Welcome to issue #426 November 25th, 2024

News

Announcing Mistral AI’s Large-Instruct-2411 on Vertex AI - Google Cloud has announced the availability of Mistral AI's newest model, Mistral-Large-Instruct-2411, on Vertex AI Model Garden. This advanced dense large language model (LLM) has 123B parameters and offers strong reasoning, knowledge, and coding capabilities.

Build, deploy, and promote AI agents through Google Cloud’s AI agent ecosystem - Google Cloud has launched an AI agent ecosystem program to help partners build and co-innovate AI agents. The program provides product support, marketing amplification, and co-selling opportunities to partners.

Announcing new updates to Cloud Translation AI, now covering 189 languages - Google Cloud's Translation AI now supports 189 languages, including Cantonese, Fijian, and Balinese, while maintaining fast performance. You can customize your translations' tone and style with as few as five examples, or use up to 30,000 for ultimate precision.

Make IAM for GKE easier to use with Workload Identity Federation - Google Cloud has made it easier to use Workload Identity Federation for GKE, simplifying the process of granting access to Cloud APIs using OpenID Connect. This update allows Google Cloud IAM policies to directly reference GKE workloads and Kubernetes service accounts, removing the need to manage another set of Google Cloud service accounts.

Google Cloud NetApp Volumes now available for OpenShift on Google Cloud - NetApp Volumes is now available for OpenShift on Google Cloud.

New ways to protect your sensitive data with Chrome Enterprise - Chrome Enterprise offers advanced security and DLP capabilities to protect sensitive company data. New enhancements include Chrome Security Insights for proactive threat identification, URL Filtering Audit Mode for refining web access policies, granular copy and paste protections, watermarking, screenshot protections, Evidence Locker for secure storage of files under investigation, Chrome Extension Telemetry in Google Security Operations for deeper visibility into browser activity, and mobile threat protections for Android devices.

New Cassandra to Spanner adapter simplifies Yahoo's migration journey - The new Cassandra to Spanner proxy adapter simplifies the migration of Cassandra workloads to Spanner, without requiring changes to application logic. Yahoo successfully migrated from Cassandra to Spanner using the proxy adapter, reaping the benefits of improved performance, scalability, consistency, and operational efficiency.

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations - GLASSBRIDGE is an umbrella group of four companies that operate networks of inauthentic news sites and newswire services spreading pro-PRC influence operations. These firms bulk-create and operate hundreds of domains that pose as independent news websites from dozens of countries but publish thematically similar, inauthentic content aligned with the political interests of the People’s Republic of China (PRC).

How Vodafone is using gen AI to enhance network life cycle - Vodafone and Google Cloud are collaborating to integrate generative AI into Vodafone's network departments to drive innovation, optimize costs, and enhance efficiency.

Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence - Gemini, a powerful malware analysis tool from Google Cloud, has been enhanced with new capabilities to tackle obfuscation techniques and provide real-time insights into indicators of compromise (IOCs). By integrating the Code Interpreter extension, Gemini can now dynamically create and execute code to deobfuscate specific strings or code sections. Additionally, Google Threat Intelligence (GTI) function calling enables Gemini to query GTI for additional context on URLs, IPs, and domains found within malware samples.

Migrating MongoDB to GKE: A Secure and Scalable Solution - Migrating MongoDB to Google Kubernetes Engine (GKE) offers a secure, scalable, and high-performance solution for managing MongoDB clusters. By leveraging Kubernetes' orchestration capabilities and Google Cloud's infrastructure, businesses can simplify database management, reduce operational overhead, and enhance security and availability. This migration can lead to long-term operational efficiency and cost savings.

How to Configure SSO with Entra ID (formerly Azure AD) and Google Cloud Identity SSO - Step-by-step instructions for configuring single sign-on with Entra ID and Google Cloud Identity.

