Google Cloud release notes

Three new rate limiting keys are now Generally Available:

• HTTP-PATH
• SNI
• REGION-CODE

For more information about using rate limiting keys, see the Rate limiting overview.

Kubernetes control plane logs are now Generally Available. You can now configure GKE clusters with control plane version 1.22.0 or later to export to Cloud Logging logs emitted by the Kubernetes API server, Scheduler, and Controller Manager.

These logs are stored in Cloud Logging and can be queried in the Cloud Logging Log Explorer or Cloud Logging API. These logs can also be sent to Google Cloud Storage, BigQuery, or Pub/Sub using the Log Router.

You can now use deprecation insights to identify clusters on versions 1.23 and earlier that use Docker-based node images, which are unsupported on GKE version 1.24 and later.

BigQuery now supports the following features when you load data:

• ASCII control characters for CSV files.
• Reference file with the expected table schema for creating external tables with Avro, ORC, and Parquet files.

These features are generally available (GA).

View granular cost data from Cloud Run instances in Cloud Billing exports to BigQuery

You can now view granular Cloud Run cost data in the Google Cloud Billing detailed export. Use the resource.global_name field in the export to view and filter your Cloud Run instances.

Review the schema of the Detailed cost data export.

View granular cost data from Cloud Function instances in Cloud Billing exports to BigQuery

You can now view granular Cloud Function cost data in the Google Cloud Billing detailed export. Use the resource.global_name field in the export to view and filter your Cloud Function instances.

Review the schema of the Detailed cost data export.

Preview: VMware Engine private clouds support the addition of a Trusted Platform Module (TPM) 2.0 virtual cryptoprocessor to a virtual machine.

For details about this feature, see About Virtual Trusted Platform Module.

Release 1.13.2

Anthos clusters on bare metal 1.13.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.2 runs on Kubernetes 1.24.

Cloud Functions has added support for a new runtime, Node.js 18, at the Preview release level.

The following resource types are now publicly available through the Export APIs (ExportAssets, ListAssets, and BatchGetAssetsHistory), Feed API, and Search APIs (SearchAllResources, SearchAllIamPolicies).

• Service Directory
  • servicedirectory.googleapis.com/Namespace

Dialogflow CX now integrates with GitHub. This integration makes it easy to export your agent to JSON for a push to GitHub, and to pull from GitHub for an agent restore.

The Logs tab available for each cluster on the Kubernetes Engine > Clusters page now includes suggested queries for your logs. For more information about using your GKE logs, see Viewing your GKE logs.

Release 1.11.8

Anthos clusters on bare metal 1.11.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.8 runs on Kubernetes 1.22.

You can now configure Cloud Build to continue executing a build even if specified steps fail. This feature is available as a preview release. To learn more, see the allowFailure and allowExitCodes topics in Build configuration file schema.

Airflow 2.3.4 is available in Cloud Composer images.

You can download private offers as PDFs. Offers can include notes from the vendor and the included EULA.

You can download private offers as PDFs. Offers can be saved at any point in the offer process and can include internal notes and the EULA for the offer.

GKE Autopilot clusters support compact placement policies in version 1.25 and later.

Policy Analyzer now offers organization policy analysis. Policy Analyzer helps you get more information about the resources affected by an organization policy constraint. This feature is available in Preview.

The Kafka Connector library for Pub/Sub and Pub/Sub Lite is now generally available.

The Kafka Connector library for Pub/Sub and Pub/Sub Lite is now generally available.

Policy Analyzer now offers organization policy analysis. Policy Analyzer helps you get more information about the resources affected by an organization policy constraint. This feature is available in Preview.

Anthos clusters on VMware 1.13.2-gke.26 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.13.2-gke.26 runs on Kubernetes 1.24.7-gke.1400.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

The Impact Level 4 (IL4) compliance regime is now generally available.

Object tables are now in preview. Object tables are read-only tables containing metadata for unstructured data stored in Cloud Storage. These tables enable you to analyze and perform inference on images, audio files, documents, and other file types by using BigQuery ML and BigQuery remote functions. Object tables extend structured data features such as data security and governance best practices to unstructured data.

Metadata caching is now in preview. Using cached metadata might improve query performance for BigLake tables and object tables that reference large numbers of objects, by allowing the query to avoid listing objects from Cloud Storage.

Internal HTTP(S) load balancers and internal TCP proxy load balancers now support global access. By default, clients for these load balancers must be in the same region as the load balancer. With global access enabled, clients can access the load balancer from any region. They still must be in the same VPC network as the load balancer or in a VPC network that's connected to the load balancer's VPC network by using VPC Network Peering.

For instructions, see the following:

• Enable global access for internal HTTP(S) load balancers
• Enable global access for internal TCP proxy load balancers

Logs from Cloud Run services can now be tailed or viewed in a command-line friendly format using gcloud beta run services logs tail and gcloud beta run services logs read

Preview: You can limit the runtime of a VM to automatically stop or delete it when a time limit is reached. Limiting VM runtimes can help you optimize temporary workloads by minimizing costs and releasing quota. For more information, see Limit the runtime of a VM.

