Google Cloud release notes

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

You can now disable external ephemeral IP addresses for App Engine Flex services. Read our documentation to learn how. This feature is at the Preview launch stage.

Dialogflow CX now supports version-specific webhooks.

Dialogflow CX now supports fine-grained webhook errors for built-in events.

Enabling endpoint discovery multi-cluster installations with declarative API is now available as a preview feature in all release channels. For more information, see Enable endpoint discovery between public clusters with declarative API.

You can now see more log entries in the Logs Explorer as a result of several style changes.

Support for 3rd generation AMD EPYC Milan processors on general purpose N2D machine types is now available in Preview.

Support for compute-optimized C2D machine types is now available in Preview, featuring:

• 3rd generation AMD EPYC Milan processors
• AMD Secure Encrypted Virtualization (SEV) which can encrypt the memory of the VM to protect data in-use
• The largest VM sizes and are best-suited for high-performance computing (HPC)

You can now quickly identify which of your workloads are underutilized in the Cost Optimization tab. You can also quickly apply suggested values for resource requests and limits (or your own preferred values).

This feature is now available in Preview. For more information, see GKE workload rightsizing.

Anthos clusters on VMware 1.9.6-gke.1 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.6-gke.1 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

Airflow 2.2.5 is available in Cloud Composer images.

(Cloud Composer 2) You can now assign permissions for an environment's service account on the service account level instead of the project level. To use this feature, create environments using gcloud, API, or Terraform. Cloud Console support for this feature will be released at a later date.

(Cloud Composer 2) Increased the memory limit for the Redis queue and made it scale with the environment's size.

New Airflow metrics for pools, smart sensor, and SLA email notifications are available for Cloud Composer environments.

Added support for PrivateCACertificate resource.

Added spec.subsetting field to ComputeBackendService.

Added spec.secondaryIpRange field to RedisInstance.

Export support for additional monetization-related values

Apigee X now supports export of additional fee-based values for organizations using monetization. For more information, see Generating monetization reports.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now a generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

Specifying a user-managed service account for each App Engine version during deployment is now generally available.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

• Cloud Firestore
  • firestore.googleapis.com/Database

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Datastream
  • datastream.googleapis.com/Stream
  • datastream.googleapis.com/ConnectionProfile
  • datastream.googleapis.com/PrivateConnection

N2D VMs are now available in Paris, France europe-west9-a,b,c.

See VM instance pricing for details.

Traffic Director for GKE now supports using the Kubernetes Gateway APIs to create a service mesh.

Traffic Director control plane logging and monitoring now supports request count by zone, in addition to DS API Connected Streams and request count.

The ability to configure Vertex AI private endpoints is now general available (GA). Vertex AI private endpoints provide a low-latency, secure connection to the Vertex AI online prediction service. You can configure Vertex AI private endpoints by using VPC Network Peering. For more information, see Use private endpoints for online prediction.

Users can view build logs directly in GitHub or GitHub Enterprise without logging into Cloud Build. For more information, see Building repositories from GitHub and Building repositories from GitHub Enterprise. This feature is generally available.

General availability for the following integration:

• Google Cloud Deploy

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

• Cloud KMS
  • cloudkms.googleapis.com/EkmConnection

You can now tag services using Resource Manager tags for fine-grained access control.

M92 Release

• TensorFlow Enterprise 2.9 is now available. Note that this TensorFlow Enterprise version does not include Long Term Version Support.
• Starting with PyTorch 1.11, PyTorch environments now support XLA by default.
• TensorFlow Enterprise patch releases: 2.6.4 and 2.8.1.
• Deep Learning Containers are now available on Artifact Registry.

M92 Release

• TensorFlow Enterprise 2.9 is now available. Note that this TensorFlow Enterprise version does not include Long Term Version Support.
• Starting with PyTorch 1.11, PyTorch environments now support XLA by default.
• TensorFlow Enterprise patch releases: 2.6.4 and 2.8.1.

Eventarc is now available in the following regions:

• europe-west8 (Milan, Italy)
• europe-west9 (Paris, France)

The rule source for Cloud Armor preconfigured rules now includes ModSecurity Core Rule Set (CRS) 3.3 in public preview. For more information, see Tuning Google Cloud Armor WAF rules.

Updates were made to the applications that let you send Security Command Center data to to the following SIEM and SOAR platforms:

• Cortex XSOAR—see Sending Security Command Center data to Cortex XSOAR.
• Elastic Stack—see Sending Security Command Center data to Elastic Stack and Sending Security Command Center data to Elastic Stack using Docker.
• IBM QRadar—see Sending Security Command Center data to IBM QRadar.

In addition, Security Command Center can automatically send findings, assets, audit logs, and security sources to Splunk. For more information, see Sending Security Command Center data to Splunk.

TensorFlow Enterprise 2.9 is now available. Note that this TensorFlow Enterprise version does not include Long Term Version Support.

TensorFlow Enterprise 2.6 has been updated to 2.6.4.

TensorFlow Enterprise 2.8 has been updated to 2.8.1.

Cloud Composer performs several retries when checking pip connectivity.

(Cloud Composer 2) Workers and schedulers generate a warning log message when storage usage is close to the limit.

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Datastream now supports backfilling Oracle database tables that have more than 100 million rows. Click here to access the documentation.

Tags are now available. You can use tags to group or organize your clusters according to custom business dimensions. This is in addition to the hierarchical resource organization provided by GCP's resource manager. The integration of tags with policy engines (via conditional rules) such as IAM or Organization Policy, also allows you to apply centralized policies to custom security perimeters defined through tag bindings.

The following new connectors are available for Apigee:

• Apache Cassandra connection
• BigCommerce connection
• Email connection
• JIRA Cloud connection

Eventarc for Google Kubernetes Engine (GKE) is now available in Preview.

General availability for the following integration:

• Database Migration Service

M91 release

The M91 release of Vertex AI Workbench managed notebooks includes the following:

• Log streaming to the consumer project via Logs Viewer is now supported
• Added the net-tools package
• Regular package refreshments and bug fixes

The following functions have been added:

• default and if support conditions within expressions
• map.get performs a safe lookup on a map, returning null if a key is not found

A Status field that tracks the current steps and progress of an execution is available in Preview. See the Workflows Executions REST API Overview.

Cloud Run jobs are now available in Preview.

Network Analyzer is now available in Preview.

Artifact Registry is now available in the europe-southwest1 region (Madrid, Spain).

You can now use Cloud Build attestors to secure your image deployments. To learn how to set up gated deployments, see Securing image deployments to Cloud Run and Google Kubernetes Engine. To learn how to view build integrity records, see Viewing build provenance. This feature is generally available.

Cloud KMS is available in the following region:

• europe-southwest1

For more information, see Cloud KMS locations.

Cloud Router now supports MD5 authentication of BGP sessions. This feature is available in preview. For more information, see Use MD5 authentication.

Cloud Storage is now available in Madrid, Spain (europe-southwest1 region).

• Jobs within same state will rank higher in results when search jobs in a state level location with TELECOMMUTE_ALLOWED option

Cloud VPN is now available in region europe-southwest1 (Madrid, Spain).

Pricing is available on the Cloud VPN pricing page.