Scaling Kubernetes: How to Seamlessly Expand Service IP Ranges - In Kubernetes, ensuring sufficient IP addresses for Services is crucial for scaling and maintaining infrastructure. This blog post explores how to extend the Service IP range in a Google Kubernetes Engine (GKE) cluster, including prerequisites, enabling beta APIs, adding a new ServiceCIDR, and deleting a ServiceCIDR.

Finally, a Secure and Simple Way to let your external CI/CD Pipeline Deploy to Private GKE Clusters - Learn how to use Workload Identity Federation and DNS-based control access to securely deploy to private GKE clusters from CI/CD tooling.

Secure access to sidecar containers logs in Cloud Logging - In Cloud Logging, you can grant different access permissions to logs generated by different containers in the same pod running on GKE. This is useful when sidecar containers provide helper functions to applications managed by different teams with varying access requirements. To achieve this, create a group for users needing sidecar log access, create a log bucket for sidecar logs, set up a log sink to route sidecar logs to the bucket, and grant the Logs View Accessor role on the bucket's default log view to the group.

App Development, Serverless, Databases, DevOps

Boost your Continuous Delivery pipeline with Generative AI - Generative AI technologies can enhance the quality and efficiency of software delivery by automating time-consuming tasks and providing valuable assistance in code reviews and release notes generation. The article demonstrates how to leverage Gemini models in Vertex AI within a continuous delivery pipeline to support code reviews and generate release notes for pull requests, showcasing the potential of AI-infused software development lifecycles.

Create a self-escalating chatbot in Conversational Agents using Webhook and Generators - This blog post demonstrates how to create a self-escalating chatbot using Google Cloud's generative AI solutions such as Vertex AI, Conversational Agents (Dialogflow CX), and others. The post provides a detailed step-by-step guide on building the knowledge base, gauging user satisfaction, escalating with generative AI, triggering the email with Cloud Run Functions, and connecting the pieces.

Tricky waterfall caching systems - This article describes the optimization of mobile apps and NodeJS backend APIs deployed on Cloud Run with an External Application Load Balancer.

Use GCP new gcsFuse feature to host web site in GCS with https and authentication - Shows how to use GCP new features to easily setup a web site in a private GCS bucket with https and authentication.

Optimize your Cloud Run Functions - Learn how to optimize your Cloud Run functions to achieve the best cost-performance balance. Understand the pricing formula and how it's affected by resource configuration and execution duration. Explore configuration changes, such as allocating resources based on workload needs and using concurrent requests per instance. Discover coding optimizations like moving heavy compute tasks to global execution state to benefit from CPU Boost during cold starts.

Step-by-Step Guide to Cloud Run Volume Mounts with Cloud Storage - The article provides a step-by-step guide to setting up Cloud Storage volume mounts in Cloud Run and demonstrates their advantage through a simple use case of uploading text files directly to a Cloud Storage bucket.

2x Faster, 40% less RAM: The Cloud Run stdout logging hack

Quick Guide: Setting Up Google OAuth2 Login with a Custom Domain in Firebase Auth - This guide shows how to set up Google OAuth2 login with a custom domain in Firebase Auth. This process involves configuring the GCP Console, setting up DNS settings, configuring Firebase, and updating your web server's JavaScript code.

You probably don't need to build large scale microservices. Here is what you can do instead

Big Data, Analytics, ML&AI

Tracking 10,000 IoT drones with PubSub and BigQuery GeoSpatial - Google Cloud's Pub/Sub and BigQuery provide a scalable solution for tracking and analyzing data from IoT drones. Pub/Sub ensures reliable data ingestion, while BigQuery's geospatial functions unlock insights from location data. This architecture has practical applications in precision agriculture, delivery logistics, infrastructure inspection, disaster response, and more. Explore more about BigQuery's geospatial capabilities in the official documentation.

Don't let resource exhaustion leave your users hanging: A guide to handling 429 errors - This article explores strategies to handle 429 resource exhaustion errors when using large language models (LLMs) in production. It discusses three practical approaches: backoff and retry mechanisms, dynamic shared quota, and provisioned throughput.

