<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:media="http://search.yahoo.com/mrss/"><channel><title>Networking</title><link>https://cloud.google.com/blog/products/networking/</link><description>Networking</description><atom:link href="https://cloudblog.withgoogle.com/blog/products/networking/rss/" rel="self"></atom:link><language>en</language><lastBuildDate>Wed, 08 Jul 2026 20:00:03 +0000</lastBuildDate><image><url>https://cloud.google.com/blog/products/networking/static/blog/images/google.a51985becaa6.png</url><title>Networking</title><link>https://cloud.google.com/blog/products/networking/</link></image><item><title>C4N, now GA: Delivering cloud’s highest per vCPU network and block storage I/O for x86 workloads</title><link>https://cloud.google.com/blog/products/compute/c4n-network-and-storage-optimized-vms/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;As organizations scale modern workloads — from high-throughput databases and network/security appliances to real-time analytics and AI/ML inference — network and block storage performance can quickly become a bottleneck. Standard virtual machines often struggle to balance compute efficiency with the high-volume data-transfer demands of these applications.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;At Google Cloud Next ‘26, &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/compute/whats-new-in-compute-at-next26?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;we announced C4N in preview&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, our first network- and block-storage-optimized Google Compute Engine instance that’s purpose-built to eliminate I/O bottlenecks for demanding enterprise applications, and today, it is &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;generally available&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;. Built on Google's custom-designed &lt;/span&gt;&lt;a href="https://cloud.google.com/titanium?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Titanium&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; offload architecture, C4N instances offload network and storage tasks to dedicated hardware to unlock incredible performance and compute efficiency. C4N offers up to 400 Gbps of network bandwidth and a market-leading 95 million packets per second (MPPS) — &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;nearly 33% higher network bandwidth per vCPU and 224% faster packet processing performance than comparable Intel-based offerings at other hyperscalers&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;. This performance makes C4N a great fit for network-intensive applications such as virtual appliances (e.g., next-gen firewalls, virtual routers, load balancers, DDoS mitigation), large-scale data analytics, telco applications (5G UPF), distributed compute and CPU-based AI/ML workloads. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Paired with &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/compute/docs/disks/hd-types/hyperdisk-extreme"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Hyperdisk Extreme&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, our high-performance block storage, C4N also delivers Compute Engine’s highest block storage performance, scaling up to 25 GiB/s of storage bandwidth and 1M IOPS &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;— nearly 33% higher storage bandwidth and 39% more IOPS per vCPU versus comparable Intel-based offerings, &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;making them a strong choice for large-scale databases, high-performance file systems, in-memory databases, and other workloads that benefit from high block storage performance&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Engineered specifically to deliver predictable, high-throughput I/O performance for networking, packets-per-second-bound and storage-optimized applications, C4N allows customers to scale network, storage, and compute resources more precisely to meet specific workload requirements, delivering significant TCO benefits by eliminating the need to over-provision resources just to meet I/O demands. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;C4N is powered by 5th Gen Intel® Xeon® Scalable processors (code-named Emerald Rapids).&lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“Google Cloud’s introduction of C4N highlights how infrastructure innovation and a strong silicon foundation can help customers address increasingly data-intensive workloads. With Intel Xeon and Custom Infrastructure Processing Unit (IPU), C4N delivers the performance and efficiency needed for demanding network optimized environments.” &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;– Srini Krishna, Intel Fellow, Data Center products, Intel&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;What’s new: Scaling massive data layers with C4N &lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Our network-optimized C4N instances are designed to deliver predictable, high-performance I/O at scale. By providing consistent bandwidth, packet-processing performance (PPS), and IOPS scaling across all VM shapes and sizes, C4N helps ensure your most demanding data workloads run reliably. To achieve this, we have built deep resiliency into every layer of our infrastructure — from the host and fabric layers to redundant top-of-rack (ToR) switches — delivering continuous performance for your applications.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Compared to general-purpose C4 VMs, the network-optimized C4N delivers significant performance gains across both network and block storage vectors.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next-generation network performance&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Superior VM-to-VM network bandwidth&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Achieves up to 400 Gbps of VM-to-VM network bandwidth (an almost 4x increase in BW-per-vCPU over standard C4) and supports up to 50 Gbps single-flow bandwidth between C4N instances routed within the same VPC network. This provides non-blocking data delivery for high-throughput single-stream and multi-stream applications.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Enhanced VM-to-internet performance: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Benefits from an 8x increase in internet egress network bandwidth, reaching up to 200 Gbps. It also features a nearly 32x increase in internet egress packet processing performance, scaling up to 48 MPPS.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Optimized I/O for smaller shapes: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Keeps your cloud bill lean by delivering up to 25–50 Gbps of network bandwidth specifically for 2–16 vCPU shapes, great for accelerating I/O-bound tasks without needing to over-provision compute. Furthermore, these smaller shapes introduce predictable, steady-state baseline bandwidth limits to provide consistent performance at a lower cost.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Enhanced out-of-the-box networking&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: gVNIC interfaces on C4N now start with more Tx/Rx queues by default, scaling with vCPUs up to a maximum of 64 (in comparison to 16 queues on C4/C4D).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Shorter Google Cloud Storage transfer times: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;C4N VMs now offer up to a 2x increase in bandwidth to retrieve and store large volumes of data from Cloud Storage, boosting performance for analytics, AI/ML, and backup workloads. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Better yet, this &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;performance is available out of the box, with no add-ons. Designed for high performance from the get-go, C4N offers maximum performance without needing to purchase or configure premium add-ons like &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/compute/docs/networking/configure-vm-with-high-bandwidth-configuration"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Tier_1 networking&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Dynamic storage performance with Hyperdisk&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The C4N instance family, when combined with Hyperdisk, can help dynamically tune storage performance, latency, and throughput independently of your compute instance sizing to deliver high block storage performance for your applications. C4N supports the complete Hyperdisk portfolio, including Hyperdisk Balanced, Balanced High Availability, Extreme, Throughput, and ML block storage options.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Hyperdisk Extreme:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; C4N with Hyperdisk Extreme provides low-latency, high-speed data access for modern databases and enterprise AI applications, with up to 25 GiB/s of block storage throughput and nearly 1M IOPS, a 2x increase in storage performance over C4. Also, exclusive to network optimized machine series such as C4N, we now offer Hyperdisk Extreme across all machine sizes — even down to the smallest 2 vCPU sizes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Hyperdisk Balanced&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Delivering the highest throughput and IOPS for general-purpose block storage in the Compute Engine portfolio, Hyperdisk Balanced on C4N scales up to 20 GiB/s of block storage throughput and nearly 640K IOPS. This makes it a highly cost-effective option for running storage-intensive applications at scale.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Together, C4N’s network and storage optimizations combine for tremendous impact in &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;real-world applications:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Web serving:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Up to 1.5x additional Nginx requests per second compared to C4 for typical web request sizes (100–300Kb), significantly boosting capacity for network-bound web applications&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Databases&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Up to 45% better queries per second (QPS) for MySQL when data resides primarily on disk than equivalent C4 VMs&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;What customers are saying&lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Industry leaders are already proving that workload-optimized infrastructure is the engine for transformation. Here is how our customers are leveraging the network-optimized power of C4N:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-paragraph_with_image"&gt;&lt;div class="article-module h-c-page"&gt;
  &lt;div class="h-c-grid uni-paragraph-wrap"&gt;
    &lt;div class="uni-paragraph
      h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;

      






  

    &lt;figure class="article-image--wrap-small
      
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/ericsson_run6NFp.max-1000x1000.jpg"
        
          alt="ericsson"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  





      &lt;p data-block-key="ijljq"&gt;&lt;i&gt;“5G Core workloads are inherently network-heavy, demanding high-throughput packet processing and deterministic latency that standard public cloud instances often struggle to maintain at scale. By leveraging the Google Cloud C4N compute family, we’ve found the ideal engine for Ericsson On-Demand. The C4N’s architectural focus on network-optimized compute allows our 5G Core-as-a-Service to reach unprecedented throughput levels — like our recent 1 Tbps milestone — while maintaining the carrier-grade reliability our customers expect. It’s no longer just about cloud-native; with C4N, we are delivering network-native performance in a public cloud environment.” -&lt;/i&gt; Eric Parsons, VP, Head of Ericsson On-Demand, Ericsson&lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_with_image"&gt;&lt;div class="article-module h-c-page"&gt;
  &lt;div class="h-c-grid uni-paragraph-wrap"&gt;
    &lt;div class="uni-paragraph
      h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;

      






  

    &lt;figure class="article-image--wrap-small
      
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/teradata.max-1000x1000.jpg"
        
          alt="teradata"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  





      &lt;p data-block-key="ijljq"&gt;&lt;i&gt;“Teradata's Autonomous Knowledge Platform unifies production-grade AI, analytics, and data into a single integrated system — providing the context, governance, and performance backbone autonomous AI demands at scale. Customers rely on Teradata to run mission-critical, highly I/O-intensive workloads where performance and cost control directly determine value.&lt;/i&gt;&lt;/p&gt;&lt;p data-block-key="3645u"&gt;&lt;i&gt;Google Cloud C4N instances are well suited for these demanding workloads, delivering strong price-performance and supporting more efficient, optimized deployments. By leveraging C4N on Google Cloud, Teradata Cloud can help customers accelerate from insight to action — scaling enterprise intelligence with confidence and driving greater impact from their data and AI investments”&lt;/i&gt; - Kevin Dougherty, Senior Director of Product Management, Core Platform, Teradata&lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_with_image"&gt;&lt;div class="article-module h-c-page"&gt;
  &lt;div class="h-c-grid uni-paragraph-wrap"&gt;
    &lt;div class="uni-paragraph
      h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;

      






  

    &lt;figure class="article-image--wrap-small
      
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/netapp.max-1000x1000.jpg"
        
          alt="netapp"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  





      &lt;p data-block-key="ijljq"&gt;&lt;i&gt;“With the next-generation network and storage bandwidth of C4N VMs, Google Cloud NetApp Volumes will unlock new levels of performance to support our customers’ most demanding AI workloads. By collaborating to extend Google Cloud NetApp Volumes support for the C4N VM family, Google and NetApp are deepening our partnership to address real customer challenges. Together, we’re delivering data-in-place AI and analytics solutions that simplify architectures, maximize performance, and turn data into impact.” -&lt;/i&gt; Pravjit Tiwana, Senior Vice President and General Manager of Cloud Storage and Services, NetApp&lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_with_image"&gt;&lt;div class="article-module h-c-page"&gt;
  &lt;div class="h-c-grid uni-paragraph-wrap"&gt;
    &lt;div class="uni-paragraph
      h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;

      






  

    &lt;figure class="article-image--wrap-small
      
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sycomp.max-1000x1000.jpg"
        
          alt="sycomp"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  





      &lt;p data-block-key="ijljq"&gt;&lt;i&gt;"Most Compute Engine instances ship with a single high-speed network interface. The new C4N doubles the bandwidth potential with two 200 GbE interfaces. That architectural shift is significant. It means we can dedicate both networks entirely to storage traffic, doubling the available bandwidth for data-intensive workloads, and achieving 2x storage performance over the previous generation. The C4N was announced just weeks ago and is already active in Sycomp's test environment, ensuring our customers can evaluate the latest GCP capabilities without delay. Google Cloud’s published maximum hyperdisk balanced performance for the C4N is 20 GiB/s. In our tests, with three storage servers Sycomp achieved 58.5 GiB/s on read and 58.6 GiB/s on write, with ten C4N storage servers we achieved 195 GiB/s read and write — 97% of the theoretical ceiling with zero platform-specific tuning. That's a strong starting point, and there's measurable room to close the remaining gap through configuration work we can finetune.&lt;/i&gt; &lt;b&gt;&lt;i&gt;The C4N isn't just faster — it changes the price-performance equation for storage workloads on Google Cloud.&lt;/i&gt;&lt;/b&gt;" - Scott Fadden, Senior HPC Solutions Architect, Sycomp&lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_with_image"&gt;&lt;div class="article-module h-c-page"&gt;
  &lt;div class="h-c-grid uni-paragraph-wrap"&gt;
    &lt;div class="uni-paragraph
      h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;

      






  

    &lt;figure class="article-image--wrap-small
      
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/clipper_db.max-1000x1000.jpg"
        
          alt="clipper db"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  





      &lt;p data-block-key="ijljq"&gt;&lt;i&gt;“At ClipperDB Technologies, our mission is to drive down the cost and drive up the performance of large-scale Spark analytics. Google Cloud’s C4N instances are the perfect compute engine for our fully native architecture. C4N’s substantial increase in network bandwidth per vCPU combined with large memory configurations and 5th Generation Intel Xeon processors align with ClipperDB’s precise parallel cloud-store prefetching and caching, concurrent dataflow native batch pipelines, streaming no-copy exchange, and cloud store checkpoint fault tolerance to radically accelerate and cost reduce Spark workloads with disaggregated Cloud Storage datalakes.&lt;/i&gt;&lt;/p&gt;&lt;p data-block-key="4df30"&gt;&lt;i&gt;The results speak for themselves: across industry-standard TPC-DS benchmarks, ClipperDB+C4N delivered&lt;/i&gt; &lt;b&gt;&lt;i&gt;over 3x lower cost per query and up to 11x faster analytics&lt;/i&gt;&lt;/b&gt;&lt;i&gt;, all while maintaining 100% Spark compatibility. We can’t wait to see customers dramatically improve their Spark workload price-performance with C4N coupled with Clipper DB Accelerator." -&lt;/i&gt; John Busch, CEO, ClipperDB Technologies&lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3 style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;A deeper look at C4N shapes and specs&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;C4N instances are available in nine different sizes ranging from 2-192 vCPUs and up to 1.5 TB of DDR5 memory, offering predefined shapes in high-cpu, standard, and high-mem configurations. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;For applications that benefit from caching and high-speed, low-latency local storage, C4N VM instances are equipped with up to 12 TiB of latest Titanium SSDs (coming soon, Sign-up&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;a href="https://forms.gle/ehRSqssSEavKt1Fh7" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;to request C4N Local-SSD preview access). For workloads that require direct access to the machine's resources (e.g., hypervisors, container platforms), &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;where nested virtualization does not meet the workload’s performance requirements&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;, or have special performance monitoring or licensing needs, we are introducing C4N bare metal shapes. Coming soon, these native bare metal shapes will offer the same network and storage I/O performance as their virtual machine counterparts. Google Cloud customers can use C4N instances with Compute Engine and Google Kubernetes Engine (GKE), with support for other services coming soon.&lt;br/&gt;&lt;br/&gt;&lt;/span&gt;&lt;/p&gt;
&lt;div align="left"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;&lt;table&gt;&lt;colgroup&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;/colgroup&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td rowspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Name&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td rowspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;vCPUs&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td rowspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Memory&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;(GB)&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td rowspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Local Storage&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;(GiB)&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td colspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Network Bandwidth&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td rowspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Hyperdisk Extreme Bandwidth&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;(MiB/s)&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td rowspan="2" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Hyperdisk&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Extreme &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt; IOPS&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;VM-VM&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;(Gbps)&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;VM-Internet&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;(Gbps)&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;C4n-highcpu&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;2 - 192&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;4 - 384&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;N/A&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;25 - 400&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7 - 200&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;1.000 - 25,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;80,000 - 1M&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;C4n-standard&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;2 - 192&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7 - 720&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;N/A&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;25 - 400&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7 - 200&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;1.000 - 25,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;80,000 - 1M&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;C4n-standard-lssd&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;4 - 192&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;15 - 720&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;375 - 12,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;30 - 400&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7 - 200&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;1.000 - 25,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;100,000 - 1M &lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;C4n-highmem&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;2 - 192&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;15 - 1,488&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;N/A&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;25 - 400&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7 - 200&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;1.000 - 25,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;80,000 - 1M &lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;C4n-highmem-lssd&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;4 - 192&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;31 - 1,488&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;375 - 12,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;30 - 400&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7 - 200&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;1.000 - 25,000&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;100,000 - 1M &lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p style="text-align: center;"&gt;&lt;em&gt;&lt;span style="vertical-align: baseline;"&gt;C4N machine series performance and specifications&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;How to get started&lt;/strong&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Whether you’re hosting heavy-duty distributed databases, running network virtualization appliances, or orchestrating large-scale data pipelines for AI, C4N is engineered to provide the throughput, scale, and efficiency your business demands. C4N instances are now generally available via on-demand, as Spot VMs, and via reservations. You can also take advantage of further cost savings by purchasing Committed Use Discounts (CUDs) or FlexCUDs in one- and three-year terms in the us-central1 (Iowa), us-east1 (South Carolina), us-east5 (Ohio), us-west1 (Oregon) and europe-west2 (London). For more information visit&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/compute/docs/network-optimized-machines"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Network Optimized Machine Type&lt;/span&gt;&lt;/a&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Ready to establish a high-performance launchpad for innovation? Head straight to the &lt;/span&gt;&lt;a href="https://console.cloud.google.com/"&gt;&lt;span style="vertical-align: baseline;"&gt;Google Cloud console&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to &lt;/span&gt;&lt;a href="https://console.cloud.google.com/compute/instancesAdd" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;spin up a C4N VM&lt;/span&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;under the “Network Optimized” machine family. Stay up-to-date on regional availability by visiting our&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;a href="https://cloud.google.com/compute/docs/regions-zones"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;regions and zones page&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; or contact your Google Cloud sales representative for more information.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 08 Jul 2026 20:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/compute/c4n-network-and-storage-optimized-vms/</guid><category>Networking</category><category>Storage &amp; Data Transfer</category><category>Compute</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>C4N, now GA: Delivering cloud’s highest per vCPU network and block storage I/O for x86 workloads</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/compute/c4n-network-and-storage-optimized-vms/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Parinda Gandhi</name><title>Senior Product Manager</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Sajal Agarwal</name><title>Senior Product Manager</title><department></department><company></company></author></item><item><title>BGP route policies: Top 3 use cases by customer demand</title><link>https://cloud.google.com/blog/products/networking/bgp-route-policies-top-3-use-cases-by-customer-demand/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;When we first made &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/router/concepts/bgp-route-policies-overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;BGP route policies for Cloud Router&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; generally available over a year ago, our goal was to give network administrators deep, programmable control over how network paths are evaluated and propagated. Since then, we’ve been watching closely how our customers have adopted this feature. We've seen network engineering teams build incredibly sophisticated, resilient routing architectures that were previously difficult to achieve without third-party virtual appliances.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This year, we launched &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/router/release-notes#March_24_2026"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;policy named sets for Cloud Router&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. As routing environments grow more complex, managing individual prefixes or communities within these policies can become cumbersome. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Policy named sets solve this by allowing you to group lists of IPv4/IPv6 prefixes or BGP communities into a single, reusable entity. This significantly simplifies your configurations, making it easier to scale, manage, and update your routing rules across multiple Cloud Routers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Powered by the Common Expression Language (CEL), BGP route policies allow you to define fine-grained, ordered rules to filter BGP routes and modify route attributes directly within Cloud Router.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To celebrate the launch of policy named sets, we want to highlight three of the most impactful ways we've seen customers use BGP route policies over the past year, along with resources on how you can build them yourself.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;1. The foundation: Route filtering and network protection&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Before manipulating traffic paths, network stability requires strict control over which routes are allowed into and out of your network. We've seen customers extensively use BGP route policies to filter out unwanted learned routes from peers or prevent specific subnet prefixes from being advertised out of their Virtual Private Cloud (VPC).&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Operating on a "fail open" model by default, many security-conscious organizations have adapted BGP route policies to create a "fail closed" environment — appending a "drop all" policy as the final term in their evaluation list. This helps enable absolute certainty over accepted network routes, preventing routing loops and ensuring traffic isn't BGP hijacked or inadvertently blackholed.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Dive deeper:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; For a foundational look at how to set up CEL expressions for route filtering, check out our deep-dive guide:&lt;/span&gt; &lt;a href="https://medium.com/google-cloud/google-cloud-router-introduction-to-bgp-policies-9983ac7ab484" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Introduction to BGP policies&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;2. Influencing traffic paths for active/standby architectures&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Achieving optimal traffic distribution often requires forcing traffic down a specific path, whether for cost optimization or managing active/standby interconnects. Customers have used BGP route policies to influence the preferred BGP route without touching their on-premises hardware.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;By dynamically modifying the BGP multi-exit discriminator (MED) attribute, network teams can make a specific peer preferred for incoming traffic. Conversely, if they want to steer traffic away from a congested or backup link, they are using AS-PATH prepending — adding one or more values to the route's AS-PATH to deprioritize it across the broader network.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Dive deeper:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; To see the configuration steps for managing MED and AS-Path prepending, read:&lt;/span&gt;&lt;a href="https://medium.com/google-cloud/google-cloud-router-using-bgp-policies-to-influence-traffic-paths-b1f302bd0cca" rel="noopener" target="_blank"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Using BGP policies to influence traffic paths&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;3. Solving asymmetric routing with BGP communities&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;One of the most advanced and highly requested use cases we’ve seen over the last year is achieving traffic symmetry. When enterprises use stateful firewalls or specific network appliances on-premises, return traffic &lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;must&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; flow back through the exact same appliance it originated from. If it doesn't, the traffic is dropped.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Customers are successfully solving this by using BGP route policies to match against specific standard &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;BGP communities&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;. By tagging routes with specific communities on-premises, Cloud Router can read those tags via inbound policies and adjust the route preference by manipulating the MED accordingly. This helps ensure that Google Cloud inherently understands the stateful topology of the on-premises network and routes the return traffic symmetrically.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Dive deeper:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; To learn how to architect stateful traffic symmetry using BGP community tags, explore:&lt;/span&gt; &lt;a href="https://medium.com/google-cloud/google-cloud-router-using-bgp-policies-to-use-bgp-communities-to-create-traffic-symmetry-4b4a959dccfa" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Using BGP communities to create traffic symmetry&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Get started today&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Taking control of your dynamic routing is now easier and more robust than ever. Using BGP route policies, it's a great time to optimize and secure your hybrid cloud connectivity.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We recommend testing your BGP route policies in a staging environment to verify your CEL expressions and routing logic before rolling them out to production. To explore the technical documentation, check out the&lt;/span&gt; &lt;a href="https://docs.cloud.google.com/network-connectivity/docs/router/concepts/bgp-route-policies-overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;BGP route policies overview&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Tue, 07 Jul 2026 16:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/bgp-route-policies-top-3-use-cases-by-customer-demand/</guid><category>Infrastructure Modernization</category><category>Hybrid &amp; Multicloud</category><category>Developers &amp; Practitioners</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>BGP route policies: Top 3 use cases by customer demand</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/bgp-route-policies-top-3-use-cases-by-customer-demand/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Olivier Vautrin</name><title>Product Manager</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Jonny Almaleh</name><title>Technical Solutions Consultant, Cloud Networking</title><department></department><company></company></author></item><item><title>Cloud Network Insights: end-to-end observability for the Cross-Cloud Network</title><link>https://cloud.google.com/blog/products/networking/cloud-network-insights-end-to-end-cross-cloud-observability/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In today’s digital landscape, the network is no longer confined to a single data center or even a single cloud provider. Enterprises are increasingly adopting cross-cloud strategies, connecting Google Cloud workloads to on-premises environments, other clouds like AWS and Azure, and a vast array of internet-facing applications. While this flexibility drives innovation, it can also introduce significant operational complexity. When a user experiences degradation in application performance, the critical question remains: Is it the network, the application, or something else?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We are excited to announce the general availability of &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/network-intelligence-center/docs/cloud-network-insights/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Network Insights&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, an out-of-the-box, Google Cloud-native solution that provides comprehensive visibility into network and digital experience performance across complex multi-cloud, and hybrid environments.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Closing the visibility gap with active monitoring&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights, offered in &lt;/span&gt;&lt;a href="https://investors.broadcom.com/news-releases/news-release-details/broadcom-expands-collaboration-google-cloud-cloud-network" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;partnership with Broadcom AppNeta&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, expands your observability beyond Google Cloud to your entire global deployment. By utilizing active synthetic probing, the solution monitors network routes even when no user traffic is present, allowing teams to be proactive rather than reactive.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Whether the source of degradation is in the cloud, &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;on-premises data centers, internet applications,&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; ISPs, or last-mile connectivity, Cloud Network Insights helps you pinpoint the exact location of the bottleneck.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights integrates directly into the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/stackdriver/docs"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Google Cloud Observability suite&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, bringing sophisticated network intelligence into the tools you already use. With Cloud Network Insights, you get:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;End-to-end network path visibility:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Gain a hop-by-hop visualization of the network path between your sources and destinations. Monitor critical metrics like round-trip time (RTT), packet loss, and jitter across networks you don’t directly manage.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Digital experience insights:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Go beyond the network layer to monitor &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;digital experience for web applications&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;. Measure DNS resolution times, HTTP response codes, and full browser page-load times to identify whether an application's degradation is due to the network or the application itself.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Proactive detection and alerting:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Use synthetic testing to identify performance dips before they impact your customers. Alarms are integrated with Cloud Monitoring and Cloud Logging, enabling alerting via email, Slack, or PagerDuty.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;SLA validation:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Arm your team with the data needed to verify if ISPs and service providers are meeting their performance commitments.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Rapid root-cause analysis: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Quickly differentiate between network problems, application-level issues, or browser performance impacts.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Integrated monitoring:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Access metrics and logs directly within Google Cloud, leveraging Cloud Monitoring and Cloud Logging for dashboards and alerting. Utilize the open partner ecosystem of Google Cloud as well as support for the OpenTelemetry protocol for metrics and logs, allowing direct ingestion by OTel SDKs and collectors.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Agentic workload monitoring:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Use synthetic testing to monitor connectivity and network performance to help ensure optimal connectivity to your agents and tools.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/1-network_paths_low_res.gif"
        
          alt="1-network paths low res"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="8nkv4"&gt;Network performance and multi-path routes to/from Google Cloud, AWS, and Azure in one view&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;How it works: active synthetic probing&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights uses active synthetic probing technology that consists of three main components: &lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Monitoring Points:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; You deploy lightweight software agents, called Monitoring Points, into critical network segments, such as a central VPC, a remote branch, or an on-premises data center. These can be deployed as containers or virtual machines.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Synthetic probes:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; These Monitoring Points send small, frequent bursts of synthetic traffic (simulating a user or application) to a target destination. This allows you to monitor performance 24/7, even when no real users are on the network.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Data synchronization:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The Monitoring Points send real-time performance telemetry to a central backend service. This data is then synchronized back to Google Cloud, with metrics exported to Cloud Monitoring, and alarms and events sent to Cloud Logging.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Core capabilities&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; supports two primary types of monitoring to give you a full picture of your infrastructure:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;1. Network performance monitoring (Layers 3 and 4)&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This provides a hop-by-hop visualization of the network between a source and a destination, including.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Metrics captured:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Round-trip time (RTT), packet loss, jitter, and path changes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Single-ended mode:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The agent probes an external target (like a URL, IP address or an API endpoint) that doesn't have a Monitoring Point installed.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Dual-ended mode:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The Monitoring Point probes another Monitoring Point. This provides richer data, including precise one-way latency and the ability to detect asymmetric routing (when data takes a different path going out than it does coming back).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2_d8twiu8.max-1000x1000.png"
        
          alt="2"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="21qbk"&gt;Network path metrics in Google Cloud console&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;2. Digital experience monitoring (Layer 7)&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;With digital experience monitoring, you can track the end-to-end experience of a web application. Here, you can choose from:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Browser mode:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Uses a real browser engine (Selenium) to load full web pages, execute JavaScript, and render content. It measures complete page-load times to validate the actual user experience.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;HTTP mode:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Sends synthetic HTTP/S requests to a URL or API endpoint. This is a lightweight check for server availability, response time, and DNS/TLS performance.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/3_VbaHlX5.max-1000x1000.png"
        
          alt="3"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Intelligence and automation&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights also offers a variety of monitoring and troubleshooting capabilities. &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Proactive alarms: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights leverages auto-baselining to establish dynamic performance thresholds based on your historical metric data. If a metric deviates from your defined parameters, the system instantly triggers an event in Google Cloud, routing alerts directly to your team via email, Slack, or PagerDuty.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Monitoring policies:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; You can automate monitoring setups across large-scale environments by defining policies that dynamically create or remove paths based on custom tags. For instance, you can automatically track a core web application's performance from specific geographic regions.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Root-cause analysis:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Because Cloud Network Insights extends visibility into traditionally "unwatched" areas like ISPs and transit networks, it instantly pinpoints whether a slowdown is occurring within Google Cloud, at the ISP level, or inside another cloud environment like AWS or Azure.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;AI-driven insights:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; With integration to Gemini Cloud Assist, you can use natural language to interrogate Cloud Network Insights telemetry alongside your broader infrastructure data. Rather than manually pivoting between dashboards, ask Gemini to cross-reference specific Cloud Network Insights metrics against other Google Cloud metrics, reducing mean time to resolution (MTTR).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;What customers are saying&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We are already seeing strong interest from customers looking to simplify their cross-cloud operations. Organizations like Sabre and Pexip are already using Cloud Network Insights to gain clarity in their hybrid environments.&lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;"In an environment as complex and high-scale as Sabre’s, total visibility isn't just a luxury — it's a requirement for operational resilience. Cloud Network Insights will enable us to further shift our posture towards proactive optimization. By providing granular, real-time telemetry across our global cloud footprint, it helps eliminate the traditional 'black box' of the network, allowing our teams to resolve bottlenecks before they impact the traveler experience." &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;- Alfredo Rodriguez, VP of Cloud and Infrastructure, Sabre&lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“Cloud Network Insights closes the 'visibility gap' between the private corporate network and the public cloud, empowering our joint customers to pinpoint performance bottlenecks in seconds rather than hours.”&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Alan Davidson, CIO, Broadcom&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-video"&gt;



