News
Cloud SQL Databases Official Blog | Streamline read scalability with Cloud SQL autoscaling read pools - Cloud SQL read pools with autoscaling are now generally available, making it easier to scale reads in and out in response to real-time application needs.
Cloud Memorystore Databases Official Blog | Next-gen caching with Memorystore for Valkey 9.0, now GA - Build faster, low-latency apps. Discover how Memorystore for Valkey 9.0 delivers up to 40% higher throughput and powerful new developer commands.
AI Google Kubernetes Engine Networking Official Blog | Introducing multi-cluster GKE Inference Gateway: Scale AI workloads around the world - Multi-cluster GKE Inference Gateway scales AI/ML inference across multiple Google Cloud regions.
Official Blog Partners | Google Cloud and NVIDIA expand AI innovation across industries at GTC 2026 - At NVIDIA GTC 2026, we showcased co-engineered AI infrastructure that technology leaders need to scale their agentic AI workloads.
BigQuery Data Analytics Gemini Official Blog | BigQuery Studio is more useful than ever, with enhanced Gemini assistant - BigQuery Studio’s latest Gemini-powered assistant goes from being a code assistant into a fully context-aware analytics partner.
Colab MCP | Announcing the Colab MCP Server: Connect Any AI Agent to Google Colab - Google Colab has released the open-source Colab MCP (Model Context Protocol) Server, allowing any AI agent to programmatically access and control its notebooks. This innovation transforms Colab into a fast, secure cloud sandbox where agents can automate the entire development lifecycle, from structuring cells to managing dependencies.
Articles, Tutorials
Infrastructure, Networking, Security, Kubernetes
Official Blog Threat Intelligence | The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors - DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.
Official Blog Threat Intelligence | Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape - An overview of the ransomware landscape and common TTPs directly observed in 2025 ransomware incidents.
Infrastructure | Your GCP load balancer has been lying about capacity and IN_FLIGHT mode fixes that - Google Cloud's traditional load balancing mode, RATE, often misrepresents backend capacity for long-lived connections by only counting initial requests, leading to inefficient traffic distribution. The new IN_FLIGHT balancing mode, combined with a LONG traffic duration setting, fixes this by tracking concurrent, in-progress requests.
DevOps Kubernetes SRE | Scaling SRE Systems with GCP + Kubernetes: Lessons from Running at 10x Traffic
Cloud Armor | Using Cloud Armor with an External CDN: Identifying the Real Client IP - When an external CDN precedes Google Cloud Load Balancing, Cloud Armor typically sees the CDN's IP address instead of the original client's. This article explains how to configure Cloud Armor to correctly identify the real client IP from headers like X-Forwarded-For, enabling accurate logging, security rule evaluation, and rate limiting.
DevOps Networking Terraform VPC | Connecting to Google Managed Services: VPC Peering, PSA, and PSC Explained - A practical guide to private connectivity in Google Cloud — when to use what, and why it matters.
Google Kubernetes Engine Kubernetes | GKE Native Support for Custom Metrics: Smarter Autoscaling Beyond CPU and Memory - Google Kubernetes Engine (GKE) now natively supports custom metrics, enabling smarter autoscaling decisions beyond traditional CPU and memory usage. This eliminates the need for complex external adapters, simplifying how applications expose crucial metrics like queue depth or request rate to the autoscaler.
App Development, Serverless, Databases, DevOps
Database Migration Service | Passwordless Migrations: How to Enable IAM Authentication for Google DMS Destinations - This article details a streamlined, more secure method for heterogeneous database migrations by enabling passwordless IAM authentication for Google Database Migration Service (DMS) destinations. It explains how to configure destinations like AlloyDB and Cloud SQL for PostgreSQL to use the DMS service account, eliminating the need for static credentials.
Databases MCP | Data Agents using MCP Toolbox Java SDK on Cloud Run - This article details how the Model Context Protocol (MCP) Toolbox Java SDK allows developers to build AI data agents that can query databases using natural language.
Cloud Run Serverless | This is Cloud Run: Nine Ways to Deploy (and When to Use Each) - This article comprehensively details nine different methods for deploying applications to Google Cloud Run, outlining the best use cases for each, from quick prototyping to robust production pipelines.
AI Cloud Run NodeJS Vertex AI | How Cloud Run’s Default CPU Throttling Turned an 18-Second Response Into an 8-Minute Timeout - A deep dive into a subtle Cloud Run behavior that silently broke our async AI pipeline — and the single flag that fixed everything.
