoring - The article, part three of a series on Application Hub in Google Cloud, focuses on application monitoring. It explains how App Hub provides application-centric views of logs and dashboards, enabling users to quickly zoom into the performance of applications and their individual services.

Big Data, Analytics, ML&AI

BigQuery Paywall

A Detailed Guide to Key Generation in BigQuery - This blog post will guide you through strategizing surrogate key management in BigQuery.

BigQuery Billing

BigQuery dynamic reservation: the new query cost hack! - The BigQuery cost model and reservations were binary and static. A new feature makes them dynamic and opens new possibilities!

Cloud Composer Data Loss Prevention API

Implementing Data Loss Prevention (DLP) Encryption with Google Cloud Platform using Composer Dag - The article details how to implement data encryption using Google Cloud's KMS and DLP API. It covers setting up KMS, creating encryption keys, integrating with BigQuery, and automating the process with Cloud Composer DAGs. The process involves inspecting data, triggering encryption, and managing data transformations for enhanced security.
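As an added example that is not the article's code, the block below builds the request bodies a Composer task would hand to the DLP API for the flow described above: a de-identify configuration that encrypts findings deterministically under a KMS-wrapped data key, and the matching re-identify request. It assumes the article's transformation is DLP's `crypto_deterministic_config`; the KMS key name, wrapped key and project are placeholders, and the dict shapes follow the DLP v2 API (the `google-cloud-dlp` client accepts them as-is).

```python
"""Added example: DLP deterministic-encryption request bodies keyed by a
KMS-wrapped data key, as a Composer task would assemble them.

Not the article's code. Assumptions: the transformation is DLP's
crypto_deterministic_config (AES-SIV), the KMS key name and base64 wrapped
key are placeholders, and the request shapes follow the DLP v2 API
(deidentify_config, reidentify_config, inspect_config.custom_info_types
with surrogate_type). The google-cloud-dlp client accepts these dicts.
"""
import re

KMS_KEY_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")


def kms_crypto_key(kms_key_name, wrapped_key_b64):
    """CryptoKey message for a data key that was wrapped (encrypted) by a KMS key.
    DLP unwraps it at request time, so the DLP service agent, not the caller,
    must be allowed to decrypt with that KMS key."""
    if not KMS_KEY_RE.match(kms_key_name):
        raise ValueError(f"not a KMS CryptoKey resource name: {kms_key_name}")
    return {"kms_wrapped": {"wrapped_key": wrapped_key_b64, "crypto_key_name": kms_key_name}}


def surrogate_name(info_type):
    """One surrogate per info type so tokens can later be recognised and reversed."""
    return f"{info_type}_TOKEN"


def deidentify_config(info_types, crypto_key):
    """One deterministic-encryption transformation per info type."""
    return {"info_type_transformations": {"transformations": [
        {"info_types": [{"name": t}],
         "primitive_transformation": {"crypto_deterministic_config": {
             "crypto_key": crypto_key,
             "surrogate_info_type": {"name": surrogate_name(t)}}}}
        for t in info_types]}}


def reidentify_request(info_types, crypto_key):
    """reidentify_config plus the inspect_config that locates the surrogates.
    Without the custom surrogate info types DLP finds nothing to transform and
    hands the tokens back unchanged, so a pipeline should assert on the result."""
    return {
        "reidentify_config": {"info_type_transformations": {"transformations": [
            {"info_types": [{"name": surrogate_name(t)}],
             "primitive_transformation": {"crypto_deterministic_config": {
                 "crypto_key": crypto_key,
                 "surrogate_info_type": {"name": surrogate_name(t)}}}}
            for t in info_types]}},
        "inspect_config": {"custom_info_types": [
            {"info_type": {"name": surrogate_name(t)}, "surrogate_type": {}}
            for t in info_types]},
    }


def deidentify_request(parent, info_types, crypto_key, rows, headers):
    """Full DeidentifyContent request for a table of rows (e.g. read from BigQuery)."""
    return {
        "parent": parent,
        "deidentify_config": deidentify_config(info_types, crypto_key),
        "inspect_config": {"info_types": [{"name": t} for t in info_types]},
        "item": {"table": {
            "headers": [{"name": h} for h in headers],
            "rows": [{"values": [{"string_value": str(v)} for v in row]} for row in rows],
        }},
    }


# Constructed sample input (placeholders, not a real key, project or dataset).
SAMPLE_KEY = kms_crypto_key(
    "projects/example-project/locations/us/keyRings/dlp-ring/cryptoKeys/dlp-key",
    "CiQAbase64PlaceholderWrappedKey==")
SAMPLE_INFO_TYPES = ["EMAIL_ADDRESS", "PHONE_NUMBER"]
SAMPLE_ROWS = [["alice@example.com", "+1 555 0100"], ["bob@example.com", "+1 555 0101"]]

if __name__ == "__main__":
    import json
    req = deidentify_request("projects/example-project/locations/us",
                             SAMPLE_INFO_TYPES, SAMPLE_KEY, SAMPLE_ROWS, ["email", "phone"])
    print(json.dumps(req, indent=2))
    print(json.dumps(reidentify_request(SAMPLE_INFO_TYPES, SAMPLE_KEY), indent=2))
```

The wrapped key is what the DAG stores and passes around; the KMS key itself never leaves KMS, so rotating the KMS key only requires re-wrapping the data key, while replacing the data key changes every token and breaks re-identification of previously stored data.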

Dataplex

GCP Data Governance with Dataplex Aspects - A Taste of Experimentation with REST APIs - Supercharging data governance with Dataplex Aspects.

Airflow BigQuery Docker

Fix: “Compute Engine Metadata server unavailable” in Airflow Docker for GCP Authentication - Running Airflow in Docker locally? Trying to reach BigQuery and getting errors? You’re not alone. Here’s how to solve it.

Data Analytics Looker Official Blog

How Looker’s semantic layer enables trusted AI for business intelligence - Looker's semantic layer ensures accurate data insights in the AI era by providing a single source of truth for business metrics. It reduces errors in AI-generated queries, enhances data quality, and enables trustworthy AI for business intelligence by grounding AI responses in governed, consistently defined data. By using LookML, organizations can improve accuracy, reduce guesswork, and gain intelligent, conversational insights from their data.

BigQuery BigQueryML

Supercharge Your Data Quality: Anomaly Detection with BigQueryML - BigQuery ML offers a scalable solution for proactive data quality monitoring using the ML.DETECT_ANOMALIES function. By training machine learning models on historical data, users can identify outliers and anomalies in row counts or metric fluctuations. This approach enables early detection of data quality issues, improving trust and reliability in data assets.

AI BigQuery Gemini

Unleash Row-Level AI in BigQuery: Scalar LLM Functions for Smarter SQL - Bring LLM intelligence to each row: Using BigQuery’s scalar AI functions in everyday SQL tasks.

Gemini Generative AI Official Blog

Guide to build MCP servers using vibe coding with Gemini 2.5 Pro - The article discusses how developers can use "vibe coding" with Gemini 2.5 Pro to generate code for Model Context Protocol (MCP) servers from natural language prompts, simplifying the integration of AI models with data sources.

Gemini Official Blog Vertex AI

Build live voice-driven agentic applications with Vertex AI Gemini Live API - The article introduces the Gemini 2.0 Flash Live API on Google Cloud Vertex AI, which enables developers to build live, voice-driven, agentic applications leveraging multimodal data (audio, visual, and text). It highlights a condition monitoring use case for industrial motor maintenance, demonstrating real-time visual and audio defect identification and streamlined repair initiation.

Machine Learning Vertex AI

A Developer's Guide to Google's Multimodal Live API - Low-latency, bidirectional, real-time interactions for your agents and applications.

Machine Learning Vertex AI

Real Time Audio to Audio Streaming with Google's Multimodal Live API - Bidirectional low-latency voice-to-voice communication.

Slides, Videos, Audio

Security Podcast - #223 AI Addressable, Not AI Solvable: Reflections from RSA 2025.


Releases

AlloyDB - AlloyDB supports IAM authentication in AlloyDB Studio. You can migrate from Cloud SQL for PostgreSQL to AlloyDB for PostgreSQL using your Cloud SQL for PostgreSQL backup (GA). AlloyDB lets you configure a deny maintenance period on clusters running the latest version. You can now build a vector embedding Extract, Transform, Load (ETL) pipeline that lets you generate and ingest embeddings from files or real time sources to AlloyDB using Google Cloud Dataflow.

Anthos clusters on VMware - Google Distributed Cloud (software only) for VMware 1.32.0-gke.1087 is now available for download. GA: Advanced clusters. Version changes in 1.32.0-gke.1087: etcd upgraded to 3.4.33, COS upgraded to milestone 117, containerd upgraded to 1.7, Cilium upgraded to 1.15.6. Other changes in 1.32.0-gke.1087: the following legacy features are blocked during cluster upgrade: Dataplane V1 (Calico), integrated F5 BIG-IP load balancer configuration, non-HA admin cluster, kubeception user cluster, Seesaw load balancer. You must migrate your clusters to recommended features before upgrading to 1.32. Windows Server OS node pools are deprecated in version 1.32 and will be unavailable in version 1.33 and higher. The following issues were fixed in 1.32.0-gke.1087: fixed an issue that prevented user cluster upgrades when Dataplane V2 was explicitly configured with forward mode. The 1.32.0-gke.1087 release includes many vulnerability fixes.

Apigee UI - On May 6, 2025, we released a new Apigee REST resource for debug sessions. Apigee now offers a Management API that allows users to list all recent debug sessions for a given proxy, regardless of revision or environment and current deployment status.

AppEngine Standard PHP Second Generation - Support for PHP 8.4 runtime is in Preview.

AppEngine Standard Python3 - Support for Python 3.13 runtime is in General Availability (GA).

AppEngine Standard Ruby - Support for Ruby 3.4 runtime is in Preview.

Cloud Asset Inventory - The following resource types are now publicly available through the Search (SearchAllResources, SearchAllIamPolicies) APIs.

Assured Workloads for Government - v1. The following products are now supported by the following control packages: Cloud Build, Cloud SQL for PostgreSQL, Cloud Workstations, Document AI, Firebase Security Rules, Cloud OS Login API, Storage Transfer Service.

BigQuery - In the Google Cloud console, Analytics Hub has been renamed BigQuery sharing (Analytics Hub). Changes that you make to your saved queries are now automatically saved.

Bigtable - You can use Data Boost when you analyze your Bigtable data with BigQuery.

CDN - Invalidation using cache tags is Generally Available.

Chronicle - Google SecOps supports self-service creation of custom log types. Google SecOps now displays artifact first and last seen timestamps with hourly granularity. We are moving service health updates for Google Cloud Security products from the Cloud Status Dashboard to a new security-specific status dashboard. New light theme: Google SecOps has introduced a new light theme option in the platform.

Chronicle Security Operations - Google SecOps supports self-service creation of custom log types. We are moving service health updates for Google Cloud Security products from the Cloud Status Dashboard to a new security-specific status dashboard. New light theme: Google SecOps has introduced a new light theme option in the platform.

Chronicle SOAR - Release 6.3.45 is being rolled out to the first phase of regions as listed here. Release 6.3.44 is now available for all regions.

Cloud Composer - A new Cloud Composer release has started on May 07, 2025. Data lineage in Cloud Composer now uses OpenLineage in all regions supported by Cloud Composer. For newly created Cloud Composer 3 environments, the minimum amount of memory is changed to 2 GB. For newly created environments, the database retention policy is now enabled by default in Google Cloud CLI, API, and Terraform. Improved the environment liveness monitoring. (Airflow 2.10.5) The apache-airflow-providers-google package was upgraded to version 15.1.0 in Cloud Composer 2 images and Cloud Composer 3 builds. (Airflow 2.10.5) Changes in preinstalled packages: apache-airflow-providers-standard was upgraded to 1.0.0 from 0.4.0. The default version of Airflow is changed to 2.10.5. Airflow 2.10.2 is no longer included in Cloud Composer images and builds. New Airflow builds are available in Cloud Composer 3: composer-3-airflow-2.10.5-build.2 (default) and composer-3-airflow-2.9.3-build.22. New images are available in Cloud Composer 2: composer-2.13.0-airflow-2.10.5 (default) and composer-2.13.0-airflow-2.10.2. Cloud Composer versions 2.7.0 and 2.7.1 have reached their end of support period. The Deployment Manager API is no longer automatically enabled when you enable the Cloud Composer API, because this API isn't used by the Cloud Composer service. It is now possible to migrate from Cloud Composer 1 to Cloud Composer 3 using snapshots.

Database Migration Service - You can now use additional concurrency settings for heterogeneous SQL Server migration jobs with Database Migration Service.

Dataplex - Custom connectors for managed connectivity pipelines are available for a variety of third-party data sources. You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataplex and data lineage resources.

Dataproc Serverless - New Dataproc Serverless for Spark runtime versions: 1.1.102, 1.2.46, 2.2.46. Dataproc on Compute Engine: the default enabling (setting to true) of the following cluster properties for diagnosing Dataproc clusters, previously announced for May 10, 2025 in the February 10, 2025 release note, will occur on a date to be announced in a future release note at least one month prior to the date they are enabled (set to true by default): dataproc:diagnostic.capture.enabled, dataproc:dataproc.logging.extended.enabled, dataproc:dataproc.logging.syslog.enabled. You can continue to use these diagnostic features by setting the properties listed above to true during cluster creation.

Dataproc - New Dataproc on Compute Engine subminor image versions: 2.0.140-debian10, 2.0.140-rocky8, 2.0.140-ubuntu18; 2.1.88-debian11, 2.1.88-rocky8, 2.1.88-ubuntu20, 2.1.88-ubuntu20-arm; 2.2.56-debian12, 2.2.56-rocky9, 2.2.56-ubuntu22. Dataproc on Compute Engine: the default enabling (setting to true) of the following cluster properties for diagnosing Dataproc clusters, previously announced for May 10, 2025 in the February 10, 2025 release note, will occur on a date to be announced in a future release note at least one month prior to the date they are enabled (set to true by default): dataproc:diagnostic.capture.enabled, dataproc:dataproc.logging.extended.enabled, dataproc:dataproc.logging.syslog.enabled. You can continue to use these diagnostic features by setting the properties listed above to true during cluster creation.

Datastream - You can now use Private Service Connect interfaces as a private connectivity method in Datastream.

Document AI - Custom extractor model pretrained-foundation-model-v1.5-2025-04-25 powered by Gemini 2.5 Flash LLM is available as Public Preview in US regions.

Cloud Functions - Support for the Python 3.13 runtime is in General Availability (GA). Support for the Ruby 3.4 runtime is in Preview. Support for the PHP 8.4 runtime is in Preview.

IAM - Workload Identity Federation support for X.509 certificates is generally available. A new enforcement version, enforcement version 3, is available for principal access boundary policies.

Integration Connectors - The following connectors are now generally available (GA): Bigtable, Marketo, SAP Hybris C4C. The following connectors are also now generally available (GA): LinkedIn, Okta, Oracle Sales Cloud. To view the list of all the GA connectors, see Connectors in GA. The ZATCA connector is now available in Google Cloud Marketplace.

Google Kubernetes Engine - (2025-R18) Version updates: GKE cluster versions have been updated. Kubernetes 1.33 is now available in the Rapid channel. New features in 1.33: new v1beta2 versions of the Kubernetes Dynamic Resource Allocation (DRA) APIs will be available (because this is a beta API, using it in GKE clusters requires opt-in). Deprecated in 1.33: the gitRepo volume driver is deprecated and disabled for security reasons. Other changes in 1.33: containerd 2.0 is supported. In GKE version 1.32 and later, GKE Sandbox (gVisor) can now be configured with SYS_ADMIN privileges in GKE Autopilot. ClusterProfile sync is now available to generate a cluster inventory for an existing fleet.

GKE new features - In GKE version 1.32 and later, GKE Sandbox (gVisor) can now be configured with SYS_ADMIN privileges in GKE Autopilot. ClusterProfile sync is now available to generate a cluster inventory for an existing fleet.

Cloud Logging - Log Analytics can now automatically infer fields of a column when the data type is JSON.

Looker - Looker (Google Cloud core) and Looker (original) changes. If the Force mobile authentication setting is enabled, mobile users will be logged out after 60 minutes, rather than 30 minutes, of inactivity. The following features have been added to Studio in Looker, which is available in preview: you can now create reports using the responsive layout.

Cloud Monitoring - Version 2.56.0 of the Ops Agent using the Prometheus receiver can fail to send metrics and report negative start times. When you create a snooze for a single alerting policy, you can now use resource, metric, and metadata label types to filter applicable incidents.

Cloud NAT - Private NAT supports Cloud Run in Preview.

Network Connectivity Center - You can use custom constraints to define your own restrictions on Google Cloud services for Network Connectivity Center resources.

Resource Manager - You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Dataplex and data lineage resources.

Cloud Run - Direct VPC egress supports Private NAT (Preview). Support for the Python 3.13 runtime is in General Availability (GA). Support for the Ruby 3.4 runtime is in Preview. Support for the PHP 8.4 runtime is in Preview.

Security Command Center - A Security Risk Overview dashboard for Compute Engine is available in the Google Cloud console. The following Security Command Center Enterprise pages that you previously accessed through the Google Security Operations console are now under Security Command Center in the Google Cloud console: Risk Overview, Issues, Assets (previously called Resources), Findings. The Security Command Center Enterprise left navigation also includes links to pages in the Google Security Operations console. Web Security Scanner, a built-in service of Security Command Center, released new detectors.

Service Mesh - Managed Cloud Service Mesh. The following images are now rolling out for managed Cloud Service Mesh: 1.21.5-asm.42 is rolling out to the rapid release channel. A behavioral change regarding user-provided credentials (private key and certificate) for TLS termination at ingress is now rolling out to the Rapid release channel.

Cloud SQL MySQL - If you create an instance using the Google Cloud Console, then the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA) option is now the default server certificate authority (CA) mode for your Cloud SQL instance.

Cloud SQL Postgres - If you create an instance using the Google Cloud Console, then the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA) option is now the default server certificate authority (CA) mode for your Cloud SQL instance. You can migrate to AlloyDB for PostgreSQL using your Cloud SQL for PostgreSQL backup (GA).

Cloud SQL SQL Server - If you create an instance using the Google Cloud Console, then the per-instance CA (GOOGLE_MANAGED_INTERNAL_CA) option is now the default server certificate authority (CA) mode for your Cloud SQL instance. Cloud SQL for Enterprise Plus edition supports AI-assisted troubleshooting.

Cloud Text-to-Speech - We just released three new voice features for Chirp 3: HD Voices.

VMware Engine - VMware Engine ve2 nodes are available in Montreal, Canada (northamerica-northeast1).

Virtual Private Cloud - The following features of internal ranges are available in General Availability: reserving internal ranges with IPv6 addresses, creating immutable ranges (ranges that can't be edited, except for the description), and editable descriptions. For more information, see Internal ranges overview. When you reserve an internal range with an automatically allocated IPv4 CIDR block, you can specify the allocation strategy that is used to select a free block.


Contact

Zdenko Hrček
Třebanická 183
Prague, Czech Republic
Phone: +420 777 283 075
Email: [email protected]