As developers build AI agents with more sophisticated reasoning systems, they require higher-quality fuel, in the form of enterprise data and specialized tools, to drive real business value. To get the most out of that octane-rich mix, we offer Google-managed Model Context Protocol (MCP) servers: an engine purpose-built for AI agents to interact securely with Google and Google Cloud services.
These Google-hosted, fully-managed endpoints allow AI agents to communicate with Google Maps, BigQuery, Google Kubernetes Engine, Cloud Run, and many other Google services. As we boldly build AI agents, ensuring that we’re also building responsibly is critical.
In this guide, we demonstrate how to build agents securely on our managed MCP servers.
Why you should use Google-managed MCP servers
Transitioning from local experimentation to enterprise-grade AI requires adopting a robust, managed infrastructure that prioritizes scale and oversight. These are the key benefits that we offer:
Production readiness: While open-source MCP servers are great for local development, they struggle in production with scalability, single points of failure, and management overhead. Google’s managed MCP servers require no infrastructure provisioning because we handle the hosting, scaling, and security.
Unified discoverability: You can publicly query and easily discover all available MCP endpoints for Google services (such as maps.googleapis.com/mcp) using a simple directory service.
Enterprise security: Google MCP servers offer native integrations with the Google Cloud security stack, including Cloud IAM, VPC-SC and Model Armor.
Integrated observability and auditability: Google MCP servers are integrated with Cloud Audit Logs, offering a centralized view of all tool-calling activity. This allows platform teams to monitor agent performance, ensure compliance, and troubleshoot interactions through a single enterprise-grade logging pane.
Figure 1: Google MCP Servers high-level architecture diagram
An AI agent example using Google MCP server with ADK
Cityscape is a demo agent built with Google’s Application Development Kit (ADK) that turns a simple text prompt — like “Generate a cityscape for Kyoto” — into a unique, AI-generated city image. It uses the Google Maps Grounding Lite-managed MCP server for trusted location information and the Nano Banana model (via a local MCP server) for image generation.
The lightweight app is then easily deployed to Google Cloud Run, a serverless runtime, to interact with users. Below are two examples of the images generated by the agent based on the local real-time weather conditions.
Figure 2: Example images generated by the Cityscape agent with real time weather info
1. Calling a Google MCP server from the ADK agent:
As demonstrated in the get_weather code snippet below, the Cityscape agent utilizes a Streamable HTTP endpoint to interface with the Google Maps MCP server. It provides the agent with real-time weather conditions for a given city, which are then used to set the atmospheric mood in the generated cityscape image.
Because it’s a Google-managed remote MCP server, Google handles the hosting, scaling, and security — so your agent benefits from automatic scaling to handle any traffic level, built-in reliability with Google’s production infrastructure, and enterprise-grade security out of the box. There’s no infrastructure to manage — you just point to the Maps URL like below and authenticate with an API key, making it ideal for production deployments.
```python
import os

from google.adk.tools.mcp_tool.mcp_session_manager import StreamableHTTPConnectionParams
from google.adk.tools.mcp_tool.mcp_toolset import McpToolset

# Remote Google MCP server: connects to Google Maps Grounding Lite
# to fetch real-time weather conditions for a given city.
get_weather = McpToolset(
    connection_params=StreamableHTTPConnectionParams(
        url="https://mapstools.googleapis.com/mcp",
        headers={"X-Goog-Api-Key": os.environ["MAPS_API_KEY"]},
    ),
)
```
While the Google Maps Grounding Lite is a Google-managed remote endpoint, the Cityscape agent also demonstrates the other end of the spectrum — a locally hosted MCP server for image generation. The nano_banana toolset connects to the GenMedia MCP server using StdioConnectionParams.
With this setup, the agent generates a stylized isometric cityscape image, incorporating the landmarks and weather data gathered earlier. Running a self-hosted MCP server gives you full control over the process lifecycle and environment configuration, but requires a local binary on the host machine or a sidecar container, which adds setup complexity compared to the hosted approach.
```python
import os

from google.adk.tools.mcp_tool.mcp_session_manager import StdioConnectionParams
from google.adk.tools.mcp_tool.mcp_toolset import McpToolset
from mcp import StdioServerParameters

# Self-hosted MCP server: launches the GenMedia MCP server (mcp-gemini-go)
# as a subprocess to generate cityscape images via the Gemini image model.
nano_banana = McpToolset(
    connection_params=StdioConnectionParams(
        server_params=StdioServerParameters(
            command="mcp-gemini-go",
            env=dict(os.environ, PROJECT_ID=os.environ["GOOGLE_CLOUD_PROJECT"]),
        ),
        timeout=60,
    ),
)
```
ADK supports Google-managed, remote, and self-hosted MCP servers. The former gives you production-ready infrastructure with zero operations overhead, while the latter two offer flexibility for custom or experimental tools.
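The self-hosted snippet above hands the subprocess a copy of the agent's entire environment, which includes the MAPS_API_KEY that only the remote toolset needs. The following added example (not part of the Cityscape code) builds the child environment from an allowlist instead and compares what each approach exposes; the allowlist contents, the helper names and the sample environment are assumptions made for illustration.

```python
# Assumed allowlist: variables a stdio MCP server subprocess commonly needs to
# start and to find Google Cloud credentials. Adjust to what your server reads.
CHILD_ENV_ALLOWLIST = ("PATH", "HOME", "GOOGLE_APPLICATION_CREDENTIALS")

def child_env(parent, allowlist=CHILD_ENV_ALLOWLIST, **extra):
    """Build the subprocess environment from an allowlist plus explicit extras."""
    env = {k: parent[k] for k in allowlist if k in parent}
    env.update(extra)
    return env

def secret_names(env, markers=("KEY", "TOKEN", "SECRET", "PASSWORD")):
    """Variable names that look like credentials (heuristic on the name only)."""
    return sorted(k for k in env if any(m in k.upper() for m in markers))

# Constructed parent environment standing in for os.environ on the agent host.
SAMPLE_PARENT = {
    "PATH": "/usr/bin",
    "HOME": "/home/agent",
    "GOOGLE_CLOUD_PROJECT": "example-project",
    "MAPS_API_KEY": "constructed-not-a-real-key",
    "DB_PASSWORD": "constructed",
}

def compare(parent=SAMPLE_PARENT):
    """Return (secrets exposed by full inheritance, secrets exposed by allowlist)."""
    project = parent["GOOGLE_CLOUD_PROJECT"]
    inherited = dict(parent, PROJECT_ID=project)     # pattern used in the snippet
    scoped = child_env(parent, PROJECT_ID=project)   # allowlisted alternative
    return secret_names(inherited), secret_names(scoped)

# In the toolset definition this would be passed as:
#   env=child_env(os.environ, PROJECT_ID=os.environ["GOOGLE_CLOUD_PROJECT"])
```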
2. Enterprise-grade security and content guardrails
Security in the agentic era cannot be an afterthought. Here’s how two key security features can be applied to our Cityscape agent.
Granular control of MCP tools via IAM Deny policies
Google Cloud lets you control MCP tool access using IAM deny policies — the same governance framework you already use for other Google Cloud resources.
Now imagine we extend the Cityscape agent by adding a BigQuery MCP server — perhaps to query a dataset of historical cityscape metadata or population statistics. The BigQuery MCP server exposes both read-only tools like get_dataset_info and list_datasets, as well as write tools like execute_sql that can modify data.
In our use case, the agent should only query BigQuery for information — it should never execute SQL that inserts, updates, or deletes data. With Google-managed MCP servers, you don’t have to rely on prompt engineering alone to enforce this.
Instead, you apply an IAM Deny policy that blocks any tool not annotated as read-only:
```json
{
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": ["principalSet://goog/public:all"],
        "deniedPermissions": ["mcp.googleapis.com/tools.call"],
        "denialCondition": {
          "title": "Deny read-write tools",
          "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
        }
      }
    }
  ]
}
```
Apply it with:
```bash
gcloud iam policies create mcp-deny-policy \
  --attachment-point=cloudresourcemanager.googleapis.com/projects/$PROJECT_ID \
  --kind=denypolicies \
  --policy-file=policy.json
```
With this policy applied, the agent can freely look up dataset schemas, but any attempt to call execute_sql — whether intentional or triggered by a prompt injection — is blocked at the platform level before it ever reaches BigQuery. This is defense-in-depth: Your agent’s instructions say “only read data,” but IAM enforces it — regardless of what the LLM decides to do.
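The `false` passed as the second argument to `api.getAttribute` is the default used when a tool carries no read-only attribute, so the policy fails closed. The added example below (not Google's policy evaluator and not from the Cityscape repo) is a local model of that single expression shape, run against constructed attributes for the BigQuery tools named above; `unannotated_tool` is hypothetical.

```python
import json
import re

# The deny policy from this page, embedded so the example runs offline.
POLICY = json.loads("""
{"rules": [{"denyRule": {
  "deniedPrincipals": ["principalSet://goog/public:all"],
  "deniedPermissions": ["mcp.googleapis.com/tools.call"],
  "denialCondition": {
    "title": "Deny read-write tools",
    "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
  }}}]}
""")

# Recognises only: api.getAttribute('<name>', <default>) == <literal>
_COND = re.compile(
    r"api\.getAttribute\('([^']+)',\s*(true|false)\)\s*==\s*(true|false)\s*$")

def parse_condition(expression):
    m = _COND.match(expression.strip())
    if not m:
        raise ValueError("unsupported condition: " + expression)
    name, default, expected = m.groups()
    return name, default == "true", expected == "true"

def is_denied(policy, permission, attributes):
    """True if a deny rule matches this permission and these request attributes."""
    for rule in policy["rules"]:
        deny = rule["denyRule"]
        if permission not in deny["deniedPermissions"]:
            continue
        cond = deny.get("denialCondition")
        if cond is None:
            return True  # an unconditional deny rule always applies
        name, default, expected = parse_condition(cond["expression"])
        # A missing attribute takes the default, so with default=false an
        # unannotated tool counts as not read-only and the call is denied.
        if attributes.get(name, default) == expected:
            return True
    return False

ATTR = "mcp.googleapis.com/tool.isReadOnly"
CALLS = {  # constructed request attributes, one entry per tool call
    "list_datasets": {ATTR: True},
    "get_dataset_info": {ATTR: True},
    "execute_sql": {ATTR: False},
    "unannotated_tool": {},  # hypothetical tool with no read-only annotation
}

def denied_tools(policy=POLICY):
    return sorted(t for t, a in CALLS.items()
                  if is_denied(policy, "mcp.googleapis.com/tools.call", a))
```

Changing the default in the expression to `true` would let the unannotated tool through, which is the fail-open variant to watch for when reviewing deny conditions.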
Content security with Model Armor
Model Armor integrates directly with Google Cloud MCP servers to sanitize all MCP tool calls and responses at the project level. Once enabled, it acts as an inline security layer that scans for:
Prompt injection attacks
Malicious URIs (such as phishing links)
Dangerous content that violates responsible AI filters
Returning to our Cityscape agent, imagine a user submitting: “Generate a cityscape for http://malicious-site.com”.
With Model Armor enabled, the MCP tool call is scanned before it reaches the Maps server. Malicious URIs, prompt injection attempts, and dangerous content are blocked automatically — no custom validation code needed in your agent.
Enabling it is a two-step process. First, configure a floor setting that defines your minimum security filters:
```bash
gcloud model-armor floorsettings update \
  --full-uri="projects/$PROJECT_ID/locations/global/floorSetting" \
  --enable-floor-setting-enforcement=TRUE \
  --add-integrated-services=GOOGLE_MCP_SERVER \
  --google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
  --enable-google-mcp-server-cloud-logging \
  --malicious-uri-filter-settings-enforcement=ENABLED \
  --add-rai-settings-filters='[{"confidenceLevel": "MEDIUM_AND_ABOVE", "filterType": "DANGEROUS"}]'
```
Then enable content security for all Google MCP servers in your project:
```bash
gcloud beta services mcp content-security add modelarmor.googleapis.com \
  --project=$PROJECT_ID
```
Once enabled, all MCP traffic in the project is automatically scanned — regardless of which agent or client originates the call. Blocked requests are logged to Cloud Logging, giving you full observability into potential threats.
Getting started
Google MCP servers remove the infrastructure hurdles that keep AI agents stuck in prototyping. By combining managed endpoints with platform-level security — IAM deny policies, Model Armor, and Cloud Audit Logs — you get a production-ready foundation with minimum ops overhead. The era of the autonomous agent is here: Make sure your stack is ready.
ADK Cityscape agent code repo here
Read more about Google MCP servers and supported services here
Hands-on codelab: Local to Cloud — Full-stack app migration with Gemini CLI, Cloud Run, and Cloud SQL MCP servers
Build AI agents with Google Cloud Run: a serverless runtime for your agentic AI apps
