
Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks


Cloudflare has outlined a reference architecture for scaling Model Context Protocol (MCP) deployments across the enterprise, positioning centralized governance, remote server infrastructure, and cost controls as key requirements for production-ready agent systems.

The announcement comes amid growing scrutiny of MCP-based systems, as recent research highlights risks such as prompt injection, supply chain attacks, and exposed or misconfigured servers, with some studies demonstrating arbitrary code execution and data exfiltration across MCP integrations.

MCP, an open standard for connecting AI agents to external tools and data sources, separates the agent-facing client from backend servers that interface with corporate resources. This abstraction allows agents to autonomously retrieve data and perform actions, but also introduces new trust boundaries between models, tools, and sensitive systems. Researchers note that MCP’s architecture expands attack surfaces compared to traditional LLM usage, as a single prompt can trigger chains of actions across multiple systems.

Academic analysis further suggests that these risks are not limited to implementation flaws, but stem from protocol-level design choices that can amplify attack success rates in agent-tool systems.

Cloudflare argues that locally deployed MCP servers represent a significant security liability, as they often rely on unvetted software and lack centralized oversight. Instead, the company has adopted a model in which MCP servers are deployed remotely on its developer platform and managed by a centralized team.

Authentication is handled through Cloudflare Access, which integrates with single sign-on (SSO), multi-factor authentication (MFA), and contextual signals such as device posture and location. MCP server portals provide a unified interface for discovering and accessing authorized servers, while also enabling administrators to enforce policies such as data loss prevention (DLP) rules and fine-grained tool exposure.

[Figure. Source: Cloudflare]

On the cost control side, the architecture also incorporates an "AI Gateway", positioned between MCP clients and the underlying language models. This allows organizations to route requests across different model providers while enforcing usage limits and monitoring token consumption at a per-user level.
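The two preceding paragraphs describe three controls that a governance layer between MCP clients and servers would enforce: contextual access (SSO/MFA plus device posture), fine-grained tool exposure with a DLP rule on tool output, and a per-user token budget. The following is an added example, not Cloudflare's code or any part of Cloudflare Access, the MCP server portal or the AI Gateway; it models those controls in one small in-process gateway. The identities, group-to-tool mapping, tool handlers, card-number DLP pattern and word-count token estimate are all constructed for the example.

```python
"""Added example (not Cloudflare's code): a minimal governance layer that sits
between an MCP client and its servers and applies per-user tool exposure,
a DLP rule on tool output, and a per-user token budget."""
from dataclasses import dataclass, field
import re


@dataclass
class Identity:
    """Constructed identity context, standing in for what an SSO/MFA layer asserts."""
    user: str
    groups: set
    mfa: bool
    device_managed: bool


# Constructed tool catalog: name -> handler. Handlers return canned data.
TOOLS = {
    "crm.search": lambda q: f"Contact found for {q}: card 4111-1111-1111-1111",
    "wiki.read": lambda q: f"Wiki page about {q}",
    "hr.salary": lambda q: f"Salary for {q}: 123456",
}

# Tool exposure policy (assumption: group based): which groups may see which tools.
EXPOSURE = {
    "sales": {"crm.search", "wiki.read"},
    "hr": {"hr.salary", "wiki.read"},
    "everyone": {"wiki.read"},
}

# DLP rule: mask anything that looks like a 16-digit card number in tool output.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


@dataclass
class Decision:
    allowed: bool
    reason: str
    output: str = ""


@dataclass
class Gateway:
    token_budget: int = 1000            # per-user budget (constructed number)
    used: dict = field(default_factory=dict)

    def visible_tools(self, who: Identity) -> set:
        """Fine-grained exposure: the union of what the user's groups may see."""
        allowed = set(EXPOSURE["everyone"])
        for g in who.groups:
            allowed |= EXPOSURE.get(g, set())
        return allowed

    def call(self, who: Identity, tool: str, arg: str) -> Decision:
        # Contextual access: this example requires MFA and a managed device.
        if not (who.mfa and who.device_managed):
            return Decision(False, "MFA and managed device required")
        if tool not in self.visible_tools(who):
            return Decision(False, f"tool {tool} not exposed to {who.user}")
        result = TOOLS[tool](arg)
        # Crude token estimate: whitespace-separated words; a real gateway
        # would count model tokens for both the request and the response.
        cost = len(arg.split()) + len(result.split())
        spent = self.used.get(who.user, 0)
        if spent + cost > self.token_budget:
            return Decision(False, "token budget exceeded")
        self.used[who.user] = spent + cost
        # DLP runs on the tool output before it reaches the model.
        return Decision(True, "ok", CARD_RE.sub("[REDACTED CARD]", result))


if __name__ == "__main__":
    gw = Gateway(token_budget=10)
    alice = Identity("alice", {"sales"}, mfa=True, device_managed=True)
    print(gw.call(alice, "crm.search", "Acme"))   # allowed, card masked
    print(gw.call(alice, "hr.salary", "Acme"))    # denied: not exposed
    print(gw.call(alice, "wiki.read", "Acme"))    # denied: budget exceeded
```

The point of the shape is that every control is evaluated in the gateway, not in the model's prompt and not in the individual MCP servers, so a prompt-injected tool call still has to pass the same exposure, DLP and budget checks as a legitimate one.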

The company also introduced "Code Mode", designed to address the growing complexity of MCP tool definitions. Rather than exposing every API operation to the model, Code Mode collapses tool interfaces into a small set of dynamic entry points, allowing models to discover and invoke tools on demand. Cloudflare reports this can reduce token usage by up to 99.9%, mitigating context window limitations.
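To make the Code Mode idea concrete, here is an added example that is not Cloudflare's implementation: it contrasts sending every tool schema to the model up front with exposing only two dynamic entry points, `search_tools` and `invoke`, and measures how much context each approach consumes. The tool catalog, the entry-point schemas and the use of compact JSON bytes as a stand-in for model tokens are all constructed assumptions of the example; the savings it reports are for this synthetic catalog and are not a reproduction of the figure Cloudflare cites.

```python
"""Added example (not Cloudflare's Code Mode): full tool exposure versus
two dynamic entry points, with context size measured in compact JSON bytes."""
import json


def make_catalog(n: int) -> dict:
    """Constructed catalog of n tools with realistic-looking JSON schemas."""
    catalog = {}
    for i in range(n):
        catalog[f"service{i % 10}.op{i}"] = {
            "description": f"Operation {i} on service {i % 10}; returns a record.",
            "inputSchema": {
                "type": "object",
                "properties": {
                    "id": {"type": "string"},
                    "fields": {"type": "array", "items": {"type": "string"}},
                },
                "required": ["id"],
            },
        }
    return catalog


def full_exposure(catalog: dict) -> list:
    """What the model sees under the naive approach: every schema, every turn."""
    return [{"name": k, **v} for k, v in catalog.items()]


# The only two tool definitions the model sees under the dynamic approach.
DYNAMIC_ENTRY_POINTS = [
    {"name": "search_tools",
     "description": "Find tools by keyword; returns names and descriptions.",
     "inputSchema": {"type": "object",
                     "properties": {"query": {"type": "string"}},
                     "required": ["query"]}},
    {"name": "invoke",
     "description": "Call a tool by name with JSON arguments.",
     "inputSchema": {"type": "object",
                     "properties": {"name": {"type": "string"},
                                    "args": {"type": "object"}},
                     "required": ["name", "args"]}},
]


def search_tools(catalog: dict, query: str, limit: int = 5) -> list:
    """Discovery on demand: only matching tools, and only a bounded number."""
    hits = [(k, v["description"]) for k, v in catalog.items()
            if query in k or query in v["description"]]
    return [{"name": k, "description": d} for k, d in hits[:limit]]


def invoke(catalog: dict, name: str, args: dict) -> dict:
    """Server-side check that stands in for the real handler: unknown tools and
    missing required arguments are rejected before anything runs."""
    if name not in catalog:
        raise KeyError(name)
    missing = [r for r in catalog[name]["inputSchema"]["required"] if r not in args]
    if missing:
        raise ValueError(f"missing required arguments: {missing}")
    return {"tool": name, "args": args}


def context_bytes(obj) -> int:
    return len(json.dumps(obj, separators=(",", ":")))


def savings(n: int) -> float:
    """Fraction of context saved by the dynamic entry points for a catalog of n
    tools, counting the entry-point schemas plus one search result set."""
    cat = make_catalog(n)
    full = context_bytes(full_exposure(cat))
    dynamic = context_bytes(DYNAMIC_ENTRY_POINTS) + context_bytes(search_tools(cat, "op7"))
    return 1 - dynamic / full


if __name__ == "__main__":
    for n in (10, 50, 200):
        print(f"{n:>4} tools: {savings(n):.1%} of context saved")
```

The saving grows with catalog size because the dynamic side is bounded by the two fixed schemas plus `limit` search hits, while full exposure grows linearly with the number of tools. The `invoke` check is where a gateway would also apply the exposure policy from the earlier paragraphs, since discovery on demand must not become a way around it.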

While these architectural controls address immediate concerns around security and cost, some analysts argue that the underlying challenge may be less about individual features and more about how MCP fits into the broader architecture of agent systems. Forrester notes that protocols such as MCP are often mistaken for governance layers, when in practice they function more like transport or interoperability mechanisms, comparable to RPC or messaging systems rather than policy engines.

This distinction becomes significant as enterprises begin to introduce centralized control layers. Recent research suggests that governance, observability, and policy enforcement are emerging as a separate "control plane" concern in agent architectures, sitting above both tool integration and orchestration layers. In this context, approaches such as Cloudflare’s can be seen as part of a wider movement toward externalizing control, rather than something inherent to MCP itself.