&lt;div class="article-module article-video "&gt;
  &lt;figure&gt;
    &lt;a class="h-c-video h-c-video--marquee"
      href="https://youtube.com/watch?v=MR6dUJKFU4I"
      data-glue-modal-trigger="uni-modal-MR6dUJKFU4I-"
      data-glue-modal-disabled-on-mobile="true"&gt;

      
        

        &lt;div class="article-video__aspect-image"
          style="background-image: url(https://storage.googleapis.com/gweb-cloudblog-publish/images/maxresdefault_TJbxQsH.max-1000x1000.jpg);"&gt;
          &lt;span class="h-u-visually-hidden"&gt;Pexip improves network health with Cloud Network Insights&lt;/span&gt;
        &lt;/div&gt;
      
      &lt;svg role="img" class="h-c-video__play h-c-icon h-c-icon--color-white"&gt;
        &lt;use xlink:href="#mi-youtube-icon"&gt;&lt;/use&gt;
      &lt;/svg&gt;
    &lt;/a&gt;

    
  &lt;/figure&gt;
&lt;/div&gt;

&lt;div class="h-c-modal--video"
     data-glue-modal="uni-modal-MR6dUJKFU4I-"
     data-glue-modal-close-label="Close Dialog"&gt;
   &lt;a class="glue-yt-video"
      data-glue-yt-video-autoplay="true"
      data-glue-yt-video-height="99%"
      data-glue-yt-video-vid="MR6dUJKFU4I"
      data-glue-yt-video-width="100%"
      href="https://youtube.com/watch?v=MR6dUJKFU4I"
      ng-cloak&gt;
   &lt;/a&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Get started today&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Navigating complex digital ecosystems shouldn't mean sacrificing visibility. Cloud Network Insights bridges the gap across multi-cloud and hybrid environments by combining deep network performance metrics with digital experience monitoring. Coupled with direct integrations into Google Cloud Observability and Gemini Cloud Assist, your teams are empowered with intelligent alerting, robust SLA validation, and rapid root-cause analysis. We look forward to helping you gain a clearer, unified view of your Cross-Cloud Network.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;You can get started in the Google Cloud &lt;/span&gt;&lt;a href="https://console.cloud.google.com/net-intelligence/cloud-network-insights/onboarding"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;console&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; today. To learn more:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Explore our&lt;/span&gt;&lt;a href="https://docs.cloud.google.com/network-intelligence-center/docs/cloud-network-insights/overview"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;product documentation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; for deep dives into deploying Monitoring Points and configuring policies.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Check out the latest&lt;/span&gt;&lt;a href="https://docs.cloud.google.com/network-intelligence-center/docs/release-notes"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;release notes&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to stay updated on new features.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Watch the &lt;/span&gt;&lt;a href="https://youtu.be/KJ_Qrztildw?si=XKqpAM9yL44HqsR5" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;overview video&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Hear more about the partnership between Google Cloud and Broadcom: &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;ul&gt;
&lt;li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://youtu.be/XNaFAI5JWnU?si=yLk9SaSK7BbUIxJb" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Alan Davidson, CIO, Broadcom talks with Rob Enns, VP/GM, Google Cloud Networking&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://youtu.be/nBdUPRbEFYw?si=BOJx67Lulrl5QDVR" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Michel Melillo, Head of Network Observability, Broadcom chats with Raj Gulani, Director of Product Management, Google Cloud&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/ul&gt;&lt;/div&gt;</description><pubDate>Wed, 17 Jun 2026 19:30:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/cloud-network-insights-end-to-end-cross-cloud-observability/</guid><category>Infrastructure Modernization</category><category>Hybrid &amp; Multicloud</category><category>Developers &amp; Practitioners</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Cloud Network Insights: end-to-end observability for the Cross-Cloud Network</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/cloud-network-insights-end-to-end-cross-cloud-observability/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Poonam Yadav</name><title>Product Manager</title><department></department><company></company></author></item><item><title>Report: GKE Inference Gateway delivers up to 92% faster AI responses</title><link>https://cloud.google.com/blog/products/containers-kubernetes/gke-inference-gateway-prefix-caching-accelerates-ai-inference/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As generative AI moves from experimental pilots to massive production environments, the efficiency of your infrastructure  becomes the ultimate differentiator. One way to get the most out of it and minimize costly accelerator idle time is to leverage the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/about-gke-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Google Kubernetes Engine (GKE) Inference Gateway&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, which intelligently routes generative AI workloads based on real-time model server metrics.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Instead of relying on traditional, naive round-robin load balancing — which frequently triggers expensive accelerator recomputation and spikes user latency — this native extension of the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/gateway-api"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;GKE Gateway&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; utilizes advanced capabilities like &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/about-gke-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;prefix caching&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/about-gke-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;model-aware routing&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. By ensuring requests land on the exact accelerator that is primed to process them right away, GKE transforms how you can serve your large language models (LLMs), with excellent hardware utilization and ultra-fast response times. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In fact, according to an&lt;/span&gt;&lt;a href="https://www.principledtechnologies.com/Google/GKE-Inference-Gateway-study-0526.pdf" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt; independent benchmark report&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE Inference Gateway outperforms the next leading managed Kubernetes service with 15.7% higher throughput, 92.8% shorter wait times, and 62.6% lower inter-token latency&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;. This performance takes LLM-based applications from sluggish and  expensive to fast and production-grade.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;That performance tracks with &lt;/span&gt;&lt;a href="https://www.snap.com/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Snap&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;’s experience using GKE Inference Gateway. &lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“At Snap, we are integrating llm-d into our production AI infrastructure to facilitate high-performance inference at scale. By employing prefix-cache-aware routing, we have achieved prefix cache hit rates ranging up to 75-80%. We appreciate the open-source nature of llm-d, as it enables seamless integration with our Envoy-based Service Mesh.”&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Vinay Kola, Senior Manager, Software Engineering, Snap Inc. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In this blog, we take a closer look at GKE Inference Gateway’s prefix caching, complete with examples. We also provide more details about its benchmark results. Let’s jump in.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;The secret to low-latency AI: Prefix caching&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Prefix caching&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; optimizes LLM performance by storing the KV cache (activation states) of long, repetitive prompt prefixes. When consecutive user requests share the same system instructions, context, or documentation, the model entirely skips reprocessing those tokens. GKE Inference Gateway reads incoming request prefixes and matches them to the specific pods that already hold that data in memory. This eliminates the "thinking" tax on your GPUs and TPUs, turning heavy reasoning loops into near-instant answers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Use case 1:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Documentation and codebase Q&amp;amp;A with retrieval-augmented generation (RAG) &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;When querying massive enterprise repositories, you can ground your LLMs’ responses without any added latency by pinning entire documentation sets as static cached prefixes, using RAG.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Instead of forcing an LLM to re-read thousands of lines of API references or corporate wikis for every single user question, GKE Inference Gateway routes the query to a pod that already has that specific context warmed up in its KV cache. The LLM only has to compute the user's brief, dynamic question, completely bypassing expensive document re-evaluation.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;[STATIC PREFIX - STAYS IN CACHE] You are an expert AI assistant specializing in technical documentation. Below is the complete API documentation for our software platform. Use this context to answer the user\&amp;#x27;s questions accurately. If the answer cannot be found in the documentation, say &amp;quot;I cannot find that in the provided context.&amp;quot; \r\n\r\n&amp;lt;documentation&amp;gt; [10,000+ words of API reference documentation, endpoints, error codes, etc.] &amp;lt;/documentation&amp;gt; \r\n\r\n[DYNAMIC SUFFIX - CHANGES PER REQUEST] User Question: How do I handle a 429 rate limit error using the Python SDK?&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb06534e100&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Use case 2: Multi-turn chat  &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;You can also use prefix caching to maintain customer service interactions across thousands of simultaneous sessions without compounding compute costs. You can do so by caching permanent system personas and core business rules directly on the LLM server.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In enterprise chat architectures, the base system prompt and reference tables remain completely identical across millions of customer interactions. GKE Inference Gateway handles these multi-turn conversations using context-aware routing to bypass repetitive token processing, so that your chatbot stays ultra-responsive even under peak traffic.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;[STATIC PREFIX - STAYS IN CACHE] \r\n-System Persona: You are &amp;quot;FinBot&amp;quot;, a helpful, empathetic, and compliant virtual assistant for ABC Banking Solutions. You must strictly adhere to the following rules: 1. Never provide concrete investment advice. 2. Always verify if the user is asking about checking or savings. 3. Keep your answers under 3 sentences. 4. If a user is angry, offer to connect them to a human manager. \r\n\r\nHere is the current interest rate table for May 2026: \r\n- Savings: 4.2% APR \r\n- Checking: 0.5% APR \r\n- CD (12-month): 5.1% APR \r\n\r\n[DYNAMIC SUFFIX - CHANGES PER REQUEST] User: Hi, I\&amp;#x27;m trying to figure out how much I\&amp;#x27;d make if I locked away $10,000 for a year?&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb06534e190&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE outperforms alternative managed Kubernetes solutions&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To validate these architectural advantages, Principled Technologies recently released an independent &lt;/span&gt;&lt;a href="https://www.principledtechnologies.com/Google/GKE-Inference-Gateway-study-0526.pdf" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;benchmark report&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; comparing GKE (equipped with the GKE Inference Gateway) against a standard third-party managed Kubernetes service utilizing conventional round-robin HTTP load balancing.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Tested on a Llama 3.1 8B Instruct shared prefix workload using identical hardware (eight NVIDIA A100 40GB GPUs) the results reveal a massive performance gap between the two Kubernetes services. &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE didn't just win; it completely redefined inference efficiency across three critical metrics:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Higher throughput:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; 15.7% more tokens processed per second, enabling higher request capacity or reduced hardware needs for the same workload&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Much faster time to first token (TTFT):&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; 92.8% shorter wait times, producing dramatically quicker perceived response starts for interactive scenarios&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong style="vertical-align: baseline;"&gt;Lower inter-token latency (ITL):&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; 62.6% reduction, resulting in smoother and faster token streaming after the first token &lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1_-_Updated_Doc_chart.max-1000x1000.jpg"
        
          alt="1 - Updated Doc chart"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="g6g32"&gt;Figure 3: Mean latency (normalized time per output token) of GKE with GKE Inference Gateway and third-party managed Kubernetes service on the Llama 3.1-8B Instruct LLM on the Shared prefix use case. Both solutions used the same hardware. Source: Principled Technologies&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;div align="left"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;
&lt;div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"&gt;&lt;table&gt;&lt;colgroup&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;col/&gt;&lt;/colgroup&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"&gt; &lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;3rd party Managed&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;Kubernetes Service&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE Advantage&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Mean output&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;token throughput&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;7,169.21 output&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;tokens per second&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;6,042.05 output&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;tokens per second&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;15.7% more output&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;token throughput&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Mean time to&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;first token (TTFT)&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;188.36 ms&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;2624.73 ms&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;92.8% less TTFT&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Mean inter-token&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;latency (ITL)&lt;/strong&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;30.20 ms&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;81.03 ms&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;62.6% lower ITL&lt;/span&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Figure 4: GKE with GKE Inference Gateway delivered superior AI inference compared to a third-party managed Kubernetes service using standard HTTP LB.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Ready to accelerate your gen AI inference workloads?&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Whether you’re deploying inference workloads such as real-time customer support agents, dynamic coding assistants, or sub-second fraud detection models, infrastructure latency dictates your user experience. By ensuring shared prompt prefixes hit the active cache nearly 100% of the time, GKE Inference Gateway transforms your LLMs from sluggish, expensive reasoning engines into rapid, capital-efficient, production-grade powerhouses.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Ready to explore the performance advantage that GKE Inference Gateway can bring to your gen AI workloads? Access the full benchmark report &lt;/span&gt;&lt;a href="https://www.principledtechnologies.com/Google/GKE-Inference-Gateway-study-0526.pdf" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and watch this explainer &lt;/span&gt;&lt;a href="https://youtu.be/RXX-LouimPY?si=dPGbP91TakSonOq9" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;video&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to learn more.&lt;/span&gt;&lt;/p&gt;
&lt;hr/&gt;
&lt;p&gt;&lt;sup&gt;&lt;em&gt;&lt;span style="vertical-align: baseline;"&gt;A special thanks to Dan Sullivan, &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Senior Performance Architect&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;, Principled Technologies.&lt;/span&gt;&lt;/em&gt;&lt;/sup&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Tue, 09 Jun 2026 16:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/containers-kubernetes/gke-inference-gateway-prefix-caching-accelerates-ai-inference/</guid><category>Networking</category><category>AI &amp; Machine Learning</category><category>AI infrastructure</category><category>GKE</category><category>Containers &amp; Kubernetes</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Report: GKE Inference Gateway delivers up to 92% faster AI responses</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/containers-kubernetes/gke-inference-gateway-prefix-caching-accelerates-ai-inference/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Bob Tian</name><title>Software Engineer</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Susan Wu</name><title>Outbound Product Manager</title><department></department><company></company></author></item><item><title>Experimenting with TPUs, GKE Managed DRANET, and Multi-cluster Inference Gateway</title><link>https://cloud.google.com/blog/topics/developers-practitioners/experimenting-with-tpus-gke-managed-dranet-and-multi-cluster-inference-gateway/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;What happens when your workload fails in one region but you need access to service? This is a common case for availability and uptime. With recent enhancement to the Kubernetes ecosystem and capabilities like &lt;/span&gt;&lt;a href="https://kubernetes.io/docs/concepts/scheduling-eviction/dynamic-resource-allocation/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Dynamic Resource Allocation (DRA)&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://gateway-api-inference-extension.sigs.k8s.io/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Inference Gateway.&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;span style="vertical-align: baseline;"&gt;I decided to experiment with these capabilities in Google Cloud for a simple test using an AI inference workload.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In this blog, we will explore this setup and you can also jump straight into the detailed configs in this codelab &lt;/span&gt;&lt;a href="https://codelabs.developers.google.com/codelabs/gke-inference-gateway-multi-cluster-tpus-dranet#0" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Build multi-cluster GKE Inference Gateway, with TPUs , Cloud Storage FUSE and managed DRANET.&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Building blocks &lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To build out this experiment, use the following products, features, and tools:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong&gt;&lt;span style="vertical-align: baseline;"&gt;Google Kubernetes Engine &lt;/span&gt;&lt;/strong&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;&lt;strong&gt;(GKE) managed DRANET&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;: This is a managed feature that lets you request and share resources among Pods. This supports &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra#use-rdma-interfaces-gpu"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;GPUs&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, and &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra#use-non-rdma-interfaces-tpu"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;TPUs&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. In this test TPUs were used in two different regions with networking assigned using managed DRANET.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/about-multi-cluster-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;&lt;strong&gt;Multi-cluster GKE Inference gateway&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;: Load balances your AI/ML inference workloads across multiple GKE clusters. This works in a failover situation which is what my experiment intended to test. The type which supports this is the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/gateway-api#gatewayclass"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Multi-cluster Cross-region internal Application Load Balancer&lt;/span&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;code style="vertical-align: baseline;"&gt;gke-l7-cross-regional-internal-managed-mc&lt;/code&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/storage/docs/cloud-storage-fuse/overview"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Storage FUSE&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;: Provides a way to store data, models, checkpoints, and logs directly in Cloud Storage. To speed up the deployment, an open source gemma model was downloaded to this storage for retrieval. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Virtual private Cloud (VPC)&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: The foundational global network providing isolated, secure communication for the internal load balancers and compute nodes&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/fleets-overview"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;GKE Fleets&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;: Fleets group the separate regional clusters under a unified management control plane&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/tpu/docs/v6e"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;TPU v6e&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Google's custom AI accelerators that provide the high-performance compute required to serve the model. The VM family type used was the  &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;ct6e-standard-4t&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; in a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/tpu/docs/v6e#configurations"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;2x2 Slice&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Design pattern example&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;&lt;span style="vertical-align: baseline;"&gt;The aim is to deploy a LLM model (Gemma 3) onto 2 GKE clusters in different regions. Each cluster will use 4 TPU v6e chips. The model should be stored in Cloud Storage. The workload is served using GKE Inference Gateway which supports multi-clusters. The traffic should be routed to the region closest to the user and failover to the other region if one region fails.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1-build.max-1000x1000.png"
        
