69 min read

In Cloud Computing This Week [May 5th 2023]

May 5, 2023





Here's the weekly cloud round up of all things Hava, GCP, Azure and AWS for the week ending Friday May 5th 2023.

2 Weeks ago we released Architectural Monitoring Alerts in Private Beta. It's going GA next week, but if you would like access now please get in touch.

All the lastest Hava news can be found on our Linkedin Newsletter.

Subscribe On Linkedin

Of course we'd love to keep in touch at the other usual places. Come and say hello on:

Facebook.      Linkedin.     Twitter.


AWS Updates and Releases

Source: aws.amazon.com

New in AWS Security Hub: detailed tracking of finding changes with finding history feature

AWS Security Hub, a cloud security posture management service that performs security best practice checks, aggregates alerts, and facilitates automated remediation, now features a detailed history of changes that have occurred for each finding in your environment. This view provides an immutable trail of changes, indicating what fields were changed, by whom, and when. You can now get more visibility into the changes made to your findings over time, making it easier to identify and investigate any suspicious or unauthorized changes.

From the Security Hub console, navigate to the History tab within a specific finding to view a chronological list of all changes that have been made to the finding. The transparency of finding history helps you identify potential security risks more quickly and take proactive steps to mitigate them.

Security Hub is available globally and is designed to give you a comprehensive view of your security posture across your AWS resources. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services and over 65 AWS Partner Network (APN) solutions. You can also continuously monitor your environment using automated security checks based on industry best practice standards.

Amazon Kinesis Data Analytics is now available in the Asia Pacific (Melbourne) region

Amazon Kinesis Data Analytics makes it easier to transform and analyze streaming data in real time with Apache Flink. Apache Flink is an open source framework and engine for processing data streams. Amazon Kinesis Data Analytics reduces the complexity of building and managing Apache Flink applications.

Amazon Kinesis Data Analytics for Apache Flink integrates with Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Kinesis Data Streams, Amazon OpenSearch Service, Amazon DynamoDB streams, Amazon Simple Storage Service (Amazon S3), custom integrations, and more using built-in connectors. You can learn more about Amazon Kinesis Data Analytics for Apache Flink here.

Amazon VPC IP Address Manager (IPAM) is now available in two additional AWS Regions

Amazon VPC IP Address Manager (IPAM) makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. Amazon VPC IPAM is now available in two additional Regions: Asia Pacific (Hyderabad), and Asia Pacific (Jakarta).

Amazon VPC IPAM allows you to easily organize your IP addresses based on your routing and security needs and set simple business rules to govern IP address assignments. Using IPAM, you can automate IP address assignment to VPCs, eliminating the need to use spreadsheet-based or homegrown IP address planning applications, which can be hard to maintain and time-consuming.

Amazon VPC IPAM automatically tracks critical IP address information, eliminating the need to manually track or do bookkeeping for IP addresses. IPAM retains your IP address monitoring data (up to a maximum of three years), which you can use to do retrospective analysis and audits for your network security and routing policies.

SageMaker announces ml.inf2 and ml.trn1 instances for model deployment

AWS are excited to announce the availability of ml.inf2 and ml.trn1 family of instances on Amazon SageMaker for deploying machine learning (ML) models for Real-time and Asynchronous inference. You can use these instances on SageMaker to achieve high performance at a low cost for generative artificial intelligence (AI) models, including large language models (LLMs) and vision transformers.

In addition, you can use SageMaker Inference Recommender to help you run load tests and evaluate the price-performance benefits of deploying your model on these instances.

ml.inf2 and ml.trn1 instances are powered by AWS Inferentia2 and Trainium accelerators respectively.

  • You can use ml.inf2 instances to run your ML applications on SageMaker for text summarization, code generation, video, and image generation, speech recognition, and more. ml.inf2 instances offer up to 384 GB of shared accelerator memory for performant generative AI inference.
  • ml.trn1 instances are similar to ml.inf2 instances but has 512 GB of shared accelerator memory; you can use these instances to deploy even larger models on SageMaker. In addition, these instances have up to 8 TB of local NVMe solid state drive (SSD) storage for fast workload access to large datasets and models.

ml.inf2 instances are available for model deployment on SageMaker in US East (Ohio) and ml.trn1 instances in US East (N. Virginia).

AWS Network Firewall now supports Reject action in stream exception policy

This week, AWS announces support for Reject action in stream exception policy of AWS Network Firewall to improve performance of latency-sensitive applications. AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs.

Previously, you could configure Drop or Continue actions in the stream exception policy to specify how Network Firewall should handle traffic when a network connection breaks midstream. The Drop action means Network Firewall drops all subsequent traffic in the session going through the firewall.

This means the TCP session remains open until the TCP timeout expires. The Continue action means Network Firewall rebalances the traffic among the available backend firewall hosts and continues to apply firewall rules without session initialization context. This impacts the behavior of the rules that depend on TCP session context.

Starting this week, you can configure Reject action in stream exception policy to handle midstream TCP connections. When a backend firewall host detects a midstream TCP connection, it drops the packet and sends a TCP reset (RST) to notify the sender and receiver that the TCP connection has been closed. The sender can then immediately establish a new TCP connection without waiting for a TCP timeout.

Amazon MSK adds support for Apache Kafka version 3.4.0

Amazon Managed Streaming for Apache Kafka (Amazon MSK) now supports Apache Kafka version 3.4.0 for new and existing clusters. Apache Kafka 3.4.0 includes several bug fixes and new features that improve performance. Key features include a fix to improve stability to fetch from the closest replica.

Amazon MSK will continue to use and manage Zookeeper for quorum management in this release. For a complete list of improvements and bug fixes, see the Apache Kafka release notes for 3.4.0.

Amazon MSK is a fully managed service for Apache Kafka and Kafka Connect that makes it easier for you to build and run applications that use Apache Kafka as a data store. Amazon MSK is 100% compatible with Apache Kafka, which enables you to quickly migrate your existing Apache Kafka workloads to Amazon MSK with confidence or build new ones from scratch.

With Amazon MSK, you can spend more time innovating on streaming applications and less time managing Apache Kafka clusters. To learn how to get started, see the Amazon MSK Developer Guide.

Amazon EMR on EKS launches vertical autoscaling to auto-tune application resources

We are excited to announce that Amazon EMR on EKS now supports vertical autoscaling, a feature to automatically tune the memory and CPU resources of EMR Spark Applications to adapt to the needs of the provided workload, offering a simplified mechanism for customers to tune resources, enhance reliability and optimize costs. Amazon EMR on EKS enables customers to run open-source big data frameworks such as Apache Spark on Amazon EKS without having to manage application provisioning themselves.

EMR Spark allows users to configure the amount of Memory and CPU cores that it will utilize. However, tuning these values has until now been a manual process for customers that can be complex. For instance, too little memory can result in out-of-memory exceptions but allocating too much can result in over-spending on idle resources. Vertical autoscaling automatically scales the memory and CPU allocated to an EMR Spark application based on its real-time and historic resource utilization. This simplifies the process of tuning resources and optimizing costs for an application while helping improve its reliability.

To learn more about this feature, please visit the AWS Big Data Blog post: Improve reliability and reduce costs of your Apache Spark workloads with vertical autoscaling on Amazon EMR on EKS. Refer to the Using vertical autoscaling with Amazon EMR Spark jobs section of the EMR on EKS documentation for additional details.Vertical autoscaling is supported on Amazon EMR on EKS 6.10 release and later, and available in all regions where Amazon EMR on EKS is currently available.