Generally available: Madrid, Spain europe-southwest1-a,b,c has launched with E2 and N2 VMs available in all three zones.

See VM instance pricing for details.

Added IAMPolicy and IAMPolicyMember support for AccessContextManagerAccessPolicy.

Added spec.approvalConfig field to CloudBuildTrigger.

Added spec.rule.redirectOptions field to ComputeSecurityPolicy.

Added spec.addonsConfig.gkeBackupAgentConfig field to ContainerCluster.

Added cnrm.cloud.google.com/skip-wait-on-job-termination directive to DataflowFlexTemplateJob and DataflowJob.

Added spec.rrdatasRefs field to DNSRecordSet.

Added spec.columnLayout.columns.widgets.logsPanel, spec.gridLayout.widgets.logsPanel, spec.mosaicLayout.tiles.widget.logsPanel, and spec.rowLayout.rows.widgets.logsPanel fields to MonitoringMonitorDashboard.

Added spec.enableExactlyOnceDelivery field to PubSubSubscription.

Dataflow is now available in Madrid (europe-southwest1).

Google Cloud Deploy now lets you change the timeout for Cloud Build operations, from the default setting of 1 hour.

The europe-southwest1 region in Madrid is now available.

Added new Memorystore for Memcached region: Madrid (europe-southwest1).

Pub/Sub is now available in europe-southwest1 (Madrid) .

For auto mode VPC networks, added a new subnet 10.204.0.0/20 for the Madrid europe-southwest1 region. For more information, see Auto mode IP ranges.

The GoogleIDToken.Audience tag now includes the useTargetUrl attribute to simplify audience configuration of Google ID tokens for Apigee policies.

Regional external and regional internal HTTP(S) load balancers now support using Cloud Run services as backends for the load balancer. This is configured using a serverless network endpoint group (NEG).

For details, see:

• Serverless NEG concepts
• Setting up a regional external HTTP(S) load balancer with a Cloud Run backend
• Setting up an internal HTTP(S) load balancer with a Cloud Run backend

This feature is available in Preview.

The following new region is now available: europe-southwest1.

Generally available: Insights for idle VM and machine size recommendations help you assess the utilization of your Compute Engine resources. Insights are automatically generated based on system metrics or metrics gathered by the Cloud Monitoring service.

Learn more about VM insights and MIG insights.

Reserving static regional external IPv6 addresses is available as a limited Preview feature. Contact your sales representative for access.

You can now configure Metrics Explorer and charts on dashboards to display a ratio of metrics by using the Cloud Console. For more information, see Ratios of metrics.

The feature for listing the effectively evaluated tags on a resource has launched into public preview. For more information, see Listing effective tags on a resource.

The new format element %J is generally available (GA) for DATE, TIME, DATETIME, and TIMESTAMP functions. This format element lets you use the ISO 8601 1-based day of the year.

A Cloud Bigtable table overview page in the Cloud console is now generally available (GA). The table overview displays monitoring metrics and replication details for a selected table.

Cloud Build now supports a script field, which allows users to specify shell scripts to execute in a build step. This feature is available as a preview release. To learn more, see Using the script field.

Regional external HTTP(S) load balancers now support Shared VPC configurations where the load balancer's forwarding rule, target proxy, and URL map, can be created in a host or service project, while the backend services and backends can be distributed across multiple service projects in the Shared VPC environment. This is referred to as cross-project service referencing. Cross-project backend services can be referenced from a single URL map.

Cross-project service referencing gives service developers and admins autonomy over the exposure of their services through the centrally managed load balancer.

For details, see:

• Shared VPC architectures
• Setting up a regional external HTTP(S) load balancer with Shared VPC

This feature is available in Preview.

You can now hide large amounts of similar log entries from your query results in the Logs Explorer. To learn more, see Hide similar logs.

You can now define service-level objectives (SLOs) for your Cloud Run services using SLO monitoring in Cloud Monitoring or the Cloud Run service page.

Release 1.10.4

Anthos clusters on bare metal 1.10.4 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.10.4 runs on Kubernetes 1.21.

Added the API Hub label in the Apigee community.

Added provisioning instructions.

Documentation: Provision API hub

Added instructions on how to get support.

Documentation: Get support

Action buttons in the UI are now disabled if you do not have appropriate permissions to perform the action.

Error messages for rejected logins for an inactive user are now more informative to the user.

Emails from portal-sso will either be the email address of the sender that the user sets up in the custom smtp settings, or it will be no-reply@google.com, instead of the human-readable name orgname-portalname. This screenshot illustrates emails sent from portal-sso in e2e. It shows one email with custom smtp settings (tsnow-custom-smtp) and one email with the default settings (no-reply).

We have released a new version of the Develop tab in the Proxy Editor. See Introducing the new Proxy Editor.

The Ruby 3.0 runtime for App Engine standard environment is now generally available.

Rebilling is now available in the Partner Sales Console and Cloud Channel API. This new billing data service helps you simplify your customer billing process by configuring discounts and exporting your billing data to a BigQuery dataset.

• Read an overview of rebilling
• Learn about enabling your rebilling data export

Support for europe-west9 (Paris).

Support for europe-west9 (Paris).

Support for europe-west9 (Paris).

Spot Pods for GKE Autopilot clusters is now generally available. Use Spot Pods to run your fault-tolerant workloads at reduced costs.

Spot VMs on GKE is now generally available. Spot VMs let you run fault-tolerant workloads at lower costs.

The resource usage restriction Organization Policy constraint has launched into general availability.

Anthos component releases for April 2022

Anthos clusters on VMware:

• April 11, 2022: security bulletin
• April 12, 2022: security bulletin
• April 18, 2022: 1.10.3-gke.49 patch release
• April 27, 2022: 1.11.0-gke.543 quarterly minor release
• April 28, 2022: security bulletin

Anthos clusters on bare metal:

• April 12, 2022: security bulletin
• April 27, 2022: 1.9.7 patch release
• April 28, 2022: security bulletin

Anthos clusters on AWS:

• April 05, 2022: (previous generation) security bulletin
• April 07, 2022: (previous generation) security bulletin
• April 12, 2022: (previous generation) security bulletin
• April 13, 2022: release updates
• April 19, 2022: (previous generation) issue announcement
• April 26, 2022: security bulletin
• April 26, 2022: (previous generation) security bulletin

Anthos clusters on Azure:

• April 13, 2022: release updates
• April 26, 2022: security bulletin

Anthos Config Management:

• April 21, 2022: 1.11.1 patch release

Anthos Service Mesh:

• April 14, 2022: 1.13.2-asm.2 patch release

Connect:

• N/A

Cloud Run for Anthos:

• N/A

Migrate for Anthos and GKE:

• N/A

Cloud Logging:

• April 2022: release updates

Cloud Monitoring:

• April 2022: release updates

In addition to the existing labels, you can now use the "istio-injection" label as an alias. For more information, see Injection labels.

Artifact Registry is now available in the europe-west9 region (Paris, France).

The following new features are now generally available (GA) for ARIMA_PLUS models:

• You can use ML.EVALUATE to calculate new forecasting accuracy metrics such as MAPE, SMAPE, and MSE.
• You can perform fast model training with little or no loss of forecasting accuracy by using the TIME_SERIES_LENGTH_FRACTION, MIN_TIME_SERIES_LENGTH and MAX_TIME_SERIES_LENGTH options.

