Welcome to issue #505 June 1st, 2026
News
[Official Blog] Developer's guide to Gemini Enterprise and A2UI integration - Learn how to use A2UI, an open protocol for agent-driven user interfaces, and integrate an A2UI-enabled agent with Gemini Enterprise so your agent renders rich and interactive UI natively in the GE chat surface.
[Official Blog Security Threat Intelligence] Introducing Google AI Threat Defense to help you outpace the adversary - AI Threat Defense is a comprehensive AI-powered cybersecurity solution, an always-on security platform to outpace AI-driven attacks.
[LLM Official Blog] Nano Banana 2 and Nano Banana Pro are generally available, and already powering creative workflows - Nano Banana 2 and Nano Banana Pro are generally available today via Gemini Enterprise Agent Platform. These models empower you to integrate high-quality image generation and editing capabilities directly into your applications and workflows.
[Official Blog Partners Startups] Announcing the newest cohort of the Google for Startups Accelerator: Middle East, North Africa & Turkey - Some 15 companies join the newest cohort of the Google for Startups Accelerator: Middle East, North Africa & Turkey.
[Chrome Enterprise Official Blog] New study: Securing AI in the browser is a top priority for IT Leaders - A new Omdia report, commissioned by Google, finds that 92% of organizations allow employees to use GenAI applications, which will likely make the browser more of a security priority.
Articles, Tutorials
Infrastructure, Networking, Security, Kubernetes
[CISO Official Blog] Cloud CISO Perspectives: How to build an AI-ready security program for the public sector - From industrial control systems to decades-old municipal databases, here’s our CISO guidance to prep AI-ready security programs for the public sector.
[AI Hypercomputer Infrastructure Networking Official Blog] How we evolved Google’s global and data center networks for the AI era - Google’s data center and global networks can distribute AI workloads across campuses, to create a massive-scale, pooled hypercomputing resource.
[Official Blog Threat Intelligence] 2 PhaaS 2 Furious: The Evolution of Chinese-Language Phishing Services - We highlight rapid growth and key shifts in the Chinese-language phishing-as-a-service (PhaaS) ecosystem.
[Official Blog Threat Intelligence] Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability - A critical zero-day vulnerability (CVE-2026-5426) was exploited in the KnowledgeDeliver Learning Management System (LMS), enabling unauthenticated Remote Code Execution. This flaw stemmed from identical pre-shared ASP.NET machine keys, allowing threat actors to leverage ViewState deserialization to inject malicious code and infect users with Cobalt Strike. The article details the attack chain, offering crucial hunting tips and remediation steps like immediately rotating machine keys.
[AI Google Kubernetes Engine GPU Kubernetes] Part II: Use GKE managed DRANET with TPUs and autopilot cluster - This article details how to leverage Google Kubernetes Engine (GKE) managed DRANET with TPUs and an Autopilot cluster. It guides users through deploying AI workloads, specifically the Gemma 4 model using vLLM, by configuring custom ComputeClasses and ResourceClaimTemplates for efficient resource allocation.
[Kubernetes LLM Paywall TPU] Autoscaling vLLM on GKE with TPU Nodes: Autopilot vs Standard Mode Compared - A practical ops-focused guide for deploying and scaling LLM inference on Google Kubernetes Engine with TPU node pools.
[AI Security] Breaking and Securing AI: an introduction - This article provides an introduction to the security threats facing AI systems, detailing how vulnerabilities in machine learning models and AI agents can be exploited. It outlines various attack vectors such as model exfiltration, data poisoning, and agent manipulation, transforming AI into an insider threat. The piece then presents Google Cloud's comprehensive defense strategies, including secure storage, artifact registries, data lineage, anomaly detection, and an Agent Gateway designed to inspect and secure AI interactions in real-time.
[LLM Model Armor] Model Armor: How to Actually Secure LLMs in Production (Without Killing Innovation) - Google Cloud Model Armor provides an essential security layer for Large Language Models in production, addressing critical risks such as prompt injection, data leakage, and harmful outputs. Acting as an inline proxy, it screens both user inputs and model responses to enforce security policies, redact sensitive information, and log activities for compliance.
[DevOps Paywall] 99% of Google Cloud Arcade Users Make These Mistakes! - Most people don’t fail Google Cloud Arcade because the labs are hard. They fail because they play the game completely wrong.
App Development, Serverless, Databases, DevOps
[AlloyDB Databases Official Blog] AlloyDB Hot Standby: Faster failovers, consistent performance - Boost AlloyDB resilience with Hot Standby. Get faster failovers, reduced downtime, and stable performance after recovery, all at no additional cost.
