QuotaGuard and Google Cloud Run / Cloud Functions Integration Guide
Table of contents
- Why Cloud Run and Cloud Functions Need a Static IP
- Getting Started
- Step 1: Set the Proxy as an Environment Variable
- Step 2: Route Outbound Traffic Through the Proxy
- Testing Your Service Is Using the Static IP
- A Note on the Native Cloud NAT Path
- Troubleshooting
- QuotaGuard Static vs QuotaGuard Shield
- Ready to Get Started?
QuotaGuard Static IPs give your Cloud Run services and Cloud Functions two fixed outbound IP addresses from one environment variable, with no VPC connector or Cloud NAT to build. Set QUOTAGUARDSTATIC_URL, route your outbound calls through it, and every request exits from one of your two static IPs.
Why Cloud Run and Cloud Functions Need a Static IP
By default, Cloud Run and Cloud Functions send outbound traffic from a dynamic, shared Google IP pool, and the address changes from request to request. An API or database that only accepts a known source IP rejects them, and there is no fixed address you can allowlist.
Getting Started
After creating a QuotaGuard account, you are redirected to your dashboard, where you can find your proxy credentials and two static IP addresses.
Choose the right proxy region: Select the QuotaGuard region closest to your Cloud Run or Cloud Functions region to minimize latency. The region is set at sign-up. Changes after sign-up require contacting support.
Step 1: Set the Proxy as an Environment Variable
For a Cloud Run service, set it on deploy or update:
gcloud run deploy my-service \
--set-env-vars QUOTAGUARDSTATIC_URL="http://username:password@<your-quotaguard-proxy-host>:9293"
For a Cloud Function (2nd gen or 1st gen), set it on deploy:
gcloud functions deploy my-function \
--set-env-vars QUOTAGUARDSTATIC_URL="http://username:password@<your-quotaguard-proxy-host>:9293"
You can also set it in the console under Edit & Deploy New Revision > Variables & Secrets for Cloud Run, or the equivalent runtime environment variables panel for Cloud Functions.
Step 2: Route Outbound Traffic Through the Proxy
Attach the proxy to the calls that need a static IP.
Node.js
const { ProxyAgent, fetch } = require('undici');
const dispatcher = new ProxyAgent(process.env.QUOTAGUARDSTATIC_URL);
const res = await fetch('https://api.example.com/data', { dispatcher });
console.log(await res.json());
Python
import os, requests
p = os.environ["QUOTAGUARDSTATIC_URL"]
r = requests.get("https://api.example.com/data", proxies={"http": p, "https": p})
print(r.json())
Go
proxyURL, _ := url.Parse(os.Getenv("QUOTAGUARDSTATIC_URL"))
client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)}}
resp, _ := client.Get("https://api.example.com/data")
defer resp.Body.Close()
For a database connection over SOCKS5, use QuotaGuard’s SOCKS5 proxy on port 1080, or run QGTunnel inside your container image for a transparent tunnel.
Testing Your Service Is Using the Static IP
Cloud Run and Cloud Functions are serverless, so test through an endpoint rather than a shell. Add a temporary route or function that fetches the IP check endpoint through the proxy:
import os, requests
def check(request):
p = os.environ["QUOTAGUARDSTATIC_URL"]
return requests.get("https://ip.quotaguard.com", proxies={"http": p, "https": p}).json()
Deploy and call it. Expected response:
{"ip":"<one of your two QuotaGuard static IPs>"}
The returned IP must be one of the two static IPs in your QuotaGuard dashboard. Call it more than once to see both (load-balanced).
A Note on the Native Cloud NAT Path
Google’s native answer is to attach the service to a VPC with Direct VPC egress or a Serverless VPC Access connector, route all egress through a Cloud NAT gateway, and reserve a static IP for that gateway. It works, and it is the right choice for some architectures. It also has real operational weight: you build and maintain the VPC connector, the Cloud Router, and the NAT gateway per region, and Cloud NAT allocates a fixed number of source ports per IP, so high-concurrency workloads can exhaust ports and start timing out until you add more NAT IPs. QuotaGuard is one environment variable, gives you two IPs that work across every GCP region and every other platform you run, and adds nothing to your VPC. Choose whichever fits. This page documents the QuotaGuard path.
Troubleshooting
407 Proxy Authentication Required
The credentials are wrong. Confirm the QUOTAGUARDSTATIC_URL value matches your QuotaGuard dashboard exactly.
Wrong IP returned
The proxy is not attached to the request. Confirm you applied the dispatcher, proxies dict, or transport on the specific call, and that the env var is read at runtime.
Connection timeout
Confirm the service has outbound internet access and that nothing blocks port 9293. If you also have a VPC connector with all-traffic egress, it may be routing around the proxy; route only the calls you intend through QuotaGuard.
QuotaGuard Static vs QuotaGuard Shield
| Feature | QuotaGuard Static | QuotaGuard Shield |
|---|---|---|
| Protocol | HTTP / HTTPS / SOCKS5 | HTTPS / SOCKS5 over TLS |
| Customer-to-proxy hop | Plaintext | TLS-encrypted |
| HTTPS payload | Tunneled end-to-end, never decrypted at the proxy | Tunneled end-to-end, never decrypted at the proxy |
| Best for | Most apps | Regulated data or environments that require TLS on every hop |
| Starting price | $19/month | $29/month |
For most Cloud Run and Cloud Functions apps, Static is the right product. Choose QuotaGuard Shield if your workload handles regulated data or your environment requires TLS between your app and the proxy itself.
Ready to Get Started?
Get in touch or create a free trial account.
Read: Google Cloud Run Static IP Without Cloud NAT