Google Cloud Weekly - GCP Newsletter #437

Welcome to issue #437 February 10th, 2025

News

BigQuery Cloud Marketplace Official Blog Partners

BigQuery datasets now available on Google Cloud Marketplace - Google Cloud Marketplace now offers BigQuery datasets, enabling organizations to access high-quality data for analytics, AI, and business applications. Customers can easily find, buy, and consume datasets from a centralized catalog, simplifying data procurement and reducing administrative burden.

Databases Generative AI Official Blog

Announcing public beta of Gen AI Toolbox for Databases - Gen AI Toolbox for Databases, an open-source server, simplifies the creation, deployment, and management of sophisticated generative AI (gen AI) tools capable of querying databases with secure access, robust observability, scalability, and comprehensive manageability.

Cloud Memorystore Databases Official Blog

Rightsize your Memorystore for Redis Clusters with open-source Autoscaler - Google Cloud’s Memorystore Cluster Autoscaler, now available on GitHub, automatically scales Memorystore for Redis Clusters based on utilization metrics. The Autoscaler can be deployed to Cloud Run or GKE and supports various scaling scenarios, including standard, plateau, batch, and spiky workloads.

Cloud SQL Databases Official Blog

Solve database bottlenecks faster with the latest query insights for Cloud SQL Enterprise Plus - Cloud SQL Enterprise Plus edition now provides enhanced query insights capabilities to help developers and DBAs build and deploy high-performing applications.

Official Blog Partners

Helping our partners co-market faster with AI - Google Cloud's Partner Marketing Studio now features Gemini, an AI-powered content creation tool. Partners can customize pre-built campaigns or generate original content from scratch, tailored to their specific audience and industry.

GCP Certification Official Blog

Empowering women with cloud and AI skills: Register for the Google Launchpad for Women series - Google Cloud is offering a free three-week "Google Launchpad for Women" series to empower women in their customer ecosystem to develop their cloud and AI skills. Registration is now open to Google Cloud customers in the Americas, EMEA, and Japan, with the program beginning on March 4th in Japan and March 6th in the Americas and EMEA.

Official Blog

Getting started with Swift’s Alliance Connect Virtual on Google Cloud - Swift’s Alliance Connect Virtual can be deployed on Google Cloud, allowing financial institutions to leverage cloud infrastructure’s scalability, flexibility, and cost-effectiveness while maintaining security and reliability standards.

Cloud Marketplace Official Blog Partners

Announcing partner-delivered professional services on Google Cloud Marketplace - Google Cloud Marketplace now offers professional services from qualified independent software vendors (ISVs) and systems integrators (SIs). Customers can find, buy, deploy, and manage partner-provided solutions and services to support the end-to-end lifecycle of their purchased Google Cloud Marketplace solutions.

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Databases Google Kubernetes Engine Official Blog

How we improved GKE volume attachments for stateful applications by up to 80% - Google Kubernetes Engine (GKE) recently introduced an enhancement that significantly improves the speed at which Persistent Disks (PDs) are attached and detached. This blog post describes the new and improved technique for large-scale disk attach and detach operations.

Official Blog Threat Intelligence

CVE-2023-6080: A Case Study on Third-Party Installer Abuse - Mandiant researchers discovered a local privilege escalation vulnerability, tracked as CVE-2023-6080, in Lakeside Software's SysTrack Agent version 10.7.8. By exploiting flaws in the Microsoft Software Installer (MSI) repair action, an attacker with low-privilege access could escalate privileges locally.

DevOps Kubernetes

How I Optimised Kubernetes Autoscaling in GKE? A Practical Guide to Balancing Performance & Cost! - Learn how I used past data, HPA, and resource limits to scale Kubernetes efficiently in GKE — cutting costs while ensuring peak performance!

Migration

Accelerating Cloud Migration with the Migration Factory and Migration Tools - What is a cloud migration factory? How does it differ from the cloud centre of excellence? What migration tools do you need?

Google Kubernetes Engine Infrastructure Kubernetes Networking

Google SecOps Managed Forwarder on Google Kubernetes Engine - This article presents a blueprint for a modular and scalable solution for a SecOps forwarder deployment on Google Kubernetes Engine (GKE).

AI Kubeflow Paywall

Deploying Kubeflow on Intel Xeon CPUs on Google Cloud Platform - This article provides a step-by-step guide to deploying Kubeflow on GCP, including setting up a GCP project, installing Anthos, creating a Kubernetes cluster, and deploying Kubeflow.

AWS Azure Migration

Stop bringing old practices to the cloud - In the blog, I will review some of the common old (and perhaps bad) practices organizations are still using today in the cloud.