          alt="1-build"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;div data-draftjs-conductor-fragment='{"blocks":[{"key":"ct469","text":"Putting it together","type":"header-three","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"a673f","text":"To get access to the TPUs for your project in two regions you have to ensure you have the necessary quota in those regions.","type":"unstyled","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":90,"length":15,"key":0}],"data":{}},{"key":"8ufpl","text":"Begin: Set up the environment","type":"unstyled","depth":0,"inlineStyleRanges":[{"offset":0,"length":6,"style":"BOLD"}],"entityRanges":[],"data":{}},{"key":"3hun0","text":"Create a standard VPC, with firewall rules and subnet in the same zone as the reservation.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":9,"length":12,"key":1}],"data":{}},{"key":"afkbe","text":"Create a proxy-only subnet this will be used with the Internal regional application load balancer attached to the GKE inference gateway.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":9,"length":17,"key":2}],"data":{}},{"key":"23sv0","text":"Set up firewall rules allowing traffic and health checks.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"b83on","text":"Reserve static internal IP addresses in both regions for the Gateway.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"5sqev","text":"Provision a Cloud Storage FUSE bucket and configure a dedicated IAM Service Account. Bind this to a Kubernetes Workload Identity so your pods can securely mount the bucket and read the model weights directly.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"65eu0","text":"Next: Create standard GKE clusters and node pools","type":"unstyled","depth":0,"inlineStyleRanges":[{"offset":0,"length":49,"style":"BOLD"}],"entityRanges":[],"data":{}},{"key":"3nj2n","text":"Deploy two separate GKE clusters in your chosen regions configured.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"d6395","text":"Enable the Gateway API (--gateway-api=standard) and the Cloud Storage FUSE CSI driver (--addons GcsFuseCsiDriver) during cluster creation.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[{"offset":24,"length":22,"style":"CODE"},{"offset":87,"length":25,"style":"CODE"},{"offset":24,"length":22,"style":"ITALIC"},{"offset":87,"length":25,"style":"ITALIC"}],"entityRanges":[{"offset":55,"length":30,"key":3}],"data":{}},{"key":"37hd5","text":"Create dedicated TPU v6e node pools (ct6e-standard-4t) for both clusters.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[{"offset":37,"length":16,"style":"CODE"},{"offset":37,"length":16,"style":"ITALIC"}],"entityRanges":[],"data":{}},{"key":"e6o1h","text":"Enable managed DRANET on these TPU node pools by setting the flags\n ---accelerator-network-profile=auto, and\n --node-labels=cloud.google.com/gke-networking-dra-driver=true.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[{"offset":68,"length":35,"style":"CODE"},{"offset":110,"length":61,"style":"CODE"},{"offset":68,"length":35,"style":"ITALIC"},{"offset":110,"length":62,"style":"ITALIC"}],"entityRanges":[{"offset":31,"length":14,"key":4}],"data":{}},{"key":"e6iod","text":"Next: Establish the global mesh via Fleet Registration","type":"unstyled","depth":0,"inlineStyleRanges":[{"offset":0,"length":54,"style":"BOLD"}],"entityRanges":[],"data":{}},{"key":"8nj7o","text":"Register both GKE clusters to a unified GKE Fleet by following the fleet creation and registration setup.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":66,"length":38,"key":5}],"data":{}},{"key":"6f71o","text":"Enable Multi-Cluster Service Discovery and Multi-Cluster Ingress on your fleet.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"cbent","text":"Designate your primary region as the configuration hub to act as the control plane for routing rules across both regions.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"2k3c3","text":"Next: Deploy the AI Workload","type":"unstyled","depth":0,"inlineStyleRanges":[{"offset":0,"length":28,"style":"BOLD"}],"entityRanges":[],"data":{}},{"key":"b56k8","text":"Use a temporary Kubernetes job to download the Gemma 3 (gemma-3-27b-it) model weights directly into your Cloud Storage bucket.","type":"unordered-list-item","depth":0,"inlineStyleRanges":[{"offset":56,"length":14,"style":"CODE"},{"offset":56,"length":14,"style":"ITALIC"}],"entityRanges":[],"data":{}},{"key":"lihp","text":"Define a ResourceClaimTemplate that explicitly requests the managed DRANET device class (deviceClassName: netdev.google.com) with the allocation mode set to \"All\".","type":"unordered-list-item","depth":0,"inlineStyleRanges":[{"offset":9,"length":21,"style":"CODE"},{"offset":89,"length":34,"style":"CODE"},{"offset":9,"length":21,"style":"ITALIC"},{"offset":89,"length":34,"style":"ITALIC"}],"entityRanges":[],"data":{}}],"entityMap":{"0":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://docs.cloud.google.com/kubernetes-engine/docs/how-to/tpus#ensure-quota-od-spot"}},"1":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://docs.cloud.google.com/vpc/docs/create-modify-vpc-networks#create-custom-network"}},"2":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://docs.cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create"}},"3":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://cloud.google.com/kubernetes-engine/docs/concepts/cloud-storage-fuse-csi-driver"}},"4":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra#enable-dra-driver-tpu"}},"5":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://cloud.google.com/kubernetes-engine/docs/how-to/creating-fleets"}}}}'&gt;
&lt;h2 class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="czag4-0-0"&gt;&lt;span data-offset-key="czag4-0-0"&gt;Putting it together&lt;/span&gt;&lt;/h2&gt;
&lt;div class="Draftail-block--unstyled" data-block="true" data-editor="4apjo" data-offset-key="31jqe-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="31jqe-0-0"&gt;&lt;span data-offset-key="31jqe-0-0"&gt;To get access to the TPUs for your project in two regions you have to ensure you have the &lt;/span&gt;&lt;a class="TooltipEntity" data-draftail-trigger="true" href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/tpus#ensure-quota-od-spot" role="button"&gt;&lt;span data-offset-key="31jqe-1-0"&gt;necessary quota&lt;/span&gt;&lt;/a&gt;&lt;span data-offset-key="31jqe-2-0"&gt; in those regions.&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="Draftail-block--unstyled" data-block="true" data-editor="4apjo" data-offset-key="9e8ff-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="9e8ff-0-0"&gt; &lt;/div&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="9e8ff-0-0"&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Begin:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Set up the environment. &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Create a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/vpc/docs/create-modify-vpc-networks#create-custom-network"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;standard VPC&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, with firewall rules and subnet in the same zone as the reservation.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Create a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;proxy-only subnet&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; this will be used with the Internal regional application load balancer attached to the GKE inference gateway&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Set up firewall rules allowing traffic and health checks.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Reserve static internal IP addresses in both regions for the Gateway.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Provision a Cloud Storage FUSE bucket and configure a dedicated IAM Service Account. Bind this to a Kubernetes Workload Identity so your pods can securely mount the bucket and read the model weights directly.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Create standard GKE clusters and node pools.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy two separate GKE clusters in your chosen regions configured.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Enable the Gateway API (&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;--gateway-api=standard&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;) and the&lt;/span&gt;&lt;a href="https://cloud.google.com/kubernetes-engine/docs/concepts/cloud-storage-fuse-csi-driver"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Storage FUSE CSI driver&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;--addons GcsFuseCsiDriver&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;) during cluster creation.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Create dedicated TPU v6e node pools (&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;ct6e-standard-4t&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;) for both clusters.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Enable managed DRANET on these &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra#enable-dra-driver-tpu"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;TPU node pools&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; by setting the flags &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;---accelerator-network-profile=auto&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;, and &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;--node-labels=cloud.google.com/gke-networking-dra-driver=true&lt;/code&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Establish the global mesh via Fleet Registration.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Register both GKE clusters to a unified GKE Fleet by following the&lt;/span&gt;&lt;a href="https://cloud.google.com/kubernetes-engine/docs/how-to/creating-fleets"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;fleet creation and registration setup&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Enable Multi-Cluster Service Discovery and Multi-Cluster Ingress on your fleet.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Designate your primary region as the configuration hub to act as the control plane for routing rules across both regions.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy the AI workload.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Use a temporary Kubernetes job to download the Gemma 3 (&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;gemma-3-27b-it&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;) model weights directly into your Cloud Storage bucket.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Define a &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;ResourceClaimTemplate&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; that explicitly requests the managed DRANET device class (&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;deviceClassName: netdev.google.com&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; ) with the allocation mode set to "All".&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;apiVersion: resource.k8s.io/v1\r\nkind: ResourceClaimTemplate\r\nmetadata:\r\n  name: all-netdev\r\n  namespace: default\r\nspec:\r\n  spec:\r\n    devices:\r\n      requests:\r\n      - name: req-netdev\r\n        exactly:\r\n          deviceClassName: netdev.google.com\r\n          allocationMode: All&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb065bb95e0&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy your inference server (e.g. vLLM) on the TPU nodes in both regions. Ensure the pod spec utilizes node selectors for the 2x2 TPU topology, requests exactly 4 TPUs, and mounts the &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;netdev&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; claim. This guarantees your pods utilize the dedicated accelerator networking alongside standard Ethernet.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Configure the Multi-Cluster Inference Gateway.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Install the necessary Custom Resource Definitions (CRDs) so Kubernetes can process specialized routing objects like the &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;InferenceObjective&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy an &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;AutoscalingMetric&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; to track hardware utilization, such as KV cache usage.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Use Helm to group the independent AI deployments from both regions into a single, logical &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;InferencePool&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy the Cross-Region Gateway and its associated &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;HTTPRoute&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; to manage incoming global traffic.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Apply health checks and backend policies to the pool to ensure load balancing relies on your custom hardware metrics.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Configure an &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;InferenceObjective&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; to instruct the gateway to route prompts to the region with the highest availability, avoiding overloaded TPUs.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;apiVersion: gateway.networking.k8s.io/v1\r\nkind: Gateway\r\nmetadata:\r\n  name: cross-region-gateway\r\n  namespace: default\r\nspec:\r\n  gatewayClassName: gke-l7-cross-regional-internal-managed-mc\r\n  addresses:\r\n  - type: networking.gke.io/named-address-with-region\r\n    value: &amp;quot;regions/europe-west4/addresses/gemma-gateway-ip-europe-west4&amp;quot;\r\n  - type: networking.gke.io/named-address-with-region\r\n    value: &amp;quot;regions/us-east5/addresses/gemma-gateway-ip-us-east5&amp;quot;\r\n  listeners:\r\n  - name: http\r\n    protocol: HTTP\r\n    port: 80\r\n---\r\napiVersion: gateway.networking.k8s.io/v1\r\nkind: HTTPRoute\r\nmetadata:\r\n  name: gemma-route\r\n  namespace: default\r\nspec:\r\n  parentRefs:\r\n  - name: cross-region-gateway\r\n    kind: Gateway\r\n  rules:\r\n  - backendRefs:\r\n    - group: networking.gke.io\r\n      kind: GCPInferencePoolImport\r\n      name: gemma-pool\r\n      port: 8000\r\n---\r\napiVersion: networking.gke.io/v1\r\nkind: HealthCheckPolicy\r\nmetadata:\r\n  name: gemma-health-check\r\n  namespace: default\r\nspec:\r\n  targetRef:\r\n    group: networking.gke.io\r\n    kind: GCPInferencePoolImport\r\n    name: gemma-pool\r\n  default:\r\n    config:\r\n      type: HTTP\r\n      httpHealthCheck:\r\n        requestPath: /health\r\n        port: 8000\r\n---\r\napiVersion: networking.gke.io/v1\r\nkind: GCPBackendPolicy\r\nmetadata:\r\n  name: gemma-backend-policy\r\n  namespace: default\r\nspec:\r\n  targetRef:\r\n    group: networking.gke.io\r\n    kind: GCPInferencePoolImport\r\n    name: gemma-pool\r\n  default:\r\n    timeoutSec: 100\r\n    balancingMode: CUSTOM_METRICS\r\n    trafficDuration: LONG\r\n    customMetrics:\r\n      - name: gke.named_metrics.tpu-cache\r\n        dryRun: false\r\n        maxUtilizationPercent: 60\r\n---\r\napiVersion: autoscaling.gke.io/v1beta1\r\nkind: AutoscalingMetric\r\nmetadata:\r\n  name: tpu-cache\r\n  namespace: default\r\nspec:\r\n  selector:\r\n    matchLabels:\r\n      app: gemma-server\r\n  endpoints:\r\n  - port: 8000\r\n    path: /metrics\r\n    metrics:\r\n    - name: vllm:kv_cache_usage_perc\r\n      exportName: tpu-cache\r\n---\r\napiVersion: inference.networking.x-k8s.io/v1alpha2\r\nkind: InferenceObjective\r\nmetadata:\r\n  name: gemma-objective\r\n  namespace: default\r\nspec:\r\n  priority: 10\r\n  poolRef:\r\n    name: gemma-pool\r\n    group: &amp;quot;inference.networking.k8s.io&amp;quot;&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb065bb9d90&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;div data-draftjs-conductor-fragment='{"blocks":[{"key":"5k3m6","text":"Testing the Failover","type":"unstyled","depth":0,"inlineStyleRanges":[{"offset":0,"length":20,"style":"BOLD"}],"entityRanges":[],"data":{}},{"key":"38ue0","text":"Verify the highly available architecture by simulating a primary region outage. Once the primary deployment is taken offline, the Gateway automatically detects the failure and seamlessly reroutes all subsequent user requests to the active secondary cluster, ensuring continuous availability without dropping traffic.","type":"unstyled","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"44u08","text":"Next Steps","type":"header-three","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"3k54t","text":"Take a deeper dive into a hands-on codelab and more information on these features review the following.","type":"unstyled","depth":0,"inlineStyleRanges":[],"entityRanges":[],"data":{}},{"key":"ohd6","text":"Hands-on Codelab: Build multi-cluster GKE Inference Gateway, with TPUs , Cloud Storage FUSE and managed DRANET","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":18,"length":92,"key":0}],"data":{}},{"key":"4jgt1","text":"Document set: DRANET","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":14,"length":6,"key":1}],"data":{}},{"key":"ep7ne","text":"Documentation: AI Hypercomputer","type":"unordered-list-item","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":15,"length":16,"key":2}],"data":{}},{"key":"3c9h1","text":"Want to ask a question, find out more or share a thought? Please connect with me on Linkedin.","type":"unstyled","depth":0,"inlineStyleRanges":[],"entityRanges":[{"offset":84,"length":8,"key":3}],"data":{}}],"entityMap":{"0":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://codelabs.developers.google.com/codelabs/gke-inference-gateway-multi-cluster-tpus-dranet"}},"1":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://docs.cloud.google.com/kubernetes-engine/docs/how-to/config-auto-net-for-accelerators"}},"2":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://docs.cloud.google.com/ai-hypercomputer/docs/overview"}},"3":{"type":"LINK","mutability":"MUTABLE","data":{"url":"https://www.linkedin.com/in/ammett/"}}}}'&gt;
&lt;div class="Draftail-block--unstyled" data-block="true" data-editor="cl1on" data-offset-key="czag4-0-0"&gt;
&lt;h3 class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="czag4-0-0"&gt;&lt;span data-offset-key="czag4-0-0"&gt;Testing the Failover&lt;/span&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;div class="Draftail-block--unstyled" data-block="true" data-editor="cl1on" data-offset-key="9un4f-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="9un4f-0-0"&gt;&lt;span data-offset-key="9un4f-0-0"&gt;Verify the highly available architecture by simulating a primary region outage. Once the primary deployment is taken offline, the Gateway automatically detects the failure and seamlessly reroutes all subsequent user requests to the active secondary cluster, ensuring continuous availability without dropping traffic.&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="ef2kc-0-0"&gt; &lt;/div&gt;
&lt;h2 class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="ef2kc-0-0"&gt;&lt;span data-offset-key="ef2kc-0-0"&gt;Next Steps&lt;/span&gt;&lt;/h2&gt;
&lt;div class="Draftail-block--unstyled" data-block="true" data-editor="cl1on" data-offset-key="1r2f1-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="1r2f1-0-0"&gt;&lt;span data-offset-key="1r2f1-0-0"&gt;Take a deeper dive into a hands-on codelab and more information on these features review the following.&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;ul class="public-DraftStyleDefault-ul" data-offset-key="6fjff-0-0"&gt;
&lt;li class="Draftail-block--unordered-list-item public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-reset public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="cl1on" data-offset-key="6fjff-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="6fjff-0-0"&gt;&lt;span data-offset-key="6fjff-0-0"&gt;Hands-on Codelab: &lt;/span&gt;&lt;a class="TooltipEntity" data-draftail-trigger="true" href="https://codelabs.developers.google.com/codelabs/gke-inference-gateway-multi-cluster-tpus-dranet" rel="noopener" role="button" target="_blank"&gt;&lt;span data-offset-key="6fjff-1-0"&gt;Build multi-cluster GKE Inference Gateway, with TPUs , Cloud Storage FUSE and managed DRANET&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;/li&gt;
&lt;li class="Draftail-block--unordered-list-item public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="cl1on" data-offset-key="9ku8e-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="9ku8e-0-0"&gt;&lt;span data-offset-key="9ku8e-0-0"&gt;Document set: &lt;/span&gt;&lt;a class="TooltipEntity" data-draftail-trigger="true" href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/config-auto-net-for-accelerators" role="button"&gt;&lt;span data-offset-key="9ku8e-1-0"&gt;DRANET&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;/li&gt;
&lt;li class="Draftail-block--unordered-list-item public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="cl1on" data-offset-key="3fjdr-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="3fjdr-0-0"&gt;&lt;span data-offset-key="3fjdr-0-0"&gt;Documentation: &lt;/span&gt;&lt;a class="TooltipEntity" data-draftail-trigger="true" href="https://docs.cloud.google.com/ai-hypercomputer/docs/overview" role="button"&gt;&lt;span data-offset-key="3fjdr-1-0"&gt;AI Hypercomputer&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="Draftail-block--unstyled" data-block="true" data-editor="cl1on" data-offset-key="f0ecg-0-0"&gt;
&lt;div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="f0ecg-0-0"&gt;&lt;span data-offset-key="f0ecg-0-0"&gt;Want to ask a question, find out more or share a thought? Please connect with me on &lt;/span&gt;&lt;a class="TooltipEntity" data-draftail-trigger="true" href="https://www.linkedin.com/in/ammett/" rel="noopener" role="button" target="_blank"&gt;&lt;span data-offset-key="f0ecg-1-0"&gt;Linkedin&lt;/span&gt;&lt;/a&gt;&lt;span data-offset-key="f0ecg-2-0"&gt;.&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;&lt;/div&gt;</description><pubDate>Tue, 02 Jun 2026 07:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/developers-practitioners/experimenting-with-tpus-gke-managed-dranet-and-multi-cluster-inference-gateway/</guid><category>Networking</category><category>Developers &amp; Practitioners</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/0-hero-dra.max-600x600.png" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Experimenting with TPUs, GKE Managed DRANET, and Multi-cluster Inference Gateway</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/0-hero-dra.max-600x600.png</image><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/developers-practitioners/experimenting-with-tpus-gke-managed-dranet-and-multi-cluster-inference-gateway/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Ammett Williams</name><title>Developer Relations Engineer</title><department></department><company></company></author></item><item><title>How we evolved Google’s global and data center networks for the AI era</title><link>https://cloud.google.com/blog/products/networking/data-center-and-global-networks-built-for-ai-era/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Over the last 25 years of building Google’s global network, we’ve &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/google-global-network-principles-and-innovations?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;navigated major architectural eras&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; — from the Internet, to streaming, and the cloud. Today, we are squarely in the midst of a fourth: the AI era. The applications in the AI era are fundamentally different from the consumer and enterprise applications of the previous eras and impose a set of novel and demanding requirements — on compute resources, of course, but also on the network. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Consider the fundamental physical challenge, which is that it is far more difficult to move electrons (electrical power) than it is to move photons (data over fiber). Because the demand for AI compute frequently outpaces the space and power capacities of individual facilities, we strategically locate data centers near sustainable energy sources, or in locations with pathways to add clean energy sources to the local grid. Then, by utilizing the network to distribute AI workloads across campuses, we create a massive-scale, pooled hypercomputing resource that overcomes the power limitations of any single site.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1_R90253L.max-1000x1000.jpg"
        
          alt="1"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To deliver this, we created an end-to-end, vertically integrated AI technology stack that comprises everything from chips to systems, to platforms and application and agentic ecosystems. This stack includes a portfolio of pre-built agents and applications; our &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/introducing-gemini-enterprise-agent-platform?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Gemini Enterprise Agent Platform&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; for you to build, scale, govern, and optimize your AI-enabled applications; world-class AI models; as well as our unified data platform. All this is anchored by our &lt;/span&gt;&lt;a href="https://cloud.google.com/solutions/ai-hypercomputer?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI Hypercomputer&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, a unified infrastructure that combines purpose-built hardware and open software, and that comes with flexible consumption options. Our network, forged through decades of innovation, is the essential fabric of the AI Hypercomputer. &lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2_bZdv9ks.max-1000x1000.jpg"
        
          alt="2"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The network supporting this stack must meet the stringent bandwidth, scale, and performance needs of AI workloads. This applies not only within the campus, where the network must scale up and out, but also across the wide area network (WAN) along with high-bandwidth interconnects, to bring AI training data from its source to AI compute resources. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To address these challenges, we’ve reimagined three key pillars of our network infrastructure: the fabric inside the AI Hypercomputer, the fabric across the AI Hypercomputer, and our global network. Let’s take a closer look at each of these. &lt;/span&gt;&lt;/p&gt;
&lt;h3 role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;1. The fabric inside AI Hypercomputer&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The massive scale of today’s AI models, fueled by the explosive growth of foundational AI model parameters, makes AI training very compute- and network-intensive.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/3_eO2Dxet.max-1000x1000.jpg"
        
          alt="3"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This necessitates &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;an exponential increase in required network bandwidth, with strict bounds on delay (e.g., tail latency) to accommodate AI workloads’ peculiar traffic patterns, which are characterized by sensitivity to performance variation and synchronized bursts, i.e., intense, coordinated, millisecond-level traffic spikes. Furthermore, since large-scale training jobs are uniquely vulnerable to failures and performance stragglers, maintaining high reliability and predictable performance is absolutely essential. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To address the scale, low latency, and high predictability that modern AI workloads require — as well as protection from extreme bursts — we’ve adopted a "campus as a computer" philosophy, decoupling our network into three distinct domains: &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;a scale-up domain for intra-pod connectivity&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;a dedicated east-west scale-out accelerator fabric&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;the &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/speed-scale-reliability-25-years-of-data-center-networking?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Jupiter&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;frontend network for north-south compute and storage access &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This decoupled architecture provides three strategic advantages: it allows domains to evolve independently for faster innovation; provides a non-blocking scale-out network with massive training bandwidth; and helps ensure the network can be co-designed in lockstep with new ML accelerators, for superior hardware support.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Recently, we unveiled &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/introducing-virgo-megascale-data-center-fabric"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Virgo Network&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, our scale-out data center fabric specifically engineered for modern AI. Virgo utilizes high-radix switches and a flat, two-layer non-blocking topology to provide massive bisection bandwidth, while minimizing latency by reducing network tiers. Its multi-planar design, featuring independent control domains for each plane, provides hardware-level resilience and fault isolation. Furthermore, Virgo can expand across multiple data centers, removing physical building limitations and enabling flexible AI compute scaling.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/virgo_network_architecture_figure.max-1000x1000.jpg"
        
          alt="4"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The effectiveness of our network and accelerator codesign is perfectly illustrated by the recently debuted &lt;/span&gt;&lt;a href="https://blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/eighth-generation-tpu-agentic-era/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;eighth generation TPUs&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. Within this architecture, Virgo Network can link 134,000 TPU 8t chips with up to 47 petabits/sec of non-blocking bi-sectional bandwidth in a single fabric. Virgo Network delivers up to 4x the bandwidth per TPU 8t accelerator over the previous generation, and 40% lower unloaded fabric latency for TPU 8t compared to the previous generation network for TPUs. In this setup, Virgo Network manages the raw accelerator traffic, while Jupiter provides reliable and rapid access to the global WAN and storage. When integrated with &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/ai-hypercomputer/docs/workloads/pathways-on-cloud/pathways-intro"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Pathways&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://github.com/jax-ml/jax" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;JAX&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, this AI Hypercomputer networking engine facilitates near-linear scaling for up&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;to a million TPU 8t chips in a single logical cluster.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Autonomous reliability: protecting workload goodput&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Building a resilient megascale fabric represents only part of the challenge. &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;In a cluster of hundreds of thousands of chips, hardware failures are a statistical certainty. A single stalled instance can stop an entire synchronous training job, wasting valuable compute cycles. As such, efficient fault localization is critical.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We engineered Virgo Network with &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;autonomous reliability &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;capabilities to maximize workload efficiency at scale, a.k.a., &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/goodput-metric-as-measure-of-ml-productivity"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;goodput&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. Expanding on our existing &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/compute/stragglers-in-ai-a-guide-to-automated-straggler-detection?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;straggler detection&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, Virgo Network now also features automated &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;hang detection.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The moment a fail-stop event occurs, our specialized agents immediately localize the fault, isolate the faulty instance, and enable you to restore the training job from a checkpoint — getting your training timeline back on track, with minimal manual intervention. Learn more by watching this demo:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-video"&gt;



&lt;div class="article-module article-video "&gt;
  &lt;figure&gt;
    &lt;a class="h-c-video h-c-video--marquee"
      href="https://youtube.com/watch?v=0yKGILWlngY"
      data-glue-modal-trigger="uni-modal-0yKGILWlngY-"
      data-glue-modal-disabled-on-mobile="true"&gt;

      
        

        &lt;div class="article-video__aspect-image"
          style="background-image: url(https://storage.googleapis.com/gweb-cloudblog-publish/images/maxresdefault_aGs9w20.max-1000x1000.jpg);"&gt;
          &lt;span class="h-u-visually-hidden"&gt;[Demo] Autonomous ML Reliability - Data Center Network&lt;/span&gt;
        &lt;/div&gt;
      
      &lt;svg role="img" class="h-c-video__play h-c-icon h-c-icon--color-white"&gt;
        &lt;use xlink:href="#mi-youtube-icon"&gt;&lt;/use&gt;
      &lt;/svg&gt;
    &lt;/a&gt;

    
  &lt;/figure&gt;
&lt;/div&gt;

&lt;div class="h-c-modal--video"
     data-glue-modal="uni-modal-0yKGILWlngY-"
     data-glue-modal-close-label="Close Dialog"&gt;
   &lt;a class="glue-yt-video"
      data-glue-yt-video-autoplay="true"
      data-glue-yt-video-height="99%"
      data-glue-yt-video-vid="0yKGILWlngY"
      data-glue-yt-video-width="100%"
      href="https://youtube.com/watch?v=0yKGILWlngY"
      ng-cloak&gt;
   &lt;/a&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To complement these capabilities, we also use high-resolution, sub-millisecond telemetry to identify elusive network micro-bursts that are usually missed by conventional 30-second monitoring intervals. These high-resolution telemetry advancements enable more efficient network operations, better provisioning, and a lower mean time to recovery.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-video"&gt;



&lt;div class="article-module article-video "&gt;
  &lt;figure&gt;
    &lt;a class="h-c-video h-c-video--marquee"
      href="https://youtube.com/watch?v=jah2yf2rARg"
      data-glue-modal-trigger="uni-modal-jah2yf2rARg-"
      data-glue-modal-disabled-on-mobile="true"&gt;

      
        

        &lt;div class="article-video__aspect-image"
          style="background-image: url(https://storage.googleapis.com/gweb-cloudblog-publish/images/maxresdefault-1_rh3wgyf.max-1000x1000.jpg);"&gt;
          &lt;span class="h-u-visually-hidden"&gt;[Demo] High Resolution Network Telemetry: Data Center Network&lt;/span&gt;
        &lt;/div&gt;
      
      &lt;svg role="img" class="h-c-video__play h-c-icon h-c-icon--color-white"&gt;
        &lt;use xlink:href="#mi-youtube-icon"&gt;&lt;/use&gt;
      &lt;/svg&gt;
    &lt;/a&gt;

    
  &lt;/figure&gt;
&lt;/div&gt;

&lt;div class="h-c-modal--video"
     data-glue-modal="uni-modal-jah2yf2rARg-"
     data-glue-modal-close-label="Close Dialog"&gt;
   &lt;a class="glue-yt-video"
      data-glue-yt-video-autoplay="true"
      data-glue-yt-video-height="99%"
      data-glue-yt-video-vid="jah2yf2rARg"
      data-glue-yt-video-width="100%"
      href="https://youtube.com/watch?v=jah2yf2rARg"
      ng-cloak&gt;
   &lt;/a&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3 role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;2. The fabric across AI Hypercomputer&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The exponential growth of modern AI workloads requires us to scale and distribute AI workloads across multiple campuses over a WAN. &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;At the same time, traditional networks weren’t built for the high bandwidth and extreme burstiness of AI traffic, and often fail to detect microbursts that can lead to severe performance degradation. We have developed a suite of innovations to optimize WAN performance for cross-site AI deployments, including:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;A multi-shard global network that enables horizontal scaling. &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Our global network sustained a 10X WAN traffic growth from 2020 to 2025. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;T&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;uning the fabric for essential availability, latency, and quality of service (QoS) attributes. Real-time microburst management helps ensure fair bandwidth allocation and infrastructure isolation across our multi-tenant infrastructure. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Multi-shard isolation to ensure each network shard operates with its own control, data, and management planes. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Combined with regional isolation and &lt;/span&gt;&lt;a href="https://dl.acm.org/doi/10.1145/3603269.3604867" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Protective Reroute&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, this architecture minimizes failure impact and shortens user-visible outages — delivering the beyond-nines reliability essential for AI workloads.  &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Providing high-speed, flexible, and cost-effective interconnectivity is also a priority. AI training relies on vast datasets that are often located on-premises or across various clouds. Given the high cost of AI compute, minimizing idle time is essential; for instance, upgrading from a 100 Gbps link to a 3.2 Tbps connection reduces the time to transfer a petabyte of data from 22.2 hours to just 0.7 hours — a 97% reduction in AI compute idle time spent waiting for data. Our &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;AI-native Cloud Interconnect&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; is purpose-built for the high-bandwidth and low-latency needs of AI workloads, featuring an optimized data path with 400 Gbps links that scale in 3.2 Tbps increments to reach petabit-per-second capacity. It also offers traffic differentiation and flexible connection options, including direct fiber peering and colocation facilities. AI-native Cloud Interconnect supports petabit-scale data transfer with reliable, private connectivity necessary for your cross-cloud AI training and serving.&lt;/span&gt;&lt;/p&gt;
&lt;h3 role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;3. A resilient global network for the age of inference &lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Applications serving AI inference to a global user population or supporting an agentic enterprise are far more demanding than conventional web apps. The need for opportunistic use of expensive AI compute available at distant locations, distributed service dependencies, and the burstiness of the traffic demand high bandwidth network with a global footprint, as well as deep peering to SaaS providers, ISPs, and hyperscalers. To maintain responsiveness and "always-on" availability, applications need low latency and a highly resilient network.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/5_bogYf7C.max-1000x1000.jpg"
        
          alt="5"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;With its connectivity, scale, and resilience, Google’s global network is well-equipped to handle the demands of the age of AI inference. Our network spans more than 10 million kilometers of terrestrial and subsea fiber, connects our 43 cloud regions, and features 200+ edge locations, providing the essential footprint for serving AI inference. Our Premium Tier network delivers the low latency and reliability needed for consistent, high-quality global user experience. By optimizing traffic entry and exit points, the network significantly boosts application performance, with &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;resilience at the core of this "always-on" infrastructure. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Building the future, together &lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As a Google Cloud customer, these network innovations are built directly into your environment. Google’s network delivers the massive scale, capacity, reliability and performance essential for your AI workloads. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The AI era demands more than just raw compute; it necessitates a robust network fabric to scale. Our vertically integrated AI technology stack — from silicon to software ecosystems — is powered by the AI Hypercomputer to accelerate your transformation and make AI helpful for everyone. Whether through our megascale fabric, resilient global network for inference, or AI-native Cloud Interconnect, we ensure your AI journey is efficient and reliable. We look forward to building this future with you.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Tue, 26 May 2026 16:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/data-center-and-global-networks-built-for-ai-era/</guid><category>AI Hypercomputer</category><category>AI infrastructure</category><category>Infrastructure</category><category>Systems</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>How we evolved Google’s global and data center networks for the AI era</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/data-center-and-global-networks-built-for-ai-era/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Bikash Koley</name><title>VP, Google Global Infrastructure</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Arjun Singh</name><title>Engineering Fellow, Google Cloud</title><department></department><company></company></author></item><item><title>What’s new with the Cross-Cloud Network at Next ‘26</title><link>https://cloud.google.com/blog/products/networking/whats-new-in-cloud-networking-at-next26/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;While generative AI sparked a revolution, the true paradigm shift is the rapid evolution from standalone AI models to multi-agent autonomous systems. In this new era, the network transcends basic connectivity to become the critical integration layer for your agentic enterprise.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As AI agents and services surge, your core applications remain as vital as ever. To thrive in this rapidly evolving landscape, you need a planet-scale network to connect, protect, govern, deliver, and secure all your users, data, agents, AI services, and core applications across clouds and on-premises.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Google Cloud's Cross-Cloud Network provides this unified foundation, and is now used by 65% of the Fortune 100 and handles up to 27 exabytes of data per month. At Google Cloud Next, we are introducing networking innovations to accelerate your AI infrastructure, strengthen security, and simplify operations. &lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Optimized networking infrastructure for AI &lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As we move toward an agentic world, the network must support massive-scale inference paired with reinforcement learning. At Google, we’ve spent years refining this cycle to power our own global AI services. Today, we’re announcing AI infrastructure network innovations that bring this same architecture directly to your workloads, across &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;agents&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;inference&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;training&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, and beyond.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Networking for agents&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/introducing-gemini-enterprise-agent-platform"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Gemini Enterprise Agent Platform&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; is a comprehensive enterprise environment designed to build, scale, govern, and optimize the next generation of autonomous agents. Key innovations being announced in preview include: &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Agent Gateway:&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt; Air-traffic control for agentic traffic&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Agent Gateway understands MCP and A2A agentic protocols and provides an open, extensible, scalable way to enforce centralized governance policies to securely connect agents, models, and tools across runtimes.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Ambient networking: &lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;A seismic shift in service-to-service connectivity&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Ambient networking, a new integrated data plane for Google Kubernetes Engine (GKE) and Cloud Run, provides service discovery, zero-trust access, and traffic management without the need for complex and resource-heavy sidecar proxies. It reduces operational overhead and enables up to a 10x reduction in GKE resource usage for layer 4 (L4) mesh capabilities&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Ambient networking underpins two new capabilities:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Service bindings &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;automatically establish service-to-service connectivity, allowing developers to move faster to build and scale their agentic applications and services.&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Network Services Monitoring&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; bridges application and network observability gaps resulting in faster root-cause analysis and simplified troubleshooting.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Rich partner integrations and customizations&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;With the help of &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/service-extensions/docs/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Service Extensions&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, we are developing solutions&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;for identity, governance, and AI security for agent-to-anywhere traffic. Coming soon in preview to Agent Gateway are:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Identity and governance administration&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Offering delegated authorization to Cloud IAM and partner services from Okta, Ping, Saviynt, and Silverfort to enforce real-time, contextual governance policies based on application and business context.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Runtime security:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; As a universal enforcement point by integrating with Google Cloud’s Model Armor and partner solutions from Broadcom, Check Point, Cisco, CrowdStrike, Exabeam, F5, Netskope, Palo Alto Networks, Thales, and Zscaler. Together, these can help to secure agentic communications against emerging AI attack vectors.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;These innovations are built on an open foundation including Envoy and Kubernetes, providing strong, integrated governance in multicloud environments using standard Kubernetes Gateway APIs.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Networking for inference&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;At Google we run inference at scale with optimized use of distributed GPU and TPU resources, automatic failover between regions for high availability, and optimized global request routing for fast end-user performance. GKE Inference Gateway delivers these capabilities to our cloud customers including the following new innovations:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Multi-region support &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;allows scaling inference services across regions, enabling cross-regional failover, optimized utilization, and reduced global latency (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Predictive latency boost&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; improves utilization with intelligent request routing based on predefined performance targets (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong style="vertical-align: baseline;"&gt;Disaggregated serving&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; leverages &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;llm-d’s SGLang support, offering the flexibility to choose between vLLM and SGLang for model serving (&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;GA).&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-pull_quote"&gt;&lt;div class="uni-pull-quote h-c-page"&gt;
  &lt;section class="h-c-grid"&gt;
    &lt;div class="uni-pull-quote__wrapper h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;
      &lt;div class="uni-pull-quote__inner-wrapper h-c-copy h-c-copy"&gt;
        &lt;q class="uni-pull-quote__text"&gt;Gemini Enterprise Agent Platform reduced Time to First Token (TTFT) latency by over 35% for Qwen3-Coder by using GKE Inference Gateway.&lt;/q&gt;

