Guide · Private Monitoring
Private MCP monitoring
Most MCP monitoring discussions assume your server is publicly reachable. Many real-world MCP servers aren't: they run inside corporate VPCs, on development laptops, behind restrictive firewalls, or in air-gapped research environments. Here's how to monitor each of these deployments without compromising the security boundary that made them private in the first place.
TL;DR
Three patterns cover almost all private MCP monitoring needs. (1) Credentialed probing: for auth-walled servers that are publicly addressed but require a token — provide a read-only probe credential to AliveMCP and probes work normally. (2) Agent-based collector: for VPC-internal servers — deploy a lightweight collector inside your network that probes the server and reports results to an external dashboard. (3) VPN relay: for servers behind corporate firewalls — tunnel probe traffic through a VPN exit node that has network access to the server. Pattern 1 is the simplest; pattern 2 is the most secure; pattern 3 is the fastest to set up for existing VPN infrastructure.
What "private" means for MCP servers
Before choosing a monitoring pattern, clarify which type of "private" you're dealing with:
- Auth-walled (publicly addressed, auth-gated): the server is on the public internet and responds to TCP connections, but returns 401/403 unless the request includes a valid Bearer token, API key, or OAuth credential. Most "internal" MCP servers for enterprise teams fall here — the endpoint is a public cloud URL, but access requires credentials. This is the simplest case: use credentialed probing.
- VPC-internal (not publicly addressed): the server runs on a private IP (10.x, 172.16.x, 192.168.x) inside a cloud VPC or on-premise network. External probe origins can't reach it at all — TCP connect times out. This requires either an agent-based collector inside the VPC or a VPN relay that bridges the external probe origin to the internal network.
- Localhost / development server: the server runs on a developer's machine or a CI runner. Only reachable from that machine. For development, monitoring is usually overkill — the developer can tell when their local server is down. For CI, a synthetic health check step in the CI pipeline is usually the right approach rather than an external monitoring service.
- Air-gapped: the server is on a network with no internet connectivity, by design. External monitoring tools fundamentally can't reach it. The monitoring has to be entirely in-network, with results exported out-of-band (periodic log pull, VPN-connected metrics sink).
Pattern 1: Credentialed probing for auth-walled servers
If your MCP server is publicly addressed but requires authentication, credentialed probing is the right solution. The principle: provide a dedicated read-only credential to your monitoring service. The monitoring service stores this credential encrypted and uses it exclusively for health probes — no human ever sees it in plaintext after initial entry.
Credential types AliveMCP supports:
- Bearer token (static API key): the most common. Add the token to the probe configuration; AliveMCP includes it as
Authorization: Bearer {token}on every probe request. Rotate the credential in your monitoring configuration when you rotate it in production. - OAuth 2.0 Client Credentials: provide a client ID and client secret; AliveMCP fetches and caches access tokens, refreshing them before expiry. Suitable for servers that use short-lived OAuth tokens and reject long-lived API keys.
- Custom header: some MCP servers use non-standard auth headers (X-API-Key, X-Auth-Token). AliveMCP supports arbitrary header injection for probes.
Security discipline for probe credentials: use a separate credential for monitoring rather than a production user credential. Grant only the permissions needed to call initialize and tools/list — typically read-only scope. Some servers let you create a "monitor" role with no tool-call permissions; use it. This limits blast radius if the monitoring credential is ever exposed. See credentialed MCP health check walkthrough for a step-by-step setup guide.
Pattern 2: Agent-based collector for VPC-internal servers
An agent-based collector is a lightweight process that runs inside your VPC, probes the MCP server from within the network, and reports results to an external monitoring backend. The key property: no inbound network access is needed — the collector initiates outbound connections to both the MCP server (inward, within the VPC) and the monitoring backend (outward, over the internet). This works even in strict network environments where inbound connections are blocked entirely.
Architecture:
[External monitoring dashboard]
↑ outbound HTTPS from collector
[Collector process — runs inside VPC]
↓ internal network TCP
[Private MCP server — 10.x.x.x]The collector needs two things: (1) network access to the MCP server (satisfied by being in the same VPC/subnet), and (2) outbound internet access to reach the monitoring backend (usually available by default in cloud VPCs; requires a NAT gateway in some configurations). No inbound port needs to be opened on the VPC security group.
Deployment: the collector can run as a Lambda function on a schedule, a Kubernetes CronJob, a Docker container on a small VM, or a systemd service on an existing server. It should be a thin wrapper: probe the MCP server, format the result as a JSON metric, POST it to the monitoring backend. See multi-tenant MCP probe collector for a reference architecture you can adapt for in-network deployment.
