QuotaGuard and AWS Lambda Integration Guide

Table of contents

QuotaGuard and AWS Lambda Integration Guide

QuotaGuard gives your AWS Lambda functions and other AWS services fixed, load-balanced static IP addresses for both outbound and inbound traffic.

Outbound (Egress): Set two environment variables, update your HTTP client to use the proxy, and every outbound request exits through your static IPs. No VPC changes, no NAT Gateway required. Use this when your Lambda function needs to reach firewalled APIs, databases, or payment processors that require a known source IP.

Inbound (Reverse Proxy): QuotaGuard assigns your application a stable static IP for inbound traffic. External systems — partner APIs, corporate firewalls, payment processors sending webhooks — connect to your QuotaGuard inbound IP, which forwards traffic to your Lambda or application endpoint. Use this when external services need to reach your application from a known, allowlisted destination IP.

Why AWS Workloads Need Static IPs

Outbound: Lambda Has No Fixed Identity

Lambda functions are stateless and ephemeral. AWS assigns them IP addresses dynamically from large shared pools. Every invocation may originate from a different IP address, and those addresses overlap with traffic from thousands of other AWS customers.

This creates problems when your function needs to connect to:

  • External APIs that require IP allowlisting for authentication or rate limiting
  • MongoDB Atlas, AWS RDS, or Aurora clusters behind strict firewall rules
  • Payment processors like Stripe, PayPal, or Braintree with IP-based fraud controls
  • Banking and financial APIs that only accept requests from known IP addresses
  • Corporate systems behind enterprise firewalls with explicit IP allowlists
  • Third-party SaaS platforms that restrict API access by IP

The result is 403 Forbidden or connection refused errors that have nothing to do with your code. Your credentials are valid. Your requests are correctly formed. The external service is blocking Lambda’s dynamic IP ranges.

Inbound: External Systems Need to Reach You

The same dynamic IP problem works in reverse. When external partners, corporate systems, or payment processors need to send traffic to your AWS application, they may require a known, stable destination IP for their own firewall configurations. AWS does not provide a simple static inbound IP for Lambda or serverless workloads.

QuotaGuard’s inbound proxy gives your application a permanent static IP that external systems can target. Webhooks, callbacks, and partner integrations connect to your QuotaGuard inbound IP, which forwards to your actual endpoint. Your endpoint URL can change without notifying external partners. The static IP stays the same.

Common inbound use cases on AWS:

  • Payment webhooks from Stripe, PayPal, or Braintree that require a whitelisted destination
  • Partner API callbacks from systems that only send to known IPs
  • Corporate integrations where your IT team needs to allowlist your application’s IP
  • IoT and device callbacks pre-configured with a fixed destination address

Native Option: NAT Gateway

AWS’s own solution for giving Lambda functions a static outbound IP is to attach them to a VPC and route egress through a NAT Gateway with an Elastic IP.

Feature NAT Gateway QuotaGuard
Monthly base cost ~$33–45/AZ $19/month
Two AZ setup (recommended) ~$70–150+/month $19/month
Data processing fees $0.045/GB None
Setup complexity VPC + subnets + route tables Environment variable
Setup time 1–3 hours ~2 minutes
VPC changes required Yes No
AWS Marketplace billing n/a Yes

Use NAT Gateway if you need all outbound traffic from your VPC to exit through a static IP, including traffic that cannot be routed through an HTTP or SOCKS5 proxy.

Use QuotaGuard if you have specific outbound connections that need a static identity: an external API, a firewalled database, a payment processor. You route those specific calls through the proxy. Everything else continues as normal. This is the common Lambda use case and is significantly cheaper.

Getting Started

After creating a QuotaGuard account, you will be redirected to your dashboard where you can find your proxy credentials and static IP addresses.

Choose the right proxy region. Select the QuotaGuard region that matches your Lambda function’s deployment region to minimize latency.

Lambda Region QuotaGuard Region
us-east-1 (N. Virginia) US-East (N. Virginia)
us-west-1 (Oregon) US-West (Oregon)
ca-central-1 (Montreal) CA-Central (Montreal)
eu-west-1 (Ireland) EU-West (Ireland)
eu-central-1 (Frankfurt) EU-Central (Frankfurt)
ap-northeast-1 (Tokyo) AP-Northeast (Tokyo)
ap-southeast-1 (Singapore) AP-Southeast (Singapore)
ap-southeast-2 (Sydney) AP-Southeast-2 (Sydney)
ap-south-1 (Mumbai) AP-South (Mumbai)
sa-east-1 (Sao Paulo) SA-East (Sao Paulo)

Your proxy URL will look like this:

http://username:password@us-east-static-01.quotaguard.com:9293

Finding Your Static IPs. Your two static IPs are displayed in the QuotaGuard dashboard. Both are active simultaneously for high availability. Add both IPs to any firewall allowlists you are configuring on the target service.

