Welcome to issue #507 June 15th, 2026

News

BigQuery Data Analytics Official Blog

Introducing the Open Knowledge Format - Learn how the Open Knowledge Format helps secure data sharing and improves collaboration across teams with standardized documentation.

AI Official Blog

Powering the next era of Confidential AI - We are thrilled to collaborate with Apple on its expanded Private Cloud Compute (PCC) systems announced this week at WWDC 2026.

Agents Data Analytics Looker Official Blog

Transform dashboards into interactive data experiences with Looker agents - Looker dashboard agents are embedded directly within dashboards and allow users to explore business intelligence (BI) data with natural language.

LLM Official Blog

Claude Fable 5: Available on Google Cloud - Claude Fable 5, Anthropic’s latest frontier model, is now generally available on Google Cloud.

Cloud Storage Official Blog

Storage Insights datasets: Enabling org-wide operational discovery with activity insights - Storage Insights datasets, now GA, provide visibility into your Google Cloud Storage assets for cost optimization and faster troubleshooting.

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Official Blog Threat Intelligence

ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit - An active compromise and extortion campaign attributed to ShinyHunters targeting Oracle PeopleSoft with a zero-day exploit.

AI Official Blog Security

Detecting and containing AI-powered threats with Google Security Operations agents - Learn how Google Security Operations works in concert with AI Threat Defense to monitor, detect, and respond to threats, particularly from code you do not own or cannot patch.

AI Google Kubernetes Engine LLM Networking Official Blog

Report: GKE Inference Gateway delivers up to 92% faster AI responses - GKE Inference Gateway uses prefix caching and other routing algorithms to land requests on the best accelerator for the job.

Google Kubernetes Engine

Is it possible to do Multi-Region, Multi-Cluster and Cross-Project load balancing in GKE without Service Mesh? - This article explores the challenges of implementing multi-region, multi-cluster, and cross-project load balancing in Google Kubernetes Engine, noting limitations with standard GKE load balancing options. It presents a solution that avoids service mesh complexity by leveraging a user-managed load balancer combined with the `gke-autoneg-controller` for dynamic backend management across different projects. This approach enables flexible traffic distribution while mitigating the operational overhead associated with service mesh deployments.

Cloud Trace Google Kubernetes Engine

Centralizing Telemetry: How to Route OpenTelemetry Traces Across GCP Projects from GKE - This guide outlines a method for centralizing OpenTelemetry traces from Google Kubernetes Engine (GKE) clusters in one Google Cloud project to a distinct observability project. It leverages the OpenTelemetry Collector and GKE Workload Identity to securely route traces across project boundaries, ensuring efficient management and proper billing for observability data.

Google Kubernetes Engine Kubernetes

Have your cake and eat it too: Combining Atomic Provisioning with node reuse in GKE - This article explains how to optimize resource utilization in GKE for AI/ML workloads by combining atomic provisioning with node reuse. It details a method using a TAS-Enabled Resource Flavor fallback in Kueue to allow subsequent jobs to run immediately on idle infrastructure provisioned by previous tasks. This approach significantly reduces startup latency and enhances the efficiency of scarce resources like GPUs and TPUs.

Google Kubernetes Engine Kubernetes

Beyond the Mega-Cluster: How We Rebuilt Our Infrastructure for Global Scale - A platform engineering team shares how they rebuilt their infrastructure for global scale, transitioning from problematic "mega-clusters" to a sharded, data-driven architecture. This involved implementing advanced solutions like Private Service Connect and Ambient Mesh, creating a secure, self-service platform that reduces developer "cognitive tax" and supports over 1,000 application teams.

Agents AI IAM

SPIFFE: Why Google’s New Agent Identity is the Future of AI Security - Google Cloud's new Agent Identity service tackles the security challenges of autonomous AI agents by ensuring their traceability and auditability. This service utilizes the open-source SPIFFE standard, providing each agent with a unique cryptographic identity through mutual TLS and token binding. By integrating this into its platform, Google Cloud offers enhanced security, granular auditing, and eliminates the need for hardcoded keys for AI agents.

DevOps Networking

GCP Hybrid Subnets: Migrate to Google Cloud Without Changing a Single IP Address - GCP Hybrid Subnets offer a solution for seamless cloud migration by allowing organizations to extend their on-premises IP address space directly into a Google Cloud VPC. This eliminates the need to re-IP workloads, update DNS records, or change application configurations, significantly reducing the complexity and risk associated with moving to the cloud. By effectively creating a single flat network between on-premises and cloud environments, it enables gradual, phased migrations without disruptions.

