Google Cloud release notes

Support for VPC Service Controls (Preview)

VPC Service Controls lets you define a security perimeter around the Apigee Integration Google Cloud service. For more information, see Set up VPC Service Controls for Apigee Integration.

You can now set default configurations at a project or organization level. This feature is now generally available (GA).

Cloud Spanner federated queries are now generally available (GA).

Storage Transfer Service now supports transfers from AWS S3 using self-hosted transfer agents. This feature provides a way to configure the data transfer path between AWS and Google Cloud and offers more control over performance.

See the documentation for details.

Querying Google Cloud Bigtable external data sources is now generally available (GA).

Importing a domain from Google Domains to Cloud Domains is available in Preview.

You can now launch clusters with the following Kubernetes versions:

• 1.23.8-gke.2000
• 1.22.12-gke.300
• 1.21.14-gke.2100

External TCP/UDP network load balancers can now be configured to handle IPv6 traffic from clients. To enable this, you must configure your subnet, backend VMs, and the forwarding rules to handle IPv6 traffic.

This feature is only available for backend service-based network load balancers.

For details, see:

• Backend service-based network load balancer overview

• Set up a backend service-based network load balancer

This feature is available in General Availability.

Generally Available: Internal and external IPv6 addresses for Google Compute Engine instances are available in all regions.

For more information, see Configuring IPv6 for instances and Creating instances with multiple network interfaces.

Connectivity Tests now includes a feature that performs live data plane analysis by testing connectivity between a VM and a Google network edge location. This feature is available for the following traffic flows:

• Between VM and non-Google Cloud network
• Between VM and Cloud SQL instances

In the Google Cloud console, you can see the results of this analysis in the column labeled Last live data plane analysis result. In the gcloud command-line and API responses, you can see the results in the probingDetails object.

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

• Discovery: Can get sensitive Kubernetes object check
• Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
• Privilege Escalation: Create Kubernetes CSR for master cert
• Privilege Escalation: Creation of sensitive Kubernetes bindings
• Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
• Privilege Escalation: Launch of privileged Kubernetes container

These rules detect scenarios where a malicious actor attempted to query for or escalate privileges in Google Kubernetes Engine. For more information, see Event Threat Detection rules.

Beta stage support for the following integration:

• Service Account Credentials API

Internal and external IPv6 addresses are available in all regions in General Availability:

• Subnets: Dual-stack subnets that have both IPv4 and IPv6 subnet ranges.

• Routes: Subnet routes for IPv6 subnet ranges.

• Instances: Dual-stack instances with both IPv4 and IPv6 addresses, including instances with multiple network interfaces.

The new Cloud SQL System insights dashboard helps you detect and analyze system performance problems.

Generally available: You can now use the os-config troubleshoot command to help verify the setup of VM Manager. For more information, see Verifying VM Manager setup.

You can now schedule a custom cycle to refresh shadowed rule insights in Firewall Insights. For more information, see Schedule a custom refresh cycle.

Firewall Insights now identifies firewall misconfigurations for firewall rules which contain IPv6 IP address ranges. For more information, see Firewall Insights overview.

Text-to-Speech now offers these new voices. See the supported voices page for a complete list of voices and audio samples.

1. cloud-pt-BR-Standard-C
2. cloud-pt-BR-Wavenet-C

Beta stage support for the following integration:

• Integration Platform

Network firewall policies and regional firewall policies are now available in General Availability.

Added skip_polling so that connectors can execute asynchronously without waiting for the operation to complete.

Release 1.11.4

Anthos clusters on bare metal 1.11.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.4 runs on Kubernetes 1.23.

The Logs Explorer query results now show an icon for log entries that are part of error groups. You can click the icon to view details about the error group, exclude or show only log entries from the error group in the query results, or view related documentation. For more information, see Find log entries with error groups.

Generally available: NVIDIA® T4 GPUs are now available in the following additional regions and zones:

• Ashburn, Virginia, North America: us-east4-a

For more information about using GPUs on Compute Engine, see GPU platforms.

Added support for the IAMWorkforcePool resource.

Added spec.configmanagement.policyController.monitoring and spec.configmanagement.policyController.mutationEnabled fields to GKEHubFeatureMembership.

Added support for state-into-spec to StorageBucket.

Access Approval supports Secret Manager in Preview stage.

You can now launch clusters with the following Kubernetes versions:

• 1.23.8-gke.1700
• 1.22.12-gke.200
• 1.21.14-gke.2100

You can now launch clusters with the following Kubernetes versions:

• 1.23.8-gke.1700
• 1.22.12-gke.200
• 1.21.14-gke.2100

Release 1.12.1

Anthos clusters on bare metal 1.12.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.1 runs on Kubernetes 1.23.

The max_staleness materialized view option helps you achieve consistently high performance with controlled costs when processing large, frequently changing datasets. This feature is now in preview.

Network Load Balancing logging and Internal TCP/UDP Load Balancing logging are now available in Preview.

GKE total size control is now available in GKE version 1.24 clusters. For autoscaled node pools you can now set the minimum and maximum number of the total number of nodes across all zones, rather than specify a per zone limit. To learn more, see Cluster autoscaler.

The maximum number of Pods that can run on each node has increased from 110 to 256 with GKE version 1.23.5-gke.1300 or later. To learn more, see Optimizing IP address allocation.

RDB Snapshots are now Generally Available on Memorystore for Redis.

Serving controls can now be imported from and exported to files. This allows you to move serving controls between projects and do bulk edits and additions of serving controls within a project. This feature is available in Preview.

See the new documentation:

• Export serving controls
• Import serving controls

Configuring an internal TCP/UDP load balancer and network load balancer in Service Directory is available in GA.

Customer-managed encryption key (CMEK) organization policy constraints are now generally available (GA).

• constraints/gcp.restrictNonCmekServices allows you to control which resources require the use of CMEK.
• constraints/gcp.restrictCmekCryptoKeyProjects allows you to control the projects from which a Cloud KMS key can be used to validate requests.
• You can use both constraints together to enforce the use of CMEK from allowed projects.

New commands are now available gcloud alpha storage.

• Commands include the ability to create buckets, view metadata for buckets and objects, and edit metadata for buckets and objects.
• Note that all Cloud Storage gcloud commands continue to be in Preview.

Two Organization Policy constraints have launched into general availability to help ensure CMEK usage across an organization. For more information, see CMEK organization policies.