Amazon EMR on EKS now supports self-hosted notebooks for managed endpoints

AWS are excited to announce the addition of self-hosted Jupyter notebooks as another mechanism to run interactive workloads via managed endpoints. Amazon EMR on EKS enables customers to run open-source big data frameworks such as Apache Spark on Amazon EKS. Amazon EMR on EKS customers setup and use a managed endpoint (available in preview) to run interactive workloads using an integrated development environments (IDEs) such as EMR Studio.

AWS Customers currently rely on EMR Studio to run Jupyter notebooks for their interactive Spark workloads, which provides a managed notebooks solution without having to worry about customizing the execution environment where they run. With self-hosted Jupyter notebooks, customers that require such customization now have a choice of where they control the notebook execution environment, with the flexibility to decide where it runs and the ability to change how to access it, helping them meet their specific business needs.  

Zonal shift for Amazon Route 53 Application Recovery Controller now available in 18 additional Regions

Zonal shift for Amazon Route 53 Application Recovery Controller is now available in all standard AWS Regions. 

Zonal shift is a capability in Route 53 ARC that helps you quickly recover from application failures in an Availability Zone (AZ) by shifting traffic away from the AZ. You can start a zonal shift for a load balancer in the AWS Management Console, or you can use the AWS CLI or an SDK to start a zonal shift.

When the affected AZ has recovered, you can cancel the zonal shift to allow traffic to return to the AZ. Zonal shift is available for Application Load Balancers and Network Load Balancers with cross-zone load balancing turned off. 

With this update, zonal shift for Amazon Route 53 Application Recovery Controller is now also available in the US West (N. California), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Canada (Central), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Middle East (Bahrain), Europe (Zurich), Middle East (UAE), and South America (São Paulo) AWS Regions. Previously, zonal shift was available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Jakarta), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), and Europe (Stockholm) AWS Regions. 

AWS VSS application-consistent backups now supports PowerShell logging

AWS VSS application-consistent backups now allows customers to take application-consistent backups while PowerShell Logging is enabled. AWS VSS application-consistent backups now incorporates a parallel processing ability that enables its EC2 Windows customers achieve successful VSS backups in a broader range of environments.

With this launch, customers will see improved compatibility between VSS and applications such as antivirus and application monitoring that require PowerShell logging to be enabled. 

Volume Shadow Copy Service or VSS is a Microsoft technology that allows application data to be backed up while applications are still running, by coordinating between user applications that update data on disk and those that back up applications.

AWS VSS application-consistent backups enables customers to take application-consistent snapshots of their Amazon EC2 Windows instances and associated Elastic Block Store volumes. Customers can continue to use the VSS solution on AWS through AWS Systems Manager Run Command or through AWS Backup console. 

AWS Resilience Hub expands AWS Trusted Advisor and Amazon DynamoDB support

AWS Resilience Hub has expanded support for AWS Trusted Advisor and applications using Amazon DynamoDB. Resilience Hub provides a single place to define, validate, and track the resilience of your applications so that you can avoid unnecessary downtime caused by software, infrastructure, or operational disruptions.

As many variables can impact the resilience of your applications, preparing and protecting them from disruption should be continuous. When you use AWS Trusted Advisor with Resilience Hub, you can now receive a notification when an application has not been assessed in the previous 30 days. The notification prompts you to reassess the application to understand if any changes have occurred that would impact its resilience.

For applications using Amazon DynamoDB, Resilience Hub now provides a new set of alarms that alert you to resilience risks for on-demand and provisioned capacity modes and global tables. To access the new alarms, you may need to update the AWS Identity and Access Management (IAM) policy of the role you are using.

The new capabilities are available in all of the AWS Regions where Resilience Hub is supported. See the AWS Regional Services List for the most up-to-date availability information.

AWS CodePipeline is now available in AWS GovCloud (US-East)

This week, AWS announced the general availability of AWS CodePipeline in the AWS GovCloud (US-East) Region.

AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process when there is a code change, based on the release model you define.

AWS Elemental MediaConvert now supports video passthrough

AWS Elemental MediaConvert now supports video passthrough for mezzanine video formats. You can now run MediaConvert jobs that preserve the original video essence without re-encoding for intra-frame-only video formats such as AVC Intra, Apple ProRes, VC3, and JPEG2000.

Video passthrough enables you to use MediaConvert for tasks like trimming content, changing audio tracks, and changing output containers without re-compressing video. Leaving the video unprocessed often results in faster job completion times and lower costs compared to equivalent jobs which transcode the video.

AWS Batch now includes dashboard customization on the console

This week, AWS are excited to announce the launch of the customizable dashboard feature on the AWS Batch console, providing a single view that displays resource metrics based on your specific needs. This feature allows you to redesign and target different types of widgets in your preferred order, making it easier to troubleshoot issues using widgets such as job logs, job queue metrics, etc. You can also add a container insights widget to track your compute environment utilization. 

Batch has added single job queue metrics, job logs, and container insights widgets to the Batch console dashboard. These widgets are added in addition to the previous widget set namely the job queue overview, jobs overview, and compute environment overview. There are a total of six widget types and you can have up to ten widgets of your choice in the dashboard at a given time. 

Amazon Kendra now supports content-based query suggestions

Amazon Kendra is an intelligent search service powered by machine learning, enabling organizations to provide relevant information to customers and employees, when they need it.

This week, AWS are excited to announce that Amazon Kendra now supports query suggestions seeded from indexed content, allowing you to provide a document-centric query auto-completion experience to your end-users.

Amazon Kendra query suggestions can help your users type their search queries faster and guide their experience by suggesting auto-completed queries as they type their query in the search box. So in addition to auto-completing queries based on popular user queries (already supported), you can now suggest queries based on document fields such as title, file name, author name, etc.

This allows, for instance, your end-users to quickly narrow down their search for documents based on titles they may partially remember, or find documents from a specific author by entering a few letters in the search box, and clicking on the suggested author name suggested below the search box.

AWS announces Multi-AZ with Standby for Amazon OpenSearch Service

This week, Amazon OpenSearch Service announces Multi-AZ with Standby, a new deployment option that enables 99.99% availability and consistent performance for business-critical workloads. With Multi-AZ with Standby, OpenSearch Service domains are resilient to potential infrastructure failures, such as a node or an Availability Zone (AZ) failure. Multi-AZ with Standby also ensures OpenSearch Service domains follow recommended best practices, simplifying configuration and management.

When Multi-AZ with Standby is enabled, OpenSearch Service reserves nodes in one of the AZs as standby; these nodes do not serve search requests and are primarily used for failover. Amazon OpenSearch Service monitors the underlying infrastructure for failures, and when a failure is identified, automatically promotes the standby nodes to active in less than a minute.

OpenSearch Service continues to serve indexing and search requests, and any impact is limited to the time it takes to perform the failover. With Multi-AZ with Standby, there is no re-distribution of data or resources during a failure, thereby ensuring that cluster performance is unaffected during a failover.

When creating or updating an existing Managed Cluster, customers can enable the Multi-AZ with Standby deployment option using the AWS Console, command line interface (CLI), or the AWS software development kit (AWS SDK). Multi-AZ with Standby is available for OpenSearch versions 1.3 and above. For information on Multi-AZ with Standby for Amazon OpenSearch Service, please see documentation.

AWS Directory Service supports smart card authentication in AWS GovCloud (US-East) Region

Starting this week, you can use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards to authenticate users into Amazon WorkSpaces through your self-managed Active Directory (AD) and AWS Directory Service AD Connector in the AWS GovCloud (US-East) Region. Additionally, you can now use the AWS Management Console to configure smart card authentication with AWS Directory Service. 

