News
[BigQuery Data Analytics Generative AI LLM Official Blog] Introducing BigQuery managed and SQL-native inference for open models - BigQuery now supports managed and SQL-native inference for Hugging Face and Vertex AI Model Garden open models.
[Official Blog Threat Intelligence] AuraInspector: Auditing Salesforce Aura for Data Exposure - Our open-source tool AuraInspector can help defenders identify Salesforce Aura access control misconfigurations.
[Official Blog Public Sector] New Google Public Sector research shows that nearly 90% of federal agencies are already using AI - A new survey reveals nearly 90% of U.S. government agencies are adopting AI, despite security and budget hurdles. Explore the findings and the path to scaling innovation.
Articles, Tutorials
Infrastructure, Networking, Security, Kubernetes
[CISO Official Blog] Cloud CISO Perspectives: Practical guidance on building with SAIF - Learn our practical guidance for CISOs and security leaders who want to build AI boldly and responsibly with our Secure AI Framework.
[Official Blog Threat Intelligence] Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation - Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1.
[gRPC MCP Networking Official Blog] A gRPC transport for the Model Context Protocol - Google Cloud is working with MCP maintainers to support pluggable transports in the MCP SDK and support gRPC as a transport without transcoding.
[Cloud Load Balancing Networking] Understanding how zonal affinity works along with weighted load balancing for internal Network Load Balancers - This article demonstrates how Google Cloud's zonal affinity and weighted load balancing for Internal Network Load Balancers work together to optimize traffic.
[DevOps Google Kubernetes Engine] Choosing the Most Performant GCP Machine Type for GKE: A Real Production Experiment - A production experiment on Google Kubernetes Engine (GKE) investigated optimal GCP machine types for a CPU-bound service, discovering that C2D (AMD EPYC) machines consistently outperformed others.
[API Gateway Kubernetes] Migrating from ingress-nginx to Gateway API on GKE: Routing React and Python Services - This article outlines the process of migrating a React and Python application from `ingress-nginx` to the Kubernetes Gateway API on Google Kubernetes Engine (GKE).
[DevOps Kubernetes OpenTelemetry] Stop Coding Your Traces: A Zero-Touch Guide to GKE Autopilot & OpenTelemetry - Stop coding traces. Build a zero-touch OpenTelemetry pipeline on GKE Autopilot for Node.js. Get deep visibility without the tech debt.
[FinOps Generative AI] The Cloud Kill Switch: How to Build a GCP Budget Guard - This article provides a step-by-step guide to building a "Cloud Kill Switch" for Google Cloud Platform, using a Cloud Function to automatically disable billing when a predefined budget is exceeded.
[DevOps Paywall Python] Why I Built My Own GCP Cleanup Tool Instead of Using Google’s - A Python CLI tool to delete unused GCP projects.
App Development, Serverless, Databases, DevOps
[Apigee Paywall] Your Proxy Should Only Allow Requests with a Custom Header — How Do You Do It in Apigee X? - This article demonstrates how to implement a custom header validation in Google Cloud's Apigee X to enhance API security. It explains how Apigee X proxies act as intermediaries to enforce policies, ensuring only requests with a specific custom header and value can access backend services.
Unlocking 3x Write Performance: A Deep Dive into Cloud SQL MySQL Optimizations - This article explores how Google Cloud SQL for MySQL Enterprise Plus significantly boosts performance for high-volume write operations through its "optimized writes" feature. This intelligent system automatically fine-tunes MySQL settings using five sophisticated optimization layers, resulting in up to 3x higher write throughput and substantially reduced latency.
[Cloud SQL Microsoft] Bridging the Identity Gap: Microsoft Entra ID Integration with Cloud SQL for SQL Server - Google Cloud has announced the public preview of Microsoft Entra ID integration with Cloud SQL for SQL Server. This new feature allows organizations to centralize identity management, enhance security with advanced Entra ID features, and streamline user administration across multi-cloud environments.
[SAP] Google SDK for ABAP Cloud. - This article provides a practical guide to setting up and configuring the Google SDK for ABAP Cloud (Steampunk), detailing the installation process, handling certificates, and integrating with Google Cloud components like Secrets Manager.
[ADK Cloud Run Security] Implementing Zero Trust A2A with ADK in Cloud Run - Secure your A2A Agents on Cloud Run: Use the A2A protocol and ADK to build Zero Trust agentic microservices with Google Identities!