[DevOps Official Blog SRE] AI in SRE: Where and how Google is deploying agentic AI to improve operations - With SRE AI, Google plans to fully adopt AI and agentic technologies, leveraging AI as a force multiplier while also maintaining control.
[Monitoring Official Blog] Go from resource-level to business-level maintenance in Google Cloud - You shouldn’t have to think like an infrastructure manager when you’re trying to solve a business problem. That’s why we are excited to announce the launch of App-centric maintenance visibility within Unified Maintenance.
[AI Cloud Run Official Blog] A Guide to AI Cold Starts on Cloud Run - Learn how to optimize AI cold starts on Cloud Run using GPU best practices, image streaming, and Elastic's proven architecture for serverless models.
[Cloud Run] Automate Server-Side Google Tag Manager Updates on Cloud Run - This article provides methods for automating server-side Google Tag Manager updates on Cloud Run, addressing the need to manually refresh static container images for new stable versions. It details both a semi-automated solution, which uses email alerts with an approval button for deployment, and a fully automated weekly job that seamlessly updates to the latest version with zero downtime, leveraging Google Cloud services like Cloud Functions and Cloud Scheduler.
[Cloud Spanner] My Experiments with Distributed Systems: Google Cloud Spanner - Spanner gives you a familiar interface, but it still demands deliberate design choices.
[Cloud Spanner] Introducing Repeatable Read Isolation in Spanner: New Flexibility to Tune Performance - Google Cloud Spanner has introduced Repeatable Read isolation, offering developers enhanced flexibility to tune performance with lower latency and fewer transaction aborts. This new isolation level is particularly beneficial for latency-sensitive workloads with low write contention, complementing Spanner's default Serializable isolation. While it can significantly improve throughput, users should carefully consider potential anomalies like write-skew in certain scenarios.
[API Firebase Gemini Security] How to Secure Gemini API Keys in Google Cloud & Firebase - This article provides a guide on securing Gemini API keys in Google Cloud and Firebase to prevent malicious use and unexpected billing surges. It details a robust approach that involves using a backend proxy with Firebase Hosting and Cloud Functions to securely retrieve keys from Google Cloud Secret Manager, isolating them in a dedicated 'vault' project. The solution also emphasizes enabling Firebase App Check to protect backend functions from unauthorized access and spam.
Big Data, Analytics, ML&AI
[BigQuery Data Analytics Official Blog] From petabytes to predictions: Easy BigQuery insights in Google Sheets - Learn how to use Connected Sheets to analyze governed BigQuery data warehouse from a familiar Google Sheets interface.
[Cloud Dataflow Data Analytics Official Blog Streaming] Evolving Dataflow to process massive datasets for machine learning - Dataflow users can benefit from Flume features like pipelines, vertical scaling, right fitting, dynamic sharding, and straggler detection.
[A2A BigQuery] A2A ecosystem: BigQuery Data Engineering Agent - This article explores the evolving AI architecture, shifting from custom-built agents to orchestrating specialized, remote AI agents via the Agent-to-Agent (A2A) protocol. It highlights the BigQuery Data Engineering Agent as a key example, demonstrating how it automates data pipeline creation and maintenance using natural language and A2A integration to reduce development and maintenance overhead. This approach enables composing multi-agent systems and enforcing standards through A2A extensions.
[GCP Experience Official Blog Public Sector] How the University of Central Oklahoma is using AI to streamline analysis of complex criminal cases - Discover how the University of Central Oklahoma uses Google's NotebookLM to accelerate forensic case analysis and help transform criminal justice.
[Data Analytics GCP Experience] From Fragile URL Parsing to Basket Intelligence: Building a Real-Time View of Romanian E-commerce - This article details how a company iteratively built a real-time product intelligence system to gain a comprehensive view of e-commerce. They transitioned from fragile keyword matching and over-engineered NLP attempts to a robust, log-parsing architecture that extracts detailed basket information directly from transaction logs.
[AI BigQuery] From Unstructured Data to Conversational Analytics & Forecast! - This article addresses how to build reliable AI agent systems by tackling common failures stemming from poor data architectures rather than the large language model itself. It introduces Google Cloud's Agentic Data Cloud as a comprehensive solution, enabling agent orchestration as a core part of the data platform.
[AI Gemma LLM] How the community trained Gemma to "Think" with Tunix and TPUs - The Google Tunix Hackathon on Kaggle challenged developers to transform small, non-reasoning base models into general reasoning engines using Kaggle TPUs and a limited compute budget. The winning teams achieved this by implementing multi-stage post-training pipelines that combined Supervised Fine-Tuning (SFT) with advanced alignment techniques like GRPO and SimPO.
