GCP Digest Issue 5

27 July 2020
The main highlights coming out of the first week of Next OnAir move Google Cloud into very strategic enterprise positions, albeit with offerings that differ greatly from the approach taken by other clouds (or that have no equivalent in other clouds).

First, the ability to use BigQuery while keeping your data in other clouds, with BigQuery Omni. Second, Confidential VMs, which allow your data to remain encrypted in memory and to be decrypted only right before it hits the CPU. Third, Assured Workloads for Government, which lets government workloads use the public cloud without a dedicated government cloud data center.

Short commentary: We are seeing the continual trend of Google Cloud preferring to govern things via software instead of via traditional physical and network separation. (After all, they have only one huge code repository in Google?) We have already seen this manifest itself via virtual software-defined global networks (so easy for customers). Now GCP takes it a step further, with software guarding the use of the government cloud without physical data center separation. As a software engineer, I can't help but feel that using software to govern things is always a risk (however inevitable that is nowadays with SaaS). There is always a chance that a bug in software causes things to go down, or causes huge security issues. We have already witnessed multiple (minor?) GCP outages in the past year which I observed were likely caused by global network configuration issues, or by something centrally managed like Cloud IAM. At the end of the day, pros and cons still apply to the cloud. The jury is still out on which approach is best.

On my end, I gave a talk on Cloud Build last week at a DevOps Malaysia meetup! In the talk, I explain in detail how to use Cloud Build, and give a demo deploying Ruby on Rails via Cloud Build in a real-world example. Check it out!

Happy reading!
- Jonathan Lin

Multi-cloud analytics with BigQuery Omni

BigQuery Omni is a flexible, multi-cloud analytics solution that lets you cost-effectively access and securely analyze data across Google Cloud, Amazon Web Services (AWS), and Azure (coming soon), without leaving the familiar BigQuery user interface (UI). BigQuery Omni runs on Anthos clusters that are fully managed by Google Cloud (read: you do not pay for Anthos), allowing you to securely execute queries on other public clouds. I believe even the egress charges are covered by Google Cloud. You only pay for the familiar $5 per TB charge for BigQuery. BigQuery Omni is currently in private alpha. Check out the blog post.

Confidential Computing with Confidential VMs

As it stands, your data in Google Cloud is always encrypted at rest and in transit, but decrypted in memory for use (e.g. in Compute Engine), which in itself is much better than what other clouds are doing (e.g. AWS allows unencrypted storage at rest in S3). Google Cloud goes even further with Confidential Computing, a breakthrough technology which encrypts data in use, that is, while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU). Now in beta, Confidential VMs are the first product in Google Cloud's Confidential Computing portfolio, which helps customers protect sensitive data, especially in regulated industries. It leverages Asylo, an open-source framework for confidential computing. More in the blog post.

Assured Workloads for Government

When it comes to government workloads, AWS and Azure took the traditional approach of building separate data centers solely for government use, at the cost of a slower pace of innovation. But these "government clouds" don't come with the technology and benefits that a modern commercial cloud provides, and often require users to operate two distinct application and operation supply chains, adding cost, complexity, and risk. (GCP makes it sound like government clouds are lagging behind in features; true or false?) With Assured Workloads for Government, now in private beta, Google Cloud customers can quickly and easily create controlled environments where U.S. data location and personnel access controls are automatically enforced in any of their U.S. cloud regions. See the blog post.

Global HTTP(S) Load Balancing and CDN for serverless compute

Historically, serverless products like App Engine used a different HTTP load balancing system than VM-based products like Compute Engine. With the new External HTTP(S) Load Balancing integration, serverless offerings like App Engine (standard and flex), Cloud Functions and Cloud Run can now use the same fully featured enterprise-grade HTTP(S) load balancing capabilities as the rest of Google Cloud.

With this integration, you can now assign a single global anycast IP address to your service, manage its certificates and TLS configuration, integrate with Cloud CDN, and for Cloud Run and Functions—load balance across regions. And over the coming months, GCP will continue to add features like support for Cloud Identity-Aware Proxy (IAP) and Cloud Armor. 

If you ask me, Cloud Load Balancer is slowly but surely becoming more and more like an API Gateway of sorts; you can mix and match any sort of backend, regardless of whether they are serverless or not, within Google Cloud or without. See the blog post for more.

New traffic control features in External HTTP(S) load balancer

In April, Google Cloud announced two new actions supported by the URL map: redirects and rewrites. Now, the External HTTP(S) load balancer also supports HTTP to HTTPS redirects. Previously, you would need to implement the redirect in your backend, with increased computational cost, configuration complexity, latency and bandwidth consumption. In addition, the load balancer can also signal that the request should be sent to a different host, or to a different URL path. Essentially, you can now redirect from HTTP to HTTPS, and rewrite hosts and paths, in the load balancer itself.

A URL redirect is usually a conversation between the user (browser) and the load balancer, but with the new URL rewrite feature, the change only affects communication between the load balancer and the backend. There is no need to go all the way back to the browser for the redirection (the traditional redirect). Another capability enabled by these new Cloud Load Balancing features is making routing decisions based on HTTP headers and/or query parameters, rather than just the host and path of the URL. Check out the blog post.
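As an added illustration (not configuration from the blog post), here is what such a setup looks like in the Compute Engine URL map YAML that `gcloud compute url-maps import` accepts: one map for the HTTP proxy that only redirects to HTTPS, and one for the HTTPS proxy that routes on a header or query parameter and rewrites the path. The project ID, backend service names, header name and values are placeholders; the two documents are imported as two separate URL maps.

```yaml
# URL map 1: attached to the target HTTP proxy (port 80). Its only job is to
# bounce every cleartext request to HTTPS at the load balancer, so no backend
# ever has to see, or redirect, plain-HTTP traffic.
name: http-to-https-redirect-map                    # placeholder name
defaultUrlRedirect:
  httpsRedirect: true                               # same host and path, scheme becomes https
  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT   # HTTP 301
  stripQuery: false                                 # keep the ?query=... on the redirect
---
# URL map 2: attached to the target HTTPS proxy (port 443). Routing here uses a
# header or a query parameter, not only host and path, and the rewrite changes
# the path the backend sees without a round trip to the browser.
name: https-routing-map                             # placeholder name
defaultService: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/web-default
hostRules:
- hosts:
  - '*'
  pathMatcher: main
pathMatchers:
- name: main
  defaultService: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/web-default
  routeRules:
  # Rule 1: /api/ requests carrying "X-Api-Version: 2" OR "?version=2" (the two
  # matchRules are OR'd; conditions inside one matchRule are AND'd) are rewritten
  # to /v2/api/ and sent to a separate backend, e.g. a serverless one.
  - priority: 1
    matchRules:
    - prefixMatch: /api/
      headerMatches:
      - headerName: X-Api-Version                   # placeholder header
        exactMatch: '2'
    - prefixMatch: /api/
      queryParameterMatches:
      - name: version
        exactMatch: '2'
    service: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/api-v2
    routeAction:
      urlRewrite:
        pathPrefixRewrite: /v2/api/                 # backend receives /v2/api/...; browser URL unchanged
  # Rule 2: a classic browser-visible redirect for a retired path.
  - priority: 2
    matchRules:
    - prefixMatch: /old-docs/
    urlRedirect:
      prefixRedirect: /docs/
      redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
      stripQuery: false
```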

Recommendations AI

Recommendations AI is now in beta. Recommendations AI places greater emphasis on each individual customer rather than on an item, thus piecing together the history of a customer's shopping journey and serving them with personalized product recommendations. Recommendations AI also excels at handling recommendations in scenarios with long-tail products and cold-start users and items. Its "context hungry" deep learning models use item and user metadata to draw insights across millions of items at scale and constantly iterate on those insights in real time, in a way that manually curated rules cannot keep up with. It also delivers a simplified model management experience in a scalable managed service with an intuitive UI. Check out the blog post.

Proxyless gRPC in Traffic Director

Many organizations turn to a service mesh to solve tedious and complicated networking problems, especially when using microservices. However, adopting a service mesh has traditionally meant (1) managing infrastructure (a control plane), and (2) running sidecar proxies (the data plane) that handle networking on behalf of your applications.

To solve the first problem, we already have Traffic Director, a Google Cloud-managed control plane. Google Cloud has also now announced a new approach to solving the second problem, i.e. you shouldn't need to manage a fleet of sidecar proxies. With Traffic Director support for proxyless gRPC services, you can bring proxyless gRPC applications to your proxy-based service mesh or even have a fully proxyless service mesh.

Proxyless gRPC is built on the simple idea: If Traffic Director can configure sidecar proxies to do load balancing on behalf of a gRPC client, why not have it just configure the gRPC client directly? Check out the blog post for more.

Google Cloud customers unite on C2C

C2C (Customer to Community) is a new, independent community for Google Cloud customers. It brings together IT executives, developers, and other cloud professionals from Google Cloud customers across the globe. It hopes to build a community where Google Cloud customers can learn, connect, and share knowledge, so that customers can harness their collective power to create an even better cloud that addresses their needs.

Some benefits of joining C2C:
  • Opportunities to make connections and learn from other customers, including sharing knowledge and best practices through virtual and in-person events;
  • Expanded access to Google Cloud experts and content, such as knowledge forums, white papers, and methodologies;
  • Early and exclusive access to Google Cloud product roadmaps, with opportunities to provide feedback and act as customer-advisors.
It is now open to all customers in North America and EMEA (Europe, the Middle East and Africa). Asian folks will have to wait (a bit longer). See the blog post.

Google Cloud ISV/SaaS Centre of Excellence

Frankly, I'm slightly vague about what this is. The Google Cloud ISV/SaaS Center of Excellence (CoE) is a new resource to help independent software vendors (ISVs), aka software companies. ISV Solution Architects within the CoE bring product, technology and solution architecture expertise across Google Cloud and other Google product areas. There is little detail in the blog post about what exactly a Center of Excellence resource is. Is it a forum? Is it a document? Is it a helpdesk to ask for help regarding solutions architecture?

Meet and Chat, right in Gmail

G Suite now intelligently brings together the people, content, and tasks you need to make the most of your time. Core tools like video, chat, email, files, and tasks will be integrated together (into Gmail), so that you can more easily stay on top of things, from anywhere. Watch the introductory YouTube video.

New G Suite security features

A couple of interesting new G Suite security features:
  • Brand Indicators for Message Identification (BIMI) enables organizations that authenticate their email using DMARC to validate ownership of their corporate logos and securely transmit them to Google.
  • Google Meet: Increased control for meeting hosts over who can “knock” and join their meetings, as well as advanced safety locks (e.g. hosts can decide which methods of joining require explicit approval, etc.)
  • Google Chat: When a link is sent to you via Chat, it will be checked against real-time data from Safe Browsing and flagged if it’s found to be malicious. Also, you’ll be able to report and block Chat Rooms if you suspect malicious activity in one.
More in the blog post.

Beta? GA?

The list below is best-effort and not meant to be exhaustive.

Entered GA

Entered Beta

For more product updates, visit the Google Cloud release notes.

  • Next OnAir (Weekly for 9 weeks, starting July 14)

For way more, check out TWiGCP's past two issues.

See you next time!
