Google Cloud release notes

Cloud SQL for MySQL now supports using the lower_case_table_names flag for MySQL 8.0. For more information, see Configure database flags.

Vertex AI Matching Engine

Vertex AI Matching Engine now offers General Availability support for updating your indices using Streaming Update, which is real-time indexing for the Approximate Nearest Neighbor (ANN) service.

Release 1.13.3

Anthos clusters on bare metal 1.13.3 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.3 runs on Kubernetes 1.24.

Cloud Logging now supports the following regions:

• US

• EU

For more information, see Data regionality for Cloud Logging.

You can now use the ALTER INDEX statement to add columns into an index or drop non-key columns. For more information, see Alter an index.

The Document AI OCR Processor has the following new features:

• The OCR Processor now supports extracting embedded text from digital PDFs in public preview. A fallback to the optical OCR model is automatically triggered to extract text in the regions when the PDF being processed contains non-digital text. To opt into this feature, set process_options.ocr_config.enable_native_pdf_parsing=true in your API request to the OCR Processor.

• Added advanced versioning support to the Document AI OCR, which enables OCR users to pin to a historical model version. When enabled, OCR outputs are guaranteed to be consistent and virtually frozen, with zero behavioral drifts. To enable advanced versioning, select the release candidate version pretrained-ocr-v1.2-2022-11-10 in your Document AI console.

Support for the australia-southeast2 (Melbourne) region.

Support for the australia-southeast2 (Melbourne) region.

Pub/Sub Lite now supports export subscriptions. You can use an export subscription to export Pub/Sub Lite messages to a destination Pub/Sub topic. This feature is generally available (GA).

Storage Transfer Service now offers Preview support for tracking progress of a Transfer Job using Cloud Monitoring, allowing you to monitor the number of objects and amount of data copied by Storage Transfer Service in near real-time.

See Monitor transfer jobs for details.

The ITAR compliance regime is now generally available.

Automatic IAM database authentication for Cloud SQL for MySQL is now available. To get started using automatic IAM database authentication, see Cloud SQL IAM database authentication.

MySQL 5.7.38 has been upgraded to 5.7.39. For more information, see MySQL 5.7 release notes.

The image import tool now supports importing RHEL 9 images to Google Cloud.

Dataflow now supports regional placement for workers.

Dataplex BigLake integration is now available in preview. Dataplex BigLake integration allows upgrading a Cloud Storage bucket to managed, creating BigLake tables instead of external tables. This allows the manual application of column-level, row-level, and table-level policies.

Dialogflow CX now supports flow export to diagram in the draw.io XML format.

Advanced network DDoS protection is now Generally Available for network load balancers, protocol forwarding, and VMs with public IP addresses. Metering and billing of Managed Protection Plus protected resources and the data processing fee for the endpoint covered by advanced Network DDoS protection will begin on Jan 31, 2023. For more information, see Configure advanced DDoS protection and the Cloud armor pricing page.

Global external HTTP(S) load balancer is now supported with the GKE Gateway controller in Preview. You can now configure GKE clusters with control plane version 1.24 or later in Rapid channel to use a global external HTTP(S) load balancer to expose web services to the Internet, in a single cluster or multi-cluster architecture. You can benefit from many advanced traffic management capabilities offered by the new generation of Google Cloud global external HTTP(S) load balancers natively in GKE by using the Kubernetes Gateway API and specifying a new Gateway class. To see the difference between Gateway classes compatible with our GKE Gateway controller, see here.

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Dormant Service Account Action rule to Preview. This rule detects events where a dormant user-managed service account triggered an action. For more information, see Event Threat Detection rules.

A new series of enhancements for handling locality load balancing in proxyless mesh deployments is now available in GA. These enhancements let you do the following:

• Create and use a list of preferred load-balancing policies. With this feature, if your first preferred policy can't be used by a particular client, gRPC falls back to the next policy on the list.

• Use a custom load-balancing policy that you created and deployed with gRPC. As part of a related gRPC enhancement, a new set of APIs lets you capture metrics about query cost and server utilization. You can use these APIs to fine-tune your custom policy.

For more information about using these features, see Locality load balancing.

This release of Anthos attached clusters supports AKS and EKS cluster versions 1.21, 1.22, 1.23, 1.24 and 1.25.

This generation of Anthos attached clusters further streamlines the process of attaching your cluster to the Google Cloud infrastructure.

This release supports logging and monitoring of your cluster's status with full log examination through Google's Cloud Logging UI.

This release supports migration of your existing EKS and AKS clusters from the previous generation Anthos attached clusters product.

You can now dynamically update AWS node pool security groups. To do so your API role must have the ec2:ModifyInstanceAttribute and ec2:DescribeInstances permissions.

You can now dynamically updating AWS node pool tags. To do so, your API role must have the autoscaling:CreateOrUpdateTags, autoscaling:DeleteTags, ec2:CreateTags, ec2:DeleteTags, and ec2:DescribeLaunchTemplates permissions.

Elastic File System (EFS) dynamic provisioning is now available in GA for clusters at version 1.25 or later. To use this feature, you must add the following permissions to the control plane role:

• ec2:DescribeAvailabilityZones
• elasticfilesystem:DescribeAccessPoints
• elasticfilesystem:DescribeFileSystems
• elasticfilesystem:DescribeMountTargets
• elasticfilesystem:CreateAccessPoint
• elasticfilesystem:DeleteAccessPoint

You can now upload workload metrics using Google Managed Service for Prometheus with managed collection to Cloud Monarch. This has been upgraded from a preview feature to GA.

You can now enable and update CloudWatch metrics collection on AWS node pool's auto scaling group. To use this feature your API role must have the autoscaling:EnableMetricsCollection and autoscaling:DisableMetricsCollection permissions.

Added a new token manager (gke-token-manager) to generate tokens for control plane components. This eliminates a control-plane component dependency on kube-apiserver, removes the need for RBAC in token generation, and permits logging to begin earlier in the startup cycle.

As a preview feature, Google Cloud Monitoring can now ingest a set of control plane metrics from kube-apiserver, kube-scheduler, kube-controller manager and etcd.

Administrators can grant AWS cluster access to all members of a Google Group by granting the required RBAC permission to the group. For details, see Set up the Connect gateway with Google Groups.

You can now upload workload metrics using Google Managed Service for Prometheus with managed collection to Cloud Monarch. This has been upgraded from a preview feature to GA.

Azure ActiveDirectory is now supported in GA, letting cluster admins configure RBAC policies based on Azure AD groups for authorization in clusters and supporting retrieval of groups information for users belonging who belong to more than 200 groups.

Added a new token manager (gke-token-manager) to generate tokens for control plane components. This eliminates a control-plane component dependency on kube-apiserver, removes the need for RBAC in token generation, and permits logging to begin earlier in the startup cycle.

As a preview feature, Google Cloud Monitoring can now ingest a set of control plane metrics from kube-apiserver, kube-scheduler, kube-controller manager and etcd.

Administrators can grant Azure cluster access to all members of a Google Group by granting the required RBAC permission to the group. For details, see Set up the Connect gateway with Google Groups.

Anthos clusters on VMware 1.13.3-gke.26 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.13.3-gke.26 runs on Kubernetes 1.24.7-gke.1700.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

Preview: Batch supports VPC Service Controls, which lets you create perimeters that protect the resources and data of Google Cloud services that you explicitly specify. For more information about using VPC Service Controls with Batch, see Supported products and limitations.

You can now access and query Cloud SQL data over a private connection. This feature is generally available (GA).

You can now view a list of certificates managed by Certificate Manager in your project in the Cloud Console. You can also view detailed information about each certificate. For instructions, see Manage Certificates.

Load Balancing SSL certificates, previously available in the "Certificates" tab on the "Load Balancing" page, are now also available in the Certificate Manager page in the "Classic Certificates" tab.

Cloud Data Fusion integrates with Data Catalog for asset level lineage in Preview.

You can now allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL for MySQL and make queries against this data over a private connection. For more information, see Create instances.

You can now allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL for PostgreSQL and make queries against this data over a private connection. For more information, see Create instances.

M102 Release

• TensorFlow 2.11 is now available.
• PyTorch 1.13 is now available.
• Regular security patches and package upgrades.

M102 Release

• TensorFlow 2.11 is now available.
• PyTorch 1.13 is now available.
• Added support for Jupyter[Lab] Language Server Protocol.
• Regular security patches and package upgrades.

Eventarc support for creating triggers for direct events from the following sources is available in Preview:

• API Gateway
• Apigee Registry
• BeyondCorp
• Certificate Manager
• Cloud Data Fusion
• Cloud Functions
• Cloud Memorystore for Memcached
• Database Migration
• Datastream
• Eventarc
• Workflows

Event Threat Detection, a built-in service of Security Command Center, launched the following rules to Preview.

• Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity
• Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity
• Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access
• Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity
• Privilege Escalation: Anomalous Service Account Impersonator for Data Access

These rules detect the unusual impersonation or delegation of a service account, as recorded in either the Admin Activity or Data Access audit logs. For more information, see Event Threat Detection rules.

Storage Transfer Service now offers GA Support for transferring data between file systems, including on-premises file systems and Filestore instances. This allows you to use the Transfer Service API, gcloud command line tool, or the Cloud console to migrate data from a self-managed file system to Filestore; accelerate data transfer from an on-premise file system to a cloud file system; or move data between on-premises systems.

You can also transfer specific files or objects using a manifest for file system to file system transfers.

Preview stage support for the following integrations:

• Batch

A workflow's source and details can now be updated independently through the Cloud Console using the Source and Details tabs for quicker editing.

Release 1.12.6

Anthos clusters on bare metal 1.12.6 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.6 runs on Kubernetes 1.23.

The following resource types are now publicly available through the Export APIs (ExportAssets, ListAssets, and BatchGetAssetsHistory), Feed API, and Search APIs (SearchAllResources, SearchAllIamPolicies).

• Transcoder
  • transcoder.googleapis.com/Job
  • transcoder.googleapis.com/JobTemplate

Zonal Cloud DNS zones are now available in GA.

You can create private DNS zones that are scoped only to a Google Cloud zone.

Configuring Cloud DNS scopes is now available in GA.

Cloud Data Fusion is available in the following regions:

• us-east5
• us-south1

For more information, see Locations and Pricing.

You can disable noisy or otherwise unnecessary threat IDs by using the --threat-exceptions flag when you create or update your Cloud IDS endpoint. IDS Threat Exceptions is now Generally Available. For more information, see the Cloud IDS overview

You can now use the Observability tab on the Kubernetes Engine Workloads page to see the five workloads consuming the most of a resource. For more information, see View cluster and workload observability metrics.

Cloud Router supports Multiprotocol BGP (MP-BGP) and can exchange IPv6 prefixes over IPv4 BGP sessions. Cloud Router supports IPv6 prefix advertisement for VPC networks with dual-stack subnets. You can enable IPv6 prefix exchange over IPv4 BGP sessions that are created for HA VPN tunnels. This feature is generally available.

Cloud Spanner now offers the Cloud Spanner change streams to Pub/Sub Dataflow template, which streams Cloud Spanner data change records and writes them into Pub/Sub topics.

You can now create a custom instance configuration and add optional read-only replicas to your custom instance configurations to scale reads and support low latency stale reads. For more information, see Regional and multi-region configurations.

Cloud VPN supports dual-stack HA VPN gateways that allow both IPv4 and IPv6 traffic. By using Multiprotocol BGP (MP-BGP) sessions in Cloud Router, HA VPN can connect your peer networks to VPC networks with dual-stack subnets. This feature is generally available.

Cloud DNS for GKE (cluster scope) is now Generally Available. You can now configure GKE clusters with control plane version 1.24.7-gke.800, 1.25.3-gke.700 or later to use Cloud DNS as the DNS provider for in-cluster name resolution, and replace the existing DNS service based on kube-dns.

GKE Autopilot clusters may now migrate the cluster's datapath provider to Dataplane V2. Migration is triggered during a control plane upgrade (see version requirements below). The migration is complete once all nodes running the legacy datapath have been recreated. Node pools created after the control plane upgrade will be created using Dataplane V2.

• For clusters running 1.24 without Dataplane V2, upgrading to 1.24.7-gke.300 or a higher 1.24 version will begin the migration to Dataplane V2.

• For clusters running 1.25 without Dataplane V2, upgrading to 1.25.3-gke.200 or a higher 1.25 version will begin the migration to Dataplane V2.

To determine whether you are in the process of migrating the datapath, run:

gcloud container clusters describe <CLUSTER> --region <REGION> --project <PROJECT> --format="value(networkConfig.datapathProvider)"

Clusters migrating to Dataplane V2 will have the datapath provider field of the cluster set to MIGRATE_TO_ADVANCED_DATAPATH.

Clusters that have migrated to Dataplane V2 will have the datapath provider field of the cluster set to ADVANCED_DATAPATH.

General Availability: VPC Peering supports the exchange of IPv6 routes between peered VPC networks.

You can now launch clusters with the following Kubernetes versions:

• 1.23.13-gke.2000
• 1.24.7-gke.2000
• 1.25.3-gke.1900

Release 1.14.0

Anthos clusters on bare metal 1.14.0 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.14.0 runs on Kubernetes 1.25.

Improved cluster lifecycle functionalities:

• Upgraded from Kubernetes version 1.24 to 1.25.

• Enabled customers to run the latest health and preflight checks by running the command bmctl check cluster –check-image-version=latest. Setting the check-image-version flag to 'latest' ensures that clusters are examined for more recent issues, including issues discovered after a release.

• Preview: Added support of Control group v2 (cgroup v2).

• GA: Added automatic reservation of CPU and memory resources on cluster nodes so that system daemons have the resources they require.

• Optimized the consumption of resources by components such as cluster-operator, cap-manager, preflight-check operator, and lifecycle-controllers-manager.

• GA: Enabled automatic and periodic health checks on all clusters.

Networking:

• Preview: Added support for turning on kube-proxy-free mode for cluster objects. WARNING: This operation is not reversible. Once enabled, it cannot be disabled.

• Changed behavior of Dataplane V2 so that it drops a packet if no service backends are available. Previously, the packet was passed to the kernel stack.

• Enabled automatic API rate limit adjustments in Dataplane V2.

Observability:

• Added severity level to container logs.

• Enabled collection of uptime and other Kubernetes resource metrics from the kubelet summary API.

• Enabled Stackdriver log forwarder in the bootstrap cluster. This log forwarder publishes bootstrap container logs to Cloud Logging.

Security and Identity:

• GA: Added feature enabling cluster administrators to configure RBAC policies based on Azure Active Directory (AD) groups. Groups information for users belonging to more than 200 groups can now be retrieved.

• GA: Added secure computing mode (seccomp) support. Running containers with a seccomp profile improves the security of a cluster because it restricts the system calls that containers are allowed to make to the kernel.

• Added annotation in the cluster configuration file which allows customers to disable the kubelet read-only port. After disabling the read-only port, customers have to change their cluster configurations so that workloads use the kubelet secure port.

VM Runtime:

• GA: Added support for guest OS booting of UEFI. Previously, only BIOS was supported.

• Preview: Enabled Terraform scripting to create VMs on an Anthos cluster. For more information, including usage instructions, an input reference, and examples, see the terraform-google-anthos-vm GitHub repository.

• Preview: Add support for non-uniform memory access (NUMA) awareness. When enabled, all communication within the VM is local to the NUMA node, thus avoiding the performance cost of data transactions with remote memory locations.

• Preview: Enabled multicast traffic for VMs.

• Added Anthos VM Runtime preflight checks to validate hardware accelerator configuration.

• Enabled configuration of storage's volume mode (block or filesystem) and access modes, such as RWO and RWX.

• Enabled means to configure the storage class of a scratch space. A scratch space is sometimes required when importing or uploading a VM disk image.

• Added support for configuring cloud-init, using virtctl.

• Enabled ability to disable auto-installation of the guest agent binary. After the initial guest agent installation, yoiu can set the autoInstallGuestAgent flag to false so that the binary doesn't mount in subsequent restarts.

• Enabled the support of multiple network interfaces, by default, for all clusters.

• Improved security for creating a VM with kubectl virt create. If an initial password is specified, it is now stored in a secret and not as a VM annotation.

• Reduced the permissions of the network controller.

• Changed default to always use Asynchronous IO mode (AIO) in order to reduce QEMU memory pressure.

• Added VM creation and disk provisioning times to Prometheus metrics.

• Added support for the Tesla T4 GPU.

• Enabled reset of GPU card to its original status when GPU functionality is disabled.

• Enabled ability to disable Anthos VM Runtime when it's in the enabling state and custom resource definitions haven't yet been installed.

• Added the following command, which allows you to display the VM screen: kubectll virt vnc --screenshot VM_NAME.

• Fixed the IP address update for Windows guest VMs.

• Resolved the MacVTap interface creation failure which occurred when the name of the interface was too long.

• Fixed attaching VM disk using SATA driver.

• Fixed issue so that setting disableCDIUploadProxyVIP to true correctly disables the cdi-uploadproxy service.

• Fixed issue so that specifying a PersistentVolumeClaim (PVC) with an empty underlying PersistentVolume (PV) correctly creates the underlying empty disk format (raw or qcow2).

• Enforced VM names to follow the standard RFC1123 format.

• Fixed issue so that ISO image is correctly imported from a Cloud Storage bucket.

• Fixed benign crash looping of the NVIDIA device plugin and the Multi-Instance GPU (MIG) manager when all GPU cards are allocated to a VM.

• Fixed issue so that virt-launcher Pod can be created when advanced compute is enabled.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

You can now use any configured service account in your Cloud project as the app-level default service account, while creating and updating your App Engine applications.