To learn how to achieve one hundred times higher scalability with the ARIMA_PLUS model while using the new forecasting accuracy metrics, see the Accelerate ARIMA_PLUS to forecast 1 million time series within hours. You can also read ARIMA_PLUS best practices.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

• Certificate Authority Service
  • privateca.googleapis.com/Certificate

Cloud Bigtable is available in the europe-west9 (Paris) region. For more information, see Bigtable locations.

Cloud Functions has added support for the following new runtimes at the Preview release level:

• Python 3.10
• PHP 8.1

Cloud KMS is available in the following region:

• europe-west9

For more information, see Cloud KMS locations.

The following new region is now available: europe-west9.

You can create Cloud Spanner regional instances in Paris (europe-west9).

Query Optimizer version 4 is generally available, and is the default optimizer version.

Generally available: Paris, France europe-west9-a,b,c has launched with general-purpose E2 and N2 VMs available in all three zones.

See VM instance pricing for details.

Dataflow is now available in Paris (europe-west9).

The europe-west9 region in Paris is now available.

Added new Memorystore for Memcached region: Paris (europe-west9).

Pub/Sub is now available in europe-west9 (Paris).

Release 1.11.1

Anthos clusters on bare metal 1.11.1 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.11.1 runs on Kubernetes 1.22.

Case-insensitive collation support for BigQuery is now available for Preview. Collation determines how strings are sorted and compared in collation-supported operations. If case-insensitive collation is used, case is ignored in comparison and sorting operations.

These operations support collation:

• Several comparison operations
• Join operations
• ORDER BY operations
• GROUP BY operations
• Several scalar and aggregate function operations
• Set operations

The COLLATE function is now available for Preview in Google Standard SQL for BigQuery. With the COLLATE function, you can pass in a STRING and return a STRING with a collation specification.

The DEFAULT COLLATE clause is now available for Preview. With this clause, the default collation specification is applied to all column data types supporting collation. You can use the DEFAULT COLLATE clause in the following DDL statements:

• CREATE SCHEMA and ALTER SCHEMA
• CREATE TABLE and ALTER TABLE

The COLLATE clause is now available for Preview. With this clause, a collation specification is applied to a specific column in a table. You can use the COLLATE clause in the following DDL statements:

• ALTER TABLE ADD COLUMN
• ALTER COLUMN SET DATA TYPE

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

New maintenance versions are now available through self-service maintenance. See the maintenance changelog to learn more about these new maintenance versions.

Cloud Storage is now available in Paris, France (europe-west9 region).

Cloud VPN is now available in region europe-west9 (Paris, France).

Pricing is available on the Cloud VPN pricing page.

Config Controller is now supported in region europe-north1 and australia-southeast1

Added --use-private-endpoint flag to gcloud anthos config controller create to restrict access to the master's private endpoint IP of a config controller instance. Available in gcloud 378.0.0 (release note).

Added gcloud anthos config controller get-config-connector-identity which prints the default Config Connector identity, to allow easier subsequent permission grant. Available in gcloud 383.0.0 (release notes)

Let gcloud anthos config controller create prints the default Config Connector identity, to allow easier subsequent permission grant. Available in gcloud 383.0.0 (release notes)

Added new Memorystore for Memcached region: Milan (europe-west8).

Traffic Director's service routing APIs now include Gateway TLS routing.

For auto mode VPC networks, added a new subnet 10.200.0.0/20 for the Paris europe-west9 region. For more information, see Auto mode IP ranges.

MySQL 8.0 is now the default major database version for Cloud SQL for MySQL.

Generally available: Spot VMs are available for all machine types, regions, and zones. Use Spot VMs for workloads that can withstand preemption to receive large discounts. Spot VMs provide discounts of 60-91% off the on-demand price for standard VMs for machine types and GPUs and also provide smaller discounts for local SSDs. Spot prices can change up to once a month to reflect the underlying supply and demand.

Spot VMs are the latest version of preemptible VM instances. Although new and existing preemptible VMs continue to be supported and use the same prices as Spot VMs, Spot VMs provide new features that are not supported for preemptible VMs. For example, preemptible VMs can only run for up to 24 hours at a time, but Spot VMs have no maximum runtime.

Learn more about Spot VMs and preemptible VMs.

The datastore.databases.getMetadata permission now supports custom Identity and Access Management roles. You can use custom roles with this permission to unlink your database from App Engine.

You can now comment within your Logging queries. For more information, see Logging query language: comments.

The following Cloud SQL recommenders that help you optimize your database costs are now generally available:

• Idle database instance recommender: Identifies idle database instances in your project and provides recommendations about the savings that you can make by shutting them down.

• Overprovisioned database instance recommender: Identifies overprovisioned database instances in your project and provides recommendations about the savings that you can make by rightsizing these instances.

The following Cloud SQL recommenders that help you optimize your database costs are now generally available:

• Idle database instance recommender: Identifies idle database instances in your project and provides recommendations about the savings that you can make by shutting them down.

• Overprovisioned database instance recommender: Identifies overprovisioned database instances in your project and provides recommendations about the savings that you can make by rightsizing these instances.

The following Cloud SQL recommenders that help you optimize your database costs are now generally available:

• Idle database instance recommender: Identifies idle database instances in your project and provides recommendations about the savings that you can make by shutting them down.

• Overprovisioned database instance recommender: Identifies overprovisioned database instances in your project and provides recommendations about the savings that you can make by rightsizing these instances.

Dialogflow ES has added preview support for the following languages:

Afrikaans, Albanian, Amharic, Armenian, Azerbaijani, Basque, Belarusian, Bosnian, Bulgarian, Catalan, Cebuano, Chichewa, Corsican, Croatian, Czech, Esperanto, Estonian, Frisian, Galician, Georgian, Greek, Gujarati, Haitian Creole, Hausa, Hmong, Hungarian, Icelandic, Igbo, Irish, Javanese, Kannada, Kazakh, Khmer, Kinyarwanda, Kurdish, Kyrgyz, Latin, Latvian, Lithuanian, Luxembourgish, Macedonian, Malagasy, Malayalam, Maltese, Maori, Mongolian, Nepali, Oriya/Odia, Punjabi, Samoan, Scots Gaelic, Serbian - Cyrillic, Serbian - Latin, Sesotho, Shona, Slovak, Slovenian, Somali, Sundanese, Swahili, Tajik, Tatar, Turkmen, Uzbek, Welsh, Xhosa, Yoruba, Zulu

Preview: You can now get notification recommendations and insights for Error Reporting. For more information, see Error Reporting notification recommender and insights.

The datastore.databases.getMetadata permission now supports custom Identity and Access Management roles.

Connectivity to router appliances is now generally available in Network Topology. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot issues related to the router appliance instances.

Preview: The Error Reporting notification recommender looks for recent crashes in your Cloud project and provides recommendations if you have not configured Error Reporting notifications.

Security Command Center error detectors are generally available (GA). Error detectors report configuration errors that prevent Security Command Center and its services from functioning properly. Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

The connections[] and description attributes were added to the Finding object.