Monitoring BigQuery Costs at Plum: A Detailed Breakdown - The article explores monitoring and managing BigQuery costs by analyzing metadata from tools like dbt, Apache Airflow, Looker, and user-generated queries.

Streamlining Dynamic Data Masking in BigQuery with dbt and Terraform - What is Dynamic Data Masking and How Does It Differ from Anonymisation?

Save on GCP Log Storage Costs with Dataflow Compression - This blog introduces an automated solution for compressing and moving archival logs using Dataflow. The solution can reduce storage costs by up to 70% for large datasets, while adding minimal compute costs. Logs are compressed using the Zstandard algorithm and moved to cheaper storage classes. Lifecycle management policies can handle deletion, ensuring that storage is only used for as long as necessary. The code and instructions for setting this up can be found in the GitHub repository.

Build an AI agent for trip planning with Gemini 1.5 Pro: A step-by-step guide - Learn how to build an AI agent for trip planning with Gemini 1.5 Pro, a new feature that allows developers to connect Gemini models with external systems, APIs, and data sources. This enables the AI to retrieve real-time information and perform actions, making it more dynamic and versatile.

How Commerzbank is transforming financial advisory workflows with gen AI - Commerzbank, a leading German bank, partnered with Google Cloud to develop an advanced AI-powered solution that automates time-consuming financial advisory workflows. The solution involves a multi-step gen-AI architecture that includes audio chunking, advanced diarization and transcription, fact extraction, summary generation, and summary optimization.

RAG based application with AlloyDB and Vertex AI - This blog post demonstrates building a Retrieval Augmented Generation (RAG) application using AlloyDB for PostgreSQL, Vertex AI, and Cloud Run. It covers setting up the database, populating it with vector embeddings, deploying a retrieval service, and testing the application. The demo showcases how to extend Gen AI applications with information from Cloud Databases.

Batch prediction in Gemini - Batch generation in Gemini allows sending multiple generative AI requests in batches and getting responses asynchronously in Cloud Storage or BigQuery. It simplifies processing large datasets, saves time, and offers a 50% discount compared to standard requests.

Building a Real-Time Data Visualization Solution with Generative AI - Leveraging OpenAI, LangChain, and Streamlit for Intelligent Data Analysis and Visualization.

Various

Realizing AI's Full Potential where Workforce, Security, & Collaboration Matter - AI is rapidly reshaping the public sector, ushering in a new era of intelligent and AI-powered service delivery and mission impact. Google recently commissioned IDC to conduct a study that surveyed 161 federal CAIOs, government AI leaders, and other decision-makers to understand how agency leaders are leading in this new AI era. Key findings include the importance of cybersecurity, the potential of generative AI, and the need for an AI-ready workforce.

Slides, Videos, Audio

Security Podcast - #199 Your Cloud IAM Top Pet Peeves (and How to Fix Them).

Releases

AlloyDB - You can set up AlloyDB clusters using a copy of your Cloud SQL for PostgreSQL backup. Model endpoint management is generally available (GA) for both AlloyDB and AlloyDB Omni. AlloyDB for PostgreSQL is now available in the following region: northamerica-south1 (Mexico).

Google Distributed Cloud Bare Metal - 1.30. Release 1.30.300-gke.84 Google Distributed Cloud for bare metal 1.30.300-gke.84 is now available for download. Fixes: Fixed an issue where the control plane VIP might become unavailable because Keepalived didn't check correctly that the VIP is on a node with a responsive HAProxy. The following container image security vulnerabilities have been fixed in 1.30.300-gke.84: Low-severity container vulnerabilities: CVE-2024-43167 CVE-2024-43168. Known issues: For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section. 1.29. Release 1.29.800-gke.111 Google Distributed Cloud for bare metal 1.29.800-gke.111 is now available for download. Functionality changes: Added support for configuring the GKE Identity Service to enforce a minimum transport layer security (TLS) version of 1.2 for HTTPS connections. Fixes: Fixed the issue where non-root users can't run bmctl restore to restore quorum. The following container image security vulnerabilities have been fixed in 1.29.800-gke.111: High-severity container vulnerabilities: CVE-2023-49083 CVE-2024-0743 CVE-2024-6609 Medium-severity container vulnerabilities: CVE-2023-23931 CVE-2024-50096 CVE-2024-50099. Known issues: For information about the latest known issues, see Google Distributed Cloud for bare metal known issues in the Troubleshooting section.