Big Data, Analytics, ML&AI
BigQuery | How I Reduced BigQuery Pipeline Failures from 20 per Day to Zero Using Exponential Retries 🚀 - Anyone who has managed cloud data pipelines knows this universal truth:.
BigQuery dbt | Data Modeling: Best Practices with BigQuery and dbt - An opinionated guide to Data Modeling.
BigQuery Data Science | Why Your BigQuery Queries Just Got Faster - Understanding the rollout of BigQuery’s advanced runtime.
BigQuery | BigQuery Added Pipe Syntax. Most Teams Haven’t Switched Yet. Here’s Why They Should. - BigQuery introduced a new pipe syntax in 2024 to address the mental overhead and debugging challenges of traditional SQL, offering a more intuitive, sequential approach to data transformation. While it significantly improves debugging by allowing incremental query execution, widespread adoption is hindered by a lack of compatible tooling. Specialized editors are crucial for teams to fully leverage this syntax for cleaner, faster-to-debug queries.
Big Data BigQuery Paywall | Spark on GCP is Overkill — Use BigQuery Instead - When BigQuery beats Spark — and when it doesn’t.
Dataplex | Dataplex: The Boring Tool Your Data Team Needs to Survive 🔍 - Google Cloud Dataplex serves as a unified data governance platform, bringing order to distributed data by centralizing management, automating quality validation, and enabling intelligent discovery. It helps teams understand data provenance through lineage, align on terminology with business glossaries, and ensure data quality with automated checks and AI-driven insights. This article demonstrates how to practically implement key Dataplex features for robust data governance.
ADK Agents Cloud Run Official Blog | Build a Multi-Agent System for Expert Content with Google ADK, MCP and Cloud Run - Part 1 - Build "Dev Signal," a multi-agent system using Google ADK, MCP, and Cloud Run. Part 1 covers setting up tools like Reddit discovery, Google Cloud grounding, and a custom image generator.
Agents Official Blog | Building Distributed AI Agents - Elevate your AI integration with the orchestrator pattern. Learn how to build scalable, specialized AI microservices that seamlessly plug into your existing React or Node.js applications, moving beyond monolithic agents for reliable production performance.
Agents AI | Why 'Brownfield' Deployments Break Agent Architectures — Lessons from Google
Agents AI | Developer’s Guide to AI Agent Protocols - This blog post introduces a suite of six protocols, such as MCP and A2A, designed to eliminate custom integration code by standardizing how AI agents access data and communicate.
ADK BigQuery Cloud Run | End-to-End AI Agent on GCP: ADK, BigQuery MCP, Agent Engine, and Cloud Run - This article demonstrates building an end-to-end AI agent on Google Cloud, showcasing a football statistics assistant using Google's Agent Development Kit (ADK). It details connecting to BigQuery via Cloud API Registry for data and explores deployment options like Cloud Run or Vertex AI Agent Engine, complete with robust CI/CD.
Generative AI Machine Learning | Building a RAG Pipeline with Gemini 2.5 - Why Your AI Gives Wrong Answers — And How RAG Fixes It.
Gemini LLM | Video Understanding with Gemini: Notes From the Field - This article outlines architectural strategies for effective video understanding using Google's Gemini models, emphasizing that teaching AI to interpret video is a complex engineering challenge. It proposes a multi-stage agentic workflow, including initial triage and deep analysis, while leveraging audio-first contextualization to enhance accuracy and mitigate hallucination.
Gemini Gemini CLI | Your Gemini CLI Extensions Just Got Smarter: Introducing Agent Skills - Discover how our new Cloud SQL for PostgreSQL skills save tokens and boost performance.
Slides, Videos, Audio
Security Podcast - #267 AI SOC or AI in a SOC? Cutting Through Hype, Pricing Models, and SIEM Detection Efficacy with Raffy Marty.
Releases
Chronicle SOAR - Announcement: Phase 2 of the SOAR migration to Google Cloud has been extended from June 30th to September 30th, 2026. Announcement: Stage 2 of the SOAR migration to Google Cloud has been extended from June 30th to September 30th, 2026. Announcement: SOAR Permission Groups migration to Google Cloud IAM is now in General Availability (GA). You can now leverage Google Cloud IAM for precise, granular feature access, moving away from legacy permission groups. You can enable it by migrating the legacy SOAR permission groups and permissions to Google Cloud IAM through a self-service migration available from January 26, 2026. Please check the documentation and video for full instructions. This update is available to all customers who have completed Stage 1 of the SOAR migration to Google Cloud.
Contact Center AI Platform - Detailed description on the release page.