Dataproc Serverless for Spark supports Spark and System metrics. These metrics are enabled by default. Spark driver and executor metrics can be customised using overrides.

Starting November 17, 2022, newly created private clouds will utilize IP address layout (IP Plan) version 2.0 subnet allocations. HCX addressing is now included in the management CIDR allocation, simplifying the process of starting data center VM migrations. IP Plan version 2.0 also enables additional scale and features delivered to your public cloud in upcoming releases.

Stretched private clouds are now available in the europe-west3 (Frankfurt) region. You can use stretched private clouds to stretch vSphere/vSAN clusters across zones and protect against zone level failures. This functionality enables high levels of availability for business critical applications.

GKE Autopilot clusters support signaling to GKE that a particular node is problematic in version 1.24 and later.

Preview: Connectivity to Private Service Connect endpoints used to access a managed service is supported over VLAN attachments for Cloud Interconnect

Generally available: You can double the default size limit for a managed instance group (MIG): Zonal MIGs support up to 2,000 VMs and regional MIGs support up to 4,000 VMs. For more information, see Increase the group's size limit.

The Identity Document Proofing Processor is designed to help predict the validity of ID documents with four different signals:

• is_identity_document detection: predict whether an image contains a recognized identity document.
• suspicious_words detection: predict whether words are present that aren't typical on IDs.
• image_manipulation detection: predict whether the image was altered or tampered via an image editing tool.
• online_duplicate detection: predict whether the image can be found online.

Filestore Backups for High Scale and Enterprise tier instances is available in Preview.

Filestore Multishares for GKE is now generally available.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched the Initial Access: Excessive Permission Denied Actions rule to Preview. This rule detects events where a principal repeatedly triggers permission denied errors across multiple methods and services.

For more information about Event Threat Detection findings, see Event Threat Detection rules.

Preview: Private Service Connect endpoints with consumer HTTP(S) controls now support accessing regional Google APIs and managed services using the following load balancers:

• Regional internal HTTP(S) load balancer
• Regional external HTTP(S) load balancer

Agent Assist has launched backend modules as a GA feature. Backend modules is an out-of-the-box solution that provides an effective backend infrastructure, making integrating Agent Assist with your agent system faster and easier. See the backend modules basics and integration guide for details.

The Agent Assist Console is now GA. The Console now also includes built-in workflow tutorials that walk you through creating a dataset, training and testing a model, and creating a conversation profile. Sample datasets and demo models are now provided as well. To see the new Console tutorials, navigate to the Console and click the Get started button under the feature you'd like to test.

Agent Assist now supports sentiment analysis of voice data as a private Preview feature. For more information, see the Agent Assist private features documentation. To gain access to the private documentation, please contact your Google representative.

Agent Assist now supports CCAI Transcription as a GA feature. CCAI Transcription allows you to convert streaming audio data into text transcripts in real time, allowing you to implement Agent Assist features for use with voice data. See the documentation for details.

UDM Search

UDM Search is a new Chronicle search feature which enables you to find UDM events within your Chronicle instance. You can search both for individual UDM events and groups of UDM events tied to shared search terms. UDM search includes a number of search features, enabling you to navigate through your UDM data:

• Quick Filters—Fast access to saved searches and search history.
• Event Viewer—View the raw log and UDM for the event.
• Search Manager—Comprehensive view of your saved searches and search history.

There is also a new UDM search API method available for the Chronicle Search API.

Be sure to review Google's recommended best practices for conducting searches using UDM Search. UDM searches can require substantial computational resources to complete if they are not constructed carefully. Performance also varies depending on the size and complexity of the data in your Chronicle instance.

Cloud Bigtable now lets you retrieve metadata about a table, giving you greater observability when troubleshooting. This feature is generally available (GA). For more information, see Table stats.

Time to live (TTL) is now supported in PostgreSQL-dialect databases. With TTL, you can reduce storage costs, improve query performance, and simplify data retention by automatically removing unneeded data based on user-defined policies.

Added support for the JSONB data type in the Cloud Spanner PostgreSQL dialect. For more information, see Work with JSONB data.

For online document translations, you can increase the page limit for native PDF documents to 300 pages.

Generally available: Use the new distribution shape ANY SINGLE ZONE in a regional managed instance group (MIG) to automatically select a single zone that has available resources within your quota. Recommended for workloads that require low latency, high-bandwidth connections between VMs or when you want to avoid inter-zone network traffic costs.

Added spec.gcRules to BigtableGCPolicy (Issues #624, #542, #482, #345, #300).

Added spec.load.jsonExtension to BigQueryJob.

Added spec.externalDataConfiguration.avroOptions to BigQueryTable.

Added spec.compressionMode to ComputeBackendBucket.

Added spec.compressionMode to ComputeBackendService.

Added spec.advancedOptionsConfig.jsonCustomConfig to ComputeSecurityPolicy.