Data lineage is available in Preview in Cloud Composer 2.

Data lineage is a Dataplex feature that lets you track how data moves through your systems: where it comes from, where it is passed to, and what transformations are applied to it.

Database Migration Service now supports high availability (HA) instances for MySQL and PostgreSQL database migrations. To find out how to configure connectivity for a high availability instance, click here. To learn how to configure a high availability instance when creating a migration job, click here.

The cloudfunctions.googleapis.com/v2 API now supports reading 1st gen functions, using the get and list methods. Function responses contain an Environment field that differentiates between 1st and 2nd gen functions.

You can use the filter field to restrict the response to only 2nd gen functions, for example: filter=environment="GEN_2".

Note that 1st gen functions in europe-west5 can't be read from the v2 API as the region is not available yet in 2nd gen.

If you are using an older version of gcloud, the gcloud functions list command may show 1st gen functions twice. Updating to a newer version of gcloud should fix this.

You can use the new Map view on the VM Instances dashboard to visualize the health of the resources in your fleet. Using the map, you can group VMs by resource labels, like "instance group" or "zone", and color the VMs by the value of a metric, like CPU utilization, to highlight hotspots and anomalies in your fleet.

The Cloud SQL System insights dashboard now shows additional metrics and an events timeline. You can also use the Auto refresh function to keep the dashboard up to date.

Generally available: NVIDIA® T4 GPUs are now available in the following region and zones:

• Hong Kong, APAC: asia-east2-a,c

For more information about using GPUs on Compute Engine, see GPU platforms.

Added support for DataCatalogTaxonomy resource. This resource has been auto-generated and is in alpha stability.

Added spec.maxTimeTravelHours to BigQueryDataset.

Added spec.build.step.script to CloudBuildTrigger.

Added spec.sourceDiskRef and status.sourceDiskId to ComputeDisk.

Added spec.rules to ComputeRouterNAT.

Added spec.clusterAutoscaling.autoProvisioningDefaults.diskSize to ContainerCluster.

Added status.member to IAMServiceAccount.

Added spec.settings.timeZone to SQLInstance.

Compact placement policy is now generally available. Set up a compact placement policy to specify that nodes within the node pool should be placed in closer physical proximity to each other within a zone. Having nodes closer to each other can reduce network latency between nodes, which can be useful for tightly-coupled batch workloads.

Reserving static regional internal IPv6 addresses is available in Preview.

The AlloyDB index advisor helps you optimize your databases by observing the queries your databases handle, and then recommending new indexes based on these observations.

Support for moving a Cloud Spanner instance is now generally available. You can request to move your Spanner instance from any instance configuration to any other instance configuration, including between regional and multi-region configurations. For more information, see Move an instance.

An update to Spanner change streams provides two new data capture types for change records:

• NEW_VALUES mode captures only new values in non-key columns, and no old values. Keys are always captured.
• NEW_ROW mode captures the full new row, including columns that are not included in updates. No old values are captured.

Note that existing change streams remain set to OLD_AND_NEW_VALUES.

Dataplex auto data quality (AutoDQ) is now available in Preview. Dataplex auto data quality helps data users build trust in their data with a turnkey and automated product that encapsulates the entire process of data quality.

Dataplex data profiling is now available in Preview. Dataplex data profiling helps data users build deeper understanding about their data by identifying common data characteristics. Dataplex utilizes this information to recommend the data quality rules as well.

Dialogflow CX now supports interaction logging export to BigQuery.

Dialogflow CX added sentiment analysis support in the following regions for English (en), French (fr), Italian (it), German (de), and Spanish (es) languages:

• asia-southeast1
• europe-west1
• europe-west2
• europe-west3
• northamerica-northeast1

The Form Parser now supports Generic Entity Extraction in Public Preview, covering the following entity types:

• email: email address
• phone: phone number
• url: website URLs
• date_time: partial or full date/time/period
• address: full address or street address in a single line
• person: partial or full name of a person
• organization: full name of an organization
• quantity: a number specifying quantity or percentage
• price: a number specifying monetary amount
• id: a number specifying identity
• page_number: a number specifying page number

The Form Parser has the following feature enhancements:

• The Form Parser key-value pair (entity and checkbox) extraction and table extraction now support 200+ languages that are supported by the underlying multi-language OCR model. This language expansion is in Public Preview, with key-value pair internationalization backed by quality benchmarks in selected languages such as Simplified Chinese, Traditional Chinese, Japanese, and Korean.

• Table extraction in Form Parser is now powered by an enhanced vision-based table parsing model.

These enhanced features are automatically enabled for Form Parser processor version pretrained-parser-v2.0-2022-11-10 and all future versions. Note that this is a Release Candidate version, which is subject to further changes before graduating to the Stable version.

Release 1.12.5

Anthos clusters on bare metal 1.12.5 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.5 runs on Kubernetes 1.23.

Operating systems updates for Bare Metal Solution servers–The following OS is now supported on general-purpose servers:

• Red Hat Enterprise Linux (RHEL) 8.4

Other formatting revisions have been added to the Bare Metal Solution operating systems page and the SAP HANA on Bare Metal Solution operating systems page to make them easier to use.

More options are now available when you create and manage repricing configurations for your customers. This includes the option to add one override per SKU group (currently only Google Marketplace and Maps groups) to provide further discounts or markups for your customers.

A snapshot of product SKUs for each SKU group can be downloaded as a CSV from the partner Sales Console. Use this feature for greater control and transparency of partner program discounts. Visit the rebilling overview to learn more about this feature.

Rebilling data exported to BigQuery now includes the columns: CustomerRepricingConfigName, ChannelPartnerRepricingName, and Tags. The first full month with this data will be Jan, 2023. For more information see the Rebilling Table Schema and sample export queries.

Tags are attached to resources and support inheritance, centralized management, nomenclature standardization, and policy engine integration. For Cloud Billing, Tags help map costs across your organization. In cost reporting, you can query on Tags to perform Cost Management tasks like chargebacks, audits, and other cost allocations.

The Key Usage dashboard in the Google Cloud console and the new KMS Inventory REST API are now in Preview.

For more information about the Key Usage dashboard, see View key usage.

For more information about the KMS Inventory REST API, see KMS Inventory API.

For example curl commands using the KMS Inventory REST API, see View key usage and View keys by project.

Healthcheck probes are now at general availability (GA).

Added the dataproc.googleapis.com/job/state metric to track the status of Dataproc Jobs states (such as, RUNNING or PENDING). This metric is collected by default and is not chargeable to customers.

Dataproc job IDs are now queryable and viewable from MQL(Monitoring Query Language), and the metric can be used for long-running job monitoring and alerting.

M101 Release

• TensorFlow patch version upgrades:
  • From 2.8.3 to 2.8.4.
  • From 2.9.2 to 2.9.3.
  • From 2.10.0 to 2.10.1.
• TensorFlow 1.15 Deep Learning Containers images are now deprecated.
• Regular security patches and package upgrades.

M101 Release

• TensorFlow patch version upgrades:
  • From 2.8.3 to 2.8.4.
  • From 2.9.2 to 2.9.3.
  • From 2.10.0 to 2.10.1.
• TensorFlow 1.15 Deep Learning VM images are now deprecated.
• Regular security patches and package upgrades.

Storage Transfer Service offers Preview support for event-driven transfers - serverless, real-time replication from AWS S3 to Cloud Storage, and between Cloud Storage buckets. With this new capability, you can accelerate your event-driven analytics pipeline, enable automatic replication across Cloud Storage buckets, create a backup copy of data in a different region or project, or perform live migration.

Learn more about Event-driven transfers.

M101 Release

The M101 release of Vertex AI Workbench includes the following:

• TensorFlow patch version upgrades:
  • From 2.8.3 to 2.8.4.
  • From 2.9.2 to 2.9.3.
  • From 2.10.0 to 2.10.1.
• TensorFlow 1.15 on Vertex AI Workbench is now deprecated.
• Added *.notebooks.cloud.google.com as part of the domains required for users to access Notebooks API. Removed *.datalab.cloud.google.com.
• Regular security patches and package upgrades.

A list.prepend function is available to support creating a copy of a list with a new element added to the beginning.

AlloyDB cross-region replication replicates your primary cluster's data and resources. It makes the data and resources available in different regions, allowing disaster recovery in the event of an outage in the primary region.

The constraint template library includes a new template: K8sBlockAllIngress. For reference see Constraint template library.

The constraint template library includes a new template: K8sBlockCreationWithDefaultServiceAccount. For reference see Constraint template library.

The constraint template library includes a new template: K8sBlockObjectsOfType. For reference see Constraint template library.

The constraint template library includes a new template: K8sEnforceCloudArmorBackendConfig. For reference see Constraint template library.

The constraint template library includes a new template: K8sEnforceConfigManagement. For reference see Constraint template library.

The constraint template library includes a new template: K8sRequireDaemonsets. For reference see Constraint template library.

