News
[Compute Engine GPU Official Blog] Announcing smaller machine types for A3 High VMs - Google Cloud now offers smaller machine types for A3 High VMs powered by NVIDIA H100 80GB GPUs. These new machine types provide more granularity in the number of GPUs available, allowing organizations to scale with user demand while keeping costs low.
[Google Kubernetes Engine Official Blog] How we’re making GKE more transparent with supply-chain attestation and SLSA - You can now verify the integrity of Google Kubernetes Engine components with SLSA, the Supply-chain Levels for Software Artifacts framework.
[Official Blog Vertex AI] Introducing agent evaluation in Vertex AI Gen AI evaluation service - Vertex AI Gen AI evaluation service, now in public preview, empowers developers to rigorously assess and understand their AI agents. It includes a set of evaluation metrics for agents built with different frameworks and provides native agent inference capabilities.
[Chrome Enterprise Official Blog] New Year, New OS. Supporting your business with ChromeOS Flex - ChromeOS Flex is a free, easy-to-deploy operating system that can breathe new life into your existing hardware, transforming aging laptops, kiosks, and more into fast, secure, and modern devices. It's perfect for businesses hoping to refresh devices, improve security, and embrace sustainability while saving money. With ChromeOS Flex, you can boost security, streamline deployment, and keep your devices running smoothly.
[Cloud Deploy Official Blog] Safer automated deployments with new Cloud Deploy features - Cloud Deploy, a fully managed continuous delivery platform, introduces new features to enhance automated deployments. The repair rollout automation rule enables retrying failed deployments or automatic rollbacks. Deploy policies, such as time-windows, provide control over automated actions. Timed promotions allow scheduled promotions between environments, simplifying software delivery pipelines.
[Chrome Enterprise Official Blog] Boost Productivity and Security with the New Chrome Web Store for Enterprises - Google has launched a new Chrome Web Store for enterprises, offering simplified access, enhanced security, increased productivity, and a customizable interface. Admins can now create custom block messages on extension detail pages for more visibility into usage policies.
[Databases Official Blog] Discover and assess your database workloads migration to Google Cloud using Migration Center - Google Cloud Migration Center helps organizations migrate their on-premises or cloud environments to Google Cloud. It provides intelligent, data-driven insights and actionable recommendations for optimal migration and modernization pathways. Migration Center lets you discover and assess both servers and databases, including Microsoft SQL Server, MySQL, and PostgreSQL.
[BigQuery Data Analytics Official Blog] Introducing BigQuery metastore, a unified metadata service with Apache Iceberg support - BigQuery metastore is a fully managed, unified metadata service that provides processing engine interoperability while enabling consistent data governance. It supports multiple engines, including BigQuery, Apache Spark, Apache Hive, and Apache Flink, and the open Apache Iceberg table format.
[Official Blog Startups] Announcing the 2025 Google for Startups Accelerator: AI First UK - Google for Startups Accelerator: AI First is a 12-week, equity-free accelerator designed to propel the growth of early-stage UK AI startups. The program offers expert mentorship, tailored workshops, access to Google Cloud credits, and networking opportunities. Applications are open until February 21st, 2025.
Articles, Tutorials
Infrastructure, Networking, Security, Kubernetes
[Google Kubernetes Engine Official Blog Security] Using custom Org Policies to enforce the CIS benchmark for GKE - Custom Organization Policies can help enforce the CIS Benchmark for GKE, reducing the risk of cyberattacks and ensuring compliance with industry standards. The library of ready-to-use policies makes it easy to adopt security best practices, and can be integrated with provisioning tools for automated enforcement.
[Official Blog Threat Intelligence] Securing Cryptocurrency Organizations - Cryptocurrency organizations are at high risk of financial loss due to heists and other illegal activities. These organizations should implement heightened security controls to prevent, detect, and respond to intrusions.
[Machine Learning] Anatomy of a cloud breach - In this cloud breach analysis, the author describes how they were able to gain near-complete control over a client's GCP environment by exploiting a misconfigured Cloud Storage bucket and broad, inherited IAM roles. The author provides a detailed account of their attack, including the tools and techniques they used, and offers recommendations for remediation.
