Google Cloud rolled out a set of updates that affect cost, networking, and mesh hygiene across production clusters. The most impactful change for analytics teams is BigQuery Fluid Scaling reaching GA: autoscaling reservations now support per-second metering with no minimum billing duration for autoscaled capacity. Alongside that, Anthos Service Mesh (ASM) received an in-cluster patch release on the 1.28 line (1.28.7-asm.3), Network Connectivity Center (NCC) moved Partner Cross-Cloud Interconnect for AWS into public preview, and several security and data/runtime components received patch upgrades.
BigQuery Fluid Scaling GA: what changed and the technical surface
BigQuery Fluid Scaling GA introduces autoscaling reservations with per-second metering and no minimum billing duration for autoscaled capacity. That changes how you size, monitor, and bill for variable analytics workloads: consumption and spend can now track much more closely to short-lived peaks.
What to verify before switching:
- Reservations/Autoscaler control surface: check the Reservations API (the projects/locations/reservations resources) and the Cloud Console for your projects to confirm that the new "fluid" or "autoscaling reservations" option is available.
- Billing cadence: per-second metering reduces pro-rated waste for short spikes. Update cost models and reports that assume minute- or hour-level metering.
- Workload fit: fluid autoscaling is best for unpredictable, high-churn query patterns (ad-hoc analytics, interactive BI, ETL bursts). For long-running, steady high-throughput workloads, fixed reservations may still be more cost-effective.
Operational checks and validation:
- Baseline metrics: capture slot_utilization and reservation_utilization plus INFORMATION_SCHEMA job profiles over a representative window before changes.
- Autoscaling behavior: measure scale-up and scale-down latency and the impact on queue depth and tail latency. Although billing is per-second, throttling and scale latency are operational concerns.
- Cost allocation: update cost-export pipelines, labels, and chargeback models to account for per-reservation, per-second billing.
Migration guidance:
- Canary approach: deploy a canary reservation for a single namespace or team for at least one billing cycle. Compare query latency, queuing, and spend against an equivalent flat reservation.
- Rollback automation: have a documented rollback path to revert to fixed reservations or combine fluid and flat reservations if service levels regress.
- Alerts: add alerts for unexpected scale frequency, sustained reservation_utilization below a configured threshold (overprovisioning), and high sustained utilization (throttle risk).
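The three alert conditions above can be prototyped offline before wiring them into a monitoring system. This is an added example, not part of the original article or any Google tooling; the thresholds, the `slots` field, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int              # seconds since start of the window
    utilization: float  # reservation_utilization as a 0.0-1.0 fraction
    slots: int          # autoscaled slots provisioned at time t (assumed field)

# Constructed data: 10 idle minutes, 10 saturated minutes with flapping
# capacity, then 3 normal minutes (one sample per 60 s).
SAMPLES = (
    [Sample(t, 0.10, 100) for t in range(0, 600, 60)]
    + [Sample(t, 0.95, 200 + 100 * ((t // 60) % 2)) for t in range(600, 1200, 60)]
    + [Sample(t, 0.50, 200) for t in range(1200, 1380, 60)]
)

def sustained(samples, pred, min_seconds):
    """Return (start, end) spans where pred holds for at least min_seconds."""
    spans, start, last = [], None, None
    for s in samples:
        if pred(s):
            start = s.t if start is None else start
            last = s.t
            continue
        if start is not None and last - start >= min_seconds:
            spans.append((start, last))
        start = None
    if start is not None and last - start >= min_seconds:
        spans.append((start, last))
    return spans

def evaluate(samples, low=0.2, high=0.9, min_seconds=300, max_scale_events=6):
    """Thresholds are assumptions; tune them against your own baseline."""
    alerts = [("overprovisioned", span)
              for span in sustained(samples, lambda s: s.utilization < low, min_seconds)]
    alerts += [("throttle_risk", span)
               for span in sustained(samples, lambda s: s.utilization > high, min_seconds)]
    scale_events = sum(a.slots != b.slots for a, b in zip(samples, samples[1:]))
    if scale_events > max_scale_events:
        alerts.append(("scale_churn", scale_events))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLES):
        print(alert)
```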
Anthos Service Mesh 1.28.7-asm.3: in-cluster patch release
ASM 1.28.7-asm.3 is an in-cluster patch targeted at clusters already on the 1.28 line. It packages curated control-plane and sidecar images and focused fixes; it is not a feature release.
Practical steps for platform owners:
- Confirm artifacts: verify image digests and ASM release artifacts rather than relying on upstream Istio tags; ASM distributions include Google-curated patches.
- Validate sidecar compatibility: test EnvoyFilter CRs, SDS/certificate rotation, and any custom filters. Patch releases sometimes tweak timeouts or defaults that affect traffic shaping.
- Upgrade strategy: stage upgrades as canaries by workload criticality. Validate gRPC streams, long-lived connections, and sidecar injection behavior before fleet-wide rollout.
- Observability: monitor XDS stream stability, pilot/xds push rate, and envoy connected clients post-upgrade to detect rejections or crashloops.
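One way to run the digest check from the first step across a cluster, as an added example that is not ASM tooling or code from the original article. It assumes input in the shape of `kubectl get pods -A -o json`, that sidecars use the container names `istio-proxy` and `istio-init`, and an approved-digest set you built from the release artifacts; every image name and digest shown is a constructed placeholder.

```python
import json
import re

DIGEST_RE = re.compile(r"^(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")

# Assumption: digests copied from release artifacts you verified yourself.
# These are constructed placeholders, not real ASM digests.
APPROVED = {"sha256:" + "a" * 64}

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "pay", "name": "api-1"},
     "spec": {"containers": [
         {"name": "app", "image": "example.test/pay/api:2.1"},
         {"name": "istio-proxy",
          "image": "example.test/asm/proxyv2@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "pay", "name": "worker-1"},
     "spec": {"containers": [
         {"name": "istio-proxy",
          "image": "example.test/asm/proxyv2:1.28.7-asm.3"}]}},
    {"metadata": {"namespace": "web", "name": "front-1"},
     "spec": {"initContainers": [
         {"name": "istio-init",
          "image": "example.test/asm/proxyv2@sha256:" + "b" * 64}],
         "containers": [{"name": "app", "image": "example.test/web/front:9"}]}},
]})

def audit_mesh_images(pods_json, approved=APPROVED,
                      names=("istio-proxy", "istio-init")):
    """Return (namespace, pod, container, reason) for each mesh container
    that is not pinned to an approved digest."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for c in containers:
            if c["name"] not in names:
                continue  # application containers are out of scope here
            m = DIGEST_RE.match(c["image"])
            if m is None:
                reason = "tag-only reference"
            elif m.group("digest") not in approved:
                reason = "digest not in approved set"
            else:
                continue
            findings.append((meta["namespace"], meta["name"], c["name"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_mesh_images(SAMPLE):
        print(*finding)
```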
Network Connectivity Center: Partner Cross-Cloud Interconnect for AWS (public preview)
NCC’s Partner Cross-Cloud Interconnect for AWS (public preview) provides a managed path for partner-provisioned circuits to connect AWS networks into an NCC hub. This centralizes routing and topology management in NCC instead of relying solely on per-account Direct Connect configurations.
Architectural and operational considerations:
- Centralized routing: NCC hubs can simplify route distribution and centralized policy enforcement, but they also change control-plane ownership and operational coordination.
- Partner provisioning and SLAs: partner-managed circuits shift operational responsibilities; clarify escalation paths and runbooks with providers before production use.
- Routing and failover: the solution uses BGP. Test failover scenarios, asymmetric routing, and path selection across primary/secondary circuits.
- Performance and cost: validate latency, throughput, and egress cost implications. A hub-and-spoke hop can change RTTs and egress patterns.
Pilot checklist:
- Trial in a non-production tenant and run synthetic latency/throughput tests.
- Validate BGP advertisements, route priorities, and ACL or inspection placement in the traffic path.
- Update multi-cloud network diagrams and RBAC for NCC configuration to reflect the new centralized anchor.
SecOps SOAR 6.3.87 and data/notebook component upgrades
SecOps SOAR 6.3.87 introduces scoped filtering on ingestion labels, customer-managed encryption keys (CMEK) for exports, and RBAC-aware export jobs. These changes tighten handling of SOC telemetry and exported artifacts.
Recommendations:
- CMEK: where compliance requires it, enable CMEK for export flows and validate key rotation and access controls.
- RBAC-aware exports: verify export service accounts have least-privilege permissions and that role bindings are correct for intended export scopes.
- Filtering: use ingestion-label filtering to reduce noise and limit exports to investigation-relevant artifacts.
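A sketch of the role-binding check for an export service account, as an added example that is not part of the original article or the SOAR product. It assumes a policy in the shape of `gcloud projects get-iam-policy --format=json`; the service account name, the project, and the set of roles treated as the intended export scope are hypothetical.

```python
import json

BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Hypothetical export identity and intended scope (assumptions for this example).
EXPORT_SA = "soar-export@example-proj.iam.gserviceaccount.com"
ALLOWED = {"roles/storage.objectCreator",
           "roles/cloudkms.cryptoKeyEncrypterDecrypter"}

# Constructed policy in the shape of `gcloud projects get-iam-policy --format=json`.
POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:" + EXPORT_SA]},
    {"role": "roles/editor",
     "members": ["serviceAccount:" + EXPORT_SA, "user:analyst@example.test"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:" + EXPORT_SA]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers"]},
]})

def audit_export_bindings(policy_json, export_sa=EXPORT_SA, allowed=ALLOWED):
    """Return (role, reason) findings plus any intended roles that are missing."""
    member = "serviceAccount:" + export_sa
    findings, granted = [], set()
    for binding in json.loads(policy_json).get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if member in members:
            granted.add(role)
            if role in BASIC_ROLES:
                findings.append((role, "basic role on export account"))
            elif role not in allowed:
                findings.append((role, "role outside intended export scope"))
        for m in members:
            if m in PUBLIC_MEMBERS:
                findings.append((role, "public member " + m))
    # A missing intended role usually means the export job fails rather than
    # over-shares, but it still signals drift from the reviewed binding set.
    for role in sorted(allowed - granted):
        findings.append((role, "intended role not granted"))
    return findings

if __name__ == "__main__":
    for role, reason in audit_export_bindings(POLICY):
        print(role, "-", reason)
```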
Separately, connector and runtime bumps (Cloud Storage Connector, ZooKeeper, BigQuery Connector, Zeppelin, JupyterLab) require integration testing. Run smoke tests for scheduled Spark jobs, notebook kernels, and authentication flows to GCS/BigQuery before upgrade.
Actionable checklist for platform teams
- BigQuery: run a two-week canary on fluid autoscaling reservations; instrument slot_utilization, queue times, and query cost. Update forecasting and cost allocation to account for per-second billing.
- ASM: treat 1.28.7-asm.3 as a patch release for clusters on 1.28. Stage canaries, validate EnvoyFilter/SDS behavior, and automate staged rollouts.
- NCC: pilot Partner Cross-Cloud Interconnect for AWS in non-prod. Validate BGP failover, latency, and egress costs; define partner SLAs and runbook responsibilities.
- SecOps & data stack: enable CMEK and RBAC-aware exports where needed; schedule integration windows for connector/runtime upgrades and run compatibility tests.
- Automation & governance: add these release channels to your patch policy. Auto-approve critical security patches after pre-flight canaries, gate feature flips with feature flags, and sync billing/chargeback rules with new per-second metering.
Monitor Google Cloud release notes and assign cross-functional owners (network, security, data platform) for sign-offs on production rollouts. Focus on canaries, observability for new behaviors, and updates to cost and security automation to reflect the new primitives.