News
Data Analytics Looker MCP Official Blog | Looker debuts MCP Server to broaden AI developer access to data - Looker Model Context Protocol (MCP) Server integrates with MCP Toolbox for Databases to help AI apps such as chatbots to connect to trusted data.
Backup and DR Service Cloud SQL Databases Official Blog | Immutable, Air-Gapped, and Integrated: Data Protection for your Cloud SQL instances just got better - By integrating Google Cloud Backup and DR Service into Cloud SQL, Enhanced Backups for Cloud SQL provides business continuity for database workloads.
Agents Data Analytics Databases Generative AI Official Blog | Redefining enterprise data with agents and AI-native foundations - Google’s Data Cloud has new data agents, a suite of agent APIs, tools, and protocols, and tech to unify data and embed AI-driven reasoning.
AI BigQuery Colab Data Analytics Official Blog | Announcing AI-first Colab notebook experience for Google Cloud - Introducing Data Science Agent in BigQuery Colab notebooks and Vertex AI Colab Enterprise: Data science and Analytics made simple.
Cloud Spanner Databases Official Blog | Spanner columnar engine: Powering next-generation analytics on operational data - Spanner's new columnar engine bridges the OLTP-OLAP divide, letting you analyze live operational data in real time without impacting transactions.
AI Hypercomputer Official Blog | Announcements for AI Hypercomputer: The latest infrastructure news for ML practitioners - AI Hypercomputer recently got enhancements to Dynamic Workload Scheduler, updates to MaxText and MaxDiffusion, and support for Managed Lustre.
FinOps Official Blog | Optimize your cloud costs using Cloud Hub Optimization and Cost Explorer - The new Cloud Hub Optimization and Cost Explorer dashboards answer questions about the most expensive resources, costs over time, and resource utilization.
Agents AI Event Official Blog | Your epic quest awaits: Conquer the Agentverse - Conquer the Agentverse: Join Google Cloud Labs' live-action quest to master AI agent development, architecture, data engineering, and SRE. Learn to build, manage, and scale secure, collaborative AI systems in a hands-on, gamified mission. Register for an event near you.
FinOps Official Blog Quadrant | Google is a Leader in the 2025 IDC MarketScape: FinOps Cloud Costs Optimization - Google recognized as a Leader in the 2025 IDC MarketScape for FinOps Cloud Cost Optimization, highlighting its integrated FinOps tools and generative AI capabilities.
Official Blog Quadrant | Google is a Leader in the Gartner® Magic Quadrant for Strategic Cloud Platform Services - Google is a Leader in Gartner® Magic Quadrant for Strategic Cloud Platform Services.
Articles, Tutorials
Infrastructure, Networking, Security, Kubernetes
Official Blog Public Sector | Accelerating FedRAMP 20x: How Google Cloud is automating compliance - Automate & accelerate FedRAMP authorization with Google Cloud Compliance Manager. Achieve continuous compliance and reduce time to authorization for partners & customers.
AI Google Kubernetes Engine Official Blog | Supercharge your AI: GKE inference reference architecture, your blueprint for production-ready inference - Supercharge your AI with the GKE inference reference architecture. This production-ready blueprint simplifies deploying inference workloads on Google Kubernetes Engine (GKE), optimizing for performance, cost, and scalability with features like intelligent accelerator use, smarter scaling, and simplified operations.
Google Kubernetes Engine Kubernetes Paywall | Understanding Google Kubernetes Engine pricing like a five-year-old - Google Kubernetes Engine pricing resembles renting apartments and paying for utilities, with costs for space used plus a management fee. Standard mode is like renting an entire building, offering full control but requiring self-management, while Autopilot mode is like a hotel, charging only for the computing power used. The article simplifies GKE costs into understandable components.
IAM Security | Fixing “Service Account Key Creation is Disabled” in Google Cloud Console
DevOps IAM Security | Why Service Account Impersonation is Essential for Secure and Efficient Cloud Development
Gitlab Workload Identity | Configure GCP Workload Identity Federation for GitLab - This article explains how to configure Google Cloud Workload Identity Federation (WIF) for GitLab, focusing on multi-project deployments.
