Google Cloud Platform Newsletter

Check Archive for older issues

News

Simplify your Cloud Run security with Identity Aware Proxy (IAP) - Integrating Identity Aware Proxy (IAP) directly with Cloud Run makes it easier to control user access to applications running in Google Cloud.

Introducing no-cost trials for Data Connect - Google Cloud has announced a no-cost trial for Firebase Data Connect, enabling users to provision a PostgreSQL database instance for prototyping without upfront billing concerns. Users on Spark plans can get a 90-day trial without a credit card, while Blaze plan users receive a 3-month trial with more configuration flexibility.

Secure Browsing, Powered by Peers: Join the New Chrome Enterprise Community - Join the new global Chrome Enterprise Customer Community. A collaborative hub for IT admins to connect, share best practices, and scale browser management.

Why context is the missing link in AI data security - In the AI era, organizations need more than security controls that rely on manual tagging and simple keyword matching — and we’ve updated Sensitive Data Protection to help.

Welcoming Wiz to Google Cloud: Redefining security for the AI era - Google has completed today its acquisition of Wiz, a leading security platform. The Wiz team will join Google Cloud, and we will retain the Wiz brand.

Gemini for Government: Build custom AI agents for unclassified work on GenAI.mil - Now with Agent Designer, personnel can build their own agents on GenAI.mil to support unclassified work tasks and automate administrative workflows.

Plan mode is now available in Gemini CLI - Gemini CLI now features Plan Mode, a read-only environment that allows the AI to analyze complex codebases and map out architectural changes without the risk of accidental execution. By leveraging the new ask_user tool and expanded Model Context Protocol (MCP) support, developers can collaboratively refine strategies and pull in external data before committing to implementation.

Introducing Finish Changes and Outlines, now available in Gemini Code Assist extensions on IntelliJ and VS Code - Google has introduced Finish Changes and Outlines for Gemini Code Assist in IntelliJ and VS Code to reduce developer friction and eliminate the need for long, manual prompting.

Introducing Wednesday Build Hour - Wednesday Build Hour is a weekly, interactive "technical gym session" led by Google Cloud experts to help developers and architects sharpen their cloud skills.

Google named a Leader in IDC MarketScape: U.S. State and Local Government Professional Security Services 2025–2026 Vendor Assessment - Google named a Leader in IDC MarketScape: U.S. State and Local Government Professional Security Services 2025–2026. Secure mission-critical workloads with AI-optimized infrastructure and Mandiant frontline expertise.

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Cloud CISO Perspectives: New Threat Horizons report highlights current cloud threats - Threat actors are exploiting vulnerabilities faster than ever, from our newest Cloud Threat Horizons Report. Here’s what CISOs need to know.

The Cheapest and Most Expensive Months for Google Cloud Disk Usage - This article investigates an unexpected increase in Google Cloud disk storage costs, revealing that disk usage is billed based on a theoretical 730-hour month. This fixed monthly hour calculation means the effective hourly price for storage varies, making shorter months like February comparatively more expensive and longer months like March cheaper than advertised rates.

gRPC on GKE for Fun & Profit Part 2— The Walkthrough - This article provides a practical walkthrough for deploying a multi-service gRPC application on Google Kubernetes Engine (GKE). It details setting up chained frontend and backend gRPC services, integrating them with a Google Cloud Application Load Balancer using the Gateway API, and configuring essential components like namespaces and TLS certificates.

Part I : GKE Managed DRANET with TPUs - This article explores leveraging Google Kubernetes Engine (GKE) Managed DRANET to optimize performance for Google Cloud TPUs. It details how DRANET creates dedicated network interfaces for TPU traffic, reducing bandwidth contention for high-performance AI workloads. The guide demonstrates setting up a GKE cluster with DRANET and deploying a vLLM model (Gemma) to utilize this specialized networking.

Supercharge your GKE Gateway: Introducing Utilization Based Load Balancing (UBB) - This article introduces Google Cloud's Utilization Based Load Balancing (UBB) for GKE Gateway, a feature designed to optimize traffic distribution across GKE clusters utilizing mixed-performance compute nodes. By intelligently routing requests based on actual node utilization, UBB ensures high-performance nodes are fully leveraged, significantly improving application responsiveness and success rates.