App Development, Serverless, Databases, DevOps

Official Blog Public Sector

Empowering federal agencies with a more secure and efficient developer experience - Google Cloud empowers federal agencies to meet FedRAMP, IL4, and IL5 compliance with ease, while enhancing developer productivity with tools like Cloud Workstations and Gemini Code Assist.

Fixing “Error 403: Insufficient Regional Quota to Satisfy Request: Resource “SSD_TOTAL_GB”” When… - Google Cloud Platform (GCP) users on the free tier or with limited quotas often encounter this error.

Microservices Serverless Terraform VPC

Building a Secure Serverless Microservice on GCP with VPC and Terraform - How We Deployed a Timestamp/IP API Using Cloud Run, Serverless VPC Access, and Infrastructure-as-Code.

Cloud Run FinOps

Optimising the Cost of our Video Intelligence Service on Google Cloud Run, Aided with Billing Reporting - Using the Google Cloud Billing Dashboard to see where our spend is going, and then taking steps to eliminate that cost.

AlloyDB Networking

How to use Auth Proxy and Connectors with PSC? - This article demonstrates how to connect applications in one GCP organization to an AlloyDB instance in another organization using Private Service Connect (PSC), the AlloyDB Auth Proxy, and language connectors.

AlloyDB

Two Ways to Build a Vector Store on GCP in No Time - This article explores two approaches to building a vector store on Google Cloud Platform (GCP) for vector search capabilities: using AlloyDB with a managed relational database or hosting a dedicated vector database like ChromaDB.

Big Data, Analytics, ML&AI

Airflow Cloud Composer Cloud Monitoring

XCom in Cloud Composer 2: A Blessing and a Curse for Airflow Data Sharing - XCom, a feature in Apache Airflow and Google Cloud Composer, enables tasks within a DAG to exchange small amounts of data. While useful for sharing metadata or small result sets, its misuse can lead to environment update/upgrade failures and snapshot issues.

BigQuery

How I Slashed BigQuery Query Time by 69%: A Performance Optimization Journey - Analyzing BigQuery execution graph to identify the Input stage as the bottleneck and discovering significant data skewness.

Jupyter Notebook Vertex AI

Monitoring Resource Usage of Google Cloud VertexAI JupyterLab Notebooks - A Bash script to monitor resource usage of JupyterLab notebooks in Google Cloud Vertex AI Workbench. An alert is triggered if total memory usage exceeds a specified threshold. This helps MLOps engineers identify and address resource-intensive notebooks, ensuring system stability and smooth collaboration.

Gemini Generative AI Official Blog

How to build a strong brand logo with Imagen 3 and Gemini - Build a unique and compelling brand logo using Imagen 3, Gemini, and the Python Library Pillow.

Vertex AI

Using Vertex AI Pipelines for an MLOps Workflow: A GA4 Recommendation System Case Study - This article demonstrates how to implement a production-grade MLOps workflow on Google Cloud Platform using Vertex AI Pipelines.

Gemini Google Kubernetes Engine Machine Learning

Get Started with n8n on Google Cloud for AI Workflow Automation - n8n is a no-code workflow automation platform that integrates with 400+ products. This blog post shows how to build a workflow running on a self-hosted deployment using Google Kubernetes Engine.

AI

Scale-to-Zero LLM Inference with vLLM, Cloud Run and Cloud Storage FUSE - Deploy LLMs on Cloud Run and pay only when you use them.

AI Generative AI Security

Google Cloud Model Armor - Google Cloud Model Armor is a fully managed service that helps secure your generative AI applications by screening prompts and responses for security risks.

AI Google Kubernetes Engine Kubernetes

Leverage open models like Gemma 2 on GKE with LangChain

Various

Official Blog Sustainability

Designing sustainable AI: A deep dive into TPU efficiency and lifecycle emissions - Google's Tensor Processing Units (TPUs) have improved the carbon efficiency of AI workloads by 3x over four years, from TPU v4 to Trillium. The study found that operational electricity emissions comprise over 70% of a Google TPU's lifetime emissions, emphasizing the importance of energy-efficient AI chips and carbon-free electricity.

AI Official Blog Public Sector

5 AI trends shaping the future of the public sector in 2025 - Artificial intelligence (AI) is poised to become a cornerstone of public sector operations in 2025, transforming how agencies make decisions and serve constituents. Key trends include multimodal AI for analyzing diverse data, AI agents for handling complex tasks, assistive search for improved knowledge work, AI-powered constituent experiences, and enhanced security with AI.

