This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms, and theAdditional Terms for Generative AI Preview Products. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

This document describes how to use the Compute Engineremote Model Context Protocol (MCP) server to connect toCompute Engine from AI applications such asGemini CLI, ChatGPT, Claude, or in AIapplications that you're developing. The Compute Engine remote MCP server provides a comprehensive set of capabilities that let LLM agents perform a range of infrastructure management tasks including the following:

• Manage virtual machine (VM) instances.
• Manage instance group managers and instance templates.
• Manage disks and snapshots.
• Retrieve information about reservations and commitments..

  Model Context Protocol(MCP) standardizes how large language models (LLMs) and AI applications oragents connect to external data sources. MCP servers let you use their tools,resources, and prompts to take actions and get updated data from their backendservice.

  What's the difference between local and remote MCP servers?

  Local MCP servers

  Typically run on your local machine and use the standard inputand output streams (stdio) for communication between services on the samedevice.

  Remote MCP servers

  Run on the service's infrastructure and offer an HTTPendpoint to AI applications for communication between the AI MCP client andthe MCP server. For more information about MCP architecture, seeMCP architecture.

  Google and Google Cloud remote MCP servers

  Google and Google Cloud remote MCP servers have the followingfeatures and benefits:
  • Simplified, centralized discovery.
  • Managed global or regional HTTP endpoints.
  • Fine-grained authorization.
  • Optional prompt and response security withModel Armor protection.
  • Centralized audit logging.

  For information about other MCP servers and information about securityand governance controls available for Google Cloud MCP servers,seeGoogle Cloud MCP servers overview.

  Before you begin

  Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
  Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
  Go to project selector
  Verify that billing is enabled for your Google Cloud project.
  Make sure that you have the following role or roles on the project: Compute Instance Admin (v1), Compute SecurityAdmin, Service Account User, Service Usage Admin
  Check for the roles
  1. In the Google Cloud console, go to theIAM page.

     Go to IAM
  2. Select the project.

  3. In thePrincipal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check theRole column to see whether the list of roles includes the required roles.
  Grant the roles
  1. In the Google Cloud console, go to theIAM page.

     Go to IAM
  2. Select the project.
  3. Clickperson_addGrant access.

  4. In theNew principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. ClickSelect a role, then search for the role.
  6. To grant additional roles, clickaddAdd another role and add each additional role.
  7. ClickSave.

  In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  Roles required to select or create a project

  • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

  Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  Go to project selector

  Verify that billing is enabled for your Google Cloud project.

  Make sure that you have the following role or roles on the project: Compute Instance Admin (v1), Compute SecurityAdmin, Service Account User, Service Usage Admin

  Check for the roles

  1. In the Google Cloud console, go to theIAM page.

     Go to IAM
  2. Select the project.

  3. In thePrincipal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check theRole column to see whether the list of roles includes the required roles.

  Grant the roles

  1. In the Google Cloud console, go to theIAM page.

     Go to IAM
  2. Select the project.
  3. Clickperson_addGrant access.

  4. In theNew principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. ClickSelect a role, then search for the role.
  6. To grant additional roles, clickaddAdd another role and add each additional role.
  7. ClickSave.
  1. Enable the Compute Engine API.

     Enable the Compute Engine API

  Required roles

  To get the permissions that you need to to enable the Compute Engine remote MCP server, ask your administrator to grant you theService Usage Admin (roles/serviceusage.serviceUsageAdmin) IAM role on your Google Cloud project. For more information about granting roles, seeManage access to projects, folders, and organizations.

  You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

  Roles for using the service

  To get the permission that you need to to make calls to the remote MCP server tools, ask your administrator to grant you theMCP Tool User (roles/mcp.toolUser) IAM role on your Google Cloud project. For more information about granting roles, seeManage access to projects, folders, and organizations.

  This predefined role contains the mcp.tools.call permission, which is required to to make calls to the remote MCP server tools.

  You might also be able to get this permission withcustom roles or otherpredefined roles.

  You also need the roles and permissions required to perform theCompute Engine operations. For more information, seeCompute Engine roles and permissions.

  Enable or disable the Compute Engine MCP server

  You can enable or disable the Compute Engine MCP serverin a project with thegcloud beta services mcp enable command. For moreinformation, see the following sections.

  Enable the Compute Engine MCP server in a project

  Note: After March 17, 2026, the Compute Engineremote MCP server is automatically enabled when you enable Compute Engine.

  If you're using different projects for your client credentials, such as serviceaccount keys, OAuth client ID or API keys, and for hosting your resources, thenyou must enable the Compute Engine service and theCompute Engine remote MCP server on both projects.

  To enable the Compute Engine MCP server in yourGoogle Cloud project, run the following command:

  gcloudbetaservicesmcpenableSERVICE\--project=PROJECT_ID

  Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE:compute.googleapis.com, the global service namefor Compute Engine.

