Static IPs for Government API Whitelisting: HMRC, ZATCA, IRS, and Beyond

QuotaGuard Engineering
April 24, 2026

Point your cloud app at QuotaGuard Shield, submit the static IP to the agency's allowlist, and your government API traffic stays encrypted end-to-end.

Government APIs almost always require a static source IP. Tax authorities, customs agencies, e-invoicing platforms, and benefits systems run IP allowlists on their production endpoints. Your cloud app gets rotating outbound IPs by default. That mismatch is what breaks the connection, and it's why a question like "how do I connect to the government API from Azure when they need to whitelist my IP" keeps showing up on Microsoft's own community forums.

Government APIs Allowlist Source IPs to Satisfy Audit and Security Requirements

The pattern is the same across every jurisdiction. The agency publishes an API for tax filings, customs declarations, e-invoice clearance, benefits enrollment, or regulatory reporting. Before they let your system talk to production, they require you to register the IP addresses your requests will come from. Every call from an unregistered IP is rejected at the edge.

The reason is half security and half audit. The agency needs to know which business is making which call, and a registered IP tied to a registered taxpayer or operator is part of the chain of evidence. For some regimes the IP is also the firewall rule, full stop. If the address isn't on the list, the packet doesn't reach the API gateway.

Cloud platforms collide with this. App Service, Lambda, Functions, Cloud Run, Heroku dynos, and container platforms all draw outbound IPs from large shared pools. The address changes on deploy, on scale events, and on platform maintenance. That's fine for calling commercial APIs. It's the exact wrong shape for a system that expects one stable address per registered operator.

Shield Uses SSL Passthrough So Tax and Citizen Data Stays Encrypted End-to-End

QuotaGuard has two products. Static is the standard HTTP/HTTPS proxy. Shield uses SSL passthrough, which means the TLS connection runs end-to-end between your app and the agency. QuotaGuard routes the packets without ever decrypting the payload.

For government API integrations, Shield is almost always the right choice. The data you're sending is regulated: tax filings, citizen identifiers, health records, customs declarations, VAT invoices, benefits claims. If your compliance team or your customer's compliance team asks whether a third-party proxy sits in the middle of the TLS handshake and can see the data, the answer with Shield is no. QuotaGuard never decrypts it.

That distinction matters for HIPAA, PCI-DSS, and SOC 2 controls. It also matters for the internal review process at most banks, insurers, healthcare operators, and government contractors. Shield removes an entire category of question from that review.

Tax Authorities and Regulators Run the Most Common Whitelist Regimes

Saudi Arabia's ZATCA e-invoicing platform (FATOORA) is a concrete example. Phase 2 onboarding checklists explicitly include "ensure server IP whitelisting and firewall permissions" as a required step before integration with the clearance API. Every B2B invoice has to be submitted to ZATCA for clearance via API, and that API is IP-gated. The same pattern applies to many other national e-invoicing platforms rolling out across the Gulf, Europe, and Latin America.

The broader pattern covers tax filing APIs (VAT, payroll, corporate), customs declaration systems, e-invoicing clearance platforms, benefits eligibility checks, healthcare claims portals, and regulatory reporting endpoints. Any time an agency API sits behind "submit the IPs your system will connect from," a static outbound IP is what unblocks it.

QuotaGuard tip: most integrations use both a sandbox and a production endpoint with separate allowlists. Register the same QuotaGuard IP against both. Don't try to proxy sandbox traffic and not proxy production traffic. That's how teams end up with "it worked in staging" tickets that take days to untangle.

Setup Takes 2 Minutes. Submit the IP to the Agency Onboarding Portal

Sign up for QuotaGuard Shield. Set the environment variable on your app:

QUOTAGUARDSHIELD_URL=https://username:password@us-east-shield-01.quotaguard.com:9294

The us-east-shield-01 portion is the region. Pick the region closest to the government endpoint you're calling. For ZATCA, that's typically eu-central-shield-01 (Frankfurt) or a Gulf-facing region. For HMRC in the UK, eu-west-shield-01 (Ireland). For IRS endpoints, us-east-shield-01 (N. Virginia). QuotaGuard runs in 10 AWS regions and you can pick whichever is nearest to your destination.

Point your HTTP client at the proxy. In Python:

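import os
import requests

# Route HTTPS traffic through Shield. The URL embeds the proxy
# credentials, so read it from the environment and never log it.
proxies = {
    'https': os.environ['QUOTAGUARDSHIELD_URL']
}

response = requests.post(
    'https://api.agency.gov.example/clearance/submit',
    json={'invoice': '...'},
    proxies=proxies,
    cert=('client-cert.pem', 'client-key.pem'),  # if mutual TLS is required
    timeout=30  # requests has no default timeout; don't hang on a stalled call
)
response.raise_for_status()  # surface 4xx/5xx instead of continuing silently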

In .NET:

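using System;
using System.Net;
using System.Net.Http;
using System.Text;

var proxyUrl = Environment.GetEnvironmentVariable("QUOTAGUARDSHIELD_URL");
var uri = new Uri(proxyUrl);
// Split on the first ':' only, so a password containing ':' stays intact.
var userInfo = uri.UserInfo.Split(new[] { ':' }, 2);

var handler = new HttpClientHandler
{
    Proxy = new WebProxy
    {
        Address = new Uri($"https://{uri.Host}:{uri.Port}"),
        // UserInfo is percent-encoded in the URL; decode before use.
        Credentials = new NetworkCredential(
            Uri.UnescapeDataString(userInfo[0]),
            Uri.UnescapeDataString(userInfo[1]))
    },
    UseProxy = true
};

var client = new HttpClient(handler);
// Request body for the submission (placeholder payload).
var content = new StringContent("{\"invoice\": \"...\"}", Encoding.UTF8, "application/json");
var response = await client.PostAsync(
    "https://api.agency.gov.example/clearance/submit",
    content
);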

Make a test request and check the source IP the agency sees. QuotaGuard's dashboard also shows your assigned IPs directly. Submit that IP through whatever onboarding portal the agency runs. Most portals want the IP in CIDR notation, so a single address is X.X.X.X/32.

Once the allowlist propagates on the agency side, production calls work.
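The test-request step above and the earlier tip about registering the same IP for sandbox and production can be turned into a deploy-time preflight. This is an added example, not QuotaGuard's code: the function names, the caller-supplied `fetch_egress_ip` callable (one request through the proxy to an IP echo endpoint of your choice), and the documentation-range IPs are all assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def redact_proxy_url(proxy_url):
    """Mask the password in a proxy URL so it can be logged safely."""
    p = urlsplit(proxy_url)
    netloc = p.hostname or ""
    if p.port:
        netloc = f"{netloc}:{p.port}"
    if p.username:
        netloc = f"{p.username}:***@{netloc}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def as_cidr(ip):
    """Single address in CIDR form: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def egress_is_registered(observed_ip, registered_cidrs):
    """True if the observed source IP is inside any registered range."""
    addr = ipaddress.ip_address(observed_ip)
    nets = (ipaddress.ip_network(c, strict=False) for c in registered_cidrs)
    return any(addr.version == n.version and addr in n for n in nets)


def preflight(proxy_url, allowlists, fetch_egress_ip):
    """Check the proxied egress IP against every environment's allowlist.

    allowlists maps an environment name to the CIDRs registered with the agency.
    fetch_egress_ip (hypothetical, caller-supplied) makes one request through
    the proxy to an IP echo endpoint and returns the address it reports.
    """
    observed = fetch_egress_ip(proxy_url)
    return {
        "proxy": redact_proxy_url(proxy_url),
        "observed": as_cidr(observed),
        "missing_from": sorted(env for env, cidrs in allowlists.items()
                               if not egress_is_registered(observed, cidrs)),
    }


if __name__ == "__main__":
    # Constructed sample values: documentation-range IPs, placeholder credentials.
    report = preflight(
        "https://username:password@us-east-shield-01.quotaguard.com:9294",
        {"sandbox": ["203.0.113.10/32"], "production": ["198.51.100.0/28"]},
        lambda _url: "203.0.113.10",
    )
    print(report)  # fail the deploy if report["missing_from"] is non-empty
```

Run it in CI before promoting a build: a non-empty `missing_from` means the egress IP is registered in one environment but not the other.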

Dedicated IPs Cover Agencies That Reject Shared Proxy Ranges

Every Shield plan ships with static IPs, but the default tier gives you IPs from a shared pool. A small number of agencies specifically reject anything that looks like a known proxy or shared hosting range. Their threat model is fraud or impersonation, and shared infrastructure gets pre-blocked regardless of the actual traffic.

Shield Enterprise includes dedicated IPs that are assigned to your account only. If an agency rejected a shared-range IP during their onboarding checks, a dedicated IP usually clears the check. Dedicated IPs are Enterprise-only on both Static and Shield.

If you're building against an agency API and you don't know yet whether they'll accept a shared IP, start on a Starter or Production plan, run the onboarding submission, and upgrade to Enterprise only if the agency flags the IP. Most don't.

QuotaGuard Shield Pricing Starts at $29 per Month Direct

Shield direct plans at quotaguard.com: Starter at $29/month, Production at $59/month, Business at $109/month, Enterprise at $259/month. Dedicated IPs are Enterprise-only.

Trials are 3 days on standard plans and 7 days on Enterprise. A credit card is required to start the trial.

For a single government API integration, Starter or Production usually covers it. If you operate on behalf of many customers (a tax-tech or invoicing vendor, for example), Enterprise with dedicated IPs is the plan that keeps each customer cleanly separated on the audit trail.

Pricing and signup: quotaguard.com/products/pricing

Shield product page: quotaguard.com/products/quotaguard-shield