Added spec.managementConfig.fullManagementConfig to ConfigControllerInstance.

Added spec.nodeConfig.guestAccelerator[].gpuSharingConfig and spec.notificationConfig.pubsub.filter to ContainerCluster.

Added spec.nodeConfig.guestAccelerator[].gpuSharingConfig to ContainerNodePool.

Added spec.config.dataprocMetricConfig, spec.config.gceClusterConfig.confidentialInstanceConfig, spec.config.gceClusterConfig.shieldedInstanceConfig, spec.config.masterConfig.diskConfig.localSsdInterface, spec.config.metastoreConfig.dataprocMetastoreServiceRef, spec.config.secondaryWorkerConfig.diskConfig.localSsdInterface, spec.config.securityConfig, spec.config.workerConfig.diskConfig.localSsdInterface and spec.virtualClusterConfig to DataprocCluster.

Added spec.cloudLoggingConfig to DNSManagedZone.

Added spec.persistenceConfig to RedisInstance.

Added status.version to SecretManagerSecretVersion.

Added spec.maintenanceVersion and status.availableMaintenanceVersions to SQLInstance.

Added spec.passwordPolicy to SQLUser.

Added spec.customPlacementConfig to StorageBucket.

Added spec.notificationConfig to StorageTransferJob (Issue #303).

Added support for DLPJobTrigger resource.

Topic modeling is now a GA feature. Topic modeling helps you discover topics (call drivers) in conversations between contact center agents and end-users. For more information, see the documentation.

Dialogflow CX agents can now be exported to JSON.

BigQuery subscriptions now support the JSON type for all string fields, including data and attributes. For more information about JSON type compatibility, see Properties of a BigQuery subscription.

The Israel Regions and Support compliance regime is now in Preview.

The slot estimator helps you manage slot capacity based on historical performance metrics. This feature is now generally available (GA).

Support for internal ingress from Cloud Tasks to Cloud Run and Cloud Functions is now at General Availability.

The files attribute was added to the Finding object of the Security Command Center API.

The files attribute contains information about each file that triggered a finding, including the name of the file, the full path to the file, and the size of the file.

For more information, see the Security Command Center API documentation for the Finding object.

Access Approval lets you revoke active access requests using the Google Cloud console.

Airflow triggerer and Deferrable Operators are available in Preview in Cloud Composer 2.

Note: Minimum versions required by Airflow triggerer: Cloud Composer 2.0.31 and up, Apache Airflow 2.2.5 and up.

Cloud Monitoring now provides a GKE Clusters dashboard for enabling Managed Service for Prometheus on clusters in your project. For more information, see Get started with managed collection.

Anthos clusters on VMware 1.11.5-gke.14 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.5-gke.14 runs on Kubernetes 1.22.15-gke.2200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

Regional external and regional internal HTTP(S) load balancers now support regional SSL policies. SSL policies give you the ability to control the features of SSL that your Google Cloud load balancers negotiate with clients.

For details, see:

• SSL policies overview
• Use SSL policies

This feature is in General Availability.

You can now use the Google Cloud console to get role recommendations and policy insights for buckets. Role recommendations and policy insights help you understand and manage permission usage for your buckets.

Generally available: Share sole-tenant node groups with other projects or with your entire organization. For more information, see Share sole-tenant node groups.

Enable the validation check for Enum property values by default. Enum values that are not defined in the schema will not be allowed to be set to the corresponding document property Enum fields. The validationCheckDisabled flag in EnumTypeOptions disables the ENUM Validation.

Enable text extraction feature.

You can now use use compact placement for node auto-provisioning in Standard clusters with GKE version 1.25 and later. To learn more, see Use compact placement for node auto-provisioning.

Security Command Center added the ability to export findings to a CSV file from the Google Cloud console. For more information, see Export findings to a CSV file.

The CBSDs can now operate in the 3650–3700 MHz portion of the CBRS band in the 150 km area around fixed-satellite service (FSS) receive-only earth stations. The 150 km area around each FSS for 3650-3700 MHz that was considered an exclusion zone is now a protection zone. For more information on how to access the CBRS heatmaps, see CBRS heatmaps.

This feature is Generally Available (GA).

Users can now use SMB to transfer data by enabling SMB file share.

AutoML Image Classification Error Analysis

Error analysis allows you to examine error cases after training a model from within the model evaluation page. This feature is available in Preview.

For each image you can inspect similar images from the training set to help identify the following:

• Label inconsistencies between visually similar images
• Outliers if a test sample has no visually similar images in the training set

After fixing any data issues, you can retrain the model to improve model performance.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

Enhancements to Bare Metal Solution resource management–Adds the following self-service functionality:

• Manage networks–You can create, attach, detach, and delete networks. You can also add, update, and delete VLAN attachments.
• Manage boot volume snapshots–You can create, delete, and restore boot volume snapshots.
• Manage NFS file storage–You can create, update, and delete NFS storage volumes.
• Advanced networking–You can add connections to multiple networks on a single server. You can now view advanced networking information through the Google Cloud console too.
• Labels–You can organize your Bare Metal Solution resources by using labels. You can add labels to servers, networks, storage volumes, and NFS file storage.
• Manage the power state of servers–You can turn power on and off for your server and restart your server. You can also check the status of a server.

