ADK supports Google-managed, remote, and self-hosted MCP servers. The first gives you production-ready infrastructure with zero operations overhead, while the other two offer flexibility for custom or experimental tools.
2. Enterprise-grade security and content guardrails
Security in the agentic era cannot be an afterthought. Here’s how two key security features can be applied to our Cityscape agent.
Granular control of MCP tools via IAM Deny policies
Google Cloud lets you control MCP tool access using IAM deny policies — the same governance framework you already use for other Google Cloud resources.
Now imagine we extend the Cityscape agent by adding a BigQuery MCP server — perhaps to query a dataset of historical cityscape metadata or population statistics. The BigQuery MCP server exposes both read-only tools like get_dataset_info and list_datasets, as well as write tools like execute_sql that can modify data.
In our use case, the agent should only query BigQuery for information — it should never execute SQL that inserts, updates, or deletes data. With Google-managed MCP servers, you don’t have to rely on prompt engineering alone to enforce this.
Instead, you apply an IAM Deny policy that blocks any tool not annotated as read-only:
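
A deny policy of that shape, given here as an added example and not the original post's listing. The permission name `mcp.googleapis.com/tools.call` and the condition attribute `mcp.googleapis.com/tool.isReadOnly` are assumptions based on Google Cloud's IAM documentation for MCP and should be checked against it before the policy is attached.

```json
{
  "displayName": "Deny MCP tools that are not read-only (added example)",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "deniedPermissions": [
          "mcp.googleapis.com/tools.call"
        ],
        "denialCondition": {
          "title": "Deny read-write tools",
          "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
        }
      }
    }
  ]
}
```

The `false` default in `api.getAttribute` makes the rule fail closed: a tool that carries no read-only annotation is treated as a write tool and denied, so `execute_sql` is blocked while `get_dataset_info` and `list_datasets` remain callable. Because deny policies are evaluated before allow policies, the block holds even for principals whose roles would otherwise grant the tool call.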