The following functions have been added:

• text.url_encode returns a string with percent-encoded reserved characters, including spaces
• text.url_encode_plus returns a string with percent-encoded reserved characters, and spaces replaced by pluses
• text.url_decode returns a string with pluses and percent-escaped characters converted to UTF-8

Release 1.10.7

Anthos clusters on bare metal 1.10.7 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.7 runs on Kubernetes 1.21.

The trigonometric SQL function CBRT is now generally available (GA). With this function, you can compute the cube root of a value.

The LOAD DATA statement is now available for Preview in Google Standard SQL for BigQuery. You can use the LOAD DATA statement to load data from one or more files into a table.

Cloud DLP can de-identify sensitive data stored in Cloud Storage. This feature is in generally available. For more information, see De-identification of sensitive data in storage.

Bucket tags are now available in Preview. You can apply tags to buckets for fine-grained access control.

TensorFlow Profiler integration: Debug model training performance for your custom training jobs. For details, see Profile model training performance using Profiler.

Enhancements to Bare Metal Solution resource management–Adds the following functionality:

• Change the operating system for a Bare Metal Solution server
• Enable hyperthreading on a Bare Metal Solution server
• View advanced networking information
• Implement IP address management
• Provision storage volume resources
• Remove storage volume resources

You can now add table widgets to custom dashboards that let you limit the number of table rows, display only those rows with the highest, or lowest values, and that display a visual indicator of the value as compared to the range of possible values. For more information, see Display data in tabular form on a dashboard.

Generally available: When you autoscale a MIG, you can view the reasons for why the autoscaler adds or removes VMs in your MIG. For more information, see Viewing autoscaler logs.

We now offer Preview support for Custom prediction routines (CPR). CPR lets you easily build custom containers for prediction with pre/post processing support.

You can now create BigQuery subscriptions in Pub/Sub to write messages directly to an existing BigQuery table.

You can now add user-defined labels to public and private Uptime checks. For more information, see Create public uptime checks.

Configurable dual-region storage is generally available (GA).

Preview: You can now merge or split your existing hardware resource commitments to create new upsized or downsized commitments. For more information, see Merge and split commitments.

Generally available: Use the Cloud console, the gcloud tool, or the API to configure a VM to shut down when a Cloud KMS key is revoked. For more information, see Configure VM shutdown on Cloud KMS key revocation.

Generally available: When you create VMs in bulk, you can now use the following new values with the TARGET_SHAPE flag:

• ANY: Use this value to place VMs in zones to maximize unused zonal reservations.
• BALANCED: Use this value to place VMs uniformly across zones.

Anthos clusters on VMware 1.11.2-gke.53 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.2-gke.53 runs on Kubernetes 1.22.8-gke.204.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.12, 1.11, and 1.10.

Inverse trigonometric SQL functions are now generally available (GA). These functions include:

• COT: Compute the cotangent for an angle.
• COTH: Compute the hyperbolic cotangent for an angle.
• CSC: Compute the cosecant for an angle.
• CSCH: Compute the hyperbolic cosecant for an angle.
• SEC: Compute the secant for an angle.
• SECH: Compute the hyperbolic secant for an angle.

Added support for ServiceDirectoryEndpoint resource.

Added support for the DLPStoredInfoType resource.

Added support for state-into-spec: absent to MonitoringAlertPolicy.

Added spec.iap.oauth2ClientIdRef field to ComputeBackendService.

Added spec.egressPolicies.egressTo.externalResources field to AccessContextManagerServicePerimeters,

Added spec.externalDataConfiguration.connectionId field to BigQueryTable.

Added spec.includeBuildLogs field to CloudBuildTrigger.

Added spec.cacheKeyPolicy.cdnPolicy.includeNamedCookies field to ComputeBackendService.

Added spec.enableUlaInternalIpv6 and spec.internalIpv6Range fields to ComputeNetwork.

Added spec.maxPortsPerVm field to ComputeRouterNats.

Added spec.advancedOptionsConfig field to ComputeSecurityPolicy.

Added spec.sslPolicyRef field to ComputeTargetHTTPSProxy.

Added spec.monitoringConfig.managedPrometheus field to ContainerCluster.

Added spec.sqlServerUserDetails field to SQLUser.

Added spec.schemaSettings field to PubSubTopic.

Added status.pscConnectionId and status.pscConnectionStatus fields to ComputeForwardingRule.

Added status.creationTime and status.managedZoneId fields to DNSManagedZones.

Added support for "reconcile resource immediately once its dependency is ready" feature for ComputeTargetPool, ComputeNetworkEndpointGroup, NetworkServicesGRPCRoute, NetworkServicesTLSRoute.

You can now have Google Cloud Deploy generate a skaffold.yaml configuration file for you when you create a release, based on a single Kubernetes manifest which you provide. This configuration file is suitable for learning and onboarding.

GKE node system configuration now supports setting the cgroup mode to use the cgroupv2 resource management subsystem.

Export filter for GCP logs

Previously, you could export DNS and Cloud Audit logs using the Chronicle panel within the GCP Cloud Console. You can now configure the default export filter to export additional log types. You can not only control the log types, but also the source projects producing these logs. Both inclusion and exclusion of logs are supported as well. In addition, semantic validation of the log filters can catch malformed log filters with invalid log types or identifiers. The filter language is defined by the Google logging query language that is shared with Cloud Logging.

For more information about the Export Log Filter Settings, see Exporting Google Cloud Logs to Chronicle.

You can now collect Couchbase logs and metrics from the Ops Agent, starting with version 2.18.2. For more information, see Monitoring third-party applications: Couchbase.

You can now collect Aerospike metrics from the Ops Agent, starting with version 2.18.2. For more information, see Monitoring third-party applications: Aerospike.

You can now collect Couchbase logs and metrics from the Ops Agent, starting with version 2.18.2. For more information, see Monitoring third-party applications: Couchbase.

You can now collect Vault metrics from the Ops Agent, starting with version 2.18.2. For more information, see Monitoring third-party applications: Vault.

The UI for dataset entry detail pages now includes a section that lets you see what entries are included in that dataset. Look for the new Entry list section when browsing dataset entries in Data Catalog.

General availability for the following integration:

• BigQuery Reservation API

BigLake is now generally available (GA). You can now create BigQuery ML models using data in Cloud Storage by using BigLake and publish BigLake tables as Analytics Hub listings.

Cloud Load Balancing introduces the internal regional TCP proxy load balancer. This is an Envoy proxy-based regional layer 4 load balancer that enables you to run and scale your TCP service traffic behind an internal regional IP address that is accessible only to clients in the same VPC network or clients connected to your VPC network.