You can now transfer data from Amazon S3 and Azure Blob Storage to BigQuery using the LOAD DATA statement. This feature is generally available (GA) and includes support for the following features:

• Transfer files that are hive partitioned.
• Load semi-structured JSON source data into BigQuery without providing a schema by using JSON columns in the destination table.
• Encrypt destination tables using customer managed encryption keys.
• Transfer data to US multi-region and US-EAST-4 regions.

Alerts and IOC Matches

The Alerts and Indicators of Compromise (IOC) page displays all the alerts and IOCs currently impacting your enterprise. It provides tools that enable you to filter and view your alerts and IOCs.

• Alerts can be designated by your security infrastructure, by your security personnel, or by Chronicle Uppercase.

• IOCs are designated automatically by Chronicle. Chronicle is always absorbing data from both your own infrastructure and numerous other security data sources. It automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is found within your enterprise), Chronicle labels the event as an IOC and displays it on the IOC matches tab.

You can also still navigate to the Enterprise Insights page using the link provided at the top of the Alerts and IOCS page. To view CBN alerts, you still need to use the Enterprise Insights page.

Alert view

Alert view shows a variety of information with regards to a specific alert, including:

• Alert Status

• Alert Details—Displays an alert's creation time, recent updates, and its associated rule.

• Decision States—Displays the verdict for the alert and if it is an indication of a security issue. History—Displays the history of changes made to the alert by your security team. For alerts originating from Chronicle SOAR, Alert view also includes the number and a link to the associated Chronicle SOAR case. You can pivot to your Chronicle SOAR account using this link.

Chronicle SOAR Authentication

You can authenticate with your Chronicle SOAR account from Chronicle. Once you have authenticated with your Chronicle SOAR account, you can pivot between your Chronicle account and your Chronicle SOAR account as needed.

Chronicle SOAR Cases

Chronicle SOAR ingests alerts from a variety of sources. You can conduct additional investigations of Chronicle SOAR cases from Chronicle or pivot to Chronicle SOAR. You can pivot to your Chronicle SOAR Cases from the Chronicle application menu. For more information on Chronicle SOAR cases, see the Chronicle SOAR documentation.

Chronicle SOAR Playbooks

Chronicle SOAR Playbooks define a series of automatic steps taken when triggered by an incoming alert and can be used to investigate and respond to security issues. You can pivot to your Chronicle SOAR Playbooks from the Chronicle application menu. For more information on Chronicle SOAR Playbooks, see the Chronicle SOAR documentation.

Expanded Cloud Storage monitoring dashboards are now available in Preview.

• Available metrics include server and client error rates, write request counts, network ingress rates, and network egress rates.
• Dashboards can be filtered by bucket location.
• Dashboards are customizable, including the ability to set up alerts.

In addition to the project-wide dashboard, per-bucket dashboards are available in a new Observability tab in the Bucket Details for each bucket.

Support for VPC Service Controls is in Preview.

Curate which products are available for your Organization to use with Private Marketplace (Preview). You can add products to collections and share these collections with your organization, folders, or projects.

Learn more about Private Marketplace.

GKE Gateway for Single Cluster is now generally available in GKE version 1.24 and later. Use the Gateway API to express the intent of your inbound HTTP(S) traffic into your GKE cluster and the Gateway controller will instrument and fully manage the external and/or internal HTTP(S) load balancer(s) that forwards traffic to your applications. For complete details about the GKE Gateway controller, refer to the following documentation.

You can use the Google Cloud console to view authentication activities, which indicate when your service accounts and keys were last used to call a Google API.

Feature Transform Engine is available in Preview. For documentation, refer to Feature engineering.

Release 1.12.4

Anthos clusters on bare metal 1.12.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.4 runs on Kubernetes 1.23.

DNS Resolution is generally available (GA). You can use domain or hostnames for sources instead of IP addresses for pipeline design-time activities, such as getting schema, wrangling, and previewing pipelines.

Cloud Spanner now supports cross-region and cross-project backup use cases. You can copy a backup of your database from one instance to another instance in a different region or project to provide additional data protection and compliance capabilities.

The Autoclass feature is now available.

• When enabled, Autoclass transitions the storage classes of your objects automatically based on their access patterns.
• Currently, Autoclass can only be enabled at the time of bucket creation.

M100 Release

• Regular package updates.

M100 Release

• Migrated the Docker proxy agent to use a systemctl service.
• Regular package updates.

M100 Release

The M100 release of Vertex AI Workbench includes the following:

• Fixed a bug that prevented an instance with a GPU from starting.
• Regular package updates.
• Miscellaneous bug and display fixes.

