Docker and Kubernetes Egress: Static IPs Without NAT Infrastructure

Containers are great for running workloads. They're less great for controlling outbound IP addresses. Whether you're on ECS, EKS, GKE, or self-hosted Kubernetes, your container's egress IP depends on the node it's running on, the network plugin, and whatever NAT is happening between your pod and the internet.

If a partner, vendor, or customer needs to whitelist your outbound IP, this becomes a real infrastructure problem.

The Container Egress Problem

In Kubernetes, pods get IP addresses from the cluster's network CIDR. Those IPs are internal. When a pod makes an outbound request to the internet, the source IP gets translated (NAT'd) to the node's IP or, in managed services, to an IP from the cloud provider's NAT pool.

Amazon EKS pods egress through the node's primary ENI by default. The node's public IP is the source. But nodes are autoscaled. Each new node gets a different IP. You can't predict which node your pod will run on, so you can't predict the outbound IP.

Google GKE is similar. Pods egress through the node's IP. Nodes in a node pool share a pool of external IPs, but those rotate as nodes scale up and down.

Amazon ECS (Fargate) assigns task-level ENIs, but the public IP is ephemeral. It changes every time a task is restarted or redeployed. ECS on EC2 uses the container instance's IP, which has the same node-rotation problem as EKS.

Self-hosted Kubernetes depends entirely on your network setup. If your nodes are behind a NAT gateway with a static IP, you're already covered. If they're not, you have the same problem.

The Cloud-Native Fix

Each cloud provider offers a way to get static egress IPs, but it involves real infrastructure:

AWS: Create a VPC with private subnets. Attach a NAT Gateway with an Elastic IP. Route your EKS/ECS subnets through the NAT Gateway. Cost: ~$32/month for the NAT Gateway plus $0.045/GB data processing, plus the private subnet and routing table configuration.

GCP: Set up Cloud NAT with a reserved static IP. Attach it to the VPC your GKE cluster runs in. Cost: ~$32/month plus data processing charges.

Azure: Use a NAT Gateway with a static public IP on the subnet running your AKS cluster. Cost: ~$32/month plus data processing.

In all three cases, you're adding NAT infrastructure that applies to all egress traffic from the subnet, not just the specific connections that need static IPs. You're also managing VPC routing, subnet configuration, and NAT gateway monitoring.

For clusters that already have this infrastructure for other reasons, adding your containers to the private subnet is straightforward. For teams running containers on simpler setups (or on Fargate, which has limited VPC control), adding all this infrastructure just for IP whitelisting is overhead.

The Proxy Approach

Add QuotaGuard as a proxy for the specific outbound connections that need static IPs. No NAT gateway. No subnet reconfiguration. Set an environment variable on the container and route the relevant requests through it.

Kubernetes Deployment

Add the proxy URL as an environment variable in your pod spec:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
        - name: my-app
          image: my-app:latest
          env:
            - name: QUOTAGUARD_URL
              valueFrom:
                secretKeyRef:
                  name: quotaguard-secret
                  key: proxy-url

Store the proxy URL in a Kubernetes secret:

kubectl create secret generic quotaguard-secret \
  --from-literal=proxy-url='http://user:pass@proxy.quotaguard.com:9293'

Application Code (Python)

import os
import requests

proxy_url = os.environ.get('QUOTAGUARD_URL')

def call_firewalled_api(url, data):
    proxies = {'http': proxy_url, 'https': proxy_url}
    return requests.post(url, json=data, proxies=proxies)

def call_public_api(url):
    return requests.get(url)  # No proxy needed

Application Code (Go)

package main

import (
    "net/http"
    "net/url"
    "os"
)

func newProxiedClient() *http.Client {
    proxyURL, _ := url.Parse(os.Getenv("QUOTAGUARD_URL"))
    return &http.Client{
        Transport: &http.Transport{
            Proxy: http.ProxyURL(proxyURL),
        },
    }
}

ECS Task Definition

For ECS, add the environment variable to your task definition:

{
  "containerDefinitions": [
    {
      "name": "my-app",
      "image": "my-app:latest",
      "environment": [
        {
          "name": "QUOTAGUARD_URL",
          "value": "http://user:pass@proxy.quotaguard.com:9293"
        }
      ]
    }
  ]
}

For production, use ECS secrets with AWS Secrets Manager instead of plaintext environment variables.