Chronicle

New To Google SecOps: Disintegration — Working with TTLs in Data Tables - This guide delves into managing Time-to-Live (TTL) values for Google SecOps data tables programmatically via API commands. It illustrates how to set default table-wide expirations and individual row-level TTLs, emphasizing how primary keys influence data modification versus new entry creation for precise data retention control.

Google Kubernetes Engine

Surviving N4 stockouts in GKE - Facing N4 machine type stockouts in Google Kubernetes Engine (GKE), the author implemented a resilient solution using a dedicated cluster and a cluster-level default ComputeClass. This configuration prioritizes N4 nodes, automatically falls back to C4 nodes when N4 is unavailable, and then actively migrates workloads back to N4 once capacity returns.

App Development, Serverless, Databases, DevOps

DevOps Official Blog

How to unlock true ROI in software development – a deep dive into the latest DORA research - Dig into the new DORA: ROI of AI-assisted software development report. Learn how to manage early adoption challenges and calculate the ROI of AI-assisted software development using an interactive calculator.

AlloyDB Data Analytics Databases GCP Experience Official Blog

Modernizing Healthcare: How Alcidion achieved greater stability and performance with AlloyDB - AlloyDB boosted performance on Alcidion’s flagship platform, Miya Precision, a dynamic intelligent care platform for modern hospitals.

Compute Engine GPU Infrastructure

G4 Fractional VMs are now available on Google Cloud!

Cloud SQL

Tales from a Battle-Tested Migration: Moving a Complex Oracle DB to PostgreSQL on GCP - This article details the challenging process of migrating a complex Oracle database to Cloud SQL for PostgreSQL on Google Cloud, revealing that automated conversion tools are often insufficient and manual refinement is essential.

Agents Antigravity MCP

Building with the Developer Knowledge API and Antigravity CLI - Enabling The Developer API support with MCP to streamline Google Cloud Development.

Big Data, Analytics, ML&AI

Data Analytics Official Blog Serverless Spark Streaming

Deep dive: How Lightning Engine delivers 4.9x faster Apache Spark performance - How Lightning Engine for Managed Service for Apache Spark, now GA, supercharges job execution compared with standard and managed Spark alternatives.

BigQuery FinOps

A practitioners view on BigQuery Workload Management - This guide offers a practitioner's perspective on optimizing BigQuery workload management for performance and cost efficiency. It covers critical techniques across storage, query, compute, billing, and caching, preparing data platforms for the demands of AI agentic workflows. Mastering these strategies is key to ensuring BigQuery deployments scale effectively and cost-efficiently.

BigQuery

Optimizing Data Vault in BigQuery: Why Physical Clustering Matters More Than Hash-Based Keys - Traditional Data Vault designs, heavily reliant on hash-based business keys, create performance inefficiencies in BigQuery because their random distribution prevents effective physical data pruning. BigQuery's clustering mechanism requires structured data locality to efficiently skip storage blocks, a capability undermined by high-entropy hash keys.

Generative AI LLM Official Blog

10 Indispensable Prompts Our Team Refuses to Build Without - Boost your developer productivity with 10 proven AI prompts used by our engineering team to ship high-quality, robust code. Learn how to de-risk your development process and streamline your workflow with these expert-tested prompt strategies.

Big Data BigQuery LLM Machine Learning

You Probably Don’t Need a Vector Database - If Your Data Already Lives in BigQuery - How I built an end-to-end RAG proof-of-concept in pure SQL: no new infrastructure, no data movement, and pay-per-query cost.

Antigravity Generative AI LLM Official Blog

Choosing your surface: Antigravity 2.0, Antigravity CLI, Antigravity IDE, or Antigravity SDK - Compare Antigravity surfaces: 2.0 (Desktop), CLI, IDE, and SDK. Choose the best interface for your workflow—whether desktop orchestration, terminal, or custom Python.