App Development, Serverless, Databases, DevOps
Cloud Storage Official Blog Security | Secure your storage: Best practices to prevent dangling bucket takeovers - Storage buckets are where your data lives in the cloud, but sometimes they get forgotten. Here’s how to secure them against dangling bucket attacks.
Cloud Memorystore Databases GCP Experience Official Blog | How MLB keeps fans connected to the game – one cache hit at a time - MLB uses Google Cloud's Memorystore for Valkey to deliver real-time data to millions of fans and broadcasters, handling billions of requests daily.
AlloyDB MCP | The Developer’s Book of Spells: An End-to-End Database Journey in Your IDE - Unlock database magic within your IDE with MCP Toolbox.
Gemini CLI Workload Identity | Goodbye API Keys: Gemini CLI GitHub Actions with Workload Identity Federation - This guide explains why and how to use Workload Identity Federation for a more secure and manageable way to run Gemini CLI GitHub Actions.
BigQuery Cloud Spanner | From Laggy to Snappy: Accelerating Analytics Insights with Spanner Front-Loading - An architectural pattern for powering scalable, high-concurrency dashboards with BigQuery and Spanner.
Cloud Load Balancing Cloud Run DevOps Paywall Serverless | How to Add a Custom Subdomain to Google Cloud Run: Complete Guide with Load Balancer and SSL - Why Cloud Run Needs a Load Balancer for Custom Domains.
Cloud Build Cloud Deploy Kubernetes | Building a Resilient, Zero-Downtime Pipeline with Google Cloud Deploy - The article details how to build a resilient, zero-downtime continuous delivery pipeline using Google Cloud Deploy, Kubernetes Gateway API, and Cloud Build.
Big Data, Analytics, ML&AI
BigQuery Data Analytics Official Blog | BigQuery under the hood: Short query optimizations in the advanced runtime - BigQuery short query optimizations accelerate small queries by executing them as a single stage. It can significantly improve slot time and latency.
BigQuery FinOps | BigQuery Cross-Region Replication: Don’t Overlook the Network Costs - Cross-region replication in BigQuery involves costs that are hard to estimate. However, there is a way to approximate the egress cost.
Machine Learning Vertex AI | Build Scalable and Reusable ML Pipelines on Vertex AI: A Decoupled Approach - A practical guide to structuring your project with separate components, scripts, and orchestration for better MLOps.
Big Data Paywall | Choosing GKE Over Dataflow: What I Learned as a Data Product Manager - A true story of listening to your architect and understanding the invisible cloud sales incentives.
BigQuery Dataform dbt Paywall | Dataform CI/CD sucks. - The article discusses how companies can adapt Dataform to fit their needs when switching to other tools isn't feasible.
Cloud Run dbt Serverless | Securely Exposing dbt Docs on Google Cloud with Cloud Run and IAP - A comprehensive guide to securely deploy your dbt documentation within Google Cloud using Cloud Build, Cloud Run and Identity Aware Proxy.
GCP Experience Google Agentspace Official Blog | How Wells Fargo is using Google Cloud AI to empower its workforce with agentic tools - Wells Fargo, an early adopter of Google Agentspace, is transforming how individuals and teams work, collaborate, and serve customers.
ADK AI BigQuery | ADK Agents for BigQuery Series: Part 1 - Build a BigQuery agent with ADK - The article, part one of a series, introduces building a baseline Natural Language to SQL (NL2SQL) agent for BigQuery using Google's Agent Development Kit (ADK).
Gemini CLI Tutorial | Gemini CLI Tutorial Series — Part 7 : Custom slash commands - The article discusses custom slash commands in Google Cloud's Gemini CLI, which allow users to create reusable and parameterizable prompts that can be invoked directly from the command line, improving efficiency and consistency.
MCP | Build Better Tools, Faster: A Deep Dive into the New MCP Toolbox UI - Streamline your workflow with an interactive playground designed for rapid, real-time tool development.
Generative AI Machine Learning | Gen AI Evaluation Service — Multimodal Metrics - The article discusses Gecko, a multimodal evaluation service on Google Cloud's Vertex AI for assessing image and video generation models.
AI Gemini | Building an Intelligent Customer Support Agent with Google’s Gemini 2.5 - Transform Customer Support with 90% Automation.