Docker Compose (Local Development)

services:
  my-app:
    image: my-app:latest
    environment:
      - QUOTAGUARD_URL=${QUOTAGUARD_URL}

QGTunnel for TCP Connections

If your containers need to reach a firewalled database, SFTP server, or other TCP service, add QGTunnel to your container image:

FROM python:3.12-slim

WORKDIR /app
COPY . .

# Add QGTunnel
RUN curl https://s3.amazonaws.com/quotaguard/qgtunnel-latest.tar.gz | tar xz

# Wrap the application startup
CMD ["bin/qgtunnel", "python", "app.py"]

Create the tunnel configuration in the QuotaGuard dashboard, download the .qgtunnel config file, and include it in your container image. Your database connection strings stay the same with transparent mode.

Selective Proxying

Most container egress doesn't need a static IP. Internal service-to-service calls, pulls from container registries, calls to public APIs. Only the specific connections to firewalled services need to route through the proxy.

Keep your proxy usage targeted to the connections that actually require it. This minimizes latency and bandwidth costs on the proxy.

Getting Started

Sign up for QuotaGuard Static. Add the proxy URL as a secret in your Kubernetes cluster or ECS task definition. Update your application code to use the proxy for firewalled connections. Give your partners the two static IPs from the dashboard.

QuotaGuard Static starts at $19/month. For compliance requirements, QuotaGuard Shield starts at $29/month with SSL passthrough for end-to-end encryption.

QuotaGuard Static IP Blog

Practical notes on routing cloud and AI traffic through Static IPs.

Tutorials & Integration Guides

Give Google App Engine a Static Outbound IP for Firewall Allowlisting

Route Google App Engine outbound traffic through QuotaGuard Static and get a fixed IP your firewall rules can trust. Setup takes 2 minutes.

Docker and Kubernetes Egress: Static IPs Without NAT Infrastructure

The Container Egress Problem

The Cloud-Native Fix

The Proxy Approach

Kubernetes Deployment

Application Code (Python)

Application Code (Go)

ECS Task Definition

Docker Compose (Local Development)

QGTunnel for TCP Connections

Selective Proxying

Getting Started

QuotaGuard Static IP Blog

Give Google App Engine a Static Outbound IP for Firewall Allowlisting

Give Airtable Automations a Static Outbound IP for Firewall Allowlisting

Give Your Groq API Calls a Static IP to Bypass Cloudflare Blocks

Static IPs for Government API Whitelisting: HMRC, ZATCA, IRS, and Beyond

Give GKE Workloads a Stable Outbound IP Without NAT Gateways or Node Management

Why Cloud Hosting Gives You a Dynamic Outbound IP

Connect Replit to Azure SQL Server With a Static IP Using QGTunnel

Firewalls Require Static IPs ... and That Requirement Survives Every New Architecture

Fix Gemini API "Blocked IP Address" Errors With a Static Outbound IP

Fix Facebook API "This IP Can't Make Requests" Errors on Heroku With a Static IP

Give GitHub Actions a Static Outbound IP for Artifactory and Firewall Whitelisting

Give Your Python WooCommerce Script a Static IP Your Firewall Can Whitelist

Fixed Outbound IP for Loveable Apps Calling the Binance API

Interactive Brokers API Static IP: Fix IP Restrictions for Cloud Deployments

Kotak Neo Static IP: Fix Your Trading API After the SEBI Deadline

Kite Connect Static IP: Fix Your Zerodha Bot on Heroku or Railway

Fix Upstox "Static IP Restriction" Block on Your Cloud Bot

Dhan API Static IP: Fix Your Cloud Bot After the SEBI Deadline

SEBI's Static IP Mandate Is Live: Fix Your Cloud Trading Bot Now

Bybit API 403 on Cloud Platforms: It's a CDN Block, Not an Auth Error

Static IP for Crypto Trading Bots: Binance, OKX, Bybit, Kraken, and Bitfinex

OKX API Key Keeps Getting Deleted? Fix the 14-Day Auto-Deletion Problem

Binance API IP Whitelist: Fix Key Expiry and Enable Withdrawals on Cloud Platforms