[Networking Security] Exploring Google Cloud BGP Policies (Policy Based Routing): A Comprehensive Guide - Discover the power of GCP’s BGP (Border Gateway Protocol) policies for optimizing cloud networks. Learn how to control route advertisements using gcloud and YAML.
[Billing FinOps Security] Avoiding Cloud Bill Disaster Lessons from a Google Cloud API Key Breached - A Google Cloud user's bill skyrocketed to $450,000 due to a compromised API key, highlighting the importance of securing API keys and adopting robust cloud security practices.
[Cloud Load Balancing Networking] Load Balancer Backend Logs and me - Figuring out if it is the Load Balancer or the service.
[Google Kubernetes Engine Kubernetes] GKE: Custom Compute Classes (CCC) - Custom Compute Classes (CCC) in Google Kubernetes Engine (GKE) allow users to specify multiple node pools (with different machine families) for a set of pods in a prioritized manner. This ensures that pods can be scheduled even if the preferred node pools are unavailable, improving scalability and cost optimization.
[Application Integration FinOps] Adding self-service capabilities to your Landing Zone - How can you grow your Google Cloud Landing Zone with data while increasing efficiency through self-service?
[AWS Migration] How cloud neutrality made our AWS-GCP migration a breeze - In this article, the author shares their experience migrating their infrastructure from AWS to GCP in just two weeks with a single engineer, thanks to their cloud-agnostic engineering approach. They emphasize the importance of cloud neutrality for startups, as it enables access to competitive pricing, faster adoption of new technologies, and preparedness for changes in the cloud provider landscape.
App Development, Serverless, Databases, DevOps
[DevOps Official Blog SRE] Is your platform ready for 2025? New research on platform engineering reveals the secret to success - A recent research study by Google Cloud and Enterprise Strategy Group (ESG) reveals that 55% of global organizations have already adopted platform engineering, and 90% of those plan to expand its reach to more developers. The study identifies three critical components that are central to the success of mature platform engineering leaders: fostering close collaboration, adopting a "platform as a product" approach, and defining success by measuring performance through clear metrics.
[AlloyDB Databases GCP Experience Official Blog] Tchibo brews up 10x faster customer insights with AlloyDB for PostgreSQL - Tchibo, a German coffee retailer, adopted AlloyDB for PostgreSQL to enhance customer feedback analysis. AlloyDB's advanced analytics and AI capabilities accelerated feedback analysis by 10x, enabling Tchibo to respond swiftly to customer needs and drive customer-centric innovation.
[Databases Official Blog Oracle] Migrate Oracle-based applications to Google Cloud and simplify operations - Google Cloud offers several migration paths for Oracle-based applications and databases, from fully managed services to customized options. Containerization with Google Kubernetes Engine (GKE) or Cloud Run provides agility and scalability. Oracle GraalVM creates native Java applications for optimized resource utilization.
Big Data, Analytics, ML&AI
[BigQuery Google Analytics] Querying and Filtering Nested and Repeated Fields in BigQuery - Explore methods for querying and filtering Nested and Repeated data in BigQuery — including complex data such as GA4.
[BigQuery Generative AI Looker Vertex AI] How Rittman Analytics Automates Project RAG Status Reporting using Vertex AI, DocumentAI, BigQuery & Looker - This article describes how Rittman Analytics automates project RAG (Red, Amber, Green) status reporting using various AI technologies from Google.
[BigQuery Paywall] Efficient Management of SCD Type 2 Tables for Scalable Machine Learning Workflows - Unlocking historical data insights with optimized partitioning, clustering, and BigQuery’s advanced features.
[GCP Experience Kubeflow Official Blog Retail] How L’Oréal Tech Accelerator built its end-to-end MLOps platform - L'Oréal Tech Accelerator built an end-to-end MLOps platform on Google Cloud to accelerate AI initiatives and optimize product development. The platform streamlines workflows, ensures security, and enables rapid adoption. It leverages Kubeflow Pipelines and DevOps principles for efficient development and deployment of AI models.
