If you're running apps on Koyeb and need to connect to a database or API that requires IP whitelisting, you've probably discovered the problem: Koyeb doesn't provide static outbound IP addresses.
This guide explains why that matters, what your options are, and how to set up a static IP proxy for your Koyeb services in about 10 minutes.
The Problem: Koyeb's Dynamic IP Ranges
Koyeb runs your containers on shared infrastructure. When your app makes an outbound request, it comes from one of many IP addresses in their pool. These IPs rotate and change without notice.
Koyeb's documentation is explicit about this limitation:
"We do not currently provide a list of static outbound IP addresses that your Services may be deployed to... IP addresses may be added or removed from the pool without notice."
They offer a workaround: query their DNS records to get current IP ranges and whitelist those. The problem? You'd need to whitelist dozens of IPs that can change at any time. Most security teams won't accept that.
When You Actually Need Static IPs
Not every Koyeb app needs static IPs. Here's when you do:
- MongoDB Atlas, Amazon RDS, or Supabase with IP access lists enabled
- Corporate APIs behind firewalls that only allow known IPs
- Banking and financial services that require IP verification
- Legacy SOAP services that whitelist clients
- Compliance requirements that need auditable egress points
If you're just calling public APIs like Stripe, Twilio, or SendGrid, you probably don't need this.
The Solution: HTTP/SOCKS Proxy
The standard approach is routing your outbound traffic through a proxy service that provides static IPs. Your Koyeb app connects to the proxy, and the proxy forwards your request using a fixed IP address.
Here's how it works:
Koyeb App (dynamic IP) → Proxy Service → External API (sees static IP)The external API only sees the proxy's IP address, which is static and can be whitelisted permanently.
Setting Up QuotaGuard with Koyeb
I'll walk through the setup using QuotaGuard, since that's what I run. The concepts apply to any HTTP proxy service.
Step 1: Get Your Proxy URL
After creating an account, you'll get a proxy URL that looks like this:
http://username:password@us-east-static-01.quotaguard.com:9293You'll also see your two static IP addresses. These never change, so you can whitelist them immediately.
Step 2: Add the Proxy URL to Koyeb Secrets
Store your credentials securely using Koyeb's secrets feature:
koyeb secret create QUOTAGUARDSTATIC_URL --value "http://user:pass@proxy.quotaguard.com:9293"Step 3: Reference the Secret in Your Service
Pass the secret as an environment variable when you deploy:
koyeb service update my-app/my-service \
--env "QUOTAGUARDSTATIC_URL=@QUOTAGUARDSTATIC_URL"Step 4: Configure Your HTTP Client
Here's how to use the proxy in common languages:
Python (requests)
import os
import requests
proxy_url = os.environ.get('QUOTAGUARDSTATIC_URL')
proxies = {
'http': proxy_url,
'https': proxy_url
}
response = requests.get('https://api.example.com/data', proxies=proxies)
print(response.json())Node.js (axios)
const axios = require('axios');
const { HttpsProxyAgent } = require('https-proxy-agent');
const proxyUrl = process.env.QUOTAGUARDSTATIC_URL;
const agent = new HttpsProxyAgent(proxyUrl);
axios.get('https://api.example.com/data', { httpsAgent: agent })
.then(response => console.log(response.data));Install the proxy agent first: npm install https-proxy-agent
Go
package main
import (
"net/http"
"net/url"
"os"
)
func main() {
proxyURL, _ := url.Parse(os.Getenv("QUOTAGUARDSTATIC_URL"))
client := &http.Client{
Transport: &http.Transport{
Proxy: http.ProxyURL(proxyURL),
},
}
resp, _ := client.Get("https://api.example.com/data")
defer resp.Body.Close()
}Database Connections (SOCKS5)
HTTP proxies work for API calls, but database connections use different protocols. For PostgreSQL, MySQL, or MongoDB, you need a SOCKS5 proxy.
QuotaGuard provides SOCKS5 on port 1080. Here's a Python example connecting to PostgreSQL:
import os
import socks
import socket
import psycopg2
# Configure SOCKS proxy globally
socks.set_default_proxy(
socks.SOCKS5,
"us-east-static-01.quotaguard.com",
1080,
username=os.environ.get('QUOTAGUARD_USER'),
password=os.environ.get('QUOTAGUARD_PASS')
)
socket.socket = socks.socksocket
# Now connect to your database normally
conn = psycopg2.connect(
host='your-database.example.com',
database='mydb',
user='dbuser',
password='dbpass'
)Install PySocks: pip install PySocks
Testing Your Setup
Before whitelisting IPs in production, verify the proxy is working. Make a request to ip.quotaguard.com, which returns your outbound IP:
curl -x $QUOTAGUARDSTATIC_URL https://ip.quotaguard.com
# Returns: {"ip":"52.34.188.175"}The IP should match one of the static IPs in your QuotaGuard dashboard.
Latency Considerations
Adding a proxy means adding a network hop. In practice:
| Configuration | Additional Latency |
|---|---|
| Same region (Koyeb fra + QG EU) | 10-20ms |
| Cross-region | 50-100ms |
For most API and database workloads, this is negligible. If latency is critical, match your proxy region to your Koyeb region.
Alternatives
Koyeb recommends third-party proxy services in their documentation. Your main options are:
- QuotaGuard (that's us). HTTP and SOCKS5 proxies, 10 AWS regions, starts at $19/month.
- Fixie. Similar offering, Heroku-focused but works with Koyeb.
- Noble IP. Smaller player, simpler pricing.
All three solve the same problem. The main differentiators are regional coverage, protocol support (HTTP vs SOCKS), and compliance features.
Next Steps
If your Koyeb app needs to connect to IP-restricted services, here's your path forward:
- Sign up for a proxy service and get your static IPs
- Whitelist those IPs in your database or API provider
- Add the proxy URL to Koyeb secrets
- Update your HTTP client to use the proxy
- Test with
ip.quotaguard.com
The whole process takes about 10 minutes. Once it's set up, you won't have to think about IP whitelisting again.
Ready to get started? Check out our Koyeb integration page or view the full documentation.
.webp)