GCP Certification

Passing the Google cloud developer exam

Slides, Videos, Audio

Security Podcast - #209 vCISO in the Cloud: Navigating the New Security Landscape (and Don’t Forget Resilience!).

 

Releases

AlloyDB - The AlloyDB Omni Kubernetes operator version 1.3.0 is generally available (GA).

Anthos clusters on VMware - Google Distributed Cloud (software only) for VMware 1.31.100-gke.136 is now available for download. The following functional change was made in 1.31.100-gke.136: Removed support in the Konnectivity server (konnectivity-server) for the following weak cryptographic cipher suites: TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256. The following issues are fixed in 1.31.100-gke.136: Fixed an issue to prevent checking for add-on node IP addresses for HA admin clusters with three control-plane nodes and no add-on nodes. The 1.31.100-gke.136 release includes many vulnerability fixes. Google Distributed Cloud (software only) for VMware 1.30.500-gke.126 is now available for download. The following issues are fixed in 1.30.500-gke.126: Fixed an issue that caused non-HA cluster upgrades to get stuck creating or updating cluster control plane workloads. The 1.30.500-gke.126 release includes many vulnerability fixes. Google Distributed Cloud (software only) for VMware 1.29.1000-gke.94 is now available for download. The following issues are fixed in 1.29.1000-gke.94: Fixed an issue to prevent checking for add-on node IP addresses for HA admin clusters with three control-plane nodes and no add-on nodes. The 1.29.1000-gke.94 release includes many vulnerability fixes.

Apigee Integrated Portal - On February 4, 2025 we released a new version of the Apigee integrated portal. This release includes general improvements to performance and availability.

Backup and DR Service - The Backup and DR service has added support for activating the management console and for storing backup vault data in the following regions: us-east5, asia-northeast1, and asia-southeast2.

Apigee UI - On February 3, we released an updated version of the Apigee UI. GA of Apigee analytics dashboards in Google Cloud console: You can now access these dashboards in the Apigee UI in Google Cloud console: Analytics > Developer analysis > Developer engagement; Analytics > Developer analysis > Traffic composition; Analytics > End user analysis > Devices; Analytics > End user analysis > Geomap.

Cloud Architecture Center - Google Cloud Architecture Framework: Security, privacy, and compliance: Major update to align the recommendations with core principles of security.

BigQuery - You can create a JavaScript user-defined aggregate function by using the CREATE AGGREGATE FUNCTION statement. The BigQuery ML ML.BUCKETIZE and ML.QUANTILE_BUCKETIZE functions now support formatting of the function output. You can now use the BY NAME and CORRESPONDING modifiers with set operations to match columns by name instead of by position.

Bigtable - Tags data for Bigtable instances is now included in Cloud Billing data, letting you use tagged Bigtable instances to gain visibility into your resource usage and spending.

Billing - Google Cloud Marketplace now uses the agency model for marketplace services for UK, FR, and DE customers.

Chronicle - Google SecOps has updated the list of supported default parsers.

Chronicle Security Operations - The collector ID representing Google Cloud direct ingestion in the Cloud Monitoring metrics and BigQuery has changed from dddddddd-dddd-dddd-dddd-dddddddddddd to aaaa3333-aaaa-3333-aaaa-3333aaaa3333. Google SecOps has updated the list of supported default parsers.

Chronicle SOAR - Release 6.3.33 is now in General Availability. Release 6.3.34 is currently in Preview.

Cloud Composer - Starting March 2025, the default version for new Cloud Composer environments changes from Cloud Composer 2 to Cloud Composer 3. Cloud Composer 2 is no longer available in Mexico (northamerica-south1). All Cloud Composer environments' GKE clusters are set up with maintenance exclusions from January 21, 2025 to February 10, 2025.

Config Connector - Config Connector version 1.128.0 is now available. New Beta resources (direct reconciler): ApigeeEnvgroup - Define environment groups to specify the hostnames for routing traffic to Apigee environments. New Fields: SpannerInstance - You need to use the alpha.cnrm.cloud.google.com/reconciler: direct annotation on the SpannerInstance resource to opt in to these features. Reconciliation Improvements: We have added support for direct reconciliation to more resources, with opt-in behaviour. New Alpha resources (direct reconciler): IAPSettings - Customize the Identity-Aware Proxy (IAP) settings for applications and services running on Google Cloud Platform. DataformRepository fields validation error.

Data Catalog - Data Catalog is deprecated and will be discontinued on January 30, 2026.

Dataproc Serverless - Spark UI for Dataproc Serverless Batches and Interactive sessions, which lets you monitor and debug your serverless Spark workloads, is now available for CMEK (Customer-Managed Encryption Keys) and Assured Workloads.