  The Compute Engine remote MCP server is enabled for use in your Google Cloud Project. If theCompute Engine service isn't enabled for yourGoogle Cloud project, you're prompted to enablethe service before enabling the Compute Engine remote MCPserver.

  As a security best practice, we recommend that you enable MCP servers only forthe services required for your AI application to function.

  Disable the Compute Engine MCP server in a project

  To disable the Compute Engine MCP server in yourGoogle Cloud project, run the following command:

  gcloudbetaservicesmcpdisableSERVICE\--project=PROJECT_ID

  The Compute Engine MCP server is disabled for use inyour Google Cloud project.

  Authentication and authorization

  Compute Engine MCP servers use theOAuth 2.0protocol withIdentity and Access Management (IAM)for authentication and authorization. AllGoogle Cloud identitiesare supported for authentication to MCP servers.

  We recommend that you create a separate identity for agents that are using MCPtools so that access to resources can be controlled and monitored. For more information aboutauthentication, seeAuthenticate to MCP servers.

  Compute Engine MCP OAuth scopes

  OAuth 2.0 uses scopes and credentials to determine if an authenticatedprincipal is authorized to take a specific action on a resource. For moreinformation about OAuth 2.0 scopes at Google, readUsing OAuth 2.0 to access Google APIs.

  Compute Engine has the following MCP tool OAuth scopes:

  Scope URI for gcloud CLI	Description
  https://www.googleapis.com/auth/compute.read-only	Only allows access to read data.
  https://www.googleapis.com/auth/compute.read-write	Allows access to read and modify data.

  Additional scopes might be required on the resources accessed during a toolcall. To view a list of scopes required forCompute Engine, seeCompute Engine API.

  Configure an MCP client to use the Compute Engine MCP server

  AI applications and agents, such as Claude or GeminiCLI, can instantiate an MCP client that connects to a single MCP server. An AIapplication can have multiple clients that connect to different MCP servers.To connect to a remote MCP server, the MCP client must know the remote MCP server's URL.

  In your AI application, look for a way to connect to a remote MCP server. Youare prompted to enter details about the server, such as its name and URL.

  For the Compute Engine MCP server, enter the following asrequired:

  • Server name: Compute Engine MCP server
  • Server URL orEndpoint: compute.googleapis.com/mcp
  • Transport: HTTP
  • Authentication details: Depending on how you want to authenticate, you canenter your Google Cloud credentials, your OAuth Client IDand secret, or an agent identity and credentials. For more information onauthentication, seeAuthenticate to MCP servers.

  For host-specific guidance about setting up and connecting to MCP server,see the following:

  • Claude.ai
  • Gemini CLI

  For more general guidance, see the following resources:

  • Connect to remote MCP servers.
  • Configure MCP in an AI application.

  Available tools

  To view details of available MCP tools and their descriptions for theCompute Engine MCP server, see theCompute Engine MCP reference.

  List tools

  Use theMCP inspector to list tools, or send atools/list HTTP request directly to the Compute Engineremote MCP server. Thetools/list method doesn't require authentication.

  POST /mcp HTTP/1.1Host: compute.googleapis.comContent-Type: application/json{  "jsonrpc": "2.0",  "method": "tools/list",}

  Example use cases

  The following sample use cases describe how you can use theCompute Engine MCP server to manage Compute Engine resources:

  • Inspect and manage resources. For example, to understand resource allocationand configuration in your project, you can list all compute instances. You can also find all running compute instances in a zone that have a specific accelerator attached, and show their location and name for resource management.
  • Clean up unused resources to reduce operational costs. For example,identify and clean up disk snapshots in a zone that are no longer associatedwith a source disk, or identify and delete stopped VM instances that have costly GPU resources attached.
  • Optimize instance performance. For example, resize an under-provisionedVM instance to a larger machine type in the same family, and confirm the successfulupdate.
  • Provision specialized VMs for AI workloads with zone flexibility. Forexample, create a VM instance with a specific GPU accelerator attached, inany zone in a specified region where it is available.
  • Troubleshoot and validate instance configurations. For example, retrieveconfiguration details for a specific VM instance where the job is frozen,reboot it, and confirm the underlying accelerator and disk are attached.

  Sample prompts

  The following are sample prompts that you can use to perform tasks by usingthe Compute Engine MCP server:

  • List all VMs inPROJECT_ID, including the VM name and zone.
  • Show the instance details forVM_NAME.
  • InREGION, find all disk snapshots for which the source diskno longer exists.
  • Change the machine type ofVM_NAME to the next largest machine typein the same machine family, send notification when it's back online, and confirm the new machine type.
  • Find all running VMs inREGION with NVIDIA accelerators, and show the zone and name for these VMs.
  • Create a VM inZONE with an NVIDIA T4 accelerator attached. Name the VMmy-nvidiat4-vm.
  • Find all stopped VMs inREGION with NVIDIA Tesla T4 accelerators, and delete them.

  Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • REGION: the name of the region where your resources exist.
  • ZONE: the name of the zone where your VMs exist.
  • VM_NAME: the name of your VM instance.