        
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/section&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“Before GKE Inference Gateway, managing our inference stack with Ray Serve created a complex, dual-orchestration layer that was a significant burden on our small operations team. Moving to the Inference Gateway and native Kubernetes deployments was the 'North Star' architecture we needed to simplify management and achieve robust production stability with a GKE-native batteries-included solution.”&lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;- &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Mikhail Lubinets, Lead HPC Engineer, Technology Innovation Institute&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Networking for training&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;At Google, we build and run the largest AI models in the world — and we built a network to support that. Some of the new enhancements are:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Massive scale with &lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;Virgo Network&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This new &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;non-blocking data center fabric&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; removes latency barriers: &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span&gt;&lt;strong style="vertical-align: baseline;"&gt;Virgo&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; can link up-to 134,000 chips with 47 Petabits/sec of non-blocking bi-sectional bandwidth to deliver 1.7K Exaflops of compute. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;With &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;enhancements in Pathways and JAX&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, you can further connect these Virgo fabrics to scale to over 1 million TPU chips in a single training cluster.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;We are also making Virgo Network&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; available on NVIDIA Vera Rubin NVL72&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, supporting up to 960,000 GPUs.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;For more on Virgo Network, check out this &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/introducing-virgo-megascale-data-center-fabric"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;blog&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Accelerator network profiles&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;It’s easier than ever to handle the complex networking prerequisites for accelerator-equipped GKE node pools with &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/introducing-managed-dranet-in-google-kubernetes-engine"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;DRANET&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, which improves bandwidth for distributed AI/ML workloads by up to 60% (GA).&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;AI-native Cloud Interconnect&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;SLA-backed, and optimized for efficiency, Cloud Interconnect supports petabit-scale data transfers and is available with a fixed price option. Cloud Interconnect now supports:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;400 Gbps circuits with up to 3.2 Tbps in a single connection (GA)&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Partner Cross-Cloud Interconnect for AWS (GA), CoreWeave (in preview soon), and Lumen (in preview soon)&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Cross-Cloud Network for AI and core applications&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The Cross-Cloud Network helps ensure you can securely connect users, data, locations, applications, services, and infrastructure anywhere in the world, at planetary scale. We designed our global multi-shard network to scale horizontally to meet the demands of the AI era and enable us to accommodate our 10x WAN traffic growth from 2020 to 2025.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;These are some of the improvements we’re making to the Cross-Cloud Network: &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Ultra Low Latency Solution for financial exchanges &lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In partnership with CME Group, we are bringing the world's leading derivatives marketplace to Google Cloud. To support CME Group’s performance requirements, we developed an ultra low latency (ULL) networking and compute solution. This fully managed cloud environment will allow CME Group and its clients to migrate its core trading systems to Google Cloud. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Now in preview, the solution is designed to meet the unique and exacting requirements of running financial exchanges in the cloud. It includes several new technologies:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Deterministic high-performance compute &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;powered by ULL networking, with bare metal and VM form factors, delivers a comprehensive portfolio for your trading compute needs. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Scalable multicast data distribution &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;with hardware-based ultra-low latency enables reliable one-to-many market data sharing.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Nanosecond-level clock sync &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;enabled by &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/understanding-the-firefly-clock-synchronization-protocol/"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Firefly&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, a novel clock synchronization system. Firefly achieves sub-10ns NIC-to-NIC synchronization to support high-frequency trading.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Advanced network observability &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;with 64-bit nanosecond timestamps, support for multiple traffic-mirroring destinations and multicast traffic, and support for auditing and regulatory requirements.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Low-latency inference &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;allowing exchange participants to connect their AI-driven services to the exchange’s infrastructure. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“&lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;The Google Cloud Ultra Low Latency Solution provides the level of performance necessary for CME Group futures and options markets to run in the cloud, expanding access to clients worldwide.” &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;- Sunil Cutinho, CIO, CME Group&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Cross-cloud observability for networks, applications, and agents&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Whether you’re running core applications or new AI agents, you need visibility into your network infrastructure. &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Network Insights&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, now in preview, offers network performance monitoring (NPM) and digital experience monitoring (DEM) to dramatically reduce the mean time to detect and mitigate network-related agent, application, and API issues.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud Network Insights is enabled by technologies from Broadcom’s AppNeta and powered by AI-enabling natural language queries through Gemini Cloud Assist.&lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;"In an environment as complex and high-scale as Sabre’s, total visibility isn't just a luxury — it's a requirement for operational resilience. Cloud Network Insights will enable us to further shift our posture from reactive troubleshooting to proactive optimization. By providing granular, real-time telemetry across our global cloud footprint, it helps eliminate the traditional 'black box' of the network, allowing our teams to resolve bottlenecks before they impact the traveler experience."&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Alfredo Rodriguez, VP Cloud Platform Infrastructure, Sabre Corporation&lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“Cloud Network Insights closes the 'visibility gap' between the private corporate network and the public cloud, empowering our joint customers to pinpoint performance bottlenecks in seconds rather than hours.”&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Alan Davidson, CIO, Broadcom&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Cross-Cloud Network for distributed applications&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Multicloud and hybrid networks require secure, reliable, and high-performance connectivity. New enhancements for our foundational networking services and tools include:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Private Service Connect &lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Private Service Connect traffic volume grew 4x in 2025 and it now supports &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/vpc/docs/private-service-connect-compatibility"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;40+ Google and third-party published services&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, enabling secure private global access to your managed services. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Private Service Connect endpoint-based security &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;allows for granular authorization policies for producer-to-consumer service communications (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Gemini Cloud Assist for Private Service Connect&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; provides for automated troubleshooting (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud-native IP address management (IPAM)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Number Registry &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;is an IPAM solution powered by agentic technologies. Network admins can easily find free IP ranges, track utilization, and allocate resources (preview). It also integrates with Infoblox Universal DDI for Cross-Cloud Network IPAM discovery and enforcement.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Hybrid Subnets&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; allow you to migrate legacy workloads from on-premises to a VPC without needing to change hard-coded IP addresses (GA).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud NAT &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;allows you to connect your IPv6-only workloads to private IPv4 destinations using the combined power of DNS64 and private NAT64 (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Network Connectivity Center (NCC)&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Partner Cross-Cloud Interconnect for AWS is available as a connectivity type in NCC (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Support for static routes using an &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;internal load balancer as the next hop&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; allows the integration of Secure Web Proxy and third-party network security virtual appliances (GA).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Support for &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;privately used public IP&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; (PUPI) allows the exchange of PUPI IPv4 addresses with VPC spokes and producer VPC spokes (GA).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Granular networking charge visibility&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cost Explorer and the new App Optimize API now provide attribution of associated Data Transfer costs to the originating resources for Google Cloud products (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Cross-Cloud Network for internet-facing services&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As part of Cross-Cloud Network, the &lt;/span&gt;&lt;a href="https://cloud.google.com/solutions/cross-cloud-network#deliver-internet-facing-apps-and-content"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Global Front End&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; simplifies how you deliver, scale, and protect web, API, and AI workloads. New capabilities include: &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Global Front End Enterprise delivers&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; simplified consumption by combining capabilities from global Cloud Load Balancing, Google Cloud Armor, Cloud CDN, and Service Extensions with up to 15% lower TCO (in preview soon). &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Post quantum cryptography &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;(PQC) helps secure your workloads with industry-standard algorithms that provide a layered defense against both classical and quantum adversaries.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Google tag gateway,&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; enabling advertisers to serve tags from their own domain, which can significantly improve the accuracy and resilience of measurement signals (GA soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In addition, &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud CDN&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, an important part of the Global Front End, now offers:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Built-in image optimization &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;to help you deliver content that best fits your end users’ screens and saves on bandwidth costs (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE Gateway support&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; so you can enable and manage caching services using GKE APIs (GA).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Cross-Cloud Network’s Cloud WAN for global enterprises&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud WAN is a fully managed, reliable global backbone to connect your enterprise. New capabilities include:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Expanded geographic reach: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Our network spans more than 10 million kilometers of terrestrial and subsea fiber, and Network Connectivity Center’s site-to-site data transfer is now available in over &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/locations"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;25 countries&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;NCC Gateway &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;enables third-party secure service edge (SSE) integrations from Palo Alto Networks (GA soon) and Symantec (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;The Verified Peering Provider program&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt;, &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;which offers highly reliable internet connectivity to Google, now has dramatically expanded availability through &lt;/span&gt;&lt;a href="https://peering.google.com/#/options/verified-peering-provider" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;175+ providers worldwide&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Last mile connectivity&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Provision site-to-cloud private connectivity in minutes with preferred partners from the Google Cloud console (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“Cloud WAN enables Dun &amp;amp; Bradstreet to evolve our global network via composable, cloud-native constructs. Leveraging NCC, we’ve built a resilient, high-performance platform that simplifies operations and optimizes costs. This foundation supports continued modernization and AI-driven workloads. We expect to extend this architecture as new patterns emerge, maintaining our blueprints-first approach.”&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Josh Barry, VP, Network Engineering, Dun &amp;amp; Bradstreet&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;AI-powered security against evolving threats&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The threat landscape is evolving faster than ever, with AI-driven attacks. Staying ahead requires the latest defenses. Cross-Cloud Network relies on Cloud NGFW and Cloud Armor for advanced security capabilities. Here’s the latest on those offerings.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud NGFW &lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Advanced malware sandbox &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;uses AI models trained on data from 70k+ customers &lt;/span&gt;&lt;a href="https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/advanced-wildfire" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;to stop 99% of known and unknown malware&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, including evasive zero-days. Advanced malware sandbox is powered by Palo Alto Networks Advanced Wildfire (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Internal Application and proxy Network Load Balancer &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;support helps to enforce consistent, service-centric security for abstracted services like GKE, Cloud Run, and Private Service Connect traffic (preview).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Project-level policies &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;allow for creating and managing Cloud NGFW endpoints, security profiles, and security profile groups at the project level (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Armor &lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Managed rules, &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;built-in rulesets across 15 threat categories, deliver automated threat protection against a broad set of attacks and zero-day CVEs. This is powered by Thales Imperva based on visibility to &lt;/span&gt;&lt;a href="https://engage-cybersec.thalesgroup.com/rs/727-WRL-406/images/EMEA-2025-Partner-Connect-05-Shailes-Nanda.pdf" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;1.5 trillion web requests each month&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Google Cloud Fraud Defense integration&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; helps to &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;discern the legitimacy and authorization of bots, humans, and agents. &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-fraud-defense-the-next-evolution-of-recaptcha"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Fraud Defense&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; is the evolution of reCAPTCHA, which protects over 14 million domains from fraud and abuse.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Adaptive protection for Network Load Balancers &amp;amp; VMs&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; brings advanced machine learning to L3/L4 traffic, to detect and mitigate volumetric DDoS attacks (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;A simplified user experience&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; with a visual rule builder makes custom rule creation easier (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;strong style="vertical-align: baseline;"&gt;AI-powered network operations&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Finally, new AI-powered technologies in &lt;/span&gt;&lt;a href="https://cloud.google.com/products/gemini/cloud-assist"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Gemini Cloud Assist&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; can help automate manual tasks, ease troubleshooting, predict reliability issues, improve security, and help optimize your network to reduce toil and improve reliability with new specialist agents. These include:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;A network security agent&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; that streamlines network security operations by assisting with policy generation, recommendations, and impact analysis (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;A network agent &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;that optimizes workload placement for performance and reliability, and also provides advanced cost estimation for observability services (in preview soon).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Additionally, to enable customers and partners to build their own agents, we are releasing &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Network observability MCP tools and agent skills.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; This will allow their agents to leverage connectivity tests, and allows for natural language querying of VPC Flow Logs (both in preview).&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;strong style="vertical-align: baseline;"&gt;The network that scales with you&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We built our Cross-Cloud Network on the same global infrastructure that powers Google’s largest AI and internet services. This provides you with a blazing-fast, planet-scale foundation that is both secure by design and open by principle, allowing you to integrate your trusted partners across any environment.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As we move into the agentic era, our flexible, future-proof solutions ensure you can quickly adopt the latest AI technologies while maintaining the reliability of your core applications. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Whatever comes next, we’ve built the network to help you lead it. &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Attend our networking sessions at Next ’26 to learn more, or learn more about the &lt;/span&gt;&lt;a href="https://cloud.google.com/solutions/cross-cloud-network?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cross-Cloud Network&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;!&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/whats-new-in-cloud-networking-at-next26/</guid><category>Hybrid &amp; Multicloud</category><category>Infrastructure Modernization</category><category>Developers &amp; Practitioners</category><category>Google Cloud Next</category><category>Networking</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_5_Dark.max-600x600.jpg" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>What’s new with the Cross-Cloud Network at Next ‘26</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_5_Dark.max-600x600.jpg</image><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/whats-new-in-cloud-networking-at-next26/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Rob Enns</name><title>VP/GM of Cloud Networking</title><department></department><company></company></author></item><item><title>Introducing Virgo Network, Google’s scale-out AI data center fabric</title><link>https://cloud.google.com/blog/products/networking/introducing-virgo-megascale-data-center-fabric/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The AI era requires a fundamental rethink of physical cloud architecture — networking, in particular. With foundational model parameters growing exponentially, traditional general-purpose networks are reaching their breaking points. To fuel the next decade of machine learning, Google designed Virgo Network, a new megascale AI data center fabric that embraces a "campus-as-a-computer" philosophy, and that underpins our &lt;/span&gt;&lt;a href="https://cloud.google.com/solutions/ai-hypercomputer?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI Hypercomputer&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Legacy network designs simply cannot handle some of the constraints of modern AI:&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Massive scale:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Training demands now exceed the power and space of a single data center, requiring unified, multi-data-center domains.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Explosive bandwidth growth:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Because foundational model training is heavily network-bound, the required bandwidth per accelerator has surged significantly over the last few years, creating throughput and congestion bottlenecks for older architectures.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Synchronized bursts:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Intense, millisecond-level traffic spikes (figure 1) put immense pressure on network buffers. The outcome is that even a single "straggler" node can throttle the entire cluster’s performance.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong style="vertical-align: baseline;"&gt;Low latency: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;ML serving requires fast, consistent response times to deliver real-time inference, making strict latency control a critical architectural constraint.&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1_Sub-millisecond_line-rate_bursts_of_an_A.max-1000x1000.png"
        
          alt="1 Sub-millisecond line-rate bursts of an AI training workload"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="s0df9"&gt;Figure 1: Sub-millisecond line-rate bursts of an AI training workload&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Reimagining the data center network&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Meeting the demands of the AI era requires a fundamental shift away from general-purpose network design towards a specialized flat, low-latency network architecture. To address the unique scale and latency constraints, we leverage our proven &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/speed-scale-reliability-25-years-of-data-center-networking?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Jupiter&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; network for north-south traffic and are introducing a new fabric for east-west communication. The resulting architecture consists of three distinct and specialized layers that operate as one unified compute domain:&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Scale-up domain:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A high-bandwidth, low-latency interconnect fabric designed for tightly coupled communication between accelerators within a single pod. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Scale-out accelerator fabric (east-west):&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A dedicated accelerator-to-accelerator remote direct memory access (RDMA) fabric optimized for massive horizontal scale across pods. This layer is engineered for deterministic latency and maximum resilience, to provide high “&lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/goodput-metric-as-measure-of-ml-productivity"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;goodput&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;” for the ML workload.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Jupiter front-end network (north-south):&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A high-capacity fabric that provides fast, reliable access to distributed storage and general-purpose compute resources. It ensures that data access does not become a bottleneck for training and serving workloads, and is also used to scale-across multiple sites for very large training runs.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This architectural decoupling provides key strategic advantages:&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Independent evolution:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; We can evolve and upgrade each network domain independently, preventing system-wide disruptions while accelerating the innovation cycle. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Dedicated scale-out bandwidth:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A non-blocking network delivers massive bisectional bandwidth to accelerators for critical training tasks.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong style="vertical-align: baseline;"&gt;ML and network co-design:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The network is built in lockstep with each new generation of ML accelerators, helping ensure the fabric is matched to the hardware it supports.&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2_Data_center_network_architecture.max-1000x1000.png"
        
          alt="2 Data center network architecture"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="s0df9"&gt;Figure 2: Data center network architecture&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Introducing Virgo Network: Megascale data center fabric&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Virgo Network is a scale-out fabric designed for the extreme requirements of modern AI workloads. Built on high-radix switches that reduce network layers by allowing more ports per switch, it employs a flat, two-layer non-blocking topology. Compared with traditional datacenter networks, this significantly reduces latency by minimizing network tiers. It features a multi-planar design with independent control domains to connect accelerators (figure 3). The accelerator racks also connect with the Jupiter north-south fabric to access compute and storage services. Together, this streamlined architecture delivers the massive bisection bandwidth and deterministic low latency necessary for both distributed training and serving workloads.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/3_Megascale_data_center_fabric_Virgo_Netwo.max-1000x1000.png"
        
          alt="3 Megascale data center fabric (Virgo Network)"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="s0df9"&gt;Figure 3: Megascale data center fabric (Virgo Network)&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Virgo Network is the foundation of our next-generation accelerator designs and delivers the following advantages:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Massive fabric scale&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Virgo Network can link 134,000 chips (TPU 8t) with up to 47 petabits/sec of non-blocking bi-sectional bandwidth in a single fabric.&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Generational performance leap&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: With up to 4x the bandwidth per accelerator (TPU 8t) over the previous generation, Virgo Network delivers the bandwidth you need to get the full power of every chip. &lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Predictable low latency&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Virgo Network delivers 40% lower unloaded fabric latency for TPUs compared to previous generation leading to more predictable performance for latency sensitive AI workloads.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Improving reliability at scale&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In a system supporting hundreds of thousands of chips, hardware failures are inevitable. Because a single faulty component can disrupt a synchronized training job, reliability at scale is a primary focus. To maximize workload goodput, we designed the Virgo Network architecture around fault isolation, deep observability, and the rapid mitigation of hangs and stragglers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;At this scale, system-wide resilience requires a solid network foundation. Virgo Network integrates independent switching planes that provide robust fault isolation, protecting cluster-wide goodput from being degraded by localized hardware failures.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/4_How_fail-stop_and_fail-slow_impact_MTTR.max-1000x1000.png"
        
          alt="4 How fail-stop and fail-slow impact MTTR"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="s0df9"&gt;Figure 4: How fail-stop and fail-slow impact MTTR&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Building on this foundation, we optimize the software and orchestration stack to maximize mean-time between interruptions (MTBI) and minimize mean-time to recovery (MTTR) through two primary areas:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Observability:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Reliability at scale requires high-fidelity visibility. We use sub-millisecond telemetry to monitor network systems. This deep visibility allows us to detect transient congestion, optimize buffer management, and pinpoint the root causes of slowdowns across the hardware and software stack.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Identifying stragglers and hangs:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Proactive monitoring is critical for identifying nodes that are experiencing performance degradation (stragglers) or that have stopped responding completely (hangs). By rapidly localizing these bottlenecks, with automated &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/compute/stragglers-in-ai-a-guide-to-automated-straggler-detection?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;straggler&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and newly added hang detection, we accelerate the training job and protect it from localized slowdowns.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;The foundation of the AI Hypercomputer&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Virgo Network is a reimagined scale-out data center network custom-built for the stringent demands of modern AI workloads. This flat, multi-planar architecture unifies accelerators across pods into a single compute domain, addressing the bandwidth and scale limitations of traditional networks. By providing robust fault isolation directly at the hardware level, Virgo Network serves as the foundation for system-wide resilience, protecting synchronized workloads from localized hardware faults. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Ultimately, Virgo Network delivers the scale, predictable latency, and reliability necessary to accelerate the agentic AI era. To learn more about how we are building infrastructure for the future of AI, visit our&lt;/span&gt;&lt;a href="https://cloud.google.com/ai-infrastructure"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt; AI infrastructure solutions page&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, explore the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/architecture/ai-ml"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;technical documentation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, or attend the dedicated breakout &lt;/span&gt;&lt;a href="https://www.googlecloudevents.com/next-vegas/session-library?session_id=3913087&amp;amp;name=how-google&amp;amp;" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;session&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; at Google Cloud Next.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/introducing-virgo-megascale-data-center-fabric/</guid><category>Infrastructure</category><category>AI &amp; Machine Learning</category><category>Google Cloud Next</category><category>Systems</category><category>AI infrastructure</category><category>Networking</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_2_Dark.max-600x600.jpg" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Introducing Virgo Network, Google’s scale-out AI data center fabric</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_2_Dark.max-600x600.jpg</image><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/introducing-virgo-megascale-data-center-fabric/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Benny Siman-Tov</name><title>Senior Director Product Management</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Arjun Singh</name><title>Engineering Fellow, Google Cloud</title><department></department><company></company></author></item><item><title>Next ‘26: Redefining security for the AI era with Google Cloud and Wiz</title><link>https://cloud.google.com/blog/products/identity-security/next26-redefining-security-for-the-ai-era-with-google-cloud-and-wiz/</link><description>&lt;div class="block-aside"&gt;&lt;dl&gt;
    &lt;dt&gt;aside_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;title&amp;#x27;, &amp;#x27;Our news today from Next ‘26&amp;#x27;), (&amp;#x27;body&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064d38c70&amp;gt;), (&amp;#x27;btn_text&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;href&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;image&amp;#x27;, None)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The AI era demands a new security era. Organizations are facing the dual challenge of harnessing the potential of AI while &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;defending against its malicious use&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, and Google Cloud can help you adapt and thrive.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The latest research from Google Cloud shows that adversaries are using AI to &lt;/span&gt;&lt;a href="https://cloud.google.com/transform/new-mandiant-report-boost-basics-with-ai-to-counter-adversaries/"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;accelerate the speed, scale, and sophistication of attacks&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. Meanwhile, &lt;/span&gt;&lt;a href="https://cloud.google.com/security/resources/m-trends?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;M-Trends 2026&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; also showed that increased threat actor coordination has driven down the time to hand-off from an initial access to a secondary threat actor from eight hours to 22 seconds in the last three years.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Today at Google Cloud Next, we are showcasing how Google Cloud can help you defend against increasingly sophisticated threats at machine speed, protect AI and multicloud environments, and secure cloud workloads at scale. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Delivering agentic defense &lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Our full-stack AI approach, from the chips to the models, gives you a competitive advantage with better integration and velocity to help protect customers. Not only can Google action insights from the world’s largest threat observatory and Mandiant frontline experts, but we also bring cutting-edge insights and breakthroughs from Google DeepMind, to help make your platforms more secure. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Today we are introducing three new agents in &lt;/span&gt;&lt;a href="https://cloud.google.com/security/products/security-operations"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Google Security Operations&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to help you defend at the speed of AI. &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Threat Hunting agent&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, now in preview, can help teams proactively hunt for novel attack patterns and stealthy adversary behaviors that bypass traditional defenses. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Detection Engineering agent&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, now in preview, can identify coverage gaps and create new detections for threat scenarios, reducing toil and transforming detection creation from a manual craft into an automated science. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong style="vertical-align: baseline;"&gt;Third-Party Context agent, &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;coming soon to preview, can enrich your workflows with contextual data from third-party content. &lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/1_-_Threat_Hunt_Initiation.gif"
        
          alt="1 - Threat Hunt Initiation"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="mhwgf"&gt;Initiating a threat hunt with the Threat Hunting agent&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Our &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Triage and Investigation agent&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; processed over &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;5 million alerts&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; in the last year, reducing a typical 30-minute manual analysis to 60 seconds with Gemini.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;“Operational resilience and cybersecurity are the bedrock of customer trust at BBVA. By integrating advanced artificial intelligence, such as the Triage and Investigation agent, we are able to scale in new ways," said Diego Martinez Blanco, head of Security Technology, BBVA. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;“It handles the initial heavy lifting and filters out false positives so we can prioritize issues that require human attention. The agent's transparent explanations allow our team to understand recommendations and ultimately dedicate our resources to more complex investigations,” he said.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;You can build your own security agents with &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;remote Google Cloud model context protocol (MCP) server support for Google Security Operations&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, now generally available. To make it even easier, you can also access the MCP server client directly from the Google Security Operations chat interface, available in preview. &lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-pull_quote"&gt;&lt;div class="uni-pull-quote h-c-page"&gt;
  &lt;section class="h-c-grid"&gt;
    &lt;div class="uni-pull-quote__wrapper h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6
      h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"&gt;
      &lt;div class="uni-pull-quote__inner-wrapper h-c-copy h-c-copy"&gt;
        &lt;q class="uni-pull-quote__text"&gt;Organizations leveraging an intelligence-led, AI-augmented approach to modern security operations with Google Cloud&amp;#x27;s agentic defense can realize a strong ROI.&lt;/q&gt;

        
          &lt;cite class="uni-pull-quote__author"&gt;
            
            
              &lt;span class="uni-pull-quote__author-meta"&gt;
                
                  &lt;strong class="h-u-font-weight-medium"&gt;Christopher Kissel&lt;/strong&gt;&lt;br /&gt;
                
                
                  Research Vice President, IDC
                
              &lt;/span&gt;
            
          &lt;/cite&gt;
        