Dataproc - New Dataproc on Compute Engine subminor image versions: 2.0.131-debian10, 2.0.131-rocky8, 2.0.131-ubuntu18; 2.1.79-debian11, 2.1.79-rocky8, 2.1.79-ubuntu20, 2.1.79-ubuntu20-arm; 2.2.45-debian12, 2.2.45-rocky9, 2.2.45-ubuntu22.

Cloud Quotas - Terraform support for quota adjuster is available in Preview.

Gemini - IntelliJ Gemini Code Assist now has a setting to block suggestions that contain citations. Fixed issues with Google Cloud project settings for VS Code Gemini Code Assist.

Identity-Aware Proxy - Generally available: You can configure Workforce Identity Federation with IAP, and use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using Identity and Access Management (IAM), so that the users can securely access services deployed on Google Cloud or on-premises. Generally available: Support for service account JWT authentication for Identity Platform and Workforce Identity Federation configured applications.

Integration Connectors - The Azure AD connector now supports event subscription which you can leverage in your integrations by using the Azure AD trigger.

Google Kubernetes Engine - (2025-R05) Version updates: GKE cluster versions have been updated. Weighted load balancing for GKE External LoadBalancer Services is now generally available on GKE clusters running version 1.31.0-gke.1506000 or later. A bug in the image streaming feature caused authentication-related failures in specific scenarios when the workload tried to access container image data. A security vulnerability was discovered in the Google Secret Manager Provider for Secret Store CSI Driver. GKE cluster notifications have the following new capabilities: You can now receive cluster notifications through Cloud Logging. Starting on February 3, 2025, GKE will create a new service agent named service-{PROJECT_NUMBER}@gcp-sa-gkenode.iam.gserviceaccount.com that the GKE system workloads that run on your worker nodes can use.

GKE new features - Weighted load balancing for GKE External LoadBalancer Services is now generally available on GKE clusters running version 1.31.0-gke.1506000 or later. GKE cluster notifications have the following new capabilities: You can now receive cluster notifications through Cloud Logging.

Cloud Logging - You can now create and manage your log views by using the Google Cloud console.

Memorystore for Redis Cluster - Multi-VPC support for Memorystore for Redis Cluster is now Generally Available (GA).

Cloud Monitoring - When you create a snooze from the Incident details page, you can now apply the snooze to other incidents that have one or more of the same resource labels. You can now create custom organization policies on alerting policies, notification channels, and snoozes.

Resource Manager - You can now create custom organization policies for Workflows. You can now create custom organization policies for Cloud Monitoring alerting policies, notification channels, and snoozes.

Cloud Run - When deploying a function in Cloud Run, you can now specify an Artifact Registry image repository to store the container (Preview).

Security Command Center - Protect your AI applications using Model Armor: Model Armor is a Google Cloud service that enables you to apply content safety and content security controls to LLM prompts and responses to mitigate risks such as sensitive data leakage, prompt injection, and offensive content.

Sensitive Data Protection - The CREDIT_CARD_EXPIRATION_DATE infoType detector is available in all regions. Regional endpoints for Sensitive Data Protection are available in the eu and us multi-regions. The CVV_NUMBER infoType detector is available in all regions.

Service Mesh - Managed Cloud Service Mesh. A new version of the data plane for Gateway API is now generally available (GA) as a part of managed Cloud Service Mesh for clusters on GKE Rapid channel. Managed Cloud Service Mesh starts using Envoy.1.33 for Gateway API on GKE clusters with rapid channel.

Cloud Spanner - Informational foreign keys are available in Spanner.

Cloud SQL MySQL - You can now configure customer-managed CA (CUSTOMER_MANAGED_CAS_CA) as the server certificate authority (CA) mode when you create a Cloud SQL instance.

Cloud SQL Postgres - You can now migrate a subset of databases from an external server to a destination Cloud SQL instance. You can now configure customer-managed CA (CUSTOMER_MANAGED_CAS_CA) as the server certificate authority (CA) mode when you create a Cloud SQL instance.

Cloud SQL SQL Server - You can now configure customer-managed CA (CUSTOMER_MANAGED_CAS_CA) as the server certificate authority (CA) mode when you create a Cloud SQL instance.

Cloud Storage - Announced billing changes for accessing Cloud Storage through BigQuery take effect Feb 21, 2025.

Workflows - Support for retrieving the detailed history of a workflow execution (expected iterations, in-scope variables) is available in Preview. v1. Support for creating custom organization policy constraints is available.

If you have a suggestion, feedback, or a link you want to share, feel free to email me at zdenko@gcpweekly.com

Have a great week,

Zdenko