The constraint template library includes a new template: K8sRequireDefaultDenyEgressPolicy. For reference see Constraint template library.

The constraint template library includes a new template: K8sRequireValidRangesForNetworks. For reference see Constraint template library.

The constraint template library includes a new template: K8sRestrictRbacSubjects. For reference see Constraint template library.

The following enhancements are made to Config Sync metrics:

• Enhanced the histogram distribution bounds for the parser_duration_seconds and apply_duration_seconds metrics to support longer durations.
• Enhanced the last_sync_timestamp metric to prevent timeseries with empty commits.
• Added a new label called controller into the apply_operations metric to track whether the operation is from the applier or the remediator.
• Support the errorclass label of the reconciler_errors metric correctly.

For more details, see Monitor Config Sync.

Added resource tags to all Config Sync metrics to identify the source component. For more information, see Config Sync Metric Tags.

Anthos clusters on VMware 1.11.6-gke.18 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.6-gke.18 runs on Kubernetes 1.22.15-gke.3300.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

GA release of Simplified Onboarding for Apigee X (Pay-as-you-go) in the Google Cloud console.

With this release, new Apigee customers using Pay-as-you-go pricing can quickly configure Apigee using a simplified onboarding flow accessible from the Google Cloud console.

• The new onboarding UI provides stepped navigation consistent with other products available in the console.
• Apigee X (Pay-as-you-go) provisioning is simplified but remains flexible. Default settings are provided, with the option to customize as needed.
• Improved contextual help streamlines decision-making during onboarding.

See Before you begin and Get started in the Cloud Console for more details on provisioning Apigee X with Pay-as-you-go pricing from the Google Cloud console.

The demo query guide helps you query a public dataset from Google Trends and is now in preview.

The following changes were made to UDM Search. You can now do the following:

• Use enhanced filtering to include Bottom 30 values in addition to Top 30 values for each UDM Field in search results
• Use 'field[key] = value' exact match to search the 'additional' and 'labels' fields
• Pin fields (using the push pin icon) in Quick Filter to save them as a favorite. They will appear at the top of the Quick Filters list
• Save column layouts and load them
• Escape special characters by using backslashes and double-quotes

Cloud Bigtable now lets you restore from a backup to a different project. This feature is generally available (GA). To learn more, see Bigtable backups.

The ability to configure deletion protection for a Cloud Bigtable table is now generally available (GA). This setting prevents deletion of the table, its column families, and the instance containing the table. See Modify deletion protection for instructions.

Preview: Get estimated costs in the Google Cloud console

You can now estimate the cost of Compute Engine and Cloud Storage workloads in the Google Cloud console. The Cost Estimation tool provides estimates that also include any custom contract prices on your Cloud Billing account. These cost estimates can help you make more informed business decisions.

Learn about estimating costs in the Google Cloud console.

Generally available: You can merge your active hardware resource commitments into one larger commitment to track and manage them as a single entity. You can now also merge your commitments by using the Google Cloud Console. For more information, see Merging commitments.

AutoProvision service will return an operation ID for immediate completed operations.

Enable operation service for Document AI Warehouse v1 service.

Partially supports Google AIP-160 syntax (https://google.aip.dev/160) in search query. Search query now supports literals, logical operators, negation operators, comparison operators, and functions.

VPC Service Controls for Document AI Warehouse are publicly supported.

Performance Dashboard now shows latency metrics between VMs and Internet endpoints:

• In the Project performance view, Performance Dashboard shows latency between VMs across all Google Cloud regions and Internet endpoints.
• In the Google Cloud performance view, Performance Dashboard shows latency metrics for regions where you have VM instances and the Internet locations communicating with the VMs.

The Malicious URL Observed detector of Container Threat Detection, a built-in service of Security Command Center Premium, is now generally available.

The detector checks URLs observed in arguments passed by executables against known phishing and malware URLs to determine if they are malicious.

You can see the full details of the detector's findings only if you upgrade to the refreshed findings display in the Security Command Center dashboard.

For more information, see the following pages:

• Container Threat Detection overview
• Findings Workflow Improvements

Sensitive Actions Service, a built-in service of Security Command Center Premium, is now generally available.

Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they were to be taken by a malicious actor.

For more information, see Sensitive Actions Service overview.

You can now enable the email verification feature of MFA from the Google Cloud console. For instructions, see Configure Multi-factor authentication.

The Go 1.18 and Go 1.19 runtimes for App Engine standard environment are now available in Preview.

The Node.js 18 runtime for App Engine standard environment is now available in Preview.

BeyondCorp Enterprise integration with Microsoft Intune is generally available (GA).

With this integration, you can collect real-time information about the devices in your organization using Microsoft Intune, and use this information to manage your devices and control access to your organizational resources using BeyondCorp Enterprise.

You can now retrieve information about a Cloud Bigtable query to help you evaluate the query's performance. This feature is generally available (GA). For more information, see Get query stats.

Cloud Data Fusion is available in the following region:

• me-west1

For more information, see Locations and Pricing.

Preview: You can now query asset metadata via the Cloud Asset Inventory API or the Cloud console, without needing to export the data to a BigQuery table first. This feature is available as a preview for Security Command Center Premium customers.

• Documentation
• Go to Cloud Asset Inventory query in the Cloud console

(Cloud Composer 2) Environment snapshots and Scheduled snapshots are now generally available (GA) for Cloud Composer 2 versions 2.1.1 and later.

Scheduled snapshots provide additional support for running disaster recovery scenarios.

Cloud Data Fusion version 6.8.0 is in Preview. This release is in parallel with the CDAP 6.8.0 release.

Features in 6.8.0:

• Replication from Oracle to BigQuery using Datastream is generally available (GA).

• Cloud Data Fusion supports BigQuery batch source pushdown.

• Cloud Data Fusion supports AND triggers. You can create OR and AND triggers. Previously, all triggers were OR triggers.

Cloud Run support for a new second generation execution environment is now at generally availability (GA).

Cloud Run support for network file systems such as NFS, NDB, 9P, CIFS/Samba, and Ceph, as well as Cloud Filestore and Cloud Storage FUSE, is now at general availability (GA.)

On the Error Reporting page, use the new resource filter to filter error groups by resource type. For more information, see Filter errors.

Support for refactoring applications running on JBoss Enterprise Application Platform or WildFly application platform to containers, which lets you deploy the application as containers on GKE, GKE Autopilot clusters, Anthos clusters, and Cloud Run, released for Public Preview. See Migrate JBoss Servers.

Support for refactoring Apache 2 Linux based applications to containers, which lets you deploy Apache 2 application components as containers on GKE, GKE Autopilot clusters, Anthos clusters, and Cloud Run, released for Public Preview. See Migrate Apache 2 Servers.

Enhanced control on the verbosity of backend logs. You can now use the migctl logging set-verbosity <verbosity> command, where verbosity 0 corresponds to info logs only and verbosity 1 shows debug logs. See migctl reference.

A new suite of client-side metrics for the Cloud Bigtable client for Java is generally available (GA) in versions 2.16.0 and later. To learn more about using the new monitoring metrics for performance optimization and troubleshooting, see the Client-side metrics overview.

(Cloud Composer 2) The Composer Local Development CLI tool is now available to help streamline testing and developing using local Airflow environments with Composer 2.

Cloud DNS per resource IAM permissions are available in GA.

Currently, health check probes for hybrid NEGs originate from Google's centralized health checking mechanism. If you cannot allow traffic that originates from the Google health check ranges to reach your hybrid endpoints and would prefer to have the health check probes originate from your own private IP addresses instead, speak to your Google account representative to get your project allowlisted for distributed Envoy health checks.

This feature is available in General availability for allowlisted projects only.

New SQL syntax, RETURNING in the PostgreSQL dialect and THEN RETURN in Google Standard SQL, selects and returns data from rows that were just updated as part of a DML statement. This is especially useful for getting values from default or generated columns and can reduce latency over equivalent multi-statement transactions. The preview supports the Java, JDBC, Python, and Go Spanner clients as well as PostgreSQL drivers that connect through PGAdapter.

Dataproc Metastore administrator interface is available in preview.

The administrator interface provides you with a centralized tool to inspect and manage the metadata stored in your Dataproc Metastore service.

You can now set the minimum observation period for the IAM recommender to 30 or 60 days instead of the default period of 90 days. For more information, see Configure role recommendation generation. This feature is available in Preview.

The kernelRootkit attribute was added to the Finding object of the Security Command Center API.

The kernelRootkit attribute contains information about a kernel rootkit that triggered a finding, including the following:

• Name of the rootkit, if available.
• Whether unexpected modifications were made to the kernel's code, read-only data memory, or certain important kernel data structures.

For more information, see the Security Command Center API documentation for the Finding object.

The Pipeline Templates feature is now generally available (GA). The Your Templates tab is supported by Artifact Registry and allows you to publish and curate pipeline and component templatess. For documentation, refer to Create, upload, and use a pipeline template.