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/section&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/2_-_Threat_Hunt_report.gif"
        
          alt="2 - Threat Hunt report"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="mhwgf"&gt;Findings report created by the Threat Hunting agent&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;&lt;span style="vertical-align: baseline;"&gt;Security teams can also automate response actions with &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/rsac-26-supercharging-agentic-ai-defense-with-frontline-threat-intelligence"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;agentic automation&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;in Google Security Operations. To further move teams from manual triage to agentic defense, we introduced &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/bringing-dark-web-intelligence-into-the-ai-era"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;dark web intelligence&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; in Google Threat Intelligence, now in preview. Internal tests show it can &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;analyze millions of daily external events with 98% accuracy&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; to elevate threats that truly matter.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;"IDC found that organizations experienced measurable operational gains, including substantial reductions in mean time to detect and mean time to respond, fewer false positives, and higher analyst productivity with AI-powered context and automation. These operational improvements translate into significant &lt;/span&gt;&lt;a href="https://services.google.com/fh/files/misc/gti_idc_business_value_report.pdf" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;business outcomes&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, such as shorter disruption periods, lower incident-related costs, and improved executive confidence in security posture and decision-making," said Christopher Kissel, research vice president, IDC. "Organizations leveraging an intelligence-led, AI-augmented approach to modern security operations with Google Cloud's agentic defense can realize a strong ROI." &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;&lt;strong style="vertical-align: baseline;"&gt;New partner-supported workflows for Google Security Operations&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Today, we are also announcing a robust cohort of &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/next26-announcing-new-partner-supported-workflows-for-google-security-operations"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;new partner integrations&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; for Google Security Operations. Designed to deliver high-fidelity security workflows right out of the box, our latest participating Google Cloud Security integration ecosystem partners include Darktrace, Gigamon, and SAP.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Protecting AI and cloud applications across any infrastructure&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;AI and cloud applications are built across multiple platforms and models. To protect them end-to-end, we want to make it easier and faster to mitigate risk, regardless of where and how you build. This support includes major cloud environments like Amazon Web Services, Google Cloud, Microsoft Azure, and Oracle Cloud; software-as-a-service (SaaS) environments like OpenAI; and even custom hosted environments. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/google-completes-acquisition-of-wiz?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Wiz, now a part of Google Cloud&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, expands and deepens our ability to protect the apps you build and run. Wiz empowers you to quickly and securely adopt AI, while also helping protect the AI development lifecycle. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Wiz announced its &lt;/span&gt;&lt;a href="https://www.wiz.io/blog/introducing-wiz-ai-app" rel="noopener" target="_blank"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;AI-Application Protection Platform&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (AI-APP) at the RSA Conference, providing deep visibility, risk posture, and runtime analysis for your AI applications. Wiz also announced &lt;/span&gt;&lt;a href="https://www.wiz.io/blog/introducing-wiz-agents" rel="noopener" target="_blank"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Wiz Security Agents&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://www.wiz.io/blog/introducing-wiz-workflows" rel="noopener" target="_blank"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Wiz Workflows&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, helping you identify and respond to risks and threats at machine speed.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Today, we’re taking our commitment to secure customers in any cloud, platform, and AI environment further. Wiz now &lt;/span&gt;&lt;a href="https://www.wiz.io/blog/wiz-databricks-security-graph" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;supports Databricks&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; as well as new agent studios like AWS Agentcore, Gemini Enterprise Agent Platform, Microsoft Azure Copilot Studio, and Salesforce Agentforce, so customers gain visibility however their teams choose to build.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In addition, Wiz continues to support security ecosystems with integrations to the outer layer of the cloud, including &lt;/span&gt;&lt;a href="http://wiz.io/blog/wiz-apigee-integration-for-api-discovery" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Google Cloud Apigee&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;a href="https://www.cloudflare.com/press/press-releases/2026/cloudflare-partners-with-wiz-to-secure-the-global-ai-attack-surface/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cloudflare AI Security for Apps&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, and the &lt;/span&gt;&lt;a href="https://www.wiz.io/blog/introducing-wiz-vercel-integration" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Vercel platform&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, further extending the power of the Wiz Security Graph. We’ve also updated how we integrate security detections from Wiz Defend with Google Security Operations and Mandiant Threat Defense to help analysts more easily configure automatic threat information forwarding.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Wiz is also announcing new capabilities designed to secure the AI-native development lifecycle, helping teams to innovate faster and more securely:  &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Secure vibe-coded applications: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Wiz is announcing a new integration, generally available in May, that runs Wiz security scanning directly inside the Lovable platform so vulnerabilities, secrets, and misconfigurations caught by Wiz surface in Lovable's built-in security view, right where teams are already building.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Secure AI-generated code&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Wiz removes risks from AI-generated code the moment it is created. Inline AI security hooks integrate directly into IDEs and agent workflows to evaluate prompts and scan AI-generated output instantly, injecting security guardrails before the code is ever committed.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Agent-based remediation&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Wiz Skills equip coding agents and AI-native IDEs with full code-to-cloud context and validated attack surface findings from the Wiz Security Graph. These capabilities enable teams to trigger automated, agent-driven remediation workflows either locally from the developer's individual IDE or globally at the repository and pull request level within your version control system.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Eliminate shadow AI&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Wiz’s dynamic &lt;/span&gt;&lt;a href="https://www.wiz.io/academy/ai-security/ai-bom-ai-bill-of-materials" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI-Bill of Materials&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (AI-BOM)&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; automatically inventories all AI frameworks, models, and IDE extensions across your environment. This provides complete visibility into what is writing code across your stack, allowing you to track sanctioned corporate tools like Gemini Code Assist and GitHub Copilot while simultaneously uncovering unapproved shadow AI plugins.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;You can learn more about the &lt;/span&gt;&lt;a href="https://wiz.io/blog/wiz-at-google-cloud-next" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Wiz announcements here&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Securing your agents and the agentic web&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In addition to securing your cloud and AI workloads, Google Cloud’s secure-by-design foundation can help you innovate at the speed of AI — from agents to fraud defense to the web.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Securing and governing agents with the Gemini Enterprise Agent Platform&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;To build, orchestrate, govern, and optimize agents&lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;today we are announcing &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/introducing-gemini-enterprise-agent-platform"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Gemini Enterprise Agent Platform&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; including:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Agent Identity&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; to enable access management and &lt;/span&gt;&lt;a href="https://cloud.google.com/transform/these-4-ai-governance-tips-help-counter-shadow-agents"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI governance at scale&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. Our new&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;capability provides agents unique identities to operate autonomously with specific authentication flows, and with scoped human delegation.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Agent Gateway, &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;which&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;enables policy enforcement for all agent-to-agent and agent-to-tool connections. It governs your enterprise agent traffic and understands agent protocols like MCP and Agent2Agent (A2A) to inspect and secure every agent interaction.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Model Armor&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;,&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;our runtime protection for model and agent interactions, now integrates with Agent Gateway, &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/agent-builder/agent-engine/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Agent Runtime&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;, and &lt;/span&gt;&lt;/a&gt;&lt;a href="https://docs.cloud.google.com/model-armor/model-armor-langchain-integration"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Langchain&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; available in preview, and &lt;/span&gt;&lt;a href="https://firebase.google.com/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Firebase&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, generally available, to help developers add inline enforcement and sanitization of agent traffic and interactions without the need to change code. These integrations expand Model Armor's protection against runtime risks such as prompt injections, tool poisoning, and sensitive data leakage across &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/model-armor/integrations"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Google Cloud services and our AI portfolio&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Securing the agentic web with Google Cloud Fraud Defense and Chrome Enterprise&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Today, we are evolving reCAPTCHA with the &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-fraud-defense-the-next-evolution-of-recaptcha"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;launch of &lt;/span&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Google Cloud Fraud Defense&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, generally available. This comprehensive platform is designed to discern the legitimacy and authorization of bots, humans, and agents. Using the same scale and signals that protect Google’s own ecosystem, Fraud Defense will soon offer in preview agent-specific capabilities for human users and AI agents that can help secure the digital commerce journey, from account creation and login to payment and checkout.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Our commitment to securing AI extends to the browser, a vital endpoint for interacting with AI. &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/chrome-enterprise/new-ways-to-navigate-the-ai-era-with-googles-enterprise-platforms-and-devices"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Chrome Enterprise&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; provides comprehensive data protection for the AI era with the visibility and controls needed to embrace AI safely without compromising corporate data:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;AI-aware extension threat detections&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, now in preview, can surface advanced extension telemetry that helps security teams detect and respond to anomalous AI agent activity. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;New &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;shadow AI reporting&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, generally available soon, can help you gain visibility into the shadow AI landscape by flagging employee use of unsanctioned web-based AI and SaaS applications. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;What’s new in Trusted Cloud&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We continue to offer new security controls and enhance capabilities across identity, data, and  networking on our cloud platform to help you secure your environments. Today we’re announcing the following updates:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Simplifying permissions with modern IAM&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;To help achieve least privilege quickly and simply, we’ve streamlined our predefined roles catalog with easy-to-use administrator, editor, and viewer roles, such as the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/iam/docs/role-picker-gemini"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;IAM role picker&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and the ability to &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/docs/authentication/reauthentication"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;re-authenticate sensitive actions&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Data security&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;We are announcing several new capabilities for our cloud platform data security portfolio to help protect your most sensitive data and accelerate AI transformation.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Confidential Computing&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: In partnership with NVIDIA, today we’re announcing &lt;/span&gt;&lt;a href="https://cloud.google.com/security/products/confidential-computing"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Confidential Computing&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt; support for G4 VMs&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, featuring NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs on Google Compute Engine (GCE) Confidential G4 VMs, available in preview globally, to help strengthen confidentiality and integrity for a wide spectrum of sensitive AI workloads. In partnership with Intel, we’re also introducing the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;preview of C4 Confidential VMs&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, bringing Intel TDX to 6th Gen Xeon processors to help protect diverse AI and &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/compute/c4-vms-based-on-intel-6th-gen-xeon-granite-rapids-now-ga"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;analytics workloads&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; while providing industry-leading compute density and performance.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Key Management Services (KMS)&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: We are announcing the new &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Confidential External Key Manager (cEKM)&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; in preview, giving you the flexibility to host and protect external keys in any region and maintain verifiable control within a confidential environment.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Post-quantum cryptography (PQC)&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: We are introducing &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;KMS Quantum Safe Key Imports&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, available&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;in preview, to help you bring your own keys with quantum-safe algorithms. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Secret Manager&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: To help prevent password leaks and mitigate prompt injection risks, we are announcing the general availability of the native integration of our &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Secret Manager with Agent Development Kit&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Network security &lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Google Cloud’s Cross-Cloud Network security products offer several new capabilities:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud NGFW: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;We’re announcing the &lt;/span&gt;&lt;a href="https://cloud.google.com/security/products/firewall?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud NGFW&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;advanced malware sandbox&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, in preview later this year, to help defend against highly evasive zero-day threats. This capability is powered by &lt;/span&gt;&lt;a href="https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/advanced-wildfire" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Palo Alto Networks Advanced Wildfire&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, trained on data from &lt;/span&gt;&lt;a href="https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/advanced-wildfire" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;more than 70,000 Palo Alto Networks customers to stop 99% of known and unknown malware&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Armor: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;We have released new &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/armor/docs"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Armor&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; managed rules, powered by Thales Imperva&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;and&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;available in preview, to detect Layer 7 application attacks and zero-day CVEs (like &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;React2Shell&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;). &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Advancing Google Cloud security with SCC&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;As our Google Cloud-native security solution, Security Command Center (SCC) establishes a cloud security baseline to protect both your traditional and AI applications on Google Cloud:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;AI agents, models, and MCP servers are secured by providing continuous discovery and comprehensive risk analysis to identify threats, vulnerabilities, and misconfigurations.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;SCC will add deep runtime visibility to uncover shadow AI for your Google Cloud workloads. Coming soon in preview, SCC will automatically discover unmanaged agentic workloads — including agents, MCP servers hosted on Cloud Run, GKE, and inference endpoints running on GKE, and surface those as posture findings in SCC.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Our enhanced &lt;/span&gt;&lt;a href="https://cloud.google.com/security/products/security-command-center?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Security Command Center Standard tier&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; provides data security posture management, compliance, vulnerability management, and risk analysis to help any Google Cloud customer establish strong security, compliance and risk coverage from the start at no additional costs. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Take the next step&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;When you make Google part of your security team, you gain the power of an intelligence-driven, AI-native defense; the freedom of an open cloud that’s secure-by-design; and the industry's most-battle tested experts as an extension of your organization. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;For more on these new innovations and how you can secure what’s next, &lt;/span&gt;&lt;a href="https://www.googlecloudevents.com/next-vegas/session-library?session_id=3818847&amp;amp;name=secure-what&amp;amp;" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;tune in to watch our security spotlight&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. And be sure to check out the many great security breakout sessions — live and on-demand — to learn more about all of our Next ‘26 announcements.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/identity-security/next26-redefining-security-for-the-ai-era-with-google-cloud-and-wiz/</guid><category>AI &amp; Machine Learning</category><category>Networking</category><category>Developers &amp; Practitioners</category><category>Google Cloud Next</category><category>Security &amp; Identity</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_3_Dark.max-600x600.jpg" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Next ‘26: Redefining security for the AI era with Google Cloud and Wiz</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_3_Dark.max-600x600.jpg</image><site_name>Google</site_name><url>https://cloud.google.com/blog/products/identity-security/next26-redefining-security-for-the-ai-era-with-google-cloud-and-wiz/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Francis deSouza</name><title>COO, Google Cloud and President, Security Products</title><department></department><company></company></author></item><item><title>Cross-cloud infrastructure innovation for the agentic enterprise</title><link>https://cloud.google.com/blog/products/compute/cross-cloud-infrastructure-at-next26/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The era of agentic AI is accelerating from human- to machine-speed operations, while also creating profound stress on legacy technology infrastructure. This new reality pushes foundational systems to their limits: agents generate thousands of internal messages and complex queries, spawning more agents, all of which can rapidly overwhelm traditional networks and databases, and expose new security vulnerabilities.&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Unlocking AI's full potential in the era of agents requires a secure, adaptive foundation. We call it &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;cross-cloud infrastructure for the agentic enterprise&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; – and at Google Cloud Next ‘26, we’re launching a powerful set of new innovations across four areas:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;What’s new:&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Fluid compute: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Google Compute Engine and Kubernetes services work together to enable cost-effective, high-speed AI agents and enterprise workloads with new compute and orchestration capabilities. &lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Secure cross-cloud connectivity: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Agent Gateway, Cloud Armor, and other tools deliver a secure, governed, and simplified networking foundation for AI agents, including observability of agentic traffic across clouds.&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Unified data layer: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Smart Storage, Knowledge Catalog, and other innovations transform passive data archives into dynamic reasoning engines, giving AI agents the context they need to execute.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Digital sovereignty: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Confidential External Key Management and new features in Google Distributed Cloud bring Google’s leading models and AI enablers wherever your data lives.&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Let’s take a closer look at all the news for each of these four areas.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Fluid compute&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Agentic workloads are dynamic and unpredictable, impacting both traditional enterprise applications and the AI agents themselves. Fluid compute is enabled by Google Compute Engine and Google Kubernetes services working together to dynamically adapt and shift weight in real-time, enabling cost-effective, high-speed AI agents and operational enterprise workloads for all customers. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;While our &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/compute/ai-infrastructure-at-next26"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI Hypercomputer delivers raw power for large-scale AI model training&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, fluid compute addresses the needs of operational workloads and agents. As agents move toward reasoning and reinforcement learning, CPUs are reclaiming a central role, excelling at the "branchy" logic, complex control flows, and secure execution sandboxes (like those for agentic orchestration, RL, SLM inference, and RAG) that agent workflows demand. CPUs also provide the critical isolation needed for secure agent execution, complementing the parallel processing strength of GPUs and TPUs used in training.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;We are introducing new CPU families, GKE capabilities, and Hyperdisk block storage capabilities to run traditional workloads and AI agents securely at scale, including:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Google C4N Series&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: These VMs help ensure your enterprise workloads don't slow down under the demands of agentic AI by processing up to 95 million packets per second, up to 40% faster than other leading hyperscalers.&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;This eliminates I/O bottlenecks for demanding workloads like security appliances, streaming media, and open source databases, even when utilizing smaller instance sizes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Google M4N Series with Hyperdisk Extreme&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: M4N removes data pipeline bottlenecks and eliminates overprovisioning to deliver industry leading per-core IOPS and throughput required to handle massive data I/O from agents, analytics, and mission-critical databases. M4N provides 26.57 GB of RAM per vCPU, allowing you to scale mission-critical workloads cost-effectively on fewer cores. For example, M4N with Hyperdisk Extreme reduces Oracle workload total cost of ownership by over 20% compared to leading hyperscale clouds.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE Agent Sandbox: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;This solution secures agents with trusted gVisor isolation and handles demand spikes, launching up to 300 sandboxes per second, per cluster. Backed by the only managed sandbox technology available among leading hyperscale clouds, it achieves up to 30% better price-performance than competitors when running AI agents on GKE Agent Sandbox with Google Axion N4A. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“Wayfair's AI strategy is built on years of systematic infrastructure modernization on Google Cloud — migrating our core eCommerce engine and databases off legacy systems, decomposing monolithic services into cloud-native architecture, and unifying our data and analytics platform. That foundation is what makes everything else possible. Today, Gemini Enterprise Agent Platform is powering everything from catalog enrichment to generative shopping experiences that help customers create a home that's just right for them — and it's the same foundation preparing us for the agentic era, where AI doesn't just assist but actively drives discovery, personalization, and commerce across every customer touchpoint and across our business.”&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Fiona Tan, Chief Technology Officer, Wayfair&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Explore all our latest compute innovations in &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/compute/whats-new-in-compute-at-next26"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;this blog&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Secure cross-cloud connectivity &lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Agentic AI replaces predictable human requests with autonomous “reasoning loops,” in which agents call other agents that, in turn, call LLMs, triggering massive, sudden surges in compute and machine-to-machine traffic. This shift creates unique challenges for network predictability and security of non-human identities. Optimized for agentic AI, our Cross-Cloud Network moves data across diverse environments, connecting employees, customers, and agents with visibility and security. New in Cross-Cloud Network are:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Agent Gateway:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Governs and orchestrates your enterprise agentic traffic as the “air traffic controller” in &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/introducing-gemini-enterprise-agent-platform"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Gemini Enterprise Agent Platform&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. It natively understands agent protocols like MCP and A2A to inspect and govern every agent interaction. By integrating with Google and third-party identity and AI safety services, it enables deep inspection to verify access, block attacks, and protect sensitive data, maintaining compliance across your core business.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Network Insights&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Delivers broad visibility across your hybrid and multi-cloud infrastructure to drive faster troubleshooting and network resolutions. Continuously monitor your end-to-end agent, network and web performance across Google Cloud, AWS, Azure, data centers, internet applications, and agentic workloads. Using synthetic traffic analytics, Cloud Network Insights provides hop-by-hop network path visibility to help you pinpoint the source of degradations and is coupled with AI-powered insights from Gemini Cloud Assist to deliver more autonomous operations.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Enhanced Cloud Next Generation Firewall (NGFW) and Cloud Armor&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Provides machine-speed, AI-powered protection to combat the rapid explosion of AI-generated polymorphic malware and zero-day exploits. Cloud NGFW advanced malware sandbox delivers real-time inline prevention of AI-generated threats, while Cloud Armor managed rules provides automated protection against both known and unknown Common Vulnerabilities and Exposures (CVEs). Together with Model Armor, these services analyze the intent and content of AI agent communications.  &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Discover more about how we &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/networking/whats-new-in-cloud-networking-at-next26"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;optimized networking for AI&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; in and outside of the data center. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Unified data layer&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;AI agents are only as powerful as the data they can access and the context they’re given. More applications and platforms are using structured and unstructured data, but it can be difficult to catalog, find, and act on that data at scale, leading to less effective agent interactions. To close the gap, your agents need all of your data brought together into a cohesive, queryable knowledge engine, or unified data layer. This way, your agents can identify and access accurate sources. At Next ‘26, we’re enhancing the unified data layer with:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Smart Storage&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: This solution transforms dark data into a powerful knowledge asset for AI agents and training by embedding new semantic intelligence directly into your data objects. With new Google Cloud Storage capabilities like automated annotation, entity extraction, and semantic search, your agents can instantly find and use the specific data they need — whether it's hidden in spreadsheets, PDFs, or other unstructured formats across your entire organization. This significantly speeds up the development and deployment of your AI solutions. Learn more about &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/storage-data-transfer/next26-storage-announcements"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;storage innovations to accelerate your AI workloads&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Knowledge Catalog&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Knowledge Catalog maps business meaning across your entire data estate, providing a grounded source of truth so agents can deliver the most accurate results. This foundation enables AI training and inferencing and doesn’t require you to migrate your data; your agents interact with it directly, wherever it lives, with full context and governance, making modernization easier.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Part of our &lt;/span&gt;&lt;a href="https://cloud.google.com/transform/shift-system-of-action-architecting-the-agentic-data-cloud-AI"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Agentic Data Cloud&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, Smart Storage and Knowledge Catalog can take your data from a passive archive into a dynamic reasoning engine.&lt;/span&gt;&lt;/p&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;“AI is critical to making our customers’ smart home and security solutions more intelligent and convenient. By leveraging Google Cloud’s Smart Storage, we auto-annotate rich metadata delivered in BigQuery. We’ve scaled and accelerated our data discovery and curation efforts, speeding up our AI development process from months to weeks, continuously delivering innovations that build trust and enhance the overall home experience.”&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; - Brandon Bunker, VP of Product, AI, Vivint&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Digital sovereignty&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In the agentic era, digital sovereignty is a fundamental requirement for public sector and enterprise customers looking to accelerate innovation — without sacrificing control. There’s no one-size-fits-all solution, which is why we’ve designed a comprehensive set of offerings to meet different sovereign AI needs anywhere: public cloud, on-premises, or hybrid. New capabilities in our sovereign AI portfolio include: &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Confidential External Key Management:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Organizations can use Confidential External Key Management to maintain complete possession, custody, and control of your encryption keys and the policies that govern them. Confidential External Key Management leverages &lt;/span&gt;&lt;a href="https://cloud.google.com/security/products/confidential-computing"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Confidential Compute&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to host the key management endpoint in a tamper-proof environment within Google Cloud. You are in control and determine where your keys are stored, who can access them, and under what circumstances. Even highly privileged Google administrators cannot access your keys without authorization, which you can revoke at any time. Your data, your control.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Gemini on Google Distributed Cloud: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;With Gemini on GDC, companies can securely deploy Gemini in sensitive environments, while meeting data sovereignty needs. Your choice of deployment models includes managed software on your connected hardware or a fully disconnected, air-gapped solution. You can now scale with Google's leading AI capabilities even in the most restricted, high-security environments — from powerful Gemini models to advanced coding, search, and other agentic capabilities.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In addition, Google Distributed Cloud supports an end-to-end AI stack, combining our latest-generation AI infrastructure with Gemini models to accelerate and enhance all your sovereign AI workloads. This stack includes:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;NVIDIA Blackwell GPUs:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; NVIDIA Blackwell (NVIDIA HGX B200) and NVIDIA Blackwell Ultra platforms (NVIDIA HGX B300) GPUs accelerate AI performance, leveraging fifth-gen NVIDIA NVLink to deliver data-center scale bandwidth directly to your environment.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;New VM families:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; New A4 family offerings provide the ability to handle the most demanding inference tasks, delivering a 2.25x increase in peak compute. Memory-Optimized M2 and M3&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;brings the&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;high memory-to-vCPU ratios needed for massive ERP and data analytics workloads on-premises.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Enhanced storage: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Eliminate storage bottlenecks with 6x storage capacity per zone and a 10x performance boost, giving you the ability to do AI reasoning on-premises. Now, your data infrastructure moves at the speed of AI reasoning.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="padding-left: 40px;"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;"&lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;Our customers demand high-performance, private AI inference without the risks of multi-tenancy. Google Distributed Cloud allows us to provide dedicated, low-latency environments that meet strict sensitive data requirements. With the ability to run Gemini on B200s and B300s, we can significantly increase inference speeds and provide the token throughput our clients need to scale."&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;- &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;Dave Driggers, CEO &amp;amp; Co-founder, Cirrascale Cloud Services&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Transforming vision into reality &lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;When these product areas converge, your infrastructure evolves into a high-performing, secure, adaptive foundation for the agentic era. We're not just offering tools; we're providing the architectural blueprint to enable enterprises and the public sector to rapidly embrace the full power of AI and agents with confidence.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To learn more about key industry trends for AI Infrastructure, read our &lt;/span&gt;&lt;a href="https://cloud.google.com/resources/content/state-of-infrastructure-in-the-agentic-ai-era?utm_source=cgc-blog&amp;amp;utm_medium=blog&amp;amp;utm_campaign=FY26-Q1-GLOBAL-STO121-website-dl-State-AI-Infra-172614&amp;amp;utm_content=state-of-infra-agentic-ai-era-report&amp;amp;utm_term=state-of-infra-agentic-ai-era-report"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;State of Infrastructure in the Agentic AI Era report&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. &lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/compute/cross-cloud-infrastructure-at-next26/</guid><category>Networking</category><category>Storage &amp; Data Transfer</category><category>Infrastructure</category><category>Google Cloud Next</category><category>Compute</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_4_Light.max-600x600.jpg" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Cross-cloud infrastructure innovation for the agentic enterprise</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/GCN26_102_BlogHeader_2436x1200_Opt_4_Light.max-600x600.jpg</image><site_name>Google</site_name><url>https://cloud.google.com/blog/products/compute/cross-cloud-infrastructure-at-next26/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Nirav Mehta</name><title>VP, Product Management, Compute Platforms</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Muninder Sambi</name><title>VP, Google Distributed Cloud</title><department></department><company></company></author></item><item><title>Evolving Media CDN for the world’s most demanding broadcast and streaming workloads</title><link>https://cloud.google.com/blog/products/networking/media-cdn-and-trends-in-content-delivery/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="font-style: italic; vertical-align: baseline;"&gt;Editor’s note: &lt;/strong&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;In this post, we share joint insights from Raj Gulani, Director of Product Management for Network Experiences, and Dan Rayburn, Industry analyst with 30-plus years of experience covering streaming media.&lt;/span&gt;&lt;/p&gt;
&lt;hr/&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In our combined experience observing and building within the media industry, one truth remains constant: the landscape is always evolving. Audience expectations for flawless, broadcast-quality streaming have become the undisputed baseline, while the scale of global live events continues to push the technical boundaries of content delivery.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;From our shared perspective, the most successful platforms are no longer defined solely by their ability to handle massive scale. Instead, they are distinguished by their evolution — how they adapt to solve the complex operational and financial challenges that broadcasters and streaming services face every day. This post offers a joint look at some of these key industry demands and how platforms are innovating to meet them.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;The need for scale, flexibility, and efficiency&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The need to support massive audiences during live global events like the Super Bowl, FIFA World Cup, and IPL is a given. In response to this clear industry trend, content delivery networks (CDN) must continuously scale their infrastructure to support peak traffic demand. We’ve seen this firsthand with Google Cloud’s &lt;/span&gt;&lt;a href="https://cloud.google.com/cdn"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Media CDN&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, which shares infrastructure with Youtube, has had to actively respond to customer capacity needs with &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/media-cdn/docs/locations"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;infrastructure presence&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; in relevant regions, especially for live events.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/image1_fkBSKm8.max-1000x1000.png"
        