Slides, Videos, Audio
Kubernetes Podcast - #257 Platform Engineering, with Ben Good.
Security Podcast - #237 Making Security Personal at the Speed and Scale of TikTok.
Releases
Apigee Advanced API Security - On August 6, 2025 we released an updated version of Advanced API Security. Note: Rollouts of this release to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Availability of Shadow API Discovery for APIs in any Google Cloud project: Using Shadow API Discovery, you can find undocumented/shadow APIs in your existing cloud infrastructure.
AppEngine Standard & Flexible, all supported languages - To increase security, starting in March 2025, support for Transport Layer Security (TLS) version 1.1 and earlier is deprecated.
Cloud Architecture Center - (New guide) Best practices for continuous access to Google Cloud: Describes best practices for using emergency access and IdP failover to ensure continuous access to Google Cloud. AI and ML perspective: Reliability: Major update to expand the reliability principles and recommendations in the AI and ML perspective.
Google Cloud Armor - Cloud Armor supports Autonomous System Numbers (ASNs) in globally scoped edge security policies for Media CDN edge cache services in Preview.
Cloud Asset Inventory - The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.
BigQuery - Enabling the advanced runtime now includes short query optimizations. You can now use the new Data Science Agent (DSA) for Colab Enterprise and BigQuery to automate exploratory data analysis, perform machine learning tasks, and deliver insights all within a Colab Enterprise notebook.
Bigtable - You can add the Cassandra to Bigtable client for Java library to your Java project from the Maven Central repository.
Billing - Personalized saved reports are available in cost Reports.
Chronicle - Updated permissions for accessing product-centric feeds: If you have assigned Custom IAM Roles, you can now grant access to the product-centric feeds by adding the following permissions to the role: chronicle.feedPacks.get, chronicle.feedPacks.list. To learn more about how to configure feeds using the product-centric feeds UI, see Configure feeds by product. Google SecOps has updated the list of supported default parsers. New YARA-L features: The following capabilities have been added to YARA-L 2.0 to enhance search precision, data analysis, and investigative workflows. Conditions in UDM search and dashboards: You can now filter aggregates defined in the outcome section using the new condition clause. New rules added to rule pack: Curated detections has been enhanced with additional Chrome Enterprise Premium Browser Threat detections. Auto Extraction supports XML formatted logs in addition to JSON formatted logs.
Chronicle Security Operations - Updated permissions for accessing product-centric feeds: If you have assigned Custom IAM Roles, you can now grant access to the product-centric feeds by adding the following permissions to the role: chronicle.feedPacks.get, chronicle.feedPacks.list. To learn more about how to configure feeds using the product-centric feeds UI, see Configure feeds by product. Expression Builder enhancements: The Expression Builder has been enhanced with a new set of pre-built filters to help streamline query creation. Remote agent notifications: Agent notifications will alert you to new remote agent version releases and agent downtime based on your permissions and associated environments. New permissions for Content Hub: To access all modules in the Content Hub, you must set the correct IAM role permissions. Google SecOps has updated the list of supported default parsers. New YARA-L features: The following capabilities have been added to YARA-L 2.0 to enhance search precision, data analysis, and investigative workflows. Conditions in UDM search and dashboards: You can now filter aggregates defined in the outcome section using the new condition clause. New rules added to rule pack: Curated detections has been enhanced with additional Chrome Enterprise Premium Browser Threat detections. Auto Extraction supports XML formatted logs in addition to JSON formatted logs.
Chronicle SOAR - Release 6.3.57 is being rolled out to the first phase of regions, as outlined in our Google SecOps release plan. Expression Builder enhancements: The Expression Builder has been enhanced with a new set of pre-built filters to help streamline query creation. Remote agent notifications: Agent notifications will alert you to new remote agent version releases and agent downtime based on your permissions and associated environments. Release 6.3.56 is now available for all regions.
Colab - Generally available: You can consume reservations with Colab Enterprise runtimes. You can now use the new Data Science Agent to automate exploratory data analysis, perform machine learning tasks, and deliver insights from within a Colab Enterprise notebook.