(New environments only) Creating Cloud Composer 2 environments no longer depends on the constraints/compute.requireOsLogin organization policy setting.

(Cloud Composer 2) Cloud Composer 2 environments now include the composer-user-workloads namespace that you can use to run user-defined workloads.

The number of concurrent database restore operations per instance that Cloud Spanner supports has increased from five to ten. For more information, see Backup and restore limits.

Preview: Confidential Space is designed to let parties share sensitive data with a mutually agreed upon workload, while they retain confidentiality and ownership of that data. Such data might include personally identifiable information (PII), protected health information (PHI), intellectual property, cryptographic secrets, and more. Confidential Space helps create isolation so that data is only visible to the workload and the original owners of the data.

Eventarc support for customer-managed encryption keys (CMEK) is generally available (GA).

Event Threat Detection, a built-in service of Security Command Center, launched the Initial Access: Database Superuser Writes to User Tables rule to General Availability. This rule detects events where a Cloud SQL superuser (postgres for PostgreSQL servers or root for MySQL users) writes to non-system tables. For more information, see Event Threat Detection rules.

The AlloyDB Clusters page of the Google Cloud console displays summary cards and a resource table that provide an overview on the overall health of your databases. This helps you monitor the real-time performance of your database fleet.

BigQuery now supports querying Apache Iceberg tables that are created by open source engines. This feature is in preview.

Google Cloud Platform Plugins version 0.20.4 is generally available (GA) in Cloud Data Fusion versions 6.7.1 and 6.7.2. This version includes Dataplex Source and Sink plugins in GA. For more information, see the CDAP Hub release log.

Google Cloud Platform Plugins version 0.19.3 is generally available (GA) in Cloud Data Fusion version 6.6.0. This version includes Dataplex Source and Sink plugins in GA. For more information, see the CDAP Hub release log.

The NEW_ZEALAND_IRD_NUMBER infoType detector is available in all regions.

The VAT_NUMBER infoType detector is available in all regions. Currently, this detector identifies VAT numbers from France, Germany, Hungary, Indonesia, Italy, and the Netherlands.

For more information about all built-in infoTypes, see InfoType detector reference.

Dataplex Source and Sink plugins are generally available (GA) in Cloud Data Fusion for ingesting and processing data.

Error Reporting is a Virtual Private Cloud (VPC) supported service.

The Agent Assist Smart Reply feature now supports French (Canada) in addition to English (United states). See the language support page for details.

Users can generate Supply chain Levels for Software Artifacts (SLSA) build provenance information for standalone Java and Python packages when they upload artifacts to Artifact Registry using new fields available in the Cloud Build config file. This feature is in public preview. For more information, see Build and test Java applications and Build and test Python applications.

AutoML image model updates

AutoML image classification and object detection now support a higher-accuracy model type. This model is available in Preview.

For information about how to train a model using the higher accuracy model type, see Begin AutoML model training.

Batch prediction is currently not supported for this model type.

Cloud Logging for Vertex AI Pipelines is now generally available (GA). For more information, see View pipeline job logs.

Three new rate limiting keys are now Generally Available:

• HTTP-PATH
• SNI
• REGION-CODE

For more information about using rate limiting keys, see the Rate limiting overview.

Kubernetes control plane logs are now Generally Available. You can now configure GKE clusters with control plane version 1.22.0 or later to export to Cloud Logging logs emitted by the Kubernetes API server, Scheduler, and Controller Manager.

These logs are stored in Cloud Logging and can be queried in the Cloud Logging Log Explorer or Cloud Logging API. These logs can also be sent to Google Cloud Storage, BigQuery, or Pub/Sub using the Log Router.

You can now use deprecation insights to identify clusters on versions 1.23 and earlier that use Docker-based node images, which are unsupported on GKE version 1.24 and later.

BigQuery now supports the following features when you load data:

• ASCII control characters for CSV files.
• Reference file with the expected table schema for creating external tables with Avro, ORC, and Parquet files.

These features are generally available (GA).

View granular cost data from Cloud Run instances in Cloud Billing exports to BigQuery

You can now view granular Cloud Run cost data in the Google Cloud Billing detailed export. Use the resource.global_name field in the export to view and filter your Cloud Run instances.

Review the schema of the Detailed cost data export.

View granular cost data from Cloud Function instances in Cloud Billing exports to BigQuery

You can now view granular Cloud Function cost data in the Google Cloud Billing detailed export. Use the resource.global_name field in the export to view and filter your Cloud Function instances.

Review the schema of the Detailed cost data export.

Preview: VMware Engine private clouds support the addition of a Trusted Platform Module (TPM) 2.0 virtual cryptoprocessor to a virtual machine.

For details about this feature, see About Virtual Trusted Platform Module.

Release 1.13.2

Anthos clusters on bare metal 1.13.2 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.2 runs on Kubernetes 1.24.

Cloud Functions has added support for a new runtime, Node.js 18, at the Preview release level.

The following resource types are now publicly available through the Export APIs (ExportAssets, ListAssets, and BatchGetAssetsHistory), Feed API, and Search APIs (SearchAllResources, SearchAllIamPolicies).

• Service Directory
  • servicedirectory.googleapis.com/Namespace

Dialogflow CX now integrates with GitHub. This integration makes it easy to export your agent to JSON for a push to GitHub, and to pull from GitHub for an agent restore.

The Logs tab available for each cluster on the Kubernetes Engine > Clusters page now includes suggested queries for your logs. For more information about using your GKE logs, see Viewing your GKE logs.

Release 1.11.8

Anthos clusters on bare metal 1.11.8 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.11.8 runs on Kubernetes 1.22.

You can now configure Cloud Build to continue executing a build even if specified steps fail. This feature is available as a preview release. To learn more, see the allowFailure and allowExitCodes topics in Build configuration file schema.

Airflow 2.3.4 is available in Cloud Composer images.

You can download private offers as PDFs. Offers can include notes from the vendor and the included EULA.

You can download private offers as PDFs. Offers can be saved at any point in the offer process and can include internal notes and the EULA for the offer.

GKE Autopilot clusters support compact placement policies in version 1.25 and later.

Policy Analyzer now offers organization policy analysis. Policy Analyzer helps you get more information about the resources affected by an organization policy constraint. This feature is available in Preview.

The Kafka Connector library for Pub/Sub and Pub/Sub Lite is now generally available.

The Kafka Connector library for Pub/Sub and Pub/Sub Lite is now generally available.

Policy Analyzer now offers organization policy analysis. Policy Analyzer helps you get more information about the resources affected by an organization policy constraint. This feature is available in Preview.

Vertex AI Prediction

You can now perform some simple filtering and transformation on the batch input in your BatchPredictionJob requests without having to write any code in the prediction container. This feature is in Preview. For more information, see Filter and transform input data.

Anthos clusters on VMware 1.13.2-gke.26 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.13.2-gke.26 runs on Kubernetes 1.24.7-gke.1400.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

The Impact Level 4 (IL4) compliance regime is now generally available.

Object tables are now in preview. Object tables are read-only tables containing metadata for unstructured data stored in Cloud Storage. These tables enable you to analyze and perform inference on images, audio files, documents, and other file types by using BigQuery ML and BigQuery remote functions. Object tables extend structured data features such as data security and governance best practices to unstructured data.

Metadata caching is now in preview. Using cached metadata might improve query performance for BigLake tables and object tables that reference large numbers of objects, by allowing the query to avoid listing objects from Cloud Storage.

Internal HTTP(S) load balancers and internal TCP proxy load balancers now support global access. By default, clients for these load balancers must be in the same region as the load balancer. With global access enabled, clients can access the load balancer from any region. They still must be in the same VPC network as the load balancer or in a VPC network that's connected to the load balancer's VPC network by using VPC Network Peering.

For instructions, see the following:

• Enable global access for internal HTTP(S) load balancers
• Enable global access for internal TCP proxy load balancers

Logs from Cloud Run services can now be tailed or viewed in a command-line friendly format using gcloud beta run services logs tail and gcloud beta run services logs read

Preview: You can limit the runtime of a VM to automatically stop or delete it when a time limit is reached. Limiting VM runtimes can help you optimize temporary workloads by minimizing costs and releasing quota. For more information, see Limit the runtime of a VM.

Dataproc Serverless for Spark supports Spark and System metrics. These metrics are enabled by default. Spark driver and executor metrics can be customised using overrides.

Starting November 17, 2022, newly created private clouds will utilize IP address layout (IP Plan) version 2.0 subnet allocations. HCX addressing is now included in the management CIDR allocation, simplifying the process of starting data center VM migrations. IP Plan version 2.0 also enables additional scale and features delivered to your public cloud in upcoming releases.

Stretched private clouds are now available in the europe-west3 (Frankfurt) region. You can use stretched private clouds to stretch vSphere/vSAN clusters across zones and protect against zone level failures. This functionality enables high levels of availability for business critical applications.

GKE Autopilot clusters support signaling to GKE that a particular node is problematic in version 1.24 and later.