[Batch GPU Machine Learning] Model fine-tuning made easy with Axolotl on Google Cloud Batch - Axolotl, an open-source fine-tuning tool, simplifies managing configurations and different setups, while Google Cloud Batch provides a fully managed service to handle the resource-intensive work.
[AI Generative AI Kaggle] 10 Prompt Engineering Techniques Every Beginner Should Know - Master the art of communicating with AI and unlock its full potential.
[AI Cloud Run LLM] Building GenAI Chat App (Part 1): How to Deploy Gemma 2 on Cloud Run Utilizing Ollama - This article provides a step-by-step guide on deploying Gemma 2, an open-source large language model, on Google Cloud Run using Ollama.
[BigQuery] Examining BigQuery query performance with Row Level Security - This article explores how to get hidden information for BigQuery jobs that are querying tables with Row Level Security.
[Generative AI LLM] Improve the RAG pipeline with RAG triad metrics - This article discusses how to improve the performance of a Retrieval-Augmented Generation (RAG) pipeline using RAG triad metrics (answer relevancy, faithfulness, and contextual relevancy).
[AI Gemini Machine Learning Vertex AI Agent Builder] AI Agents - How to build AI Agents with Vertex AI Agent Engine (Reasoning Engine).
[Vertex AI Agent Builder] Agent Builder serving controls: Boosting. Semantic search with on the fly customizations. Part 1 - This blog post dives into the limitations of relying solely on semantic search and introduces boosting as a technique to refine search results in real-time. It demonstrates how boosting, a native feature of Agent Builder search apps, can be used to fine-tune search results.
Slides, Videos, Audio
Security Podcast - #207 EP207 Slaying the Ransomware Dragon: Can a Startup Succeed?
GCP Bytes Podcast - #8 In this episode we discuss: Starlink and Telstra, Starlink and Optus, GDG Sydney, GDG Melbourne, Kurian CEO of the year, Big Stories of 2024, Google AI Video, Willow, Trillium GA, MFA for Google, Bing Spoofing Google, Jetson Orin, NVIDIA Digits.
Releases
Application Integration - Application Integration now uses a new V8 JavaScript engine, which provides enhanced security, reliability and performance.
App Hub - App Hub supports resources from Google Kubernetes Engine (GKE) Gateways, services, and workloads in Preview.
Cloud Architecture Center - (New guide) Optimize AI and ML workloads with Parallelstore: Learn how to optimize performance for artificial intelligence (AI) or machine learning (ML) workloads with parallel file system storage by using Parallelstore.
Backup and DR Service - Management console is now available in the Columbus (us-east5) region. For updates to the backup appliance, a default window now exists to schedule non-disruptive patch updates. Fixes for SAP HANA Persistent Disk Snapshots. Enhancing imports of log images: Log images can now be imported correctly with the right recovery range. Fixes for Oracle databases backed up to OnVault and backup vault. Hosts from both source and remote backup appliances are now listed in the restore page. The following CVEs have been addressed in this release: CVE-2024-38286, CVE-2019-9636, CVE-2023-5178, CVE-2020-14343, CVE-2021-29921, CVE-2019-7164, CVE-2020-27619, CVE-2018-20060, CVE-2019-20477, CVE-2019-9948, CVE-2020-1747, CVE-2021-3177, CVE-2022-42919, CVE-2024-0565, CVE-2015-20107, CVE-2023-51042, CVE-2020-10878, CVE-2023-6546, CVE-2022-0391, CVE-2022-45884, CVE-2021-33631, CVE-2020-10543, CVE-2019-20907, CVE-2023-3812, CVE-2019-11324, CVE-2022-45919, CVE-2023-6931, CVE-2024-1086, CVE-2021-43818, CVE-2021-33503, CVE-2020-26116, CVE-2019-20916, CVE-2023-2163, CVE-2021-42771, CVE-2022-45886, CVE-2021-3737, CVE-2023-52425, CVE-2018-18074, CVE-2021-27291, CVE-2021-20270, CVE-2023-24329, CVE-2019-18874, CVE-2019-16056, CVE-2019-7548, CVE-2021-3572, CVE-2019-9740, CVE-2021-23336, CVE-2020-14422, CVE-2021-3426, CVE-2023-1192, CVE-2022-38096, CVE-2023-6135, CVE-2020-8492, CVE-2020-27783, CVE-2020-28493, CVE-2023-46218, CVE-2021-4189, CVE-2020-26137, CVE-2021-3733, CVE-2019-16935, CVE-2021-28957, CVE-2018-20852, CVE-2019-11236, CVE-2019-9947, CVE-2020-28241, CVE-2023-5388, CVE-2023-28322, CVE-2022-48624, CVE-2023-38546, CVE-2021-20095.