[AI MCP] Supercharge your integration workflow with the Google Pay & Wallet Developer MCP server - Google has announced the new Google Pay Wallet Developer MCP server, an open-standard tool designed to securely connect AI development assistants and IDEs with real-time API and account context. The server allows developers to remain within their development environment to search official documentation, validate Wallet pass definitions, check integration status, and manage merchant accounts.
[Agents MCP] Securing AI agents with MCP Authorization - Toolbox’s new MCP auth enables zero-trust security for AI agents by gating database tools behind standard OAuth2 providers.
[Agents Looker Security] Seamless AI-to-Data Integration: Using MCP Toolbox and PRM for Looker OAuth - Securely connect AI agents to Looker data using MCP Toolbox and OAuth PRM for standardized, per-user authentication.
[Agents LLM] Agents Are Now Files - Google’s new Managed Agents API isn’t the interesting part. The fact that you define an agent in two markdown files is.
[ADK Cloud Run] How to Securely Connect ADK Agents to Models on Cloud Run - Securely connect ADK agents to LLMs on Cloud Run. Learn how to fetch, inject, and refresh Google ID tokens for your custom model endpoints.
[BigQuery Dataform Google Analytics] Beyond Web Design: How GOV.UK Leverages Dataform and BigQuery for Nation-Scale GA4 Governance - GOV.UK demonstrates a robust GA4 governance strategy by linking standardized front-end design directly to consistent back-end data collection using Google Cloud. They leverage Dataform to automatically clean and flatten complex GA4 data within BigQuery, making it readily accessible for analysis. This approach, combined with proactive PII removal, ensures high-quality, privacy-compliant data.
[ADK Agents] The Real Google AI Architecture Decision Is the Boundary - Choosing among Gemini, Conversational Agents, ADK, Agent Runtime, Genkit, and custom orchestration is a decision about ownership.
Slides, Videos, Audio
Kubernetes Podcast - #267 Kubernetes 1.36, with Ryota Sawada.
Security Podcast - #279 Native Cloud Security: Is 'Good Enough' Actually Winning?
Releases
AppEngine Standard - Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Backup and DR Service - You can now view the Google Cloud Backup and DR Service protection summary at the organization and folder levels. To learn more about protection summary, see Find unprotected resources using protection summary.
BigQuery - The Data Science Agent (DSA) for Colab Enterprise and BigQuery is now generally available (GA). An updated version of the Simba ODBC driver for BigQuery is now available.
Bigtable - As part of Bigtable Enterprise Plus edition, you can configure a retention period of up to 365 days for backups. This feature is generally available (GA). For more information, see Bigtable backups overview.
CDN - For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map, providing more granular control over caching. You can now apply specific caching logic based on hostnames, URL paths, HTTP headers, and query parameters. This feature is Generally Available. For more information, see Cache policies in URL maps.
Chronicle SOAR - Unified and Upgraded Chronicle API: Chronicle API has been unified with API resources from legacy SOAR API. This unification provides a more robust, secure, and extensible experience. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability. This update includes the following resources: Case, CaseAlert, CaseStageDefinition, CaseTagDefinition, CaseQueueFilter, CaseCloseDefinition, ContextProperty, InvolvedEntity, Task, CaseComment, CaseWallRecord, ChatMessage, View, VisualFamily, ChatMessages.attachment, ContentPack, SocRole, EmailTemplate, DynamicParameter, EntitiesBlocklist, Environment, EnvironmentGroup, Integration, Integrationaction, UserNotification, Integrationactionrevision, Connector, ConnectorInstance, RemoteAgent, Connectorlog, Connectorrevision, IntegrationInstance, UniqueEntity, Integrationsjob, JobInstance, JobInstances.log, Jobs.revision, Integrationmanager, Integrationmanagerrevision, AlertGroupingRule, Announcement, Attachment, CustomList, FormDynamicParameter, MarketplaceIntegration, ModuleSetting, SlaDefinition, NotificationSetting, PropertySchemaDefinition, RequestTemplate, SoarDomain, SoarNetwork, WorkdeskLink, SystemNotification, WorkdeskContact, WorkdeskNote, LegacySoarUsers.localization. For a full list of updated resources and links to the documentation, please see the Chronicle API documentation. Release 6.3.86 is now available for all regions. Release 6.3.87 is being rolled out to the first phase of regions as listed here. This release contains internal and customer bug fixes.
