Model Armor integration with Google Cloud MCP servers

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This document shows you how to configure Model Armor to help protect your data and secure content when sending requests to Google Cloud services that expose Model Context Protocol (MCP) tools and servers.

Model Armor helps secure your agentic AI applications by sanitizing MCP tool calls and responses. This process mitigates risks such as prompt injection and sensitive data disclosure.

Before you begin

  1. Enable the MCP servers that you want to use. For more information, see Enable or disable MCP servers.
  2. Enable the Model Armor API in your project. For more information, see Enable APIs.
  3. If you have data residency requirements, you must configure a log sink to route logs to a compliant storage location before you enable Cloud Logging in the next procedure. Configuring a log sink helps ensure that Model Armor logs are stored in the appropriate regional buckets. For more information, see Regionalize your logs.

Configure protection for Google and Google Cloud remote MCP servers

To protect your MCP tool calls and responses, you create a Model Armor floor setting and then enable MCP content security for your project. A floor setting defines the minimum security filters that apply across the project. This configuration applies a consistent set of filters to all MCP tool calls and responses within the project.

Tip: Don't enable the prompt injection and jailbreak filter unless your MCP traffic carries natural language data.
  1. Set up a Model Armor floor setting with MCP sanitization enabled. For more information, see Configure Model Armor floor settings.

    Note: If the agent and the MCP server are in different projects, you can create floor settings in both projects (the client project and the resource project). In this case, Model Armor is invoked twice, once for each project.

    See the following example command:

    gcloud model-armor floorsettings update \
      --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
      --enable-floor-setting-enforcement=TRUE \
      --add-integrated-services=GOOGLE_MCP_SERVER \
      --google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
      --enable-google-mcp-server-cloud-logging \
      --malicious-uri-filter-settings-enforcement=ENABLED \
      --add-rai-settings-filters='[{"confidenceLevel": "HIGH", "filterType": "DANGEROUS"}]'

    Replace PROJECT_ID with your Google Cloud project ID.

    Note the following settings:

  2. For your project, enable Model Armor protection for remote MCP servers.

    gcloud beta services mcp content-security add modelarmor.googleapis.com --project=PROJECT_ID

    Replace PROJECT_ID with your Google Cloud project ID. After you run this command, Model Armor sanitizes all MCP tool calls and responses from the project, regardless of where the calls and responses originate.

  3. To confirm that Google MCP traffic is sent to Model Armor, run the following command:

    gcloud beta services mcp content-security get --project=PROJECT_ID

    Replace PROJECT_ID with the Google Cloud project ID.

Verify Model Armor protection

After you configure Model Armor protection for MCP servers, you can verify that it's working by sending a request that contains content that should be blocked and checking that Model Armor blocks it. The following steps assume that you have enabled Logging for Model Armor as described in Configure protection for Google and Google Cloud remote MCP servers.

  1. In the project where you enabled Model Armor protection, call an MCP tool with a harmful value in one of its parameters. For example, if you enabled the Malicious URI filter, include a phishing test URL in a parameter, such as http://testsafebrowsing.appspot.com/s/phishing.html.
  2. Verify that the MCP tool call is blocked. Depending on the MCP server and client, you might receive an error or an empty response, indicating that the request was blocked by a security policy.
  3. In the Google Cloud console, go to the Logs Explorer page.

  4. In the Query pane, enter the following query:

    resource.type="model-armor_managed_service"
    logName="projects/PROJECT_ID/logs/modelarmor.googleapis.com%2Fdetection"

    Replace PROJECT_ID with your project ID.

  5. Click Run query.

  6. Examine the results in the Query results section. If Model Armor blocked the request, you see a log entry detailing the detected threat, such as MALICIOUS_URI_DETECTED.
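
A command-line equivalent of steps 3 to 6, as an added example that is not part of Google's documentation: it runs the page's Logs Explorer filter through `gcloud logging read` and counts recent detection entries. The function names, the 15-minute window and the 50-entry limit are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check from the CLI that
# Model Armor logged a detection after the test MCP tool call.

# Accept only a syntactically valid project ID (6-30 chars: lowercase letters,
# digits, hyphens), so the value cannot change the filter it is placed into.
valid_project_id() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;   # rejects quotes, spaces, newlines, etc.
  esac
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Build the filter the page gives for the Query pane, joined with an explicit AND.
detection_filter() {
  local project="$1"
  if ! valid_project_id "$project"; then
    echo "invalid project ID: $project" >&2
    return 2
  fi
  printf 'resource.type="model-armor_managed_service" AND logName="projects/%s/logs/modelarmor.googleapis.com%%2Fdetection"' "$project"
}

# Print how many detection entries were written in the window (default 15m).
count_detections() {
  local project="$1" window="${2:-15m}" filter out
  filter="$(detection_filter "$project")" || return 2
  out="$(gcloud logging read "$filter" --project="$project" \
           --freshness="$window" --limit=50 --format='value(insertId)')" || return 3
  printf '%s\n' "$out" | grep -c . || true   # grep exits 1 on a count of 0
}

# Succeed only if at least one detection entry exists in the window.
verify_blocked() {
  local n
  n="$(count_detections "$@")" || return 2
  [ "${n:-0}" -gt 0 ]
}

# Run the check only when a project ID is supplied in the environment.
if [ -n "${PROJECT_ID:-}" ]; then
  if verify_blocked "$PROJECT_ID"; then
    echo "Model Armor detection entries found for $PROJECT_ID"
  else
    echo "No detection entries found; check the floor setting and logging" >&2
  fi
fi
```

Run it as `PROJECT_ID=your-project ./check.sh` shortly after the blocked test call. A return code of 3 from `count_detections` means the `gcloud` call itself failed, which is distinct from a count of zero.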

Disable Model Armor in a project

To disable Model Armor on a Google Cloud project, run the following command:

gcloud beta services mcp content-security remove modelarmor.googleapis.com \
  --project=PROJECT_ID

Replace PROJECT_ID with the Google Cloud project ID.

Google MCP traffic won't be scanned by Model Armor for the specified project.

Disable scanning MCP traffic with Model Armor

If you want to use Model Armor in a project, and you want to stop scanning Google MCP traffic with Model Armor, run the following command:

gcloud model-armor floorsettings update \
  --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
  --remove-integrated-services=GOOGLE_MCP_SERVER

Replace PROJECT_ID with the Google Cloud project ID.

Model Armor won't scan MCP traffic in the project.

Last updated 2026-02-19 UTC.