When enabled, users select their smart card at the WorkSpaces login screen and enter a PIN to authenticate, instead of using a username and password. From there, the Windows or Linux virtual desktop uses the smart card to authenticate with Active Directory from the native desktop operating system.

Smart card support is available on WorkSpaces when using  the WorkSpaces Streaming Protocol (WSP). With AWS Directory Service and Amazon WorkSpaces with WSP, users can use smart cards to authenticate into a WorkSpaces instance (pre-session authentication) or into protected applications from within a WorkSpaces instance (in-session authentication).

Amazon RDS for PostgreSQL now supports pgvector for simplified ML model integration

Amazon Relational Database Service (RDS) for PostgreSQL now supports the pgvector extension to store embeddings from machine learning (ML) models in your database and to perform efficient similarity searches. Embeddings are numerical representations (vectors) created from generative AI that capture the semantic meaning of text input into a large language model (LLM). pgvector can store and search embeddings from Amazon Bedrock, Amazon SageMaker, and more.

By using pgvector on Amazon RDS, you can simply set up, operate, and scale databases for your ML-enabled applications. The pgvector extension allows you to build ML capabilities into your e-commerce, media, health applications, and more to find similar items within a catalog. For example, a streaming service can use pgvector to provide a list of film recommendations similar to the one you just watched.

The pgvector extension is available on all database instances in Amazon RDS running PostgreSQL 15.2 and higher in all AWS Regions, including the AWS GovCloud (US) Regions.

Amazon WorkSpaces is now available in the AWS GovCloud (US-East) Region

Amazon WorkSpaces is now available in the AWS GovCloud (US-East) Region, an isolated AWS Region designed to host sensitive data and regulated workloads in the cloud for customers who have U.S. federal, state, or local government security and compliance requirements.

For a list of regions where WorkSpaces is available, see the AWS Region Table. With this launch, you can now use Amazon WorkSpaces cloud desktops to help address data sovereignty requirements without the cost and complexity of building on-premises Virtual Desktop Infrastructure (VDI).

Amazon WorkSpaces is a fully managed desktop virtualization service for Windows, Amazon Linux, and Ubuntu that allows you to access resources from any supported device. You can add or remove WorkSpaces to meet your dynamic workforce's needs and still provide end users with a more responsive experience.

Amazon WorkSpaces pricing provides monthly subscription or hourly metering options per virtual desktop instances. See Amazon WorkSpaces Pricing for more information.

Amazon Virtual Private Cloud now supports Bring Your Own IP in Asia Pacific (Hyderabad) Region

Starting today, Bring Your Own IP (BYOIP) is available in Asia Pacific (Hyderabad) Region.

BYOIP allows you to bring your own IPv4 and IPv6 addresses to AWS and advertise them on the internet. You can create Elastic IP addresses from your BYOIPv4 addresses and use them with AWS resources, such as EC2 instances, Network Load Balancers, and NAT gateways.

The Elastic IP addresses you create from BYOIPv4 addresses work in the same way as Elastic IP addresses you get from AWS. The BYOIPv6 addresses also work in the same way as AWS provided IPv6 addresses. For example, you can associate these IPv6 addresses to subnets, Elastic Network Interfaces (ENI), and EC2 instances within your VPC. Additionally, you can use your BYOIPv6 for private connectivity to your on-premises networks by advertising them over AWS Direct Connect.

AWS announces new AWS Direct Connect location in Phoenix

This week, AWS announced the opening of a new AWS Direct Connect location within the EdgeConnex PHX01 data center in Phoenix, Arizona. By connecting your network to AWS at the new location, you gain private, direct access to all public AWS Regions (except those in China), AWS GovCloud Regions, and AWS Local Zones.

The new location is the second in Phoenix, the 35th Direct Connect location in the United States, and offers dedicated 10 Gbps and 100 Gbps connections, with optional MACsec encryption available.

The Direct Connect service enables you to establish a private, physical network connection between AWS and your data center, office, or colocation environment. These private connections can provide a more consistent network experience than those made over the public internet.

Using the Direct Connect SiteLink feature, you can send data between Direct Connect locations to create private network connections between the offices and data centers in your global network.

AWS CloudFormation Hooks is now available in 2 additional AWS Regions

This week, AWS CloudFormation has expanded the availability of AWS CloudFormation Hooks to the Middle East (Dubai) and Asia Pacific (Jakarta) Regions. With this launch, customers can deploy Hooks in these newly supported AWS Regions to help keep resources secure and compliant.

AWS CloudFormation Hooks is a feature that allows customers to invoke custom logic to automate actions or inspect resource configurations prior to a create, update or delete CloudFormation stack operation. With AWS CloudFormation Hooks, customers can now validate resource properties and send a warning, or prevent the provisioning operation to help them keep resources secure and compliant.

Announcing Private API support for AWS AppSync GraphQL APIs

AWS AppSync is a fully managed service that enables developers to build scalable, performant APIs that connect applications to data and events. Today, we announce the general availability of Private API support for AWS AppSync. With Private APIs, you can now create GraphQL APIs that can only be accessed from your Amazon Virtual Private Cloud (“VPC”).

With AppSync Private APIs, you need to only configure your API as “private” and AppSync will automatically limit access to your API’s GraphQL and realtime subscription endpoints to interface VPC Endpoints in a shared AWS account. Traffic to a Private API uses connections that are designed to be secure and does not leave the Amazon network.

AWS Console Mobile Application launches push notifications

Amazon Web Services (AWS) is announcing the general availability of of Push Notifications for the AWS Console Mobile Application. You can now use AWS User Notifications to create actionable push notifications from AWS services, such as CloudWatch, to be delivered to your mobile device when a resource requires your attention.

You can then receive push notifications, and learn more about events while on-the-go without needing to return to your computer. If you want to see more detail about a notification from your device’s lock screen, you can simply tap the notification, authenticate, and be directed to the relevant details screen inside the app.

The Console Mobile App lets users view and manage a select set of resources to stay informed and connected with their AWS resources while on-the-go. The login process supports biometrics authentication (on supported devices), making access to AWS resources simple, secure, and quick.

AWS Network Firewall now supports Suricata HOME_NET variable override

AWS Network Firewall now allows you to override the Suricata HOME_NET variable making it easy to use AWS managed rule groups in firewalls that are deployed in a centralized deployment model. Managed rule groups are collections of predefined, ready-to-use rules that AWS writes and maintains for you.

The Suricata HOME_NET variable of the managed rule group has the Classless Inter-Domain Routing (CIDR) range which is inspected by the AWS Network Firewall. Previously, you were unable to override HOME_NET variable as it used the CIDR ranges of VPC where the firewall is deployed.

If your firewall uses a central inspection VPC, AWS Network Firewall populates HOME_NET with CIDR ranges of the inspection VPC, instead of the application (spoke) VPCs which you want to filter. 

Starting today, you can override the HOME_NET variable in firewall policy to include the CIDR ranges of all the VPCs that you want to inspect. This allows you to protect your application VPCs using managed rule groups in centralized firewall deployment.

There is no additional charge to use this feature. You can override the Suricata HOME_NET variable in firewall policy using the Amazon VPC Console, AWS CLI, or the Network Firewall API. This feature is available in all AWS Regions where AWS Network Firewall is available.

Announcing AWS User Notifications general availability

Amazon Web Services (AWS) is announcing the general availability of AWS User Notifications, a new service that enables you to centrally setup and view notifications from AWS services, such as AWS Health events, Amazon CloudWatch alarms, or Amazon EC2 instance state changes, in a consistent, human-readable format.

