chore: How to Deploy MongoDB MCP Server on Azure Container Apps? (#680)

Author: anshulkhantwal

README.md

@@ -23,6 +23,8 @@ A Model Context Protocol server for interacting with MongoDB Databases and Mongo
     - [Command-Line Arguments](#command-line-arguments)
     - [MCP Client Configuration](#mcp-configuration-file-examples)
     - [Proxy Support](#proxy-support)
+- [🚀 Deploy on Public Clouds](#deploy-on-public-clouds)
+  - [Azure Cloud](#azure)
 - [🤝 Contributing](#contributing)
 
 <a name="getting-started"></a>
@@ -702,6 +704,14 @@ connecting to the Atlas API, your MongoDB Cluster, or any other external calls
 to third-party services like OID Providers. The behaviour is the same as what
 `mongosh` does, so the same settings will work in the MCP Server.
 
+## 🚀Deploy on Public Clouds
+
+You can deploy the MongoDB MCP Server to your preferred cloud provider using the deployment assets under `deploy/`. Each guide explains the prerequisites, configuration, and automation scripts that streamline the rollout.
+
+### Azure
+
+For detailed Azure instructions, see [deploy/azure/README.md](deploy/azure/README.md).
+
 ## 🤝Contributing
 
 Interested in contributing? Great! Please check our [Contributing Guide](CONTRIBUTING.md) for guidelines on code contributions, standards, adding new tools, and troubleshooting information.

deploy/azure/README.md

@@ -0,0 +1,79 @@
+# Deploy MongoDB MCP Server on Azure Container Apps
+
+## Overview
+
+This directory contains an Azure Bicep template (`bicep/main.bicep`) and supporting parameter files for deploying the infrastructure required to run the MongoDB MCP (Model Context Protocol) server. Use this guide to prepare prerequisites, select the appropriate parameter file, and run the deployment end-to-end.
+
+## Prerequisites
+
+- Azure CLI (2.55.0 or later) installed and signed in (`az login`).
+- Azure subscription with permissions to deploy the required resources.
+- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:latest).
+
+## Parameter Files
+
+Two sample parameter files are provided to help you tailor deployments:
+
+- `bicep/params.json`: Baseline configuration that deploys the MongoDB MCP server with authentication disabled or using default settings. Use this when testing in development environments or when external authentication is not required.
+- `bicep/paramsWithAuthEnabled.json`: Extends the baseline deployment and enables Microsoft Entra ID (Azure AD) authentication using managed identity and client application IDs. Use this when you want the server protected with Azure AD authentication via managed identity.
+
+> **Tip:** Update the image reference, secrets, networking, and any other environment-specific values in the chosen parameter file before deployment.
+
+## Deploy the Bicep Template
+
+1. **Set common variables (PowerShell example):**
+
+   ```powershell
+   $location = "eastus"
+   $resourceGroup = "mongodb-mcp-demo-rg"
+   $templateFile = "bicep/main.bicep"
+   $parameterFile = "bicep/params.json"            # or bicep/paramsWithAuthEnabled.json
+   ```
+
+2. **Create the resource group (if it does not exist):**
+
+   ```powershell
+   az group create --name $resourceGroup --location $location
+   ```
+
+3. **Validate the deployment (optional but recommended):**
+
+   ```powershell
+   az deployment group what-if \
+      --resource-group $resourceGroup \
+      --template-file $templateFile \
+      --parameters @$parameterFile
+   ```
+
+4. **Run the deployment:**
+
+   ```powershell
+   az deployment group create \
+      --resource-group $resourceGroup \
+      --template-file $templateFile \
+      --parameters @$parameterFile
+   ```
+
+5. **Monitor outputs:** Review the deployment outputs and logs for connection endpoints, credential references, or other values needed to complete integration.
+
+## Post-Deployment Checklist
+
+- After the Azure Container Apps deployment completes, access the MCP server by visiting the application’s public endpoint with /mcp appended. Example: https://[CONTAINER_APP_NAME].<region>.azurecontainerapps.io/mcp.
+
+## Updating the Deployment
+
+To apply changes:
+
+1. Update the parameter file or `main.bicep` as needed.
+2. Re-run the `az deployment group create` command with the same resource group.
+3. Use `az deployment group what-if` to preview differences before applying them.
+
+## Cleanup
+
+Remove the deployed resources when no longer needed:
+
+```powershell
+az group delete --name $resourceGroup --yes --no-wait
+```
+
+> **Reminder:** Deleting the resource group removes all resources inside it. Ensure any persistent data or backups are retained elsewhere before running the cleanup command.