AI Gemma LLM

DiffusionGemma: The Developer Guide - DiffusionGemma is an experimental text-generation model built on the Gemma 4 architecture that uses diffusion-based parallel generation instead of token-by-token autoregression, enabling much faster inference, bidirectional context awareness, and real-time self-correction while remaining deployable on consumer GPUs. Its architecture generates and refines 256-token blocks in parallel through iterative denoising, allowing it to handle complex constraint-based tasks such as Sudoku more effectively than traditional language models and demonstrating strong gains from fine-tuning. The model integrates with vLLM and other popular inference frameworks, giving developers access to a new non-autoregressive approach that combines high performance, efficient long-context scaling, and straightforward customization and deployment.

BigQuery Data Agent Kit

Data Agent Kit - I Explored GCS, Visualized Data, and Built a Pipeline Without Leaving My Editor - A hands-on look at Google’s new Data Agent Kit, from a data engineer’s chair.

Gemini Enterprise Agent Platform Vertex AI

Vertex AI is now Gemini Enterprise Agent Platform: A migration map for Agent Builders - A field guide for anyone who has been building agents on Google Cloud and just watched the platform get a new name — and a new shape.

Slides, Videos, Audio

Kubernetes Podcast - #268 Agent Sandbox and Lovable, with Jonathan Grahl.

 

Releases

Agent Assist - Agent Assist offers Proactive generative knowledge assist V2 in GA. This version supports rich search context, multiple suggested queries, and granular control over triggering events.

Apigee Hybrid - Various security and CVE fixes are included in this release. v1.16.5: On June 8, 2026, we released an updated version of the Apigee hybrid software, v1.16.5. For information on upgrading, see Upgrading Apigee hybrid to version v1.16.5. For information on new installations, see The big picture. Note: This is a patch release. The container images used in patch releases are integrated with the Apigee hybrid Helm charts. Upgrading to a patch via the Helm chart automatically updates the images. No manual image changes are typically needed. For information on container image support in Apigee hybrid releases, see Apigee release process.

App Hub - App Hub support for resources from Memorystore is now generally available (GA).

BigQuery - You can analyze data lineage with Gemini Cloud Assist in BigQuery. This feature is in Preview. You can now use Gemini Cloud Assist to schedule queries. This feature is in Preview. IAM deny policies for BigQuery are now generally available (GA). You can use the Google-developed, open source Java Database Connectivity (JDBC) driver for BigQuery to connect your Java applications to BigQuery. This feature is generally available (GA). You can use custom constraints with Organization Policy to provide more granular control over specific fields for some BigQuery sharing resources. For more information, see Manage Sharing data exchanges and listings using custom constraints. This feature is generally available (GA). You can manage and limit the costs associated with BigQuery generative AI functions by configuring daily token quotas. Token-based cost management for BigQuery generative AI functions is generally available (GA). You can analyze data lineage with Gemini Cloud Assist in BigQuery. This feature is generally available (GA). BigQuery continuous queries now support the following aggregation functions: ARRAY_AGG and STRING_AGG. Support for these functions is in Preview. You can monitor performance, analyze capacity, and optimize costs with Gemini Cloud Assist in BigQuery. This feature is in Preview. Support for the AI.KEY_DRIVERS function is restored. You can use the AI.KEY_DRIVERS function to identify segments of data that cause statistically significant changes to a summable metric. This feature is in Preview. BigQuery AI functions can use ObjectRef values directly as input, without calling the OBJ.GET_ACCESS_URL function. This feature is generally available (GA).

Billing - FOCUS billing data export to BigQuery available in Preview: Cloud Billing data export to BigQuery now offers a FOCUS billing data export available in Preview. The FinOps Open Cost and Usage Specification (FOCUS) is an open specification that defines clear requirements for technology billing data generators to produce consistent cost and usage datasets. The Google Cloud billing data export using the FOCUS specifications includes FOCUS columns up to FOCUS version 1.2. For more information about the FOCUS billing data export to BigQuery, refer to the following documentation: Set up FOCUS Cloud Billing data export to BigQuery; Structure of the FOCUS data export; FOCUS conformance report; Query examples for FOCUS use cases.
Multi-project access to Cloud Billing cost views available in Preview: In Cloud Billing accounts, multi-project access to usage costs lets project owners, solution owners, developers, and other non-billing admins see cost data for all of their authorized projects in a single view in the Cloud Billing console. The multi-project view uses a combination of Cloud Billing account permissions and Google Cloud project permissions that let Cloud Billing administrators and organization administrators jointly control access to project-level cost data. Using project-scoped Cloud Billing account permissions, Cloud Billing administrators can control which solution owners can view aggregated cost data in the Cloud Billing console. Learn more about cost management for project owners. Learn how to set up multi-project access to costs views.
CUD dashboard redesign available (preview): The redesigned CUD dashboard is available in the Billing section of the Google Cloud console. It provides a consolidated view of all your resource-based and spend-based CUDs in a single place. The new design improves usability and scalability, helping you find information faster. For more information, see View your commitments.