Cloud Composer - The following Managed Airflow versions and builds have reached their end of support period: composer-3-airflow-2.9.3-build.24, composer-2.13.2-airflow-2.9.3, composer-2.13.2-airflow-2.10.5. New images are available in Managed Airflow (Gen 2): composer-2.17.3-airflow-2.11.1 (default), composer-2.17.3-airflow-2.10.5. New Airflow builds are available in Managed Airflow (Gen 3): composer-3-airflow-3.1.7-build.10, composer-3-airflow-2.11.1-build.6 (default), composer-3-airflow-2.10.5-build.39. (Airflow 3) The INFO log level filter in Airflow UI now correctly displays log messages with this logging level. In Managed Airflow (Gen 3), it is now possible to create Kubernetes Secrets with the kubernetes.io/dockerconfigjson secret type through the beta Cloud Composer API, in addition to the default Opaque secret type. For more information, see Manage Kubernetes Secrets. Managed Service for Apache Airflow now supports Google Cloud tags for environments. Tags provide a way to create annotations for resources, and conditionally allow or deny policies based on whether a resource has a specific tag. A new Managed Service for Apache Airflow release has started on May 27, 2026. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.
Cloud Logging - You can view the available regional endpoints for the Cloud Logging API on the REST reference pages. For an example, see Method: projects.locations.buckets.list.
Cloud Spanner - Spanner Graph supports a suite of graph algorithms covering use cases such as fraud detection, entity resolution, and recommendations. You can invoke graph algorithms as built-in function calls in Spanner Graph queries. You can save your output to Cloud Storage or Spanner. This feature is available in Preview.
Cloud Storage - As of August 26, 2026, in buckets with hierarchical namespace enabled, the Object Lifecycle Management Delete action will delete empty folders when the empty folder meets all of the conditions in the lifecycle rule.
Cloud Trace - The Observability API is generally available (GA). This API lets you configure the following: the default storage location and the default encryption key for your trace data; the observability scope; a linked BigQuery dataset, which lets you use BigQuery services to analyze your trace data. For more information, see the following documents: Set defaults for observability buckets; Configure observability scopes for multi-project queries; Manage observability buckets; API overview. Cloud Trace in Observability Analytics is generally available (GA). Observability Analytics lets you query and analyze your trace data by using SQL. You can chart your query results, save your queries, and join your trace and log data. For more information, see the following documents: Query and analyze telemetry with Observability Analytics; Chart SQL query results; Sample SQL queries; Analyze trace data with BigQuery. Trace scopes are generally available (GA). For more information, see Create and manage trace scopes. The following remote MCP servers automatically generate a trace span for tools/call operations: BigQuery and Cloud SQL. These spans can help you understand the behavior of your agentic applications. For more information, see Investigate MCP calls using Trace. You can view the available regional endpoints for the Observability API and for the Telemetry API on their REST reference pages. For more information, see API overview.
Colab - Data Science Agent Generally available: Use the Data Science Agent to automate exploratory data analysis, perform machine learning tasks, and deliver insights from within a Colab Enterprise notebook. To get started, see Use the Data Science Agent.
Compute Engine - Generally available: Two C4A bare metal machine types are generally available: c4a-standard-96-metal with 96 vCPUs and 384 GB of DDR5 memory, and c4a-highmem-96-metal with 96 vCPUs and 768 GB DDR5 memory. These two machine types support Hyperdisk Balanced, Hyperdisk Extreme, Hyperdisk Throughput, and Hyperdisk ML volume storage and up to 100 Gbps of network bandwidth. To learn more about the C4A machine family, read General-purpose machines. To see where you can create C4A bare metal instances, read Bare metal instances.
Contact Center AI Platform - For a full list of changes, visit the release page.
Dataplex - Data products in Knowledge Catalog is Generally Available (GA). A data product serves as a logical, curated package of data assets and context designed to solve a specific business problem. This release includes the following new features: Approval workflows for data product consumption: Data product consumers can browse published data products, submit access requests, and track their status. Data product owners can track, approve, or reject access requests using the Google Cloud Console or the API. For more information, see Use data products and Manage data products. Automated documentation and insights: Data product owners can leverage Knowledge Catalog data insights and Gemini to automatically generate sample queries, business insights, and documentation templates for data products. For more information, see Create data products. Service account support: Data product owners can configure service accounts in access groups, and data product consumers can request access for their service accounts. For more information, see Create data products. Remote Model Context Protocol (MCP) server support (Preview): Data applications and AI agents can programmatically interact with data products. By deploying the Knowledge Catalog remote MCP server, developers can create data products, discover data products, and inspect data product metadata from external IDEs and LLM clients. For more information, see Access data products using Model Context Protocol. You can use the data lineage remote MCP server to interact with Knowledge Catalog (formerly Dataplex Universal Catalog) to query data lineage graphs, discover upstream data provenance, and analyze downstream impact. This feature is available in preview. For more information, see Use the data lineage remote MCP server.