          alt="image1"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Beyond raw capacity, however, a more nuanced story is unfolding around the need for greater architectural flexibility and more predictable cost models. We believe the focus has rightly shifted to providing smarter tools that help manage traffic, improve performance, and control costs. Here are a few examples of this:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Flexible caching architectures:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; One of the key challenges in global delivery is minimizing latency and cost. The introduction of features like flexible shielding – supported today in South Africa, the Middle East, and the US – is a direct answer to this. Such features allow traffic to be managed within a region, avoiding the performance and cost penalties of fetching content from a distant origin.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Solving for interoperability:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; As workflows become more complex, platforms need to be better integrated. We have seen a focus on addressing common origin compatibility issues through tactical engineering solutions. Examples include adding support for HEAD requests, increasing maximum segment sizes to 25MiB to accommodate 4K/8K content, and enabling multi-part range requests. These kinds of updates are crucial for ensuring a platform works with a customer’s existing infrastructure, not against it.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;The shift to predictable cost models:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; In a maturing industry, operators need financial predictability. The move toward offering monthly savings plans, which provide TCO benefits for a committed level of use, is an important step beyond pure pay-as-you-go pricing models.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;The critical need for broadcast-grade visibility: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;In our analysis of streaming operations, a lack of real-time visibility is a recurring point of failure. For a major live event, customers cannot wait for next business day response times and require more immediate intervention to ensure the live event runs flawlessly — it’s a fundamental requirement. The use of tools like monitoring as a service (MaaS) during major live events highlights the industry's shift toward proactive, data-driven operations. By providing a "broadcast operating center" view into everything from origin health to end-user quality of service, such tools empower engineering teams to identify and mitigate potential problems before they impact the audience.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;A shared outlook on the future: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;The evolution of content delivery platforms is a clear indicator of the media industry's priorities. The focus is increasingly on providing data-driven scaling, sophisticated operational tooling, and tangible architectural and financial benefits. This move toward solving specific, complex challenges demonstrates a maturing market, and it’s a direction we both believe is critical for the future of broadcasting and streaming.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;For technical leaders looking to benchmark their current infrastructure against these trends, exploring modern edge architectures is a logical next step. You can learn more about implementing flexible caching and broadcast grade visibility by visiting the &lt;/span&gt;&lt;a href="https://cloud.google.com/cdn#video-streaming"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Media CDN documentation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Fri, 17 Apr 2026 17:30:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/media-cdn-and-trends-in-content-delivery/</guid><category>Google Cloud Next</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Evolving Media CDN for the world’s most demanding broadcast and streaming workloads</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/media-cdn-and-trends-in-content-delivery/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Raj Gulani</name><title>Director, Product Management, Network Experiences</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Dan Rayburn</name><title>Industry Analyst and Streaming Media Expert</title><department></department><company></company></author></item><item><title>Migrating to Google Cloud’s Application Load Balancer: A practical guide</title><link>https://cloud.google.com/blog/products/networking/migrate-on-prem-application-load-balancing-to-google-cloud/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Migrating your existing application load balancer infrastructure from an on-premises hardware solution to Cloud Load Balancing offers substantial advantages in scalability, cost-efficiency, and tight integration within the Google Cloud ecosystem. Yet, a fundamental question often arises: "What about our current load balancer configurations?"&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Existing on-premises load balancer configurations often contain years of business-critical logic for traffic manipulation. The good news is that not only can you fully migrate existing functionalities, but this migration also presents a significant opportunity to modernize and simplify your traffic management.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;This guide outlines a practical approach for migrating your existing load balancer to Google Cloud’s Application Load Balancer. It addresses common functionalities, leveraging both its declarative configurations and the innovative, event-driven Service Extensions edge compute capability.&lt;/span&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;A simple, phased approach to migration&lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Transitioning from an imperative, script-based system to a cloud-native, declarative-first model requires a structured plan. We recommend a straightforward, four-phase approach.&lt;/span&gt;&lt;/p&gt;
&lt;h4 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Phase 1: Discovery and mapping&lt;/span&gt;&lt;/h4&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Before commencing any migration, you must understand what you have. Analyze and categorize your current load balancer configurations. What is each rule's intent? Is it performing a simple HTTP-to-HTTPS redirect? Is it engaged in HTTP header manipulation (addition or removal)? Or is it handling complex, custom authentication logic? &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Most configurations typically fall into two primary categories:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Common patterns:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Logic that is common to most web applications, such as redirects, URL rewrites, basic header manipulation, and IP-based access control lists (ACLs).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Bespoke business logic:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Complex logic unique to your application, like custom proprietary token authentication, advanced header extraction / replacement, dynamic backend selection based on HTTP attributes, or HTTP response body manipulation. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h4 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Phase 2: Choose your Google Cloud equivalent&lt;/span&gt;&lt;/h4&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Once your rules are categorized, the next step involves mapping them to the appropriate Google Cloud feature. This is not a one-to-one replacement; it's a strategic choice.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Option 1: the declarative path (for ~80% of rules)&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;For the majority of common patterns, leveraging the Application Load Balancer's built-in declarative features is usually the best approach. Instead of a script, you define the desired state in a configuration file. This is simpler to manage, version-control, and scale.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Common patterns to declarative feature mapping:  &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="3" style="list-style-type: square; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Redirects/rewrites&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; -&amp;gt; &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Application Load Balancer URL maps&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="3" style="list-style-type: square; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;ACLs/throttling&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; -&amp;gt; &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Google Cloud Armor security policies&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="3" style="list-style-type: square; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Session persistence&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; -&amp;gt; &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;backend service configuration&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Option 2: The programmatic path (for complex, bespoke rules)&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;When dealing with complex, bespoke business logic, you have a programmatic equivalent: &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/service-extensions/docs/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Service Extensions&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, a powerful edge compute capability that allows you to inject custom code (written in Rust, C++ or Go) directly into the load balancer's data path. This approach gives you flexibility in a modern, managed, and high-performance framework.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/image1_bkebSe1.max-1000x1000.jpg"
        
          alt="image1"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="s1mli"&gt;This flowchart helps you decide the appropriate Google Cloud feature for each configuration&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h4 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Phase 3: Test and validate&lt;/span&gt;&lt;/h4&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Once you’ve chosen the appropriate path for your configurations, you are ready to &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;deploy your new Application Load Balancer configuration in a staging environment that mirrors your production setup. Thoroughly test all application functionality, paying close attention to the migrated logic. Use a combination of automated testing and manual QA to validate the redirects, security policies, and that the custom Service Extensions logic are behaving as expected.&lt;/span&gt;&lt;/p&gt;
&lt;h4 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Phase 4: Phased cutover (canary deployment)&lt;/span&gt;&lt;/h4&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Don't flip a single switch for all your traffic; instead, implement a phased migration strategy. Start the transitioning process by routing a small percentage of production traffic (e.g., 5-10%) to your new Google Cloud load balancer. During this initial period, be sure to monitor key metrics like latency, error rates, and application performance. As you gain confidence, you can progressively increase the percentage of traffic routed to the Application Load Balancer. Always have a clear rollback plan to revert back to the legacy infrastructure in the event you encounter critical issues.&lt;/span&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Best practices for a smooth migration&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Drawing from our practical experience, we have compiled the following recommendations to assist you in planning your load balancer migrations. &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Analyze first, migrate second:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A thorough analysis of your existing configurations is the most critical step. Don't "lift and shift" logic that is no longer needed.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Prefer declarative:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Always default to Google Cloud's managed, declarative features (URL Maps, Cloud Armor) first. They are simpler, more scalable, and require less maintenance.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Use Service Extensions strategically:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Reserve Service Extensions for the complex, bespoke business logic that declarative features cannot handle.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Monitor everything:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Continuously monitor both your existing load balancers and Google Cloud load balancers during the migration. Watch key metrics like traffic volume, latency, and error rates to detect and address issues instantly.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Train your team:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Ensure your team is trained on Cloud Load Balancing concepts. This will empower them to effectively operate and maintain the new infrastructure.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Migrating from the existing on-premises load balancer infrastructure is more than just a technical task, it's an opportunity to modernize your application delivery. By thoughtfully mapping your current load balancing configurations and capabilities to either declarative Application Load Balancer features or programmatic Service Extensions, you can build a more scalable, resilient, and cost-effective infrastructure destined for future demands.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To get started, review the &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/load-balancing/docs/application-load-balancer"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Application Load Balancer&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/service-extensions/docs/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Service Extensions&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; features and advanced capabilities to come up with the right design for your application. For more guidance and complex use cases, contact your &lt;/span&gt;&lt;a href="https://cloud.google.com/contact"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Google Cloud team&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Fri, 10 Apr 2026 16:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/migrate-on-prem-application-load-balancing-to-google-cloud/</guid><category>Cloud Migration</category><category>Developers &amp; Practitioners</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Migrating to Google Cloud’s Application Load Balancer: A practical guide</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/migrate-on-prem-application-load-balancing-to-google-cloud/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Gopinath Balakrishnan</name><title>Customer Engineer, Google Cloud</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Xiaozang Li</name><title>Customer Engineer, Google Cloud</title><department></department><company></company></author></item><item><title>Experimenting with GPUs: GKE managed DRANET and Inference Gateway AI Deployment</title><link>https://cloud.google.com/blog/topics/developers-practitioners/experimenting-with-gpus-gke-managed-dranet-and-inference-gateway-ai-deployment/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Building and serving models on infrastructure is a strong use case for businesses. In Google Cloud, you have the ability to design your AI infrastructure to suit your workloads. Recently, I experimented with Google Kubernetes Engine &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;(GKE) managed DRANET&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; while deploying a model for inference with NVIDIA B200 GPUs on GKE. In this blog, we will explore this setup in easy to follow steps.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;What is DRANET &lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://kubernetes.io/docs/concepts/scheduling-eviction/dynamic-resource-allocation/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Dynamic Resource Allocation (DRA)&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; is a feature that lets you request and share resources among Pods. DRANET allows you to request and allocate networking resources for your Pods, including network interfaces that support TPUs &amp;amp; Remote Direct Memory Access (RDMA). In my case, the use of high-end GPUs.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;How GPU RDMA VPC works &lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/vpc/docs/rdma-network-profiles#overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;RDMA network&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; is set up as an isolated VPC, which is regional and assigned a network profile type. In this case, the network profile type is RoCEv2. This VPC is dedicated for GPU-to-GPU communication. The GPU VM families have RDMA capable NICs that connect to the RDMA VPC. The GPUs communicate between multiple nodes via this low latency, high speed rail aligned setup.&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Design pattern example&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Our aim was to deploy a LLM model (Deepseek) onto a GKE cluster with &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/compute/docs/accelerator-optimized-machines#a4-vms"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;A4 nodes&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; that support 8 B200 GPUs and serve it via &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/about-gke-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;GKE Inference gateway&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; privately. To set up an &lt;a href="https://docs.cloud.google.com/ai-hypercomputer/docs/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI Hypercomputer&lt;/span&gt;&lt;/a&gt; GKE cluster, you can use the Cluster Toolkit, but in my case, I wanted to test the &lt;span style="vertical-align: baseline;"&gt;GKE managed &lt;/span&gt;DRANET dynamic setup of the networking that supports RDMA for the GPU communication.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1-archgpu.max-1000x1000.png"
        
          alt="1-archgpu"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This design utilizes the following services to provide an end-to-end solution:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;VPC:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Total of 3 VPC. One VPC manually created, two created automatically by &lt;span style="vertical-align: baseline;"&gt;GKE managed &lt;/span&gt;DRANET, one standard and one for RDMA.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; To deploy the workload.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE Inference gateway:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; To expose the workload internally using a regional internal Application Load Balancers type gke-l7-rilb.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;A4 VM’s:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; These support RoCEv2 with NVIDIA B200 GPU.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Putting it together &lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To get access to the A4 VM a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/ai-hypercomputer/docs/consumption-models#comparison"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;future reservation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; was used. This is linked to a specific zone.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Begin:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Set up the environment &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Create a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/vpc/docs/create-modify-vpc-networks#create-custom-network"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;standard VPC&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, with firewall rules and subnet in the same zone as the reservation.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Create a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;proxy-only subnet&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; this will be used with the Internal regional application load balancer attached to the GKE inference gateway&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Create a standard GKE cluster node and default node pool.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;gcloud container clusters create $CLUSTER_NAME \\\r\n    --location=$ZONE \\\r\n    --num-nodes=1 \\\r\n    --machine-type=e2-standard-16 \\\r\n    --network=${GVNIC_NETWORK_PREFIX}-main \\\r\n    --subnetwork=${GVNIC_NETWORK_PREFIX}-sub \\\r\n    --release-channel rapid \\\r\n    --enable-dataplane-v2 \\\r\n    --enable-ip-alias \\\r\n    --addons=HttpLoadBalancing,RayOperator \\\r\n    --gateway-api=standard \\\r\n    --enable-ray-cluster-logging \\\r\n    --enable-ray-cluster-monitoring \\\r\n    --enable-managed-prometheus \\\r\n    --enable-dataplane-v2-metrics \\\r\n    --monitoring=SYSTEM&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb0643e5730&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Once that is complete you can connect to your cluster:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;gcloud container clusters get-credentials $CLUSTER_NAME --zone $ZONE --project $PROJECT&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064f0f670&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Create a &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/allocate-network-resources-dra#enable-dra-driver-gpu"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;GPU node pool&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (this example uses, A4 VM with reservation) and additionals flags: &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;code style="vertical-align: baseline;"&gt;---accelerator-network-profile=auto&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; (GKE automatically adds the gke.networks.io/accelerator-network-profile: auto label to the nodes) &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;code style="vertical-align: baseline;"&gt;--node-labels=cloud.google.com/gke-networking-dra-driver=true &lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;(Enables DRA for high-performance networking)&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;gcloud beta container node-pools create $NODE_POOL_NAME \\\r\n  --cluster $CLUSTER_NAME \\\r\n  --location $ZONE \\\r\n  --node-locations $ZONE \\\r\n  --machine-type a4-highgpu-8g \\\r\n  --accelerator type=nvidia-b200,count=8,gpu-driver-version=latest \\\r\n  --enable-autoscaling --num-nodes=1 --total-min-nodes=1 --total-max-nodes=3 \\\r\n  --reservation-affinity=specific \\\r\n--reservation=projects/$PROJECT/reservations/$RESERVATION_NAME/reservationBlocks/$BLOCK_NAME \\\r\n   --accelerator-network-profile=auto \\\r\n--node-labels=cloud.google.com/gke-networking-dra-driver=true&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064f0f2b0&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Next:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Create a ResourceClaimTemplate, which will be used to attach the networking resources to your deployments. The &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;deviceClassName: mrdma.google.com &lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;is used for GPU workloads:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;apiVersion: resource.k8s.io/v1\r\nkind: ResourceClaimTemplate\r\nmetadata:\r\n  name: all-mrdma\r\nspec:\r\n  spec:\r\n    devices:\r\n      requests:\r\n      - name: req-mrdma\r\n        exactly:\r\n          deviceClassName: mrdma.google.com\r\n          allocationMode: All&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064f0f8b0&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy model and inference&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;&lt;span style="vertical-align: baseline;"&gt;Now that a cluster and node pool is setup,&lt;/span&gt; we can deploy a model and serve it via Inference gateway. In my experiment I used DeepSeek but this could be any model.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy model and services&lt;/span&gt;&lt;/h3&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt; nodeSelector: gke.networks.io/accelerator-network-profile: auto &lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;is used to assign to the GPU node&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The&lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt; resourceClaims: &lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;attaches the resource we defined for networking&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="vertical-align: baseline;"&gt;Create a secret (&lt;/span&gt;&lt;a href="https://huggingface.co/docs/hub/security-tokens#how-to-manage-user-access-tokens" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;I used Hugging Face&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;&lt;strong&gt; token)&lt;/strong&gt;:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;kubectl create secret generic hf-secret \\\r\n  --from-literal=hf_token=${HF_TOKEN}&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064f0f2e0&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="vertical-align: baseline;"&gt;Deployment&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;apiVersion: apps/v1\r\nkind: Deployment\r\nmetadata:\r\n  name: deepseek-v3-1-deploy\r\nspec:\r\n  replicas: 1\r\n  selector:\r\n    matchLabels:\r\n      app: deepseek-v3-1\r\n  template:\r\n    metadata:\r\n      labels:\r\n        app: deepseek-v3-1\r\n        ai.gke.io/model: deepseek-v3-1\r\n        ai.gke.io/inference-server: vllm\r\n        examples.ai.gke.io/source: user-guide\r\n    spec:\r\n      containers:\r\n      - name: vllm-inference\r\n        image: us-docker.pkg.dev/vertex-ai/vertex-vision-model-garden-dockers/pytorch-vllm-serve:20250819_0916_RC01\r\n        resources:\r\n          requests:\r\n            cpu: &amp;quot;190&amp;quot;\r\n            memory: &amp;quot;1800Gi&amp;quot;\r\n            ephemeral-storage: &amp;quot;1Ti&amp;quot;\r\n            nvidia.com/gpu: &amp;quot;8&amp;quot;\r\n          limits:\r\n            cpu: &amp;quot;190&amp;quot;\r\n            memory: &amp;quot;1800Gi&amp;quot;\r\n            ephemeral-storage: &amp;quot;1Ti&amp;quot;\r\n            nvidia.com/gpu: &amp;quot;8&amp;quot;\r\n          claims:\r\n          - name: rdma-claim\r\n        command: [&amp;quot;python3&amp;quot;, &amp;quot;-m&amp;quot;, &amp;quot;vllm.entrypoints.openai.api_server&amp;quot;]\r\n        args:\r\n        - --model=$(MODEL_ID)\r\n        - --tensor-parallel-size=8\r\n        - --host=0.0.0.0\r\n        - --port=8000\r\n        - --max-model-len=32768\r\n        - --max-num-seqs=32\r\n        - --gpu-memory-utilization=0.90\r\n        - --enable-chunked-prefill\r\n        - --enforce-eager\r\n        - --trust-remote-code\r\n        env:\r\n        - name: MODEL_ID\r\n          value: deepseek-ai/DeepSeek-V3.1\r\n        - name: HUGGING_FACE_HUB_TOKEN\r\n          valueFrom:\r\n            secretKeyRef:\r\n              name: hf-secret\r\n              key: hf_token\r\n        volumeMounts:\r\n        - mountPath: /dev/shm\r\n          name: dshm\r\n        livenessProbe:\r\n          httpGet:\r\n            path: /health\r\n            port: 8000\r\n          initialDelaySeconds: 1800\r\n          periodSeconds: 10\r\n        readinessProbe:\r\n          httpGet:\r\n            path: /health\r\n            port: 8000\r\n          initialDelaySeconds: 1800\r\n          periodSeconds: 5\r\n      volumes:\r\n      - name: dshm\r\n        emptyDir:\r\n            medium: Memory\r\n      nodeSelector:\r\n        gke.networks.io/accelerator-network-profile: auto\r\n      resourceClaims:\r\n      - name: rdma-claim\r\n        resourceClaimTemplateName: all-mrdma\r\n---\r\napiVersion: v1\r\nkind: Service\r\nmetadata:\r\n  name: deepseek-v3-1-service\r\nspec:\r\n  selector:\r\n    app: deepseek-v3-1\r\n  type: ClusterIP\r\n  ports:\r\n    - protocol: TCP\r\n      port: 8000\r\n      targetPort: 8000\r\n---\r\napiVersion: monitoring.googleapis.com/v1\r\nkind: PodMonitoring\r\nmetadata:\r\n  name: deepseek-v3-1-monitoring\r\nspec:\r\n  selector:\r\n    matchLabels:\r\n      app: deepseek-v3-1\r\n  endpoints:\r\n  - port: 8000\r\n    path: /metrics\r\n    interval: 30s&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064f0fd60&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Deploy GKE Inference Gateway&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/deploy-gke-inference-gateway#prepare-environment"&gt;install needed Custom Resource Definitions (CRDs) in your GKE cluster:&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;For GKE versions &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;1.34.0-gke.1626000&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; or later, install only the alpha &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;InferenceObjective&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; CRD:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;kubectl apply -f https://github.com/kubernetes-sigs/gateway-api-inference-extension/raw/v1.0.0/config/crd/bases/inference.networking.x-k8s.io_inferenceobjectives.yaml&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb065a2f070&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Create Inference pool  &lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;helm install deepseek-v3-pool \\\r\n  oci://registry.k8s.io/gateway-api-inference-extension/charts/inferencepool \\\r\n  --version v1.0.1 \\\r\n  --set inferencePool.modelServers.matchLabels.app=deepseek-v3-1 \\\r\n  --set provider.name=gke \\\r\n  --set inferenceExtension.monitoring.gke.enabled=true&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb065a2f880&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Create the Gateway, HTTPRoute and InferenceObjective&lt;/span&gt;&lt;/h3&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;# 1. The Regional Internal Gateway (ILB)\r\napiVersion: gateway.networking.k8s.io/v1\r\nkind: Gateway\r\nmetadata:\r\n  name: deepseek-v3-gateway\r\n  namespace: default\r\nspec:\r\n  gatewayClassName: gke-l7-rilb\r\n  listeners:\r\n  - name: http\r\n    protocol: HTTP\r\n    port: 80\r\n    allowedRoutes:\r\n      namespaces:\r\n        from: Same\r\n---\r\n# 2. The HTTPRoute (Routing to the Pool)\r\napiVersion: gateway.networking.k8s.io/v1\r\nkind: HTTPRoute\r\nmetadata:\r\n  name: deepseek-v3-route\r\n  namespace: default\r\nspec:\r\n  parentRefs:\r\n  - name: deepseek-v3-gateway\r\n  rules:\r\n  - matches:\r\n    - path:\r\n        type: PathPrefix\r\n        value: /\r\n    backendRefs:\r\n    - group: inference.networking.k8s.io\r\n      kind: InferencePool\r\n      name: deepseek-v3-pool\r\n---\r\n# 3. The Inference Objective (Performance Logic)\r\napiVersion: inference.networking.x-k8s.io/v1alpha2\r\nkind: InferenceObjective\r\nmetadata:\r\n  name: deepseek-v3-objective\r\n  namespace: default\r\nspec:\r\n  poolRef:\r\n    name: deepseek-v3-pool&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb065a2f700&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Once complete, you can create a test VM in your main VPC and make a call to the IP address of the GKE Inference Gateway:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;curl -N -s -X POST &amp;quot;http://$GATEWAY_IP/v1/chat/completions&amp;quot; \\\r\n  -H &amp;quot;Content-Type: application/json&amp;quot; \\\r\n  -d \&amp;#x27;{\r\n    &amp;quot;model&amp;quot;: &amp;quot;deepseek-ai/DeepSeek-V3.1&amp;quot;,\r\n    &amp;quot;messages&amp;quot;: [{&amp;quot;role&amp;quot;: &amp;quot;user&amp;quot;, &amp;quot;content&amp;quot;: &amp;quot;Box A: red. Box B: blue. Box C: empty. Move A to C, Move B to A, Swap B and C. Where is red?&amp;quot;}],\r\n    &amp;quot;stream&amp;quot;: true\r\n  }\&amp;#x27; | stdbuf -oL grep &amp;quot;data: &amp;quot; | sed -u \&amp;#x27;s/^data: //\&amp;#x27; | grep -v &amp;quot;\\[DONE\\]&amp;quot; | \\\r\n  jq --unbuffered -rj \&amp;#x27;.choices[0].delta | (.reasoning_content // .reasoning // .content // empty)\&amp;#x27;&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb065a2fb20&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h2&gt;&lt;span style="vertical-align: baseline;"&gt;Next Steps&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Take a deeper dive into GKE managed DRANET and GKE Inference Gateway, review the following.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Blog: &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-device-management-with-dra-dynamic-resource-allocation?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;DRA: A new era of Kubernetes device management with Dynamic Resource Allocation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Document set: &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/how-to/config-auto-net-for-accelerators"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;DRANET&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Documentation: &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/ai-hypercomputer/docs/overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;AI Hypercomputer&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Want to ask a question, find out more or share a thought? Please connect with me on &lt;/span&gt;&lt;a href="https://www.linkedin.com/in/ammett/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Linkedin&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 08 Apr 2026 10:05:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/developers-practitioners/experimenting-with-gpus-gke-managed-dranet-and-inference-gateway-ai-deployment/</guid><category>Networking</category><category>Developers &amp; Practitioners</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/0-hero-dranet.max-600x600.png" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Experimenting with GPUs: GKE managed DRANET and Inference Gateway AI Deployment</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/0-hero-dranet.max-600x600.png</image><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/developers-practitioners/experimenting-with-gpus-gke-managed-dranet-and-inference-gateway-ai-deployment/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Ammett Williams</name><title>Developer Relations Engineer</title><department></department><company></company></author></item><item><title>See beyond the IP and secure URLs with Google Cloud NGFW</title><link>https://cloud.google.com/blog/products/identity-security/see-beyond-the-ip-and-secure-urls-with-google-cloud-ngfw/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In a cloud-first world, traditional IP-based defenses are no longer enough to protect your perimeter. As services migrate to shared infrastructure and content delivery networks, relying on static IP addresses and FQDNs can create security gaps.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Because single IP addresses can host multiple services, and IPs addresses can change frequently, we are introducing domain filtering with a wildcard capability in Cloud Next Generation Firewall (NGFW) Enterprise. This new capability provides increased security and granular policy controls.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Why domain and SNI filtering matters&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The Cloud NGFW URL filtering service performs deep inspections of HTTP payloads to secure workloads against threats from both public and internal networks. This service elevates security controls to the application layer and helps restrict access to malicious domains. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Key use cases include: &lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Granular egress control&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: This capability enables the precise allowing and blocking of connections based on domain names and SNI information found in egress HTTP(S) messages. By inspecting Layer 7 (L7) headers, it offers significantly finer control than traditional filtering based solely on IP addresses and FQDNs, which can be inefficient when a single IP hosts multiple services.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Control access without decrypting&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: For organizations that prefer not to perform full TLS decryption on their traffic, Cloud NGFW can still enforce security policies by controlling traffic based on SNI headers provided during the TLS handshake. This allows for effective domain-level filtering while maintaining end-to-end encryption for privacy or compliance reasons.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Reduced operational overhead&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Implementing domain-based filtering helps reduce the constant maintenance typically required to track frequently changing IP addresses and DNS records. By focusing on stable domain identities rather than dynamic network attributes, security teams can minimize the manual effort involved in updating firewall rulebases.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Flexible matching&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: The service utilizes matcher strings within URL lists, supporting limited wildcard domains to define criteria for both domains and subdomains. For example, using a wildcard like &lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;*.example.com&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; allows a single filter to cover all associated subdomains, providing a more scalable solution than defining thousands of individual FQDN entries.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Improved security: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;URL filtering significantly enhances the security posture by protecting against sophisticated flaws like SNI header spoofing. By evaluating L7 headers before allowing access to an application, Cloud NGFW ensures that attackers cannot bypass security controls by simply spoofing lower-layer identifiers. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;How Cloud NGFW URL filtering works&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The URL filtering service functions by inspecting traffic at L7 using a distributed architecture. &lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/image1_zzP0Xt6.max-1000x1000.png"
        
          alt="image1"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="6nmqq"&gt;Cloud NGFW URL filtering service&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;You can get started with URL filtering in three simple steps.&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Deploy Cloud NGFW endpoints&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;ol&gt;
&lt;li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The first step is to &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/configure-firewall-endpoints#create-firewall-endpoint"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;create and deploy a Cloud NGFW endpoint&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; in a zone. The &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/about-firewall-endpoints"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;NGFW endpoint&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; is an organization level resource. Please ensure you have the right permission before deploying the endpoint.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Once the endpoint is deployed you can &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/configure-firewall-endpoint-associations#create-end-assoc-network"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;associate it to one or more VPCs&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; of your choice.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Create security profiles and security profile groups:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;ol&gt;
&lt;li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/about-security-profiles#url-filtering-profile"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;URL filtering security profile&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; holds the URL filters with matcher strings and an action (allow or deny).&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/about-security-profile-groups"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;security profile group&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; acts as a container for these security profiles, which is then referenced by a firewall policy rule. &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/configure-urlf-security-profiles#create-urlf-security-profile"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Create URL filtering security profiles&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; with desired URLs, wildcard FQDNs and &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/configure-security-profile-groups#create-security-profile-group"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;add them to a security profile group&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Once the security profile group is created, you will need to reference the security profile group in firewall policies.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Policy enforcement:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;ol&gt;
&lt;li aria-level="2" style="list-style-type: lower-alpha; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;You enable the service by configuring a hierarchical or global network firewall policy rule using the &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;apply_security_profile_group&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; action, specifying the name of your security profile group. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;For more information about configuring a firewall policy rule, see the following:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/using-firewall-policies#create-ingress-rule-target-vm"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Create an ingress hierarchical firewall policy rule&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/using-firewall-policies#create-egress-rule-target-vm"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Create an egress hierarchical firewall policy rule&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/use-network-firewall-policies#create-ingress-rule-target-vm"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Create an ingress global network firewall policy rule&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/use-network-firewall-policies#create-egress-rule-target-vm"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Create an egress global network firewall policy rule&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Getting started&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Get started with Cloud NGFW URL filtering by visiting our &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/firewall/docs/about-url-filtering"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;documentation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://codelabs.developers.google.com/cloud-ngfw-enterprise-urlf" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;codelab&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Tue, 07 Apr 2026 17:30:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/identity-security/see-beyond-the-ip-and-secure-urls-with-google-cloud-ngfw/</guid><category>Networking</category><category>Developers &amp; Practitioners</category><category>Security &amp; Identity</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>See beyond the IP and secure URLs with Google Cloud NGFW</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/identity-security/see-beyond-the-ip-and-secure-urls-with-google-cloud-ngfw/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Uttam Ramesh</name><title>Product Manager</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Susan Wu</name><title>Outbound Product Manager</title><department></department><company></company></author></item><item><title>Envoy: A future-ready foundation for agentic AI networking</title><link>https://cloud.google.com/blog/products/networking/the-case-for-envoy-networking-in-the-agentic-ai-era/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In today's agentic AI environments, the network has a new set of responsibilities.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In a traditional application stack, the network mainly moves requests between services. But as discussed in a recent white paper,&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;a href="https://services.google.com/fh/files/misc/cloud_infrastructure_in_the_agent_native_era.pdf" rel="noopener" target="_blank"&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;Cloud Infrastructure in the Agent-Native Era&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;,&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; in an agentic system the network sits in the middle of model calls, tool invocations, agent-to-agent interactions, and policy decisions that can shape what an agent is allowed to do. The rapid proliferation of agents, often built on diverse frameworks, necessitates a consistent enforcement of governance and security across all agentic paths at scale. To achieve this, the enforcement layer must shift from the application level to the underlying infrastructure. That means the network can no longer operate as a blind transport layer. It has to understand more, enforce better, and adapt faster. This shift is precisely where Envoy comes in.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As a high-performance distributed proxy and universal data plane, Envoy is built for massive scale. Trusted by demanding enterprise environments, including Google Cloud, it supports everything from single-service deployments to complex service meshes using Ingress, Egress, and Sidecar patterns. Because of its deep extensibility, robust policy integration, and operational maturity, Envoy is uniquely suited for an era where protocols change quickly and the cost of weak control is steep. For teams building agentic AI, Envoy is more than a concept: it's a practical, production-ready foundation.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1_xPxMxF4.max-1000x1000.jpg"
        