Preview: You use the private.googleapis.com and restricted.googleapis.com VIPs to access Google APIs and services using IPv6 addresses. For more information, see the following pages:

• Use the VIPs from VMs with internal IPv6 addresses
• Use the VIPs from VMs with external IPv6 addresses
• Use the VIPs from on-premises hosts with IPv6 addresses
• Use restricted.googleapis.com with VPC Service Controls

In the Cloud console, the Add data feature lets you access popular ways to search for and ingest data sources that work with BigQuery. For an example, see viewing listings in Analytics Hub. This feature is now generally available (GA).

Users can now customize Slack notifications for their builds using notifier templates. To learn more, see Configure Slack notifications.

The ExcludeByHotword type was added as a type of ExclusionRule. With this new type, you can do the following:

• Exclude a column from inspect findings if the column name matches a regular expression.
• Exclude a finding from inspect findings if that finding is proximate to a string that matches a regular expression.

Previously, you could do these only by setting up a hotword rule that lowers the likelihood of the matching findings.

For more information on excluding findings, see Exclusion rules.

You can now dynamically include your log content in your alert notifications for easier troubleshooting. For more information about extracting log content into labels, see Create a log-based alert (Monitoring API).

You can now dynamically include your log content in your alert notifications for easier troubleshooting. For more information about extracting log content into labels, see Create a log-based alert (Monitoring API).

Generally available: Memory-optimized M3 virtual machine instances are available in the following regions and zones:

• Frankfurt, Germany (europe-west3-a,b)
• Eemshaven, Netherlands (europe-west4-a,b)
• Council Bluffs, Iowa, USA (us-central1-a,b)
• Las Vegas, Nevada, USA (us-west4-a,b)

See VM instance pricing for details.

If a Dataproc Metastore service uses the gRPC endpoint protocol, a Dataproc or self-managed cluster located in any region can attach to the service.

The following languages are now GA (generally available) for Dialogflow CX:

• Bulgarian (bg)
• Catalan (ca)
• Croatian (hr)
• Czech (cs)
• Greek (el)
• Hebrew (iw)
• Hmong (hmn)
• Hungarian (hu)
• Serbian (sr)
• Slovak (sk)
• Somali (so)

The following new features have been introduced in this release of Google Distributed Cloud Edge:

• Anthos VM Runtime replaces Kubevirt in Google Distributed Cloud Edge starting with this release. To continue using your existing virtual machines, you must shut them down and back them up before your Distributed Cloud Edge deployment is upgraded to release 1.2.0, and then re-create them as described in Manage virtual machines.
• A new Google Distributed Cloud Edge hardware configuration is available. This new configuration supports GPU-based workloads that run on NVIDIA Tesla T4 GPUs in both containers and virtual machines. To order a GPU-enabled configuration, see Order Google Distributed Cloud Edge. To learn more about running workloads on GPUs, see Manage GPU workloads.
• Google Distributed Cloud Edge now supports the following networking features:
  • (Preview) Cross-project VPN Connections. To learn more, see Manage cross-project VPN Connections.
  • (Preview) MacVLAN driver support for creating secondary network interfaces for Pods running containerized workloads. The MacVLAN driver is not supported on Pods running virtual machines. To learn more, see Configure a secondary network interface on a Pod using the MacVLAN driver.
  • (Preview) Multi-network support for creating secondary network interfaces for Pods. To learn more, see Configure a secondary network interface on a Pod using Distributed Cloud Edge multi-networking.
  • (Preview) ClusterDNS resource. To learn more, see ClusterDNS resource.

When you create a LoadBalancer service in GKE, the Google Cloud controllers automatically create the following firewall rules and apply them to the GKE nodes to allow inbound connections on the Service port:

• Internal load balancer with GKE subsetting or external load balancer with regional backend services (RBS): k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]
• Internal load balancer without GKE subsetting or external load balancer with target pool: k8s-fw-[loadbalancer-hash]

These rules now include the load balancer IP address in the destination ranges field to further control the inbound connections to the nodes. You can use the gcloud compute firewall-rules describe command to check a relevant firewall. The new field in the output is similar to the following:

destinationRanges:
- [LOADBALANCER_VIRTUAL_IP_ADDRESS]

Support for schema extensions in Managed Microsoft AD is generally available. Learn how to extend the schema.

Support for the migration of users from an existing domain to Managed Microsoft AD is available in Preview. Learn how to enable permissions for migrating an on-premises domain with SID History.

Security Command Center released two new error detectors:

• KTD blocked by admission controller
• KTD image pull failure

These detectors report configuration errors that prevent the Container Threat Detection service from functioning properly.

Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

Beta stage support for the following integration:

• Config Controller

Apigee support for using Private Service Connect (PSC) for client-to-Apigee (northbound) traffic is now GA. In addition, we now support using PSC for northbound routing in multi-region configurations. For details, see Expanding Apigee to multiple regions. See also Northbound networking with Private Service Connect and Migrate northbound routing to Private Service Connect.

The Logs tab available for each cluster on the Kubernetes Engine > Clusters page now includes suggested queries for your logs. For more information about using your GKE logs, see Viewing your GKE logs.