Inference on GKE Private Clusters - Deploying an inference service on your GKE private cluster using Artifact Registry, Cloud Storage and Persistent Disks.

App Development, Serverless, Databases, DevOps

What are Private Services? - And why do they matter about connecting to Cloud SQL?

Migrating Between Major PostgreSQL Versions on GCP Using Database Migration Service - This guide offers a practical, step-by-step approach to achieving zero-downtime major PostgreSQL version upgrades on Google Cloud's Cloud SQL using the Database Migration Service (DMS).

AlloyDB AI: Auto Embedding Generation & AI Functions now Generally Available - Google Cloud has announced the General Availability of foundational features in AlloyDB AI, including Auto Vector Embedding Generation and powerful AI Functions. Auto Vector Embeddings automate the entire lifecycle of vectors, ensuring continuous data synchronization and enabling significantly faster bulk embedding generation for Retrieval Augmented Generation (RAG) applications.

Optimize Cloud SQL for SQL Server with Database Migration Service - Introducing SQL Server migrations from one Cloud SQL to another (public preview).

Unleash Your Development Superpowers: Refining the Core Coding Experience - The Gemini Code Assist team has introduced a suite of updates focused on streamlining the core coding workflow through high-velocity tools like Agent Mode with Auto Approve and Inline Diff Views. These enhancements, along with new features for precise context management and custom commands, aim to transform the AI from a general assistant into a highly tailored, seamless collaborator that adapts to your specific development style.

Bring Your Database Tools to the Agent Skill Ecosystem - Easily convert your MCP Toolbox toolsets into standard Agent Skills with a single command.

Skills vs. Tools: Replacing the Google Firestore MCP Server with Skills (+ Go Binaries) - As AI agents become deeply integrated into our development workflows, an architectural debate has emerged: Skills vs. Tools.

Big Data, Analytics, ML&AI

Automating Dataform Workflows: How to Trigger Pipelines from GCS File Events - This article presents a method for automating Dataform workflows by triggering pipelines directly from Google Cloud Storage file events. It outlines an architecture using Eventarc and Cloud Functions (2nd Gen) to detect new data uploads in GCS and subsequently initiate Dataform workflow invocations via its API, ensuring data transformations kick off promptly.

Your Pipeline Succeeded. Your Data Didn't. - This article details how Nordnet leverages BigQuery’s native ML capabilities and dbt to automate volume anomaly detection across hundreds of tables.

BigQuery pipe syntax by example - SQL faster to write and far easier to maintain.

Stream processing with BigQuery STATEFUL continuous queries and ADK agents for Telco network monitoring - This article outlines an automated pipeline for Telco network monitoring and self-healing, designed to address dynamic user demand on static infrastructure. It leverages BigQuery's stateful continuous queries for real-time anomaly detection and Pub/Sub to trigger AI agents (ADK) for intelligent network reconfiguration.

Auditing BigQuery Access Across a GCP Organization - Auditing BigQuery access across a Google Cloud organization is challenging because native tools provide fragmented views. This article introduces `bq-discovery`, a Python CLI tool that unifies Cloud Asset Inventory, BigQuery dataset metadata, and Cloud Identity to create a single, normalized, and queryable inventory of BigQuery permissions. This solution allows for comprehensive access analysis and auditing by consolidating all relevant access paths into one dataset.

So You Think You’re a BigQuery Power User - This article unveils several powerful, often-overlooked features in BigQuery's GoogleSQL that significantly streamline query writing. It demonstrates how new syntaxes, such as `GROUP BY ALL`, `UNION ALL BY NAME`, chained function calls, and `ANY_VALUE(x HAVING MAX y)`, make queries more readable, concise, and efficient for modern SQL development.

Decoding BigQuery capacity commitments and CUDs - This article delves into Google Cloud BigQuery's capacity commitments and Committed Use Discounts (CUDs), explaining their evolution and how they impact cost optimization. It highlights that while commitments offer predictability, they can lead to unexpected costs if workload patterns aren't consistently stable.