You can view notifications across accounts, regions, and services in a Console Notifications Center, and configure delivery channels where you want to receive these notifications, like email, AWS Chatbot, and AWS Console Mobile App. Notifications include URLs to direct to resources on the AWS Console, where you can take take additional actions.

With User Notifications, you specify which events you want to be notified about, and in which channels. Any user with User Notifications permissions can enable notifications for use cases like CloudWatch alarm state changes, and Health events.  For example, email jane@example.com whenever an EC2 instance in region IAD or FRA with tag ‘production’ changes state to “stopped”. In addition, you can aggregate multiple events into a single notification for an easy top-level view. 

Configuring and viewing notifications in the Console Notifications Center is offered at no additional cost.

AWS announces Amazon WorkSpaces Core in AWS GovCloud (US) Regions

Amazon WorkSpaces Core is now available in the AWS GovCloud (US-East) Region and AWS GovCloud (US-West) Region. These are isolated AWS Regions designed to host sensitive data and regulated workloads in the cloud for customers who have U.S. federal, state, or local government security and compliance requirements. For a list of regions where WorkSpaces is available, see the AWS Region Table

Amazon WorkSpaces Core provides cloud-based, fully managed virtual desktop infrastructure (VDI) accessible to third-party VDI management solutions via API.

Aurora Serverless v2 is now available in AWS GovCloud (US) regions

Amazon Aurora Serverless v2, the next version of Aurora Serverless, is now available in 26 regions including AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions.

Aurora Serverless is an on-demand, automatic scaling configuration for Amazon Aurora. Aurora Serverless v2 scales instantly to support even the most demanding applications. It adjusts capacity in fine-grained increments to provide just the right amount of database resources for an application’s needs. You don’t need to manage database capacity, and you only pay for the resources consumed by your application.

Aurora Serverless v2 provides the full breadth of Amazon Aurora capabilities, including Multi-AZ support, Global Database, Performance Insights, and read replicas. Amazon Aurora Serverless v2 is ideal for a broad set of applications.

For example, enterprises that have hundreds of thousands of applications, or software as a service (SaaS) vendors that have multi-tenant environments with hundreds or thousands of databases, can use Aurora Serverless v2 to manage database capacity across the entire fleet.

AWS Well-Architected Tool Deepens Integration with AWS Service Catalog AppRegistry

AWS is pleased to announce an enhancement to the AWS Well-Architected (WA) Tool integration with AWS Service Catalog AppRegistry (AR). This integration allows customers to now filter their AWS Trusted Advisor checks based on resources defined within application, helping surface the most relevant checks in the Well-Architected console.

In addition to adding an application to an existing workload in WA, customers can also view their workload ARN, workload name, and medium and high risk counts per application within the AppRegistry Console, making it easier to see which applications have Well-Architected reviews associated with them.

Amazon Rekognition improves accuracy of content moderation for images and videos

Amazon Rekognition content moderation is a deep learning-based feature that can detect inappropriate, unwanted, or offensive images and videos, making it easier to find and remove such content at scale. Starting today, Amazon Rekognition content moderation comes with an improved model for image and video moderation that significantly improves the detection of explicit, violence, and suggestive content.

AWS Customers can now detect explicit and violence content with higher accuracy to improve the end-user experience, protect their brand identity, and ensure that all content complies with their industry regulation and policies.

This update is now available in all AWS regions supported for Amazon Rekognition Content Moderation. To try the new model, visit the Amazon Rekognition console for image and video moderation. To learn more, read the Amazon Rekognition Content Moderation documentation.

Amazon SNS now supports message data protection in five additional regions

You can now use Amazon Simple Notification Service (SNS) message data protection in five additional AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), and Middle East (UAE).

Amazon SNS message data protection is a set of capabilities that leverage pattern matching, machine learning models, and content policies to help security and engineering teams facilitate real-time data protection in their applications that use Amazon SNS to exchange high volumes of data.

With message data protection for Amazon SNS, you can discover and protect certain types of personally identifiable information (PII) and protected health information (PHI) data that is in motion between your applications. This can help support your compliance objectives, for example, with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Privacy Regulation (GDPR), Payment Card Industry Data Security Standard (PCI-DSS), and Federal Risk and Authorization Management Program (FedRAMP).

Message data protection enables topic owners to define and apply data protection policies that scan messages in real-time for sensitive data to provide detailed audit reports of findings, block message delivery, and de-identify data within a payload via redaction or masking.

Amazon Inspector now allows customers to search its vulnerability intelligence database

Amazon Inspector now allows customers to search its vulnerability intelligence database if any of the Inspector scanning types is activated. With this expanded capability, customers can retrieve the details for any vulnerability stored in Inspector vulnerability database and covered by Inspector’s scanning engine by simply providing a Common Vulnerability and Enumerations (CVE) ID, for example, “CVE-2023-1264“. This allows customers to confirm the CVEs covered by Inspector scanning engine and do preliminary research on a CVE. Inspector customers can access the search capabilities using both Inspector console and APIs.

Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure across your entire AWS Organization. Once activated, Amazon Inspector automatically discovers all of your Amazon Elastic Compute Cloud (EC2) instances, container images in Amazon Elastic Container Registry (ECR), and AWS Lambda functions, at scale, and continuously monitors them for known vulnerabilities, giving you a consolidated view of vulnerabilities across your compute environments.

Amazon Inspector also provides a highly-contextualized vulnerability risk score by correlating vulnerability information with environmental factors such as external network accessibility to help you prioritize the highest risks to address.

AWS Health now publishes service health events to Amazon EventBridge in primary and backup Regions

AWS Health now publishes service health events to Amazon EventBridge. Previously, you could receive only account-specific events on this channel. Now, you can also receive events about the overall health of AWS services. This enables you to get a full picture of service issues that might affect the performance of your applications. 

AWS Health provides ongoing visibility into the performance of your AWS resources and services. You can use AWS Health events to learn how service and resource changes might affect your applications running on AWS. Service health events provide information about overall service availability, reported publicly on the service health view of the AWS Health Dashboard.

You can use this feature to easily collect, filter, and deliver service health events directly to your teams, run workflows that integrate with tools of your choice, or automate responses to important health events. Additionally, AWS Health now supports setting up EventBridge rules in a backup AWS Region, enabling you to add an extra layer of resilience to your workflows.

You can create a rule in US West (Oregon), which serves as a backup for all other AWS Regions in the standard partition, to continue receiving event information even if your primary Region is affected by an operational issue. If your primary Region is US West (Oregon), the EventBridge endpoint in US East (N. Virginia) Region will serve as its backup.

Amazon Neptune is now available in AWS Middle East (UAE) Region

Amazon Neptune is now available in the AWS Middle East (UAE) Region on engine versions and later. You can now create Neptune clusters using R5, R5d, R6g, and T3 instance types in the AWS Middle East (UAE) Region.

Amazon Neptune is a fast, reliable, and fully managed graph database as a service that makes it easier to build and run applications that work with highly connected datasets. You can build applications using Apache TinkerPop Gremlin or openCypher on the Property Graph model, or using the SPARQL query language on the W3C Resource Description Framework (RDF).

Neptune also offers enterprise features such as high availability, automated backups, and network isolation to help customers quickly deploy applications to production.

Amazon EFS Replication is now available in all AWS Regions

Amazon Elastic File System (EFS) Replication is now available in 10 more AWS Regions: Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Europe (Milan), Europe (Spain), Europe (Zurich), Middle East (Bahrain), Middle East (UAE), in addition to the 19 AWS Regions and 2 AWS GovCloud (US) Regions where it was previously supported. With this launch, EFS Replication is available in all AWS Regions where EFS is supported.

