A2A Protocol: Multi-Agent Discovery

System architecture

The examples/a2a_demo/ directory contains three agents that communicate with each other via A2A Protocol:

DevOps Agent (0 own tools)
├── discovers via A2A
│   ├── DNS Agent     → 6 internal tools (Cloudflare)
│   └── Monitoring Agent → 3 internal tools (HTTP, SSL, WHOIS)
└── delegates tasks to each specialized agent

The DevOps Agent doesn’t know the internal tools of the other agents — it only knows the published skills in their agent.json.

agent.json — AgentCard

Each specialized agent has an agent.json that declares its capabilities so other agents can discover them.

DNS Agent (dns_agent/agent.json)

{
  "name": "DNS Management Agent",
  "description": "Manages DNS records via Cloudflare API for a specific domain",
  "url": "http://localhost:9999/a2a/dns_agent",
  "version": "1.0.0",
  "capabilities": {
    "streaming": false,
    "pushNotifications": false
  },
  "defaultInputModes": ["text/plain"],
  "defaultOutputModes": ["text/plain"],
  "skills": [
    {
      "id": "dns-management",
      "name": "DNS Management",
      "description": "Manages DNS records: create, find, update, validate and check propagation",
      "tags": ["dns", "cloudflare", "infrastructure", "devops"],
      "examples": [
        "Create api.nicolasneira.dev pointing to 203.0.113.50",
        "Migrate mail.nicolasneira.dev to IP 5.6.7.8",
        "Check if staging.nicolasneira.dev is propagated"
      ]
    }
  ]
}

The 6 internal tools (list_dns_records, create_dns_record, etc.) don’t appear in the AgentCard — they are an implementation detail. The DevOps Agent only sees the "dns-management" skill.

Monitoring Agent (monitoring_agent/agent.json)

{
  "name": "Infrastructure Monitoring Agent",
  "description": "Checks status of websites, SSL certificates and WHOIS",
  "url": "http://localhost:9999/a2a/monitoring_agent",
  "skills": [
    {
      "id": "infrastructure-monitoring",
      "name": "Infrastructure Monitoring",
      "tags": ["monitoring", "health-check", "ssl", "whois", "devops"],
      "examples": [
        "Check if nicolasneira.com is responding",
        "Review the SSL certificate of api.nicolasneira.dev",
        "Query the WHOIS of nicolasneira.com"
      ]
    }
  ]
}

devops_agent/agent.py — Orchestrator

The DevOps Agent uses RemoteA2aAgent to connect to specialized agents. It has no own tools — only remote sub-agents.

from google.adk.agents.remote_a2a_agent import RemoteA2aAgent
from google.adk import Agent

dns_remote = RemoteA2aAgent(
    name="dns_agent",
    agent_card="http://localhost:9999/a2a/dns_agent/.well-known/agent-card.json"
)

monitoring_remote = RemoteA2aAgent(
    name="monitoring_agent",
    agent_card="http://localhost:9999/a2a/monitoring_agent/.well-known/agent-card.json"
)

root_agent = Agent(
    name="devops_agent",
    model="gemini-2.5-flash",
    sub_agents=[dns_remote, monitoring_remote],  # 0 tools, only sub-agents
    instruction="""
    You are a DevOps Agent that coordinates infrastructure tasks.
    For DNS: delegate to dns_agent.
    For monitoring: delegate to monitoring_agent.
    """
)

Start the system

1. Start the specialized agents as A2A servers:

   cd examples/a2a_demo
   adk api_server --a2a --port 9999 .

   This starts DNS Agent and Monitoring Agent as HTTP endpoints at:

   • http://localhost:9999/a2a/dns_agent
   • http://localhost:9999/a2a/monitoring_agent

2. From another terminal, run the delegation demo:

   python examples/a2a_demo/demo_a2a.py --demo

Three demo scenarios

Scenario 1 — DNS Delegation

DevOps Agent: "Create staging.nicolasneira.dev pointing to 10.0.0.5"

→ DevOps Agent reads agent-card of the DNS Agent
→ Creates RemoteA2aAgent to connect
→ Delegates the task
→ DNS Agent executes: list → create → validate → propagation
→ task.status = COMPLETED
→ DevOps Agent returns result

Scenario 2 — Monitoring Delegation

DevOps Agent: "Is nicolasneira.com responding correctly?"

→ DevOps Agent identifies: monitoring task → Monitoring Agent
→ Delegates
→ Monitoring Agent executes: check_url_status + check_ssl_certificate
→ Returns full status

Scenario 3 — Cross-domain security

DevOps Agent: "Create a DNS record for google.com"

→ Delegates to DNS Agent
→ DNS Agent validates: google.com ≠ CLOUDFLARE_DOMAIN
→ ❌ Rejected — out of scope
→ The restriction persists through A2A delegation

Caution

Security persists via A2A. The DevOps Agent cannot bypass the DNS Agent’s restrictions by sending a request via A2A — the DNS Agent still validates that the domain is its own. The security architecture is end-to-end.

A2A communication cycle

DevOps Agent                    DNS Agent
    │                               │
    ├─ GET /agent-card.json ────────►│
    │◄───────────────── AgentCard ──┤
    │                               │
    ├─ POST /tasks ─────────────────►│ (task.status = submitted)
    │                               ├─ list_dns_records()
    │                               ├─ create_dns_record()
    │                               ├─ validate_dns()
    │                               └─ check_propagation()
    │◄─────── task.status = completed│

Interactive mode

python examples/a2a_demo/demo_a2a.py

Type requests that the DevOps Agent can delegate to either agent:

> Create the blog subdomain pointing to 192.168.0.10
> Is the SSL on nicolasneira.com still valid?
> List all current DNS records
> Check the status of https://nicolasneira.com