
Establish APIM Gateway Requirement for MCP Servers

Implementation Effort: Low – Establishing the requirement is a policy decision; APIM already supports MCP server exposure with minimal configuration.
User Impact: Low – Applies to teams building or deploying MCP servers; end users are not affected.

Overview

Model Context Protocol (MCP) servers provide agents with access to external tools, data sources, and capabilities through a standardized interface. When agents call MCP servers, they are making outbound requests to services that may access sensitive data, invoke external APIs, or perform actions with real-world consequences. Requiring all MCP servers to be exposed through the APIM AI gateway ensures that these tool calls are subject to the same authentication, rate limiting, logging, and content safety inspection as direct model calls.

Without this requirement, MCP servers can be deployed as standalone endpoints that agents call directly, bypassing the centralized controls established at the AI gateway. This creates a governance gap — the organization has visibility and control over agent-to-model traffic through APIM, but agent-to-tool traffic flows outside the control plane. Threat actors who compromise an agent can use it to call MCP servers without rate limits or inspection, potentially accessing sensitive data or triggering external actions that the gateway would otherwise catch and block.

Azure API Management provides native support for exposing existing MCP servers through the gateway. This means organizations do not need to rebuild their MCP servers — the gateway acts as a proxy that applies policies to the traffic while forwarding requests to the underlying MCP server. The policies applied can include authentication validation, request/response logging, rate limiting, and content safety inspection, all configured at the gateway level without changes to the MCP server implementation.
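The following APIM policy definition is an added illustration of what the gateway-level controls described above look like when applied to an API that fronts an MCP server; it is not configuration taken from this page or from a Microsoft sample. It uses standard APIM policy elements (validate-azure-ad-token, rate-limit-by-key, llm-content-safety, set-backend-service, log-to-eventhub). The tenant-id named value, the audience URI api://mcp-tools-gateway, the McpTools.Invoke app role, the backend ids mcp-server-backend and content-safety-backend, and the logger id mcp-audit-logger are placeholders that assume those resources have been created separately in the APIM instance.

```xml
<!-- Constructed example policy for an APIM API that proxies an MCP server.
     All ids, URIs and role names are placeholders, not values from the page. -->
<policies>
  <inbound>
    <base />

    <!-- Verify Explicitly: reject any agent call that lacks a valid Microsoft Entra
         token issued for this gateway-fronted MCP API and carrying the expected role. -->
    <validate-azure-ad-token tenant-id="{{tenant-id}}"
                             header-name="Authorization"
                             failed-validation-httpcode="401"
                             failed-validation-error-message="A valid Microsoft Entra token is required">
      <audiences>
        <audience>api://mcp-tools-gateway</audience> <!-- placeholder app ID URI -->
      </audiences>
      <required-claims>
        <claim name="roles" match="any">
          <value>McpTools.Invoke</value> <!-- placeholder app role -->
        </claim>
      </required-claims>
    </validate-azure-ad-token>

    <!-- Assume Breach: a compromised agent is bounded by a per-identity call budget.
         The counter is keyed on the token subject so limits follow the caller, not the IP. -->
    <rate-limit-by-key calls="100"
                       renewal-period="60"
                       counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? "anonymous")" />

    <!-- Content safety inspection of the tool-call payload before it reaches the MCP server.
         Assumes a backend entity named content-safety-backend points at an Azure AI Content Safety resource. -->
    <llm-content-safety backend-id="content-safety-backend" shield-prompt="true">
      <categories output-type="EightSeverityLevels">
        <category name="Hate" threshold="4" />
        <category name="Violence" threshold="4" />
        <category name="SelfHarm" threshold="4" />
        <category name="Sexual" threshold="4" />
      </categories>
    </llm-content-safety>

    <!-- Forward to the unchanged MCP server; the server itself needs no modification. -->
    <set-backend-service backend-id="mcp-server-backend" />
  </inbound>

  <backend>
    <base />
  </backend>

  <outbound>
    <base />
    <!-- Audit every agent-to-tool call centrally (assumes an Event Hub logger named mcp-audit-logger). -->
    <log-to-eventhub logger-id="mcp-audit-logger">@{
        var subject = context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? "anonymous";
        return new JObject(
            new JProperty("timestamp", DateTime.UtcNow.ToString("o")),
            new JProperty("caller", subject),
            new JProperty("operation", context.Operation?.Name ?? "unknown"),
            new JProperty("status", context.Response.StatusCode)
        ).ToString();
    }</log-to-eventhub>
  </outbound>

  <on-error>
    <base />
  </on-error>
</policies>
```

Because all four controls sit in the gateway policy, an MCP server reachable only through this API inherits them without any code change; a server that remains reachable on its own endpoint does not, which is the governance gap the requirement closes. Network-level restrictions on the MCP server (for example, accepting traffic only from the APIM instance) are what make the gateway path the only path, and are outside the scope of this policy fragment.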

This task supports Verify Explicitly by ensuring that every agent-to-tool call is authenticated and authorized at the gateway before reaching the MCP server. It supports Assume Breach by providing an independent control layer between agents and their tools — if an agent is compromised, the gateway limits what the attacker can do through the agent's tool connections. Organizations that do not establish this requirement have inconsistent control coverage, where model traffic is governed but tool traffic is not, leaving a lateral path that threat actors can exploit.

Reference