Configuring Lambda for HTTP and HTTPS Traffic

Set your QuotaGuard proxy URL as a Lambda environment variable, then pass it to your HTTP client. This is the complete setup for routing HTTP and HTTPS traffic through your static IPs.

Python (requests) 

import requests
import os

# Set QUOTAGUARDSTATIC_URL as a Lambda environment variable
proxy_url = os.getenv("QUOTAGUARDSTATIC_URL")

proxies = {
    "http": proxy_url,
    "https": proxy_url
}

def lambda_handler(event, context):
    response = requests.get(
        "https://api.your-allowlisted-service.com/data",
        proxies=proxies
    )
    return {
        "statusCode": 200,
        "body": response.json()
    }

Node.js (axios) 

const axios = require("axios");
const { HttpsProxyAgent } = require("https-proxy-agent");

// Set QUOTAGUARDSTATIC_URL as a Lambda environment variable
const proxyUrl = process.env.QUOTAGUARDSTATIC_URL;
const agent = new HttpsProxyAgent(proxyUrl);

exports.handler = async (event) => {
    const response = await axios.get(
        "https://api.your-allowlisted-service.com/data",
        { httpsAgent: agent }
    );
    return {
        statusCode: 200,
        body: JSON.stringify(response.data)
    };
};

Install the required package:

npm install https-proxy-agent

Node.js (native https) 

const https = require("https");
const { HttpsProxyAgent } = require("https-proxy-agent");

const proxyUrl = process.env.QUOTAGUARDSTATIC_URL;
const agent = new HttpsProxyAgent(proxyUrl);

exports.handler = async (event) => {
    return new Promise((resolve, reject) => {
        https.get(
            "https://api.your-allowlisted-service.com/data",
            { agent },
            (res) => {
                let data = "";
                res.on("data", (chunk) => data += chunk);
                res.on("end", () => resolve({
                    statusCode: 200,
                    body: data
                }));
            }
        ).on("error", reject);
    });
};

Java (HttpClient) 

import java.net.*;
import java.net.http.*;
import java.io.IOException;

public class Handler implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {

    private static final String proxyUrl = System.getenv("QUOTAGUARDSTATIC_URL");

    @Override
    public APIGatewayProxyResponseEvent handleRequest(
            APIGatewayProxyRequestEvent event, Context context) throws IOException {

        URI proxyUri = URI.create(proxyUrl);
        InetSocketAddress proxyAddress = new InetSocketAddress(
            proxyUri.getHost(), proxyUri.getPort()
        );

        String userInfo = proxyUri.getUserInfo();
        String[] credentials = userInfo.split(":");

        HttpClient client = HttpClient.newBuilder()
            .proxy(ProxySelector.of(proxyAddress))
            .authenticator(new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(
                        credentials[0], credentials[1].toCharArray()
                    );
                }
            })
            .build();

        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create("https://api.your-allowlisted-service.com/data"))
            .build();

        HttpResponse<String> response = client.send(
            request, HttpResponse.BodyHandlers.ofString()
        );

        return new APIGatewayProxyResponseEvent()
            .withStatusCode(response.statusCode())
            .withBody(response.body());
    }
}

Setting the Environment Variable

In the Lambda console, go to Configuration > Environment variables > Edit and add:

Key:   QUOTAGUARDSTATIC_URL
Value: http://username:password@us-east-static-01.quotaguard.com:9293

Using the AWS CLI:

aws lambda update-function-configuration \
  --function-name your-function-name \
  --environment "Variables={QUOTAGUARDSTATIC_URL=http://username:password@us-east-static-01.quotaguard.com:9293}"

Using Terraform:

resource "aws_lambda_function" "my_function" {
  function_name = "my-function"

  environment {
    variables = {
      QUOTAGUARDSTATIC_URL = "http://username:password@us-east-static-01.quotaguard.com:9293"
    }
  }
}

Database Connections (MongoDB Atlas, RDS, Aurora)

The HTTP proxy environment variable approach works for HTTP and HTTPS traffic. For TCP database connections you need SOCKS5 or QGTunnel.

MongoDB Atlas supports native SOCKS5 proxy configuration in its drivers across Node.js, Python, Go, Ruby, and Java. See the full setup guide with code examples for every language:

Developer guides for Python specifically:

PostgreSQL, MySQL, and other TCP databases use QGTunnel, which creates a local TCP tunnel so your database client connects to localhost while traffic routes through your static IP. No changes to your database connection string are required beyond pointing at localhost.

For the full library of language and database combinations, see the QuotaGuard Developer Guides.

Setting Up Inbound Proxy

QuotaGuard’s inbound proxy assigns your AWS application a permanent static IP for incoming traffic. External systems connect to your static IP and QuotaGuard forwards the traffic to your actual application endpoint.