Cloud Composer - A new Cloud Composer release has started on August 05, 2025. (Cloud Composer 2) Moved the update_fab_perms option from [webserver] to [fab] in the Airflow configuration. Added task-level resource consumption Airflow metrics to Cloud Composer. New Airflow builds are available in Cloud Composer 3: composer-3-airflow-2.10.5-build.11 (default) composer-3-airflow-2.9.3-build. New images are available in Cloud Composer 2: composer-2.13.9-airflow-2.10.5 (default) composer-2.13.9-airflow-2.9.3. Cloud Composer versions 2.8.7 and 2.8.8 have reached their end of support period.
Compute Engine - For Hyperdisk Throughput, the maximum IOPS for a single volume has increased from 600 MiB/s to 2,400 MiB/s. Generally Available: The storage-optimized Z3 machine series offers a bare metal (z3-highmem-192-highlssd-metal) machine type with 192 vCPUs, 1,536 GB of memory, and 72 TiB of Local SSD storage. The Compute Engine feature that deploys containers on VMs during VM creation is deprecated.
Cloud NGFW - You can create a secure tag at the organization level and bind its value to all virtual machine (VM) instances across that organization.
Gemini - Quick Preview of chat code suggestions across multiple files. VS Code Gemini Code Assist 2.44.0: Gemini Code Assist chat provides a quick preview of the collective code suggestions across multiple files in the chat.
Google Kubernetes Engine - You can now customize a node system configuration with the following new Kubelet, Sysctl, and Linux config options. kubeletConfig flags: topologyManager (on GKE versions 1.32.3-gke.1785000 and later), memoryManager (on GKE versions 1.32.3-gke.1785000 and later), maxParallelImagePulls (on GKE versions 1.33.1-gke.1918000 and later), singleProcessOomKill (on GKE versions 1.32.4-gke.1132000, 1.33.0-gke.1748000 and later), evictionSoft, evictionSoftGracePeriod, evictionMinimumReclaim, evictionMaxPodGracePeriodSeconds. sysctl flags: vm.overcommit_memory, vm.overcommit_ratio, vm.vfs_cache_pressure, vm.dirty_ratio, vm.dirty_background_ratio, vm.dirty_expire_centisecs, vm.dirty_writeback_centisecs, vm.watermark_scale_factor, vm.min_free_kbytes, vm.swappiness, fs.nr_open, fs.file-max, fs.inotify.max_user_watches, fs.inotify.max_user_instances, fs.aio-max-nr, net.ipv4.tcp_max_orphans. linuxConfig flags: transparentHugepageEnabled (on GKE versions 1.33.2-gke.4655000 and later), transparentHugepageDefrag (on GKE versions 1.33.2-gke.4655000 and later). The C4 machine series now has General Availability machine types that support Local SSD storage options. (2025-R33) Version updates: GKE cluster versions have been updated. The M4 machine series is generally available in GKE Standard clusters. A fix is available for an issue in which the Compute Engine Persistent Disk CSI driver failed with an invalid cpuString error on GKE nodes that used custom machine types.
GKE new features - You can now customize a node system configuration with the following new Kubelet, Sysctl, and Linux config options. kubeletConfig flags: topologyManager (on GKE versions 1.32.3-gke.1785000 and later), memoryManager (on GKE versions 1.32.3-gke.1785000 and later), maxParallelImagePulls (on GKE versions 1.33.1-gke.1918000 and later), singleProcessOomKill (on GKE versions 1.32.4-gke.1132000, 1.33.0-gke.1748000 and later), evictionSoft, evictionSoftGracePeriod, evictionMinimumReclaim, evictionMaxPodGracePeriodSeconds. sysctl flags: vm.overcommit_memory, vm.overcommit_ratio, vm.vfs_cache_pressure, vm.dirty_ratio, vm.dirty_background_ratio, vm.dirty_expire_centisecs, vm.dirty_writeback_centisecs, vm.watermark_scale_factor, vm.min_free_kbytes, vm.swappiness, fs.nr_open, fs.file-max, fs.inotify.max_user_watches, fs.inotify.max_user_instances, fs.aio-max-nr, net.ipv4.tcp_max_orphans. linuxConfig flags: transparentHugepageEnabled (on GKE versions 1.33.2-gke.4655000 and later), transparentHugepageDefrag (on GKE versions 1.33.2-gke.4655000 and later). The C4 machine series now has General Availability machine types that support Local SSD storage options. The M4 machine series is generally available in GKE Standard clusters.
