Google Cloud Weekly - GCP Newsletter #438

Welcome to issue #438 February 17th, 2025

News

Gemini Official Blog Security

Enhance Gemini model security with content filters and system instructions - Google Cloud's Gemini model offers enhanced security with content filters and system instructions. Content filters block harmful outputs, while system instructions provide proactive guidance to the model. Both features help ensure consistent and trustworthy interactions.

Go Networking Official Blog

Announcing Wasm support in Go 1.24 - Go 1.24 expands its capabilities for WebAssembly (Wasm), a binary instruction format that provides for the execution of high-performance, low-level code. With a new `go:wasmexport` compiler directive and the ability to build a reactor for the WebAssembly System Interface (WASI), developers can now export functions from their Go code to Wasm, fostering deeper integrations with Wasm hosts and unlocking new possibilities for Go-based Wasm applications.

Chrome Enterprise Official Blog

ChromeOS Flex: A Valentine’s Gift for Your PC - ChromeOS Flex is a free, cloud-based operating system designed to modernize older PCs and Macs. It offers fast boot times, built-in security, and a user-friendly interface. To install ChromeOS Flex, check compatibility, create a bootable USB drive, boot from the USB drive, and follow the on-screen instructions. Give your old laptop a new lease on life with ChromeOS Flex and enjoy a faster, more secure, and eco-friendly computing experience.

Apigee Official Blog

Operationalizing generative AI apps with Apigee - Apigee simplifies interactions with large language models (LLMs), improving efficiency and security. With Apigee, organizations can implement semantic caching to reduce latency, route requests to the most suitable LLM, set usage limits, and monitor and troubleshoot their gen AI applications.

Event Official Blog

Deep dive into AI with Google Cloud’s global generative AI roadshow - The Google Cloud GenAI Roadshow is a global event series that offers developers hands-on experience with Google's most advanced AI technologies.

Event Official Blog Security

Why you should check out our Next ‘25 Security Hub - The heart of our security presence at Next ‘25 will be the Security Hub, a dynamic space designed for engagement and exploration. Here, you can dive deep into the full portfolio of Google Cloud Security products, experience expanded demos, and get your most pressing questions answered by the engineers who build them.

Articles, Tutorials

Infrastructure, Networking, Security, Kubernetes

Google Kubernetes Engine Official Blog

With MultiKueue, grab GPUs for your GKE cluster, wherever they may be - MultiKueue, a feature of Kueue, enables workload distribution across multiple GKE clusters in different regions. By identifying clusters with available resources, MultiKueue simplifies the process of dispatching jobs to the optimal location. With MultiKueue, GKE, and Dynamic Workload Scheduler, you can wait for accelerators in multiple regions and Dynamic Workload Scheduler automatically provisions resources in the best GKE clusters as soon as they are available.

Official Blog Threat Intelligence

Cybercrime: A Multifaceted National Security Threat - Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions.

AI Networking Official Blog

Networking support for AI workloads - This blog post explores how the Cross-Cloud Network solution supports AI workloads.

Official Blog Security

5 ways Google Cloud can help you minimize credential theft risk - Google Cloud offers several measures to minimize credential theft risks, including multi-factor authentication, protecting sessions, protecting service credentials, identity and access controls, and security monitoring.

DevOps Paywall Security

Keyless Auth To Google Cloud From GitHub Actions With Workload Identity Federation - Stop using long-lived credentials to authenticate Google Cloud from GitHub Actions and use Google’s recommended way.

Security VPC Service Controls

Google Cloud — What is VPC Service Controls and Why Should You Care? (Article 1/3) - An overview of VPC Service Controls.

DevOps GitHub Google Kubernetes Engine Terraform

How to Provision a Cluster on GKE Using Terraform and Github Action - In this article, we will show you how to use Terraform and Github Action to provision a cluster on Google Kubernetes Engine (GKE).

DevOps Migration

Migrating Projects Between Google Cloud Organizations

Cloud Armor Visualization

Advanced Google Cloud Load Balancing & Cloud Armor Analytics with Custom Dashboards - Learn how to build advanced analytics dashboards with BigQuery, Grafana and Terraform, enabling functionalities found in solutions like Cloudflare.

