To address high-severity kernel vulnerabilities (including CVE-2025-21756 and CVE-2025-38052) in Rocky Linux 8 and 9, updates are available for the Compute Engine images maintained by CIQ. If your VM instances use images dated before September 2025 (version v20250912), you must take action to ensure you continue to receive security patches.
How to determine if your Compute Engine VMs are affected
You are affected if your VM instance uses a Rocky Linux image from an -optimized-gcp or -optimized-gcp-nvidia family with a version date older than v20250912 (for example, rocky-linux-9-optimized-gcp-v20250807). To check your VM's source image, see View VM instance image details. You can view details for these image families in Rocky Linux OS details.
Action required
If your image version is v20250912 or later: Your VM is already configured to use the newer SIG/Cloud Next (SCN) repositories and is receiving security updates. No action is required.
If your image version is older than v20250912: Your VM is configured to use legacy SIG/Cloud repositories that no longer receive regular kernel updates and won't receive future security patches. While running sudo dnf update applies a one-time patch for the vulnerabilities listed, you must manually migrate the VM to the SCN repositories to receive ongoing updates by following the CIQ migration guide.
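The version check described above, as an added example (not code from Google or CIQ): it classifies a VM's source image against the v20250912 cutoff. It assumes image names end in `-vYYYYMMDD` as in the page's example; the VM names and image strings in the sample inventory are constructed.

```python
import re

# Cutoff stated on the page: images dated v20250912 or later use the SCN repositories.
CUTOFF = "20250912"

# Assumption: image names end in -vYYYYMMDD, as in the page's example
# rocky-linux-9-optimized-gcp-v20250807. Any suffix after -optimized-gcp
# (such as -nvidia...) is treated as part of the family name.
IMAGE_RE = re.compile(
    r"^(?P<family>rocky-linux-[89]-optimized-gcp(?:-[a-z0-9-]+?)?)-v(?P<date>\d{8})$"
)


def classify_image(source_image):
    """Classify an image name or full sourceImage URL as ok / migrate / other."""
    name = source_image.rstrip("/").rsplit("/", 1)[-1]
    m = IMAGE_RE.match(name)
    if m is None:
        if re.match(r"rocky-linux-[89]-optimized-gcp", name):
            return "check-manually"   # right family, but no parsable version date
        return "not-applicable"       # not an -optimized-gcp Rocky Linux image
    # Eight-digit dates compare correctly as strings.
    return "migrate" if m.group("date") < CUTOFF else "ok"


def vms_needing_migration(inventory):
    """Return sorted VM names whose image still points at the legacy repositories."""
    return sorted(vm for vm, image in inventory.items()
                  if classify_image(image) == "migrate")


# Constructed inventory (VM name -> source image); not real instances.
SAMPLE_INVENTORY = {
    "web-1": "rocky-linux-9-optimized-gcp-v20250807",
    "web-2": "rocky-linux-9-optimized-gcp-v20250912",
    "gpu-1": "projects/example-project/global/images/"
             "rocky-linux-8-optimized-gcp-nvidia-latest-v20250701",
    "db-1": "rocky-linux-9-v20250807",
    "dev-1": "rocky-linux-9-optimized-gcp",
}

if __name__ == "__main__":
    for vm, image in SAMPLE_INVENTORY.items():
        print(f"{vm}: {classify_image(image)}")
    print("migrate:", vms_needing_migration(SAMPLE_INVENTORY))
```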
When you autoscale a managed instance group (MIG), you can monitor the configured group size and the size recommended by the autoscaler on a chart. For more information, see Monitor group size.
For the Red Hat Enterprise Linux (RHEL) operating system, VM Manager provides vulnerability scanning results based on the latest minor version for each major version released. If your VM runs an earlier minor version of RHEL, you might get inaccurate results in the vulnerability reports. For more information about supported operating systems for vulnerability reports, see supported operating systems.
Generally available: You can use managed constraints with Organization Policy Service
for centralized, programmatic control of your Compute Engine resources.
Managed constraints replace legacy compute.* constraints and are identifiable
by the compute.managed.* prefix. They also include built-in support for safe
rollout tools like Policy Simulator and dry run mode.
For more information, see Organization policies for Compute Engine and Managed constraints.
Generally available: You can apply compact placement policies to standalone Flex-start VMs. These policies let you colocate your standalone Flex-start VMs as close to each other as possible. Applying a compact placement policy minimizes network hops and improves the performance of latency-sensitive workloads. For more information, see About compact placement policies and About Flex-start VMs.
Generally available: H4D VMs, designed for high performance computing (HPC) workloads, are now generally available. Based on 5th generation AMD EPYC Turin with Cloud RDMA 200 Gbps networking, H4D VMs offer 192 cores (SMT disabled), up to 1,488 GB of memory, and 3,750 GiB of Local SSD. H4D is optimized for tightly-coupled applications that scale across multiple nodes.
For more information, see H4D machine series.
Generally available: You can use Hyperdisk Exapools for large-scale workloads, such as AI and machine learning, that require between 500 TiB and 5 EiB of block storage and more than 100 GiB/s of concurrent performance in a single zone. With Hyperdisk Exapools, you purchase storage and performance in bulk and share those resources across as many as 500,000 disks in a single project.
To use Hyperdisk Exapools with your projects, contact your account team to get access.
To learn more about Hyperdisk Exapools, see Hyperdisk Exapools overview.
Control of MCP use with organization policies is deprecated. After March 17, 2026,
organization policies that use the gcp.managed.allowedMCPServices constraint
won't work, and you can control MCP use with IAM deny policies.
For more information about controlling MCP use, see Control MCP use with IAM.
After March 17, 2026, when you enable Compute Engine, the Compute Engine MCP server is automatically enabled.
Generally available: You can use instance flexibility to improve resource availability when creating VMs in bulk in a region. With instance flexibility, you specify one or more suitable machine types for your workload. Compute Engine then provisions VMs from the list of machine types based on capacity and quota availability.
For more information, see About instance flexibility for VMs created in bulk and Create VMs in bulk with instance flexibility.
Preview: You can use consistency groups of instant snapshots to back up a group of disks at the same point in time, ensuring data consistency across multiple disks. Consistency groups of instant snapshots offer the following benefits:
To learn more, see About instant snapshots.
You can autoscale a managed instance group (MIG) that has instance flexibility configured. Autoscaling lets the MIG create or delete virtual machine instances based on an increase or decrease in load. For more information, see About instance flexibility.
Expanded coverage for compute flexible committed use discounts (CUDs) is available to all Cloud Billing accounts. All Cloud Billing accounts have been automatically migrated to the new spend-based CUD model and you no longer need to opt in to benefit from the expanded coverage. For the full list of eligible SKUs across Compute Engine, GKE, and Cloud Run, see SKU Groups - Compute Flexible CUD Eligible SKUs.
To learn more about compute flexible CUDs and how they apply to your usage, see the compute flexible CUDs documentation.
Generally available: You can use Hyperdisk ML with the following machine series and Cloud TPU versions:
For more information, see About Hyperdisk ML.
Generally available: The N4A machine family is powered by Google's latest
custom-designed Axion processor, built on Arm Neoverse N3 compute core and
powered by Titanium IPU. This machine family has between 1 and 64 vCPUs with up to
512 GB of memory, and supports Google Cloud Hyperdisk volume storage.
It is available in standard, highmem, highcpu, and custom machine types.
For detailed information, see
General-purpose machines.
See Regions and zones to learn where you can
create N4A VMs.
Generally available: You can create N4, C4, M4, and M3 VM instances in
Bangkok, Thailand asia-southeast3-a,b,c. To learn more about these
machine types, see
General-purpose machines and
Memory-optimized machines.
Generally available: You can view future resource availability before you create a future reservation request in calendar mode. This action helps increase the likelihood that Google Cloud approves your request. For more information, see View resource future availability.
When you autoscale a regional managed instance group (MIG), you can view the reasons why the autoscaler adds or removes VMs in your MIG. Autoscaling reasons were previously available only for zonal MIGs. For more information, see Viewing autoscaler logs.
Public Preview: The C4A VM family now offers a c4a-highmem-96-metal bare
metal instance. This machine type has 96 vCPUs and 768 GB of DDR5 memory,
Titanium I/O offload processing,
and supports Hyperdisk Balanced, Hyperdisk Extreme, and Hyperdisk ML storage volumes.
This bare metal instance is offered
in select regions and zones.
For more information, see
C4A machine series.
Generally available: The G4 accelerator-optimized machine series supports the flex-start provisioning model. When you specify the flex-start provisioning model for your G4 virtual machine (VM) instances, you receive a discount up to 50% for vCPUs, memory, and GPUs. Flex-start is ideal for fault-tolerant or temporary workloads that can benefit from lower costs by having a flexible start time. For more information, see About Flex-start VMs.
Generally available: You can create future reservation requests in calendar mode to reserve GPU, TPU, or H4D resources for your virtual machine (VM) instances. Use these requests to obtain high-demand resources for creating VMs that you plan to run for up to 90 days, such as when you want to run model pre-training, model fine-tuning, or high performance computing (HPC) jobs. For more information, see About future reservation requests in calendar mode.
Sole-tenancy is now supported for the following GPU machine types:
a2-ultragpu-node-96-1360-lssd
a2-megagpu-node-96-1360
a2-highgpu-node-96-680
a3-megagpu-node-208-1872-lssd
a3-highgpu-node-208-1872-lssd
For more information, see Sole-tenant nodes.
Instance flexibility in regional managed instance
groups (MIGs) supports the ANY target distribution shape. Selecting this shape
lets you maximize resource obtainability and the utilization of unused zonal
reservations. For more information, see
About instance flexibility in MIGs.
The memory-optimized X4 machine series offers additional bare metal machine types with 6 TB, 8 TB, and 12 TB of memory. For more information, see X4 machine series.
Workloads on A4 VMs might experience interruptions due to a firmware issue for NVIDIA B200 GPUs. To help prevent the issue, we recommend resetting the GPUs on A4 VMs at least once every 60 days. For more information, see the known issue.
Generally available: The general purpose C4 machine series now supports the following machine types on Intel's Xeon 6 processor (Granite Rapids):
c4-standard-288-lssd-metal
c4-highmem-288-lssd-metal
To learn more, see the C4 machine series.
For more information, see Machine types that automatically attach Local SSD disks and Bare metal instances on Compute Engine.
Preview: You can use the Compute Engine remote Model Context Protocol (MCP) server to let LLM agents manage Compute Engine resources, such as VMs and disks. This server provides a standardized interface for AI applications to securely and reliably interact with Compute Engine resources using natural language or autonomous workflows.
If you clone a source disk that's encrypted with a customer-supplied encryption key or customer-managed encryption key, you must use the same key to encrypt the clone.
For more information, see Create a clone of an encrypted source disk.
Preview: VM Extension Manager lets you manage Compute Engine guest agent extensions on your virtual machines (VMs). You can use VM Extension Manager to install and manage extensions, such as Ops Agent and Agent for SAP, on your Compute Engine VMs at scale, without connecting to each VM.
Use VM Extension Manager to create policies that install extensions on your VMs. You can install extensions based on specific criteria, such as VM labels, for both existing and new VMs that match the criteria. VM Extension Manager automates the lifecycle of extensions across your entire fleet of VMs and monitors their health status while they are running.
For more information, see the following:
C4 machine type virtual machine (VM) instances running on sole tenant nodes might encounter unexpected VM terminations due to host errors or VM creation failures. For more information, see known issues.
Public Preview: You can now access the VM metadata server using IPv6 connectivity from single-stack IPv6 VM instances. For more information, see About VM metadata.
For the Windows operating system, gVNIC driver version 2.0.15 is available.
This version fixes the handling of highly fragmented TSO packets. Without this updated driver version, you might experience intermittent network connectivity loss on Windows VMs that use any Compute Engine machine type. The affected versions are 2.0.7 - 2.0.14.
Symptoms include ARP resolution failures and an inability to reach local subnet IPs, including the metadata server. We recommend upgrading your Windows instances to this latest version of the driver. To learn about upgrading, read the Windows components section of the Guest environment documentation.
Preview: The general purpose C4 machine series now supports the following machine types on Intel's Xeon 6 processor (Granite Rapids):
c4-standard-288-lssd-metal
c4-highmem-288-lssd-metal
To learn more, see the C4 machine series.
For more information, see Machine types that automatically attach Local SSD disks and Bare metal instances on Compute Engine.
You can autoscale a regional managed instance group
(MIG) that has the target distribution shape set to ANY or ANY_SINGLE_ZONE.
These shapes are particularly beneficial for batch workloads.
For more information about target distribution shapes, see
Regional MIG target distribution shape.
Preview: Future reservation requests in calendar mode support reserving
capacity for a3-megagpu-8g and a3-highgpu-8g machine types. Use future
reservation requests in calendar mode to obtain resources for running model
pre-training, model fine-tuning, simulation, and inference workloads. For more
information, see
About future reservation requests in calendar mode.
The Windows guest agent identifies administrator accounts and groups using
string matching. Therefore, credential management features only function
correctly when you use English language names for user accounts and groups,
for example, Administrators. If you use non-English language names, credential
management features such as generating or resetting passwords might not function
as expected. For more information about managing Windows user accounts, see
Manage accounts and credentials on Windows VMs and
Known issues for Windows VM instances.
Generally available: Two new features that provide better observability for Compute Engine reservations and deeper insights into their capacity usage and costs:
consumedReservation field in the VM instance details showing the full resource name of the consumed reservation, providing reservation consumption status on VMs and better visibility for resource management and troubleshooting.
compute.googleapis.com/reservation_name: the short name of the Compute Engine reservation.
compute.googleapis.com/reservation_project_id: the Project ID owning the Compute Engine reservation.
For more information, see the following: