Cloudflare's Reference Architecture Secures Enterprise MCP Deployments

Cloudflare details its best practices for securely, efficiently, and cost-effectively deploying the Model Context Protocol (MCP) across its enterprise.

By Redacción Tricuatro | 15 April, 2026 | 2 min read

Cloudflare has aggressively adopted the Model Context Protocol (MCP) as a core component of its artificial intelligence strategy. This shift extends beyond engineering, with employees across product, sales, marketing, and finance teams now using "agentic" workflows to boost daily efficiency. "Agentic" workflows allow AI agents to autonomously pursue goals and take actions. However, adopting agentic workflows with MCP introduces significant security risks. These include authorization sprawl, prompt injection, and supply chain vulnerabilities. To secure this broad company-wide adoption, Cloudflare integrated a suite of security controls from both its Cloudflare One (SASE) platform and its Cloudflare Developer platform. This approach allows the company to govern AI usage with MCP without slowing down its workforce.

Cloudflare is sharing its best practices for securing MCP workflows by combining different platform components into a unified security architecture for the autonomous AI era. The Model Context Protocol is an open standard enabling developers to build a two-way connection between AI applications and necessary data sources. In this architecture, the MCP client serves as the integration point with the large language model (LLM) or other AI agent. The MCP server sits between the MCP client and the corporate resources.

This separation between MCP clients and MCP servers allows agents to autonomously pursue goals and take actions. It also maintains a clear boundary between the AI (integrated at the MCP client) and the credentials and APIs of the corporate resource (integrated at the MCP server). Cloudflare's workforce constantly uses MCP servers to access information within various internal resources. These include project management platforms, the internal wiki, documentation, and code management platforms, among others.

Cloudflare quickly realized that locally-hosted MCP servers posed a significant security liability. Local MCP server deployments might rely on unvetted software sources and versions, increasing the risk of supply chain or tool injection attacks. Furthermore, they prevent IT and security administrators from managing these servers. This leaves individual employees and developers responsible for choosing and updating their MCP servers, which is an unsustainable strategy.

Instead, Cloudflare established a centralized team to manage its remote MCP servers. This centralized approach provides significantly better visibility and control over the entire MCP infrastructure. Centralized management ensures all servers are consistently updated and adhere to strict security standards. This mitigates the risks associated with decentralized deployments, creating a more secure environment for the entire organization.

To further support enterprise MCP deployments, Cloudflare is introducing two new concepts. First, it is launching Code Mode with MCP server portals, designed to drastically reduce token costs associated with MCP usage. Second, it describes how to use Cloudflare Gateway for Shadow MCP detection, a crucial tool for discovering unauthorized remote MCP servers within the network. These innovations, alongside Cloudflare products like Cloudflare Access and AI Gateway, form a proactive and unified security architecture.