App Development, Serverless, Databases, DevOps

DevOps Migration Official Blog

Accelerate your cloud journey using a well-architected, principles-based framework - The Google Cloud Architecture Framework provides comprehensive guidance to design, develop, deploy, and operate efficient, secure, resilient, high-performing, and cost-effective Google Cloud topologies that support your security and compliance requirements. The framework empowers you with a structured principles-oriented design methodology that unlocks many advantages, including enhanced security, privacy, and compliance, optimized cost, resilience, scalability, and flexibility, operational excellence, and predictable and workload-specific performance.

Databases GCP Experience Official Blog Retail

Where’s the beef? For São Paulo’s agricultural secretariat, it’s on Cloud SQL for SQL Server - The São Paulo State Secretariat of Agriculture and Supply (SAA-SP) modernized its data infrastructure by migrating its SQL Server database to Cloud SQL for SQL Server on Google Cloud. This strategic move brought several benefits, including simplified updates, automated backups, simplified high availability, enhanced security, on-demand scalability, and reduced IT costs.

Cloud SQL Database Migration Service

Shrink CloudSQL unused disk space using Database Migration Service - This blog post shows how to shrink unused disk space in CloudSQL using Database Migration Service.

AlloyDB Cloud SQL

Cloud SQL Enterprise Plus vs. AlloyDB: A pgbench Showdown for High-Performance OLTP - Cloud SQL Enterprise Plus and AlloyDB, two Google Cloud database services, were compared using the pgbench benchmark to determine their performance for high-performance OLTP workloads.

Cloud SQL Database Migration Service Infrastructure Migration

Solving Cross-VPC Cloud SQL Connectivity for DMS - This article discusses three methods for establishing private connectivity between Cloud SQL instances across different projects with different networks, a requirement for Database Migration Service (DMS) migrations.

Go Secret Manager

Managing Secret For Your Golang Apps With The GCP Secret Manager - This article explores how to securely store and manage secrets for Go applications using Google Cloud Secret Manager. We demonstrate how to create and access secrets using the Secret Manager CLI and provide code examples for both local development and deployment to Cloud Run.

Big Data, Analytics, ML&AI

Infrastructure Machine Learning Official Blog

Balance of power: A full-stack approach to power and thermal fluctuations in ML infrastructure - Google has observed unprecedented power fluctuations in its large-scale synchronized ML workloads, posing risks to data center infrastructure functionality, reliability, and energy efficiency. To address this, Google implemented a full-stack approach with compiler-based power shaping, achieving a 50% reduction in power fluctuations and a 10°C drop in temperature fluctuations with minimal performance impact.

BigQuery Dataform

Hands-on Guide to External Tables in BigQuery using Dataform - External tables in BigQuery allow you to query data directly from cloud storage without the need for data migration. By using Dataform to create and manage external tables, you can simplify data management and leverage BigQuery's powerful query engine.

BigQuery Gemini

Build an Agentic Workflow for your BigQuery data using LangGraph and Gemini - This blog post explores how LangGraph can be used to build agentic workflows for data stored in BigQuery.

AI BigQuery Machine Learning

Data Harmony: Leveraging Embeddings, Vector Search, and LLMs for MDM - Harness the power of Embeddings and Gemini for Fuzzy Matching in MDM systems.

BigQuery

SQL is all you need! - Supercharge BigQuery with BigFunctions.

Airflow Cloud Composer

Expose Cloud Composer database to Looker Studio - In this article, we'll show you how to expose your Cloud Composer database to Looker Studio. We'll create a proxy VM with an external IP and run a TCP proxy to forward traffic to the database. We'll also set up a HAProxy config file and copy it to the compute instance. Finally, we'll set up the connection in Looker Studio and verify that the Airflow tables appear.

Vertex AI Vertex AI Search

Detecting Similar SQL Queries with Vertex AI and Vector Search - Leveraging Google’s Vertex AI to find semantically similar SQL queries in a fictional dataset.