• The connections[] attribute contains information about the IP connection associated with the finding. It includes the destination IP address, the destination port, the source IP address, the source port, and the protocol.
• The description attribute provides an explanation of the finding.

For more information, see the API documentation for the Finding object.

Anthos clusters on VMware 1.11.0-gke.543 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.0-gke.543 runs on Kubernetes v1.22.8-gke.200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

Cluster lifecycle Improvements:

• Admin cluster creation is now resumable. If admin cluster creation fails at any step, you can now rerun gkectl create admin to resume the admin cluster creation.

Platform enhancements:

• Windows Node Pool:

  • GA: Support for Windows Dataplane V2 is generally available. Windows Dataplane V2 is now enabled by default for Windows node pools. This means that containerd is also enabled by default for Windows node pools.
  • Added deprecation notice for Windows nodes that Docker and Flannel will be removed in a subsequent version. If you are using Docker container runtime, you should update your user cluster configuration with gkectl update cluster to use containerd and Windows Dataplane V2 instead.
  • Added support for idempotent Windows startup script execution after node reboot.
  • New Windows Server 2019 OS build version 10.0.17763.2565 has been qualified for Anthos 1.11.0.

• Egress NAT Gateway:

  • GA: Egress NAT Gateway is now generally available. With this feature, you can configure source network address translation (SNAT) so that certain egress traffic from user clusters is given a predictable source IP address. This enables return traffic from workloads outside the originating cluster to reach the cluster. For more information, see Configuring an egress NAT gateway.

• MetalLB:

  • GA: The new load balancer option, MetalLB, is now generally available as another bundled software load balancer in addition to Seesaw.

• Multinic logs:

  • The Fluent Bit Logging agent can now collect logs for Pods with multiple network interfaces, and send them to Cloud Logging. Logs will be collected as system logs and no extra charges will apply.

Security enhancements: - Admin cluster CA Certificate Rotation:

• GA: You can now use gkectl to rotate system root CA certificates for admin clusters.

Simplify day-2 operations:

• GA: gkectl update admin supports registering an existing admin cluster.
• Cluster diagnosis improvements:
  • gkectl diagnose cluster automatically runs during admin or user cluster upgrade failure.
  • gkectl diagnose cluster searches and surfaces related events for any validation failure.
• GA: gkectl update supports enabling and disabling of Cloud Logging and Cloud Monitoring in an existing cluster. You can also enable or disable logging to Cloud Audit Logs with gkectl update on both admin and user clusters.
• Changes made to the metrics-server-config ConfigMap are now preserved across cluster upgrades.

Release 1.9.7

Anthos clusters on bare metal 1.9.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.9.7 runs on Kubernetes 1.21.

All system taxonomy descriptions are now editable.

The following searchable fields are now publicly available through the resource search API (SearchAllResources).

• tagKeys
• tagValues
• tagValueIds

You can now do the following in the improved Logs Explorer:

• Use the new plain-text search field and filter menus to construct queries without using the query language
• Customize your date and time format preferences for building queries and to display dates and times in the UI.
• Toggle on and off the default summary fields to see a raw-text view of your logs.

When querying your logs data in the Logs Explorer, you can now select queries from a library, making it easier to explore your data and find logs during time-critical troubleshooting sessions.

The ability to configure the time travel window is now in Preview. You can specify the duration of the time travel window, from a minimum of two days to a maximum of seven days.

Three new INFORMATION_SCHEMA views that show table storage metadata are now in Preview.

• Use the TABLE_STORAGE view to get a snapshot of current storage usage for tables and materialized views.
• Use the TABLE_STORAGE_TIMELINE_BY_PROJECT and TABLE_STORAGE_TIMELINE_BY_ORGANIZATION views to understand table storage changes over time at either the project or the organization level.

BigQuery Admin Resource Charts are now generally available (GA) for on-demand users, enabling administrators to monitor key metrics and troubleshoot issues across the entire organization. Previously, it was only available for reservation users. A new permission, bigquery.jobs.listExecutionMetadata, has been added to make it easier to gain access to the full UI.

Cost table report now supports updated filters, project ancestry, and report sharing

In the Cloud Billing Console Cost table report, we've updated the report's filters and invoice month selector to function similarly to the Cloud Billing Reports page and Cost breakdown page, added project ancestry functionality, and enabled report sharing.

Updated filters: You use the cost table report to access the details of your invoices and statements. The report's filters and other settings allow you to configure the report views when you are analyzing the usage and cost data. You can also download the cost table data to CSV for offline analysis. When you download the report to CSV, the data that downloads is limited by any filters that you have set and includes only the columns that you have selected to view.

Project ancestry: A new table column has been added to display project ancestry data. Starting with the January 2022 invoice month:

• Historical project metadata is available with the addition of Project hierarchy data.
• Usage and cost data that was grouped by Project is now grouped by Project hierarchy.
• You can now filter on Folders & Organizations, components of a project's ancestry, to analyze costs by project hierarchy.
• The values in the project hierarchy column are displayed only when you are viewing a flat table view or when you are viewing a nested table view grouped by Project > Service > SKU.
• The report returns a row for each distinct combination of Organization > Folder > Project, and the table includes columns for Project, Project ID, Project number, and Project hierarchy. The values listed in the Project hierarchy column show Organization name > Folder name.

Report sharing: Along with the updated report filters, the cost table report now supports URL bookmarking and sharing. As you configure your cost table report by setting the invoice month, table view cost grouping options, and report filters, the cost table URL updates to include your selections. You can save your report settings by bookmarking the URL. You can share the cost table report by copying the URL.

For more details about the cost table report and using the updated features and functionality, see the documentation.

The Cloud Logging API now supports the following regions:

• Europe:
  • europe-southwest1
  • europe-west6
  • europe-west8
  • europe-west9
• South America:
  • southamerica-west1

For more information, see Data Regionality for Cloud Logging.

You can now accept a maintenance update on your instance outside of the normal flow of scheduled maintenance.

While Cloud SQL schedules maintenance updates once every few months to ensure you have the latest maintenance version, you might want to use self-service maintenance if:

• You need an update sooner than your next scheduled maintenance event.
• You want to catch up to the latest maintenance version after skipping your most recent scheduled maintenance event.
• You want to gain more control over when maintenance is applied

Cloud SQL now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as database minor version upgrades and patches for security vulnerabilities. For links to current maintenance changelogs for each major database version, see Cloud SQL maintenance changelogs.

You can now accept a maintenance update on your instance outside of the normal flow of scheduled maintenance.

While Cloud SQL schedules maintenance updates once every few months to ensure you have the latest maintenance version, you might want to use self-service maintenance if:

• You need an update sooner than your next scheduled maintenance event.
• You want to catch up to the latest maintenance version after skipping your most recent scheduled maintenance event.
• You want to gain more control over when maintenance is applied

Cloud SQL now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as database minor version upgrades and patches for security vulnerabilities. For links to current maintenance changelogs for each major database version, see Cloud SQL maintenance changelogs.

The following PostgreSQL minor versions and extension versions are now available. If you use maintenance windows, you might not yet have these versions. In this case, you will see the new versions after your maintenance update occurs. To find your maintenance window or manage maintenance updates, see Finding and setting maintenance windows.