Vertex AI Prediction

You can now use A2 machine types to serve predictions.

Vertex ML Metadata

You can now filter contexts, executions, and artifacts by association and attribution.

Custom training on Vertex AI now supports NVIDIA A100 80GB GPUs on a2-ultragpu-1g/2g/4g/8g machines. For details, see Configure compute resources for custom training.

SQL functions for managing wrapped keysets are generally available (GA). You can now perform the following actions natively in BigQuery with fewer risks and steps:

• Create a wrapped keyset
• Rotate a wrapped keyset
• Rewrap a wrapped keyset
• Encrypt and decrypt a column with a wrapped keyset

Included with this release are the following new key management functions:

• KEYS.NEW_WRAPPED_KEYSET
• KEYS.ROTATE_WRAPPED_KEYSET
• KEYS.REWRAP_KEYSET

The following resource types are now publicly available through the analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning).

• Org Policies
  • orgpolicy.googleapis.com/Policy

You can now add table widgets to custom dashboards that let you limit the number of table rows, persiste specific columns, display only those rows with the highest, or lowest values, and that display a visual indicator of the value as compared to the range of possible values. For more information, see Display data in tabular form on a dashboard.

Support for the NHibernate ORM is now generally available, enabling you to use Cloud Spanner as a backend database for the NHibernate framework. For more information, see NHibernate Dialect for Cloud Spanner.

You can now easily identify clusters that use certificates incompatible with Kubernetes version 1.23. Kubernetes 1.23 deprecation insights are now available in Preview for clusters of at least version 1.22.6-gke.1000.

Vertex AI Prediction

Custom prediction routines (CPR) are now Generally Available. CPR lets you easily build custom containers for prediction with pre/post processing support.

VPC-SC for managed Anthos Service Mesh is generally available (GA) in the rapid channel.

The query execution graph is now in preview. You can use the query execution graph to diagnose query performance issues, and to receive query performance insights.

M99 Release

• Fixed a bug where Jupyter widgets through ipywidgets were causing errors and not displaying.
• Regular package updates.

M99 Release

• Fixed a bug where Jupyter widgets through ipywidgets were causing errors and not displaying.
• Updated TPU versions for TensorFlow 2.8, 2.9, and 2.10 Deep Learning VMs.
• Improved error messages for debugging custom container Deep Learning VMs that were instantiated with a GPU but without installing NVIDIA drivers.
• Regular package updates.

End-user authentication is being made available to managed Anthos Service Mesh in the rapid release channel. See the preceding release note for rollout timelines.

Anthos clusters on VMware 1.13.1-gke.35 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.13.1-gke.35 runs on Kubernetes 1.24.2-gke.1900.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

• Increased logging granularity for the cluster backup operation including indicating status for each step of the process.

Cluster lifecycle improvements in 1.13 and later

Preview: You can use the Google Cloud console to create user clusters, delete user clusters, and to add and remove node pools from a user cluster. To explore the new feature, try out the tutorial Create an Anthos on bare metal user cluster on Compute Engine VMs using the console.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

The BigQuery migration assessment is now available for Amazon Redshift in preview. You can use this feature to assess the complexity of migrating from your Amazon Redshift data warehouse to BigQuery.

The Cloud Router BGP MD5 authentication feature is Generally Available (GA). For more information, see Use MD5 authentication.

The image import tool now supports importing Ubuntu 22.04 LTS images to Google Cloud.

BigQuery subscriptions now support the Avro logical types timestamp-micros, date, and time-micros. For more information about schema compatibility between a Pub/Sub topic and a BigQuery table, see Schema compatibility.

The feature for listing all tags that are attached to or inherited by your resources has entered general availability. For more information, see Creating and managing tags.

You can now use the Cloud Console UI to create and manage tags. For more information, see Creating and managing tags.

Beta stage support for the following integration:

• BigQuery Data Policy API

Private Service Connect supports internal regional TCP proxy load balancers as a service attachment target in General Availability. This lets you create hybrid TCP/UDP services where a clients in a VPC network can connect to an on-premise service by going through Private Service Connect and a TCP proxy with hybrid NEGs to reach a hybrid endpoint.

You can now launch clusters with the following Kubernetes versions:

• 1.22.15-gke.1400
• 1.23.12-gke.1400
• 1.24.6-gke.1300

Release 1.13.1

Anthos clusters on bare metal 1.13.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.1 runs on Kubernetes 1.24.

The max_staleness materialized view option helps you achieve consistently high performance with controlled costs when processing large, frequently changing datasets. This feature is now in preview.

Column-level data masking is now generally available (GA). You can use data masking to selectively obscure column data for groups of users, while still allowing access to the column.

Cloud HSM resources are now available in the following regions:

• europe-southwest1
• europe-west9
• me-west1

For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see Cloud KMS locations.