Chronicle - UDM fields now show whether data is enriched or not: The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain values that Google SecOps generates to provide additional context about artifacts in your environment. For more information, see: Viewing events.
UDM fields now show the sources of enrichment: The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data. For more information, see: Viewing events.
Asynchronous Search APIs for large datasets: Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results. Non-blocking queries: Initiate searches and receive an operation ID to track progress, so your application remains responsive. Handle large result sets: Retrieve up to 1 million results from data sources including Unified Data Model (UDM) events, data tables, and Entity Context Graph (ECG). Paginated results: View results efficiently in manageable pages. For more information, see Asynchronous Search APIs and Result limits for data sources.
[Spotlight Feature] Investigate detections in Google SecOps Search: Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation. For more details, see Investigate detections in Search.
Non-prioritized IoC Matching rules Category: Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes. This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services. For more information, refer to Non-prioritized IoC Matching rules category overview.

Chronicle SOAR - Release 6.3.88 is now available for all regions. This release contains internal and customer bug fixes.

Chronicle Security Operations - UDM fields now show whether data is enriched or not: The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain values that Google SecOps generates to provide additional context about artifacts in your environment. For more information, see: Viewing events.
UDM fields now show the sources of enrichment: The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data. For more information, see: Viewing events.
Asynchronous Search APIs for large datasets: Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results. Non-blocking queries: Initiate searches and receive an operation ID to track progress, so your application remains responsive. Handle large result sets: Retrieve up to 1 million results from data sources including Unified Data Model (UDM) events, data tables, and Entity Context Graph (ECG). Paginated results: View results efficiently in manageable pages. For more information, see Asynchronous Search APIs and Result limits for data sources.
[Spotlight Feature] Search for cases using SIEM Search: Google SecOps SIEM Search now provides robust capabilities for analyzing cases and case history alongside existing Unified Data Model (UDM) events and entities. This update allows security analysts to seamlessly correlate case details with other security telemetry within a single interface, streamlining workflows and accelerating incident response. Key Highlights: Unified Search Experience: Conduct searches across UDM events, entities, cases, and case history from a single SIEM Search interface. Correlate SIEM and SOAR Data: Effortlessly link case details and historical activities with security data, reducing context switching and improving investigation efficiency. For more information, see Search cases and case history.
[Spotlight Feature] Investigate detections in Google SecOps Search: Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation. For more details, see Investigate detections in Search.
Non-prioritized IoC Matching rules Category: Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes. This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services. For more information, refer to Non-prioritized IoC Matching rules category overview.

Cloud Architecture Center - (New guide) Implement agentic analytics workflows for distributed data: A high-level architecture for implementing cross-cloud analytics workflows that use AI agents.

Cloud Composer - Several API dependencies that aren't required by Managed Airflow (Gen 3) are now phased out and must be enabled separately if you want to create Managed Airflow (Gen 2) environments in a new project. This change was announced previously. The following API dependencies were phased out: artifactregistry.googleapis.com, cloudbuild.googleapis.com, container.googleapis.com, and pubsub.googleapis.com. The following API dependencies aren't phased out yet and are scheduled to be detached from the Cloud Composer API in the future: sqladmin.googleapis.com. Existing Managed Airflow (Gen 3) and Managed Airflow (Gen 2) environments in projects where the Cloud Composer API is already enabled aren't impacted. You can do the following: If your project has only Managed Airflow (Gen 3) environments, then you can manually disable the listed APIs that were phased out. If your project has Managed Airflow (Gen 2) environments, then we recommend keeping these APIs enabled because disabling them might cause the environment to malfunction. If you want to create Managed Airflow (Gen 2) environments in a new project, you can enable the listed APIs manually or using a Google Cloud CLI command. For more information, see Enable Managed Airflow (Gen 2) dependencies. If you use automation scripts to provision Managed Airflow (Gen 2) environments, then make sure that the listed APIs are enabled in addition to the Cloud Composer API.

Cloud Domains - Organization Policy Service custom constraints are generally available for Cloud Domains. For more information, see Use custom organization policies.