Amazon EFS provides serverless, fully elastic file storage that makes it simple to set up and run file workloads in the cloud. Amazon EFS Replication enables you to easily maintain a separate, up-to-date copy of your file system for compliance, localized data access, and testing/development use cases.

You can automatically replicate data across AWS Regions, without needing to manually monitor and synchronize data changes. Before today, EFS Replication was available in 19 AWS Regions and 2 AWS GovCloud (US) Regions. Starting today, you can use EFS Replication in 10 additional AWS Regions, allowing you to easily replicate your file data in all AWS Regions where EFS is supported.

Amazon SNS now supports FIFO topics in five additional regions

You can now use Amazon Simple Notification Service (SNS) FIFO topics in five additional AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), and Middle East (UAE). You can use Amazon SNS FIFO topics, in combination with Amazon Simple Queue Service (SQS) FIFO queues, to build applications that require messages to be sent and processed in a strict sequence and without duplicates.  

Amazon SNS is a fully managed, reliable, and highly available pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications. Both Standard and FIFO topics support publishing messages in batch and fanning out messages to multiple subscriptions with high durability, filtering, encryption, and privacy, while FIFO topics provide the added benefit of ordering and deduplication of messages.

Using Amazon SNS FIFO topics and Amazon SQS FIFO queues together, you can build modern applications that leverage a publish/subscribe architecture without writing custom code for message ordering and deduplication.

Amazon Connect forecasting, capacity planning, and scheduling is now available in Canada Central

Amazon Connect forecasting, capacity planning, and scheduling, a feature of Amazon Connect, helps you to predict, allocate, and verify that the right number of agents are scheduled at the right time to meet your operational goals with minimal overstaffing.

Machine learning (ML)–powered capabilities allow you to anticipate contact volume and arrival rates, convert forecasts into projected staffing needs, and assign daily shifts to the right number of agents. With forecasting, capacity planning, and scheduling, you can help optimize internal operations, meet service goals, and improve agent and customer satisfaction.

Amazon GuardDuty Malware Protection adds on-demand scanning

Amazon GuardDuty Malware Protection adds a new capability that allows customers to initiate on-demand malware scans of Amazon Elastic Compute Cloud (Amazon EC2) instances, including instances used to host container workloads. Scans can be initiated using the GuardDuty console, or programmatically via the API, without the need to deploy security software and are designed to have no performance impact to running workloads.

When potential malware is identified, GuardDuty generates actionable security findings with information such as the threat and file name, the file path, the Amazon EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. This capability builds on the existing Malware Protection capability of GuardDuty-initiated scans that when enabled, automatically initiates a malware scan when GuardDuty detects suspicious behavior indicative of malware on the instance.

Customers across many industries and geographies use GuardDuty, including more than 90% of AWS’s 2,000 largest customers. GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 

AWS Elemental MediaConnect adds support for SRT failover

Starting this week, AWS Elemental MediaConnect supports failover for streams that have SRT caller or listener sources. You can configure SRT failover via the AWS Management Console, CloudFormation, the AWS CDK, or the MediaConnect API.

You use SRT failover by adding two SRT sources to your flow in the same mode (both must be either caller or listener) with identical content. This works with either standard or VPC sources. In the event the primary source is interrupted, MediaConnect will switch to the secondary source after 500 milliseconds, ensuring the outputs on your MediaConnect flow continue to receive a stream. In addition to SRT sources, failover is supported with the Zixi push, RIST, RTP, and RTP-FEC source types.

Announcing the general availability of AWS Local Zones in Auckland

AWS Local Zones is now available in Auckland, New Zealand. You can now use AWS Local Zones in Auckland to deliver applications that require single-digit millisecond latency or local data processing.

In early 2022, AWS announced plans to launch AWS Local Zones in over 30 metro areas across 27 countries outside of the US. In addition to Auckland, AWS Local Zones are also available in 15 metro areas outside of the US (Bangkok, Buenos Aires, Copenhagen, Delhi, Helsinki, Hamburg, Kolkata, Lagos, Muscat, Perth, Queretaro, Lima, Santiago, Taipei, and Warsaw). Local Zones are also available in 16 metro areas in the US (Atlanta, Boston, Chicago, Dallas, Denver, Houston, Kansas City, Las Vegas, Los Angeles, Miami, Minneapolis, New York City, Philadelphia, Phoenix, Portland, and Seattle).

AWS IoT Core announces TLS 1.3 support through Configurable Endpoints

AWS IoT Core, a managed cloud service that lets customers securely connect Internet of Things (IoT) devices the cloud and manage them at scale, announces support for Transport Layer Security (TLS) 1.3 through Configurable Endpoints. TLS 1.3 provides two major improvements in security and performance - it removes legacy features and older cipher suites in previous versions of TLS, and offers better performance through a simplified handshake process.

With this launch, AWS IoT customers can also use TLS 1.3 in AWS IoT Core Device Advisor, a fully managed test capability to help developers test their IoT devices for reliable and secure connectivity with AWS IoT Core.

With this launch, we are expanding the Configurable Endpoints feature, launched on 3/25/2021, so that customers can configure desired TLS version(s) to establish secure connections to AWS IoT Core and meet specific security compliance requirements.

The feature is backwards compatible, enabling IoT developers to connect both TLS 1.2 and TLS 1.3 capable devices to their respective endpoints. To configure TLS 1.3, customers can can navigate to the ‘settings’ section within the AWS IoT Console or use the CreateDomainConfiguration API to select the desired TLS policy.

Amazon Aurora Serverless v1 now supports PostgreSQL 13

Amazon Aurora Serverless v1 now supports PostgreSQL major version 13. PostgreSQL 13 includes improved functionality and performance from enhancements such as de-duplication of B-tree index entries, improved performance for queries that use partitioned tables, incremental sorting to accelerate data sorts, parallel processing of indexes with the VACUUM command, more ways to monitor activity within a PostgreSQL database, new security capabilities, and more. 

Aurora Serverless v1 also supports in-place upgrade from PostgreSQL 11 to 13. Instead of backing up and restoring the database to the new version, you can upgrade with just a few clicks in the AWS Management Console or using the latest AWS SDK or CLI. No new cluster is created in the process which means you keep the same endpoints and other characteristics of the cluster.

The upgrade completes in minutes and can be applied immediately or during the maintenance window. Your database cluster will be unavailable during the upgrade. Review the Aurora documentation to learn more.

AWS SimSpace Weaver Snapshots are now generally available

This week, AWS are excited to announce AWS SimSpace Weaver Snapshots, a new feature that allows SimSpace Weaver developers to save the state of their simulations at a specific point in time.

SimSpace Weaver is a fully managed compute service that helps customers deploy large spatial simulations in the cloud. With SimSpace Weaver, developers can create seamless virtual worlds with millions of objects that can interact with each another in real time without ever worrying about managing the back-end infrastructure. 

Taking a snapshot in SimSpace Weaver is similar to taking a snapshot of a database. Snapshots save the data for every entity in the simulation to a snapshot file that is uploaded and stored in Amazon S3. To pick up where the simulation left off, provide the S3 URI of the snapshot in the Start Simulation API to launch a new simulation using that snapshot.

Snapshots can be used for backup and restore purposes to preserve the progress of your long-running simulations or used to launch various branching simulation scenarios from a specific point in time. Snapshots can be created from the AWS Management Console, via the AWS CLI, or directly from SimSpace Weaver applications.

Snapshots are now generally available in all SimSpace Weaver regions including US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Europe (Frankfurt), Europe (Ireland), and Europe (Stockholm).