What data leaves the network: only probe results (success/fail per layer, latency measurements, tools count, schema hash). The actual tool definitions, tool call responses, and any server-side data stay inside the network. The collector never sends a copy of the server's response body — only derived metrics from it.
Pattern 3: VPN relay for corporate firewall environments
If your organization has an existing VPN infrastructure that has network access to the MCP server, you can route probe traffic through a VPN exit node that lives inside the network boundary. The monitoring service connects to the VPN exit node (which is internet-accessible), and the exit node forwards probe traffic to the MCP server on the internal network.
This is the fastest pattern to implement if your org already has a VPN server with appropriate network access — the setup is a single forwarding rule rather than deploying a new collector process. It's also the most operationally complex to maintain: VPN certificates expire, forwarding rules accumulate technical debt, and VPN infrastructure changes (provider migrations, key rotation) break the probe path silently.
Alternatives to full VPN for simpler cases: tools like Cloudflare Tunnel, ngrok, or Tailscale Funnel can expose a specific internal endpoint to a specific external source without a full VPN. These are faster to set up and easier to audit than a general VPN relay. The trade-off is that they add a third-party intermediary to the monitoring path — evaluate whether that's acceptable for your data classification requirements.
Development and CI environments
For a local development MCP server, external monitoring is rarely worth the setup cost. The developer knows the server is down when their agent stops working. The useful monitoring in development is a health check script that the developer runs to confirm the server is up after a code change — this catches environment configuration problems (missing env vars, wrong port) before the developer blames their agent for something the server caused.
For CI pipelines that spin up an MCP server for integration tests, add a health check step that waits for the server to be ready before running tests:
#!/bin/bash
# Wait for MCP server to pass initialize probe
for i in $(seq 1 30); do
if curl -sf http://localhost:3000/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{}},"id":1}' \
| grep -q '"result"'; then
echo "MCP server ready"
exit 0
fi
sleep 2
done
echo "MCP server failed to start within 60 seconds"
exit 1This is more reliable than checking whether the process is running or the port is open — it validates that the server actually responds to MCP protocol, not just that the TCP port is accepting connections.
Security trade-offs across the three patterns
| Pattern | Data that leaves the network | Inbound ports required | Credential exposure surface |
|---|---|---|---|
| Credentialed probing | Probe results (latency, success/fail, tools count) | None (server is already public) | Probe credential stored at monitoring provider |
| Agent-based collector | Probe results only (no response body) | None (collector dials out) | Monitoring API key stored on collector host |
| VPN relay | Probe results + raw probe traffic through VPN | VPN port on relay host | VPN credentials + monitoring provider credentials |
The agent-based collector has the smallest security footprint: no inbound ports, no probe credential at the monitoring provider, and only derived metrics leave the network. For high-security environments, it's the right choice even if it takes more setup time than the VPN relay.
Related questions
Can I use AliveMCP to monitor a server at localhost or a private IP?
Not directly — AliveMCP's probe origins are external and can't reach localhost or private IPs by definition. For localhost servers, the CI health check script pattern in this guide is the right approach. For VPC-internal servers, deploy an agent-based collector inside the VPC that reports results to AliveMCP via the metrics API (Team tier).
Does AliveMCP store a copy of my tool definitions when probing an auth-walled server?
AliveMCP stores a hash of the tools/list response (for schema drift detection) and the tool count. It does not store the full tool definitions — the probe computes the hash in-memory and discards the response body. Your tool names, descriptions, and input schemas are never persisted in AliveMCP's storage.
What's the minimum credential scope for a monitoring probe credential?
Read-only access to call initialize and tools/list. If your server has a role system, create a "monitor" role that can only call these two methods and cannot call any tool. This way, if the monitoring credential is compromised, the attacker can discover your server's tool surface but can't actually invoke any tool operations.
How do I rotate the probe credential without monitoring gaps?
Create the new credential before revoking the old one. Update the probe configuration in AliveMCP to use the new credential. Verify that probes are succeeding with the new credential (check the last probe result in the dashboard). Then revoke the old credential. This zero-downtime rotation avoids a window where no valid credential exists in the monitoring configuration.
Further reading
- Credentialed MCP health check walkthrough — step-by-step setup
- MCP authentication primer — OAuth, API keys, and credential scoping
- MCP server health check — the four-layer probe sequence
- Multi-tenant MCP probe collector — reference architecture
- MCP server uptime API — programmatic access to probe results
- AliveMCP — uptime monitoring for every public and auth-walled MCP endpoint