  Optional security and safety configurations

  MCP introduces new security risks and considerations due to the wide variety ofactions that you can do with the MCP tools. To minimize and manage these risks,Google Cloud offers default settings and customizable policies tocontrol the use of MCP tools in your Google Cloudorganization or project.

  For more information about MCP security and governance, seeAI security and safety.

  Use Model Armor

  Model Armor is aGoogle Cloud service that's designed to enhance the security andsafety of your AI applications. It works by proactively screening LLM promptsand responses, protecting against various risks and supporting responsible AIpractices. Whether you deploy AI in your cloud environment, or onexternal cloud providers, Model Armor can help youprevent malicious input, verify content safety, protect sensitive data, maintaincompliance, and enforce your AI safety and security policies consistently acrossyour diverse AI landscape.

  Model Armor is only available inspecific regional locations. If Model Armor isenabled for a project, and a call to that project comes from an unsupportedregion, Model Armor makes a cross-regional call.For more information, seeModel Armor locations.

  Caution: If a request fails, Model Armor logs theentire payload. This might expose sensitive information in the logs.

  Enable Model Armor

  To enable Model Armor on your

  Google Cloud project, run the followinggcloud CLI command:

  gcloudservicesenablemodelarmor.googleapis.com\--project=PROJECT_ID

  ReplacePROJECT_ID with yourGoogle Cloud project ID.

  Configure protection for Google and Google Cloud remote MCP servers

  To protect your MCP tool calls and responses, you create aModel Armor floor setting and then enableMCP content security for your project. A floor setting defines the minimumsecurity filters that apply across the project. This configuration applies aconsistent set of filters to all MCP tool calls and responses withinthe project.

  Tip: Don't enable the prompt injection and jailbreak filter unless your MCP traffic carries natural language data.

  1. Set up a Model Armor floor setting with MCP sanitizationenabled. For more information, seeConfigure Model Armor floorsettings.

     Note: If the agent and the MCP server are in different projects, you can create floor settings in both projects (the client project and the resource project). In this case, Model Armor is invoked twice, once for each project.

     See the following example command:

     gcloudmodel-armorfloorsettingsupdate\--full-uri='projects/PROJECT_ID/locations/global/floorSetting'\--enable-floor-setting-enforcement=TRUE\--add-integrated-services=GOOGLE_MCP_SERVER\--google-mcp-server-enforcement-type=INSPECT_AND_BLOCK\--enable-google-mcp-server-cloud-logging\--malicious-uri-filter-settings-enforcement=ENABLED\--add-rai-settings-filters='[{"confidenceLevel": "HIGH", "filterType": "DANGEROUS"}]'

     ReplacePROJECT_ID with your Google Cloud projectID.

     Note the following settings:

     • INSPECT_AND_BLOCK: The enforcement type that inspects content for the Google MCP server and blocks prompts andresponses that match the filters.
     • ENABLED: The setting that enables a filter orenforcement.
     • HIGH: The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, thoughlower values might result in more false positives. For more information,seeConfigure floor settings.

  2. For your project, enable Model Armor protection for remote MCP servers.

     gcloudbetaservicesmcpcontent-securityaddmodelarmor.googleapis.com--project=PROJECT_ID

     ReplacePROJECT_ID with your Google Cloudproject ID. After you run this command, Model Armor sanitizesall MCP tool calls and responses from the project, regardless of where thecalls and responses originate.

  3. To confirm that Google MCP traffic is sent to Model Armor,run the following command:

     gcloudbetaservicesmcpcontent-securityget--project=PROJECT_ID

     ReplacePROJECT_ID with the Google Cloud project ID.

  Disable Model Armor in a project

  To disable Model Armor on a Google Cloud project, run thefollowing command:

  gcloudbetaservicesmcpcontent-securityremovemodelarmor.googleapis.com\--project=PROJECT_ID

  ReplacePROJECT_ID with the Google Cloud projectID.

  Google MCP traffic won't be scanned by Model Armor for thespecified project.

  Disable scanning MCP traffic with Model Armor

  If you want to use Model Armor in a project, and you want to stopscanning Google MCP traffic with Model Armor, run the followingcommand:

  gcloudmodel-armorfloorsettingsupdate\--full-uri='projects/PROJECT_ID/locations/global/floorSetting'\--remove-integrated-services=GOOGLE_MCP_SERVER

  ReplacePROJECT_ID with the Google Cloud projectID.

  Model Armor won't scan MCP traffic in the project.

  Control MCP use with IAM deny policies

  Identity and Access Management (IAM) deny policies help yousecure Google Cloud remote MCP servers. Configure these policies to blockunwanted MCP tool access.

  For example, you can deny or allow access based on:

  • The principal.
  • Tool properties like read-only.
  • The application's OAuth client ID.

  For more information, seeControl MCP use with Identity and Access Management.

  What's next

  • Read theCompute Engine MCP reference documentation.
  • Learn more aboutGoogle Cloud MCP servers.