Zapier Static IP: Allowlist Zapier's Outbound Requests in 10 Minutes

Fly.io Static Outbound IP: The Complete Fix (Including Deploys)

Vercel Static Outbound IP: Fix GitHub and Prismic Allowlisting Without Paying $100/Month

Give Your MCP Server a Static Egress IP for Enterprise Allowlisting

QuotaGuard Is Listed on AWS Marketplace and Counts Toward Your Committed Spend

Static IP for Vapi.ai Voice Agents: Fix Firewall Blocks on Custom LLM and Webhook Traffic

GKE Autopilot Static IP for Egress Traffic: Fixed Outbound IP Without NAT Gateway Complexity

Static IP on No-Code Platforms: Why Some Work and Some Don't

Why Your Legitimate Cloud App Gets Blocked as a Bot (And How to Check)

Proximo Down Again? Migrate to a Static IP Proxy That Has Support

Connect a Heroku App to AWS RDS with a Static IP

Retool Static IP: Connect Retool to Firewalled Databases and APIs

Railway Static IP: Fixed Egress for Railway Apps in 10 Minutes

Static Egress IP for DigitalOcean Kubernetes (DOKS): Three Options Compared

Google Cloud Run Static IP: Why Cloud NAT Causes Timeouts (and the Simpler Fix)

n8n Cloud Static IP: Fixed Egress in 10 Minutes

AWS Lambda Static IP Without NAT Gateway: Save $70+/Month

Your Replit App's IP Address Changes Every Deployment. Here's the Fix.

How to Route PyMongo Through a SOCKS Proxy on PythonAnywhere, Netlify, and Other Platforms That Restrict Custom Binaries

Why Your MongoDB Connection Is Eating Your SOCKS Proxy Bandwidth (And How to Fix It)

How to Add Static IPs to Apps Built with Emergent AI

Heroku Is Entering "Sustaining Engineering" Mode. Here's What That Means for Your Static IPs.

Docker and Kubernetes Egress: Static IPs Without NAT Infrastructure

Sending Webhooks to Firewalled Endpoints: Why Your Outbound IP Matters

SFTP from Serverless: How to Get a Static IP for File Transfer

Salesforce API and Trusted IP Ranges: Static IPs for Serverless Integrations

Static IPs for Google Cloud Functions and Cloud Run

GitHub Actions and Static IPs: Deploying to Firewalled Servers from CI/CD

QGTunnel: Static IPs for Database Connections, FTP, SFTP, and Other TCP Traffic

AI Agents and Firewall Whitelisting: Static IPs for LLM-Powered Workflows

Static IPs for Azure Functions, Data Factory, and Power Automate

SOC 2 Egress Control: How Static IPs Help You Pass the Network Security Question

GDPR Data Residency: Why Your Proxy Infrastructure Matters

PCI-DSS Requirement 4 and Proxies: Why SSL Passthrough Matters for Payment Traffic

HIPAA-Compliant Static IPs: How SSL Passthrough Keeps PHI Encrypted in Transit

The Real Cost of Static IPs: NAT Gateway vs. Proxy Service vs. Rolling Your Own

Static IPs on Netlify and Railway: What's Available and What's Not

Render's /24 Static IP Range: When 256 Addresses Is Too Many

Heroku's Rotating IPs: How to Get a Static IP Without Private Spaces

Serverless Functions and IP Whitelisting: The 0.0.0.0/0 Trap

Make/Integromat and IP Whitelisting: Why Zone Detection Isn't Enough

n8n Cloud and Static IPs: How to Whitelist When You Have 22 Rotating Addresses

Zapier and Static IPs: How to Whitelist a Zap Without Opening Your Firewall to All of AWS

How to Fix Ruby DNS Resolution Errors When Using QGTunnel with Third-Party APIs