BigQuery - BigQuery metastore lets you access and manage metadata from a variety of processing engines, including BigQuery and Apache Spark. In BigQuery ML, you can now evaluate Anthropic Claude models by using the ML.EVALUATE function. You can use natural language to prepare data with Gemini in BigQuery. Data preparation in BigQuery lets you test data preparations you're developing before you deploy and schedule runs in production.
Chronicle - The following rules have been removed from their associated rule packs due to high alert volume across the Google SecOps customer base. GCP Workspace Data Exfil Drive: Suspicious Workspace Actions Observed after a Successful Suspicious Login. GCP Suspicious Infrastructure Change: Replacement of Existing Compute Machine Image; Replacement of Existing Compute Disk. GCP Cloud SQL Ransom: Base64 Encoded Cloud SQL Command. CIDR SCC Persistence: SCC: Persistence: New API Method; SCC: Persistence: IAM Anomalous Grant; SCC: Persistence: GCE Admin Added SSH Key. CIDR SCC Malware: SCC: Added Library Loaded; SCC: Added Binary Executed. CIDR SCC Cloud IDS Low: SCC: Cloud IDS: Low Threat Finding. CIDR SCC Cloud Armor Medium: SCC: Cloud Armor: Medium - Increasing Deny Ratio; SCC: Cloud Armor: Medium - Allowed Traffic Spike. Azure Identity: Azure External User Invitation. Azure Defender for Cloud Windows and Linux VM: Azure Defender for Cloud: Anonymous IP access. AWS GuardDuty Discovery: AWS GuardDuty: Recon:EC2/PortProbeUnprotectedPort.
Chronicle Security Operations - The Google SecOps team identified that a cloud threat detection rule pack (azure-defender-for-cloud-vm-extensions) was inadvertently made available to all customers. The following new YARA-L 2.0 functions are available in Rules and Search: arrays.concat, arrays.join_string, arrays.max, arrays.min, arrays.size, arrays.index_to_int, cast.as_bool, cast.as_float, math.ceil, math.floor, math.geo_distance, math.is_increasing, math.pow, math.random, strings.contains, strings.count_substrings, strings.extract_domain, strings.extract_hostname, strings.from_hex, strings.ltrim, strings.reverse, strings.rtrim, strings.trim, strings.url_decode, timestamp.as_unix_seconds, timestamp.now. The following new YARA-L 2.0 functions are available in Rules: hash.sha256, window.avg, window.first, window.last, window.median, window.mode, window.stddev, window.variance. Details on function signatures and behavior can be found in YARA-L2.0 Function Syntax Reference Documentation. The prioritization logic of Applied Threat Intelligence (ATI) rule set has been improved to remove alerts from events that have a specified security result action of BLOCKED or QUARANTINED. After July 2025, the Enterprise Insights page and the CBN alerts will no longer be available.
Python 3.7 is being deprecated and will be fully removed on June 1, 2025.
Chronicle SOAR - Release 6.3.31 is now in General Availability. Release 6.3.32 is currently in Preview. Python 3.7 is being deprecated and will be fully removed on June 1, 2025.