Cloud SQL MySQL - Cloud SQL for MySQL managed buffer pool is now generally available (GA). Managed buffer pool helps you avoid out-of-memory events (OOMs) on your Cloud SQL instance by reducing innodb_buffer_pool_size when memory usage is high.

Cloud SQL Postgres - You can now create and query parameterized secure views in Cloud SQL for PostgreSQL. Parameterized secure views let you use PostgreSQL views with more granular access control over your data. While you can issue a GRANT statement to control whether a user can query a PostgreSQL view, a GRANT statement doesn't let you control the data that the view returns based on the user who is making the query. To gain this level of control, use parameterized secure views. You can define parameters such as a user ID or region within the view. When your application queries the view, a user can provide values for these parameters, which customizes the query results. Using parameterized secure views lets you enforce "least privilege" access to help ensure that your users interact only with the data that is relevant and authorized to them. This feature is in Preview.

Cloud Trace - The Trace API supports regional endpoints. For a list of supported endpoints, see the REST API reference pages: v1 REST reference and v2 REST reference.

Compute Engine - Generally available: The C4D machine series supports Hyperdisk Balanced High Availability disks. For more information, see About Hyperdisk Balanced High Availability and Performance limits for machine series. A vulnerability (CVE-2025-10263) about bypass of translation stages or GPT protections in some Arm core families was discovered and has been addressed. For more information, see the GCP-2026-036 security bulletin. In an autoscaled managed instance group (MIG), you can configure the stabilization period to manage how quickly the autoscaler deletes instances after a decrease in the load. This configuration can help optimize costs or maintain extra capacity based on your workload requirements. For more information, see Configure stabilization period.

Contact Center AI Platform - Full details on the release page.

Dataplex - Knowledge Catalog now supports data profile scans for unstructured data (such as PDFs in Cloud Storage) on existing BigQuery object tables. This feature uses Vertex AI Gemini models to extract semantic insights, including entities and relationships, from unstructured content. Note: Data profile scans for unstructured data are currently available in Preview using the Dataplex REST API only. The cloud console and gcloud workflows are not supported for this feature. For more information, see About unstructured data insights and Use data profile for unstructured data.

Gemini - Gemini 3.5 Flash is generally available: Gemini 3.5 Flash is now generally available to Gemini Code Assist users in VS Code and IntelliJ. You can use this model for agent mode, chat, and code generation.

Media CDN - The maximum cacheable object size for Media CDN can be increased up to 1 TiB. To request a limit increase for your project, contact your Google support representative. This feature is Generally Available. For more information, see Quotas and limits. Media CDN lets you identify the country codes of the edge caches serving client requests. This feature is Generally Available. For more information, see Custom headers.

NetApp - The backup capabilities for ONTAP-mode are generally available (GA). For more information, see About backups. Google Cloud NetApp Volumes remote Model Context Protocol (MCP) server is generally available. NetApp Volumes remote MCP server lets you manage storage pools, volumes, backup vaults, backup policies, backups, and snapshots from LLMs, AI applications, and AI-enabled development platforms. For more information, see Use the NetApp Volumes remote MCP server and NetApp Volumes MCP Reference.

Network Connectivity Center - NCC Gateway is generally available. NCC Gateway lets you enable security functions, such as third-party Security Service Edge (SSE), for cross-cloud network traffic. You can use Secure Access Connect with NCC Gateway to securely connect remote workforces to private applications in Google Cloud, on-premises, or other cloud providers and to public applications, like Palo Alto Networks Prisma Access. For information about pricing, see NCC Gateway pricing.

Network Intelligence Center - Cloud Network Insights is in General Availability. Cloud Network Insights monitors your network and web application performance across multicloud and hybrid networks and provides visualization tools to help identify and diagnose network issues. The following additional features are included in this release: Compute Engine VM Monitoring Points: deploy a Monitoring Point optimized for Google Cloud directly to your Google Cloud infrastructure using Terraform. Connectivity Tests support: run Connectivity Tests from Cloud Network Insights to validate connectivity between endpoints of some dual-ended network paths.

Policy Intelligence - Policy Simulator for deny policies is generally available.

Pub/Sub Lite - The Pub/Sub Lite to Managed Service for Apache Kafka migration guide has been updated to use the latest client libraries and to use Kafka Connect in Managed Service for Apache Kafka.