Cloud Load Balancing introduces the internal regional TCP proxy load balancer. This is an Envoy proxy-based regional layer 4 load balancer that enables you to run and scale your TCP service traffic behind an internal regional IP address that is accessible only to clients in the same VPC network or clients connected to your VPC network.

The internal regional TCP proxy load balancer distributes TCP traffic to backends hosted on Google Cloud, on-premises, or other cloud environments.

For details, see the following:

• Internal TCP Proxy Load Balancing overview
• Set up an internal TCP proxy load balancer:
  • Instance group backends
  • Zonal NEG backends
  • Hybrid connectivity NEG backends

This capability is in General Availability.

Cloud SWG is available in Preview. Cloud SWG provides a secure web gateway that helps you secure egress web traffic (HTTP/S). Contact your sales representative to sign up and use Cloud SWG.

Dataproc Serverless for Spark now allows the customization of driver and executor memory using the following properties:

• spark.driver.memory
• spark.driver.memoryOverhead
• spark.executor.memory
• spark.executor.memoryOverhead

Dataproc Serverless for Spark now outputs approximate_usage after a workload finishes that shows the approximate DCU and shuffle storage resource consumption by the workload.

A new Release Candidate (RC) version of the Document OCR Processor, pretrained-ocr-v1.1-2022-09-12, is available in the US and EU. This RC can detect document defects.

• If the document is considered to be defective, the API now returns the same 5 document defect types supported by the Intelligent Document Quality Processor:
  • quality/defect_blurry
  • quality/defect_noisy
  • quality/defect_dark
  • quality/defect_faint
  • quality/defect_text_too_small
• In addition, it now supports 3 more defect types:
  • quality/defect_document_cutoff
  • quality/defect_text_cutoff
  • quality/defect_glare
• The defect detection results are in the image_quality_scores field on the Page object in the returned JSON. This additional feature adds latency comparable to OCR processing to the process call.

Anthos clusters on bare metal 1.11.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.7 runs on Kubernetes 1.22.

The following language translation pairs have been added:

The following resource types are now publicly available through the Export APIs (ExportAssets, ListAssets, and BatchGetAssetsHistory), Feed API, and Search APIs (SearchAllResources, SearchAllIamPolicies).

• Cloud Domains
  • domains.googleapis.com/Registration
• Cloud Functions 2nd Gen
  • cloudfunctions.googleapis.com/Function

The translator workflow is in Preview:

• Administrators can invite translators to their project and add translators to post-editing groups. For more information, see Enable post-editing requests.
• Portal users can request post-edits from translators.
• Translators can review and edit translations.

Support for 24 new languages is Generally Available (GA). Glossaries aren't supported when translating to or from these languages.

• Assamese
• Aymara
• Bambara
• Bhojpuri
• Dhivehi
• Dogri
• Ewe
• Guarani
• Ilocano
• Konkani
• Krio
• Kurdish(Sorani)
• Lingala
• Luganda
• Maithili
• Meiteilon(Manipuri)
• Mizo
• Oromo
• Quechua
• Sanskrit
• Sepedi(Pedi)
• Tigrinya
• Tsonga
• Twi (Akan)

Added the spec.helm.values field in RootSync and RepoSync to allow overriding the default values that accompany the Helm chart.

The constraint template library includes a new template: K8sBlockLoadBalancer. For reference, see Constraint template library.

A link to the Settings page has been added to the APIs list page.

See: Discover APIs using APIs list

This release contains the General Acceptance (GA) release of Advanced API Security, which:

• Detects unwanted requests sent to your APIs, including attacks by bots or other malicious agents.
• Evaluates the security of your API configurations and provides recommendations for improvements.

Advanced API Security is a paid add-on to Apigee. You can try out Advanced API Security for free in any trial org—follow the procedure described in Enable Advanced API Security. Contact Apigee to learn more.

Search indexes and the SEARCH() function are now generally available (GA). These enable you to use Google Standard SQL to efficiently pinpoint specific data elements in unstructured text and semi-structured data.

Cloud Data Fusion version 6.7.2 is generally available (GA). This release is in parallel with the CDAP 6.7.2 release.

Bucket tags are now generally available (GA).

Generally available: Compute Engine flexible committed use discounts (flexible CUDs) are spend-based discounts that add flexibility to your spending capabilities by eliminating the need to restrict your commitments to a single project, region, or machine series. You can purchase flexible commitments and commit to a minimum hourly spend amount to use vCPUs and/or memory in any of the projects within your Cloud Billing account, across any region, and belonging to any eligible general-purpose and/or compute-optimized machine types.

Learn more about flexible CUDs and how to purchase flexible commitments.

Recording Google Analytics 4 user events to the Retail API is available in GA. If you have integrated Google Analytics 4 for your user events, you can record the user event data in Google Analytics 4 format directly to the Retail API.

To use this feature, see the Record user events with Google Analytics 4 documentation.

A/B experiment traffic monitoring for Retail Search is available in private preview. See the documentation for A/B experiment monitoring.

