Illumio MCP server for AI agents

The Illumio MCP Server provides an interface to interact with Illumio PCE (Policy Compute Engine), enabling programmatic access to workload management, label operations, and traffic flow analysis through conversational AI.

Installation

Prerequisites

Python 3.8+
Access to an Illumio PCE instance
Valid API credentials for the PCE

Setting Up

Clone the repository:

git clone [repository-url]
cd illumio-mcp

Install dependencies:

pip install -r requirements.txt

Configuration

The recommended way to run the MCP server is using the uv command, which makes it easier to pass environment variables and run it in the background.

Using with Claude Desktop

Update your Claude Desktop configuration file:

On MacOS: ~/Library/Application\ Support/Claude/claude_desktop_config.json
On Windows: %APPDATA%/Claude/claude_desktop_config.json

Add the following to the custom_settings section:

"mcpServers": {
    "illumio-mcp": {
      "command": "uv",
      "args": [
        "--directory",
        "/Users/alex.goller/git/illumio-mcp",
        "run",
        "illumio-mcp"
      ],
      "env": {
        "PCE_HOST": "your-pce-host",
        "PCE_PORT": "your-pce-port",
        "PCE_ORG_ID": "1",
        "API_KEY": "api_key",
        "API_SECRET": "api_secret"
      }
    }
  }
}

Docker Deployment

The application is available as a Docker container from the GitHub Container Registry.

Pull the container

docker pull ghcr.io/alexgoller/illumio-mcp-server:latest

You can also use a specific version:

docker pull ghcr.io/alexgoller/illumio-mcp-server:1.0.0

Run with Claude Desktop

Create an environment file (e.g. ~/.illumio-mcp.env) with your PCE credentials:

PCE_HOST=your-pce-host
PCE_PORT=your-pce-port
PCE_ORG_ID=1
API_KEY=your-api-key
API_SECRET=your-api-secret

Add the configuration to your Claude Desktop config file:

{
    "mcpServers": {
        "illumio-mcp-docker": {
            "command": "docker",
            "args": [
                "run",
                "-i",
                "--init",
                "--rm",
                "-v",
                "/Users/YOUR_USERNAME/tmp:/var/log/illumio-mcp",
                "-e",
                "DOCKER_CONTAINER=true",
                "-e",
                "PYTHONWARNINGS=ignore",
                "--env-file",
                "/Users/YOUR_USERNAME/.illumio-mcp.env",
                "illumio-mcp:latest"
            ]
        }
    }
}

Run Standalone

Run the container directly:

docker run -i --init --rm \
  -v /path/to/logs:/var/log/illumio-mcp \
  -e DOCKER_CONTAINER=true \
  -e PYTHONWARNINGS=ignore \
  --env-file ~/.illumio-mcp.env \
  ghcr.io/alexgoller/illumio-mcp-server:latest

Available Tools

Workload Management

get-workloads: Retrieve all workloads from PCE
create-workload: Create an unmanaged workload with specified name, IP addresses, and labels
update-workload: Update an existing workload's properties
delete-workload: Remove a workload from PCE by name

Label Operations

create-label: Create a new label with key-value pair
delete-label: Remove an existing label by key-value pair
get-labels: Retrieve all labels from PCE

Traffic Analysis

get-traffic-flows: Get detailed traffic flow data with filtering options:
- Date range filtering
- Source/destination filtering
- Service (port/protocol) filtering
- Policy decision filtering
- Workload and IP list query options
- Results limiting
get-traffic-flows-summary: Get summarized traffic flow information

Policy Management

get-rulesets: Get rulesets from the PCE with optional filtering:
- Filter by name
- Filter by enabled status

IP Lists Management

get-iplists: Get IP lists from the PCE with optional filtering:
- Filter by name
- Filter by description
- Filter by IP ranges

Connection Testing

check-pce-connection: Verify PCE connectivity and credentials

Event Management

get-events: Get events from the PCE with optional filtering:
- Filter by event type
- Filter by severity (emerg, alert, crit, err, warning, notice, info, debug)
- Filter by status (success, failure)
- Limit number of results returned

Available Prompts

Ringfence Application

The ringfence-application prompt helps create security policies to isolate and protect applications.

Required Arguments:

application_name: Name of the application to ringfence
application_environment: Environment of the application to ringfence

Analyze Application Traffic

The analyze-application-traffic prompt provides detailed analysis of application traffic patterns.

Required Arguments:

application_name: Name of the application to analyze
application_environment: Environment of the application to analyze

Using MCP Prompts

Click "Attach from MCP" button in the interface
Choose from installed MCP servers
Fill in required prompt arguments
Click Submit to send the configured prompt

The MCP server will then send the configured prompt to Claude, which receives context through the Model Context Protocol, allowing specialized handling of Illumio-specific tasks.

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "illumio-mcp" '{"command":"uv","args":["--directory","/Users/alex.goller/git/illumio-mcp","run","illumio-mcp"],"env":{"PCE_HOST":"your-pce-host","PCE_PORT":"your-pce-port","PCE_ORG_ID":"1","API_KEY":"api_key","API_SECRET":"api_secret"}}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "illumio-mcp": {
            "command": "uv",
            "args": [
                "--directory",
                "/Users/alex.goller/git/illumio-mcp",
                "run",
                "illumio-mcp"
            ],
            "env": {
                "PCE_HOST": "your-pce-host",
                "PCE_PORT": "your-pce-port",
                "PCE_ORG_ID": "1",
                "API_KEY": "api_key",
                "API_SECRET": "api_secret"
            }
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "illumio-mcp": {
            "command": "uv",
            "args": [
                "--directory",
                "/Users/alex.goller/git/illumio-mcp",
                "run",
                "illumio-mcp"
            ],
            "env": {
                "PCE_HOST": "your-pce-host",
                "PCE_PORT": "your-pce-port",
                "PCE_ORG_ID": "1",
                "API_KEY": "api_key",
                "API_SECRET": "api_secret"
            }
        }
    }
}

3. Restart Claude Desktop for the changes to take effect