The internal regional TCP proxy load balancer distributes TCP traffic to backends hosted on Google Cloud, on-premises, or other cloud environments.

For details, see the following:

• Internal TCP Proxy Load Balancing overview
• Set up an internal TCP proxy load balancer:
  • Instance group backends
  • Zonal NEG backends
  • Hybrid connectivity NEG backends

The following PostgreSQL minor versions and extension versions are now available:

• 14.3 is upgraded to 14.4.
• 13.6 is upgraded to 13.7.
• 12.10 is upgraded to 12.11.
• 11.15 is upgraded to 11.16.
• 10.20 is upgraded to 10.21.

If you use maintenance windows, then you might not yet have these versions. In this case, you'll see the new versions after your maintenance update occurs. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

Added information about checking the LC_COLLATE value for your databases before performing a major version upgrade of the databases for your Cloud SQL for PostgreSQL instance. For more information, refer to the Cloud SQL documentation.

Query Optimizer version 5 is generally available. Version 4 remains the default optimizer version in production.

You can now view and compare Kubernetes and Skaffold confguration files for releases, using Google Cloud Console.

You can now create BigQuery subscriptions in Pub/Sub to write messages directly to an existing BigQuery table. The change is being rolled out in a phased manner over the rest of the week.

Secure the link between a project and its billing account

In the Cloud Billing Console, you can now lock the link between a project and its Cloud Billing account, in order to prevent accidental changes to the billing state, such as disabling billing or moving the project to a different billing account. You can also unlock this protected state if you want to unlink a project from a Cloud Billing account.

Google Cloud projects contain all the resources required for a system to operate. To pay for the usage of the Cloud resources (such as Compute Engine or Storage), each project must be linked to an active Cloud Billing account. If you unlink the project from a billing account, you disable billing on that project. When billing is disabled on a project, all resources contained within the project will shut down, which can cause outages to your normal business operation.

To prevent unintentional outages due to billing issues, lock your valuable projects to their linked billing account. Locking creates a two-step process to change the billing state of a project, improving billing reliability and reducing accidental outages due to billing issues.

Learn how to secure the link between a project and a Cloud Billing account.

GKE Gateway integration with Cloud Certificate Manager is now available as Public Preview in GKE versions 1.20 and later. Use the new TLS features and high scale offered by Cloud Certificate Manager with GKE Gateway. For more information, see Gateway Security.

The constraint template library includes a new template: K8sRequireCosNodeImage. For reference, see Constraint template library.

The Advanced API Security's target assessment, which evaluates the security of target servers in your API, is now available. See Security scores in the Apigee UI to learn more.

Generally available: Compute Engine committed use discounts are now Generally Available for SUSE Linux Enterprise Server (SLES) image licenses. Learn more about discounted SLES image pricing and how to purchase a license commitment.

Kubernetes control plane metrics are now Generally Available. You can now configure GKE clusters with control plane version 1.23.6-gke.1500 or later to export to Cloud Monitoring certain metrics emitted by the Kubernetes API server, scheduler, and controller manager.

These metrics are stored in Cloud Monitoring in a Prometheus-compatible format. They can be queried by sending either a PromQL or MQL query to the Cloud Monitoring API. They can also be used anywhere within Cloud Monitoring, including in custom dashboards or alerting rules.

The container and kubernetes attributes were added to the Finding object.

The container attribute provides information about both Kubernetes and non-Kubernetes containers that are associated with a given finding. The kubernetes attribute provides information about Kubernetes resources that are associated with a given finding.

For more information, see the Security Command Center API documentation for the Finding object.

Anthos Service Mesh allows you to configure the minimum TLS version for your Istio workloads. See Configure minimum TLS version for your workloads for more information.

Generally available: NVIDIA® T4 GPUs are now available in the following additional regions and zones:

• Montréal, Québec, North America : northamerica-northeast1-c

For more information about using GPUs on Compute Engine, see GPU platforms.

Dataflow Prime is now in General Availability.

Anthos clusters on VMware 1.9.7-gke.8 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.9.7-gke.8 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.12, 1.11, and 1.10.

Time-to-live (TTL) policies now available in Preview.

Time-to-live (TTL) policies now available in Preview.

You can now find legacy secret keys for all reCAPTCHA Enterprise keys in the Google Cloud console. These keys can be useful if you are using a third-party plug-in/implementation that does not yet call the reCAPTCHA Enterprise API. For more information, see FAQs.

The App Engine legacy bundled services for PHP 7+ are now available at the General Availability release level. These APIs can be accessed through language-idiomatic libraries. Calls to these API are billed according to the standard rates.

You can now search your correlated log entries in the Logs Explorer. For more information, see Correlate log entries.

Cloud Run now supports container images in the Open Container Initiative (OCI) image format.

Dataproc Metastore is available in the following regions: us-west2 (Los Angeles), us-west3 (Salt Lake City), europe-west4 (Netherlands), europe-west6 (Zürich), and asia-east1 (Taiwan). For more information, see Dataproc Metastore locations.

Note that these services are immediately available through the gcloud CLI and the REST API. Cloud console availability will vary by region over the next few weeks.

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, is generally available (GA). VM Threat Detection detects cryptocurrency mining software, which is among the most common types of software installed in compromised cloud environments.

Detailed logging for objects copied between AWS S3, Azure Blob Storage, ADLS Gen 2, and Cloud Storage with Storage Transfer Service is now generally available (GA).

With detailed logs of individual objects available in Cloud Logging, you can verify what was transferred and perform additional data integrity checks. This launch simplifies monitoring, reporting, and troubleshooting. Read Cloud Logging for Storage Transfer Service for details.

NFS support for custom training is GA. For details, see Mount an NFS share for custom training.

Generally available: Internal and external IPv6 addresses for Google Compute Engine instances are available in all regions.

For more information, see Configuring IPv6 for instances and instance templates and Creating instances with multiple network interfaces.

You can now collect SAP HANA logs and metrics from the Ops Agent, starting with version 2.18.1. For more information, see Monitoring third-party applications: SAP HANA.

You can now collect Vault logs from the Ops Agent, starting with version 2.18.1. For more information, see Monitoring third-party applications: Vault.

You can now collect Flink metrics from the Ops Agent, starting with version 2.18.1. For more information, see Monitoring third-party applications: Flink.

You can now collect SAP HANA logs and metrics from the Ops Agent, starting with version 2.18.1. For more information, see Monitoring third-party applications: SAP HANA.