Cloud Composer - The following recently released Cloud Composer 3 Airflow builds are rolled back and aren't available for creating and upgrading existing environments: composer-3-airflow-2.10.2-build.6, composer-3-airflow-2.9.3-build.13.
Compute Engine - Preview: To prevent data loss or corruption when a compute instance is stopped, you can enable graceful shutdown in the instance. Generally available: Managed instance groups (MIGs) let you create pools of suspended and stopped virtual machine (VM) instances.
Data Fusion - You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Data Fusion resources.
Dataflow - Managed I/O now supports automatic upgrades for supported I/O connectors.
Dataplex - Data lineage path visualization is available in preview.
Dialogflow - The Conversational Agents console has launched for preview to create agents that can use a combination of generative and deterministic features.
Document AI - Effective January 27, 2025, new and existing processors require explicit storage.objects.get permissions to access Google Cloud Storage buckets for training dataset imports and offline/batch processing.
Gemini - IntelliJ Gemini Code Assist now provides citations in Gemini Chat. Admins can now block all suggestions containing citations during code completion, generation, and chat conversation for VS Code Gemini Code Assist.
Google Kubernetes Engine - (2025-R03) Version updates: GKE cluster versions have been updated. User-managed firewall rules for GKE LoadBalancer Services is now generally available on GKE clusters running version 1.31.3-gke.1056000 or later. You can now customize a node system configuration with the following new kubelet and sysctl configuration options. Kubelet: containerLogMaxSize; containerLogMaxFiles; imageGcLowThresholdPercent; imageGcHighThresholdPercent; imageMinimumGcAge; imageMaximumGcAge (1.30.7-gke.1076000 and later, 1.31.3-gke.1023000 and later); allowedUnsafeSysctls (1.32.0-gke.1448000 and later). Sysctl: kernel.shmmni; kernel.shmmax; kernel.shmall; net.netfilter.nf_conntrack_acct (1.32.0-gke.1448000 and later); net.netfilter.nf_conntrack_max (1.32.0-gke.1448000 and later); net.netfilter.nf_conntrack_buckets (1.32.0-gke.1448000 and later); net.netfilter.nf_conntrack_tcp_timeout_close_wait (1.32.0-gke.1448000 and later); net.netfilter.nf_conntrack_tcp_timeout_established (1.32.0-gke.1448000 and later); net.netfilter.nf_conntrack_tcp_timeout_time_wait (1.32.0-gke.1448000 and later). To learn more, see Kubelet configuration options and Sysctl configuration options. Starting with GKE version 1.32.1-gke.1002000, the default OS image for Ubuntu is updated from Ubuntu 22.04 to Ubuntu 24.04. You can now use A3 Ultra VM powered by NVIDIA H200 Tensor Core GPUs with our new Titanium ML network adapter, which delivers non-blocking 3.2 Tbps of GPU-to-GPU traffic with RDMA over Converged Ethernet (RoCE).
Load Balancing - Changes to RSA certificate requirements coming April 28, 2025: We're changing how Application Load Balancers establish TLS connections to backends.
Cloud Logging - On April 22, 2025, Cloud Logging will replace the single, global quota for the number of calls to write log entries with a set of volume-based regional quotas.
Memorystore for Redis Cluster - Added support for on-demand and automated backups.
Cloud Interconnect - Dedicated Interconnect and Cross-Cloud Interconnect VLAN attachments support maximum bandwidths up to 100 Gbps.
Resource Manager - You can use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud Data Fusion resources.
Cloud Run - You can now use dual-stack subnets with internal IPv6 to let your Cloud Run services and jobs send IPv4 and internal IPv6 traffic to a VPC network with Direct VPC egress. The Cloud Run Builder (roles/run.builder) IAM role is now available in preview.
Security Command Center - Risk Engine, which generates attack exposure scores and attack paths for your high-value resources, now supports the spanner.googleapis.com/Instance resource type.
Cloud Trace - The Trace Explorer page in the Google Cloud console has been refreshed. Introducing trace scopes.
Workload Manager - Generally available: You can define organizational best practices for your workloads using custom rules written in the Rego policy language.