Big Data, Analytics, ML&AI
[BigQuery Data Analytics Generative AI Official Blog] Vibe querying: Write SQL queries faster with Comments to SQL in BigQuery - Comments to SQL in BigQuery is an AI-powered feature that bridges the gap between human language and structured data queries. Read to learn more.
[Cloud Dataflow Data Analytics GCP Experience Official Blog Partners] How Palo Alto Networks built a multi tenant scalable Unified Data Platform - Learn how Palo Alto Networks used Dataflow, Pub/Sub, and BigQuery to build a scalable multi-tenant Unified Data Platform, achieving 30% compute cost savings.
[BigQuery] Building a Medallion Architecture using Apache Iceberg on Google Cloud - This guide explores integrating Apache Spark and Iceberg to build modern data lake architectures within big data environments.
[BigQuery] BigQuery History-Based Optimizations: What Changed - I spent a few weeks chasing a performance issue that turned out not to be a bug, a bad schema, or poorly written SQL.
[BigQuery] Clean up your BigQuery instance. Delete old tables with BigQuery Cleaner - BigQuery instances can become cluttered with unused tables, leading to confusion and increased storage costs. BigQuery Cleaner is a command-line tool designed to automate the identification and cleanup of these "ghost tables" by analyzing query history to find unreferenced data.
[BigQuery] Hacking BigQuery — Explicit table locks - Why they are useful and how to implement them on BigQuery.
[BigQuery Billing FinOps] Querylab.io: No more overspending on BigQuery - Why BigQuery costs get out of control — and how a BigQuery-first IDE fixes that.
[BigQuery FinOps Paywall] BigQuery Table Valuation Functions: Quantify Cost per Query Before You Ship - This article details how to quantify BigQuery query costs *before* deployment using "table valuation" functions and dry runs. This proactive method allows teams to estimate bytes processed and forecast expenses, effectively blocking costly "oops" queries during development.
[BigQuery Paywall] BigQuery Adaptive Materializations: Auto-Refresh Policies Based on Query Heatmaps - This article details an adaptive strategy for optimizing Google BigQuery materialized views by leveraging query heatmaps derived from job metadata. This approach dynamically tunes refresh policies and max staleness based on actual query patterns and demand, utilizing BigQuery's recommender and user-defined thresholds.
[Agents GCP Experience Official Blog Partners] Palo Alto Networks automates customer intelligence document creation with agentic design - Palo Alto Networks reduces time to create comprehensive customer intelligence documents by leveraging a scalable AI agent on Google Cloud.
[AI Tutorial] A Guide to Fine-Tuning FunctionGemma - FunctionGemma is a specialized AI model for function calling. This post explains why fine-tuning is key to resolving tool selection ambiguity (e.g., internal vs. Google search) and achieving ultra-specialization, transforming it into a strict, enterprise-compliant agent.
[ADK Generative AI LLM] Improve AI output with continuous improvement - This article details how continuous improvement strategies can significantly enhance AI outputs by employing a looping mechanism where AI models iterate on each other's responses.
[BigQuery Machine Learning] BigQuery as a Feature Store (Without Regret): Cost Controls, Partition Strategy, and Online/Offline Parity - This article provides a practical guide on leveraging BigQuery as a robust offline feature store for machine learning, focusing on mitigating common issues like cost overruns and data inconsistencies.
[BigQuery Machine Learning Paywall] BigQuery Product Quantization UDFs: ANN Vector Search at a Fraction of the Cost - This article demonstrates how to achieve approximate nearest neighbor (ANN) vector search in BigQuery at a significantly lower cost. It details implementing Product Quantization (PQ) using User-Defined Functions (UDFs) to compress vectors, enabling a two-stage process of cheap shortlisting followed by precise reranking.
[Generative AI LLM MCP] The Tool Bloat Epidemic - Strategies for combating tool bloat to improve agent accuracy, latency, and cost.
[Vertex AI] Vertex AI Agentic AI & Multi-Agent Systems: The Nitty-Gritties for Expert AI Engineers — Solving the Hard Stuff - Making multi-agent systems reliable in production.