GKE attached clusters - GKE attached clusters now supports clusters in the us-central1 region.

Anthos clusters on VMware - Google Distributed Cloud (software only) for VMware 1.30.300-gke.84 is now available for download. The following issues are fixed in 1.30.300-gke.84: Fixed the issue that additional manual steps are needed after disabling always-on secrets encryption with gkectl update cluster.

GDCV for VMware - Google Distributed Cloud (software only) for VMware 1.30.300-gke.84 is now available for download. The following issues are fixed in 1.30.300-gke.84: Fixed the issue that additional manual steps are needed after disabling always-on secrets encryption with gkectl update cluster.

Apigee UI - On November 22, 2024, we released an updated version of the Apigee UI. This release includes an improved Apps page for Apigee API Management in the Google Cloud console, making it easier to manage API products that are assigned to app credentials. Bug ID Description 357165778 Refactored app credential management experience Resolved issue causing the Apps page in the Apigee UI in Cloud console to crash when working with apps that have a large amount of products assigned to app credentials.

App Hub - App Hub supports regional infrastructure resources with global applications in Preview.

AppEngine Flexible Go - Go 1.23 is now available in preview.

AppEngine Flexible NodeJS - Node.js 22 is now generally available.

AppEngine Standard Go - Go 1.23 is now available in preview.

AppEngine Standard NodeJS - Node.js 22 is now generally available.

Application Integration - JavaScript task using Gemini If your integration flow requires any complex data mapping logic, Gemini can now recommend a JavaScript task.

Artifact Registry - Artifact Registry is available in the northamerica-south1 region (Queretaro, Mexico, North America). Artifact Registry now provides the option to enable or disable vulnerability scanning on individual repositories.

Cloud Asset Inventory - The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs. The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, and Feed APIs.

Assured Workloads for Goverment - The Sovereign Controls for Kingdom of Saudi Arabia control package now supports the following products: Sensitive Data Protection, Google Cloud Armor, Secret Manager. The Sovereign Controls for EU control package now supports the following products: BigQuery Data Transfer Service, Sensitive Data Protection, GKE Identity Service, Google Cloud Armor, Resource Manager, Secret Manager.

Backup and DR Service - This release fixes an issue with OnVault pool jobs leaving behind inactive cloudbacker mountpoints. This release deprecates support for ssh-rsa as the ssh Host Key algorithm. This release fixes the synchronization between database and log backup states. This release fixes an issue where SAP HANA database and log backup jobs using Persistent Disk snapshots would complete with a warning status due to metadata upload failures to Google Cloud Storage for disaster recovery. This release removes the 700 thread hard limit and psrv restarts at 800 threads when the psrv is at high usage. This release fixes the Tomcat vulnerability CVE-2024-38286. For a list of Kernel vulnerability fixes check the Release page.

BigQuery - You can create a search index on columns containing INT64 or TIMESTAMP data and BigQuery can optimize predicates that use those columns.

Bigtable - You can now create a Data Boost app profile and view Data Boost metrics in the Google Cloud console. Bigtable is now available in the northamerica-south1 (Mexico) region.

Compute Engine - The documentation has been updated to clarify that future reservation requests don't support E2 machine types. Generally available: Queretaro, Mexico, North America (northamerica-south1-a,b,c) has launched with E2, N4, C4, and C3D VMs available in all three zones.

Data Catalog - Data Catalog is now available in the Mexico (northamerica-south1) region.