VPC Service Controls - Feature: VPC Service Controls feature (Status: Preview): VPC Service Controls supports the following identities in ingress and egress rules to allow access to resources protected by a service perimeter: agent identities; SPIFFE formats for third-party workforce and workload identities. This feature is available in Preview. For more information, see Supported identities for ingress and egress rules. Feature: General availability support for the following integration: CX Agent Studio.
Chronicle Security Operations - Announcement: Stage 2 of the SOAR migration to Google Cloud has been extended from June 30th to September 30th, 2026. Announcement: Phase 2 of the SOAR migration to Google Cloud has been extended from June 30th to September 30th, 2026. Announcement: Unified Feature Role-based Access Control (RBAC) is now in General Availability (GA). This enables administrators to manage feature access control for Google SecOps including SOAR by leveraging Google Cloud IAM instead of managing it separately for SIEM and SOAR. You can enable it by migrating the legacy SOAR permission groups and permissions to Google Cloud IAM through a self-service migration available from January 26, 2026. Please check the documentation and video for full instructions. This update is available to all customers who have completed Stage 1 of the SOAR migration to Google Cloud. Feature: Bindplane features for Google SecOps general availability The following Bindplane features that relate to Google SecOps are now in General Availability (GA): Single sign-on with custom claims role mapping: gives a production-ready way to manage Bindplane access through your identity provider. For more information, see Single Sign-On (Cloud). SecOps parser validator: validates that your logs will be parsed correctly by Google SecOps directly from the snapshot view. Get immediate feedback on parsed events or validation errors without waiting for data to appear in Google SecOps. For more information, see Validate SecOps Parser. Forwarder migration tool: provides production-ready paths to migrate existing forwarder configurations into Bindplane-managed pipelines. For more information, see Migrate Configurations. Feature: Agentic Automation This feature is in Public Preview. You can now use Agentic Automation to embed AI Agents directly into your workflows. 
This feature lets you integrate AI-driven capabilities into your existing playbooks while staying in charge of critical actions by combining agents with deterministic automation steps. For more information, see Agentic Automation. Feature: View Triage and Investigation Agent (TIN) results in the Case Summary This feature is currently in Preview and is part of a gradual rollout. You can now view TIN results and verdict summaries directly within the Case Summary view. This integration provides real-time progress updates and automated verdicts for true or false positives without leaving the case. For more information, see Use Triage and Investigation Agent (TIN) to investigate alerts.
Vertex AI - Deprecated: Vertex Explainable AI is deprecated. For details, see Vertex AI deprecations.
Security Command Center - Change: The names of Event Threat Detection rules pertaining to AI control plane have changed. The Cloud Run Threat Detection rule Privilege Escalation: Fileless Execution in /dev/shm has been shut down.
Cloud Build - Feature: Cloud Build now supports uploading OCI images to Artifact Registry during a build process. OCI artifacts for a build are shown in the following locations: the Artifacts column of Build history page; the Execution details tab of the Build details page; the Build artifacts tab of the Build details page. For more information, see Store an OCI image in Artifact Registry after your build completes and the Cloud Build configuration file schema definition for oci.
BigQuery - Feature: BigQuery now lets you configure a global default location. This setting is used if the location isn't set or can't be inferred from the request. You can set the default location at the organization or project level. This feature is generally available (GA). Feature: In BigQuery ML, you can now automatically deploy open models to Vertex AI endpoints. Automatically deployed models offer the following benefits: automatic Vertex AI resource management; reserve open model resources by using Compute Engine reservations; automatic or immediate open model undeployment to save costs. This feature is generally available (GA). Feature: You can now use a custom organization policy to allow or deny specific operations on routines. This feature is in preview.
AlloyDB - Feature: AlloyDB enhanced backups are generally available (GA). You can now select the Enhanced tier during cluster creation, manage your project-level backups with tiered tabs, and delete an enhanced backup. For more information, see Manage enhanced backups. Feature: AlloyDB now supports the 2 vCPU C4A machine type (c4a-highmem-2-lssd), which is powered by Google Axion, Google's custom Arm-based processor. This expansion provides a smaller entry point and more flexibility for scaling your production workloads using Axion-based instances. For more information, see Choose an AlloyDB machine type.
Looker - Detailed description on the release page.