AI Generative AI

1 Big Mistake I Made When I Was First Learning about AI Prompting - Allan Alfonso shares a crucial mistake he made when first learning about AI prompting: relying solely on one-sentence prompts. He discovered that effective prompting involves a structured approach, including elements like persona, context, task, example, output format, and tone. By providing more than just a single sentence, users can enhance the AI's responses and leverage its full potential. This highlights the importance of viewing mistakes as learning opportunities in the evolving field of AI prompting.

Slides, Videos, Audio

Kubernetes Podcast - #247 Kubernetes History Inspector, with Kakeru Ishii.

Security Podcast - #210 Cloud Security Surprises: Real Stories, Real Lessons, Real "Oh No!" Moments.


Releases

VPC Service Controls - VPC Service Controls feature: Support for using third-party identities (both single identities and groups) in the ingress and egress rules to allow access to resources protected by a service perimeter is generally available.

AlloyDB - Support for advanced query insights, index advisor, and active queries is now generally available (GA) in AlloyDB for PostgreSQL. You cannot enable advanced query insights on clusters with secondary instances. The extension vector, which includes pgvector functions and operators, is updated to version 0.8.0.

Anthos clusters on VMware - Google Distributed Cloud (software only) for VMware 1.31.200-gke.58 is now available for download. The following issue is fixed in 1.31.200-gke.58: Fixed an issue that caused Runtime: out of memory errors after running gkeadm to create or upgrade clusters. The 1.31.200-gke.58 release includes many vulnerability fixes.

Apigee API Hub - IAM conditions for fine-grained access: API hub now integrates with IAM Conditions, enabling you to define and enforce granular, conditional attribute-based access control for your API hub resources. Enhanced onboarding experience: After provisioning your API hub instance in your Google Cloud project, you'll now see an updated Overview page. Auth support for Vertex AI extensions: API hub now supports the following authentication configurations for creating Vertex AI extensions: API Key: Authenticate using API keys stored in Secret Manager. Resource ID length limits increased: The maximum allowed length for API hub resource IDs has been increased.

Apigee UI - On February 11, 2025, we released an updated version of the Apigee UI. Bug ID 356780408: Fixed issue preventing users from saving a proxy revision. Resolved issue in the proxy editor where navigating away from a proxy file containing an error would not properly clear the error state, requiring users to reload the page to save the edited proxy.

Cloud Asset Inventory - The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies).

BigQuery - BigQuery data preparation provides context-aware join operation recommendations from Gemini.

Carbon Footprint - For the January 2025 semi-annual methodology refresh (released in mid-February 2025), we implemented the following improvements and updated the carbon model to version 12: Improved internal cost accounting for Vertex AI and Notebooks services.

CDN - Cloud CDN supports invalidation by using cache tags with faster performance and higher rate limits in Preview.

Certificate Authority Service - Custom Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions for certificate authorities (CAs) are now generally available (GA).

Chronicle - The following parser documentation is now available: Collect NGINX logs; Collect Proofpoint On-Demand logs; Collect Qualys asset context logs; Collect Qualys Continuous Monitoring logs; Collect Qualys Scan logs; Collect Qualys Vulnerability Management logs; Collect Qualys Virtual Scanner logs; Collect ThreatConnect IOC logs; Collect Akamai DNS logs; Collect Aruba switch logs; Collect Bitdefender logs; Collect HashiCorp audit logs; Collect Microsoft SQL Server logs; Collect FireEye NX logs; Collect Illumio Core logs; Collect Microsoft Azure Key Vault logging logs; Collect BeyondTrust Remote Support logs; Collect BlueCat DDI logs; Collect BMC Helix Discovery logs; Collect Brocade ServerIron logs; Collect Check Point firewall logs; Collect CyberArk EPM logs; Collect CyberArk PAM logs; Collect Dell ECS logs; Collect Dell switch logs; Collect IBM Security Verify Access logs; Collect McAfee Firewall Enterprise logs; Collect NetApp ONTAP logs; Collect Trend Micro Apex One logs; Collect Trend Micro Deep Security logs; Collect Versa Networks Secure Access Service Edge (SASE) logs; Collect VMware Networking and Security Virtualization (NSX) Manager logs; Collect Zscaler Cloud Access Security Broker (CASB) alert logs. The following is a correction to the release note published on December 22, 2024.