Temp Tables and Session Mode - This article explains how using BigQuery's temporary tables in conjunction with session mode can significantly reduce query costs. By materializing filtered data subsets into temporary tables that persist within a session, users can avoid repeatedly processing large datasets. This approach offers substantial cost savings and improved efficiency for analysts and engineers performing iterative or multi-step queries.

Building Enterprise-Scale Custom Connectors for Vertex AI Discovery Engine & Gemini Enterprise - Enable high throughput & automate updates to a RAG data store for Agent Applications.

What you need to know about the Gemini Embedding 2 model - Google's Gemini Embedding 2, now in preview, is its first natively multimodal embedding model, unifying various data types like text, images, and audio into a single API call and joint embedding space.

Debugging Broken Streaming Pipelines: A Data Engineer’s Survival Guide - For an enterprise data engineer, the most frustrating pager alert is often the one you never receive.

Build Resilient LLM Applications on Vertex AI and Reduce 429 Errors - Deep dive into Vertex AI’s consumption models and architectural best practices for managing request flows. Use this guide to build smooth, resilient, and truly scalable AI applications.

Slides, Videos, Audio

Security Podcast - #266 Resetting the SOC for Code War: Allie Mellen on Detecting State Actors vs. Doing the Basics.

Releases

Cloud Monitoring - Feature: You can configure legend templates for PromQL-formatted charts. To learn more, see Configure the name of a legend column.

VMware Engine - Announcement: The VMware Engine ve2 node type is now available in the following additional region: Los Angeles, USA, North America ( us-west2-b ) Feature: Public Preview: You can now migrate VMware management VMs from their host cluster to a different cluster within the same private cloud. To migrate management VMs, you must have at least two clusters in your private cloud, and the destination cluster must be a workload cluster. This operation transitions the target workload cluster to a management cluster, and the source management cluster becomes a workload cluster.

BigQuery - Feature: Updates to conversational analytics include the following improvements: ObjectRef support: BigQuery conversational analytics now integrates with Google Cloud Storage through ObjectRef functions. This lets you reference and interact with unstructured data such as images and PDFs in Cloud Storage buckets in your conversational analysis. BQML support: BigQuery conversational analytics now supports a set of BigQuery ML functions, including AI.FORECAST, AI.DETECT_ANOMALIES, and AI.GENERATE. These functions let you perform advanced analytics tasks with simple conversational prompts. Chat with BigQuery results: You can now start conversations and chat with query results in BigQuery Studio (SQL editor). Enhanced support for partitioned tables: BigQuery conversational analytics can now use BigQuery table partitioning. The agent can optimize SQL queries by using partitioned columns such as date ranges on a date-partitioned table. This can improve query performance and reduce costs. Labels for agent-generated queries: BigQuery jobs initiated by the conversational analytics agent are now labeled in BigQuery Job History in the Google Cloud Console. You can identify, filter, and analyze the jobs run by the conversational analytics agent by referencing labels similar to {‘ca-bq-job’: ‘true’}. These labels can help with the following tasks: Monitor and attribute cost. Audit agent activity. Analyze agent-generated query performance. Suggest next questions (clickable): When working with BigQuery conversational analytics, the agent now suggests questions that are directly clickable in the Google Cloud console. This feature is available in Preview. Feature: You can now understand and debug BigQuery query performance with a visual mapping of your SQL query in the query execution graph. A heatmap highlights the steps that consume more slot-time. This feature is generally available (GA). Change: BigQuery advanced runtime is now enabled as the default runtime for all projects.

Contact Center AI Platform - details on the release page.

Cloud Trace - Change: You can send trace data to your Google Cloud project by using the Cloud Trace API or the Telemetry API. These two APIs are enabled individually. If you send trace data to the Telemetry API endpoint, then Google Cloud Observability requires that the Cloud Trace API be enabled on your Google Cloud project before it stores the trace data. If the Cloud Trace API is disabled, then Google Cloud Observability discards the trace data. To learn more, see APIs that ingest trace data.