• 14.1 is upgraded to 14.2.
• 13.5 is upgraded to 13.6.
• 12.9 is upgraded to 12.10.
• 11.14 is upgraded to 11.15.
• 10.19 is upgraded to 10.20.

You can now accept a maintenance update on your instance outside of the normal flow of scheduled maintenance.

While Cloud SQL schedules maintenance updates once every few months to ensure you have the latest maintenance version, you might want to use self-service maintenance if:

• You need an update sooner than your next scheduled maintenance event.
• You want to catch up to the latest maintenance version after skipping your most recent scheduled maintenance event.
• You want to gain more control over when maintenance is applied

Cloud SQL now supports maintenance changelogs. Maintenance changelogs provide information about updates available in new maintenance versions, such as database minor version upgrades and patches for security vulnerabilities. For links to current maintenance changelogs for each major database version, see Cloud SQL maintenance changelogs.

Added IAMPolicyMember support for BinaryAuthorizationPolicy, CloudFunctionsFunction, DataprocCluster, NetworkSecurityAuthorizationPolicy, NetworkSecurityClientTLSPolicy, NetworkSecurityServerTLSPolicy, and RunService.

Automatic DNS configuration for Private Service Connect endpoints is available in General Availability.

For service producers: When you publish a managed service with Private Service Connect, you can optionally specify a domain name for the service.

For service consumers: When you create a Private Service Connect endpoint to connect to a managed service that has a specified domain name, a DNS entry for the Private Service Connect endpoint is created in a Service Directory DNS zone.

(Cloud Composer 2) Network tags are now applied to nodes in an environment's cluster.

Airflow schedulers and workers generate error log messages if pods for these components are evicted.

Cloud Composer automatically recreates and unpauses the Airflow monitoring DAG if it was deleted or paused.

You can now allocate up to 32 GiB of memory and up to 8 CPU to your Cloud Run services.

IAM Conditions now provides resource attributes for Cloud SQL backup sets. You can use these resource attributes to grant access to a subset of your Cloud SQL resources.

Added support for using Fleet Workload Identity to authenticate to Git repositories in Cloud Source Repositories. To learn more, see Grant Config Sync read-only access to Git.

Added a new --timeout flag to the nomos bugreport command. This flag configures the timeout for connecting to the cluster.

ConfigSync ignores the hidden directories .github, .gitlab, and the hidden file .gitlab-ci.yml.

Added field spec.networkInterface[].networkIpRef to ComputeInstance resource.

Config Controller is now supported in region asia-northeast1.

Filestore is now available in Santiago, Chile (southamerica-west1 region) for Basic HDD and Basic SSD instances.

You can now use a pre-built container to perform custom training with PyTorch 1.11.

Call logging is now generally available (GA).

Changed columns in the History table:

• Changed Date & time to Updated
• Changed Comment to Commit history
• Added ID, which is the ID of the revision as it appears in the registry API.

Artifact Registry is now available in europe-west8 region (Milan, Italy).

Cloud Bigtable is available in the europe-west8 (Milan) region. For more information, see Bigtable locations.

Support for europe-west8 region (Milan).

Support for europe-west8 region (Milan).

Support for europe-west8 region (Milan).

Cloud Spanner regional instances can now be created in Milan (europe-west8).

Cloud Storage is now available in Milan, Italy (europe-west8 region).

Cloud VPN is now available in region europe-west8 (Milan, Italy).

Pricing is available on the Cloud VPN pricing page.

Generally available: Milan, Italy europe-west8-a,b,c region has launched with general-purpose E2, N2, and N2D VMs available in all three zones.

See VM instance pricing for details.

Dataflow is now available in Milan (europe-west8).

Dataproc is now available in the europe-west8 region (Milan, Italy).

The europe-west8 region in Milan is now available.

Pub/Sub is now available in europe-west8 (Milan).

For auto mode VPC networks, added a new subnet 10.198.0.0/20 for the Milan europe-west8 region. For more information, see Auto mode IP ranges.

Pre-built PyTorch containers for PyTorch 1.11 are available for training. You can use these containers to train with CPUs, GPUs, or TPUs.

The following resource types are now publicly available through the Analyze Policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning):

• Database Migration Service
  • datamigration.googleapis.com/MigrationJob
  • datamigration.googleapis.com/ConnectionProfile

Backend subsetting for internal HTTP(S) load balancers improves performance and scalability by assigning a subset of backends to each of the proxy instances.

This feature is in Preview.

The following new region is now available: europe-west8.

Storage Transfer Service now provides more options for when to overwrite files that already exist in the destination. The new overwriteWhen field provides three options, that apply to all transfers, including those to or from file systems.

• NEVER provides defense in depth for archival cases, where data is not intended to be overwritten. Users no longer need to rely on a retention policy to protect their data.
• DIFFERENT uses ETags and checksum values to only overwrite a file if the contents have changed.
• ALWAYS overwrites any existing files with the same name. Avoids LIST operations on the destination when transferring into Cloud Storage.

Anthos clusters on VMware 1.10.3-gke.49 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.10.3-gke.49 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.10, 1.9, and 1.8.

The UI for managing Apigee instances has been updated and improved:

• You can now specify a list of accepted Cloud projects that can privately connect to the instance's service attachment.
• The New Instance dialog is replaced by a dedicated Create new instance configuration page with fields for specifying or creating a disk encryption key and for editing the list of accepted projects.
• The Edit instance dialog is replaced by a dedicated page that lets you add or remove environments and edit the list of accepted projects that can privately connect to the instance's service attachment.
• The UI now lets you select the disk encryption key from a list and provides a convenient flow if you want to create a new key.
• The UI for deleting an instance has changed. There is now a DELETE button on the Instance details page.

For more information, see Managing instances.

mTLS communication between Cassandra clients and Cassandra nodes

Apigee hybrid now supports mTLS communication between Cassandra clients (MART, Sync, and MP) and Cassandra nodes. For related ports used, see feedbackSecure ports usage. (Implemented in Apigee hybrid v1.7.0)

Custom metrics scaling

Apigee hybrid v1.7.0 now supports custom metrics scaling using the metrics:appStackdriverExporter and metrics:proxyStackdriverExporter configuration properties. See metrics in the Configuration properties reference. (Implemented in Apigee hybrid v1.7.0)

OAuth JWT access tokens

Apigee hybrid v1.7.0 now supports JWT operations that allow the OAuthV2 policy to generate, verify, and refresh access tokens that conform to the JWT token standard. See Using JWT OAuth tokens. (Implemented in Apigee hybrid v1.7.0)

Cloud Logging

Apigee hybrid v1.7.0 now supports the <CloudLogging> element in the MessageLogging policy that lets you log messages to Cloud Logging. (Implemented in Apigee hybrid v1.7.0)

** PublishMessage policy**

Apigee hybrid v1.7.0 now supports the PublishMessage policy that lets you publish your API proxy flow information to a Google Cloud Pub/Sub topic.

• Policy document: PublishMessage policy

  (Implemented in Apigee hybrid v1.7.0)

GraphQL policy now supports JSON-encoded payloads. (Implemented in Apigee X, March 15, 2022)

The PHP 8.1 runtime for App Engine standard environment is now available at the Preview release level.