The Vertex AI Pipelines email notification component is now generally available (GA). This component enables you to configure your pipeline to send up to three emails upon success or failure of a pipeline run. For more information, see Configure email notifications and the Email notification component.

Preview: Connectivity to Private Service Connect endpoints used to access a managed service is supported over VLAN attachments for Cloud Interconnect

Generally available: You can double the default size limit for a managed instance group (MIG): Zonal MIGs support up to 2,000 VMs and regional MIGs support up to 4,000 VMs. For more information, see Increase the group's size limit.

The Identity Document Proofing Processor is designed to help predict the validity of ID documents with four different signals:

• is_identity_document detection: predict whether an image contains a recognized identity document.
• suspicious_words detection: predict whether words are present that aren't typical on IDs.
• image_manipulation detection: predict whether the image was altered or tampered via an image editing tool.
• online_duplicate detection: predict whether the image can be found online.

Filestore Backups for High Scale and Enterprise tier instances is available in Preview.

Filestore Multishares for GKE is now generally available.

Event Threat Detection, a built-in service of Security Command Center Premium, has launched the Initial Access: Excessive Permission Denied Actions rule to Preview. This rule detects events where a principal repeatedly triggers permission denied errors across multiple methods and services.

For more information about Event Threat Detection findings, see Event Threat Detection rules.

Preview: Private Service Connect endpoints with consumer HTTP(S) controls now support accessing regional Google APIs and managed services using the following load balancers:

• Regional internal HTTP(S) load balancer
• Regional external HTTP(S) load balancer

Agent Assist has launched backend modules as a GA feature. Backend modules is an out-of-the-box solution that provides an effective backend infrastructure, making integrating Agent Assist with your agent system faster and easier. See the backend modules basics and integration guide for details.

The Agent Assist Console is now GA. The Console now also includes built-in workflow tutorials that walk you through creating a dataset, training and testing a model, and creating a conversation profile. Sample datasets and demo models are now provided as well. To see the new Console tutorials, navigate to the Console and click the Get started button under the feature you'd like to test.

Agent Assist now supports sentiment analysis of voice data as a private Preview feature. For more information, see the Agent Assist private features documentation. To gain access to the private documentation, please contact your Google representative.

Agent Assist now supports CCAI Transcription as a GA feature. CCAI Transcription allows you to convert streaming audio data into text transcripts in real time, allowing you to implement Agent Assist features for use with voice data. See the documentation for details.

UDM Search

UDM Search is a new Chronicle search feature which enables you to find UDM events within your Chronicle instance. You can search both for individual UDM events and groups of UDM events tied to shared search terms. UDM search includes a number of search features, enabling you to navigate through your UDM data:

• Quick Filters—Fast access to saved searches and search history.
• Event Viewer—View the raw log and UDM for the event.
• Search Manager—Comprehensive view of your saved searches and search history.

There is also a new UDM search API method available for the Chronicle Search API.

Be sure to review Google's recommended best practices for conducting searches using UDM Search. UDM searches can require substantial computational resources to complete if they are not constructed carefully. Performance also varies depending on the size and complexity of the data in your Chronicle instance.

Cloud Bigtable now lets you retrieve metadata about a table, giving you greater observability when troubleshooting. This feature is generally available (GA). For more information, see Table stats.

Time to live (TTL) is now supported in PostgreSQL-dialect databases. With TTL, you can reduce storage costs, improve query performance, and simplify data retention by automatically removing unneeded data based on user-defined policies.

Added support for the JSONB data type in the Cloud Spanner PostgreSQL dialect. For more information, see Work with JSONB data.

For online document translations, you can increase the page limit for native PDF documents to 300 pages.

Generally available: Use the new distribution shape ANY SINGLE ZONE in a regional managed instance group (MIG) to automatically select a single zone that has available resources within your quota. Recommended for workloads that require low latency, high-bandwidth connections between VMs or when you want to avoid inter-zone network traffic costs.

Added spec.gcRules to BigtableGCPolicy (Issues #624, #542, #482, #345, #300).

Added spec.load.jsonExtension to BigQueryJob.

Added spec.externalDataConfiguration.avroOptions to BigQueryTable.

Added spec.compressionMode to ComputeBackendBucket.

Added spec.compressionMode to ComputeBackendService.

Added spec.advancedOptionsConfig.jsonCustomConfig to ComputeSecurityPolicy.

Added spec.managementConfig.fullManagementConfig to ConfigControllerInstance.

Added spec.nodeConfig.guestAccelerator[].gpuSharingConfig and spec.notificationConfig.pubsub.filter to ContainerCluster.

Added spec.nodeConfig.guestAccelerator[].gpuSharingConfig to ContainerNodePool.

Added spec.config.dataprocMetricConfig, spec.config.gceClusterConfig.confidentialInstanceConfig, spec.config.gceClusterConfig.shieldedInstanceConfig, spec.config.masterConfig.diskConfig.localSsdInterface, spec.config.metastoreConfig.dataprocMetastoreServiceRef, spec.config.secondaryWorkerConfig.diskConfig.localSsdInterface, spec.config.securityConfig, spec.config.workerConfig.diskConfig.localSsdInterface and spec.virtualClusterConfig to DataprocCluster.

Added spec.cloudLoggingConfig to DNSManagedZone.

Added spec.persistenceConfig to RedisInstance.

Added status.version to SecretManagerSecretVersion.

Added spec.maintenanceVersion and status.availableMaintenanceVersions to SQLInstance.

Added spec.passwordPolicy to SQLUser.

Added spec.customPlacementConfig to StorageBucket.

Added spec.notificationConfig to StorageTransferJob (Issue #303).

Added support for DLPJobTrigger resource.

Topic modeling is now a GA feature. Topic modeling helps you discover topics (call drivers) in conversations between contact center agents and end-users. For more information, see the documentation.

Dialogflow CX agents can now be exported to JSON.

BigQuery subscriptions now support the JSON type for all string fields, including data and attributes. For more information about JSON type compatibility, see Properties of a BigQuery subscription.

Added support for a new recurring fees

Apigee X now supports optional recurring fees charged to API developers. For more information on fees, see Understanding billing.

The Israel Regions and Support compliance regime is now in Preview.

The slot estimator helps you manage slot capacity based on historical performance metrics. This feature is now generally available (GA).

Support for internal ingress from Cloud Tasks to Cloud Run and Cloud Functions is now at General Availability.

The files attribute was added to the Finding object of the Security Command Center API.

The files attribute contains information about each file that triggered a finding, including the name of the file, the full path to the file, and the size of the file.

For more information, see the Security Command Center API documentation for the Finding object.

Access Approval lets you revoke active access requests using the Google Cloud console.

Airflow triggerer and Deferrable Operators are available in Preview in Cloud Composer 2.

Note: Minimum versions required by Airflow triggerer: Cloud Composer 2.0.31 and up, Apache Airflow 2.2.5 and up.

Cloud Monitoring now provides a GKE Clusters dashboard for enabling Managed Service for Prometheus on clusters in your project. For more information, see Get started with managed collection.

Anthos clusters on VMware 1.11.5-gke.14 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.11.5-gke.14 runs on Kubernetes 1.22.15-gke.2200.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

Added support for a new setup fee

Apigee X now supports an optional setup fee charged to new API developers. For more information on fees, see Understanding billing.

Regional external and regional internal HTTP(S) load balancers now support regional SSL policies. SSL policies give you the ability to control the features of SSL that your Google Cloud load balancers negotiate with clients.

For details, see:

• SSL policies overview
• Use SSL policies

This feature is in General Availability.

You can now use the Google Cloud console to get role recommendations and policy insights for buckets. Role recommendations and policy insights help you understand and manage permission usage for your buckets.

Generally available: Share sole-tenant node groups with other projects or with your entire organization. For more information, see Share sole-tenant node groups.

Enable the validation check for Enum property values by default. Enum values that are not defined in the schema will not be allowed to be set to the corresponding document property Enum fields. The validationCheckDisabled flag in EnumTypeOptions disables the ENUM Validation.

Enable text extraction feature.

You can now use use compact placement for node auto-provisioning in Standard clusters with GKE version 1.25 and later. To learn more, see Use compact placement for node auto-provisioning.

Security Command Center added the ability to export findings to a CSV file from the Google Cloud console. For more information, see Export findings to a CSV file.

The CBSDs can now operate in the 3650–3700 MHz portion of the CBRS band in the 150 km area around fixed-satellite service (FSS) receive-only earth stations. The 150 km area around each FSS for 3650-3700 MHz that was considered an exclusion zone is now a protection zone. For more information on how to access the CBRS heatmaps, see CBRS heatmaps.

This feature is Generally Available (GA).

Users can now use SMB to transfer data by enabling SMB file share.

AutoML Image Classification Error Analysis

Error analysis allows you to examine error cases after training a model from within the model evaluation page. This feature is available in Preview.

