merge upstream

Author: b-ahibbard

articles/api-center/includes/about-mcp-servers.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-center
 ms.topic: include
-ms.date: 05/12/2025
+ms.date: 07/16/2025
 ms.author: danlep
 ms.custom:
   - Include file
@@ -21,24 +21,9 @@ The [model context protocol](https://www.anthropic.com/news/model-context-protoc
 
 ### MCP architecture
 
-The following diagram illustrates the MCP architecture:
- 
-:::image type="content" source="media/about-mcp-servers/mcp-architecture.png" alt-text="Diagram of model context protocol (MCP) architecture.":::
-
-The architecture consists of the following components:
-
-| Component      | Description                                                                                     |
-|----------------|-------------------------------------------------------------------------------------------------|
-| **MCP hosts**  | LLM applications such as chat apps or AI assistants in your IDEs (like GitHub Copilot in Visual Studio Code) that need to access external capabilities |
-| **MCP clients**| Protocol clients, inside the host application, that maintain 1:1 connections with servers        |
-| **MCP servers**| Lightweight programs that each expose specific capabilities and provide context, tools, and prompts to clients |
-| **MCP protocol**| Transport layer in the middle        |
-
 MCP follows a client-server architecture where a host application can connect to multiple servers. Whenever your MCP host or client needs a tool, it connects to the MCP server. The MCP server then connects to, for example, a database or an API. MCP hosts and servers connect with each other through the MCP protocol.
 
-### Remote versus local MCP servers
-
-MCP utilizes a client-host-server architecture built on [JSON-RPC 2.0 for messaging](https://modelcontextprotocol.io/docs/concepts/architecture). Communication between clients and servers occurs over defined transport layers, and supports primarily two modes of operation:
+The MCP architecture is built on [JSON-RPC 2.0 for messaging](https://modelcontextprotocol.io/docs/concepts/architecture). Communication between clients and servers occurs over defined transport layers, and supports primarily two modes of operation:
 
 * **Remote MCP servers** - MCP clients connect to MCP servers over the internet, establishing a connection using HTTP and server-sent events (SSE), and authorizing the MCP client access to resources on the user's account using OAuth.
 

articles/api-center/register-discover-mcp-server.md

@@ -4,7 +4,7 @@ description: Learn about how Azure API Center can be a centralized registry for
 author: dlepow
 ms.service: azure-api-center
 ms.topic: concept-article
-ms.date: 07/22/2025
+ms.date: 08/04/2025
 ms.author: danlep 
 # Customer intent: As an API program manager, I want to register and discover  MCP servers as APIs in my API Center inventory.
 ms.custom:
@@ -74,6 +74,7 @@ For a live example of how Azure API Center can power your private, enterprise-re
 
 ## Related content
 
+* [About MCP servers in API Management](../api-management/mcp-server-overview.md)
 * [Import APIs to your API center from API Management](import-api-management-apis.md)
 * [Use the Visual Studio extension for API Center](build-register-apis-vscode-extension.md) to build and register APIs from Visual Studio Code.
 

articles/api-management/TOC.yml

@@ -236,7 +236,7 @@
   items:
   - name: AI gateway capabilities in API Management
     href: genai-gateway-capabilities.md
-  - name: Import LLM APIs
+  - name: Manage LLM APIs
     items:
     - name: Import Azure AI Foundry API
       href: azure-ai-foundry-api.md
@@ -248,12 +248,20 @@
       href: openai-compatible-google-gemini-api.md
     - name: Import Amazon Bedrock API
       href: amazon-bedrock-passthrough-llm-api.md
-  - name: Expose REST API as MCP server
-    href: export-rest-mcp-server.md
-  - name: Semantic caching for Azure OpenAI API requests
-    href: azure-openai-enable-semantic-caching.md
-  - name: Authenticate and authorize to Azure OpenAI
-    href: api-management-authenticate-authorize-azure-openai.md
+    - name: Semantic caching for LLM API requests
+      href: azure-openai-enable-semantic-caching.md
+    - name: Authenticate and authorize to Azure OpenAI
+      href: api-management-authenticate-authorize-azure-openai.md
+  - name: Manage MCP servers
+    items:
+    - name: MCP server capabilities
+      href: mcp-server-overview.md
+    - name: Expose REST API as MCP server
+      href: export-rest-mcp-server.md
+    - name: Expose existing MCP server
+      href: expose-existing-mcp-server.md
+    - name: Secure access to MCP servers
+      href: secure-mcp-servers.md
 - name: Manage APIs with policies
   items:
   - name: API Management policies overview

articles/api-management/api-management-features.md

@@ -52,7 +52,8 @@ Each API Management [pricing tier](api-management-key-concepts.md#api-management
 | Static IP                                                                                    | No          | Yes       | Yes   | No          |Yes      | No          | Yes     | No |
 | Export API to Power Platform                                                         | Yes          | Yes       | Yes    | Yes       | Yes       | Yes       | Yes     | Yes |
 | Export API to Postman                                                         | Yes          | Yes       | Yes    | Yes       | Yes       | Yes       | Yes     | Yes |
-| Export API to MCP server (preview)                                                        | No          | No       | Yes    | No       | Yes       | No       | Yes     | No |
+| Export API to MCP server (preview)                                                        | No          | No       | Yes    | Yes       | Yes       | Yes       | Yes     | Yes |
+| Expose existing MCP server (preview)                                                      | No          | No       | Yes    | Yes       | Yes       | Yes       | Yes     | Yes |
 