The Python 3.10 runtime for App Engine standard environment is now available in Preview.

Google Drive Plugins version 1.4.0 is generally available (GA). For more information, see the CDAP Hub release log.

Preview: You can now customize the number of visible CPU cores.

Cloud Build default pools now support regional builds at the preview release stage. To learn more, see Cloud Build locations.

Cloud Build now supports regional build triggers at the preview release stage. To learn more, see Cloud Build locations.

Dataplex Data Quality tasks support running data quality validations on BigQuery tables that may not be part of a Dataplex lake, and on GCS data that's available as a BigQuery external table.

You can now restrict resource creation of global security configuration to comply with data residency requirements by using organization policies, which affect Google Cloud services such as Compute Engine and Identity-Aware Proxy (IAP). This capability is available as a Preview launch.

The data profiler for BigQuery is generally available (GA). The data profiler is a fully-managed service that continuously scans data across your entire organization to give you general awareness of what data you have, and specific visibility into where sensitive data is stored and processed. For more information, see Data profiles for BigQuery data.

In the Logs Explorer, pinning log entries has been improved and new options to view pinned log entries in different resource contexts have been added. To learn more, see Pin log entries.

You can now define template variables and permanent filters for your dashboards. For more information, see Create a template variable or permanent filter.

You can now grant access to Cloud Optimization IAM roles to a user, a group, or a service account to perform create or get operations in the context of a batchOptimizeTours request.

You can now create models that can solve up to 120 mns (instead of 60 mns) using automatic checkpoints in a batchOptimizeTour request to solve complex problems.

You can now set a soft_max_load with related costs on your vehicles to balance the load limit across your fleet.

You can now define a default value for a non-key table column when creating or altering a table. Using the DEFAULT keyword, a schema author can provide a fallback for a column when an insert statement or mutation doesn't explicitly specify a value.

A new three-continent, nine-replica multi-region instance configuration is available for Cloud Spanner: nam-eur-asia3 (Iowa/South Carolina/Belgium/Netherlands/Taiwan/Oklahoma).

Generally available: NVIDIA A100 GPUs are now available in the following additional regions and zones:

• Tokyo, Japan, APAC: asia-northeast1-a,c

For more information about using GPUs on Compute Engine, see GPU platforms. For pricing information, review the pricing tables for the Accelerator-optimized machine type family.

Access Transparency supports Secret Manager in GA stage. For the complete list of services that Access Transparency supports, see Supported services.

When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.

As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.

You can now set the autoscaler's minimum node count to zero.

This release of Anthos Clusters on AWS improves your ability to update your cluster configuration, including

• control plane security group IDs
• control plane proxy
• control plane and node pool SSH
• node pool security group IDs
• node pool root volume
• node pool encryption
• node pool proxy

You can now view most common asynchronous cluster and nodepool boot errors in the long running operation error field.

As a preview feature, you can now configure nodes to be dedicated hosts.

When you create a new cluster using Kubernetes version 1.22, you can now configure custom logging parameters.

As a preview feature, you can now choose Windows as your node pool image type when you create node pools with Kubernetes version 1.22.8.

You can now set the autoscaler's minimum node count to zero.

This release of Anthos Clusters on Azure adds the ability to update your

• control plane and node pool VM size
• cluster annotations
• Azure admin users
• control plane root volume size

You can now set the autoscaler's minimum node count to zero.

You can now view most common asynchronous cluster and nodepool boot errors in the long running operation error field.

The App Engine legacy bundled services for Go 1.12+ are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

The App Engine legacy bundled services for Java 11/17 are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

The App Engine legacy bundled services for PHP 7+ are now available at the Preview release level. These APIs can be accessed through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

The App Engine legacy bundled services for Python 3 are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

Cloud Composer now supports CMEK encryption using keys stored in External Key Managers.

Tau T2D VMs are now available in the following regions and zones:

• Las Vegas, NV (us-west4-a,b)
• São Paulo, Chile, South America (southamerica-east1-a,b,c)
• St. Ghislain, Belgium (europe-west1-c)

N2 general-purpose VMs are available in Salt Lake City, UT (us-west3-a,b,c).

See VM instance pricing for details.

Added support for ApigeeEnvironment resource.

Added field spec.cluster[].autoscalingConfig to BigtableInstance resource.

Added field spec.edgeSecurityPolicy to ComputeBackendBucket resource.

Added field spec.type to ComputeSecurityPolicy resource.

Added field spec.schedule.repeatInterval to StorageTransferJob resource

Egress NAT policy to configure IP masquerade is now generally available on GKE Autopilot clusters with Dataplane v2 in versions 1.22.7-gke.1500+ or 1.23.4-gke.1600+. For configuration examples of Egress NAT policy, see Egress NAT Policy documentation.

Customer-managed encryption key (CMEK) organization policy constraints are now available in Preview.

• constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
• constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.

You can use both constraints together to enforce the use of CMEK from allowed projects.

To learn more, see Customer-managed encryption keys (CMEK) organization policies. To add CMEK organization policies now, see Add Cloud SQL organization policies.

Customer-managed encryption key (CMEK) organization policy constraints are now available in Preview.

• constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
• constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.

You can use both constraints together to enforce the use of CMEK from allowed projects.

To learn more, see Customer-managed encryption keys (CMEK) organization policies. To add CMEK organization policies now, see Add Cloud SQL organization policies.

Customer-managed encryption key (CMEK) organization policy constraints are now available in Preview.

• constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
• constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.

You can use both constraints together to enforce the use of CMEK from allowed projects.

To learn more, see Customer-managed encryption keys (CMEK) organization policies. To add CMEK organization policies now, see Add Cloud SQL organization policies.

Storage Transfer Service now offers a predefined role to simplify permission assignment to transfer agents. The roles/storagetransfer.transferAgent role grants a minimum set of permissions required for the service to communicate with agents and eliminates the need to assign each permission individually.

The role should be granted to the user account or service account being used to authenticate the agents. See the On-premises agent account documentation for more details.

The following new connectors are available for Apigee:

• Apache Kafka connection
• Cloud Spanner connection
• Cloud SQL for SQL Server connection
• MySQL connection
• PostgreSQL connection
• Redis connection
• ServiceNow connection

Cloud SQL for PostgreSQL supports in-place major version upgrades in Preview. You can upgrade your instance's major version to a more recent version. For more information, see Upgrade the database major version in-place.

Cloud SQL for SQL Server supports in-place upgrades in Preview. You can upgrade your instance's major version or edition. For more information, see Upgrade the database major version in-place.

The dataproc:dataproc.performance.metrics.listener.enabled cluster property, which is enabled by default, listens on port 8791 on all master nodes to extract performance-related telemetry Spark metrics. The metrics are published to the Dataproc service for it to use to set better defaults and improve the service. To opt-out of this feature, set dataproc:dataproc.performance.metrics.listener.enabled=false when creating a Dataproc cluster.

Eventarc is now available in the following regions:

• australia-southeast2 (Melbourne, Australia)
• northamerica-northeast2 (Toronto, Ontario, North America)
• southamerica-west1 (Santiago, Chile, South America)

You can now use customer-managed encryption keys (CMEK) to protect data at rest in Filestore's High Scale SSD Tier instances.