Slides, Videos, Audio
[Official Blog] Agent Factory Recap: Reinforcement Learning and Fine-Tuning on TPUs - Learn how to master RL fine-tuning for specialized agents using Google TPUs and the vertically integrated MaxText platform. Solve complex scaling hurdles.
Security Podcast - #258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen.
Releases
AlloyDB - Fixed: Memory usage estimation is more accurate for high-dimensional vector indexes. This fix prevents out of memory (OOM) errors by enforcing defined memory constraints throughout the index build process. You might need to increase your maintenance_work_mem settings to align with the real usage estimates.
API Gateway - Feature: Centralize API Gateway API management using Apigee API hub. Connect API Gateway to Apigee API hub to enable seamless publishing of API metadata from your API Gateway project to API hub. This integration provides a centralized, unified view of your APIs across different gateways, simplifying API discovery, governance, and management. Key benefits include: Centralized API discovery: All your API Gateway APIs are discoverable in API hub alongside APIs from other sources; Enhanced visibility: Gain insights into your API landscape with consolidated metadata; Streamlined management: Simplify API governance and lifecycle management across your diverse API ecosystem. For more detail, see Centralize API management using API hub. Note: Rollouts of this release to production instances might take up to 5 business days to complete across all Google Cloud zones. Your instances might not have the feature available until the rollout is complete.
Apigee API Hub - Feature: Ingest API Gateway metadata into API hub. API hub now supports automatic metadata ingestion from Google Cloud API Gateway. You can now attach your API Gateway projects to API hub to enable auto-ingestion for all your APIs. For more information, see Centralize API management using API hub. Note: Rollouts of this release to production instances might take up to 5 business days to complete across all Google Cloud zones. Your instances might not have the feature available until the rollout is complete.
Apigee UI - Announcement: On January 12, 2026, we released an updated version of the Apigee UI. Feature: Manage environment-level resources in the Apigee UI. You can now manage environment-level resources using the Apigee UI. Previously, environment-level resources could only be managed using the API. For more information, see Managing resources.
Apigee Advanced API Security - Announcement: On January 12, 2026, we released an updated version of Advanced API Security Abuse Detection. Feature: Introduction of Terraform support for managing Advanced API Security abuse detection exclusion lists. You can now use Terraform to manage Advanced API Security abuse detection exclusion lists. The feedback feature allows you to specify CIDR ranges and IP addresses to exclude from future incident reports, and is used to exclude traffic known to be safe, such as requests related to automated testing. Note: Exclusion lists are not available for VPC-SC customers at this time. For usage information, see Exclude traffic from abuse detection and Use Terraform in Apigee in the Apigee documentation and the Terraform abuse detection feedback (exclusion lists) instructions.
Cloud Asset Inventory - Feature: The location granularity for the following Bigtable Backup resource type has changed from global to regional: bigtableadmin.googleapis.com/Backup
Cloud Build - Change: Cloud Build now supports OCI artifacts. OCI artifacts for a build are shown in the following locations: the Artifacts column of the Build history page; the Execution details tab of the Build details page; the Build Artifacts tab of the Build details page. For more information, see View build results.
Chronicle - Announcement: Self-service deprovisioning general availability. The self-service deprovisioning feature is now GA. For more information, see Self-service deprovisioning for Google SecOps. Announcement: Auto extraction general availability. As part of the GA release for the auto extraction feature, customers now need to opt in and choose which fields to extract. (Full auto extraction is no longer supported.) The opt-in functionality does not impact the extracted fields that are already in use (in saved searches and rules), because those fields have been automatically opted in as part of the GA migration. For more information, see Auto Extraction overview.
Chronicle Security Operations - Feature: OneMCP for Google SecOps. You can use the Google SecOps remote MCP server to enable LLM agents to perform a range of data-related tasks. This feature is in Preview. Announcement: Self-service deprovisioning general availability. The self-service deprovisioning feature is now GA. For more information, see Self-service deprovisioning for Google SecOps. Announcement: Auto extraction general availability. As part of the GA release for the auto extraction feature, customers now need to opt in and choose which fields to extract. (Full auto extraction is no longer supported.) The opt-in functionality does not impact the extracted fields that are already in use (in saved searches and rules), because those fields have been automatically opted in as part of the GA migration. For more information, see Auto Extraction overview. Feature: Copy instance metadata. To enable Google support to test and troubleshoot customer issues, a new option to copy SOAR information and share it with Support has been added to the platform. This option, entitled Copy instance metadata, can be accessed from the question mark at the top of the platform.
Chronicle SOAR - Announcement: Release 6.3.72 is being rolled out to the first phase of regions as listed here. This release contains the following changes: Feature: Integration Rollback. This feature is currently in Preview. You can now roll back commercial response integrations to their previously installed version. This action reverts all integration content, including standard code and any custom modifications, to the state of the last installed version. For more information, see Roll back response integration version. Announcement: Release 6.3.71 is now available for all regions.
Cloud Composer - Announcement: A new Cloud Composer release has started on January 14, 2026. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet. Feature: Database retention policy is now available in environments with Airflow 3, starting with composer-3-airflow-3.1.0-build.5. This change is now rolled out to all regions supported by Cloud Composer 3. Change: Cloud Composer 3 environments no longer consume the Cloud SQL Admin API quota in the customer project. Fixed: Improved error handling when an invalid Airflow version is specified during environment creation. Change: (Airflow 3.1.0 in Cloud Composer 3) The apache-airflow-providers-google package was upgraded to version 19.2.0. For more information about changes, see the apache-airflow-providers-google changelog. Change: (Airflow 3.1.0 in Cloud Composer 3) The apache-airflow-providers-cncf-kubernetes package was upgraded to version 10.11.1. For changes in other packages, see the preinstalled packages changelog. Change: New Airflow builds are available in Cloud Composer 3: composer-3-airflow-3.1.0-build.7, composer-3-airflow-2.10.5-build.24 (default), composer-3-airflow-2.9.3-build.44. Change: New images are available in Cloud Composer 2: composer-2.16.2-airflow-2.10.5 (default), composer-2.16.2-airflow-2.9.3. Deprecated: The following Cloud Composer versions and builds have reached their end of support period: composer-3-airflow-2.9.3-build.12, composer-2.10.2-airflow-2.9.3, composer-2.10.2-airflow-2.10.2.
Contact Center AI Insights - Announcement: This product has a new name. The same product with the same features is now called Customer Experience Insights, or CX Insights for short.
Dataflow - Feature: Dataflow now serves a notice for when the Dataflow Runner v2 container image of a streaming pipeline will be upgraded. To use a new image and avoid the scheduled maintenance, launch a replacement job before the upgrade. For more information, see Runner v2 harness update.
Dataplex - Breaking: Some of the metadata that is stored in Dataplex Universal Catalog is changing. This change brings the metadata stored in Dataplex into consistency with metadata from the original source systems such as Vertex AI, Bigtable, Spanner, Pub/Sub, Dataform, and Dataproc Metastore. If you have workloads that depend on such Dataplex metadata, you must adjust them to preserve continuity. For more information about the scope of this change and what you need to do, see Changes to metadata stored in Dataplex Universal Catalog.
Dataproc - Announcement: Dataproc on Compute Engine: The following subminor image versions announced on January 06, 2026 have been rolled back: 2.0.156-debian10, 2.0.156-ubuntu18, 2.0.156-rocky8; 2.1.105-debian11, 2.1.105-ubuntu20, 2.1.105-ubuntu20-arm, 2.1.105-rocky8; 2.2.73-debian12, 2.2.73-ubuntu22, 2.2.73-ubuntu22-arm, 2.2.73-rocky9; 2.3.20-debian12, 2.3.20-ml-ubuntu22, 2.3.20-rocky9, 2.3.20-ubuntu22, 2.3.20-ubuntu22-arm
Cloud Networking Products - Feature: Monitoring your internet-bound DNS queries for malicious activity using DNS Armor is generally available (GA). For more information, see Advanced threat detection with DNS Armor.
Buildpacks - Feature: Cloud Run and Cloud Run functions source deployments support the pyproject.toml file for managing dependencies. This feature is in General Availability for all supported Python versions. For more information, see Deploy Python applications with a pyproject.toml file.
Document AI - Feature: Document AI is introducing document-level prompting for custom document processors. This feature allows you to provide an overall description of the document to inject deep business knowledge into the model, leading to improved extraction quality. Document-level prompting offers improved accuracy by giving the model necessary context for extraction at the document level. This allows for easily supplied general information, such as geographical limitations (for example, all the address fields are located in the USA), to guide the model. For more details, refer to the documentation on custom extractor mechanisms and document-level prompting.