Step 1: Configure your inbound endpoint

  1. Log in to your QuotaGuard dashboard
  2. Navigate to Setup > Inbound
  3. Enter your application’s URL — your Lambda function URL, an API Gateway endpoint, an ALB, or any reachable URL
  4. QuotaGuard generates a unique inbound URL that resolves to your two static IPs

Example inbound URL:

a62b1d0b4983db763450411fd393b3ce-us-east-1.getstatica.com

Step 2: Provide your static IPs to external systems

Your two static IPs are shown in the dashboard. Give these to any external system that needs to allowlist your application:

  • Payment processors requiring a destination IP for webhook delivery
  • Partner IT teams configuring outbound firewall rules
  • IoT devices pre-configured with a fixed callback IP

Step 3: Point external traffic to the inbound URL

Configure external systems to send traffic to your QuotaGuard inbound URL instead of directly to your Lambda or API Gateway URL. QuotaGuard handles the forwarding transparently.

Common AWS inbound patterns:

Payment processor  ->  QuotaGuard static IP  ->  Your API Gateway endpoint
Corporate partner  ->  QuotaGuard static IP  ->  Your Lambda function URL
IoT device         ->  QuotaGuard static IP  ->  Your ALB or application endpoint

Your actual endpoint can change at any time without requiring external partners to update their firewall rules. The static IP remains constant.

AWS Fargate

Fargate containers configure the proxy the same way as Lambda: set the QUOTAGUARDSTATIC_URL environment variable in your task definition and route HTTP/HTTPS calls through the proxy in your application code.

In your ECS task definition:

{
  "containerDefinitions": [
    {
      "name": "your-container",
      "image": "your-image",
      "environment": [
        {
          "name": "QUOTAGUARDSTATIC_URL",
          "value": "http://username:password@us-east-static-01.quotaguard.com:9293"
        }
      ]
    }
  ]
}

The same Python, Node.js, and Java code examples above apply directly to Fargate containers.

AWS Marketplace Billing

QuotaGuard is available directly on the AWS Marketplace. This means:

  • Billing consolidates to your existing AWS invoice. No separate vendor account, no additional credit card.
  • Procurement has already approved AWS as a vendor. At larger organizations, adding a new vendor requires a review process. QuotaGuard through the Marketplace skips that step.
  • AWS committed spend. If your organization has an Enterprise Discount Program or Private Pricing Agreement with AWS, Marketplace purchases count toward your committed spend.

Both products are available on the Marketplace:

Testing Your Configuration

Verify your static IP configuration before updating any external allowlists. Hit ip.quotaguard.com through your proxy and confirm the returned IP matches one of your two static IPs shown in the dashboard.

Python:

import requests
import os

proxy_url = os.getenv("QUOTAGUARDSTATIC_URL")
proxies = {"http": proxy_url, "https": proxy_url}

def lambda_handler(event, context):
    response = requests.get("https://ip.quotaguard.com", proxies=proxies)
    return {
        "statusCode": 200,
        "body": response.text  # Should return one of your two static IPs
    }

Node.js:

const axios = require("axios");
const { HttpsProxyAgent } = require("https-proxy-agent");

exports.handler = async (event) => {
    const agent = new HttpsProxyAgent(process.env.QUOTAGUARDSTATIC_URL);
    const response = await axios.get("https://ip.quotaguard.com", { httpsAgent: agent });
    return {
        statusCode: 200,
        body: JSON.stringify(response.data)  // Should return one of your two static IPs
    };
};

Troubleshooting

We genuinely enjoy hearing from customers. If something isn’t working, please reach out directly at quotaguard.com/contact. Our support team are real engineers who built this product and we will work through the problem with you.

Below are the most common issues and what to check first.

Requests not routing through the proxy

  1. Confirm QUOTAGUARDSTATIC_URL is set as an environment variable on the Lambda function
  2. Verify your HTTP client is using the proxy — check that proxies=proxies or httpsAgent: agent is present in every request you want proxied
  3. Test with https://ip.quotaguard.com to confirm which IP your requests are exiting from
  4. AWS SDK calls to services like S3 and DynamoDB use their own internal networking and will not route through the proxy. This is expected behavior.

407 Proxy Authentication Required

Your credentials are incorrect. Verify the username and password match what is shown in your dashboard, that no extra spaces were included when copying the URL, and that the format is correct: http://username:password@hostname:9293.

Database connection refused

  1. Verify both QuotaGuard static IPs are added to your database firewall or security group
  2. Confirm you are using the SOCKS5 port (1080) for database connections, not the HTTP proxy port (9293)
  3. For RDS and Aurora, check that the security group inbound rules allow TCP on the database port from both QuotaGuard IPs
  4. For MongoDB Atlas, confirm both IPs appear in Network Access with a status of Active

Cold start latency

Establishing a proxy connection adds a small amount of latency on Lambda cold starts — typically 10–50ms. Use provisioned concurrency for latency-sensitive functions, and always choose the QuotaGuard region that matches your Lambda deployment region.

Still stuck? Contact our support team. We’ll debug it with you directly.

Ready to Get Started?

Ready to Get Started?

Get in touch or create a free trial account

Try QuotaGuard Now

Back to top ↑

Copyright © 2009 - 2026 QuotaGuard. All rights reserved.