• High Scale SSD instances stop and restart automatically when the state of an associated key changes
• This feature is currently in Preview

TCP Proxy and SSL Proxy load balancers now support Google Cloud Armor. For more information, see the Cloud Armor security policy overview.

This feature is available in Preview.

New Version of Lending W2 Processor

We have released a new Release Candidate version of the W2 Processor. This version is experimental and has the following features:

• Quality improvement on SSN and EIN fields.
• Support for box 12 fields, including both codes and values.
• Fine grained predictions of EmployeeName, EmployeeAddress, and EmployerNameAndAddress which are no longer part of the output and replaced with additional fields.

BigLake is now available in Preview. BigLake is a storage engine that allows you to query and unify cross-cloud data lakes and warehouses. Additionally, it provides fine-grained access controls to your tables, allowing you to set access policies on a column or row basis.

BigQuery now supports the creation of search indexes and a SEARCH function. This feature is in Preview. This enables you to use Google Standard SQL to efficiently find data elements in unstructured text and semi-structured data.

Generally available: You can now set the number of threads per core on a VM.

Added support for ApigeeOrganization resource.

Added support for NetworkServicesTLSRoute resource.

Added spec.destination.loggingLogBucketRef to LoggingLogSink.

Config Controller is now supported in region northamerica-northeast1

Config Sync now supports depends-on. You can now specify apply and delete ordering using the new config.kubernetes.io/depends-on annotation. To learn more, see Declare resource dependencies between resource objects.

The iamBindings[] and nextSteps attributes were added to the Finding object.

• The iamBindings[] attribute provides a list of IAM bindings associated with the finding.
• The nextSteps attribute provides recommended actions you can take to address the finding.

For more information, see the API documentation for the Finding object.

Analytics Hub is now available in Preview. Analytics Hub is a new service in BigQuery that lets you create secure data exchanges and share analytics assets within and across organizations. This platform allows data providers to publish listings that reference shared datasets. Analytics Hub subscribers can then view and subscribe to these listings.

Public Preview: Data Catalog is integrated with Analytics Hub, enabling you to work with linked datasets. For more information, see Analytics Hub documentation and updated Data Catalog search syntax.

Dataflow now supports Runner v2 in GA for all languages.

Dialogflow CX now supports Access Transparency logging of Google personnel access to Dialogflow data.

Vertex AI Model Registry is available in Preview. Vertex AI Model Registry is a searchable repository where you can manage the lifecycle of your ML models. From the Vertex AI Model Registry, you can better organize your models, train new versions, and deploy directly to endpoints.

Vertex AI Workbench is generally available (GA). Vertex AI Workbench is a single notebook surface for all your data science needs that lets you access BigQuery data and Cloud Storage from within JupyterLab, execute notebook code in Vertex AI custom training and Spark, use custom containers, manage costs with idle timeout, and secure your instances with VPC Service Controls and customer managed encryption keys (CMEK).

Features supported include:

• Google-managed instances and the latest GPU support
• Idle shutdown for managed notebooks instances
• Custom containers
• End-user and service account authentication
• Native plug-ins for BigQuery and Cloud Storage
• In-notebook Spark connect to Dataproc clusters
• Jobs support via the managed notebooks executor on Vertex AI custom training and Spark
• One-click deploy for NGC containers
• VPC Service Controls
• Customer managed encryption keys (CMEK)

The Vertex AI Workbench managed notebooks executor is generally available (GA). Use the executor to run notebook files on a schedule or as a one-time execution. You can use parameters in your execution to make specific changes to each run. For example, you might specify a different dataset to use, change the learning rate on your model, or change the version of the model. For more information, see Run notebook files with the executor.

You can now create reCAPTCHA WAF site keys to implement the reCAPTCHA Enterprise for WAF and Google Cloud Armor integration. For more information, see Implement the reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

BigQuery Omni now supports cross-cloud transfer. This feature is in Preview. For more information, see Cross-cloud transfer (AWS) and Cross-cloud transfer (Azure).

This release of Certificate Manager adds support for target SSL proxies and the global external HTTP(S) load balancer (preview).

The Cloud Bigtable HBase replication library lets you replicate data from HBase to Bigtable. You can use the replication library in conjunction with existing migration tools to migrate your HBase data to Bigtable without pausing writes or taking your application offline. The replication library is now generally available (GA).

Cloud Spanner now allows you to export a subset of your database tables to Google Cloud Storage as Avro files.

With dual-region storage, users can now specify two regions within the same continent to create a dual-region of their choosing. This feature is now in Preview.

Dialogflow CX now provides a setting to lock agent editing.

Dialogflow CX system functions have new list-related functions: APPEND, GET, and REMOVE.

Retail Search is generally available.

For available features, see Features and capabilities.

For an overview of the steps to take to implement Retail Search, see Implementing the Retail API. To begin setting up Retail Search, go to Before you begin.

Anthos component releases for March, 2022

Anthos clusters on VMware:

• March 3, 2022: 1.10.2 patch release
• March 15, 2022: 1.8.8 patch release
• March 24, 2022: 1.9.5 patch release

Anthos clusters on bare metal:

• March 14, 2022: 1.8.9 patch release
• March 23, 2022: 1.9.6 patch release
• March 31, 2022: 1.10.3 patch release
• March 31, 2022: 1.11.0 quarterly minor release

Anthos clusters on AWS:

• March 21, 2022: region announcement

Anthos clusters on Azure:

• March 21, 2022: region announcement

Anthos Config Management:

• March 22, 2022: 1.11.0 quarterly minor release

Anthos Service Mesh:

• March 2, 2022: 1.12.4 patch release
• March 10, 2022: 1.10.6 & 1.11.8 & 1.12.5 patch release
• March 30, 2022: 1.13.1 patch release

Connect:

• N/A

Cloud Run for Anthos:

• N/A

Migrate for Anthos and GKE:

• March 28, 2022: 1.11.0 quarterly minor release

Cloud Logging:

• March 11, 2022: release updates
• March 21, 2022: release updates
• March 25, 2022: release updates

Cloud Monitoring:

• March 4, 2022: release updates
• March 11, 2022: release updates
• March 28: release updates

Delete dialogs will now remain open while the delete operation is being processed.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory), the Feed API, and the Search APIs (SearchAllResources and SearchAllIamPolicies):

• Org Policies
  • orgpolicy.googleapis.com/Policy
• BigQuery
  • All onboarded resources in the two new regions: aws-us-east-1; azure-eastus2.

The following resource types are now publicly available through the Export APIs (ExportAssets and BatchGetAssetsHistory) and the Feed API:

• Cloud Resource Manager Tags
  • cloudresourcemanager.googleapis.com/TagBinding

Snapshots are available in Preview.

(Airflow 2) The max_connections limit in databases is increased. The values are 3 times higher than the default values in Cloud SQL.

Database Migration Service now supports migrating Oracle workloads into Cloud SQL for PostgreSQL. Click here to access the documentation.

Generally available: You can now autoscale both regional and zonal managed instance groups based on a Cloud Monitoring metric that provides an aggregated value for the group. You can also apply filters to group metrics to further scope the scaling signal. For more information, see Scaling based on Cloud Monitoring metrics.