AWS Security Hub adds four new integration partners

AWS Security Hub has added four new integration partners to help customers with their cloud security posture monitoring. The additions of Trend Micro, Claroty, New Relic, and Metric Stream bring Security Hub to 91 integrations. 

Trend Micro sends findings from their Cloud One platform to Security Hub, helping enhance visibility of AWS and Cloud One event details. Claroty sends findings from their xDome product to Security Hub, giving customers visibility into security events related to their industrial, healthcare, enterprise, and extended Internet of Things environments. With findings from Security Hub in New Relic VM, customers can view security signals alongside performance telemetry in context across their application stack.

MetricStream CyberGRC consumes Security Hub findings, helping customers manage, measure and mitigate cyber risk; gain visibility and quantified risk insights; prioritize cyber investments; and comply with IT policies with built in frameworks. 

Security Hub is available globally and is designed to give you a comprehensive view of your security posture across your AWS resources. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services and over 65 AWS Partner Network (APN) solutions. You can also continuously monitor your environment using automated security checks based on industry best practice standards.

AWS Compute Optimizer identifies and filters Microsoft SQL Server workloads

AWS Compute Optimizer now supports inferred workload type filtering on Amazon EC2 instance recommendations. The inferred workload type feature utilizes Machine Learning and automatically detects the applications that might be running on your AWS resources.

By leveraging the inferred workload type filter, customers can easily pinpoint cost-saving opportunities based on the specific workload running on their EC2 instances. In addition, AWS Compute Optimizer now supports Microsoft SQL Server as an inferred workload type.

Starting this week, AWS customers can categorize cost-saving opportunities by supported inferred workload types. This means application owners, e.g. SQL Server database administrators can filter EC2 instance rightsizing recommendations that are running Microsoft SQL Server database workloads to find relevant savings opportunities.

With the improved workload visibility for recommendations, customers can identify relevant recommendations and take actions. Compute Optimizer also detects Nginx, Memchached, Amazon EMR, Apache Cassandra, Apache Hadoop, PostgresSql, Redis and Kafka workloads.

AWS Compute Optimizer now supports filtering by tags

AWS Compute Optimizer now supports the ability to filter your rightsizing recommendations by tags. This includes tag keys, tag key and value pairs, or combinations of both. Tag filtering will be available on these rightsizing recommendations pages: Amazon Elastic Compute Cloud (EC2) instance types, Amazon Elastic Block Store (EBS) volumes, AWS Lambda functions, and Amazon Elastic Container Service (ECS) services on AWS Fargate.

With today’s launch, you can now filter the recommendations you see in the Compute Optimizer console by tags, or tag key:value pairs. Previously you had to export your recommendations or access them via API and filter them via name, region, the finding reason code (e.g. EC2 finding reasons), or join them with external data.

By filtering on commonly used tags for cost allocation or operational management purposes, such as business unit, or environment, you can easily identify rightsizing opportunities that fit your requirements.

Amazon Sagemaker Data Wrangler now supports image data preparation

Amazon SageMaker Data Wrangler reduces the time it takes to aggregate and prepare data for machine learning (ML) from weeks to minutes. With SageMaker Data Wrangler, you can simplify the process of data preparation and feature engineering, and complete each step of the data preparation workflow, including data selection, exploration, cleansing, and processing from a single visual interface.

Starting this week, you can use new capabilities of Amazon SageMaker Data Wrangler to prepare image data for labeling, training or inference. You can preview and import images from Amazon S3, use a variety of built-in image transforms to clean, standardize and improve quality of your image data.

These built-in transforms include resize, drop duplicates, rotation, flip, greyscale, enhance contrast, blur and add noise, etc. Data Wrangler also supports advanced use cases such as detecting outliers or extract texts from images using custom code and built-in code snippets. These code snippets include examples of how to utilize a pre-trained model using Amazon Sagemaker Jumpstart to perform advanced analysis or transformations by calling a pre-deployed model endpoint.

After you create a recipe on the sampled image data in the interactive mode, you can create a PySpark job via the visual interface to scale the processing on all the images in your dataset.  

Amazon Redshift launches ra3.xlplus instances in additional Middle East, Europe and Asia Pacific Regions

Amazon Redshift ra3.xlplus instances are now available in the Middle East (UAE), Europe (Spain), Europe (Zurich), Asia Pacific (Hyderabad) and Asia Pacific (Jakarta) Regions. Amazon Redshift ra3 instances with Redshift Managed Storage (RMS) allow you to scale and pay for compute and storage independently for fast query performance and to optimize costs.

It also enables you to more securely and more easily share live data across Amazon Redshift clusters. Amazon Redshift ra3.16xlarge and ra3.4xlarge instances are already available in those regions. With this announcement, we will be launching ra3.xlplus instance types in those regions.

To upgrade your cluster to a ra3 cluster, you can take a snapshot of your existing Amazon Redshift cluster and restore it to an ra3 cluster, or do a resize from your existing cluster to a new ra3 cluster.

To learn more about Amazon Redshift ra3 nodes, see the Amazon Redshift RA3 feature page and the Amazon Redshift documentation for Amazon Redshift RA3. You can find more information on pricing by visiting the Amazon Redshift pricing page. For a complete list of AWS Regions where Redshift RA3 instances are available please consult the Redshift Cluster Management Guide.



Google Cloud Releases and Updates
Source: cloud.google.com


Anthos Attached Clusters 

Anthos Clusters on AWS

You can now launch clusters with the following Kubernetes versions:

  • 1.24.11-gke.1000
  • 1.25.7-gke.1000
  • 1.26.2-gke.1001
  • Updated OS image to Ubuntu 22.04. cgroupv2 is now used as the default control group configuration.

    • Ubuntu 22.04 uses cgroupv2 by default. We recommend that you check if any of your applications access the cgroup filesystem. If they do, they must be updated to use cgroupv2.
  • Improved monitoring by exporting metrics for control plane components.

  • Enabled sending Kubernetes resource metadata to Google Cloud Platform, improving both the user interface and cluster metrics. For the metadata to be ingested properly, customers need to enable the Config Monitoring for Ops API.

  • Enabled kubelet graceful node shutdown. Non-system Pods are given 15 seconds to terminate, after which system Pods (with the system-cluster-critical or system-node-critical priority classes) have 15 seconds to gracefully terminate.

  • Newly-created clusters now use etcd v3.4.21 for improved stability. Existing clusters of previous versions were already using etcd v3.5.x and will not be downgraded to v3.4.21 during cluster upgrade; these clusters will instead use v3.5.6.

  • Clusters now have per-node-pool subnet security group rules instead of VPC-wide rules:

    • Previously, the control plane allowed inbound traffic from the entire primary IP range of the VPC on ports TCP/443 and TCP/8123, which are used by node pools.
    • Now, the control plane narrows the allowed inbound traffic to each IP range of the node pool subnets on ports TCP/443 and TCP/8123; multiple node pools can share one subnet.
    • This change supports node pools running outside of the VPC's primary IP range and improves the security of the control plane.
    • If you relied on the VPC-wide security group rule for allowing traffic from outside of the cluster (e.g. from a bastion host for kubectl), then as part of the upgrade you should create a security group, add a VPC-wide rule to it, and attach the security group to the control plane (via the AwsCluster.controlPlane.securityGroupIds field).
  • Preview: Enabled node auto repair. This feature continuously monitors the health of each node in a node pool. Please contact your account team to opt into the preview.

  • Preview: Added support for AWS spot instance node pools. Spot instance node pools are pools of Amazon EC2 Spot Instances that are available on AWS at a lower cost.