A/B experiments compare key metrics between the Retail API and your existing search implementation. After setting up an experiment and its traffic splitting, you can monitor experiment traffic using the Retail console. In the console, you create variant arms that map to each experiment group that you created for the A/B experiment. This allows you to check whether the actual traffic matches the intended traffic split of your experiment. Traffic monitoring can help you determine if differences in traffic are due to a quality gap between services or an incorrect experiment setup.

To use A/B experiment traffic monitoring in private preview, contact Retail Support.

Vertex AI Prediction

You can now use E2 machine types to serve predictions.

The following geography functions are now generally available (GA):

• ST_ISCLOSED: Returns TRUE for a non-empty geography, where each element in the geography has an empty boundary.
• ST_ISRING: Checks if a geography is a linestring and if the linestring is both closed and simple.

Added storageTarget to BigTableInstance (Issue #729).

Added location and BITBUCKET support to CloudBuildTrigger (Issue #672).

Added visibleCoreCount to ComputeInstance.

Added visibleCoreCount to ComputeInstanceTemplate.

Added snapshotProperties.chainName to ComputeResourcePolicies.

Added chainName to ComputeSnapshot.

Added certificateMapRef to ComputeTargetSSLProxy.

Added costManagementConfig, nodePoolDefaults, serviceExternalIpsConfig to ContainerCluster.

Added locationPolicy, totalMaxNodeCount, totalMinNodeCount to ContainerNodePool.

Added channelRef and resourceConditions to EventarcTrigger.

Added mesh to GKEHubFeatureMembership.

Added forceDelete to MonitoringNotificationChannel.

Released new controller unmanaged-detector. Now if there is no Config Connector controller for a resource's namespace, that resource's status will show as "Unmanaged".

Extended faster reconciliation of resources with dependencies to support IAMAuditConfig and IAMPolicy.

Added support for DLPInspectTemplate resource.

General availability for the following integration:

• Organization Policy Service

Anthos Service Mesh now supports configuring Mesh CA and Google CA Service connectivity through an HTTPS proxy when direct connectivity from the sidecar-injected workloads is not available (for example, due to firewalls or other restrictive features). See Configure Certificate Authority connectivity through a proxy for more information.

Anthos clusters on VMware 1.12.3-gke.23 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.12.3-gke.23 runs on Kubernetes 1.23.8-gke.1900.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

Some runtime error messages have been improved with a reason code. To display only the error codes with a reason code, scroll down to Search and type reason. The error catalog filters the view.

See: Runtime error catalog

You can now view BI Engine Top Tables Cached Bytes, BI Engine Query Fallback Count, and Query Execution Count as dashboard metrics for BigQuery. This feature is now in preview.

You can now instrument gRPC applications to use Microservices observability.

Pricing for Microservices observability is the same as Cloud Operations Pricing. There are no separate charges for using Cloud Trace, Cloud Monitoring, or Cloud Logging Microservices observability plugins.

You can now instrument gRPC applications to use Microservices observability.

Pricing for Microservices observability is the same as Cloud Operations Pricing. There are no separate charges for using Cloud Trace, Cloud Monitoring, or Cloud Logging Microservices observability plugins.

You can now instrument gRPC applications to use Microservices observability.

Pricing for Microservices observability is the same as Cloud Operations Pricing. There are no separate charges for using Cloud Trace, Cloud Monitoring, or Cloud Logging Microservices observability plugins.

Dataproc Serverless for Spark now supports spark.dataproc.diagnostics.enabled property that enables auto diagnostics on Batch failure. Note that enabling auto diagnostics will hold compute and storage quota after Batch is complete and until diagnostics is finished.

Default security policies are now Generally Available. You can configure a default rate-limiting security policy when you use the Google Cloud Console to set up your load balancer. For more information, see the Rate limiting overview.

Support for limiting the maximum number of concurrent branches or iterations within a parallel step is available in Preview.

Samples in Go are available for Batch. Documentation has been updated to include the following samples:

• Create a basic container job
• Create a basic script job
• List jobs
• Describe a job
• Delete a job

For more information, see All Batch code samples.

To show or hide log entries similar to a log entry displayed in the Logs Explorer, expand the log entry and use the Similar entries menu.

The Cloud Monitoring Integrations page now provides access to logs collected by logs-enabled integrations from the Details page for each integration.

New public dataset stored in Cloud Storage.

• Data for ERA5 are now hosted publicly in Cloud Storage.

New Version Release

• Bring Your Own Carrier (BYOC) - Customers can now bring their own numbers through their carrier.

• Dual Channel Recording - Customers can enable dual channel audio recordings (e.g. agent channel and consumer channel)

• Virtual Agent Enhancements: Dialogflow CX agents configured for Global Region enabled, barge-in for Dialogflow CX (Voice), and passing parameters (either static or dynamic data) to Virtual Agents via Web SDK.

• Agent Assist Enhancements: Agent Assist profiles configurable via Developer Settings & enabled at a queue level.

• Secure Payment: Braintree supported as a payment provider and additional currencies (GBP, EUR, CAD) supported on Stripe and Braintree.