Cloud Composer - Change: New Airflow builds are available in Cloud Composer 3: composer-3-airflow-3.1.7-build.1, composer-3-airflow-2.10.5-build.30 (default), composer-3-airflow-2.9.3-build.50. Announcement: A new Cloud Composer release has started on March 17, 2026. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet. Change: (Airflow 3.1.7) Starting from version composer-3-airflow-3.1.7-build.1, Airflow workers no longer have direct access to the Airflow database of your environment. This change follows the architectural and security improvements introduced in the community version of Airflow 3.0. For more information about an alternative way to export and access the data stored in the Airflow database, see Access the Airflow database. This change is gradually rolled out to all regions supported by Cloud Composer 3. Change: (Airflow 3.1.7 in Cloud Composer 3) The apache-airflow-providers-google package was upgraded to version 20.0.0. For more information about changes, see the apache-airflow-providers-google changelog. Change: (Airflow 3.1.7 in Cloud Composer 3) The apache-airflow-providers-cncf-kubernetes package was upgraded to version 10.13.0. For changes in other packages, see the preinstalled packages changelog. Change: New images are available in Cloud Composer 2: composer-2.16.7-airflow-2.10.5 (default), composer-2.16.7-airflow-2.9.3. Deprecated: The following Cloud Composer versions and builds have reached their end of support period: composer-3-airflow-2.9.3-build.18, composer-3-airflow-2.9.3-build.17, composer-2.11.5-*, and composer-2.11.4-*.
Backup and DR Service - Feature: Announcing the general availability (GA) of multi-region backup vaults for Cloud SQL instances. This release extends our robust data protection capabilities, allowing you to store your Cloud SQL instance backups in backup vaults in multi-region storage locations.
Cloud Run - Feature: Support for Ruby 4.0 runtime is in General Availability.
Cloud SQL Postgres - Feature: You can now cancel an in-place major version upgrade operation during the main upgrade phase, when the upgrade is actually being performed. For more information, see Cancel the major version upgrade.
Dataproc - Announcement: New Dataproc on Compute Engine subminor image versions: 2.1.111-debian11, 2.1.111-rocky8, 2.1.111-ubuntu20, 2.1.111-ubuntu20-arm; 2.2.79-debian12, 2.2.79-rocky9, 2.2.79-ubuntu22, 2.2.79-ubuntu22-arm; 2.3.26-debian12, 2.3.26-ml-ubuntu22, 2.3.26-rocky9, 2.3.26-ubuntu22, 2.3.26-ubuntu22-arm. Fixed: Fixed CVEs CVE-2025-58057, CVE-2025-53864, CVE-2025-68161, CVE-2025-48924, and CVE-2025-33042. Upgraded Dataproc Metastore Proxy to v0.0.78 to fix CVEs. Default JDK is set to Temurin JDK - 11.0.30 in all 2.1, 2.2 and 2.3 images.
AppEngine Standard Ruby - Feature: Support for Ruby 4.0 runtime is in General Availability.
Cloud Functions - Feature: Support for Ruby 4.0 runtime is in General Availability.
Memorystore for Redis Cluster - Feature: The simulate maintenance event feature for Memorystore for Redis Cluster is Generally Available. Feature: You can deploy clusters in the asia-southeast3 (Bangkok) region. Feature: You can use the Google Cloud console to find and set maintenance windows and perform self-service maintenance on clusters. This feature is Generally Available.
Apigee Advanced API Security - Announcement: On March 17, 2026 we released an updated version of Advanced API Security abuse detection. Feature: VPC-SC support in abuse detection. This release includes full support in Advanced API Security abuse detection for VPC-SC customers. This includes support for VPC-SC with the Advanced Anomaly Detection ML model used for abuse detection, as well as detection exclusion lists. For usage information, see Abuse detection in the documentation.
Data Fusion - Fixed: Cloud Data Fusion version 6.11.1.2 is generally available (GA). This release includes the following changes: Fixed the triggers panel in the pipeline details page to display the correct triggers count on initial load (CDAP-21230). Updated the GraphQL query mechanism to cache the pipelines list and fix the long loading screen in the deployed pipelines list page (CDAP-21229).
Database Migration Service - Announcement: Database Migration Service for heterogeneous SQL Server migrations now supports failback migration jobs in Preview. Failback migrations let you push CDC updates back to the original SQL Server source from the destination PostgreSQL database after you complete the standard migration. This feature keeps your original source database alive and up to date in case you need to switch your application back to the source SQL Server database. For more information, see the page relevant for your migration scenario: Failback migration guide for SQL Server to Cloud SQL for PostgreSQL; Failback migration guide for SQL Server to AlloyDB for PostgreSQL.
Dataproc Serverless - Fixed: Fixed CVEs CVE-2025-58057, CVE-2025-53864, CVE-2025-68161, CVE-2025-48924, and CVE-2025-33042.
Virtual Private Cloud - Feature: You can update a service attachment's target service without recreating the service attachment. Consumer connections are preserved during the update, but traffic is briefly disrupted. This feature is available in General Availability. For more information, including a list of supported configurations, see Service mutability.