Security Command Center - Announcement: In March 2026, Risk Engine will launch enhanced heuristics to more accurately identify default high-value resources. No action is required. As a result of this enhancement, customers using the default high-value resource set may observe changes in the exposure scores of their findings, resources, and issues. Customers using custom resource value configurations are not affected.

Looker - Feature: It is no longer necessary to manually configure OAuth credentials when creating a Looker (Google Cloud core) instance that uses only public secure connections and no custom domain. For these instances, Looker (Google Cloud core) now automatically manages OAuth client and secret information, simplifying the setup process. Manual OAuth configuration is still required for instances that use private connections, hybrid connections, or a custom domain. Feature: Beginning in Looker 26.4, customer-hosted Looker instances will use a new LookML parser with optimized performance. This parser is already in use for Looker-hosted instances. For customer-hosted instances on Looker 26.4, if you want to revert to the legacy parser, contact Looker Support for details on how to disable the new parser. The legacy parser will be fully deprecated in Looker 26.6. Feature: Looker (Google Cloud core) instances with public or hybrid connections now support IP allowlists, which enhance security by ensuring that only traffic from specified IP addresses can access your instance. To connect to certain Google Cloud services, like Conversational Analytics or Connected Sheets, you can select an option to automatically allowlist the necessary IP ranges for those services. You can configure an IP allowlist for an existing instance by editing it in the Google Cloud console. This feature will roll out to instances over the next week.

Cloud SQL MySQL - Feature: You can now execute SQL statements using the Cloud SQL Data API for administrative queries. Feature: You can now enable automatic server certificate rotation for your Cloud SQL instance. This feature is specifically designed for instances utilizing the Certificate Authority Service (CAS). Automatic server certificate rotation helps you maintain high security standards while removing the operational burden of manual rotation. For more information about enabling automatic server certificate rotation for your instance, see Enable automatic server certificate rotation.

Cloud SQL Postgres - Feature: You can now execute SQL statements using the Cloud SQL Data API for administrative queries. Feature: You can now enable automatic server certificate rotation for your Cloud SQL instance. This feature is specifically designed for instances utilizing the Certificate Authority Service (CAS). Automatic server certificate rotation helps you maintain high security standards while removing the operational burden of manual rotation. For more information about enabling automatic server certificate rotation for your instance, see Enable automatic server certificate rotation.

Cloud Storage Transfer - Change: The size limit for manifest files used in agent-based transfers has been removed. For more information, see Transfer specific files or objects using a manifest.

Cloud Storage - Feature: Rapid Bucket is now generally available. Rapid Bucket lets you store objects in the Rapid storage class by defining a zone as a bucket's location. This architecture optimizes data access and I/O performance between your storage and compute resources. Rapid Bucket is most suitable for data-intensive workloads like AI/ML and high-scale data analytics. For more information, see Rapid Bucket and Create zonal buckets. Change: Object uploads that use customer-managed encryption keys (CMEK) now fail if the Cloud Storage service agent lacks the necessary IAM role to decrypt the object. For steps to grant the required role, see Assign a Cloud KMS key to a service agent.

Chronicle - Feature: Set up and manage data processing pipelines This feature is currently in Preview. You can now use the Data Processing pipelines to filter, transform, and redact Google SecOps data before ingestion. This feature provides more control over ingested data, letting you reduce costs by filtering out unwanted events, transform data for better compatibility, and protect sensitive information by redacting or masking values before storage. You can configure data processing pipelines using the Bindplane console or the Google SecOps Data Pipeline APIs. For more information, see Set up and manage data processing pipelines. Announcement: Manage parser versions The Manage parser versions feature is in Public Preview for all customers.

Cloud Composer - Announcement: Cloud Composer 2 environments can no longer be created in Turin (europe-west12). We're switching this region to supporting only Cloud Composer 3 environments.

