Why Cloud Hosting Gives You a Dynamic Outbound IP

We hear the same thing from customers every week. They've picked a modern PaaS like Render, Railway, Fly.io, Heroku, you name it and and then hit a wall: their app calls an external API that requires a fixed source IP for firewall allowlisting, and their hosting provider gives them a different IP on every deploy, every restart, sometimes every request.

The platform isn't broken. It's working exactly as designed. Understanding why helps you fix it fast.

Cloud Platforms Assign Dynamic IPs Because That's the Architecture

Modern cloud platforms run workloads on shared, autoscaling infrastructure. Your container spins up on whatever host node has capacity. The node has a shared IP pool. Your app gets whatever egress IP that node is using at that moment.

This isn't a cost-cutting shortcut. It's the architecture that makes autoscaling work. If every container had a dedicated IP, the host would need to hold a routable IPv4 address in reserve for every possible scale-out slot — before the app even needs it. IPv4 addresses cost money. There are only 4.3 billion of them and almost all are allocated. A platform that needs to spin up 10,000 containers on demand can't pre-provision 10,000 static IPs.

Some platforms do offer static egress as a premium feature. Fly.io has dedicated egress IPs at the enterprise tier. Render has static outbound IPs on their paid plans. But even when a platform offers it, you're often locked into their pricing, their infrastructure, and their support queue. And if you run apps on multiple platforms, or switch platforms, you're back to square one.

A Proxy Solves the Problem Across Every Platform at Once

The fix isn't to find a host that does static IPs natively. The fix is to route your outbound traffic through a proxy that always exits from the same IP. Your app runs wherever it runs. The proxy provides the consistent identity that downstream firewalls care about.

QuotaGuard Static is that proxy. It runs on AWS infrastructure. You get two static IPs (for redundancy), and they never change unless you ask us to change them. You give your firewall team those two IPs, they add them to the allowlist, and you're done.

QuotaGuard tip: from our support tickets, the most common misconfiguration is routing all outbound traffic through the proxy instead of just the calls that need allowlisting. Route selectively. It's faster and far easier to debug when something goes wrong.

Setup Takes About Two Minutes on Any Cloud Platform

Add the add-on or sign up at quotaguard.com. Copy the QUOTAGUARDSTATIC_URL environment variable into your app's config. Point your HTTP client at it for the calls that need the fixed IP. Done.

Here's what that looks like in Python using requests:

import os
import requests

proxy_url = os.environ.get("QUOTAGUARDSTATIC_URL")

proxies = {
    "http": proxy_url,
    "https": proxy_url,
}

response = requests.get("https://api.example.com/data", proxies=proxies)

Node.js with https-proxy-agent:

import { HttpsProxyAgent } from "https-proxy-agent";
import https from "https";

const proxyUrl = process.env.QUOTAGUARDSTATIC_URL;
const agent = new HttpsProxyAgent(proxyUrl);

https.get("https://api.example.com/data", { agent }, (res) => {
  // handle response
});

Ruby with Net::HTTP:

require "uri"
require "net/http"

proxy = URI.parse(ENV["QUOTAGUARDSTATIC_URL"])

Net::HTTP.new("api.example.com", 443,
  proxy.host, proxy.port,
  proxy.user, proxy.password
).tap do |http|
  http.use_ssl = true
end

Same pattern on Heroku, Render, Railway, Fly.io, AWS Lambda, Kubernetes — the environment variable is the same, the code is the same, the IPs are the same.

Regulated Industries Need Shield Instead of Static

If your app handles financial data, health records, payment information, or anything covered by HIPAA or PCI-DSS, use QuotaGuard Shield instead of Static.

Shield uses SSL passthrough. The TLS connection runs end-to-end between your app and the destination. QuotaGuard routes the packets but never decrypts them. That's what satisfies the HIPAA requirement that a third-party intermediary not have access to PHI in transit. It also satisfies PCI-DSS controls around data handling by third parties.

The setup is identical. The environment variable is QUOTAGUARDSHIELD_URL instead of QUOTAGUARDSTATIC_URL. The IPs are stable and allowlistable just the same.

Pricing Starts at $19 Per Month and Scales With Traffic

Direct plans: Starter ($19/mo), Production ($49/mo), Business ($89/mo), Enterprise ($219/mo). Enterprise is the only tier with dedicated IPs — if someone on your team is asking about dedicated IPs for a non-enterprise workload, that's worth a conversation about whether you actually need them.

On Heroku marketplace the tiers are Starter (free), Spike ($5/mo), Micro ($19/mo), Medium ($49/mo), Large ($89/mo), Enterprise ($219/mo).

Trial is three days on standard plans, seven days on Enterprise. Credit card required either way.

See full pricing here.

Gigalixir Apps Get QuotaGuard as a Native Add-On

If you're running Elixir, Phoenix, Ruby, Node.js, Python, or Go on Gigalixir, QuotaGuard Static is available directly as an add-on. Gigalixir is a production-stable PaaS with zero-downtime deploys, managed PostgreSQL, and per-second billing. The same dynamic IP problem applies there, and the same proxy fix works. Add QuotaGuard Static from the Gigalixir add-on marketplace and set the environment variable.

Your Firewall Allowlist Works as Soon as Your App Routes Through QuotaGuard

The platform's dynamic IP architecture isn't going away. It's a feature, not a bug — it's why autoscaling works. The right answer isn't to find a host that pins your container to a dedicated IP. The right answer is a proxy layer that decouples your app's hosting from the outbound identity your firewall cares about.

Two static IPs. One environment variable. Two minutes of setup. That's the fix.

Get started with QuotaGuard Static or QuotaGuard Shield if you need HIPAA or PCI-DSS compliance.