You can now download third-party peer VPN configuration templates for Cloud VPN from the Google Cloud console. Use these templates to configure HA VPN tunnels on your peer VPN device. Configuration templates are currently available for the following vendor platform and software versions:

• Cisco Firepower, running ASA 9.13(1)2 or later
• Fortinet FortiGate 200E, running FortiOS 6.2.3 or later
• Juniper vSRX, running JunOS 18.4R3-S2 or later

For more information, see Download a peer VPN configuration template.

Cluster autoscaler Location Policy is now generally available in GKE version 1.24.1-gke.800. This change allows users to pick one of two different spreading policies. For more information see Location policy.

For enhanced security with built-in authentication, Cloud SQL now lets you set password policies at the instance and user levels.

You can now view aggregated Cloud Spanner statistics related to transactions, reads, queries, and lock contentions in GA in Cloud Monitoring.

Generally available: You can use the Cloud console to configure autoscaling based on unacknowledged messages in a Pub/Sub subscription. For more information, see Autoscale based on unacknowledged messages in Pub/Sub.

Generally available: NVIDIA® T4 GPUs are now available in the following additional regions and zones:

Ashburn, Virginia, North America : us-east4-c

For more information about using GPUs on Compute Engine, see GPU platforms.

Eventarc support for Customer-Managed Encryption Keys (CMEK) using the Cloud Console is available in Preview.

Manage your private offers, including approving an offer, by using the Private Offers page.

The Pipeline Templates feature is available in Preview. For documentation, refer to Create, upload, and use a pipeline template.

The features supported by pipeline templates include the following:

• Create a template registry using Artifact Registry (AR).
• Compile and publish a pipeline template.
• Create a pipeline run using the template and filter the runs.
• Manage (create, update, or delete) the pipeline template resources.

Private Service Connect supports publishing a service that is hosted on the following load balancers:

• Internal TCP/UDP load balancer with global access enabled
• Internal protocol forwarding (target instances)

These features are available in General Availability.

You can now launch Kubernetes 1.23 clusters.

Kubernetes 1.23.7-gke.1300 includes the following changes:

• Disable profiling endpoint (/debug/pprof) by default in kube-scheduler and kube-controller-manager.
• Update kube-apiserver and kubelet to only use Strong Cryptographic Ciphers.
• Add an instance metadata server (IMDS) emulator.

In a future release of 1.23 VolumeSnapshot v1beta1 APIs will no longer be served. Please update to VolumeSnapshot v1 APIs as soon as possible.

In Kubernetes 1.23 and higher, cluster Cloud Audit Logs is now available and is enabled by default.

CIS benchmarks are now available for Kubernetes 1.23 clusters.

You can now launch Kubernetes 1.23 clusters.

Kubernetes 1.23.7-gke.1300 includes the following changes:

• Disable profiling endpoint (/debug/pprof) by default in kube-scheduler and kube-controller-manager.
• Update kube-apiserver and kubelet to only use Strong Cryptographic Ciphers.

In a future release of 1.23 VolumeSnapshot v1beta1 APIs will no longer be served. Please update to VolumeSnapshot v1 APIs as soon as possible.

In Kubernetes 1.23 and higher, cluster Cloud Audit Logs is now available and is enabled by default.

CIS benchmarks are now available for Kubernetes 1.23 clusters.

Generally Available: A version of Rocky Linux is now available that is optimized for running on Compute Engine.

This version of Rocky Linux is configured to use the latest version of the Google virtual network interface (gVNIC) which is specifically designed to support workloads that require higher network bandwidths. For more information, see the Rocky Linux section of the Operating systems details documentation.

Preview: Tau T2A, Google Cloud's first general purpose VM family to run on Arm architecture, is now available. Tau T2A VMs are available in three regions.

For more information, see Arm VMs on Compute Engine.

VMware Engine nodes are now available in the following additional region:

• Zurich, Switzerland, Europe (europe-west6)

You can now run Arm-based workloads in Preview in Standard clusters with GKE version 1.24 and later, and in Autopilot clusters with GKE version 1.24.1-gke.1400 and later.

You can now select compute classes to run GKE Autopilot workloads that have specialized hardware requirements, such as Arm architecture. The Scale-Out compute class is available in Preview in Autopilot clusters running GKE version 1.24.1-gke.1400 and later.

Modernize VMs to run Anthos for VMs (A4VM)

Migrate to Containers has added a new modernization feature, which enables traditional VMs to run on Anthos for VMs. Anthos for VMs extends Anthos on bare metal (now known as Google Distributed Cloud Virtual) to let you run and manage containers and VMs on a unified, Google Cloud-connected platform in your data center or at the edge. For more information on this feature, see About Anthos for VMs.

Agent Assist now offers UI Modules as a public Preview feature. UI Modules are an out-of-the-box option for integrating Agent Assist features into your agent UI system. For more information, see the UI Modules documentation.

When creating a primary or read-pool instance, or scaling either one, you can choose a machine size as small as 2 vCPUs with 16 GB of RAM.

You can now select a job type when assigning a folder, organization, or project to a reservation in the Google Cloud console. This feature is now generally available (GA).

Transfer Appliance is now available in an additional size. The TA7 appliance offers up to 7TB of storage in a smaller form factor than our other appliances. It offers both online and offline transfer modes.

Learn more about the TA7 on the Specifications page, or order an appliance from the Cloud console.

Cloud Bigtable is available in the us-south1 (Dallas) and europe-southwest1 (Madrid) regions. For more information, see Bigtable locations.

DAG UI is now generally available (GA).

Cloud Run now writes Access Transparency logs, see Enabling Access Transparency.

You can enable high availability for read replicas. See Disaster recovery for additional information about the use of high-availability replicas in a disaster recovery configuration.

You can create external server replicas with HA enabled.

You can enable high availability for read replicas. See Disaster recovery for additional information about the use of high-availability replicas in a disaster recovery configuration.

You can create external server replicas with HA enabled.

The database major version upgrade feature of Cloud SQL for SQL Server is generally available. For more information, see Upgrade the database major version in-place.

You can use the Apache Beam SDK for Go to create batch and streaming Dataflow pipelines. This feature is now in General Availability.

You can now permanently abandon a release using Google Cloud Deploy.

You can now suspend a delivery pipeline using Google Cloud Deploy.

Activity logging can now be enabled on a a per-tenant basis. The feature is generally available.

Added support to deploy a workflow using a cross-project service account through the Google Cloud CLI.

Data Mapping task enhancements

The Data Mapping task in Apigee Integrations now provides the following enhancements:

• Nested function support. You can pass one or more transformation functions as input parameters to another function.

• New transformation functions. You can use the following new transform functions for array-type variables:

  • FILTER - Filters the array elements that satisfy a given condition.
  • FOR_EACH - Applies one or more transformation functions for each element in an array.

• Subfield mapping support for JSON variables. You can view and search all the subfields of a JSON variable in the data mapping editor variable list.

For more information, see the Data Mapping task.

The July maintenance changelog is now available. For more information, use the links at Maintenance changelog.

The July maintenance changelog is now available. For more information, use the links at Maintenance changelog.

Recommender now offers role recommendations for Cloud Storage buckets. Role recommendations help you reduce excess permissions by suggesting role changes based on actual permission usage. This feature is available in Preview.

You can now launch clusters with the following Kubernetes versions:

• 1.23.7-gke.1500
• 1.22.10-gke.1500
• 1.21.13-gke.1600

You can now launch Kubernetes 1.23 clusters.

Anthos clusters on VMware v1.12.0-gke.446 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware v1.12.0-gke.446 runs on Kubernetes v1.23.5-gke.1504.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.12, 1.11, and 1.10.

Platform enhancements:

• General Availability (GA): Separate vSphere data centers for the admin cluster and the user clusters are supported.
• GA: Anthos Identity service LDAP authentication is supported.
• GA: User cluster control-plane node and admin cluster add-on node auto sizing is supported.

Security enhancements:

• Preview: Preparing credentials for user clusters as Kubernetes secrets before cluster creation.

  • The credential preparation feature prepares the credentials before a user cluster is created. After credential preparation, user cluster credentials are saved as versioned Kubernetes secrets in the admin cluster, and the template which is used for credential preparation can be deleted from the admin workstation. When creating a user cluster, it only needs to configure the namespace and the versions of the prepared secrets in the user cluster config file. Using this feature can help protect user cluster credentials.

• Preview: The gkectl update credentials command supports rotating the component access SA key for both the admin and the user clusters.

• The COS node image shipped in version 1.12.0 is qualified with the Center for Internet Security (CIS) L1 Server Benchmark.

• The gkectl update credentials command supports register service account key rotation.

Cluster lifecycle Improvements:

• Preview: You can configure the time duration of Pod Disruption Budget (PDB) violation timeout during a node drain. The default behavior is to always block on a PDB violation and to not force-delete pods during node drain, to avoid unexpected data corruption, and this default is unchanged. In certain cases, when users want to unblock the PDB violation deadlock with the bound timeout during cluster upgrade, they can apply the special annotation onprem.cluster.gke.io/pdb-violation-timeout: TIMEOUT on the machine objects.

Simplify day-2 operations

• Preview: Launched the enablement of Google Cloud Managed Service for Prometheus to track metrics in Anthos on vSphere clusters, and introduced two separate flags to enable logging and monitoring for user applications separately: EnableCloudLoggingForApplications and EnableGMPForApplications. The legacy flag EnableStackdriverForApplications is deprecated, and will be removed in a future release. Customers can monitor and alert on the applications using Prometheus with Google-managed Prometheus without managing and operating Prometheus. Customers can set enableGMPForApplications in the Stackdriver spec to enable Google Managed Prometheus for application metrics without any other manual steps, and the Google Managed Prometheus components are then set up automatically. See Enable Managed Service for Prometheus for user applications for details.

• All sample dashboards to monitor cluster health are available in Cloud Monitoring sample dashboards. Customers can install the dashboards with one click. See Install sample dashboards.

• Improvements to cluster diagnosis: The gkectl diagnose cluster command automatically runs when gkectl diagnose snapshot is run, and the output is saved in a new folder in the snapshot called /diagnose-report.

• The gkectl diagnose cluster command surfaces more detailed information for issues arising from virtual machine creation.

• A validation check for the existence of an OS image has been added to the gkectl update admin and gkectl diagnose cluster commands.

• A blocking preflight check has been added. This check validates that the vCenter.datastore specified in the cluster configuration file doesn't belong to a DRS-enabled datastore cluster.

Release 1.10.6

Anthos clusters on bare metal 1.10.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.10.6 runs on Kubernetes 1.21.

Azure workload identity federation is now available in preview for BigQuery Omni connections. This feature helps you secure data by allowing you to grant Google access to an application you manage in your Azure tenant so that neither you nor Google must manage application client secrets.

Carbon Footprint now reports carbon emissions broken down by scope 1, scope 2, and scope 3 categories, following the Greenhouse Gas (GHG) Protocol carbon reporting standards.

Cloud SQL for MySQL now supports setting timezone names as values for the time_zone parameter. Refer to the Cloud SQL documentation for a list of supported timezone names.

Workforce identity federation lets you authenticate and authorize users from external identity providers to access supported Google Cloud products. This feature is available in Preview.

The APPENDS change history TVF is now in preview. This table-valued function provides a history of table appends over a window of time.

InfoType categories were added to built-in infoTypes.

To get a list of built-in infoTypes, call the infoTypes.list method.

M94 Release

• Added support for PyTorch 1.12.
• Added more system libraries to the R Deep Learning Containers image.

M94 Release

• Added support for PyTorch 1.12.
• Added more system libraries to the R Deep Learning VM image.

Dialogflow CX now provides new client libraries for C++, C#, and Go.

Dialogflow ES now provides a new client library for C++.

The blue-green upgrade mechanism is now available to upgrade your GKE node pools, and can be selected per node pool instead of the default surge upgrade mechanism.

Tabular Workflows is available in Preview. For documentation, refer to Tabular Workflows on Vertex AI.

End-to-End AutoML workflow is available in Public Preview. For documentation, refer to End-to-End AutoML.

Artifact Registry is now available in the us-south1 region (Dallas, United States).

This release contains a new version of the Debug tab in the Apigee Proxy Editor. Following previous releases of new versions of the Overview and Develop tabs, this completes the initial release of the new Proxy Editor.

To view the new Debug tab, see Using Debug.

The Java 17 runtime for App Engine standard environment is now generally available.

The PHP 8.1 runtime for App Engine standard environment is now generally available.

The Python 3.10 runtime for App Engine standard environment is now generally available.

Config Sync supports syncing configurations stored as OCI images in Google Artifact Registry or Container Registry as a preview feature. To learn more, see Publish config images to Artifact Registry.

Added a field spec.override.reconcileTimeout in RootSync and RepoSync, for configuring the threshold for how long to wait for resources in an apply group to reconcile before giving up. An apply group consists of resources without direct or indirect dependencies on each others.

The constraint template library includes a new template: K8sRequiredResources. For reference see Constraint template library.