deploy/azure/bicep/main.bicep

@@ -0,0 +1,212 @@
+@description('Name of the Container Apps Environment. Leave blank to create a new one.')
+param containerAppEnvName string = ''
+
+@description('Location of resources')
+param location string = resourceGroup().location
+
+@description('Name of the Container App')
+param containerAppName string = 'mongo-mcp-server-app'
+
+@description('Docker image to deploy')
+param containerImage string = 'mongodb/mongodb-mcp-server:latest'
+
+@description('Container CPU (vCPU) as string. Allowed: 0.25 - 2.0 in 0.25 increments')
+@allowed([
+  '0.25'
+  '0.5'
+  '0.75'
+  '1.0'
+  '1.25'
+  '1.5'
+  '1.75'
+  '2.0'
+])
+param containerCpu string = '1.0'
+
+// Convert CPU string to number (Bicep lacks float type; json() parses to number)
+var containerCpuNumber = json(containerCpu)
+
+@description('Container Memory (GB)')
+@allowed([
+  '0.5Gi'
+  '1Gi'
+  '2Gi'
+  '4Gi'
+])
+param containerMemory string = '2Gi'
+
+@description('Container App Environment Variables')
+param appEnvironmentVars object = {
+  MDB_MCP_READ_ONLY: 'true' // set to 'false' to enable write operations
+  MDB_MCP_HTTP_PORT: '8080'
+  MDB_MCP_HTTP_HOST: '::'
+  MDB_MCP_TRANSPORT: 'http'
+  MDB_MCP_LOGGERS: 'disk,mcp,stderr'
+  MDB_MCP_LOG_PATH: '/tmp/mongodb-mcp'
+}
+
+@description('Authentication mode toggle for the Container App. NOAUTH disables platform auth; MicrosoftMIBasedAuth enables Azure AD auth and enforces 401 for unauthenticated requests.')
+@allowed([
+  'NOAUTH'
+  'MicrosoftMIBasedAuth'
+])
+param authMode string = 'NOAUTH'
+
+@description('Azure AD Application (client) ID used when authMode is MicrosoftMIBasedAuth. Leave blank for NOAUTH.')
+param authClientId string = ''
+
+@description('Issuer URL (OpenID issuer) when authMode is MicrosoftMIBasedAuth. Example: https://login.microsoftonline.com/<tenant-id>/v2.0 or https://sts.windows.net/<tenant-id>/v2.0')
+param authIssuerUrl string = ''
+
+@description('Azure AD Tenant ID (GUID) used when authMode is MicrosoftMIBasedAuth. Provided separately to avoid hard-coded cloud endpoints in template logic.')
+param authTenantId string = ''
+
+@description('Optional array of allowed client application IDs. If empty, all applications are allowed (not recommended).')
+param authAllowedClientApps array = []
+
+@secure()
+@description('MongoDB Connection String')
+param mdbConnectionString string
+
+// Create Container App Environment if not provided
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2024-02-02-preview' = if (empty(containerAppEnvName)) {
+  name: 'mcp-env-${uniqueString(resourceGroup().id)}'
+  location: location
+  properties: {}
+}
+
+// Get the Container App Environment resource ID (either existing or newly created)
+var envResourceId = empty(containerAppEnvName) 
+  ? containerAppEnv.id 
+  : resourceId('Microsoft.App/managedEnvironments', containerAppEnvName)
+
+// Build environment variables array
+var envVarsArray = [
+  for item in items(appEnvironmentVars): {
+    name: item.key
+    value: string(item.value)
+  }
+]
+
+// Additional environment variables injected when MicrosoftMIBasedAuth is enabled (merged after user-provided vars so user can override if desired)
+var authEnvVars = authMode == 'MicrosoftMIBasedAuth'
+  ? concat([
+      {
+        name: 'MDB_MCP_HTTP_AUTH_MODE'
+        value: 'azure-managed-identity'
+      }
+      {
+        // Tenant ID of the Azure AD tenant
+        name: 'MDB_MCP_AZURE_MANAGED_IDENTITY_TENANT_ID'
+        value: authTenantId
+      }
+      {
+        // Client ID of the Azure AD App representing your container app
+        name: 'MDB_MCP_AZURE_MANAGED_IDENTITY_CLIENT_ID'
+        value: authClientId
+      }
+    ], length(authAllowedClientApps) > 0 ? [
+      {
+        // Comma-separated list of allowed Client App IDs for access
+        // (only listed Client Apps are allowed if client apps specified)
+        name: 'MDB_MCP_AZURE_MANAGED_IDENTITY_ALLOWED_APP_IDS'
+        value: join(authAllowedClientApps, ',')
+      }
+    ] : [])
+  : [
+      {
+        name: 'MDB_MCP_HTTP_AUTH_MODE'
+        value: 'none'
+      }
+    ]
+
+// Deploy Container App
+resource containerApp 'Microsoft.App/containerApps@2024-02-02-preview' = {
+  name: containerAppName
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    managedEnvironmentId: envResourceId
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: int(appEnvironmentVars.MDB_MCP_HTTP_PORT)
+        transport: 'auto'
+      }
+      secrets: [
+        {
+          name: 'mdb-mcp-connection-string'
+          value: mdbConnectionString
+        }
+      ]
+    }
+    template: {
+      containers: [
+        {
+          name: 'mcpserver'
+          image: containerImage
+          resources: {
+            cpu: containerCpuNumber
+            memory: containerMemory
+          }
+          env: concat(
+            envVarsArray,
+            authEnvVars,
+            [
+              {
+                name: 'MDB_MCP_CONNECTION_STRING'
+                secretRef: 'mdb-mcp-connection-string'
+              }
+            ]
+          )
+        }
+      ]
+      scale: {
+        minReplicas: 1
+        maxReplicas: 1
+        rules: [] // disables autoscaling
+      }
+    }
+  }
+}
+
+// Container App Authentication (child resource) - only deployed when MicrosoftMIBasedAuth selected
+resource containerAppAuth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = if (authMode == 'MicrosoftMIBasedAuth') {
+  name: 'current'
+  parent: containerApp
+  properties: {
+    platform: {
+      enabled: true
+      // runtimeVersion optional
+    }
+    globalValidation: {
+      unauthenticatedClientAction: 'Return401'
+      redirectToProvider: 'azureActiveDirectory'
+    }
+    identityProviders: {
+      azureActiveDirectory: {
+        enabled: true
+        registration: {
+          clientId: authClientId
+          openIdIssuer: authIssuerUrl
+        }
+        validation: {
+          allowedAudiences: [
+            authClientId
+          ]
+          // defaultAuthorizationPolicy allows restriction to specific client applications
+          defaultAuthorizationPolicy: length(authAllowedClientApps) > 0 ? {
+            allowedApplications: authAllowedClientApps
+          } : null
+          jwtClaimChecks: length(authAllowedClientApps) > 0 ? {
+            allowedClientApplications: authAllowedClientApps
+          } : null
+        }
+      }
+    }
+  }
+}
+
+output containerAppUrl string = containerApp.properties.configuration.ingress.fqdn