For each image you can inspect similar images from the training set to help identify the following:

• Label inconsistencies between visually similar images
• Outliers if a test sample has no visually similar images in the training set

After fixing any data issues, you can retrain the model to improve model performance.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

The option to set IP mode to internal for App Engine flexible environment instances is now generally available.

Enhancements to Bare Metal Solution resource management–Adds the following self-service functionality:

• Manage networks–You can create, attach, detach, and delete networks. You can also add, update, and delete VLAN attachments.
• Manage boot volume snapshots–You can create, delete, and restore boot volume snapshots.
• Manage NFS file storage–You can create, update, and delete NFS storage volumes.
• Advanced networking–You can add connections to multiple networks on a single server. You can now view advanced networking information through the Google Cloud console too.
• Labels–You can organize your Bare Metal Solution resources by using labels. You can add labels to servers, networks, storage volumes, and NFS file storage.
• Manage the power state of servers–You can turn power on and off for your server and restart your server. You can also check the status of a server.

You can now transfer data from Amazon S3 and Azure Blob Storage to BigQuery using the LOAD DATA statement. This feature is generally available (GA) and includes support for the following features:

• Transfer files that are hive partitioned.
• Load semi-structured JSON source data into BigQuery without providing a schema by using JSON columns in the destination table.
• Encrypt destination tables using customer managed encryption keys.
• Transfer data to US multi-region and US-EAST-4 regions.

Alerts and IOC Matches

The Alerts and Indicators of Compromise (IOC) page displays all the alerts and IOCs currently impacting your enterprise. It provides tools that enable you to filter and view your alerts and IOCs.

• Alerts can be designated by your security infrastructure, by your security personnel, or by Chronicle Uppercase.

• IOCs are designated automatically by Chronicle. Chronicle is always absorbing data from both your own infrastructure and numerous other security data sources. It automatically correlates suspicious security indicators with your security data. If a match is found (for example, a suspicious domain is found within your enterprise), Chronicle labels the event as an IOC and displays it on the IOC matches tab.

You can also still navigate to the Enterprise Insights page using the link provided at the top of the Alerts and IOCS page. To view CBN alerts, you still need to use the Enterprise Insights page.

Alert view

Alert view shows a variety of information with regards to a specific alert, including:

• Alert Status

• Alert Details—Displays an alert's creation time, recent updates, and its associated rule.

• Decision States—Displays the verdict for the alert and if it is an indication of a security issue. History—Displays the history of changes made to the alert by your security team. For alerts originating from Chronicle SOAR, Alert view also includes the number and a link to the associated Chronicle SOAR case. You can pivot to your Chronicle SOAR account using this link.

Chronicle SOAR Authentication

You can authenticate with your Chronicle SOAR account from Chronicle. Once you have authenticated with your Chronicle SOAR account, you can pivot between your Chronicle account and your Chronicle SOAR account as needed.

Chronicle SOAR Cases

Chronicle SOAR ingests alerts from a variety of sources. You can conduct additional investigations of Chronicle SOAR cases from Chronicle or pivot to Chronicle SOAR. You can pivot to your Chronicle SOAR Cases from the Chronicle application menu. For more information on Chronicle SOAR cases, see the Chronicle SOAR documentation.

Chronicle SOAR Playbooks

Chronicle SOAR Playbooks define a series of automatic steps taken when triggered by an incoming alert and can be used to investigate and respond to security issues. You can pivot to your Chronicle SOAR Playbooks from the Chronicle application menu. For more information on Chronicle SOAR Playbooks, see the Chronicle SOAR documentation.

Expanded Cloud Storage monitoring dashboards are now available in Preview.

• Available metrics include server and client error rates, write request counts, network ingress rates, and network egress rates.
• Dashboards can be filtered by bucket location.
• Dashboards are customizable, including the ability to set up alerts.

In addition to the project-wide dashboard, per-bucket dashboards are available in a new Observability tab in the Bucket Details for each bucket.

Support for VPC Service Controls is in Preview.

Curate which products are available for your Organization to use with Private Marketplace (Preview). You can add products to collections and share these collections with your organization, folders, or projects.

Learn more about Private Marketplace.

GKE Gateway for Single Cluster is now generally available in GKE version 1.24 and later. Use the Gateway API to express the intent of your inbound HTTP(S) traffic into your GKE cluster and the Gateway controller will instrument and fully manage the external and/or internal HTTP(S) load balancer(s) that forwards traffic to your applications. For complete details about the GKE Gateway controller, refer to the following documentation.

You can use the Google Cloud console to view authentication activities, which indicate when your service accounts and keys were last used to call a Google API.

Feature Transform Engine is available in Preview. For documentation, refer to Feature engineering.

Release 1.12.4

Anthos clusters on bare metal 1.12.4 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.12.4 runs on Kubernetes 1.23.

DNS Resolution is generally available (GA). You can use domain or hostnames for sources instead of IP addresses for pipeline design-time activities, such as getting schema, wrangling, and previewing pipelines.

Cloud Spanner now supports cross-region and cross-project backup use cases. You can copy a backup of your database from one instance to another instance in a different region or project to provide additional data protection and compliance capabilities.

The Autoclass feature is now available.

• When enabled, Autoclass transitions the storage classes of your objects automatically based on their access patterns.
• Currently, Autoclass can only be enabled at the time of bucket creation.

M100 Release

• Regular package updates.

M100 Release

• Migrated the Docker proxy agent to use a systemctl service.
• Regular package updates.

M100 Release

The M100 release of Vertex AI Workbench includes the following:

• Fixed a bug that prevented an instance with a GPU from starting.
• Regular package updates.
• Miscellaneous bug and display fixes.

Preview: You use the private.googleapis.com and restricted.googleapis.com VIPs to access Google APIs and services using IPv6 addresses. For more information, see the following pages:

• Use the VIPs from VMs with internal IPv6 addresses
• Use the VIPs from VMs with external IPv6 addresses
• Use the VIPs from on-premises hosts with IPv6 addresses
• Use restricted.googleapis.com with VPC Service Controls

In the Cloud console, the Add data feature lets you access popular ways to search for and ingest data sources that work with BigQuery. For an example, see viewing listings in Analytics Hub. This feature is now generally available (GA).

Users can now customize Slack notifications for their builds using notifier templates. To learn more, see Configure Slack notifications.

The ExcludeByHotword type was added as a type of ExclusionRule. With this new type, you can do the following:

• Exclude a column from inspect findings if the column name matches a regular expression.
• Exclude a finding from inspect findings if that finding is proximate to a string that matches a regular expression.

Previously, you could do these only by setting up a hotword rule that lowers the likelihood of the matching findings.

For more information on excluding findings, see Exclusion rules.

You can now dynamically include your log content in your alert notifications for easier troubleshooting. For more information about extracting log content into labels, see Create a log-based alert (Monitoring API).

You can now dynamically include your log content in your alert notifications for easier troubleshooting. For more information about extracting log content into labels, see Create a log-based alert (Monitoring API).

Generally available: Memory-optimized M3 virtual machine instances are available in the following regions and zones:

• Frankfurt, Germany (europe-west3-a,b)
• Eemshaven, Netherlands (europe-west4-a,b)
• Council Bluffs, Iowa, USA (us-central1-a,b)
• Las Vegas, Nevada, USA (us-west4-a,b)

See VM instance pricing for details.

If a Dataproc Metastore service uses the gRPC endpoint protocol, a Dataproc or self-managed cluster located in any region can attach to the service.

The following languages are now GA (generally available) for Dialogflow CX:

• Bulgarian (bg)
• Catalan (ca)
• Croatian (hr)
• Czech (cs)
• Greek (el)
• Hebrew (iw)
• Hmong (hmn)
• Hungarian (hu)
• Serbian (sr)
• Slovak (sk)
• Somali (so)

The following new features have been introduced in this release of Google Distributed Cloud Edge:

• Anthos VM Runtime replaces Kubevirt in Google Distributed Cloud Edge starting with this release. To continue using your existing virtual machines, you must shut them down and back them up before your Distributed Cloud Edge deployment is upgraded to release 1.2.0, and then re-create them as described in Manage virtual machines.
• A new Google Distributed Cloud Edge hardware configuration is available. This new configuration supports GPU-based workloads that run on NVIDIA Tesla T4 GPUs in both containers and virtual machines. To order a GPU-enabled configuration, see Order Google Distributed Cloud Edge. To learn more about running workloads on GPUs, see Manage GPU workloads.
• Google Distributed Cloud Edge now supports the following networking features:
  • (Preview) Cross-project VPN Connections. To learn more, see Manage cross-project VPN Connections.
  • (Preview) MacVLAN driver support for creating secondary network interfaces for Pods running containerized workloads. The MacVLAN driver is not supported on Pods running virtual machines. To learn more, see Configure a secondary network interface on a Pod using the MacVLAN driver.
  • (Preview) Multi-network support for creating secondary network interfaces for Pods. To learn more, see Configure a secondary network interface on a Pod using Distributed Cloud Edge multi-networking.
  • (Preview) ClusterDNS resource. To learn more, see ClusterDNS resource.