This release contains the Public Preview of Advanced API Security, which protects your APIs from unwanted requests, including attacks by malicious clients such as bots, and evaluates the security level of your API configurations.

Advanced API Security lets you:

• Create security reports to detect bots and other threats to your APIs.
• View security scores, which rate the security of your APIs and provide recommendations for improving security.

You are now able to configure the storage utilization target for a cluster when you use autoscaling for Cloud Bigtable. This feature is generally available (GA).

Preview: View your Google Kubernetes Engine (GKE) costs in Cloud Billing reports and cost data export to BigQuery

You can view your GKE costs by cluster, namespace, and pod labels in the Detailed cost export, and the built-in reports in the Google Cloud console.

Cloud Billing export to BigQuery

In the Detailed cost export to BigQuery, you can use the labels.key column to filter the data by these label keys:

• goog-k8s-cluster-name: Filter your GKE resources by cluster.
• k8s-namespace: Filter your GKE resources by namespace.
• k8s-label: View all your GKE resources.

Cloud Billing reports

In the Cloud Billing report, Cost breakdown report, and Cost Table report, you can use the Label selector to filter and group your data by cluster or namespace, using one of these label keys:

• goog-k8s-cluster-name: Filter or group your GKE resources by cluster.
• k8s-namespace: Filter or group your GKE resources by namespace.

To start viewing and analyzing your GKE cost data, see these pages:

• Enable cost allocation for your GKE clusters
• Enable the Detailed cost data export
• Review the schema of the Detailed cost data export
• View your Cloud Billing reports

Managed Service for Prometheus: You can now query Cloud Monitoring metrics by using PromQL. For more information, see Mapping Monitoring metric names to PromQL.

The ANALYZE DDL command allows administrators to manually update the query statistics package that the optimizer uses to build query execution plans. This complements the existing automatic updates to provide faster feedback cycles when data, queries, or indexes change frequently.

Generally available: You can now create shared reservations of Compute Engine zonal resources using the Google Cloud Console. Learn about shared reservations and creating a shared reservation.

Metadata federation is generally available (GA).

Metadata federation lets you access metadata that is stored in multiple Dataproc Metastore instances.

To set up a federation, you create a federation service and then configure multiple Dataproc Metastore instances as your backend metastores. The federation service then exposes a single gRPC endpoint, which you can use to access metadata across all of your metastore instances.

Private Service Connect for Dataproc Metastore is generally available (GA).

VPC Service Control support

Document AI VPC Service Controls provide additional security for your resources and services. To learn more about VPC Service Controls, see the VPC Service Controls overview.

To learn about the limitations when using Document AI with VPC Service Controls, see the supported products and limitations.

Eventarc support for Customer-Managed Encryption Keys (CMEK) using the Google Cloud CLI is available in Preview.

Filestore High Scale SSD tier is generally available (GA).

Google Cloud Armor now supports TCP Proxy load balancers and SSL proxy load balancers in General Availability For more information, see the security policy overview.

Advanced network DDoS protection is now available for network load balancers, protocol forwarding, and VMs with public IP addresses in public preview. For more information, see Configure advanced DDoS protection.

The contacts and indicator.signatures attributes were added to the Finding object.

• The contacts attribute is a map containing the contacts for the given finding. The key represents the type of contact, and the value contains a list of all contacts of that type.
• The indicator.signatures[] attribute lists matched signatures that indicate that a given process is present in the environment.

For more information, see the API documentation for the Finding object.

Support to add individual VPC networks to a perimeter is now available in Preview.

Previously, the entire VPC host project was added to a perimeter. VPC Service Controls now supports the following enhancements (Preview release):

• You can now add individual VPC networks as members of a perimeter.
• You can create an ingress rule to authorize individual VPC networks to access a perimeter.

Feature: Vertex AI Experiments is generally available (GA). Vertex AI Experiments helps users track and compare multiple experiment runs and analyze key model metrics.

Features supported by Experiments include:

• Vary and track parameters and metrics.
• Compare parameters, metrics, and artifacts between pipeline runs.
• Track steps and artifacts to capture the lineage of experiments.
• Compare vertex pipelines against Notebook experiments.

Release 1.12.0

Anthos clusters on bare metal 1.12.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.0 runs on Kubernetes 1.23.

Improved cluster lifecycle functionalities:

• Upgraded Anthos clusters on bare metal to use Kubernetes version 1.23. 

• Upgraded container runtime to containerd 1.5.

• Updated preflight check to forward default SSH key if no key is provided.

• Added support for new GCPAccounts field in the cluster configuration file. This field enables the assignment of a cluster-admin role to end-users.

• Added labels to control plane, control plane load balancer, and load balancer node pools, so that these different node pools can be distinguished from each other.

• Added nodepool reference label to nodes so that worker nodes can be listed in the UI.

Observability:

• GA: Added Summary API metrics. These metrics are scraped from the Kubernetes Summary API and provide CPU, memory, and storage metrics for Pods, containers, and Nodes.

• Added separate flags to enable logging and monitoring for user applications separately: EnableCloudLoggingForApplications and EnableGMPForApplications. The legacy flag EnableStackdriverForApplications will be deprecated and removed in future releases.

• Preview: Added Google Cloud Managed Service for Prometheus to collect application metrics and monitor cluster health.

• Upgraded GKE Metrics Agent (gke-metrics-agent) from version 1.1.0 to 1.8.3. This tool scrapes metrics from each cluster node and publishes them in Cloud Monitoring.

• Added the following resource utilization metrics. For more information about these and other metrics, see View Anthos clusters on bare metal metrics:

  • container/cpu/request_utilization
  • container/cpu/limit_utilization
  • container/memory/request_utilization
  • container/memory/limit_utilization
  • node/cpu/allocatable_utilization
  • node/memory/allocatable_utilization
  • pod/volume/utilization

• Added sample dashboards for monitoring cluster health to Cloud Monitoring sample dashboards. Customers can install these dashboards with one click.



• Scoped down the RBAC permissions of stackdriver-operator, a component that performs logging and monitoring.

Security:

• AIS CA deprecation. AIS certs are now signed by cluster CA.

• Changed ca-rotation container image so that it uses a distroless rather than a Debian-based image.

• RBAC permissions of the cluster-operator component have been eliminated or reduced to address elevated permissions.

• GA: Anthos Identity Service LDAP authentication support.

Networking:

• Preview: Enabled creation of IPv6 and Dual Stack LoadBalancer services. Border Gateway Protocol (BGP) is used for Dualstack clusters. Advertising IPv4 and IPv6 routes over IPv4 sessions is supported.

