MCP tunnels: govern private servers without exposing them
Blog post from Speakeasy
MCP tunnels let an organization govern private MCP servers without exposing them to the public internet. They address the challenge of managing internal servers, such as Postgres or admin MCPs, that are typically hidden behind firewalls. A tunnel client runs within the network, connects to the MCP server, and establishes an outbound-only connection to the Speakeasy control plane. That connection securely proxies full MCP traffic without opening inbound firewall ports or requiring a public hostname. The solution maintains strong tenant isolation and enhances security by ensuring that only authorized traffic can reach the server; the server also becomes part of the registry, where its activity is auditable and policy-governed. Unlike vendor-specific tunnels, which limit connectivity to particular infrastructures, Speakeasy tunnels are vendor-neutral: they allow integration with various agents such as Claude, ChatGPT, and the Responses API through a single governed path, effectively creating an internal AI service mesh. This approach gives sensitive servers observability and access control over a streamlined, cross-platform connection without compromising security. Organizations can implement it through configuration in the Speakeasy dashboard.