Google Cloud spent six hours on July 14 trying to figure out why its own network broke a feature specifically designed not to break, before admitting the company had done it to itself.
The trouble started around 10:00 PDT, when customers using Google Cloud VMware Engine’s stretched cluster feature began losing network connectivity across multiple regions. Stretched clusters exist for one reason: they pool resources across two physical sites and keep both in sync so a failure at one location doesn’t take down a customer’s virtual servers.
Storage and compute stayed up throughout the incident, and virtual machines kept running, but customers simply couldn’t reach them, which somewhat defeats the purpose of paying for a resilience feature in the first place.
Google’s incident report initially pointed to “an underlying network connectivity issue affecting the infrastructure that links the zones within a stretch cluster,” warning that the problem was causing synchronization issues between zones. A later update got more specific, blaming inter-zone communication failures and something called BGP session flapping, essentially unstable routing between the cluster zones and a component called the witness appliance. Without a stable connection to that witness appliance, the affected clusters couldn’t safely confirm which zone held the accurate, up-to-date state, so synchronization stalled entirely.
By 16:05 PDT, Google came clean: the company traced the disruption to a recent configuration change on its own end. As of this writing, Google hasn’t given customers a timeline for full remediation, leaving businesses in the four affected regions, Australia Southeast 1 and 2, Europe West 3, and North America Northeast 2, waiting to find out when the resilience they’re paying for actually comes back online.
Customers running VMware elsewhere have their own reason to move quickly right now, regardless of Google’s outage. Broadcom disclosed seven vulnerabilities in VMware’s Avi Load Balancer this week, including one, CVE-2026-47865, that scored a near-maximum 9.8 on the severity scale.
The flaw is an authentication bypass that could let an attacker with network access slip past the login mechanism entirely and reach the Avi control plane, a serious problem given the tool connects to VMware Cloud Foundation, Kubernetes Service, and resources spread across public clouds. Broadcom has already shipped patches for all seven flaws.