Cloud Firestore - Feature: Firestore Enterprise edition now supports Native mode and the Pipeline operations interface. Pipeline operations are a new query interface for Firestore. This interface provides advanced query functionality that includes complex expressions. It also adds support for many new functions like min, max, substring, regex_match and array_contains_all. With Firestore Enterprise edition in Native mode, index creation is also completely optional, streamlining the process of developing new queries. To learn more about Pipeline operations, see the query interfaces overview. This feature is available in Preview.
Infrastructure Manager - Change: Infrastructure Manager is available in the following regions: me-central2. For more information about regions, see Infrastructure Manager locations.
Load Balancing - Feature: Managed workload identity is available for backend mutual TLS (mTLS) in global external Application Load Balancers. This feature allows you to: Streamline certificate management: Managed workload identity enables automated certificate and trust management for backend mTLS through seamless integration with Certificate Authority Service and Certificate Manager; Eliminate operational toil: Certificates are automatically rotated based on the workload identity pool's configuration, removing the complexity and manual bottleneck of private key provisioning and maintenance; Improve visibility and governance: Gain visibility into communication between distributed services and proactively apply governance to workloads across environments. For more information, see Backend mTLS with managed workload identity overview. This feature is in Preview.
Looker - Feature: Looker (Google Cloud core) is now available in the asia-southeast3 (Bangkok) region. For more information, see the Looker (Google Cloud core) locations documentation.
Cloud Run - Feature: Cloud Run and Cloud Run functions source deployments support the pyproject.toml file for managing dependencies. This feature is in General Availability for all supported Python versions. For more information, see Deploy Python applications with a pyproject.toml file.
Service Mesh - Announcement: The following images are now rolling out for managed Cloud Service Mesh: 1.21.6-asm.8 is rolling out to the rapid release channel. 1.20.8-asm.60 is rolling out to the regular release channel. 1.19.10-asm.55 is rolling out to the stable release channel. These patch releases contain the fixes for the following managed Cloud Service Mesh CVEs:
CVE | Proxy | Control Plane | CNI | Distroless
CVE-2025-61729 | Yes | Yes | - | Yes
CVE-2025-61727 | Yes | Yes | - | Yes
Cloud Spanner - Feature: Several updates have been made to full-text search: Named schemas now support full-text search. Spanner search indexes can now accelerate pattern matching expressions such as LIKE, STARTS_WITH, and ENDS_WITH for pattern matching, and REGEXP_CONTAINS for regular expression matching. TOKENIZE_FULLTEXT now has an argument for removing diacritics. SEARCH and SCORE automatically use this if the data was tokenized with this option. TOKENIZE_SUBSTRING now supports emojis.
Cloud Storage Transfer - Feature: Storage Transfer Service event-driven transfers are now available for Azure Blob Storage and Data Lake Storage Gen2 sources. Event-driven transfers listen to Azure Event Grid notifications via Azure Storage Queues to automatically transfer new or updated objects from your Azure container to Cloud Storage. For more information, see Event-driven transfers from Azure Blob Storage or Data Lake Storage Gen2.
Cloud Storage - Feature: You can now use dry run mode to simulate storage batch operations jobs without modifying or deleting data. Dry run helps you to validate your job configuration before running the actual operation. To learn how to configure a dry run job, see Create and manage batch operations jobs. Feature: When you bulk restore soft-deleted objects, you can restore objects that were live at a specific time. You can also choose the objects to restore based on the object creation time.
Cloud Tools for Powershell - Deprecated: Effective immediately, Cloud Tools for PowerShell is deprecated and can no longer be installed using the Google Cloud CLI. For more information, see Cloud Tools for PowerShell deprecation.
VMware Engine - Feature: Private clouds capable of hosting both ve1 and ve2 node-family clusters are available in the following additional regions: London, England, Europe (europe-west2-a, europe-west2-b); São Paulo, Brazil, South America (southamerica-east1-a); Dallas, Texas, North America (us-south1-b). While a private cloud can contain mixed node families, each individual cluster must be comprised of nodes from the same family type. Note: To create a new cluster of a different node family, contact Cloud Customer Care.
VPC Service Controls - Feature: Preview stage support for the following integration: Cloud Location Finder