  • GA: Enabled node pool creation with ARM-based (Graviton) instance types.

Anthos Clusters on Azure

You can now launch clusters with the following Kubernetes versions:

  • 1.24.11-gke.1000
  • 1.25.7-gke.1000
  • 1.26.2-gke.1001
  • Updated OS image to Ubuntu 22.04. cgroupv2 is now used as the default control group configuration.

    • Ubuntu 22.04 uses cgroupv2 by default. We recommend that you check if any of your applications access the cgroup filesystem. If they do, they must be updated to use cgroupv2.
  • Improved monitoring by exporting metrics for control plane components.

  • Enabled sending Kubernetes resource metadata to Google Cloud Platform, improving both the user interface and cluster metrics. For the metadata to be ingested properly, customers need to enable the Config Monitoring for Ops API.

  • Newly-created clusters now use etcd v3.4.21 for improved stability. Existing clusters of previous versions were already using etcd v3.5.x and will not be downgraded to v3.4.21 during cluster upgrade; these clusters will instead use v3.5.6.

  • Preview: Enabled node auto repair. This feature continuously monitors the health of each node in a node pool. Please contact your account team to opt into the preview.

Anthos Clusters on VMware

Anthos clusters on VMware 1.15.0-gke.581 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.15.0-gke.581 runs on Kubernetes 1.26.2-gke.1001.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.15, 1.14, and 1.13.

  • Preview: Support for vSphere 8.0

  • Preview: Support for VM-Host affinity for user cluster node pools

  • Preview: Support for High availability control plane for admin clusters

  • Preview: Support for system metrics collection using Google Cloud Managed Service for Prometheus

  • Preview: You can now filter application logs by namespace, Pod labels and content regex.

  • Preview: Support for storage policy in user clusters

  • Preview: You can now use gkectl diagnose snapshot --upload=true to upload a snapshot. And gkectl helps generate the Cloud Storage bucket with the format gs://anthos-snapshot[uuid]/vmware/$snapshot-name.

  • GA: Support for upgrade and rollback of node pool version

  • GA: gkectl get-config is a new command that locally generates cluster configuration files from an existing admin or user cluster.

  • GA: Support for multi-line parsing of Go and Java logs

  • GA: Support for manual load balancing in user clusters that enable ControlplaneV2

  • GA: Support for update of private registry credentials

  • GA: Metrics and logs in the bootstrap cluster are now uploaded to Google Cloud through Google Cloud's operations suite to provide better observability on admin cluster operations.

  • GA: vSphere CSI is now enabled for Windows node pools.

  • Fully managed Cloud Monitoring Integration dashboards. The new Integration Dashboard is automatically installed. You cannot make changes to the following dashboards, because they are fully managed by Google. However, you can make a copy of a dashboard and customize the copied version:

    • Anthos Cluster Control Plane Uptime
    • Anthos Cluster Node Status
    • Anthos Cluster Pod Status
    • Anthos Cluster Utilization Metering
    • Anthos Cluster on VMware VM Status

Anthos clusters on VMware 1.14.4-gke.54 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.14.4-gke.54 runs on Kubernetes 1.25.8-gke.1500.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.14, 1.13, and 1.12.

Added admin cluster CA certificate validation to the admin cluster upgrade preflight check.

  • Fixed an issue where the Connect Agent continued using the older image after registry credential update.

  • Fixed an issue where the cluster autoscaler did not work when Controlplane V2 was enabled.

  • Fixed an issue where a cluster might not be registered when the initial membership creation attempt failed.

  • Fixed an issue where ClusterRoleBindings in the admin cluster were accidentally deleted upon user cluster deletion. This fix removes dependency on ClusterRole, ClusterRoleBinding and ServiceAccount objects in the admin cluster.

  • Fixed an issue where a preflight check for Seesaw load balancer creation failed if the Seesaw group file already existed.

  • Disabled motd news on the ubuntu_containerd image.

  • Fixed an issue where gkectl check-config failed at Manual LB slow validation with a nil pointer error.

  • Fix an issue where enabling Cloud Audit Logs with gkectl update did not work.

Anthos Config Management

The constraint template library's K8sEnforceConfigManagement template adds new requireDriftPrevention and requireRootSync parameters, which requires enabling referential constraints. For reference, see Constraint template library.

The constraint template library includes a new template: K8sContainerEphemeralStorageLimit. For reference, see the Constraint template library.

The constraint template library includes a new template: K8sDisallowedRepos. For reference, see the Constraint template library.

The constraint template library includes a new template: K8sRestrictNfsUrls. For reference, see the Constraint template library.

Added new metric labels: commit and type. These tags make it easier to detect when an error has been resolved. If you have a custom otel-collector ConfigMap, you should update it to filter out these tags for the Kubernetes exporter. For more information, see Config Sync Metric Labels.

Added a --name flag to nomos status to support filtering status by RootSync or RepoSync names. For more information, see nomos status flags

Changed error message ResourceFightWarning to ResourceFightError so that resource fighting conflict can be exposed as errors in nomos status and RootSync/RepoSync status.

Upgraded bundled Kustomize version from v4.5.2 to v5.0.1. Config Sync leverages the Kustomize executable to render the configurations under the hood. For more information, see the full changelog for Kustomize v5.0.0.

Upgraded bundled Helm version from v3.6.3 to v3.11.2. Config Sync leverages the Helm executable to render the configurations under the hood. For more information, see the changelog for Helm v3.11.0.

Policy Controller has been updated to include a more recent build of OPA Gatekeeper (hash: effa347).

App Engine standard environment Ruby / Go / Java / Node.js / PHP / Python


Memory limits for second-generation runtimes have been increased to better support the growing memory utilization of many newer runtimes.

Application Integration

Application Integration is now available in the following locations:

  • Melbourne (australia-southeast2)
  • Finland (europe-north1)
  • Paris (europe-west9)
  • Madrid (europe-southwest1)
  • Doha (me-central1)
  • Tel Aviv (me-west1)

For more information about the supported locations, see Application Integration locations.


You can now use configuration YAML files to transform SQL code when you translate SQL queries from your source database. Configuration YAML files can be used with the batch SQL translator, the interactive SQL translator, and the batch translation Python client. This feature is now in preview.

The table clones feature of BigQuery is now generally available (GA).

You can now add descriptions to the columns of a view. To do this, use the CREATE VIEW or ALTER COLUMN DDL statements. This feature is in preview.

If you use query queues, then you can set the interactive and batch queue timeouts in your default configuration. This feature is in preview.


Exclusions for Curated Detections

You can now configure exclusions to more finely tune the results of the Curated Detections provided by the Google Cloud Threat Intelligence (GCTI) team.

UDM Search Pivot Table

The UDM Search Pivot Table enables you to further analyze your UDM search results, giving you the following capabilities:

  • Group search results by up to five UDM fields.
  • Perform aggregations (sum, count, count distinct, average, stddev, min, and max) on up to to five values within the UDM fields (for example, domains, users, and products).
  • Sort results of the pivot table (ascending, descending)

This feature is being enabled for global customers in a phased manner and is expected to fully roll out over the next month.

Cloud Data Loss Prevention

The discovery service can now generate the following observation finding types in Security Command Center:

  • Data sensitivity
  • Data risk

These findings provide the calculated sensitivity and data risk levels of the BigQuery tables that you profile. Use this information to inform your response plans when you investigate vulnerabilities and threats involving BigQuery tables.

For more information, see Publish data profiles to Security Command Center.

Cloud Database Migration Service

Database Migration Service now supports faster migrations from PostgreSQL source databases to a destination Cloud SQL for PostgreSQL instance. The feature improves the performance of migrating data and constraints (including primary keys, foreign keys, and indexes).