          alt="1"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Agentic AI changes the networking problem&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Agentic workloads still often use HTTP as a transport, but they break some of the assumptions that traditional HTTP intermediaries rely on. Protocols such as&lt;/span&gt;&lt;a href="https://modelcontextprotocol.io/docs/getting-started/intro" rel="noopener" target="_blank"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Model Context Protocol&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (MCP) and&lt;/span&gt;&lt;a href="https://github.com/google/A2A" rel="noopener" target="_blank"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Agent2agent&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (A2A) use&lt;/span&gt;&lt;a href="https://www.jsonrpc.org/specification" rel="noopener" target="_blank"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;JSON-RPC&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; or&lt;/span&gt;&lt;a href="https://grpc.io" rel="noopener" target="_blank"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;gRPC&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; over HTTP, adding protocol-level phases such as MCP initialization, where client and server exchange their capabilities, on top of standard HTTP request/response semantics. The key aspects of agentic systems that require intermediaries to adapt include:&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Diverse enterprise governance imperatives. &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;The primary challenge is satisfying the wide spectrum of non-negotiable enterprise requirements for safety, security, data privacy, and regulatory compliance. These needs often go beyond standard network policies and require deep integration with internal systems, custom logic, and the ability to rapidly adapt to new organizational rules or external regulations. This demands a highly extensible framework where enterprises can plug in their specific governance models.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Policy attributes live inside message bodies, not headers.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Unlike traditional web traffic where policy inputs like paths and headers are readily accessible, agentic protocols frequently bury critical attributes (e.g., model names, tool calls, resource IDs) deep within JSON-RPC or gRPC payloads. This shift requires intermediaries to possess the ability to parse and understand message contents to apply context-aware policies.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Handling diverse and evolving protocol characteristics. &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Agentic protocols are not uniform. Some, like MCP with Streamable HTTP, can introduce stateful interactions requiring session management across distributed proxies (e.g., using &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;Mcp-Session-Id&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;). The need to support such varied behaviors, along with future protocol innovations, reinforces the necessity of an inherently adaptable and extensible networking foundation.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;These factors mean enterprises need more than just connectivity. The network must now serve as a central point for enforcing the crucial governance needs mentioned earlier. This includes providing capabilities like centralized security, comprehensive auditability, fine-grained policy enforcement, and dynamic guardrails, all while keeping pace with the rapid evolution of protocols and agent behaviors. Put simply, agentic AI transforms the network from a mere transit path into a critical control point.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Why Envoy fits this shift&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Envoy is a strong fit for agentic AI networking for three reasons. Envoy is:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Battle-tested.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Enterprises already rely on Envoy in high-scale, security-sensitive environments, making it a credible platform to anchor a new generation of traffic management and policy enforcement.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Extensible.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Envoy can be extended through native filters, Rust modules, WebAssembly (Wasm) modules, and &lt;/span&gt;&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;external processing&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; patterns. That gives platform teams room to adopt new protocols without having to rebuild their networking layer every time the ecosystem changes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Operationally useful today.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Envoy already acts as a gateway, enforcement point, observability layer, and integration surface for control planes. That makes it a practical choice for organizations that need to move now, not after the standards settle.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Building on these core strengths, Envoy has introduced specific architectural advancements to meet the unique demands of agentic networking:&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span style="vertical-align: baseline;"&gt;1. Envoy understands agent traffic&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The first requirement for agentic networking is simple: The gateway needs to understand what the agent is actually trying to do.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;That’s harder than it sounds. In protocols such as MCP, A2A, and OpenAI-style APIs, important policy signals may live inside the request body. Traditional HTTP proxies are optimized to treat bodies as opaque byte streams. That design is efficient, but it limits what the proxy can enforce. For protocols that use JSON messages, a proxy may need to buffer the entire request body to locate attribute values needed for policy application — especially when those attributes appear at the end of the JSON message. Business logic specific to gen AI protocols, such as rate limiting based on consumed tokens, may also require parsing server responses.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Envoy addresses this by deframing protocol messages carried over HTTP and exposing useful attributes to the rest of the filter chain. The extensibility model for gen AI protocols was guided by two goals:&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Easy reuse of existing HTTP extensions that work with gen AI protocols out of the box, such as RBAC or tracers.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Easy access to deframed messages for gen-AI-specific extensions, so that developers can focus on gen AI business logic without needing to deal with HTTP or JSON envelopes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Based on these goals, new extensions for gen AI protocols are still built as HTTP extensions and configured in the HTTP filter chain. This provides flexibility to mix HTTP-native business logic, such as OAuth or mTLS authorization, with gen AI protocol logic in a single chain. A deframing extension parses the protocol messages carried by HTTP and provides an ambient context with extracted attributes, or even the entirety of parsed messages, to downstream extensions via well-known filter state and metadata values.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Instead of forcing every policy component to parse JSON envelopes or protocol-specific message formats on its own, Envoy makes those attributes available as structured metadata. Once the gateway has deframed protocol messages, existing Envoy extensions such as &lt;/span&gt;&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;ext_authz&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; or RBAC can read protocol properties to evaluate policies using protocol-specific attributes such as tool names for MCP, message attributes for A2A, or model names for OpenAI.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Access logs can include message attributes for enhanced monitoring and auditing. The protocol attributes are also available to the &lt;/span&gt;&lt;a href="https://cel.dev/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Common Expression Language&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (CEL) runtime, simplifying creation of complex policy expressions in RBAC or composite extensions.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2_t4lf1kG.max-1000x1000.png"
        
          alt="2"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Buffering and memory management&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Envoy is designed to use as little memory as possible when proxying HTTP requests. However, parsing agentic protocols may require an arbitrary amount of buffer space, especially when extensions require the entire message to be in memory. The flexibility of allowing extensions to use larger buffers needs to be balanced with adequate protection from memory exhaustion, especially in the presence of untrusted traffic.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To achieve this, Envoy now provides a per-request buffer size limit. Buffers that hold request data are also integrated with the overload manager, enabling a full range of protective actions under memory pressure, such as reducing idle timeouts or resetting requests that consume the most memory for an extended duration. These changes pave the way for Envoy to serve as a gateway and policy-enforcement point for gen AI protocols without compromising its resource efficiency.&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span style="vertical-align: baseline;"&gt;2. Envoy enforces policy on things that matter&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Understanding traffic is only useful if the gateway can act on it.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In agentic systems, policy is not just about which service an agent can reach. It’s about which tools an agent can call, which models it can use, what identity it presents, how much it can consume, and what kinds of outputs require additional controls. Those are higher-value decisions than simple layer-4 or path-based controls, and they are exactly the kinds of controls enterprises care about when agents are allowed to take action on their behalf.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Envoy is well-positioned here because it can combine transport-level security with application-aware policy enforcement. Teams can authenticate workloads with mTLS and SPIFFE identities, then enforce protocol-specific rules with RBAC, external authorization, external processing, access logging, and CEL-based policy expressions.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This capability is crucial because it lets platform teams decouple agent development from enforcement. Developers can focus on building useful agents, while operators enforce a consistent zero-trust posture at the network layer, even as tools, models, and protocols continue to change.&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;A prime example of this zero-trust decoupling is the critical "user-behind-agent" scenario, where an AI agent must execute tasks on a human user's behalf. Traditionally, handing user credentials directly to an application introduces severe security risks — if the agent is compromised or manipulated via prompt injection, an attacker could exfiltrate or misuse those credentials. By offloading identity management to Envoy, the proxy can automatically insert user delegation tokens into outbound requests at the infrastructure layer. Because the agent never directly holds the sensitive credential, the risk of a compromised agent misusing or leaking the token is completely neutralized, ensuring actions remain strictly bound to the user's actual permissions.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Case study: Restricting an agent to specific GitHub MCP tools&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Consider an agent that triages GitHub issues.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The GitHub MCP server may expose dozens of tools, but the agent may only need a small read-only subset, such as &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;list_issues&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;get_issue&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;, and &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;get_issue_comments&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;. In most enterprises, that difference matters. A useful agent should not automatically become an unrestricted one.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;With Envoy in front of the MCP server, the gateway can verify the agent identity using SPIFFE during the mTLS handshake, parse the MCP message via &lt;/span&gt;&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/mcp/v3/mcp.proto#envoy-v3-api-msg-extensions-filters-http-mcp-v3-mcp" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;the deframing filter&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, extract the requested method and tool name, and enforce a policy that allows only the approved tool calls for that specific agent identity. RBAC uses metadata created by the MCP deframing filter to check the method and tool name in the MCP message:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;envoy.filters.http.rbac:\r\n  &amp;quot;@type&amp;quot;: type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute\r\n  rbac:\r\n    rules:\r\n      policies:\r\n        github-issue-reader-policy:\r\n          permissions:\r\n            - and_rules:\r\n                rules:\r\n                  - sourced_metadata:\r\n                      metadata_matcher:\r\n                        filter: envoy.http.filters.mcp\r\n                        path: [{ key: &amp;quot;method&amp;quot; }]\r\n                        value: { string_match: { exact: &amp;quot;tools/call&amp;quot; } }\r\n                  - sourced_metadata:\r\n                      metadata_matcher:\r\n                        filter: envoy.http.filters.mcp\r\n                        path: [{ key: &amp;quot;params&amp;quot; }, { key: &amp;quot;name&amp;quot; }]\r\n                        value:\r\n                          or_match:\r\n                            value_matchers:\r\n                              - string_match: { exact: &amp;quot;list_issues&amp;quot; }\r\n                              - string_match: { exact: &amp;quot;get_issue&amp;quot; }\r\n                              - string_match: { exact: &amp;quot;get_issue_comments&amp;quot; }\r\n          principals:\r\n            - authenticated:\r\n                principal_name:\r\n                  exact: &amp;quot;spiffe://cluster.local/ns/github-agents/sa/issue-triage-agent&amp;quot;&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb05befbc40&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;That’s the real value: Policy is enforced centrally, close to the traffic, and in terms that match the agent's actual behavior.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/3_jtbLCMn.max-1000x1000.png"
        
          alt="3"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Beyond static rules: External authorization&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;A complex compliance policy that can’t be expressed using RBAC rules can be implemented in an external authorization service using the &lt;/span&gt;&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;ext_authz&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; protocol. Envoy provides MCP message attributes along with HTTP headers in the context of the ext_authz RPC. It can also forward the agent's SPIFFE identity from the peer certificate:&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-code"&gt;&lt;dl&gt;
    &lt;dt&gt;code_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;code&amp;#x27;, &amp;#x27;http_filters:\r\n  - name: envoy.filters.http.ext_authz\r\n    typed_config:\r\n      &amp;quot;@type&amp;quot;: type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz\r\n      grpc_service:\r\n        envoy_grpc:\r\n          cluster_name: auth_service_cluster\r\n      include_peer_certificate: true\r\n      metadata_context_namespaces:\r\n        - envoy.http.filters.mcp&amp;#x27;), (&amp;#x27;language&amp;#x27;, &amp;#x27;&amp;#x27;), (&amp;#x27;caption&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb05befbcd0&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This allows external services to make authorization decisions based on the full combination of agent identity, MCP method, tool name, and any other protocol attributes, without the agent or the MCP server needing to be aware of the policy layer.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Protocol-native error responses&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;When Envoy denies a request, the error should be meaningful to the calling agent. For MCP traffic, Envoy can use &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;local_reply_config&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; to map HTTP error codes to appropriate JSON-RPC error responses. For example, a 403 Forbidden can be mapped to a JSON-RPC response with &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;isError: true&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; and a human-readable message, ensuring the agent receives a protocol-appropriate denial rather than an opaque HTTP status code.&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span style="vertical-align: baseline;"&gt;3. Envoy supports stateful agent interactions at scale&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Not all agent traffic is stateless. Some protocols, including Streamable HTTP for MCP, can rely on session-oriented behavior. That creates a new challenge for intermediaries, especially when traffic flows through multiple gateway instances to achieve scale and resilience. An MCP session effectively binds the agent to the server that established it, and all intermediaries need to know this to direct incoming MCP connections to the correct server.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;If a session is established on one backend, later requests in that conversation need to reach the right destination. That sounds straightforward for a single-proxy deployment, but it becomes more complicated in horizontally scaled systems, where multiple Envoy instances may handle different requests from the same agent.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Passthrough gateway&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;In the simpler passthrough mode, Envoy establishes one upstream connection for each downstream connection. Its primary use is enforcing centralized policies, such as client authorization, RBAC, rate limiting, and authentication, for external MCP servers. The session state transferred between intermediaries needs to include only the address of the server that established the session over the initial HTTP connection, so that all session-related requests are directed to that server.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Session state transfer between different Envoy instances is achieved by appending encoded session state to the MCP session ID provided by the MCP server. Envoy removes the session-state suffix from the session ID before forwarding the request to the destination MCP server. This session stickiness is enabled by configuring Envoy's &lt;/span&gt;&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/stateful_session/envelope/v3/envelope.proto" rel="noopener" target="_blank"&gt;&lt;code style="text-decoration: underline; vertical-align: baseline;"&gt;envoy.http.stateful_session.envelope&lt;/code&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; extension.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/4_j0wGyAp.max-1000x1000.png"
        
          alt="4"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Aggregating gateway&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;In aggregating mode, Envoy acts as a single MCP server by aggregating the capabilities, tools, and resources of multiple backend MCP servers. In addition to enforcing policies, this simplifies agent configuration and unifies policy application for multiple MCP servers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Session management in this mode is more complicated because the session state also needs to include mapping from tools and resources to the server addresses and session IDs that advertised them. The session ID that Envoy provides to the agent is created before tools or resources are known, and the mapping has to be established later, after the MCP initialization phases between Envoy and the backend MCP servers are complete.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;One approach, currently implemented in Envoy, is to combine the name of a tool or resource with the identifier and session ID of its origin server. The exact tool or resource names are typically not meaningful to the agent and can carry this additional provenance information. If unmodified tool or resource names are desirable, another approach is to use an Envoy instance that does not have the mapping, and then recreate it by issuing a &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;tools/list&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; command before calling a specific tool. This trades latency for the complexity of deploying an external global store of MCP sessions, and is currently in planning based on user feedback.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/5_61xwM79.max-1000x1000.png"
        
          alt="5"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This matters because it moves Envoy beyond simple traffic forwarding. It allows Envoy to serve as a reliable intermediary for real agent workflows, including those spanning multiple requests, tools, and backends.&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span style="vertical-align: baseline;"&gt;4. Envoy supports agent discovery&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Envoy is adding support for the A2A protocol and agent discovery via a well-known AgentCard endpoint. AgentCard, a JSON document with agent capabilities, enables discovery and multi-agent coordination by advertising skills, authentication requirements, and service endpoints. The AgentCard can be provisioned statically via direct response configuration or obtained from a centralized agent registry server via xDS or ext_proc APIs. A more detailed description of A2A implementation and agent discovery will be published in a forthcoming blog post.&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span style="vertical-align: baseline;"&gt;5. Envoy is a complete solution for agentic networking challenges&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Building on the same foundation that enabled policy application for MCP protocol in demanding deployments, Envoy is adding support for OpenAI and transcoding of agentic protocols into RESTful HTTP APIs. This transcoding capability simplifies the integration of gen AI agents with existing RESTful applications, with out-of-the-box support for OpenAPI-based applications and custom options via dynamic modules or Wasm extensions. In addition to transcoding, Envoy is being strengthened in critical areas for production readiness, such as advanced policy applications like quota management, comprehensive telemetry adhering to&lt;/span&gt;&lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/" rel="noopener" target="_blank"&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;OpenTelemetry semantic conventions for generative AI systems&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, and integrated guardrails for secure agent operation.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;Guardrails for safe agents&lt;br/&gt;&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;The next significant area of investment is centralized management and application of guardrails for all agentic traffic. Integrating policy enforcement points with external guardrails presently requires bespoke implementation and this problem area is ripe for standardization.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Control planes make this operational&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The gateway is only part of the story. To achieve this policy management and rollout at scale, a separate control plane is required to dynamically configure the data plane using the xDS protocol, also known as the universal data plane API.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;That is where control planes become important. Cloud Service Mesh, alongside open-source projects such as &lt;/span&gt;&lt;a href="https://aigateway.envoyproxy.io/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Envoy AI Gateway&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;a href="https://github.com/kubernetes-sigs/kube-agentic-networking" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;kube-agentic-networking&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, uses Envoy as the data plane while giving operators higher-level ways to define and manage policy for agentic workloads.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This combination is powerful: Envoy provides the enforcement and extensibility in the traffic path, while control planes provide the operating model teams need to deploy that capability consistently.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span style="vertical-align: baseline;"&gt;Why this matters now&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The shift towards agentic systems and gen AI protocols such as MCP, A2A, and OpenAI necessitates an evolution in network intermediaries. The primary complexities Envoy addresses include:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Deep protocol inspection.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Protocol deframing extensions extract policy-relevant attributes (tool names, model names, resource paths) from the body of HTTP requests, enabling precise policy enforcement where traditional proxies would only see an opaque byte stream.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Fine-grained policy enforcement.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; By exposing these internal attributes, existing Envoy extensions like RBAC and ext_authz can evaluate policies based on protocol-specific criteria. This allows network operators to enforce a unified, zero-trust security posture, ensuring agents comply with access policies for specific tools or resources.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Stateful transport management.&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Envoy supports managing session state for the Streamable HTTP transport used by MCP, enabling robust deployments in both passthrough and aggregating gateway modes, even across a fleet of intermediaries.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Agentic AI protocols are still in their early stages, and the protocol landscape will continue to evolve. That’s exactly why the networking layer needs to be adaptable. Enterprises should not have to rebuild their security and traffic infrastructure every time a new agent framework, transport pattern, or tool protocol gains traction. They need a foundation that can absorb change without sacrificing control.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Envoy brings together three qualities that are hard to get in one place: proven production maturity, deep extensibility, and growing protocol awareness for agentic workloads. By leveraging Envoy as an agent gateway, organizations can decouple security and policy enforcement from agent development code.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;That makes Envoy more than just a proxy that happens to handle AI traffic. It makes Envoy a future-ready foundation for agentic AI networking.&lt;/span&gt;&lt;/p&gt;
&lt;hr/&gt;
&lt;p&gt;&lt;sup&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;Special thanks to the additional co-authors of this blog: Boteng Yao, Software Engineer, Google and Tianyu Xia, Software Engineer, Google and Sisira Narayana, Sr Product Manager, Google.&lt;/span&gt;&lt;/sup&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Fri, 03 Apr 2026 16:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/the-case-for-envoy-networking-in-the-agentic-ai-era/</guid><category>Containers &amp; Kubernetes</category><category>AI &amp; Machine Learning</category><category>GKE</category><category>Developers &amp; Practitioners</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Envoy: A future-ready foundation for agentic AI networking</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/the-case-for-envoy-networking-in-the-agentic-ai-era/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Yan Avlasov</name><title>Staff Software Engineer, Google</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Erica Hughberg</name><title>Product and Product Marketing Manager, Tetrate</title><department></department><company></company></author></item><item><title>Introducing multi-cluster GKE Inference Gateway: Scale AI workloads around the world</title><link>https://cloud.google.com/blog/products/containers-kubernetes/multi-cluster-gke-inference-gateway-helps-scale-ai-workloads/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The world of artificial intelligence is moving fast, and so is the need to serve models reliably and at scale. Today, we're thrilled to announce the preview of &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;multi-cluster GKE Inference Gateway&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; to enhance the scalability, resilience, and efficiency of your AI/ML inference workloads across multiple Google Kubernetes Engine (GKE) clusters — even those spanning different Google Cloud regions.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Built as an extension of the&lt;/span&gt; &lt;a href="https://cloud.google.com/kubernetes-engine/docs/concepts/gateway-api"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;GKE Gateway API&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, the multi-cluster Inference Gateway leverages the power of &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-gateways"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;multi-cluster Gateways&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to provide intelligent, model-aware load balancing for your most demanding AI applications.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1_gRilinA.max-1000x1000.jpg"
        
          alt="1"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Why multi-cluster for AI inference?&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As AI models grow in complexity and users become more global, single-cluster deployments can face limitations:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Availability risks:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Regional outages or cluster maintenance can impact service.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Scalability caps:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Hitting hardware limits (GPUs/TPUs) within a single cluster or region.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Resource silos:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Underutilized accelerator capacity in one cluster can’t be used by another&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Latency:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Users far from your serving cluster may experience higher latency&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The multi-cluster GKE Inference Gateway addresses these challenges head-on, providing a variety of features and benefits:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Enhanced high reliability and fault tolerance:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Intelligently route traffic across multiple GKE clusters, including across different regions. If one cluster or region experiences issues, traffic is automatically re-routed, minimizing downtime.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Improved scalability and optimized resource usage:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Pool and leverage GPU/TPU resources from various clusters. Handle demand spikes by bursting beyond the capacity of a single cluster and efficiently utilize available accelerators across your entire fleet.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Globally optimized, model-aware routing:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The Inference Gateway can make smart routing decisions using advanced signals. With &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;GCPBackendPolicy&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;, you can configure load balancing based on real-time custom metrics, such as the model server's KV cache utilization metric, so that requests are sent to the best-equipped backend instance. Other modes like in-flight request limits are also supported.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Simplified operations:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Manage traffic to a globally distributed AI service through a single Inference Gateway configuration in a dedicated GKE "config cluster," while your models run in multiple "target clusters."&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;How it works&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In GKE Inference Gateway there are two foundational resources,&lt;/span&gt; &lt;code style="vertical-align: baseline;"&gt;InferencePool&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;InferenceObjective&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;. An&lt;/span&gt; &lt;code style="vertical-align: baseline;"&gt;InferencePool&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; acts as a resource group for pods that share the same compute hardware (like GPUs or TPUs) and model configuration, helping to ensure scalable and high-availability serving. An&lt;/span&gt; &lt;code style="vertical-align: baseline;"&gt;InferenceObjective&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; defines the specific model names and assigns serving priorities, allowing Inference Gateway to intelligently route traffic and multiplex latency-sensitive tasks alongside less urgent workloads.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2_ek1kPQE.max-1000x1000.png"
        
          alt="2"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;With this release, the system uses Kubernetes Custom Resources to manage your distributed inference service. &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;InferencePool&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; resources in each "target cluster" group model-server backends. These backends are exported and become visible as &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;GCPInferencePoolImport&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; resources in the "config cluster." Standard &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;Gateway&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;HTTPRoute&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; resources in the config cluster define the entry point and routing rules, directing traffic to these imported pools. Fine-grained load-balancing behaviors, such as using &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;CUSTOM_METRICS&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; or &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;IN_FLIGHT&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; requests, are configured using the &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;GCPBackendPolicy&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt; resource attached to &lt;/span&gt;&lt;code style="vertical-align: baseline;"&gt;GCPInferencePoolImport&lt;/code&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This architecture enables use cases like global low-latency serving, disaster recovery, capacity bursting, and efficient use of heterogeneous hardware.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;For more information about GKE Inference Gateway core concepts check out our &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/about-gke-inference-gateway#understand_key_concepts"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;guide&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Get started today&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;As you scale your AI inference serving workloads to more users in more places, we're excited for you to try multi-cluster GKE Inference Gateway. To learn more and get started, check out the documentation:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://cloud.google.com/kubernetes-engine/docs/concepts/about-multi-cluster-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;About multi-cluster GKE Inference Gateway&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://cloud.google.com/kubernetes-engine/docs/how-to/setup-multicluster-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Set up multi-cluster GKE Inference Gateway&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://cloud.google.com/kubernetes-engine/docs/how-to/customize-backend-multicluster-inference-gateway"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Customize backend configurations with GCPBackendPolicy&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description><pubDate>Tue, 17 Mar 2026 16:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/containers-kubernetes/multi-cluster-gke-inference-gateway-helps-scale-ai-workloads/</guid><category>AI &amp; Machine Learning</category><category>GKE</category><category>Networking</category><category>Developers &amp; Practitioners</category><category>AI infrastructure</category><category>Containers &amp; Kubernetes</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Introducing multi-cluster GKE Inference Gateway: Scale AI workloads around the world</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/containers-kubernetes/multi-cluster-gke-inference-gateway-helps-scale-ai-workloads/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Arman Rye</name><title>Senior Product Manager</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Andres Guedez</name><title>Senior Staff Software Engineer</title><department></department><company></company></author></item><item><title>The AI-native core: Highly resilient telco architecture using Google Kubernetes Engine</title><link>https://cloud.google.com/blog/products/networking/gke-for-telco-building-a-highly-resilient-ai-native-core/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;The telecommunications industry has reached a critical tipping point. Traditional, on-premises-heavy data center models are struggling under the weight of escalating infrastructure costs and an under utilization due to availability and compliance requirements. But the AI era demands exponential scale and beyond-nines reliability. The question for operators is no longer &lt;/span&gt;&lt;span style="font-style: italic; vertical-align: baseline;"&gt;if&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; they should modernize, but which architectural path will help them do that fastest.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Modernization isn't a "rip and replace" event; it’s a strategic choice. Today, we’re showcasing how &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Google Kubernetes Engine (GKE)&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; can serve as a high-performance foundation for two versatile deployment strategies: &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;cloud-centric evolution&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; and &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;strategic hybrid modernization&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;The two paths to network modernization&lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;E&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;very operator has a unique appetite for risk, regulatory landscape, and investment base, with some prioritizing agility, and others emphasizing the need for local control. You can use GKE to support both approaches:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong style="vertical-align: baseline;"&gt;1. Cloud- centric modernization: Agility at scale&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;This path is for operators looking to fully harness the cloud's elasticity. Whether you’re migrating your own containerized network functions (CNFs) or &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;building a cloud-native service like &lt;/span&gt;&lt;a href="https://www.ericsson.com/en/core-network/on-demand" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Ericsson-on-Demand&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, the goal is the same: move the heavy lifting to Google Cloud.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;The benefit:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; By running mission-critical workloads like &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Voice Core&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; or &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Policy Control Functions&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; on Google's global fiber backbone, operators can scale instantly for peak events and move toward "zero-human-touch" operations.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;The economics:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Transition from heavy upfront CAPEX to a "pay-as-you-grow" model. You no longer need to over-provision hardware that sits idle; the cloud absorbs the bursts for you.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Time to market&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Accelerate time to market for new services like fixed wireless access, IoT and private 5G.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;&lt;span style="vertical-align: baseline;"&gt;2. Strategic hybrid modernization: Cloud agility, local control&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;For many telcos, a hybrid approach offers a better balance. Here, operators can selectively move agile control plane components and data analytics to the cloud while keeping latency-sensitive user-plane functions on premises or at the edge.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;The benefit:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Optimize for ultra-low latency and meet strict data sovereignty requirements by keeping data plane traffic local, while still gaining the AI-driven insights and orchestration power of the cloud.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;The versatility:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Using GKE, you can run your control plane workloads in the cloud and data plane services directly in your own data centers or at the network edge, enjoying a unified operational model across your environments.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Engineering the "telco-grade" foundation&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Today, we are proud to showcase how GKE has evolved into the industry's most specialized platform for containerized network functions (CNFs), backed by massive momentum from operators and equipment vendor partners&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/5g_workload_optimized_infrastructure.max-1000x1000.png"
        