deploy/azure/bicep/params.json

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "containerAppEnvName": { "value": "container-app-env" },
+    "containerAppName": { "value": "mongo-mcp-server-app-without-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerCpu": { "value": "1.0" },
+    "containerMemory": { "value": "2Gi" },
+    "appEnvironmentVars": {
+      "value": {
+        "MDB_MCP_READ_ONLY": "false",
+        "MDB_MCP_HTTP_PORT": "8080",
+        "MDB_MCP_HTTP_HOST": "::",
+        "MDB_MCP_TRANSPORT": "http",
+        "MDB_MCP_LOGGERS": "disk,mcp,stderr",
+        "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
+        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+      }
+    },
+    "authMode": { "value": "NOAUTH" },
+    "mdbConnectionString": { "value": "<MONGODB_CONNECTION_STRING>" }
+  }
+}

deploy/azure/bicep/paramsWithAuthEnabled.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "containerAppEnvName": { "value": "container-app-env" },
+    "containerAppName": { "value": "mongo-mcp-server-app-with-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerCpu": { "value": "1.0" },
+    "containerMemory": { "value": "2Gi" },
+    "appEnvironmentVars": {
+      "value": {
+        "MDB_MCP_READ_ONLY": "false",
+        "MDB_MCP_HTTP_PORT": "8080",
+        "MDB_MCP_HTTP_HOST": "::",
+        "MDB_MCP_TRANSPORT": "http",
+        "MDB_MCP_LOGGERS": "disk,mcp,stderr",
+        "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
+        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+      }
+    },
+    "mdbConnectionString": { "value": "<MONGODB_CONNECTION_STRING>" },
+
+    "authMode": { "value": "MicrosoftMIBasedAuth" },
+    "authClientId": { "value": "<AUTH_CLIENT_ID>" },
+    "authIssuerUrl": { "value": "<AUTH_ISSUER_URL>" },
+    "authTenantId": { "value": "<AUTH_TENANT_ID>" },
+    "authAllowedClientApps": {
+      "value": ["<AUTH_ALLOWED_CLIENT_APP_1>", "<AUTH_ALLOWED_CLIENT_APP_2>"]
+    }
+  }
+}