Cloud Monitoring

Observability for Google Kubernetes Engine: You can now enable GKE control plane metrics from the Observability tab for your GKE cluster. You can also preview the available charts and metrics before you enable the metrics. For more information, see Configuring collection of control plane metrics.

Cloud Run

CPU allocation recommender now automatically recommends CPU allocation changes based on traffic received by your Cloud Run service over the past month. (In Preview)

Cloud Spanner

Cloud Spanner now supports new query capabilities for PostgreSQL dialect databases:

  • Set operations (such as UNION and INTERSECT) with ORDER BY, LIMIT, or OFFSET, or in subqueries
  • Parameterized LIMIT and OFFSET operations
  • Statement hints for configuring the query optimizer (such as optimizer_version and optimizer_statistics_package)

Cloud Spanner sampled query plans are now available in Preview. You can view samples of historic query plans and compare the performance of a query over time. For more information, see Sampled query plans.

Cloud SQL for PostgreSQL

Fast migration for Cloud SQL is now available. This feature improves the performance of data migrations from an external source to a destination Cloud SQL instance.

Cloud SQL for SQL Server

You can now disable simultaneous multithreading (SMT) while creating or editing instances and read replicas. This might reduce your SQL Server licensing fees. To understand the impact of disabling SMT on your instance's performance, we recommend that you perform load testing on your instance. 

Container Optimised OS


 Fallback to installing compatible drivers when installer is invoked for certain GPU devices and incompatible drivers.

Fixed an issue where chronyd does not restart after failure, resulting in the system time being out of sync.

Updated ncurses to v6.4p20220423. This resolves CVE-2023-29491.

Upgraded net-misc/curl to v8.0.1. This resolves CVE-2023-27534.

Fallback to installing compatible drivers when installer is invoked for certain GPU devices and incompatible drivers.

Fixed an issue where chronyd does not restart after failure, resulting in the system time being out of sync.

Updated ncurses to v6.4p20220423. This resolves CVE-2023-29491.

Upgraded net-misc/curl to v8.0.1. This resolves CVE-2023-27534.


Dataform is generally available (GA).

Dataform Release configurations are available.

Dataform Workflow configurations are available.

Deep Learning VM Images

  • M108 release - The image name common-container-experimental was changed to common-container. The related image family name wasn't changed.

  • Miscellaneous software updates.


 Dialogflow CX now provides the ADD_DATE system function.


 In GKE version 1.26, for VPC peering-based private clusters that were created after 2020-08, the Konnectivity service will be initialized but not used. Traffic from kube-apiserver to nodes continues to route directly.

The managed Cloud Storage FUSE CSI driver for GKE is now available in Preview in GKE versions 1.26.3 and later. You can use this driver to consume Cloud Storage buckets for GKE workloads.

GCP are working on automatically enabling the PD CSI Driver on upgrades to 1.25, for clusters with the add-on disabled. There are no cost implications for enabling the driver, and it requests only a small amount of node resources. This upgrade enables gce-pd volumes to continue working on Kubernetes clusters version 1.25 and greater. You can still disable the driver manually after upgrade. For more details, please read here.

Google Cloud VMware Engine 

After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) is configured with secure boot enabled. For more information, see Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up. To work around this issue, you can do one of the following:

  • Skip KB5022842 and use KB5023705
  • Disable "Secure Boot" on affected VMs

reCAPTCHA Enterprise

 reCAPTCHA Enterprise Mobile SDK v18.2.0 is now available for iOS.

This version contains the following changes:

  • The SDK is now built with Xcode 14.
  • A few parameters in the RecaptchaAction class are deprecated and will be removed in the major release.
  • New parameters are added in the RecaptchaAction class and they have the following effects:
    • A String is returned instead of RecaptchaToken in execute() calls.
    • A timeout parameter is added to both execute and getClient APIs.
  • Fixed a bug where the client becomes unusable in some scenarios.
  • Added a speculative fix for a rare crash.
  • Added a new interoperability pod dependency in support of future Firebase integration.

Vertex AI Vision

Updated pricing structure begins

Vertex AI Vision functionality is now available under an updated billing framework and discounting schedule. See the pricing page for more information.

Vertex AI Workbench

The M108 release of Vertex AI Workbench user-managed notebooks includes the following:

  • Miscellaneous software updates.


The Cloud Workflows service agent has the ability to consume quota and billing for a project through the serviceusage.services.use permission. This allows workflows to count quota and apply billing to the correct project when making calls to other Google APIs.


Microsoft Azure Releases And Updates
Source: azure.microsoft.com

General availability: Azure IoT Edge supports Red Hat Enterprise Linux 9

The latest Azure IoT Edge releases provide official packages for Red Hat Enterprise Linux 9 on AMD64 devices.

Public preview: Azure Cold Storage


Azure Cold Storage, as the most cost-effective access tier with near real-time read latency for infrequently accessed unstructured data is available for public preview.

Public Preview: Palo Alto Networks SaaS Cloud NGFW Integration with Virtual WAN

The first security software-as-a-service (SaaS) solution to be integrated in Azure Virtual WAN, allowing you to protect your workloads with a highly available NGFW.

Generally Available: Ebsv5 and Ebdsv5 NVMe-enabled VM sizes

The new NVMe-enabled VM sizes of the Ebsv5 and Ebdsv5 VM offer the highest remote storage IOPS and throughput performance of any Azure VMs to date. 

Generally Available: Azure Backup Server V4


V4 is the latest upgrade for Microsoft Azure Backup Server (MABS). Azure Backup Server can now be installed on Windows Server 2022 with SQL Server 2022 as its database. MABS V4 brings key enhancements in the areas of workload support, performance and security.

Generally available: Serverless SQL for Azure Databricks

Serverless SQL for Azure Databricks is now generally available. This capability provides instant compute to users for their BI and SQL workloads, with minimal management required.

Preview: Cloud Next-Generation Firewall (NGFW) Palo Alto Networks - an Azure Native ISV Service

The first ISV next-generation firewall service natively integrated in Azure.

Generally available: Zone Redundant Storage for Azure Disks is available in Southeast Asia, Australia East and Qatar Central.

Zone Redundant Storage (ZRS) for Azure Disks is now available on Azure Premium SSD and Standard SSD in Southeast Asia, Australia East and Qatar Central.

Generally available: Azure Event Hubs Dedicated self-serve scalable clusters for mission critical Kafka, AMQP and HTTPs workloads


Run you mission critical Kafka, AMQP and HTTPS event streaming workloads with consitenct low latency.




Have you tried Hava automated diagrams for AWS, Azure, GCP and Kubernetes.  Get back your precious time and sanity and rid yourself of manual drag and drop diagram builders forever.

Not knowing exactly what is in your cloud accounts, or those of your client's can be a worry. What exactly is running in there and what is it costing? What obsolete resources are you still being charged for? What legacy dev/test environments can be switched off? What open ports are inviting in hackers? You can answer all these questions with Hava.
Hava automatically generates accurate fully interactive cloud infrastructure and security diagrams when connected to your AWS, Azure, GCP accounts or stand alone K8s clusters. Once diagrams are created, they are kept up to date, hands free. 

When changes are detected, new diagrams are auto-generated and the superseded documentation is moved to a version history. Older diagrams are also interactive, so can be opened and individual resources inspected interactively, just like the live diagrams.
Check out the 14 day free trial here (No credit card required and includes a forever free tier):

Learn More!


Topics: aws azure gcp news
Team Hava

Written by Team Hava

The Hava content team