Load Balancing - Cross-region internal Application Load Balancers can now route requests for static content to Cloud Storage buckets.
Cloud Logging - You can now build queries without manually writing SQL in the Log Analytics page by using the query builder.
Media CDN - You can use Autonomous System Numbers (ASN) based rules from Cloud Armor for Media CDN.
Migration Center - The discovery client 6.3.7 is available with new features and bug fixes. Generally available: You can now export collected data from the discovery client to a file for manual import into the Migration Center. When you run an inventory discovery on your Amazon Web Services (AWS) account, memory utilization for Amazon EC2 instances is collected by the mcdc CLI if the Amazon CloudWatch agent is installed and configured. When you run a Linux guest scan, the mcdc CLI now discovers the Btrfs filesystem. You can now filter the discovered Amazon Relational Database Service (Amazon RDS) assets by tags. Fixed an issue that prevented parsing of df output on Linux when a mount point name contained spaces. Fixed an issue where ZFS partitions not generated by the zpool command were incorrectly included in Linux scans. Fixed an issue that caused floppy disk drives to be incorrectly included in Linux disk scans. Fixed an issue in the Linux collection script where the output tar file had insufficient permissions, which prevented access by the original non-root user when the script was run with root privileges. Fixed an issue that prevented the collection of CPU model names for vSphere ESXi hosts, resulting in missing CPU information for vSphere virtual machines (VMs) in Migration Center. Added guidance on the Migration Center user interface to help Active Directory (AD) administrators to resolve potential authentication failures by verifying MCDCUsers group membership. When you upgrade to discovery client 6.3.7, data collected by earlier versions of discovery client and that was not already uploaded to Migration Center will be deleted.
Cloud Monitoring - You can now use the time_series_billed_for_queries_count metric to estimate charges based on the number of time series that have been queried.
Cloud Interconnect - Cross-Site Interconnect (Preview) support is available in the following colocation facilities: Equinix Dallas (DA1), Dallas; Equinix Miami (MI1), Miami. For more information, see the Locations table and Global Locations.
Cloud Run - Support for manually scaling your Cloud Run service is now at General Availability (GA).
Security Command Center - Risk reports generated and downloaded from Security Command Center include a system attack exposure page that shows the organization's exposure risk over time and lists the projects and resources that have the highest risk. The following Container Threat Detection detectors have been released to General Availability: Execution: Possible Arbitrary Command Execution through CUPS (CVE-2024-47177); Execution: Socat Reverse Shell Detected; Privilege Escalation: Abuse of Sudo For Privilege Escalation (CVE-2019-14287); Privilege Escalation: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034); Privilege Escalation: Sudo Potential Privilege Escalation (CVE-2021-3156). Model Armor supports the asia-southeast1 location.
Sensitive Data Protection - Sensitive Data Protection provides recommendations to optimize your infoType selections.
Cloud Spanner - Columnar engine for Spanner is now in Preview.
Cloud SQL MySQL - Cloud SQL for Enterprise Plus edition supports quality enhancements for AI-assisted troubleshooting. Cloud SQL for MySQL now supports model endpoint management to help you build your generative AI applications.
Cloud SQL Postgres - Cloud SQL for Enterprise Plus edition supports quality enhancements for AI-assisted troubleshooting. PostgreSQL has identified a bug in PostgreSQL's May 8, 2025 release that is causing logical replication to halt.
Cloud SQL SQL Server - Cloud SQL now offers planned maintenance and machine tier upgrades for your Cloud SQL Enterprise plus instances with near-zero downtime for eligible instances.
Vertex AI - OpenAI's gpt-oss models are available through Model Garden.
Vertex AI Workbench - Generally available: You can consume reservations with Vertex AI Workbench instances.
VPC Service Controls - General availability support for the following integration: FleetPackage API. General availability support for the following integration: Backup for GKE.
Virtual Private Cloud - VPC Flow Logs includes metadata annotations for Google services such as Google APIs and VPC-hosted services. When you reserve an internal range with an automatically allocated IPv4 CIDR block, you can specify the allocation strategy that is used to select a free block.