Google and Google Cloud services can be used in your AI applications with enterprise-ready governance, security, and access control through our remote Model Context Protocol (MCP) servers.
MCP is an open source protocol developed by Anthropic that standardizes how AI applications connect to data sources.
In addition to offering remote MCP servers, Google Cloud offers several solutions for publishing your own MCP servers. Users connect to published MCP servers over HTTP and can authenticate and interact with them according to the MCP specification. For more information, see MCP server publishing.
How MCP works
MCP lets an AI application communicate with external services through a standardized set of components:
- MCP server: A program that exposes capabilities of a service, like an API or database, to AI applications through standardized MCP interfaces.
- MCP host: The main AI application that you're using or building, for example Claude, VS Code, Gemini CLI, or Cursor IDE.
- MCP client: A software component within the MCP host that handles communication between your AI application and the MCP server.
Local versus remote MCP servers
Local MCP servers typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device.
Remote MCP servers run on the service's infrastructure and offer an HTTP endpoint that the AI application's MCP client uses to communicate with the MCP server.
For more information, see MCP architecture.
Google and Google Cloud remote MCP servers
Google and Google Cloud remote MCP servers have the following features and benefits:
- MCP discovery: Once a server is configured for use in your project, AI applications can discover the server's capabilities, like tools, prompts, and resources, by using MCP discovery methods like tools/list, prompts/list, and resources/list.
- Toolsets: Select a specific toolset from an MCP server to prevent overloading your agent's context with too many tools.
- Administrative controls: Control MCP use with Identity and Access Management (IAM) policies.
- Authentication and Authorization: Google and Google Cloud remote MCP servers are compliant with the MCP authorization specification. Only agents, MCP clients, and end-users with established identities can authenticate and use MCP tools, prompts, and resources.
- Fine-grained authorization policies: Use IAM to control who can do what on which Google Cloud resources with MCP tools, prompts, and resources.
- Model Armor: Scan MCP calls and responses to help protect against security risks and enforce your AI security policies.
For a list of Google and Google Cloud remote MCP servers, see Supported products.
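The discovery methods named above, shown as an added example (not Google's code): a client calls tools/list, prompts/list, and resources/list as JSON-RPC 2.0 requests, follows nextCursor pagination, and passes only allowlisted tools on to the agent. It runs against a constructed in-memory stub rather than a real endpoint; the tool names, the stub_send transport, and the client-side allowlist are assumptions of this example.

```python
LIST_METHODS = {"tools/list": "tools", "prompts/list": "prompts",
                "resources/list": "resources"}

# Constructed sample server state, keyed by cursor; all names are hypothetical.
SAMPLE = {
    "tools/list": {None: (["query_table", "list_datasets"], "p2"),
                   "p2": (["delete_table"], None)},
    "prompts/list": {None: (["summarize_schema"], None)},
    "resources/list": {None: ([], None)},
}

def stub_send(request):
    """Stand-in for the HTTP POST an MCP client makes to a remote server."""
    method = request["method"]
    if method not in SAMPLE:
        return {"jsonrpc": "2.0", "id": request["id"],
                "error": {"code": -32601, "message": "Method not found"}}
    cursor = request.get("params", {}).get("cursor")
    names, next_cursor = SAMPLE[method][cursor]
    result = {LIST_METHODS[method]: [{"name": n} for n in names]}
    if next_cursor:
        result["nextCursor"] = next_cursor
    return {"jsonrpc": "2.0", "id": request["id"], "result": result}

def list_all(send, method):
    """Call one discovery method, following nextCursor until the list ends."""
    items, cursor, seen, req_id = [], None, set(), 0
    while True:
        req_id += 1
        request = {"jsonrpc": "2.0", "id": req_id, "method": method}
        if cursor is not None:
            request["params"] = {"cursor": cursor}
        response = send(request)
        if response.get("id") != req_id or "error" in response:
            raise RuntimeError(f"{method} failed: {response.get('error')}")
        result = response["result"]
        items.extend(result.get(LIST_METHODS[method], []))
        cursor = result.get("nextCursor")
        if cursor is None:
            return items
        if cursor in seen:  # a repeating cursor would otherwise loop forever
            raise RuntimeError(f"{method}: cursor {cursor!r} repeated")
        seen.add(cursor)

def discover(send, allowed_tools):
    """Discover every capability; keep only allowlisted tools (assumed policy)."""
    found = {key: list_all(send, m) for m, key in LIST_METHODS.items()}
    found["tools"] = [t for t in found["tools"] if t["name"] in allowed_tools]
    return found
```

Calling discover(stub_send, {"query_table", "list_datasets"}) returns both pages of tools minus delete_table, which the allowlist withholds from the agent.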
MCP server features
MCP servers support the following features:
- Tools: Let AI take actions like calling APIs.
- Prompts: Predefined inputs provided by MCP servers that can help users interact with tools more effectively—you can use prompts provided by a server, but you can't define your own.
- Resources: Allow servers to share data that provides context to language models, such as files, database schemas, or application-specific information.
For more information, see Manage MCP servers.
Authentication
To authenticate to Google and Google Cloud MCP servers that require authentication, use your Google credentials or create an identity for your AI application. For more information, see Authenticate to MCP servers.
Control access with Identity and Access Management
Identity and Access Management (IAM) deny policies help you secure Google Cloud MCP servers. For more information, see Control MCP use with IAM.
Toolsets
Agents can become slow, confused, and expensive to run when you load too many tools into context. To help you limit the tools available to your agent, some Google and Google Cloud MCP servers offer logical groups of MCP tools called toolsets. Each toolset has its own HTTP endpoint and functions as a virtual MCP server. You can configure a toolset the same way you configure an MCP server. For more information about configuring MCP servers, see Configure MCP in an AI application.
To determine if an MCP server offers toolsets, review the server's MCP reference documentation linked from our Supported products page.
Model Armor protection
Model Armor helps secure your agentic AI applications by sanitizing MCP tool calls and responses. This process mitigates risks such as prompt injection, sensitive data disclosure, and tool poisoning.
To enable Model Armor for MCP endpoints, see Configure Model Armor protection for Google Cloud MCP servers.
MCP publishing
If you want to create and publish your own MCP server for other people to use, then you can use the following MCP publishing options, depending on your needs:
- Apigee users with an existing API can publish their API as an MCP server.
- Developers who want to create their own MCP server can host it on Cloud Run.