Chronicle Security Operations - Manage user preferences: The ability to manage platform time zones, date/time settings, and notifications has been relocated to the new User Preferences dialog, accessible from your avatar. This feature is available in Preview. The following parser documentation is now available: Collect NGINX logs; Collect Proofpoint On-Demand logs; Collect Qualys asset context logs; Collect Qualys Continuous Monitoring logs; Collect Qualys Scan logs; Collect Qualys Vulnerability Management logs; Collect Qualys Virtual Scanner logs; Collect ThreatConnect IOC logs; Collect Akamai DNS logs; Collect Aruba switch logs; Collect Bitdefender logs; Collect HashiCorp audit logs; Collect Microsoft SQL Server logs; Collect FireEye NX logs; Collect Illumio Core logs; Collect Microsoft Azure Key Vault logging logs; Collect BeyondTrust Remote Support logs; Collect BlueCat DDI logs; Collect BMC Helix Discovery logs; Collect Brocade ServerIron logs; Collect Check Point firewall logs; Collect CyberArk EPM logs; Collect CyberArk PAM logs; Collect Dell ECS logs; Collect Dell switch logs; Collect IBM Security Verify Access logs; Collect McAfee Firewall Enterprise logs; Collect NetApp ONTAP logs; Collect Trend Micro Apex One logs; Collect Trend Micro Deep Security logs; Collect Versa Networks Secure Access Service Edge (SASE) logs; Collect VMware Networking and Security Virtualization (NSX) Manager logs; Collect Zscaler Cloud Access Security Broker (CASB) alert logs. The following is a correction to the release note published on December 22, 2024.

Chronicle SOAR - Release 6.3.35 is currently in Preview. New options for closing a case: This feature is currently in Preview. Release 6.3.34 is now in General Availability.

Compute Engine - Starting as soon as February 14, 2025, projects might start seeing a Data protection pane on the Create an instance page in the Google Cloud console. You can apply a Backup and DR Service backup plan during instance creation.

Database Migration Service - Database Migration Service for homogeneous AlloyDB for PostgreSQL migrations now lets you migrate specific databases from your source instance. Database Migration Service for homogeneous Cloud SQL for SQL Server migrations now lets you promote, restart, or view additional metrics for each database individually.

Dataproc - Data Lineage for Dataproc Hive is now in Public Preview, which can be enabled using the Hive Lineage initialization action.

Document AI - Custom extractor model pretrained-foundation-model-v1.4-2025-02-05 powered by Gemini 2.0 Flash LLM is available as Public Preview in US and EU regions with improved accuracy.

Cloud Functions - Cloud Run functions created with the Cloud Functions (v2) API (cloudfunctions.googleapis.com) can now be detached so that they can only be managed through the Cloud Run Admin API (run.googleapis.com).