Cloud Memorystore - Feature: You can deploy instances in the asia-southeast3 (Bangkok) region.
Memorystore for Memcached - Feature: You can deploy instances in the asia-southeast3 (Bangkok) region.
GKE - Change: (2026-R11) Version updates Note: Your clusters might not have these versions available. Rollouts are already in progress when we publish the release notes, and can take multiple days to complete across all Google Cloud zones. Version 1.34.4-gke.1130000 is now the default version for cluster creation. The following versions are now available: 1.32.13-gke.1090000 1.33.9-gke.1117000 1.34.5-gke.1153000 1.35.1-gke.1396002 1.35.2-gke.1269001 1.35.2-gke.1485000 The following node versions are now available: 1.30.14-gke.2215000 1.31.14-gke.1599000 1.32.13-gke.1090000 1.33.9-gke.1117000 1.34.5-gke.1153000 1.35.1-gke.1396002 1.35.2-gke.1269001 1.35.2-gke.1485000 The following versions are no longer available: 1.32.11-gke.1211000 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. 1.33.5-gke.2326000 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. 1.34.3-gke.1318000 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. 1.35.0-gke.2745005 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. 1.35.0-gke.3047001 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. 1.35.0-gke.3047002 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. 1.35.2-gke.1269000 is deprecated. This version will be removed in 90 days, or at the end of support, if sooner. Clusters in this channel running the listed minor version have new general auto-upgrade targets. 
GKE can upgrade control planes and nodes to the following new versions with this release: GKE upgrades clusters to the following new minor versions if there are no factors, such as maintenance exclusions or deprecated APIs, preventing upgrades: 1.31 to 1.32.12-gke.1076000 1.32 to 1.33.5-gke.2469000 GKE upgrades clusters to the following new patch versions if no minor version upgrade is available, or if the cluster has maintenance exclusions or other factors preventing minor version upgrades: 1.32 to 1.32.12-gke.1076000 1.33 to 1.33.5-gke.2469000 1.34 to 1.34.4-gke.1130000 1.35 to 1.35.1-gke.1396002
Chronicle - Feature: Bindplane features for Google SecOps general availability The following Bindplane features that relate to Google SecOps are now in General Availability (GA): Single sign-on with custom claims role mapping: gives a production-ready way to manage Bindplane access through your identity provider. For more information, see Single Sign-On (Cloud). SecOps parser validator: validates that your logs will be parsed correctly by Google SecOps directly from the snapshot view. Get immediate feedback on parsed events or validation errors without waiting for data to appear in Google SecOps. For more information, see Validate SecOps Parser. Forwarder migration tool: provides production-ready paths to migrate existing forwarder configurations into Bindplane-managed pipelines. For more information, see Migrate Configurations.
Compute Engine - Breaking: Changed: The following operations on the boot disk of a Compute Engine instance that has a service account attached require the iam.serviceAccounts.actAs permission on the service account. In the following list, the boot disk of such an instance is referred to as the source disk: creating a standard or archive snapshot of the source disk, including application consistent snapshots; cloning the source disk; creating a machine image of the instance; creating a custom image of the source disk; starting asynchronous replication of the source disk to another region; creating a new disk when you create an instance, if the new disk is created from an instant snapshot of the source disk. If you already have the Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) role and the Service Account User (v1) (roles/iam.serviceAccountUser) role on the project, no action is required. Otherwise, ask your administrator to grant you the iam.serviceAccounts.actAs permission on the service account. For instructions, see Manage access to other resources.
Cloud Trace - Feature: Google Cloud Observability has expanded the supported locations for observability buckets, which store your trace data, to include the following: africa-south1 asia-east1 asia-east2 asia-northeast2 asia-northeast3 asia-south1 asia-south2 asia-southeast2 asia-southeast3 australia-southeast2 europe-north2 europe-west1 europe-west4 europe-west6 europe-west8 me-central1 northamerica-northeast2 northamerica-south1 southamerica-west1 us-east5 us-south1 us-west2 us-west3 For a list of supported locations, see Locations for observability buckets. Feature: You can create alerting policies that monitor the results of your SQL queries. For more information, see Monitor your SQL query results with an alerting policy. This feature is in public preview.
Cloud Spanner - Feature: Spanner now offers AI functions, as a part of machine learning functions, that help you perform semantic operations using Large Language Models (LLMs) in SQL to classify, evaluate, and rank your data: AI.CLASSIFY: Classify a natural language input into user-defined categories. AI.IF: Evaluate a condition described in natural language. AI.SCORE: Rate natural language input and assign it a score.