MP-301h · Module 3

Network Segmentation for MCP

Zero-trust networking assumes the network is hostile — even inside the corporate perimeter. For MCP servers, this means every connection is authenticated and authorized regardless of the source network. Network segmentation enforces this by placing MCP servers, authorization servers, and downstream resources in separate network segments with explicit allow rules between them. An MCP server in segment A can reach the database in segment B on port 5432 but cannot reach the payment processor in segment C. If the MCP server is compromised, the attacker is contained to segment A and can only reach segment B on the explicitly allowed port.

Service mesh architectures (Istio, Linkerd, Consul Connect) provide network segmentation at the application layer. Each service gets a sidecar proxy that enforces mutual TLS, authorization policies, and traffic rules. MCP servers running in a service mesh get mTLS for free — the sidecar handles certificate management and rotation. Authorization policies can specify which services can call which endpoints: "only the MCP gateway service can reach the MCP tool server on /tools/execute." This is fine-grained segmentation without managing firewall rules.

Egress control is the most overlooked aspect of MCP network segmentation. Ingress rules (who can reach the MCP server) get attention. Egress rules (what the MCP server can reach) are often left wide open. A compromised MCP server with unrestricted egress can exfiltrate data to any endpoint on the internet. Lock down egress: allowlist the specific downstream services the MCP server needs (database on port 5432, authorization server on port 443, downstream API on its endpoint) and block everything else. Monitor egress for unexpected destinations.
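
The egress allowlist and monitoring described above, as an added example (not code from this course): a Python check that reviews flow records against an allowlist of destination and port pairs and a per-destination byte budget. The addresses, the flow record format, the MAX_BYTES_PER_DEST threshold and all function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed egress allowlist for one MCP server: (destination network, port, label).
# Addresses are constructed for this example (RFC 1918 / RFC 5737 ranges).
ALLOWLIST = [
    (ipaddress.ip_network("10.20.0.10/32"), 5432, "database"),
    (ipaddress.ip_network("10.30.0.5/32"), 443, "authorization server"),
    (ipaddress.ip_network("10.40.0.0/28"), 443, "downstream API"),
]
# Assumed per-destination byte budget per review window; tune to observed baselines.
MAX_BYTES_PER_DEST = 50_000_000

# Constructed flow records: "src_ip dst_ip dst_port bytes_sent"
SAMPLE_FLOWS = """\
10.10.0.7 10.20.0.10 5432 182340
10.10.0.7 10.30.0.5 443 4211
10.10.0.7 203.0.113.50 443 7340032
10.10.0.7 10.20.0.10 22 512
10.10.0.7 10.40.0.3 443 73400320
not a flow record
"""

def allowed(dst, port):
    """True only when both the destination and the port match one allowlist entry."""
    return any(dst in net and port == p for net, p, _ in ALLOWLIST)

def review_egress(text):
    """Return (findings, unparsed) for whitespace-separated flow records."""
    findings, unparsed, volume = [], [], defaultdict(int)
    for line in text.splitlines():
        try:
            _src, dst, port, sent = line.split()
            dst, port, sent = ipaddress.ip_address(dst), int(port), int(sent)
        except ValueError:
            unparsed.append(line)  # surface unreadable records instead of dropping them
            continue
        if not allowed(dst, port):
            findings.append(("unexpected_destination", str(dst), port))
        else:
            volume[(str(dst), port)] += sent
    # Allowed destinations can still be an exfiltration path: check data volume too.
    for (dst, port), total in volume.items():
        if total > MAX_BYTES_PER_DEST:
            findings.append(("volume_exceeded", dst, port))
    return findings, unparsed

if __name__ == "__main__":
    for finding in review_egress(SAMPLE_FLOWS)[0]:
        print(finding)
```

The allowed database host on port 22 is flagged just like the internet address, because the allowlist matches on destination and port together.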

Do This

  • Place MCP servers, auth servers, and databases in separate network segments
  • Use a service mesh for automatic mTLS and fine-grained authorization between services
  • Lock down egress — allowlist specific destinations and ports, block everything else
  • Monitor egress traffic for unexpected destinations or data volumes

Avoid This

  • Trust the internal network — zero-trust means verifying every connection regardless of source
  • Rely solely on application-level auth without network-level controls
  • Leave egress wide open because "the server only needs to reach the database"
  • Manage firewall rules manually for service-to-service communication — use a service mesh