​

Govern MCP tools by using an AI gateway (preview)

​

Prerequisites

• The AI gateway must be connected to the Microsoft Foundry resource. Follow the steps in Configure an AI gateway in your Foundry resources. Governance is activated at the Microsoft Foundry resource level. All governance functionality depends on this connection.
• You need permissions to manage API Management policies: the API Management Service Contributor or Owner role on the connected API Management instance. For more information, see Use role-based access control for API Management.
• The MCP server must support one of the following authentication methods:
  • Managed identity (Microsoft Entra)
  • Key-based (API key or token)
  • Custom OAuth identity passthrough
  • Unauthenticated (if applicable)

​

Key benefits

• Secure routing for all new MCP tools through a gateway endpoint
• Consistent access control and authentication enforcement
• Centralized observability for gateway traffic (such as logs and metrics)
• Unified policies for throttling, IP restrictions, and routing
• Seamless reuse of tools through public and private catalogs

​

Govern a tool

​

Add a tool

• Use the tool catalog by selecting Tools > Catalog. Then choose an MCP server to add.
• Add a custom tool by selecting Build > Tools > Custom > Model Context Protocol. Then paste your MCP server endpoint and select an authentication type.

​

Confirm routing

• Remote MCP server endpoint: Verify that it points to the AI gateway URL, not the original MCP server.
• Redirect URL: If you use custom OAuth identity passthrough, confirm that the redirect URL matches your OAuth app registration.
• Authentication method: Confirm the method (key-based or OAuth) aligns with your MCP server requirements.
• Agent usage: Note which agents reference this tool so you can test after applying policies.

​

Apply policies

• Rate limiting: Limit how many calls a project or user can make in one minute.
  Copy

  Ask AI

  <inbound>
    <base />
    <rate-limit-by-key calls="60" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
  </inbound>
  
• IP filtering: Allow requests from only trusted networks.
  Copy

  Ask AI

  <inbound>
    <base />
    <ip-filter action="allow">
      <address>10.0.0.0/24</address> <!-- internal network -->
      <address>20.50.123.45</address> <!-- trusted app -->
    </ip-filter>
  </inbound> 
  
• Correlation ID: Add a unique request ID so that you can trace requests later in logs.
  Copy

  Ask AI

  <inbound>
    <base />
      <set-header name="X-Correlation-Id" exists-action="override"> 
      <value>@(context.RequestId)</value>
    </set-header>
  </inbound>
  
• Removal of sensitive headers: Clean up incoming requests to help protect credentials or session data.
  Copy

  Ask AI

  <inbound>
    <base />
    <set-header name="Cookie" exists-action="delete" />
    <set-header name="Referer" exists-action="delete" />
  </inbound>
  

• Simple routing control: If you have different backends (like ones for different geographies), you can route requests based on a header.
  Copy

  Ask AI

  <inbound>
    <base />
    <choose>
      <when condition="@(context.Request.Headers.GetValueOrDefault('X-Region','us') == 'eu')">
        <set-backend-service base-url="https://europe-api.contoso-mcp.net" />
      </when>
      <otherwise>
        <set-backend-service base-url="https://us-api.contoso-mcp.net" />
      </otherwise>
    </choose>
  </inbound>
  

​

Test with an agent

1. Open the Foundry portal and go to your project.
2. Create a new agent or open an existing one, and configure an MCP tool. For details, see Connect to Model Context Protocol servers.
3. In the agent’s chat interface, send a message that triggers the tool (for example, “List my repositories” for the GitHub MCP server). Verify that the response returns successfully.

​

Verify that governance is working

1. In the Foundry portal, open your MCP tool configuration. Confirm that the tool endpoint points to the AI gateway (not directly to your MCP server).
2. In the Azure portal, open the API Management instance connected to your Foundry resource. Review metrics and logs to confirm that requests appear when your agent calls the tool.

• Look for requests where the name of the API Management instance matches your MCP tool.
• Check Response codes for successful calls (2xx) and policy-blocked calls (429 for rate limits, 403 for IP filters).
• If you applied rate limiting, verify that the X-RateLimit-Remaining header decreases with each call.
• For log-level details, enable Diagnostic settings on your API Management instance and query Azure Monitor Logs.

​

Security considerations

• Treat API keys, tokens, and OAuth client secrets as secrets. Store shared credentials in a project connection and limit project access to authorized users.
• Apply the least-privilege principle for managed identity and Microsoft Entra access.
• Review which headers you forward to backends. Remove only headers that you don’t need, and avoid stripping required authentication headers.

​

Troubleshooting

​

Limitations

• AI gateways support only MCP tools. Foundry-based tools such as SharePoint, code-first MCP tools, tools with managed OAuth, or OpenAPI tools aren’t supported.
• AI gateways don’t log tool traces.
• Gateway routing is applied only at tool creation. Existing tools aren’t automatically mediated with AI gateways.
• API gateways support the application of API Management policies only in the Azure portal, not the Foundry portal.

​

Related content

• Connect to Model Context Protocol servers (preview)
• Set up authentication for Model Context Protocol (MCP) tools (preview)
• Discover and manage tools in the Foundry tool catalog (preview)