Eventarc is now available in the asia-south2 (Delhi, India) region.

VMware Engine nodes are now available in the following additional zone:

• Ashburn, Northern Virginia, North America (us-east4-b)

BigQuery ML and Vertex AI Model Registry integration is available in preview. With this integration, BigQuery ML models can be sent to the Vertex AI Model Registry where you can manage the lifecycle of all your ML models. From the Vertex AI Model Registry, you can organize your BigQuery ML models and deploy directly to endpoints.

Cost analysis by project ancestry, including folder-level costs, now available in BigQuery Export and Reports

Viewing your costs by project ancestry helps you do things like analyze costs by folder or organization. For example, if you use folders in an organization to represent cost centers (such as DevOps or Finance), you can effectively configure your report or query to group all costs by those cost centers.

Billing Reports

In the Cloud Billing Console Reports page, you can now Group by Project hierarchy and filter on Folders & Organizations, to analyze costs by project ancestry (such as folders or organizations).

• Group costs by project ancestry – In the Reports page, when you group by Project hierarchy, the report returns a row for each unique combination of Organization > Folder > Project, and the table includes columns for Project, Project ID, Project number, and Project hierarchy. The values listed in the Project hierarchy column show Organization name > Folder name.

• Filter costs by project ancestor(s) – In the Reports page, when you filter by Folders & Organizations, the report returns costs for all projects that are associated with any of the selected folders/organizations in their project ancestry.

In the Cloud Billing Console Cost breakdown report, you can now filter on Folders & Organizations, to analyze costs by project ancestry (such as folders or organizations).

• Filter costs by project ancestor(s) – In the Cost breakdown report, when you filter by Folders & Organizations, the report returns costs and credits aggregated for all projects that are associated with any of the selected folders/organizations in their project ancestry.

To learn more about organizations, folders, and project hierarchy, see Billing reports: Analyzing your costs by project hierarchy.

Cloud Billing data export to BigQuery

In the Cloud Billing usage cost data that exports to BigQuery, you can now see resource hierarchy metadata that describes a project's ancestry, including:

• project.ancestors.resource_name – An identifier containing the resource hierarchy type and ID (for example, folders/234)
• project.ancestors.display_name – A name that you create for the resource (for example, DevOps)

The project.ancestors metadata is available in both the Standard usage cost export and Detailed usage cost export. To help make resource hierarchy levels easier to identify in the BigQuery data tables, the ancestor data includes the resource display name (a human-readable name that you create) and the relative resource hierarchy names (immutable ID numbers representing each project/folder/organization).

For more details about project.ancestry_numbers and project.ancestors, see

• Understand the Cloud Billing data tables in BigQuery
• Query examples to use resource hierarchy filters to review project ancestry

Cloud Data Fusion version 6.6.0 is generally available (GA).

Cloud Functions (1st gen) has added support for Google-managed Artifact Registry at the Preview release level.

You can now specify PATCH requests in a FHIR bundle. This feature is available in Preview. See Executing a PATCH request in a FHIR bundle for more information.

Cloud SQL for MySQL now supports minor versions 8.0.27 and 8.0.28. To upgrade your existing instance to the new version, see Upgrade the database minor version.

Google Cloud Armor now supports TCP Proxy load balancers and SSL proxy load balancers in public preview. For more information, see the security policy overview.

Release 1.11.0

Anthos clusters on bare metal 1.11.0 is now available for download. To upgrade, see Upgrade Anthos on bare metal. Anthos clusters on bare metal 1.11.0 runs on Kubernetes 1.22.

Improved cluster lifecycle functionalities:

• Upgraded Anthos clusters on bare metal to use Kubernetes version 1.22.

• Updated cert-manager to version 1.5.4.

• Added error messaging in the bmctl command line interface to better surface cluster installation or upgrade failure.

• Incorporated audit logs into bmctl snapshots.

• Added ability for registry mirror users to customize containerd configuration and have it automatically mirror public registry hosts other than gcr.io.

• Changed bmctl update command so that it extracts manifests before updating a cluster.

• Added feature so that a cluster's kubeconfig file automatically renews when the cluster is upgraded and the kubeconfig Secret is renewed whenever cluster reconciliation takes place.

• Added support for Red Hat Enterprise Linux (RHEL) and CentOS 8.5.

• Added warning to bmctl command that docker containerRuntime will not be supported in version 1.13 of Anthos cluster on bare metal.

• Added support for specifying CIDR blocks in the NoProxy section of the cluster's configuration file.

• Added Service CIDR to NoProxy section of a cluster's configuration file by default in order to fix a multinic in proxy environment issue.

• Fixed a multi-NIC in proxy environment issue. Whenever the NO_PROXY environment variable is set, it includes the Service CIDR from the cluster specification.

Networking:

• GA: Added egress Network Address Translation (NAT) gateway capability to provide persistent, deterministic routing for egress traffic from clusters. For more information, see Configure an egress NAT gateway for external communication.

• GA: Added option for BGP bundled load balancer which advertises Load Balancer (LB) Virtual IP addresses (VIPs) to the network using the Border Gateway Protocol (BGP). This feature supports topologies across multiple subnets and can provide greater load-balancing bandwidth than bundled Layer 2 mode.

• GA: Enabled SR-IOV. This feature allows you to configure Virtual Functions (VFs) on the supported devices on the nodes of their cluster. It also allows you to define the kernel module you want to bind to the VF.

• GA: Enabled IPv4/IPv6 dual-stack support. Clusters can be deployed in a dual-stack network in which IPv4 and IPv6 addresses are assigned to both nodes and pods. By default, IPv4 is in island mode and IPv6 is in flat mode (a simplified network topology).

• GA: Enabled static flat network (without BGP). This feature lets you configure a flat mode network for IPv4 addresses. A pod's IPv4 address is visible and routable within the same Layer 2 domain, without having to masquerade as the node's IP address.

• Preview: Enabled Dynamic Flat IP with Border Gateway Protocol (BGP) support. This feature lets you configure flat mode using BGP in clusters with the help of Anthos Network Gateway and BGP. In this mode, the pod's IP address is visible and routable without masquerading across multiple subdomains. Currently supports advertising IPv4 and IPv6 routes over IPv4 sessions.

• Fixed issue in which new MAC addresses of re-imaged nodes weren't updated.

Observability:

• GA: Enabled collection of multiple network interfaces (multinic) logs from clusters. Logs are collected as system logs and are sent to Cloud Logging without charge to the customer.

• Preview: Added Summary API metrics. These metrics provide CPU, memory, and storage statistics about pods, containers, and nodes.

• Updated fluent-bit (stackdriver-log-forwarder) cri parser to avoid matching time fields multiple times.

• Upgraded kube-state-metrics from version 1.9 to 2.4. This service generates metrics about Kubernetes API objects such as deployments, nodes, and pods.

• Upgraded Metric Server from version 0.3.6 to 0.4.5. Metrics Server retrieves metrics from kubelets and exposes them through the Kubernetes Metrics API.

Security:

• Preview: Added secure computing mode (seccomp) support. Running containers with a seccomp