Data Fusion - The Cloud SQL MySQL plugins version 1.11.5 is available in Cloud Data Fusion versions 6.8.0 and later.

Database Migration Service - Database Migration Service now lets you select if a connection profile is for a source or a destination database, based on your migration scenario.

Dataflow - Dataflow is available in Queretaro, Mexico (northamerica-south1).

Dataproc - Dataproc is now available in the northamerica-south1 region (Queretaro, Mexico).

Datastore - You can now use Active Assist to provide recommendations and insights that improve the reliability of your databases. Firestore in Datastore mode now supports the northamerica-south1 Queretaro region.

Deep Learning Containers - M126 release Base CUDA 12.3 container images are now available.

Deep Learning VM - M126 release CUDA 12.4 VM images are now available.

Cloud Deploy - You can now automatically promote releases across targets at scheduled times, in preview.

Cloud Data Loss Prevention - The November 4 release note announcing the release of sample discovery findings was published in error.

Cloud Filestore - Filestore is now available in Mexico (northamerica-south1 region).

Anti Money Laundering AI - Two major engine versions within the v4 tuning version are no longer used by customers and are deprecated as of today.

Cloud Firestore - You can now use Active Assist to provide recommendations and insights that improve the reliability of your databases. Firestore now supports the northamerica-south1 Queretaro region.

Cloud Functions - Cloud Run functions now supports the Go 1.23 runtime at the Preview release level. Cloud Run functions now supports the Node.js 22 runtime at the General Availability release level.

Gemini - Gemini Code Assist clients are communicating with a new API (cloudcode-pa.googleapis.com), which may require updates to your configuration.

Integration Connectors - The BigQuery connector now supports the Array data type.

Networking Interconnect - Dedicated Cloud Interconnect support is available in the following colocation facilities: Queretaro, Mexico, North America For more information, see the Locations table and Global Locations.

KMS - Cloud KMS is available in the following region: northamerica-south1 For more information, see Cloud KMS locations.

Google Kubernetes Engine - If your GKE cluster was created before version 1.26, you can now migrate it to cgroupv2. You can now specify a custom resource policy as a compact placement policy with node auto-provisioning in clusters running GKE version 1.31.1-gke.2010000 or later. (2024-R45) Version updates GKE cluster versions have been updated. GKE version 1.31 introduces increased scalability, allowing users to create clusters with up to 65,000 nodes. The northamerica-south1 region in Querétaro, Mexico location is now available. Performance horizontal Pod autoscaling (HPA) profile is now available in Preview for new and existing GKE clusters running version 1.31.2-gke.1138000 or later.

GKE new features - You can now specify a custom resource policy as a compact placement policy with node auto-provisioning in clusters running GKE version 1.31.1-gke.2010000 or later. GKE version 1.31 introduces increased scalability, allowing users to create clusters with up to 65,000 nodes. Performance horizontal Pod autoscaling (HPA) profile is now available in Preview for new and existing GKE clusters running version 1.31.2-gke.1138000 or later.

Live Stream API - You can now create a DVR session for a past, current, or future live stream.

Load Balancing - Regional external Application Load Balancers, cross-region internal Application Load Balancers, regional internal Application Load Balancers, regional internal proxy Network Load Balancers, cross-region internal proxy Network Load Balancers, and regional external proxy Network Load Balancers now support IPv4 and IPv6 (dual-stack) backends. Percentage-based request mirroring is now supported for the cross-region and regional internal Application Load Balancers.

Memorystore for Memcached - Added new Memorystore for Memcached region: Querétaro (northamerica-south1).

Cloud Interconnect - Dedicated Cloud Interconnect support is available in the following colocation facilities: Queretaro, Mexico, North America For more information, see the Locations table and Global Locations.

Cloud VPN - Cloud VPN is now available in region northamerica-south1 (Queretaro, Mexico, North America).

Cloud PubSub - Pub/Sub is now available in the northamerica-south1 region (Queretaro, Mexico, North America).

