Static Egress IP for DigitalOcean Kubernetes (DOKS): Three Options Compared

DigitalOcean Kubernetes has three ways to give your pods a static egress IP. Here's how they compare on cost, complexity, and what each one actually covers.

Your Three Options

Option 1: VPC NAT Gateway + Routing Agent (DigitalOcean native, recently GA'd). This is now the officially recommended approach. You create a VPC NAT Gateway, then use DOKS's routing agent to redirect all outbound cluster traffic through it. All pods on all nodes exit through the same static IP.

Option 2: Egress Droplet with a Reserved IP (older pattern, still works). You create a Droplet, assign it a DigitalOcean Reserved IP, enable IP forwarding on it, and configure iptables NAT rules so the Droplet masquerades outbound traffic behind the Reserved IP. Then you add static routes on your cluster nodes pointing default traffic through the Droplet's private IP. Every pod on those nodes exits through the Reserved IP. It works, but you're managing the NAT instance yourself. If the Droplet goes down, your egress goes down with it. DigitalOcean has a blueprint for this pattern if you want to follow their reference setup.

Option 3: QuotaGuard HTTP Proxy (application-level, no infrastructure changes). Add an environment variable to your deployment. Traffic from that specific service routes through two static IPs. Nothing else in your cluster changes.

What Each Option Actually Costs

DigitalOcean's VPC NAT Gateway runs $40/month per gateway, which includes 100 GiB of outbound transfer. Overage is $0.01/GiB. If your cluster is in multiple regions, that's $40 per region. The routing agent itself is free.

The egress Droplet approach costs whatever the Droplet costs (the cheapest option is around $6/month) plus the Reserved IP. If the Droplet is actively in use, the Reserved IP is included. You're also taking on the operational overhead of managing a NAT instance yourself.

QuotaGuard starts at $19/month on the Micro plan for shared IPs. That gives you two static IPs in a load-balanced pair with automated failover. It works across all your environments — Dev, Staging, Production — with the same IP pair and the same one-line configuration.

When to Use the Native NAT Gateway

The DO NAT Gateway makes sense when you want all outbound traffic from the entire cluster to exit through a single IP, you're only running on DigitalOcean, and you're fine paying $40/month per region for a managed service. It's the right call if you need to route non-HTTP traffic (database connections, custom TCP protocols) through a fixed IP and you don't want to manage a proxy at the application level.

The routing agent setup requires a few kubectl commands and a Helm chart. It's not complicated, but it touches your cluster's network routing globally. Every pod on every node routes through it. That's intentional if you want cluster-wide static egress. It's overkill if you only need one or two services to reach a firewalled API.

When to Use QuotaGuard Instead

The proxy approach is the better fit when you want to be selective about which services use the static IP — when you only need a fixed IP for one or two deployments calling a specific API, not for all cluster traffic. It's also the better option when you're running across multiple clouds or want the same static IPs to work on your Heroku, Render, or AWS workloads alongside DOKS. One account, same two IPs, everywhere.

Setup is a Kubernetes Secret and two environment variables in your deployment manifest. No Helm charts, no routing changes, no impact on other pods.

kubectl create secret generic quotaguard-proxy \
  --from-literal=QUOTAGUARDSTATIC_URL="http://username:password@us-east-static-01.quotaguard.com:9293"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-api-service
spec:
  template:
    spec:
      containers:
      - name: app
        image: your-image
        env:
        - name: QUOTAGUARDSTATIC_URL
          valueFrom:
            secretKeyRef:
              name: quotaguard-proxy
              key: QUOTAGUARDSTATIC_URL
        - name: HTTP_PROXY
          valueFrom:
            secretKeyRef:
              name: quotaguard-proxy
              key: QUOTAGUARDSTATIC_URL
        - name: HTTPS_PROXY
          valueFrom:
            secretKeyRef:
              name: quotaguard-proxy
              key: QUOTAGUARDSTATIC_URL

Most languages pick up HTTP_PROXY and HTTPS_PROXY automatically. Python's requests library, Go's net/http, and Ruby's Net::HTTP all respect them. Node.js doesn't — you'll need to pass the proxy URL explicitly to your HTTP client. The full Kubernetes integration guide has working examples for each language.

For Database Connections and Non-HTTP Traffic

If you need a static IP for a PostgreSQL connection or any other non-HTTP protocol, the proxy approach alone won't cover it. HTTP proxies only handle HTTP/HTTPS traffic. For that case, QGTunnel — QuotaGuard's sidecar container — handles non-HTTP protocols without changing your connection strings. It runs as a sidecar in your pod and intercepts traffic at the network level.

The DO NAT Gateway handles this natively since it operates at the infrastructure level below the application stack.

Inbound Static IPs: When External Services Call Into Your Cluster

Everything above covers outbound traffic — your pods calling external APIs. There's a second problem that comes up with any two-way integration: external services sending webhooks or callbacks into your cluster also come from shifting IP ranges. Your firewall needs to allowlist them, but you can't pin down a moving target.

QuotaGuard Shield solves it by funneling those inbound requests through a fixed pair of static IPs. You allowlist two IPs on your firewall instead of chasing a changing range from the external service. For any DOKS workload receiving webhooks or callbacks — payment providers, CI/CD systems, third-party APIs — Shield is worth adding alongside the outbound setup.

Quick Decision Guide

Use the DO NAT Gateway if: you want cluster-wide static egress, you need non-HTTP protocol support without a sidecar, and $40/month per region fits your budget.

Use QuotaGuard if: you only need static IPs for specific services, you want the same IPs across multiple cloud platforms, or $19/month is more appropriate than $40/month for your use case.

Use the egress Droplet approach if: you want full control over your NAT instance, you're comfortable managing it yourself, and the managed options are more than you need.

QuotaGuard plans start at $19/month. Dedicated IPs that no other customer shares are available on the Enterprise plan at $219/month. See pricing here.