• Preview: Added Network Connectivity Gateway feature support to provide HA VPN between Google Cloud and an on-premises Anthos cluster.

The BeyondCorp Enterprise client connector is now generally available. The client connector extends identity and context-aware access to non-web applications by creating a secure connection from endpoint devices to apps running in both Google Cloud and non-Google Cloud environments.

For more information, see Securing client-server applications.

You can now set the view field in the tables.get() API method to indicate which table information is returned. Setting the value to BASIC reduces latency by omitting some storage statistics.

The Per-folder Roles Registration feature is rolled out to all regions.

Customers enrolled in Key Access Justifications will now see justifications listed in Cloud Audit Logs for Cloud KMS.

You can now collect Apache Flink logs from the Ops Agent, starting with version 2.17.0. For more information, see Monitoring third-party applications: Flink.

Query insights is now generally available. Query Insights helps you visually detect and identify query performance issues for Cloud Spanner databases. You can also dig deeper and analyse the query details to know the root cause of these issues.

To learn more, see Detect query performance issues with Query Insights.

Not-equal (!=), IN, and NOT_IN query filters now available in all client libraries:

• Java
• Python
• PHP
• Node.js
• C#
• Go
• Ruby

You can now give multiple containers time-shared access to the full compute resources of a single NVIDIA GPU accelerator. Time-sharing GPUs is generally available in GKE version 1.23.7-gke.1400 and later. For more information, refer to Time-sharing GPUs on GKE.

Expanded overwrite options are new generally available (GA). The overwriteWhen field can be used to specify whether data that already exists in the destination should be overwritten always, never, or only when ETags and checksum values indicate that the file has changed.

Metadata preservation options are now generally available (GA). This includes the option of preserving POSIX attributes and symlinks when transferring to, from, and between POSIX filesystems; as well as object ACLs, CMEK, temporary holds, and object creation time when transferring between Cloud Storage buckets.

See Metadata preservation for details.

Transfer Appliance now supports monitoring of the amount of data stored on your appliance, and whether online transfer is enabled, through Cloud Monitoring. See Monitor Transfer Appliance for details.

Cloud Bigtable now gives you the option to undelete a table for up to seven days from the time of deletion using the gcloud CLI. This feature is generally available (GA).

The Cloud Healthcare API offers single-region support in the asia-southeast2 (Jakarta, Indonesia) region.

A second June maintenance changelog is now available. For more information, use the links at Maintenance changelog.

A second June maintenance changelog is now available. For more information, use the links at Maintenance changelog.

The fix to the silent data corruption when using the CREATE INDEX CONCURRENTLY or REINDEX CONCURRENTLY SQL commands in PostgreSQL 14 (BUG #17485) is now available in the self-service maintenance release POSTGRES_14_2.R20220331.02_012 for PostgreSQL 14.2.

After applying the self service maintenance, you can fix any silent data corruption if it already happens using REINDEX CONCURRENTLY SQL command on the specific indexes, or reindexdb client command for your entire instance.

A second June maintenance changelog is now available. For more information, use the links at Maintenance changelog.

Newly published documentation about the issuer switch features and API is available here: Issuer switch documentation

Vertex AI Forecasting is available in GA. The following features are available:

• Forecasting with ARIMA+
• Explainable AI for Forecasting
• Hierarchical Forecasting
• Model training with AutoML or Seq2Seq+
• Forecasting window configuration during model training
• Holiday effect modeling during model training

You can now enable platform logging for reCAPTCHA Enterprise API calls. For more information, see Working with platform logs.

Regional support for default pools and build triggers is now generally available. To learn more, see Cloud Build locations.

Cloud Composer supports Per-folder Roles Registration.

Improved performance when searching for large FHIR resources in the FHIR viewer.

Cloud SQL for MySQL supports in-place major version upgrades in Preview. You can upgrade your instance's major version to a more recent version. For more information, see Upgrade the database major version in-place.

Object Lifecycle Management now supports new conditions and a new action.

• The MatchesPrefix and MatchesSuffix conditions allow you to restrict lifecycle actions to objects with specific prefixes and suffixes.

• The AbortIncompleteMultipartUpload action allows you to remove abandoned XML API multipart uploads.

GA: You can now use the SSH troubleshooting tool from the Cloud console to help you determine the cause of failed SSH connections. For more information, see SSH troubleshooting tool.

Support for Firebase Realtime Database is in Preview.

Support for schema extensions in Managed Microsoft AD is available for Preview. Learn how to extend the schema.

The maximum amount of active VMs has been increased from 100 to 200 VMs.

Cloud Bigtable is available in the us-east5 (Columbus) region. For more information, see Bigtable locations.

You can now collect Jetty metrics from the Ops Agent, starting with version 2.17.0. For more information, see Monitoring third-party applications: Jetty.

You can now view the configuration of charts on a dashboard while the dashboard is in read-only mode. For more information, see Show the chart configuration.

You can now create dual-stack clusters in Alpha Compute Engine API-enabled projects with GKE versions 1.24.1-gke.1000 and later. With dual-stack networking, GKE assigns an IPv4 and an IPv6 address to the cluster nodes and Pods. You can create dual-stack Services of type ClusterIP or NodePort. This feature is now available in Preview. For more information, see the Dual-stack networking.

Release 1.11.3

Anthos clusters on bare metal 1.11.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.3 runs on Kubernetes 1.22.

Apigee Integration trials

Starting with this release, Apigee Integrations is available in an Apigee Eval org which lets you try out the integrations feature without getting billed for the usage. For information, see Enable integrations in an eval org.

Updates to SetIntegrationRequest policy

The SetIntegrationRequest policy has the following updates:

• Support for ref attribute in the <Parameter>, <ParameterArray>, and <Value> elements. By using this attribute, you can assign flow variable values to the parameters.

• Empty  <Parameter> and <ParameterArray> elements are supported. However, if these elements are empty, Apigee treats the element value as null.

• Empty <Value> element is not supported. If the element is empty, Apigee reports an error.

The BI Engine preferred tables feature lets you limit BI Engine acceleration to a specified set of tables. This feature is now in preview.

CloudSQL for PostgreSQL now supports replication from an external server.

The PostgreSQL interface is now generally available, making the capabilities of Cloud Spanner accessible from the PostgreSQL ecosystem. It includes a core subset of the PostgreSQL SQL dialect, support for the psql command-line tool, native language clients, and integration into existing Google tools. For more information, see PostgreSQL interface.

