Use the Network Management API remote MCP server

This document shows you how to use the Network Management API remote MCP server to create, view, and delete Connectivity Tests.

The Network Management API remote MCP server is enabled when you enable the Network Management API.

Model Context Protocol (MCP) standardizes how large language models (LLMs) and AI applications or agents connect to external data sources. MCP servers let you use their tools, resources, and prompts to take actions and get updated data from their backend service.

What's the difference between local and remote MCP servers?

Local MCP servers
Typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device.
Remote MCP servers
Run on the service's infrastructure and offer an HTTP endpoint to AI applications for communication between the AI MCP client and the MCP server. For more information about MCP architecture, see MCP architecture.

Google and Google Cloud remote MCP servers

Google and Google Cloud remote MCP servers have the following features and benefits:

  • Simplified, centralized discovery
  • Managed global or regional HTTP endpoints
  • Fine-grained authorization
  • Optional prompt and response security with Model Armor protection
  • Centralized audit logging

For information about other MCP servers and about the security and governance controls available for Google Cloud MCP servers, see Google Cloud MCP servers overview.

Before you begin

Make sure you have the following IAM roles.

Required roles

To get the permissions that you need to use the Network Management API MCP server, ask your administrator to grant you the following IAM roles on the project where you want to use the MCP server:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to use the Network Management API MCP server. The exact permissions that are required are listed in the following Required permissions section:

Required permissions

The following permissions are required to use the Network Management API MCP server:

  • Make MCP tool calls: mcp.tools.call
  • Create connectivity tests: networkmanagement.connectivitytests.create
  • Get a connectivity test: networkmanagement.connectivitytests.get
  • List connectivity tests: networkmanagement.connectivitytests.list
  • Delete a connectivity test: networkmanagement.connectivitytests.delete

You might also be able to get these permissions with custom roles or other predefined roles.

To see the exact permissions and roles that are required to run connectivity tests, see Permissions.

Authentication and authorization

The Network Management API remote MCP server uses the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

The Network Management API remote MCP server doesn't accept API keys.

We recommend that you create a separate identity for agents that are using MCP tools so that access to resources can be controlled and monitored. For more information about authentication, see Authenticate to MCP servers.

Network Management API MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.

Network Management API uses the https://www.googleapis.com/auth/cloud-platform OAuth scope.

Additional scopes might be required on the resources accessed during a tool call.

Configure an MCP client to use the Network Management API MCP server

AI applications and agents, such as Claude or Gemini CLI, can instantiate an MCP client that connects to a single MCP server. An AI application can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know the remote MCP server's URL.

In your AI application, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.

For the Network Management API MCP server, enter the following as required:

  • Server name: Network Management API MCP server
  • Server URL or Endpoint: https://networkmanagement.googleapis.com/mcp
  • Transport: HTTP
  • Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. For more information about authentication, see Authenticate to MCP servers.
  • OAuth scope: the OAuth 2.0 scope to use when connecting to the Network Management API MCP server. Enter https://www.googleapis.com/auth/cloud-platform.

For host-specific guidance about setting up and connecting to an MCP server, see the following:

For more general guidance, see the following resources:

Available tools

To view details of available MCP tools and their descriptions for the Network Management API MCP server, see the Network Management API MCP reference.

List tools

Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the Network Management API remote MCP server. The tools/list method doesn't require authentication.

POST /mcp HTTP/1.1
Host: networkmanagement.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list"
}
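The following Python sketch is an added example, not code from the original page or from Google. It builds the tools/list request body with a JSON-RPC id and sorts the advertised tools into those an agent may call unattended and those that need confirmation first. It assumes the reply carries the MCP tool annotations readOnlyHint and destructiveHint; the function names and the tool names in the sample reply are hypothetical.

```python
import json

def build_tools_list_request(request_id=1):
    """JSON-RPC 2.0 body for tools/list; the id ties the reply to this request."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id, "method": "tools/list"})

def classify_tools(response_text, request_id=1):
    """Return (auto_ok, confirm_first) tool names from a tools/list reply."""
    msg = json.loads(response_text)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
        raise ValueError("reply does not match the request that was sent")
    if "error" in msg:
        raise RuntimeError(f"server returned an error: {msg['error'].get('message')}")
    auto_ok, confirm_first = [], []
    for tool in msg["result"]["tools"]:
        hints = tool.get("annotations") or {}
        # Default deny: only an explicit readOnlyHint of true, with no
        # destructiveHint, lets the agent call the tool unattended.
        if hints.get("readOnlyHint") is True and not hints.get("destructiveHint"):
            auto_ok.append(tool["name"])
        else:
            confirm_first.append(tool["name"])
    return sorted(auto_ok), sorted(confirm_first)

# Constructed reply for illustration; the tool names are placeholders,
# not the names published in the Network Management API MCP reference.
SAMPLE_REPLY = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"tools": [
    {"name": "placeholder_create_test"},  # no annotations at all
    {"name": "placeholder_get_test", "annotations": {"readOnlyHint": True}},
    {"name": "placeholder_list_tests", "annotations": {"readOnlyHint": True}},
    {"name": "placeholder_delete_test",
     "annotations": {"readOnlyHint": False, "destructiveHint": True}},
]}})

if __name__ == "__main__":
    print(build_tools_list_request())
    print(classify_tools(SAMPLE_REPLY))
```

Annotations are hints supplied by the server, so this gate complements the IAM permissions on the agent's identity and does not replace them.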

Example use cases

The following are example use cases for the Network Management API MCP server:

  • Create a connectivity test
  • Get and list connectivity tests
  • Delete a connectivity test

Example prompt:

"Run a connectivity test from vm-1 to vm-2 on port 22 using the Network Management API MCP server."

After the test is created, follow the prompts to view and then delete the test resource.

How to interpret results:

  • Reachability result: a value of REACHABLE in reachabilityDetails indicates that the network configuration allows traffic.
  • Probing result: a value of REACHABLE in probingDetails confirms that the active probes sent between the endpoints were successful.
  • Traces: review the hop-by-hop trace to see which resources were included in the test.
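The interpretation steps above can be applied mechanically to a returned test resource. The following Python sketch is an added example, not code from the original page or from Google. It combines the configuration-analysis verdict with the probing verdict and pulls the dropping hop out of each trace, which is what a reviewer checking a segmentation rule wants to see. The result, traces, steps, state, description, and causesDrop field names are assumed from the Connectivity Tests resource format and are not shown on this page; the verdict labels and sample resources are hypothetical.

```python
def interpret(test):
    """Return (verdict, notes) for one ConnectivityTest resource (a dict)."""
    analysis = test.get("reachabilityDetails") or {}
    config = analysis.get("result", "RESULT_UNSPECIFIED")
    # Assumption: probingDetails is missing when no active probes were sent.
    probe = (test.get("probingDetails") or {}).get("result")
    notes = []
    for i, trace in enumerate(analysis.get("traces", [])):
        steps = trace.get("steps", [])
        drops = [s for s in steps if s.get("causesDrop")]
        for s in drops:
            notes.append(f"trace {i}: dropped at {s.get('state')}: {s.get('description')}")
        if steps and not drops:
            notes.append(f"trace {i}: {len(steps)} steps, ends in {steps[-1].get('state')}")
    if config == "REACHABLE":
        if probe == "REACHABLE":
            verdict = "ALLOWED_AND_CONFIRMED"
        elif probe is None:
            verdict = "ALLOWED_BY_CONFIG_UNPROBED"
        else:
            verdict = "CONFIG_AND_PROBES_DISAGREE"
    elif config == "UNREACHABLE":
        verdict = "CONFIG_AND_PROBES_DISAGREE" if probe == "REACHABLE" else "BLOCKED_BY_CONFIG"
    else:
        verdict = "INCONCLUSIVE"
    return verdict, notes

# Constructed sample resources (not real output); only the fields used above.
ALLOWED = {
    "reachabilityDetails": {"result": "REACHABLE", "traces": [{"steps": [
        {"state": "START_FROM_INSTANCE", "description": "vm-1"},
        {"state": "APPLY_INGRESS_FIREWALL_RULE", "description": "allow tcp:22"},
        {"state": "DELIVER", "description": "vm-2"}]}]},
    "probingDetails": {"result": "REACHABLE"},
}
BLOCKED = {
    "reachabilityDetails": {"result": "UNREACHABLE", "traces": [{"steps": [
        {"state": "START_FROM_INSTANCE", "description": "vm-1"},
        {"state": "APPLY_INGRESS_FIREWALL_RULE", "description": "deny tcp:22",
         "causesDrop": True},
        {"state": "DROP", "description": "dropped by firewall rule"}]}]},
    "probingDetails": {"result": "UNREACHABLE"},
}
DISAGREE = {"reachabilityDetails": {"result": "REACHABLE", "traces": []},
            "probingDetails": {"result": "UNREACHABLE"}}
```

A CONFIG_AND_PROBES_DISAGREE verdict is the one to investigate first, because it means the analyzed configuration and the observed traffic tell different stories.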

Optional security and safety configurations

MCP introduces new security risks and considerations because of the wide variety of actions that you can perform with MCP tools. To minimize and manage these risks, Google Cloud offers default settings and customizable policies to control the use of MCP tools in your Google Cloud organization or project.

For more information about MCP security and governance, see AI security and safety.