 <sup>1</sup> Enables the use of Microsoft Entra ID (and Azure AD B2C or [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam)) as an identity provider for user sign in on the developer portal.<br/>
 <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/>

articles/api-management/api-management-gateways-overview.md

@@ -77,12 +77,12 @@ The following tables compare features available in the following API Management
 | [Built-in cache](api-management-howto-cache.md) | ✔️ | ✔️ | ❌ | ❌ | ✔️ |
 | [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ |✔️ | ✔️ | ❌ |
 | [Virtual network injection](virtual-network-concepts.md)  |  Developer, Premium | Premium v2 | ❌ | ✔️<sup>1,2</sup> | ✔️ |
-| [Inbound private endpoints](private-endpoint.md)  |  Developer, Basic, Standard, Premium | Standard v2 | ❌ | ❌ | ❌ |
+| [Inbound private endpoints](private-endpoint.md)  |  ✔️ | Standard v2 | ❌ | ❌ | ❌ |
 | [Outbound virtual network integration](integrate-vnet-outbound.md)  | ❌ | Standard  v2, Premium v2  |  ❌ | ❌ | ✔️ |
 | [Availability zones](zone-redundancy.md)  |  Premium | ❌  | ❌ | ✔️<sup>1</sup> | ❌ |
 | [Multi-region deployment](api-management-howto-deploy-multi-region.md) |  Premium | ❌ |  ❌ | ✔️<sup>1</sup> | ❌ |
 | [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation |  ✔️ | ❌ | ❌ | ✔️<sup>3</sup> |  ❌ |
-| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) |  Developer, Basic, Standard, Premium | ❌ | ✔️ | ❌ | ❌ |
+| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) |  ✔️ | ❌ | ✔️ | ❌ | ❌ |
 | [TLS settings](api-management-howto-manage-protocols-ciphers.md) |  ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
 | **HTTP/2** (Client-to-gateway) | ✔️<sup>4</sup> | ✔️<sup>4</sup> |❌ | ✔️ | ❌ |
 | **HTTP/2** (Gateway-to-backend) |  ❌ | ✔️<sup>5</sup> | ❌ | ✔️<sup>5</sup> | ❌ |
@@ -114,8 +114,7 @@ The following tables compare features available in the following API Management
 | [Azure OpenAI and LLM](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
 | [Circuit breaker in backend](backends.md#circuit-breaker)  |  ✔️ | ✔️ | ❌ | ✔️ | ✔️ |
 | [Load-balanced backend pool](backends.md#load-balanced-pool)  |  ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
-
-<sup>1</sup> Synthetic GraphQL subscriptions (preview) aren't supported.
+| [Pass-through MCP server](expose-existing-mcp-server.md) (preview) |  Basic, Standard, Premium | ✔️ | ❌ | ❌ | ❌ |
 
 ### Policies
 

articles/api-management/cors-policy.md

@@ -42,7 +42,7 @@ The `cors` policy adds cross-origin resource sharing (CORS) support to an operat
 |Name|Description|Required|Default|
 |----------|-----------------|--------------|-------------|
 |allow-credentials|The `Access-Control-Allow-Credentials` header in the preflight response will be set to the value of this attribute and affect the client's ability to submit credentials in cross-domain requests. Policy expressions are allowed.|No|`false`|
-|terminate-unmatched-request|Controls the processing of cross-origin requests that don't match the policy settings. Policy expressions are allowed.<br/><br/>When `OPTIONS` request is processed as a preflight request and `Origin` header doesn't match policy settings:<br/> - If the attribute is set to `true`, immediately terminate the request with an empty `200 OK` response<br/>- If the attribute is set to `false`, check inbound for other in-scope `cors` policies that are direct children of the inbound element and apply them. If no `cors` policies are found, terminate the request with an empty `200 OK` response. <br/><br/>When `GET` or `HEAD` request includes the `Origin` header (and therefore is processed as a simple cross-origin request), and doesn't match policy settings:<br/>- If the attribute is set to `true`, immediately terminate the request with an empty `200 OK` response.<br/> - If the attribute is set to `false`, allow the request to proceed normally and don't add CORS headers to the response.|No|`true`|
+|terminate-unmatched-request|Controls the processing of cross-origin requests that don't match the policy settings. Policy expressions are allowed.<br/><br/>When `OPTIONS` request is processed as a preflight request and `Origin` header doesn't match policy settings:<br/> - If the attribute is set to `true`, immediately terminate the request with an empty `200 OK` response<br/>- If the attribute is set to `false`, check inbound for other in-scope `cors` policies that are direct children of the inbound element and apply them. If no `cors` policies are found, terminate the request with an empty `200 OK` response. <br/><br/>When `GET` or `HEAD` request includes the `Origin` header (and therefore is processed as a simple cross-origin request), and doesn't match policy settings:<br/>- If the attribute is set to `true`, immediately terminate the request with an empty `200 OK` response.<br/> - If the attribute is set to `false`, allow the request to proceed normally and don't add CORS headers to the response.|No|`false`|
 
 ## Elements