Preview: You can now get cost insights in the Recommender API, and use them to detect anomalies in your costs. For example, you see a cost insight in the API if your costs for a day are significantly higher or lower than your typical daily costs.

• Learn about using cost insights to detect anomalies in your costs.
• Read an overview of insights in Recommender.

Private Service Connect supports publishing a service that is hosted on an internal regional TCP proxy load balancer in a service producer VPC network. The backends can be located in Google Cloud, in other clouds, in an on-premises environment, or any combination of these locations.

This feature is available in Preview.

Added the ability to sort by Name and Created fields in the Apps and Teams tables. Click the column heading to sort.

The Data Collectors UI is now generally available.

A search bar has been added to the new Proxy Editor Develop view. This lets you search for items within a proxy or sharedflow bundle.

Query queues are now available in preview for on-demand and flat-rate customers. When query queues are enabled, BigQuery automatically determines the query concurrency rather than setting a fixed limit. Flat-rate customers can override this setting with a custom concurrency target. Additional queries beyond the concurrency target are queued until processing resources become available.

You can enable an instance to publish to a subscriber that is external (or internal) to Cloud SQL. In this scenario, Cloud SQL for SQL Server can act as a publisher to an external subscriber. This functionality, which is generally available, uses transactional replication.

For more information, see Configure external replicas.

In Cloud SQL, you can use SQL Server Audit capabilities to track and log server-level and database-level events. This functionality is generally available.

For more information, see SQL Server database auditing.

Added support for PubSubSchema resource.

Added spec.cdnPolicy.cacheKeyPolicy field to ComputeBackendBucket.

Dataproc Metastore: For 1.5 images, added a spark.hadoop.hive.eager.fetch.functions.enabled Spark Hive client property to control whether the client fetches all functions from Hive Metastore during initialization. The default setting is true, which preserves the existing behavior of fetching all functions. If set to false, the client will not fetch all functions during initialization, which can help reduce high latency during initialization, particularly when there are many functions and the Metastore is not located in the client's region.

The Dialogflow CX search feature is now GA (generally available).

Inventory retrieval for Local VMWare, Google Compute Engine, and Migrate for Compute Engine v5 source providers

A VM inventory is now available for local VMWare, Google Computer Engine, and Migrate 4 Computer Engine v5 source providers and is accessible through both Cloud Console and migctl. Using this feature, the list of candidate VMs for migration can be viewed for a given source, including the VM ID required to start a new migration.

• To access the inventory through Cloud Console: go to your sources page, and select a source from the dropdown.

• To access the inventory through migctl run the migctl source list-vms <my-source> command.

Tomcat health probes

Tomcat deployments will use Kubernetes readiness and liveness probes by default. Users can disable or modify those probes while editing the migration plan. Use health probes to provide better pod management and reduce down time during scaling and rolling updates. To learn more about the available probes, see Set Tomcat health probes.

Linux Service Manager health probes

Linux Service Manager deployments will use Kubernetes readiness and liveness probes by default. Users can select which services are probed while editing the migration plan. Use health probes to provide better pod management and reduce down time during scaling and rolling updates. To learn more about the available probes, see Set Linux v2kServiceManager health probes.

Migration fit assessment

Migrate to Containers offers a fit assessment tool that runs on a VM workload to determine the workload's fit for migration to a container. To learn more about the tool see, Using the fit assessment tool.

Windows features

The following functions were added to the Windows IIS migration flow:

• MSVC Runtime support - The migration flow will discover Microsoft Visual C++ runtime libraries installed on the source VM and will allow installing these runtimes on the migrated container.
• PATH environment variable extraction - The migration flow will discover additional PATH variable entries and will add them to the PATH variable in the migrated container.

Workflows can invoke private on‑premises, Compute Engine, Google Kubernetes Engine (GKE), or other Google Cloud endpoints that are Identity-Aware Proxy (IAP)-enabled.

Cloud Load Balancing introduces a new version of the external HTTP(S) load balancer. The new global external HTTP(S) load balancer with advanced traffic management capabilities contains many of the features of our existing classic HTTP(S) load balancer, but with an ever-growing list of traffic management capabilities such as weighted traffic splitting, request mirroring, outlier detection, fault injection, and so on.

For details on the new load balancer, see:

• External HTTPS(S) Load Balancing overview
• Load balancer features (External HTTP(S) > Global )
• Setting up a global external HTTP(S) load balancer
• Traffic management for global external HTTP(S) load balancers

This load balancer is available in General Availability.

Datastore now supports the not-equal (!=), IN and NOT_IN query filters. The filters are now available in the Google Cloud console and the following client libraries:

• Java
• Python
• PHP
• Node.js

A feature for protecting tag values from being deleted has launched into general availability. If a tag value has a tag hold, it cannot be deleted by users unless the tag hold is first deleted. For more information about tag holds, see Protecting tag values with tag holds.

Support for IAM resource-level policies for Vertex AI featurestore and entityType resources is available in Preview.

Anthos clusters on VMware 1.10.5-gke.26 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.10.5-gke.26 runs on Kubernetes 1.21.5-gke.1200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.11, 1.10, and 1.9.

Preview: Windows VMs now support SSH connections from the gcloud CLI. For more information, see Connect to Windows VMs using SSH.

Support for 3rd generation AMD EPYC Milan processors on general purpose N2D machine types is now generally available, featuring:

• AMD Secure Encrypted Virtualization (SEV) which can encrypt the memory of the VM to protect data in-use

Support for compute-optimized C2D machine types is now generally available, featuring:

• 3rd generation AMD EPYC Milan processors
• AMD Secure Encrypted Virtualization (SEV) which can encrypt the memory of the VM to protect data in-use
• Large VM sizes
• Optimized for high-performance computing (HPC)

Datastream now supports the use of tags on its resources, which include private connectivity configurations, connection profiles, and streams. Tags are key-value pairs that you can apply to your Datastream resources for fine-grained access control. To learn more, see Access control with tags. To use tags, see Manage tags.

You can now order Transfer Appliance from the Cloud console, as well as view, track, and manage your orders and appliances. For more info, see the Order Transfer Appliance page.

The ability to restrict resource creation of global security configuration to comply with data residency requirements is now GA.

Advanced networking capabilities for Bare Metal Solution–Enables you to use the following features:

• Add multiple VLANs on the same bonded server interface.
• Configure multiple VLAN attachments over a Partner Interconnect connection to your Bare Metal Solution environment.
• Connect the Bare Metal Solution environment to more than one Virtual Private Cloud (VPC) in your Google Cloud project.
• Use network templates to enable a flexible