          alt="5g workload optimized infrastructure"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;It’s achieved this thanks to a variety of capabilities.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Connectivity and isolation&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Standard Kubernetes wasn't designed for the complex traffic separation that telcos require. GKE bridges this gap with:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Multi-networking API:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A native Kubernetes way to manage multiple interfaces per Pod, bringing standard Network Policies to every interface.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Simulated L2 networking:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; A "migration superpower" that allows legacy applications to maintain their Layer-2 operational model while running on a modern cloud-native stack.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;The telco CNI:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Support for &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/kubernetes-engine/docs/concepts/multus-ipvlan-whereabouts"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Multus, IPvlan, and Whereabouts&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; on specialized Ubuntu images. This allows operators to isolate management, control, and user planes with surgical precision.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Persistent reachability&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;In a world of ephemeral containers, telco functions need stability. GKE enables this through:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;GKE IP route:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; We’ve integrated equal-cost multi-path (ECMP)-like functionality directly into the GKE dataplane. If a workload fails, it is automatically and rapidly removed from the service path, providing high availability without complex external router configurations.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Persistent IP:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; GKE provides the static IP support that 5G core functions require for consistent reachability across their lifecycle without NAT that isn't available on standard Kubernetes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Sub-second convergence&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;For&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; telcos, every millisecond of downtime is a lost connection. GKE’s dataplane via &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;HA Policy&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; is optimized for near-zero downtime with &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;ultra-fast failure detection and convergence&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, offering operators the choice between self-managed recovery or fully Google-managed failure detection.&lt;/span&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Shifting from "saving" to "solving" with AI&lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;For operators, t&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;he ultimate goal of modernization is to transition to an autonomous&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; network&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;. By running the core network functions on a platform adjacent to Google Cloud AI and data platforms such as &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Vertex AI&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; and&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; BigQuery&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, they can turn telemetry into actionable changes to optimize the network. Some use cases and benefits that modernization enables include:&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Predictive AIOps:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Use AI to identify performance degradation and trigger automated healing before a call ever drops. Use the cloud for on-demand burst capacity during sporting events or service launches. Or use the data from your GKE-hosted 5G core to fuel AI-powered automation that anticipates issues before they impact subscribers.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Intent-driven programmability:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Shift from expensive, reactive operations and cut down new deployment setup times from several weeks to a couple of hours. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"&gt;
&lt;p role="presentation" style="text-align: justify;"&gt;&lt;strong style="vertical-align: baseline;"&gt;Monetize insights:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Leverage AI on cloud-native data to identify and capture entirely new revenue opportunities in addition to &lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;rightsizing your networks&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;.&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;Your journey, your terms&lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;span style="vertical-align: baseline;"&gt;The future of telco is intelligent, resilient, and incredibly flexible. Whether you are taking your first step into a hybrid deployment or launching a fully cloud-hosted core, Google Cloud is your strategic partner. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Join us at MWC: Visit booth #2H40 in Hall 2 to see these solutions in action, including live demonstrations of mobile core running on GKE.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Wed, 04 Mar 2026 08:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/gke-for-telco-building-a-highly-resilient-ai-native-core/</guid><category>Containers &amp; Kubernetes</category><category>GKE</category><category>Telecommunications</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>The AI-native core: Highly resilient telco architecture using Google Kubernetes Engine</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/gke-for-telco-building-a-highly-resilient-ai-native-core/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Abhi Maras</name><title>Senior Product Manager, Google Cloud</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Maciej Skrocki</name><title>Software Engineer, Google Cloud</title><department></department><company></company></author></item><item><title>Designing private network connectivity for RAG-capable gen AI apps</title><link>https://cloud.google.com/blog/products/networking/design-private-connectivity-for-rag-ai-apps/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The flexibility of Google Cloud allows enterprises to build secure and reliable architecture for their AI workloads. In this blog we will look at a reference architecture for &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/architecture/private-connectivity-rag-capable-gen-ai"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;private connectivity for retrieval-augmented generation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; (RAG)-capable generative AI applications. This architecture is for scenarios where communications of the overall system must use private IP addresses and must not traverse the internet.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;The power of RAG&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;RAG is a powerful technique used to optimize the output of large language models (LLMs) by grounding them in specific, authoritative knowledge bases outside of their original training data. RAG allows an application to retrieve relevant information from your documents, datasources, or databases in real time. This retrieved context is then provided to the model alongside the user’s query, helping to ensure that the AI’s responses are accurate, verifiable, and highly relevant to your business. This improves the quality of responses and reduces hallucinations. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This approach is helpful because it allows you to direct generative AI to use a designated source of truth, rather than relying solely on the model's pre-existing knowledge, and without needing to retrain or fine-tune the model itself. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Design pattern example&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To understand how to think about setting up your network for private connectivity for a RAG application in a regional design, let's look at the design pattern.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The setup comprises an &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;external network&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; (on-prem and other clouds) and &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Google Cloud environments&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; consisting of a &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;routing project&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, a &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Shared VPC host project for RAG&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, and three specialized service projects: &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;data ingestion&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;serving&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, and &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;frontend&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This design utilizes the following services to provide an end-to-end solution:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/interconnect/concepts/overview"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Interconnect&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt; or &lt;/strong&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/vpn/concepts/topologies#vpn-overview"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud VPN&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; To securely connect from your on-premises or other clouds to the routing VPC network&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Network Connectivity Center&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Used as an orchestration framework to manage connectivity between the routing VPC network and the RAG VPC network via VPC spokes and hybrid spokes&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/network-connectivity/docs/router/concepts/overview"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Router&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; In the routing project, facilitates dynamic BGP route exchange between the external network and Google Cloud&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://cloud.google.com/vpc/docs/private-service-connect"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Private Service Connect&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Provides a private endpoint in the routing VPC network to reach the Cloud Storage bucket for data ingestion without traversing the public internet&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;a href="https://docs.cloud.google.com/vpc/docs/shared-vpc"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Shared VPC&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Host project architecture that allows multiple service projects to use a common, centralized VPC network&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Google &lt;/strong&gt;&lt;a href="https://docs.cloud.google.com/armor/docs/cloud-armor-overview"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Cloud Armor&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt; and Application &lt;/strong&gt;&lt;a href="https://docs.cloud.google.com/load-balancing/docs/application-load-balancer"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Load Balancer&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Placed in the frontend service project to provide security and traffic management for user interaction&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cloud.google.com/security/vpc-service-controls"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;VPC Service Controls&lt;/strong&gt;&lt;/a&gt;&lt;strong style="vertical-align: baseline;"&gt;:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Creates a managed security perimeter around all resources to mitigate data exfiltration risks&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/1-rag-gen-ai.max-1000x1000.png"
        
          alt="1-rag-gen-ai"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;The traffic flow &lt;/strong&gt;&lt;/h3&gt;
&lt;h4&gt;&lt;strong style="vertical-align: baseline;"&gt;RAG population flow&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In the diagram, the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;green dashed line&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; shows the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;RAG population flow&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, which describes how data travels from data engineers to vector storage.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;From the external network, data travels over Cloud Interconnect or Cloud VPN.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;In the routing projects it uses the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Private Service Connect endpoint&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; to get to the Cloud Storage bucket.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;From the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Cloud Storage bucket&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; in the Data Ingestion service project, the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;data ingestion subsystem&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; processes the raw data. &lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The AI model creates vectors from the chunks, returns them to the data ingestion subsystem, which writes them to the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;RAG datastore&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; in the serving service project.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;&lt;strong style="vertical-align: baseline;"&gt;Inference flow&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In the diagram, the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;orange dashed line&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; shows the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;inference flow&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, which describes customer or user requests.&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The request travels over Cloud Interconnect or Cloud VPN to the routing VPC network and then over the VPC spoke to the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;RAG VPC network&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The request reaches the Application Load&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Balancer&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;protected by&lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt; Cloud Armor&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;; once allowed, it passes it to the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;frontend subsystem&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The frontend subsystem forwards the request to the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;serving subsystem&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;, which augments the prompt with data from the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;RAG datastore&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; and generates a response via the AI model.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;The system generates a response via the AI model, and the grounded response is returned along the same path to the requestor.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;&lt;strong style="vertical-align: baseline;"&gt;Management and routing&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In the diagram, the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;blue dotted lines&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; represent the &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Network Connectivity Center hybrid and VPC spokes&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; that manage the control plane and route orchestration between the routing network and the RAG VPC network. This ensures that routes learned from the external network are appropriately propagated across the environment.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Please read the entire architecture document &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/architecture/private-connectivity-rag-capable-gen-ai"&gt;&lt;strong style="text-decoration: underline; vertical-align: baseline;"&gt;Private connectivity for RAG-capable generative AI applications&lt;/strong&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; to understand the specific including IAM permissions, VPC Service Controls, and deployment considerations.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Next steps&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Take a deeper dive into the Cross-Cloud Network, and other guides about generative AI with RAG:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Document set: &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/architecture/rag-reference-architectures"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Generative AI with RAG&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Document: &lt;/span&gt;&lt;a href="https://cloud.google.com/architecture/ccn-distributed-apps-design"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Cross-Cloud Network for distributed applications &lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Blog: &lt;/span&gt;&lt;a href="https://cloud.google.com/blog/topics/developers-practitioners/build-your-first-adk-agent-workforce?e=48754805"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Build Your First ADK Agent Workforce&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Want to ask a question, find out more or share a thought? Please connect with me on &lt;/span&gt;&lt;a href="https://www.linkedin.com/in/ammett/" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Linkedin&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Mon, 02 Mar 2026 17:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/design-private-connectivity-for-rag-ai-apps/</guid><category>AI &amp; Machine Learning</category><category>Hybrid &amp; Multicloud</category><category>Developers &amp; Practitioners</category><category>Networking</category><media:content height="540" url="https://storage.googleapis.com/gweb-cloudblog-publish/images/0-rag-hero.max-600x600.png" width="540"></media:content><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Designing private network connectivity for RAG-capable gen AI apps</title><description></description><image>https://storage.googleapis.com/gweb-cloudblog-publish/images/0-rag-hero.max-600x600.png</image><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/design-private-connectivity-for-rag-ai-apps/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Ammett Williams</name><title>Developer Relations Engineer</title><department></department><company></company></author></item><item><title>Firefly: Illuminating the path to nanosecond-level clock sync in the data center</title><link>https://cloud.google.com/blog/products/networking/understanding-the-firefly-clock-synchronization-protocol/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;From the high-frequency trading floors of Wall Street to orchestrating cloud data centers, the ability to synchronize events with nanosecond accuracy is critical. Yet, achieving this level of temporal precision across thousands of interconnected devices in a modern data center is fraught with challenges like clock drift, network jitter, and path asymmetries. And doing so on cloud-hosted infrastructure has traditionally been impossible, preventing a certain class of applications from running there. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;This is where Firefly, a clock synchronization system developed by researchers and engineers at Google, comes in. Firefly isn't just a clock synchronization protocol; it's a software-driven approach that combines theoretical insights and practical engineering to deliver ultra-accurate, scalable, and cost-effective time synchronization on commodity hardware within a demanding data center environment.&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;The nanosecond race: Why precise timing matters&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Precise clock synchronization is the foundation of distributed systems. It is non-negotiable in financial exchanges, where regulatory requirements mandate sub-100µs external synchronization to Coordinated Universal Time, or UTC, and fairness demands sub-10ns internal clock synchronization. In high-frequency trading, a minuscule timing advantage can translate to significant financial gains, making accurate timestamping critical for market integrity. Beyond finance, numerous data center operations, including database consistency, distributed logging, virtual machine management, and network telemetry, rely on accurate temporal ordering of events. And as data centers scale, the need for a robust, scalable synchronization solution becomes even more important.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;But achieving nanosecond-level synchronization in a dynamic data center environment is difficult. Several factors conspire to undermine precision:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Clock drift:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Crystal oscillators, which are fundamental to all clocks, have inherent imperfections that cause them to gradually deviate over time. Although these deviations were considered minor previously, they are substantial when targeting sub-10ns.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Jitter:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Network components such as switches and network interface cards (NICs) introduce unpredictable delays. These delays, often stemming from queuing in network buffers or the intricate processing of packets, can manifest as jitter, disrupting the timing of synchronization messages.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Asymmetry:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The network path between two devices is rarely symmetrical. Differences in cable lengths, the number of hops, or the internal workings of network equipment can cause signals to take different amounts of time to travel in opposite directions. This asymmetry can introduce significant errors when estimating one-way delays and clock offsets.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Scalability:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; As data centers expand to house tens of thousands of servers, any synchronization solution must be able to scale efficiently without becoming a bottleneck or requiring disproportionate resources.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Fault tolerance:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; In a distributed system, failures are inevitable. A synchronization protocol must be resilient to the loss or misbehavior of individual nodes or network links, so that the overall synchronization accuracy is not compromised.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Firefly: Bridging software and theory&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Firefly uses a multi-faceted strategy to tackle these challenges, distinguishing itself from prior synchronization protocols. Its core innovations lie in its architectural design and its theoretical underpinnings.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/1-architecture_v1.jpg"
        
          alt="1-architecture"&gt;
        
        &lt;/a&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;1. &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Layered synchronization:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Firefly employs a novel layered synchronization technique. Instead of relying on a central clock, which can be a single point of failure or introduce delays, it first establishes tight internal synchronization amongst NICs within the data center. Each NIC in the network constantly communicates with a set of its peers, comparing times and making adjustments. From this "swarm" of devices emerges a highly stable and accurate consensus time that the entire group agrees upon. This internal synchronization is rapid and robust, effectively shielding it from external timing disturbances. Concurrently, Firefly synchronizes the entire swarm to UTC. Decoupling of these two processes is crucial, as it prevents external factors like time-server jitter or drift from directly impacting internal synchronization.&lt;/span&gt;&lt;/p&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;2. &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Distributed consensus over Random graphs:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Unlike traditional hierarchical approaches that can be brittle and susceptible to single points of failure, Firefly uses a distributed consensus algorithm built on a d-regular random graph. This means each NIC communicates with a randomly selected set of 'd' peers. Theoretical analysis, as presented in &lt;/span&gt;&lt;a href="https://dl.acm.org/doi/10.1145/3718958.3750502" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;the Firefly research paper&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;, demonstrates that such random graphs offer significant advantages:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Faster convergence: Random graphs promote a more rapid dissemination of clock information across the network, leading to quicker synchronization.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Scalability: The theoretical bounds show that random graphs can maintain synchronization accuracy even as the size of the network grows, provided the number of peers ('d') scales logarithmically with the total number of nodes.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Resilience to asymmetry: The diverse probing paths inherent in random graphs help to average out and mitigate the impact of path asymmetries.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;3. &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Mitigating jitter and asymmetry in practice: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Beyond the theoretical advantages of random graphs, Firefly incorporates practical techniques to further refine accuracy:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;RTT filtering: By analyzing round-trip time (RTT) measurements, Firefly can identify and discard probe samples that are likely affected by queuing jitter, thereby improving the accuracy of delay estimations.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Path profiling: Firefly actively probes network paths to identify and favor those with minimal asymmetry. This proactive approach helps to select the most reliable paths for synchronization.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;Leveraging hardware: Where available, Firefly can utilize features like &lt;/span&gt;&lt;a href="https://docs.commscope.com/bundle/fastiron-10010-managementguide/page/GUID-A2A87D89-1224-4694-817A-D91F70D5F850.html" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Transparent Clock (TC)&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; in network switches to accurately account for in-switch delays, further reducing measurement error.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p role="presentation"&gt;&lt;span style="vertical-align: baseline;"&gt;4. &lt;/span&gt;&lt;strong style="vertical-align: baseline;"&gt;Robustness and fault tolerance:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Firefly’s use of distributed consensus, combined with its averaging mechanisms, makes it inherently resilient to failures. By not relying on a single time server or a fixed hierarchical structure, the system can gracefully handle the loss or misbehavior of individual nodes.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Performance in the real world&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The results discussed in our &lt;/span&gt;&lt;a href="https://dl.acm.org/doi/10.1145/3718958.3750502" rel="noopener" target="_blank"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;Firefly research paper&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; are compelling:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Internal synchronization:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Firefly consistently achieves sub-10ns NIC-to-NIC synchronization when used in conjunction with Google's latest data center fabric technology. This can be used to determine order of events like packets, logs, remote procedure calls (RPCs) across machines.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong style="vertical-align: baseline;"&gt;External synchronization:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The system also delivers significantly better synchronization to UTC than the 100µs regulatory requirement for financial exchanges.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;div class="block-image_full_width"&gt;






  
    &lt;div class="article-module h-c-page"&gt;
      &lt;div class="h-c-grid"&gt;
  

    &lt;figure class="article-image--large
      
      
        h-c-grid__col
        h-c-grid__col--6 h-c-grid__col--offset-3
        
        
      "
      &gt;

      
      
        
        &lt;img
            src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2-graph_h5KX17K.max-1000x1000.jpg"
        
          alt="2-graph"&gt;
        
        &lt;/a&gt;
      
        &lt;figcaption class="article-image__caption "&gt;&lt;p data-block-key="ry130"&gt;The offset between a pair of clocks that are six hops away in a Firefly-synced network, measured by an oscilloscope via 1 pulse per second.&lt;/p&gt;&lt;/figcaption&gt;
      
    &lt;/figure&gt;

  
      &lt;/div&gt;
    &lt;/div&gt;
  




&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;The accompanying video illustrates the accuracy of NIC-to-NIC synchronization, as quantified by an oscilloscope utilizing a one-pulse-per-second (1PPS) signal from the NICs. Each row corresponds to a NIC clock, with the rising edge indicating the precise moment the NIC clock attains an integer second. The oscilloscope observations confirm that all measured NICs exhibit close synchronization, maintaining alignment within a few nanoseconds.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-video"&gt;



&lt;div class="article-module article-video "&gt;
  &lt;figure&gt;
    &lt;a class="h-c-video h-c-video--marquee"
      href="https://youtube.com/watch?v=KB3z34OO9QU"
      data-glue-modal-trigger="uni-modal-KB3z34OO9QU-"
      data-glue-modal-disabled-on-mobile="true"&gt;

      
        

        &lt;div class="article-video__aspect-image"
          style="background-image: url(https://storage.googleapis.com/gweb-cloudblog-publish/images/maxresdefault_GLx4Roj.max-1000x1000.jpg);"&gt;
          &lt;span class="h-u-visually-hidden"&gt;Firefly: Sub-10ns NIC-to-NIC clock synchronization for datacenters&lt;/span&gt;
        &lt;/div&gt;
      
      &lt;svg role="img" class="h-c-video__play h-c-icon h-c-icon--color-white"&gt;
        &lt;use xlink:href="#mi-youtube-icon"&gt;&lt;/use&gt;
      &lt;/svg&gt;
    &lt;/a&gt;

    
  &lt;/figure&gt;
&lt;/div&gt;

&lt;div class="h-c-modal--video"
     data-glue-modal="uni-modal-KB3z34OO9QU-"
     data-glue-modal-close-label="Close Dialog"&gt;
   &lt;a class="glue-yt-video"
      data-glue-yt-video-autoplay="true"
      data-glue-yt-video-height="99%"
      data-glue-yt-video-vid="KB3z34OO9QU"
      data-glue-yt-video-width="100%"
      href="https://youtube.com/watch?v=KB3z34OO9QU"
      ng-cloak&gt;
   &lt;/a&gt;
&lt;/div&gt;

&lt;/div&gt;
&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;These results are particularly impressive given that Firefly operates purely in software on commodity hardware, avoiding the need for expensive, specialized synchronization equipment. This makes ultra-accurate time synchronization accessible to a broader range of data center applications.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;A foundation for future applications&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Firefly's success in delivering nanosecond-level accuracy in a scalable and cost-effective manner has far-reaching implications:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Democratizing high-precision timing: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Firefly allows cloud-hosted financial services that traditionally rely on expensive dedicated hardware, to achieve the required precision using standard cloud infrastructure.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Enabling new applications:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; The availability of precise, synchronized clocks across data center devices can unlock new possibilities in areas like fine-grained network telemetry and congestion control, time-coordinated distributed systems, and deterministic fabric for ML workloads.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Transforming data center operations:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; By creating a tightly integrated and precisely timed computing entity, Firefly can enhance data centers’ overall efficiency, reliability, and performance.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In conclusion, Firefly represents a significant advancement in the field of clock synchronization. By ingeniously combining theoretical insights into graph theory and consensus algorithms with practical network engineering techniques, it overcomes the long-standing challenges of achieving nanosecond-level precision in complex, distributed environments. As data centers continue to evolve, systems like Firefly will be instrumental in building the high-performance, reliable, and fair infrastructure of the future.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;
&lt;div class="block-aside"&gt;&lt;dl&gt;
    &lt;dt&gt;aside_block&lt;/dt&gt;
    &lt;dd&gt;&amp;lt;ListValue: [StructValue([(&amp;#x27;title&amp;#x27;, &amp;#x27;2026 AI Agent Trends in Financial Services&amp;#x27;), (&amp;#x27;body&amp;#x27;, &amp;lt;wagtail.rich_text.RichText object at 0x7fb064f7a940&amp;gt;), (&amp;#x27;btn_text&amp;#x27;, &amp;#x27;Read it now.&amp;#x27;), (&amp;#x27;href&amp;#x27;, &amp;#x27;https://cloud.google.com/resources/content/ai-agent-trends-financial-services-2026&amp;#x27;), (&amp;#x27;image&amp;#x27;, &amp;lt;GAEImage: FSI_Confirmation email_500x450&amp;gt;)])]&amp;gt;&lt;/dd&gt;
&lt;/dl&gt;&lt;/div&gt;</description><pubDate>Mon, 23 Feb 2026 17:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/understanding-the-firefly-clock-synchronization-protocol/</guid><category>Infrastructure</category><category>Systems</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Firefly: Illuminating the path to nanosecond-level clock sync in the data center</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/understanding-the-firefly-clock-synchronization-protocol/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Rohit Dalal</name><title>Product Manager, Google</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Yuliang Li</name><title>Software Engineer</title><department></department><company></company></author></item><item><title>Google Distributed Cloud brings public-cloud-like networking to air-gapped environments</title><link>https://cloud.google.com/blog/products/networking/google-distributed-cloud-gdc-air-gapped-1-15-networking/</link><description>&lt;div class="block-paragraph_advanced"&gt;&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Organizations in highly regulated industries often struggle to balance the rigid security of air-gapped environments with the need for the agility and flexibility that the cloud provides. To address this, Google Distributed Cloud (GDC) air-gapped 1.15 introduces new networking features in preview that give you more direct control and visibility without compromising your security posture, as well as a new IPAM feature in general availability that simplifies &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/subnets-overview#subnet-groups"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;subnet management&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt;. These preview features are Cloud NAT, enhanced connectivity for standard clusters, and advanced HTTP and HTTPS health checks in load balancers. Together, they make it easier for you to manage complex workloads in a secure environment. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Manage outbound traffic with Cloud NAT&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Cloud NAT for GDC air-gapped replaces previous egress solutions and gives you more control over how your instances communicate with other networks, on par with public cloud functionality. Cloud NAT provides several benefits:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Configurable egress IPs:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; You can assign and manage multiple egress IP addresses for your outbound traffic so you can identify exactly which workloads are communicating.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Customizable timeouts:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Manage connection lifecycles by adjusting timeouts for different types of traffic.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Granular control:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Administrators can create specific subnets for egress IPs, while application operators define how pods and VMs route their traffic.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Connect standard clusters directly to your organization&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;In a secure environment, isolation should not result in disconnected silos. With the latest release, standard clusters include networking updates that help you communicate across your organization while maintaining strict security boundaries, helping you manage your environment more effectively. The updates include:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Direct pod communication:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Your standard cluster pods can now communicate directly with workloads in your organization’s Default VPC. This simplifies how you connect standard clusters and shared clusters.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Flexible firewall policies:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; You can use both Project Network Policy and Kubernetes Network Policy APIs to set granular rules for traffic entering and leaving your pods and nodes.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Managed load balancing:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; You can create internal and external load balancers using standard Kubernetes Service APIs, while GDC manages the underlying configuration for you.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Pods within a standard cluster can now connect to other pods directly or through a ClusterIP. While traffic to the Infra VPC remains blocked, you can send traffic to shared cluster workloads through GDC internal load balancers. This ensures your applications can reach necessary services quickly.&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Improve reliability with Load Balancer HTTP and HTTPS health checks&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Previously, L4 load balancing health checks only monitored basic TCP connectivity, only confirming if a port was open. GDC air-gapped load balancers now support HTTP and HTTPS health checks, which allow you to verify if an application is actually functioning correctly. By checking status codes and response content, you can:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Confirm application health: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Verify that services are responding correctly, not just that the server is powered on.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Increase reliability:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Automatically detect and route traffic away from applications experiencing internal errors.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"&gt;
&lt;p role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Improve visibility:&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt; Access better data regarding the health of your VM-based workloads to manage performance before issues arise.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Make subnet management easier with subnet groups&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;Previously, a child subnet could only reference a single parent subnet. With the introduction of the subnet group, a child subnet can now reference a subnet group that may contain multiple parent subnets. This provides the following benefits:&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Overcome the challenges of immutable subnet CIDR: &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;While subnet CIDR range is immutable, subnet group simplifies scaling up IP resources by attaching a new subnet to a subnet group. You can reference a subnet group instead of a single parent subnet for easy scale-up.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Automatically identify a parent subnet:&lt;/strong&gt;&lt;strong style="vertical-align: baseline;"&gt; &lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;Now you can reference a subnet group as parent rather than as a single subnet. By using a subnet group in this way, you don't need to manually identify a parent subnet that has available IP resources: inste&lt;/span&gt;&lt;span style="vertical-align: baseline;"&gt;ad, GDC IPAM automatically finds a subnet in the subnet group with enough available IP space as its parent.&lt;/span&gt;&lt;/li&gt;
&lt;li role="presentation"&gt;&lt;strong style="vertical-align: baseline;"&gt;Start with smaller CIDRs for easier planning&lt;/strong&gt;&lt;span style="vertical-align: baseline;"&gt;: Using subnet groups to scale IP resources also means that you can start with smaller and discontinuous CIDRs when creating new parent subnets, making IP resource utilization more efficient and the planning process easier.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;strong style="vertical-align: baseline;"&gt;Get started&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span style="vertical-align: baseline;"&gt;To learn more about these features, please refer to our &lt;/span&gt;&lt;a href="https://docs.cloud.google.com/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/networking-overview"&gt;&lt;span style="text-decoration: underline; vertical-align: baseline;"&gt;documentation&lt;/span&gt;&lt;/a&gt;&lt;span style="vertical-align: baseline;"&gt; or contact your Google Cloud account team.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><pubDate>Tue, 10 Feb 2026 17:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/products/networking/google-distributed-cloud-gdc-air-gapped-1-15-networking/</guid><category>Hybrid &amp; Multicloud</category><category>Networking</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Google Distributed Cloud brings public-cloud-like networking to air-gapped environments</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/products/networking/google-distributed-cloud-gdc-air-gapped-1-15-networking/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Michael Yitayew</name><title>Product Manager</title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Philip Bai</name><title>Product Manager</title><department></department><company></company></author></item></channel></rss>