Compute Engine - Feature: When you autoscale a managed instance group (MIG), you can monitor the configured group size and the size recommended by the autoscaler on a chart. For more information, see Monitor group size. Issue: To address high-severity kernel vulnerabilities (including CVE-2025-21756 and CVE-2025-38052 ) in Rocky Linux 8 and 9, updates are available for the Compute Engine images maintained by CIQ. If your VM instances use images dated before September 2025 (version v20250912 ), you must take action to ensure you continue to receive security patches. How to determine if your Compute Engine VMs are affected You are affected if your VM instance uses a Rocky Linux image from an -optimized-gcp or -optimized-gcp-nvidia family with a version date older than v20250912 (for example, rocky-linux-9-optimized-gcp-v20250807). To check your VM's source image, see View VM instance image details. You can view details for these image families in Rocky Linux OS details. Action required If your image version is v20250912 or later: Your VM is already configured to use the newer SIG/Cloud Next (SCN) repositories and is receiving security updates. No action is required. If your image version is older than v20250912: Your VM is configured to use legacy SIG/Cloud repositories that no longer receive regular kernel updates and won't receive future security patches. While running sudo dnf update applies a one-time patch for the vulnerabilities listed, you must manually migrate the VM to the SCN repositories to receive ongoing updates by following the CIQ migration guide.

VPC Service Controls - Feature: General availability support for the following integration: Managed Lustre

GKE new features - Feature: Managed OpenTelemetry for GKE is available in Preview for clusters running version 1.34.1-gke.2178000 or later. Managed OpenTelemetry for GKE provides a fully managed and simplified experience for collecting OpenTelemetry Protocol (OTLP) traces, metrics, and logs on GKE. This feature includes the following characteristics: Managed collection: an in-cluster OTLP endpoint that automatically routes telemetry to the Cloud Telemetry API. Automatic configuration: a new Instrumentation custom resource that automatically injects environment variables into your workloads to simplify OTLP ingestion. For more information, see Managed OpenTelemetry for GKE. Feature: In GKE version 1.35 and later, all organization and cluster administrators can granularly control which privileged Autopilot partner workloads can run in GKE clusters. Additionally, approved customers can authorize and run their own privileged workloads in Autopilot mode by using custom allowlists. For more information, see About Autopilot privileged workloads.

Cloud Shell - Change: The Cloud Shell Editor is built with Code OSS for Cloud Shell 1.108.2

Workload Manager - Announcement: Generally available: The Workload Manager observability service for SAP workloads is now generally available and introduces the following enhancements: The main observability dashboard displays the Observability Pre-reqs field, which indicates the overall status of the observability prerequisites for your SAP workloads. For more information, see View system dashboard. Instead of waiting 48 hours, you can immediately remove your SAP workload from the Workload Manager Observability page of the Google Cloud console by using the projects.locations.insights.delete API method. For more information, see Remove workloads from the observability dashboard. For more information about the observability service, see SAP observability overview.

Cloud Spanner - Feature: Spanner supports the optimistic concurrency control mode. Optimistic concurrency control is suitable for transactional workloads with low read-write contention. It assumes that conflicts in transactions are rare. Reads and queries within a read-write transaction proceed without acquiring locks. For more information, see Concurrency control.

Apigee API Hub - Feature: Security monitoring condition support in Advanced API Security for multi-gateway projects Advanced API Security's multi-gateway Risk Assessment feature (available through API hub) now includes support for security monitoring conditions and alerts. Security monitoring conditions allow you to map resources (gateways) to security profiles. Cloud Monitoring can then use this mapping to create dedicated dashboards to track security scores over time and alert based on metric levels. For information on monitoring conditions features and usage see Manage monitoring conditions for multiple Apigee organizations and gateways. Note: Rollouts of this release to production instances might take up to 5 business days to complete across all Google Cloud zones. Your instances might not have the feature available until the rollout is complete. Feature: Support for Apigee Edge Private Cloud (OPDK) in Advanced API Security for multi-gateway projects API hub Advanced API Security for multi-gateway now includes support for the OPDK gateway type for risk assessment security profiles. For information on risk assessment custom security profiles and gateway specification, see Create a security profile. Note: Rollouts of this release to production instances might take up to 5 business days to complete across all Google Cloud zones. Your instances might not have the feature available until the rollout is complete.