Cloud Run - Support for the Go 1.23 runtime is now in Preview. Support for the Node.js 22 runtime is now in general availability (GA).

Secret Manager - Creating custom organization policies with Secret Manager resources is now in General Availability (GA).

Secure Source Manager - Secure Source Manager supports email notifications.

Security Command Center - The Sensitive Data Protection discovery service is now included in Security Command Center Enterprise. As of November 13, 2024, Security Command Center can produce Cloud Entitlement Infrastructure Management (CIEM) findings for the following identity and access issues in AWS environments: Users, groups, or assumed IAM roles that are inactive and have one or more permissions.

Sensitive Data Protection - The November 4 release note announcing the release of sample discovery findings was published in error.

Service Mesh - Managed Cloud Service Mesh. The rollout of managed Cloud Service Mesh version 1.19 to all channels has completed.

Cloud Spanner - Spanner supports the ALL_DIFFERENT graph predicate in GoogleSQL-dialect databases. You can create Spanner regional instance configurations in Querétaro, Mexico (northamerica-south1).

Cloud SQL MySQL - You can now authenticate to Cloud SQL Studio by using IAM database authentication. For Cloud SQL Enterprise Plus edition instances, advanced disaster recovery (DR) is now generally available (GA). The write endpoint feature is now available in Preview. Support for the northamerica-south1 (Mexico) region. Cloud SQL now supports near-zero downtime when you enable or disable data cache for Cloud SQL Enterprise Plus edition primary instances. Cloud SQL now supports near-zero downtime for infrequent scale downs (once every three hours) of the compute size (vCPU, memory) of your Cloud SQL Enterprise Plus edition primary instance.

Cloud SQL Postgres - You can now set up AlloyDB clusters using a copy of your Cloud SQL for PostgreSQL backup. You can now authenticate to Cloud SQL Studio by using IAM database authentication. For Cloud SQL Enterprise Plus edition instances, you can now use advanced disaster recovery (DR) to simplify recovery and fallback processes after you perform a cross-regional failover. The write endpoint feature is now available in Preview. The pgvector extension is now upgraded from version 0.7.4 to version 0.8.0. Support for the northamerica-south1 (Mexico) region. Cloud SQL now supports near-zero downtime when you enable or disable data cache for Cloud SQL Enterprise Plus edition primary instances. Cloud SQL now supports near-zero downtime for infrequent scale downs (once every three hours) of the compute size (vCPU, memory) of your Cloud SQL Enterprise Plus edition primary instance.

Cloud SQL SQL Server - Support for the northamerica-south1 (Mexico) region.

Cloud Text-to-Speech - Cloud TTS Journey voices have been updated to improve the accuracy of generated speech.

Traffic Director - Managed Cloud Service Mesh. The rollout of managed Cloud Service Mesh version 1.19 to all channels has completed.

Vertex AI Workbench - v1. M126 release The M126 release of Vertex AI Workbench user-managed notebooks includes the following: Upgraded JupyterLab to 3.6.8. The M126 release of Vertex AI Workbench managed notebooks includes the following: Upgraded JupyterLab to 3.6.8. v2. M126 release The M126 release of Vertex AI Workbench instances includes the following: Preview: JupyterLab 4+ is available on new Vertex AI Workbench instances.

VMware Engine - VMware Engine ve1 nodes are now available in the following additional region: Dallas, Texas, North America (us-south1-b). VMware Engine ve2 nodes are now available in the following regions: São Paulo, Brazil (southamerica-east1) Santiago, Chile (southamerica-west1).

VPC Service Controls - VPC Service Controls feature: VPC Service Controls extends support for etags in the service perimeter resources.

Virtual Private Cloud - For auto mode VPC networks, added a new subnet 10.224.0.0/20 for the Mexico northamerica-south1 region.

Workstation - The Cloud Workstations base editor (Code OSS) has been upgraded to 1.94.2.