
xbill for Google Developer Experts

Posted on • Originally published at xbill999.Medium on

Secure MCP Development with Rust, Cloud Run, and Cloud Run Proxy

Enabling Cloud Run Proxy support to secure remote access to MCP services.

What is this Tutorial Trying to Do?

The goal of the tutorial is to use Gemini CLI as an MCP client for secure access to remote MCP-enabled services via the setup and configuration of the Cloud Run Proxy.

What is the Cloud Run Proxy?

The Cloud Run Proxy acts like a secure tunnel over the Internet and allows Cloud Run services to be deployed with authentication, which limits the risk of unauthorized access.

The Cloud Run proxy provides a secure tunnel from your local environment to a Cloud Run Hosted Service:

gcloud run services proxy | Google Cloud SDK Documentation

Initial Environment Setup

The environment is meant to be run from a Bash-like shell. You can run this from a Linux VM, ChromeOS Linux VM, Firebase Studio environment, or any environment that provides a basic shell. You will also need a working Docker environment.

What is Rust?

Rust is a high performance, memory safe, compiled language:

Rust

Rust provides memory safe operations beyond C/C++ and also can provide exceptional performance gains as it is compiled directly to native binaries.

Rust Setup

Instructions to install Rust are available here:

Getting started

For a Linux-like environment the command looks like this:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Rust also depends on a working C compiler and OpenSSL setup. For a Debian 12 system — install the basic tools for development:

sudo apt install build-essential
sudo apt install libssl-dev
sudo apt install pkg-config
sudo apt-get install libudev-dev
sudo apt install make
sudo apt install git

Getting Started with Rust and MCP

When MCP was first released, there were several competing Rust frameworks that provided support for the protocol. Eventually, one officially supported SDK was consolidated to provide a standard package for building MCP applications with Rust. This SDK is more like a toolbox that provides many options: clients/servers, different transports, and even more advanced integration options.

The official MCP Rust SDK (rmcp) is available here:

GitHub - modelcontextprotocol/rust-sdk: The official Rust SDK for the Model Context Protocol

Gemini CLI

If not pre-installed you can install the Gemini CLI to interact with the source files and provide real-time assistance:

sudo npm install -g @google/gemini-cli

Note: if you are in a non-standard environment, you will need to make sure that at least Node version 20 is available in order to run Gemini CLI.

Testing the CLI Environment from the VM

Once you have all the tools and the correct Node.js version in place, you can test the startup of Gemini CLI. You will need to authenticate with a Key or your Google Account:

gemini

Where do I start?

The strategy for starting MCP development is an incremental, step-by-step approach.

First, the basic development environment is set up with the required system variables and a working Gemini CLI configuration.

Then, a system info Rust MCP Server is built with HTTP transport. This server is validated with Gemini CLI in the local environment.

This setup validates the connection from Gemini CLI to the local process via MCP. The MCP client (Gemini CLI) and the Rust MCP server both run in the same local environment.

This entire solution is then deployed to Google Cloud Run in secure mode.

Gemini CLI is used with the Google Cloud Run proxy to verify the secure connection.

Setup the Basic Environment

At this point you should have a working Rust environment and a working Gemini CLI installation. The next step is to clone the GitHub samples repository with support scripts:

cd ~
git clone https://github.com/xbill9/iap-https-rust

Then run init.sh from the cloned directory.

The script will attempt to determine your shell environment and set the correct variables:

cd iap-https-rust
source init.sh

If your session times out or you need to re-authenticate, you can run the set_env.sh script to reset your environment variables:

cd iap-https-rust
source set_env.sh

Variables like PROJECT_ID need to be set up for use in the various build scripts, so the set_env script can be used to reset the environment if you time out.

Info Tool with HTTP Transport

One of the key features that the standard MCP libraries provide is abstracting various transport methods.

The high-level MCP tool implementation is the same no matter which low-level transport channel or method the MCP client uses to connect to an MCP server.

The simplest transport that the SDK supports is the stdio (stdin/stdout) transport, which connects a locally running process. Both the MCP client and MCP server must be running in the same environment.

The HTTP transport allows the MCP client and server to run on the same system or be distributed over the Internet.

The connection over HTTP will look similar to this:

    // 4. Setup MCP Service
    let service_factory = || Ok(SysUtils::new());
    let session_manager = LocalSessionManager::default();
    let config = StreamableHttpServerConfig::default();
    let service = StreamableHttpService::new(service_factory, session_manager.into(), config);

Running the Rust Code

First, switch to the directory with the Rust version of the MCP sample code:

cd ~/iap-https-rust/proxy-rust

Run the release version on the local system:

xbill@penguin:~/iap-https-rust/proxy-rust$ make release

You can validate the final result by checking the messages:

xbill@penguin:~/iap-https-rust/proxy-rust$ make release
Building Release...
    Finished `release` profile [optimized] target(s) in 0.18s
xbill@penguin:~/iap-https-rust/proxy-rust$ 

The project can also be linted:

xbill@penguin:~/iap-https-rust/proxy-rust$ make lint
Linting code...
    Checking proxy-rust v0.3.0 (/home/xbill/iap-https-rust/manual)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.55s
xbill@penguin:~/iap-https-rust/proxy-rust$ 

And a test run:

xbill@penguin:~/iap-https-rust/proxy-rust$ make test
Running tests...
    Finished `test` profile [unoptimized + debuginfo] target(s) in 0.08s
     Running unittests src/main.rs (target/debug/deps/proxy_rust-2cac7fbc2558208e)

running 7 tests
test tests::test_schema_generation ... ok
test tests::test_decode_iap_jwt ... ok
test tests::test_health_check ... ok
test tests::test_disk_usage ... ok
test tests::test_list_processes ... ok
test tests::test_collect_system_info_with_context ... ok
test tests::test_sysutils_proxy_rust ... ok

test result: ok. 7 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.11s

xbill@penguin:~/iap-https-rust/proxy-rust$ 

Running the Tool Locally

Once the release version has been built, the resulting binary can be executed directly in the local environment.

The quick summary of local system info can be run right from the Makefile:

xbill@penguin:~/iap-https-rust/proxy-rust$ make info
   Compiling proxy-rust v0.3.0 (/home/xbill/iap-https-rust/manual)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 4.66s
     Running `target/debug/proxy-rust info`
DEBUG: Starting proxy-rust version 0.3.0-debug
DEBUG: Environment: PORT=8080
DEBUG: Sleeping for 10s before bind to allow environment to settle
DEBUG: Attempting to bind to 0.0.0.0:8080
DEBUG: Successfully bound to 0.0.0.0:8080
System Information Report
=========================

IAP Context & Identity
----------------------
Header Source: x-goog-iap-jwt-assertion
Status: No IAP JWT found (Expected in production Cloud Run environment)

HTTP Request Headers
--------------------
Status: No request headers captured (CLI mode or capture error)

IAP Setup Configuration
-----------------------
Status: No IAP configuration files found in current directory.

System Information
------------------
System Name: Debian GNU/Linux
Kernel Version: 6.6.99-09121-g16665fbb817c
OS Version: 12
Host Name: penguin

CPU Information
---------------
Number of Cores: 16

Memory Information
------------------
Total Memory: 6364 MB
Used Memory: 345 MB
Total Swap: 0 MB
Used Swap: 0 MB

Network Interfaces
------------------
lo : RX: 83702 bytes, TX: 83702 bytes (MAC: 00:00:00:00:00:00)
vethae45816 : RX: 126 bytes, TX: 1938 bytes (MAC: 8a:26:e4:92:66:8f)
eth0 : RX: 91353605 bytes, TX: 44286022 bytes (MAC: 00:16:3e:07:39:7b)
docker0 : RX: 0 bytes, TX: 0 bytes (MAC: 4e:a3:6a:33:b5:c6)
br-e70a18428e21 : RX: 168 bytes, TX: 636 bytes (MAC: d2:f5:fe:60:32:db)
vethbe6ba29 : RX: 126 bytes, TX: 1896 bytes (MAC: a2:53:6a:23:c8:b7)

System Information with MCP HTTP Transport

One of the key features that the MCP protocol provides is abstracting various transport methods.

The high-level MCP tool implementation is the same no matter which low-level transport channel or method the MCP client uses to connect to an MCP server.

The simplest transport that the SDK supports is the stdio (stdin/stdout) transport, which connects a locally running process. Both the MCP client and MCP server must be running in the same environment.

The HTTP transport allows the MCP client and server to run in the same environment or be distributed over the Internet.

First, switch to the directory with the HTTP sample code and start the server:

xbill@penguin:~/iap-https-rust/proxy-rust$ make run
Running the Rust project...
    Finished `release` profile [optimized] target(s) in 0.12s
     Running `target/release/proxy-rust`
DEBUG: Starting proxy-rust version 0.3.0-debug
DEBUG: Environment: PORT=8080
DEBUG: Sleeping for 10s before bind to allow environment to settle
DEBUG: Attempting to bind to 0.0.0.0:8080
DEBUG: Successfully bound to 0.0.0.0:8080
{"timestamp":"2026-02-14T00:40:22.549096Z","level":"INFO","fields":{"message":"MCP Server starting on http://0.0.0.0:8080"},"target":"proxy_rust"}

This step validates that the tool can be started locally in streaming HTTP transport mode.

Deploying to Cloud Run

After the HTTP version of the MCP server has been tested locally — it can be deployed remotely to Google Cloud Run.

First, switch to the directory with the HTTP MCP sample code and start the deployment:

xbill@penguin:~/iap-https-rust/proxy-rust$ make deploy


Deploy the project to Google Cloud Run with the pre-built cloudbuild.yaml and Dockerfile:

Submitting build to Google Cloud Build...
     Removed 0 files
Creating temporary archive of 9 file(s) totalling 95.1 KiB before compression.
Uploading tarball of [.] to [gs://comglitn_cloudbuild/source/1771029685.520524-4d4e525663fc48a28ced6ab95d8f02ff.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/comglitn/locations/global/builds/e043b0e3-4cc0-42d7-a33e-43b9ff52d8d3].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/e043b0e3-4cc0-42d7-a33e-43b9ff52d8d3?project=1056842563084].
Waiting for build to complete. Polling interval: 1 second(s).

The Cloud Build will start:

BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Sending build context to Docker daemon 106.5kB
Step #0: Step 1/11 : FROM rust:1.93-bookworm AS builder
Step #0: 1.93-bookworm: Pulling from library/rust

It can take 15–30 minutes to complete the build.

The cloud build needs to pull in all the Rust libraries in the build environment and generate the entire package from scratch:

Step #1: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #1: Deploying container to Cloud Run service [sysutils-proxy-rust] in project [comglitn] region [us-central1]
Step #1: Deploying new service...
Step #1: Creating Revision.............................................................................................................................................................................................................................................................................................................................done
Step #1: Routing traffic.....done
Step #1: Done.
Step #1: Service [sysutils-proxy-rust] revision [sysutils-proxy-rust-00001-jtb] has been deployed and is serving 100 percent of traffic.
Step #1: Service URL: https://sysutils-proxy-rust-1056842563084.us-central1.run.app
Finished Step #1
PUSH
DONE

When the build is complete, an endpoint will be returned. The service endpoint in this example is:

https://sysutils-proxy-rust-1056842563084.us-central1.run.app

The actual endpoint will vary based on your project settings.

Review Service in Cloud Run

Navigate to the Google Cloud console and search for Cloud Run, and then you can view detailed information on the Cloud Run Service.

Cloud Logging

The remote server writes logs to stderr in standard JSON format. These logs are available from the deployed Cloud Run Service.

Validate HTTP connection

Once you have the endpoint, you can attempt a connection. Navigate to it in your browser:

https://sysutils-proxy-rust-1056842563084.us-central1.run.app

You will need to adjust the exact URL to match the URL returned from Cloud Build.

You will get an error, as this connection is expecting a message in the MCP format:

Error: Forbidden
Your client does not have permission to get URL / from this server.

Configure the Cloud Run Proxy in Gemini Settings

The stdio server checks the API key if it is provided. The set_key.sh script sets the environment variable from the Google Cloud settings. A sample Gemini setup is provided for this scenario as well:

{
  "mcpServers": {
    "cloud-proxy-rust": {
      "httpUrl": "http://127.0.0.1:3000/mcp"
    }
  }
}

Verify Proxy is Enforced

Start Gemini CLI to test the connection to the Cloud Run Service. At this point the Cloud Run Proxy has not been activated so the connection will fail:

✕ Error during discovery for MCP server 'cloud-proxy-rust': fetch failed

 > /mcp list
Configured MCP servers:

🔴 cloud-proxy-rust - Disconnected
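
An added check for this step, not part of the original tutorial or its repository: it confirms that a request without credentials is rejected by the deployed service (the Forbidden response shown earlier) and that the httpUrl in the Gemini CLI settings targets the loopback proxy address rather than the public service URL. The SERVICE_URL and GEMINI_SETTINGS variables and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks that authentication is enforced on the Cloud Run
# service and that Gemini CLI talks to the local proxy, not the public URL.

# Classify the HTTP status returned to a request sent WITHOUT credentials.
auth_verdict() {
  case "$1" in
    401|403) echo "enforced" ;;      # rejected by the authentication check
    000)     echo "unreachable" ;;   # curl could not connect at all
    2??|4??) echo "not-blocked" ;;   # request got past the authentication check
    *)       echo "inconclusive" ;;  # redirects, 5xx: inspect by hand
  esac
}

# Status code of an anonymous GET (curl reports 000 when it cannot connect).
anon_status() {
  curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" || true
}

# Succeed only if the first httpUrl in a Gemini settings file is a loopback
# address with an explicit port. The strict pattern also rejects look-alikes
# such as http://127.0.0.1:3000@example.com/ (userinfo trick).
settings_use_loopback() {
  url=$(sed -n 's/.*"httpUrl"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
  printf '%s\n' "$url" | grep -Eq '^http://(127\.0\.0\.1|localhost):[0-9]+(/|$)'
}

# Live check runs only when both variables are set (assumed names), e.g.
#   SERVICE_URL=https://<your-service>.run.app GEMINI_SETTINGS=<path> sh check.sh
if [ -n "${SERVICE_URL:-}" ] && [ -n "${GEMINI_SETTINGS:-}" ]; then
  status=$(anon_status "$SERVICE_URL")
  echo "anonymous request: HTTP $status -> $(auth_verdict "$status")"
  if settings_use_loopback "$GEMINI_SETTINGS"; then
    echo "settings: httpUrl goes through the local proxy"
  else
    echo "settings: httpUrl is NOT a loopback address"
  fi
fi
```

A not-blocked verdict means the request got past the authentication check, so the service's invoker permissions should be reviewed before any MCP tool is exposed through it.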

Enabling Cloud Run Proxy

Cloud Run Proxy will be used to secure the connection from the local environment to the remote service. The proxy service must be running at the same time as Gemini CLI to route your calls to the remote Cloud Run Service. The Cloud Run Proxy is not usually installed as part of the base Google Cloud CLI tools, so you will get prompted to install the package in your environment. To start the proxy, open a new window and run the sample script:

xbill@penguin:~/iap-https-rust/proxy-rust$ source startproxy-rust.sh 
--- Setting Google Cloud Environment Variables ---
Checking gcloud authentication status...
gcloud is authenticated.

Pausing command execution:

This command requires the `cloud-run-proxy` component to be installed. Would you like to install the `cloud-run-proxy` component to 
continue command execution? (Y/n)? y

ERROR: (gcloud.run.services.proxy) 
You cannot perform this action because the Google Cloud CLI component manager 
is disabled for this installation. You can run the following command 
to achieve the same result for this installation:

sudo apt-get install google-cloud-cli-cloud-run-proxy

xbill@penguin:~/$ sudo apt-get install google-cloud-cli-cloud-run-proxy
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  google-cloud-cli-cloud-run-proxy
0 upgraded, 1 newly installed, 0 to remove and 80 not upgraded.
Need to get 7,674 kB of archives.
After this operation, 21.4 MB of additional disk space will be used.
Get:1 https://packages.cloud.google.com/apt cloud-sdk/main amd64 google-cloud-cli-cloud-run-proxy amd64 538.0.0-0 [7,674 kB]
Fetched 7,674 kB in 1s (7,569 kB/s)                        
Selecting previously unselected package google-cloud-cli-cloud-run-proxy.
(Reading database ... 137857 files and directories currently installed.)
Preparing to unpack .../google-cloud-cli-cloud-run-proxy_538.0.0-0_amd64.deb ...
Unpacking google-cloud-cli-cloud-run-proxy (538.0.0-0) ...
Setting up google-cloud-cli-cloud-run-proxy (538.0.0-0) ...
Processing triggers for google-cloud-cli (529.0.0-0) ...
Processing triggers for google-cloud-cli-anthoscli (529.0.0-0) ...
Scanning processes...

Once the Google Cloud CLI package has been enabled — restart the proxy:

xbill@penguin:~/iap-https-rust/proxy-rust$ source startproxy-rust.sh 
--- Setting Google Cloud Environment Variables ---
Checking gcloud authentication status...
gcloud is authenticated.

You should see a message similar to this once it has started:

--- Environment setup complete ---
Starting Local Proxy
Proxying to Cloud Run service [sysutils-proxy-rust] in project [comglitn] region [us-central1]
http://127.0.0.1:3000 proxies to https://sysutils-proxy-rust-fgasxpwzoq-uc.a.run.app

Connect to Cloud Run MCP server

Once the Cloud Run proxy has been activated, keep it running and start a new terminal window. Start a fresh connection over the proxy to Gemini CLI:

 > /mcp list
Configured MCP servers:

🟢 cloud-proxy-rust - Ready (3 tools)
  Tools:
  - disk_usage
  - list_processes
  - sysutils_proxy_rust


The tool can then be run inside the Cloud Run environment:

 > call mcp tool sysutils_proxy_rust
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Action Required │
│ │
│ ? sysutils_proxy_rust (cloud-proxy-rust MCP Server) {} │
│ │
│ MCP Server: cloud-proxy-rust │
│ Tool: sysutils_proxy_rust │
│ Allow execution of MCP tool "sysutils_proxy_rust" from server "cloud-proxy-rust"? │
│ │
│ 1. Allow once │
│ 2. Allow tool for this session │
│ 3. Allow all server tools for this session │
│ ● 4. Allow tool for all future sessions │
│ 5. No, suggest changes (esc) │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ ✓ sysutils_proxy_rust (cloud-proxy-rust MCP Server) {} │
│ │
│ System Information Report │
│ ========================= │
│ │
│ IAP Context & Identity │
│ --- │
│ Header Source: x-goog-iap-jwt-assertion │
│ Status: No IAP JWT found (Expected in production Cloud Run environment) │
│ │
│ HTTP Request Headers │
│ --- │
│ Status: No request headers captured (CLI mode or capture error) │
│ │
│ IAP Setup Configuration │
│ --- │
│ Status: No IAP configuration files found in current directory. │
│ │
│ System Information │
│ --- │
│ System Name: Debian GNU/Linux │
│ Kernel Version: 4.4.0 │
│ OS Version: 12 │
│ Host Name: localhost │
│ │
│ CPU Information │
│ --- │
│ Number of Cores: 2 │
│ │
│ Memory Information │
│ --- │
│ Total Memory: 1024 MB │
│ Used Memory: 5 MB │
│ Total Swap: 0 MB │
│ Used Swap: 0 MB │
│ │
│ Network Interfaces │
│ --- │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✦ The system information report for the current environment has been generated. I am ready for your next command.

This validates the local vs Cloud Run environment, as the system information returned is from the Cloud Run server, not the local environment.

Summary

The strategy for using Rust for MCP development with Gemini CLI was validated with an incremental, step-by-step approach.

A minimal HTTP transport MCP Server was started from Rust source code and validated in the same local environment.

This MCP server was then deployed to Google Cloud Run as a secure service. The Cloud Run proxy was activated to secure the connection and validated with Gemini CLI running as an MCP client.

This approach can be extended to more complex deployments using other MCP transports and Cloud based options.