Apigee Advanced API Security - Announcement: On March 10, 2026 we released an updated version of Advanced API Security Abuse Detection Feature: General availability of monitoring conditions in risk assessment v2 Starting with this release, the risk assessment v2 monitoring conditions feature is generally available. For information on monitoring conditions features and usage see monitoring conditions and alerts. For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

Chronicle Security Operations - Feature: Set up and manage data processing pipelines This feature is currently in Preview. You can now use the Data Processing pipelines to filter, transform, and redact Google SecOps data before ingestion. This feature provides more control over ingested data, letting you reduce costs by filtering out unwanted events, transform data for better compatibility, and protect sensitive information by redacting or masking values before storage. You can configure data processing pipelines using the Bindplane console or the Google SecOps Data Pipeline APIs. For more information, see Set up and manage data processing pipelines. Announcement: Manage parser versions The Manage parser versions feature is in Public Preview for all customers.

Service Mesh - details on the release page

Apigee Hybrid - details on the release page

Sensitive Data Protection - Feature: The CRIME_STATUS infoType detector is available in Preview. For more information about all infoTypes, see InfoType detector reference.

Dataproc - Announcement: Dataproc on Compute Engine: The following subminor image versions announced on March 08, 2026 have been rolled back: 2.1.110-debian11, 2.1.110-rocky8, 2.1.110-ubuntu20, 2.1.110-ubuntu20-arm 2.2.78-debian12, 2.2.78-rocky9, 2.2.78-ubuntu22, 2.2.78-ubuntu22-arm 2.3.25-debian12, 2.3.25-ml-ubuntu22, 2.3.25-rocky9, 2.3.25-ubuntu22, 2.3.25-ubuntu22-arm

Dataproc Serverless - Announcement: New Serverless for Apache Spark runtime versions: 1.2.75 2.2.75 2.3.28 3.0.11

Cloud Run - Feature: Support for Go 1.26 runtime is in General Availability. Feature: Configuring Identity-Aware Proxy (IAP) directly on Cloud Run to secure your services without the need for load balancers is in General Availability (GA).

Cloud Functions - Feature: Support for Go 1.26 runtime is in General Availability.

AppEngine Standard Go - Feature: Support for Go 1.26 runtime is in General Availability.

Cloud Logging - Issue: The automatic backfill operation performed on a log bucket that has been upgraded to use Log Analytics has been temporarily paused. To manually initiate the backfill operation, contact Cloud Customer Care.

Backup and DR Service - Feature: Announcing the release of the Backup and DR local MCP server. With this you can use natural language prompts to manage Backup and DR jobs.

Dataproc Metastore - Deprecated: The Hive Metastore versions 1.2.2 and 2.2.0 are deprecated. You can no longer create services with these versions. Existing services will continue to function.

Cloud PubSub - Feature: You can now use the Pub/Sub remote MCP server to manage Pub/Sub resources. You can create, list, get, update, and delete Pub/Sub topics, subscriptions, and snapshots, as well as publish messages to topics. This feature is in Preview.

Gemini - Announcement: Gemini 3.1 Pro and 3.0 Flash are available (Preview) Gemini 3.1 Pro and Gemini 3.0 Flash are now available to Gemini Code Assist users in VS Code and IntelliJ, in Preview. You can use these models for agent mode, chat, and code generation.

Buildpacks - Feature: The Node.js buildpack supports the Bun package manager in Preview. For more information, see Building a Node.js application.

Cloud SQL SQL Server - Feature: You can now enable automatic server certificate rotation for your Cloud SQL instance. This feature is specifically designed for instances utilizing the Certificate Authority Service (CAS). Automatic server certificate rotation helps you maintain high security standards while removing the operational burden of manual rotation. For more information about enabling automatic server certificate rotation for your instance, see Enable automatic server certificate rotation.

Apigee UI - Feature: Manage environment-scoped Key Value Maps in the Apigee UI You can now view, add, edit, and delete environment-scoped Key Value Map (KVM) entries in the Apigee UI. For more information, see Using key value maps. Announcement: On March 13, 2026, we released an updated version of the Apigee UI.

Document AI - Feature: Custom splitter model pretrained-splitter-v1.5-2025-07-14 is available in General Availability (GA).