Sensitive Data Protection - The OBJECT_TYPE/PERSON/SIGNATURE infoType detector is available in global and the asia, europe, and us multi-regions. For more information about all infoTypes, see InfoType detector reference. Added support for inspecting and de-identifying batched content. You can now include a BatchContentItem in your ContentItem requests.

Service Mesh - 1.26.8-asm.11 is now available for in-cluster Cloud Service Mesh. This patch release contains the fix for the security vulnerability listed in GCP-2026-035. For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.26.8-asm.11 uses Envoy v1.34.14. 1.27.9-asm.5 is now available for in-cluster Cloud Service Mesh. This patch release contains the fix for the security vulnerability listed in GCP-2026-035. For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.27.9-asm.5 uses Envoy v1.35.12-dev. 1.28.7-asm.4 is now available for in-cluster Cloud Service Mesh. This patch release contains the fix for the security vulnerability listed in GCP-2026-035. For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.28.7-asm.4 uses Envoy v1.36.8-dev. The rollouts previously announced on June 3, 2026 have been stopped. The following release will supersede them and include those patches and the fix for the vulnerability listed in GCP-2026-035. 1.29.4-asm.0 is now available for in-cluster Cloud Service Mesh. You can now download 1.29.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.29.4 subject to the list of supported features. 
The following environment variables, labels, and annotations are not supported: PILOT_IGNORE_RESOURCES and PILOT_INCLUDE_RESOURCES; RetryIgnorePreviousHosts; omit_empty_values; PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY; MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP with the value 1; PILOT_DNS_JITTER_DURATION; ENABLE_NATIVE_SIDECARS with the value true; PILOT_IP_AUTOALLOCATE_IPV4_PREFIX and PILOT_IP_AUTOALLOCATE_IPV6_PREFIX; PILOT_DNS_CARES_UDP_MAX_QUERIES; ENABLE_WILDCARD_HOST_SERVICE_ENTRIES_FOR_TLS; BLOCKED_CIDRS_IN_JWKS_URIS; ENABLE_DEBUG_ENDPOINT_AUTH; DISABLE_TRACK_REMAINING_CB_METRICS; gateway.istio.io/tls-cipher-suites; fileFlushMinSizeKB and fileFlushInterval settings in ProxyConfig; topology.istio.io/locality; statsCompression ProxyConfig option; proxy.istio.io/config annotation for metric compression overrides. Istio's experimental feature to enable lazy subset creation of Envoy statistics is not supported. The formatter option within the spec.tracing[].customTags field of the Telemetry custom resource (telemetry.istio.io) is unsupported. The istiod_remote_cluster_sync_status Prometheus gauge metric, exposed on the Istiod control plane metrics endpoint (port 15014 /metrics), is not supported. The following are unsupported for proxyless gRPC clients: configuring the LEAST_REQUEST load balancing policy within the spec.trafficPolicy.loadBalancer.simple field of a DestinationRule custom resource (networking.istio.io); configuring the http2MaxRequests circuit breaker within the spec.trafficPolicy.connectionPool.http.http2MaxRequests field of a DestinationRule custom resource (networking.istio.io). The ENABLE_AUTO_SNI flag is still supported to keep aligned with the legacy behavior. For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.29.4-asm.0 uses Envoy v1.37.4-dev. In-cluster Cloud Service Mesh 1.26 is no longer supported.
For more information and to view the earliest end-of-life dates for other versions, see Supported versions. The following images are now rolling out for managed Cloud Service Mesh: Sidecar version 1.21.6-asm.36 is rolling out to the rapid release channel. Sidecar version 1.20.8-asm.86 is rolling out to the regular release channel. Sidecar version 1.19.10-asm.76 is rolling out to the stable release channel. These rollouts will preempt those previously announced on June 3, 2026. These patch releases contain the fix for the vulnerability listed in GCP-2026-035. Proxy version csm_mesh_proxy.20260423_RC03 for Gateway API on GKE clusters is rolling out to all Managed Cloud Service Mesh release channels over the next week.

VMware Engine - The VMware Engine ve2 node type is now available in the following additional region: Mexico City (northamerica-south1).

Workstation - The workstation configuration creation page in the Google Cloud console has been optimized to make configuration creation faster and easier. Common machine settings are grouped into selectable machine presets, frequently used settings are consolidated on the Configuration essentials landing page, and a pending cluster with default settings is automatically provisioned when no cluster exists in your selected region.