When you create a LoadBalancer service in GKE, the Google Cloud controllers automatically create the following firewall rules and apply them to the GKE nodes to allow inbound connections on the Service port:

• Internal load balancer with GKE subsetting or external load balancer with regional backend services (RBS): k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]
• Internal load balancer without GKE subsetting or external load balancer with target pool: k8s-fw-[loadbalancer-hash]

These rules now include the load balancer IP address in the destination ranges field to further control the inbound connections to the nodes. You can use the gcloud compute firewall-rules describe command to check a relevant firewall. The new field in the output is similar to the following:

destinationRanges:
- [LOADBALANCER_VIRTUAL_IP_ADDRESS]

Support for schema extensions in Managed Microsoft AD is generally available. Learn how to extend the schema.

Support for the migration of users from an existing domain to Managed Microsoft AD is available in Preview. Learn how to enable permissions for migrating an on-premises domain with SID History.

Security Command Center released two new error detectors:

• KTD blocked by admission controller
• KTD image pull failure

These detectors report configuration errors that prevent the Container Threat Detection service from functioning properly.

Remediation guidance is provided for each finding type. For more information, see Security Command Center errors.

Beta stage support for the following integration:

• Config Controller

reCAPTCHA Enterprise offers the recommended score threshold system that allows users to calculate the best threshold value to take action against suspected bots based on the key's score history. Users can see this information on the reCAPTCHA Enterprise metrics page on the Google Cloud console.

Apigee support for using Private Service Connect (PSC) for client-to-Apigee (northbound) traffic is now GA. In addition, we now support using PSC for northbound routing in multi-region configurations. For details, see Expanding Apigee to multiple regions. See also Northbound networking with Private Service Connect and Migrate northbound routing to Private Service Connect.

The Logs tab available for each cluster on the Kubernetes Engine > Clusters page now includes suggested queries for your logs. For more information about using your GKE logs, see Viewing your GKE logs.

Vertex AI Prediction

You can now use A2 machine types to serve predictions.

Vertex ML Metadata

You can now filter contexts, executions, and artifacts by association and attribution.

Custom training on Vertex AI now supports NVIDIA A100 80GB GPUs on a2-ultragpu-1g/2g/4g/8g machines. For details, see Configure compute resources for custom training.

SQL functions for managing wrapped keysets are generally available (GA). You can now perform the following actions natively in BigQuery with fewer risks and steps:

• Create a wrapped keyset
• Rotate a wrapped keyset
• Rewrap a wrapped keyset
• Encrypt and decrypt a column with a wrapped keyset

Included with this release are the following new key management functions:

• KEYS.NEW_WRAPPED_KEYSET
• KEYS.ROTATE_WRAPPED_KEYSET
• KEYS.REWRAP_KEYSET

The following resource types are now publicly available through the analyze policy APIs (AnalyzeIamPolicy and AnalyzeIamPolicyLongrunning).

• Org Policies
  • orgpolicy.googleapis.com/Policy

You can now add table widgets to custom dashboards that let you limit the number of table rows, persiste specific columns, display only those rows with the highest, or lowest values, and that display a visual indicator of the value as compared to the range of possible values. For more information, see Display data in tabular form on a dashboard.

Support for the NHibernate ORM is now generally available, enabling you to use Cloud Spanner as a backend database for the NHibernate framework. For more information, see NHibernate Dialect for Cloud Spanner.

You can now easily identify clusters that use certificates incompatible with Kubernetes version 1.23. Kubernetes 1.23 deprecation insights are now available in Preview for clusters of at least version 1.22.6-gke.1000.

Vertex AI Prediction

Custom prediction routines (CPR) are now Generally Available. CPR lets you easily build custom containers for prediction with pre/post processing support.

VPC-SC for managed Anthos Service Mesh is generally available (GA) in the rapid channel.

The query execution graph is now in preview. You can use the query execution graph to diagnose query performance issues, and to receive query performance insights.

M99 Release

• Fixed a bug where Jupyter widgets through ipywidgets were causing errors and not displaying.
• Regular package updates.

M99 Release

• Fixed a bug where Jupyter widgets through ipywidgets were causing errors and not displaying.
• Updated TPU versions for TensorFlow 2.8, 2.9, and 2.10 Deep Learning VMs.
• Improved error messages for debugging custom container Deep Learning VMs that were instantiated with a GPU but without installing NVIDIA drivers.
• Regular package updates.

End-user authentication is being made available to managed Anthos Service Mesh in the rapid release channel. See the preceding release note for rollout timelines.

Anthos clusters on VMware 1.13.1-gke.35 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.13.1-gke.35 runs on Kubernetes 1.24.2-gke.1900.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.13, 1.12, and 1.11.

• Increased logging granularity for the cluster backup operation including indicating status for each step of the process.

Cluster lifecycle improvements in 1.13 and later

Preview: You can use the Google Cloud console to create user clusters, delete user clusters, and to add and remove node pools from a user cluster. To explore the new feature, try out the tutorial Create an Anthos on bare metal user cluster on Compute Engine VMs using the console.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

Build environment variables support is now generally available.

The BigQuery migration assessment is now available for Amazon Redshift in preview. You can use this feature to assess the complexity of migrating from your Amazon Redshift data warehouse to BigQuery.

The Cloud Router BGP MD5 authentication feature is Generally Available (GA). For more information, see Use MD5 authentication.

The image import tool now supports importing Ubuntu 22.04 LTS and Windows 11 images to Google Cloud.

BigQuery subscriptions now support the Avro logical types timestamp-micros, date, and time-micros. For more information about schema compatibility between a Pub/Sub topic and a BigQuery table, see Schema compatibility.

The feature for listing all tags that are attached to or inherited by your resources has entered general availability. For more information, see Creating and managing tags.

You can now use the Cloud Console UI to create and manage tags. For more information, see Creating and managing tags.

Beta stage support for the following integration:

• BigQuery Data Policy API

Private Service Connect supports internal regional TCP proxy load balancers as a service attachment target in General Availability. This lets you create hybrid TCP/UDP services where a clients in a VPC network can connect to an on-premise service by going through Private Service Connect and a TCP proxy with hybrid NEGs to reach a hybrid endpoint.

You can now launch clusters with the following Kubernetes versions:

• 1.22.15-gke.1400
• 1.23.12-gke.1400
• 1.24.6-gke.1300

Release 1.13.1

Anthos clusters on bare metal 1.13.1 is now available for download. To upgrade, see Upgrading Anthos on bare metal. Anthos clusters on bare metal 1.13.1 runs on Kubernetes 1.24.

The max_staleness materialized view option helps you achieve consistently high performance with controlled costs when processing large, frequently changing datasets. This feature is now in preview.

Column-level data masking is now generally available (GA). You can use data masking to selectively obscure column data for groups of users, while still allowing access to the column.

Cloud HSM resources are now available in the following regions:

• europe-southwest1
• europe-west9
• me-west1

For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see Cloud KMS locations.

Cloud Load Balancing introduces the internal regional TCP proxy load balancer. This is an Envoy proxy-based regional layer 4 load balancer that enables you to run and scale your TCP service traffic behind an internal regional IP address that is accessible only to clients in the same VPC network or clients connected to your VPC network.

The internal regional TCP proxy load balancer distributes TCP traffic to backends hosted on Google Cloud, on-premises, or other cloud environments.

For details, see the following:

• Internal TCP Proxy Load Balancing overview
• Set up an internal TCP proxy load balancer:
  • Instance group backends
  • Zonal NEG backends
  • Hybrid connectivity NEG backends

This capability is in General Availability.

Cloud SWG is available in Preview. Cloud SWG provides a secure web gateway that helps you secure egress web traffic (HTTP/S). Contact your sales representative to sign up and use Cloud SWG.

Dataproc Serverless for Spark now allows the customization of driver and executor memory using the following properties:

• spark.driver.memory
• spark.driver.memoryOverhead
• spark.executor.memory
• spark.executor.memoryOverhead

Dataproc Serverless for Spark now outputs approximate_usage after a workload finishes that shows the approximate DCU and shuffle storage resource consumption by the workload.

A new Release Candidate (RC) version of the Document OCR Processor, pretrained-ocr-v1.1-2022-09-12, is available in the US and EU. This RC can detect document defects.

• If the document is considered to be defective, the API now returns the same 5 document defect types supported by the Intelligent Document Quality Processor:
  • quality/defect_blurry
  • quality/defect_noisy
  • quality/defect_dark
  • quality/defect_faint
  • quality/defect_text_too_small
• In addition, it now supports 3 more defect types:
  • quality/defect_document_cutoff
  • quality/defect_text_cutoff
  • quality/defect_glare
• The defect detection results are in the image_quality_scores field on the Page object in the returned JSON. This additional feature adds latency comparable to OCR processing to the process call.