Document AI - Layout parser image and table annotations is in General Availability (GA). Layout parser can identify if there are images or tables in parsed documents. When found, images and tables are annotated as a descriptive block of text with the information depicted in the image and table.
Error Reporting - You can view the available regional endpoints for the Error Reporting API on the REST reference pages. For an example, see Method: projects.events.list.
GKE new features - To monitor the efficiency of the GKE training JobSet, the following two GKE system metrics are available in Preview: kubernetes.io/jobset/scheduling_goodput: the fraction of time that all the resources required to run the training JobSet are available. kubernetes.io/jobset/proxy_runtime_goodput: the fraction of time that all required accelerators are productive. This metric provides an estimate of the real runtime goodput. For details about GKE metrics, see Kubernetes metrics. For details about goodput metrics that are used to measure efficiency, see Monitor goodput with the ML Goodput Measurement library. You can also view these new GKE metrics in the JobSet monitoring dashboard. Cloud Storage FUSE CSI driver is now supported for Google Cloud Dedicated clusters and node pools running GKE version 1.36.0-gke.1266000 and higher. To use the driver, you must specify the custom-endpoint mount option by using either the gcsfuse CLI or the configuration file format. For more information, see About Cloud Storage FUSE CSI driver for GKE. In GKE versions 1.36.0-gke.2459000 and later, you can directly configure Cloud Logging for L4 load balancer backend services by using the L4LBConfig CustomResourceDefinition (CRD). This feature is available for the following load balancer types: Internal L4 load balancers with subsetting enabled. External L4 load balancers with regional backend services (RBS) enabled. Confidential GKE Nodes now support cluster level enablement of AMD SEV-SNP and Intel TDX on GKE Autopilot. C4A bare metal instances are generally available with GKE clusters. For more information, see the Arm workloads on GKE document, including the "Requirements and limitations" section for specific version requirements. 
GKE Gateway now supports backend authenticated TLS for Gateway-originated connections to Pods or InferencePools for the following GatewayClasses: gke-l7-global-external-managed, gke-l7-regional-external-managed, gke-l7-rilb, gke-l7-global-regional-managed-mc, gke-l7-global-external-managed-mc.
Load Balancing - For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map. This provides granular control over caching policies based on criteria like hostname, URL path, HTTP headers, and query parameters. This feature is in General availability. For more information, see Configure a Cloud CDN cache policy. Frontend configuration for load balancing incoming IPv6 traffic is now supported for the following load balancers: Regional external Application Load Balancer; Regional external proxy Network Load Balancer; Regional internal Application Load Balancer; Regional internal proxy Network Load Balancer; Cross-region internal Application Load Balancer; Cross-region internal proxy Network Load Balancer. This feature is in Preview. For more information, see the following documentation: Forwarding rules overview; IPv6 for Application Load Balancers and proxy Network Load Balancers; Convert Application Load Balancer to IPv6; Convert Proxy Network Load Balancer to IPv6; Proxy-only subnets for Envoy-based load balancers.
Looker - For a full list of changes, visit the release page.
Marketplace Partners - We've reduced the processing and delivery delay for Google Cloud Marketplace partner reports from 2 days (D+2) to 1 day (D+1), accelerating by one day the delivery of the Customer Insights reports to Cloud Marketplace partners. For information about processing times, see Customer Insights report frequency
Secure Source Manager - Secure Source Manager enforces a daily rate quota on the size of code scanned for credentials per instance. The default quota limit is 1 GB per day per instance. For more information, see Quotas and limits. To enhance security and address potential vulnerabilities (such as GHSA-3m6q-h5gj-7mrw), the Secure Source Manager Git-over-SSH server configuration has removed support for several legacy and insecure SSH algorithms. SSH clients must support one or more of the following modern algorithms to connect. Key Exchange Algorithms: curve25519-sha256, diffie-hellman-group14-sha256. Ciphers: [email protected], aes128-ctr, aes192-ctr, aes256-ctr, [email protected], [email protected]. MACs: [email protected], hmac-sha2-256. Users with old or non-standard SSH clients lacking support for these algorithms will be unable to connect using SSH for Git operations. Ensure your SSH client is up-to-date.
Security Command Center - Risk reports are updated to include more content in the Risk Engine introduction and the System attack exposure pages. For more information about what's included in risk reports, see Risk reports overview. Risk Engine detects toxic combinations that are related to Managed Service for Apache Spark (formerly known as Dataproc), including Lightning Engine.