Looker - Looker (Google Cloud core) and Looker (original) changes. Looker 25.2 is expected to include the following changes, features, and fixes. Expected Looker (original) deployment start: Tuesday, February 18, 2025; expected Looker (original) final deployment and download available: Thursday, February 27, 2025; expected Looker (Google Cloud core) deployment start: Tuesday, February 18, 2025; expected Looker (Google Cloud core) final deployment: Tuesday, March 4, 2025. The Search Content Summaries API endpoint now returns more secure results when a closed system is enabled for an instance. Looker now prevents developers from creating new models named system__activity. The Chart Config Editor now supports the median function in the formatters.select parameter. The manage_modelsets_restricted permission is now generally available. The manage_schedules permission is now generally available. An issue has been fixed where downloading a dashboard as a PDF with multiple pages could cause some content to be cut off. An issue has been fixed where using a Snowflake or Postgres connection could trigger the following error message: Driver cannot be initialized: can't modify frozen String. An issue has been fixed where creating a visualization with no unpivoted dimensions could cause Looker to display a vague error message for some chart types. An issue has been fixed where encoded embed domains could not be used with the Embed SDK. An issue has been fixed where the Marketplace auto-update and auto-install processes could cause other parts of Looker to take longer to respond. An issue has been fixed where searching terms with multiple words in the field picker would match each word separately. An issue has been fixed where an invalid conditional formatting string could cause the Explore page to crash. An issue has been fixed where actions whose connection tests failed would continue to run excessive tests in the background.
An issue has been fixed where Looker did not correctly apply theme text colors to axis labels on timeline visualizations. An issue has been fixed where setting a long external_group_id when creating an embed user caused Looker to display a vague error. An issue has been fixed where navigating to a Look from another Look could cause incorrect System Activity records. An issue has been fixed where reordering columns in an Explore could cause hidden table calculations to be removed from the table. An issue has been fixed where adding multiple dashboard filters to the same date field could cause Looker to remove filters from the dashboard. An issue has been fixed where tables could be cut off on dashboard PDFs that included multiple pages. An issue has been fixed where dashboard filters could prevent users from using commas to add multiple filter conditions. An issue has been fixed where certain custom visualization configurations could cause rendered PDF downloads to be blank. An issue has been fixed where the LookML Validator could surface outdated LookML errors that were related to extensions. An issue has been fixed where exploring from a merge query on an embedded dashboard could lead to a blank page. An issue has been fixed where embed users were unable to see certain shared folders.

Cloud Monitoring - The Dashboards page of the Cloud Console has been refreshed. You can now use a variable to control the visibility of a dashboard widget.

Cloud NAT - Cloud NAT gateways for Public NAT support IPv6 to IPv4 network address translation in Preview.

Resource Manager - Custom organization policies are now generally available for Cloud Logging. Custom organization policies are now generally available for security posture resources. Custom organization policies are now generally available for Spanner. Custom organization policies are now generally available for Identity-Aware Proxy. Custom organization policies are now generally available for Developer Connect. Custom organization policies are now generally available for Dataproc Serverless. Custom organization policies are now generally available for Cloud DNS.

Security Command Center - The attack path simulations feature can now automatically set the resource value of a Vertex AI dataset based on the sensitivity of the data that the dataset contains. Security Command Center now supports integration with Snyk. Cloud Infrastructure Entitlement Management (CIEM) has launched support for the following: AWS Managed Microsoft AD and on-premises Active Directory identities.

Sensitive Data Protection - The JAPAN_CORPORATE_NUMBER infoType detector is available in all regions. The RELIGIOUS_TERM infoType detector is now generally available in all regions.

Service Extensions - Service Extensions plugins support Go-compiled Wasm, in addition to Rust and C++.

Cloud Spanner - Managed autoscaler is Generally Available. Custom organization policies are now generally available for Spanner.

Cloud SQL MySQL - Cloud SQL for MySQL lets you recreate a lagging replica when replication falls behind a predefined length of time. Cloud SQL for MySQL vector search is now generally available. You can now use a custom DNS name to connect to your Cloud SQL instances by adding a custom subject alternative name (SAN) to your Cloud SQL instances.

Cloud SQL Postgres - Cloud SQL for PostgreSQL now supports the tds_fdw extension. You can now use a custom DNS name to connect to your Cloud SQL instances by adding a custom subject alternative name (SAN) to your Cloud SQL instances.

Cloud SQL SQL Server - Point in time recovery (PITR) is available by default for all Cloud SQL Enterprise Plus edition for SQL Server instances. You can now use a custom DNS name to connect to your Cloud SQL instances by adding a custom subject alternative name (SAN) to your Cloud SQL instances.

Cloud Text-to-Speech - Journey voices have been rebranded as Chirp HD voices.

If you have a suggestion, feedback or a link you want to share, feel free to email me at zdenko@gcpweekly.com

Have a great week,

Zdenko
