QuotaGuard gives your Power Automate cloud flows two fixed static IPs, so an API that only accepts allowlisted addresses lets your flow through on the first call.
Power Automate has no proxy field, no HTTP_PROXY, and no arbitrary code step. Its HTTP action egresses from Microsoft's shared connector ranges, which every tenant shares and which rotate over time. Point the HTTP action at a small relay that egresses through QuotaGuard and the target API sees two stable IPs instead.
Register both IPs on the allowlist once. They stay fixed on your subscription across plan changes.
You satisfy a locked-down API's allowlist from a cloud flow by pointing the HTTP action at a small relay that egresses through QuotaGuard's two static IPs. The HTTP action already takes a method, a URL, headers, and a body, which is everything the relay needs.
Your flow logic does not change. Only the destination and two headers do.
The HTTP action calls the relay function URL and sends two headers. X-Relay-Key carries a shared secret, and X-Target-URL carries the real API you want to reach. The relay forwards the request through its QUOTAGUARDSTATIC_URL connection, and the target sees one of your two static IPs.
Power Automate cannot set an HTTP proxy or run a sidecar, so you host a small relay function on AWS Lambda or a Google Cloud Function that egresses through QuotaGuard. A ready-to-run Python example and the reusable pattern are both published, so this is deploy and configure, not build. See the no-proxy relay pattern and the Lambda relay example.
Point X-Target-URL at https://ip.quotaguard.com and the relay returns one of your two static IPs. Register both on the target's allowlist, then switch X-Target-URL to the real endpoint.

Two fixed IPs tied to your subscription replace the shared Microsoft ranges a cloud flow otherwise sends from. The HTTP action's native egress comes from Microsoft's connector infrastructure, published as Azure service tags and shared across every tenant on the platform.
Microsoft documents the outbound addresses for the HTTP action as the LogicApps, PowerPlatformPlex, and PowerPlatformInfra service tags, and connector actions as the AzureConnectors tag. Those ranges are large, shared with every other Power Automate customer, and change as Microsoft updates them.
To let a flow through by IP without a relay, you would have to allowlist entire Microsoft service tags. That opens the target to every tenant sharing those ranges and breaks whenever the ranges shift. Two dedicated static IPs close that gap.
With the relay in place, the request leaves QuotaGuard from one of two IPs bound to your subscription. The target's allowlist stays two entries long, and it identifies your traffic specifically rather than all of Power Automate.

Each QuotaGuard subscription includes two static IPs behind a load balancer with health checks and automatic failover. Both belong to you, and both go on the target's allowlist.
QuotaGuard has run this static-IP service since 2013.
QuotaGuard issues two static IPs per subscription, load balanced with automatic failover. Allowlist both so traffic keeps flowing when one path drops.
QuotaGuard Static, direct from $19/month, fits standard HTTPS API calls. The payload is tunneled end to end and never decrypted at the proxy. For HIPAA, PCI-DSS, or SOC 2 data, QuotaGuard Shield, direct from $29/month, uses SSL passthrough so the connection is never terminated in the middle.
Host the relay and the QuotaGuard exit in a region close to your target API to keep the extra hop short. QuotaGuard offers static exits across multiple AWS regions.

Common questions about Microsoft Power Automate static IPs and QuotaGuard.
Does every Power Automate flow need a static IP?
No. You need one only when the API your flow calls enforces an IP allowlist. If the target accepts any source IP, or you authenticate with API keys or OAuth alone, a static IP adds nothing. The allowlist check runs at the network layer before your credentials are read, so a valid token is still refused when the source IP is not on the list. That is why a flow can pass authentication in testing yet fail against a production API that pins by IP.
Why can I not just set a proxy in the HTTP action?
Power Automate's HTTP action exposes only the method, URL, headers, and body of the request. There is no proxy field, no HTTP_PROXY environment variable, and no arbitrary code step where you could open a tunnel. Routing through a relay function is the supported way to send outbound traffic from fixed IPs. The relay hosts on AWS Lambda or a Google Cloud Function and egresses through QuotaGuard, and your flow simply calls its URL.
How long does setup take?
Most of the work is deploying the published relay function and setting its QUOTAGUARDSTATIC_URL connection value, then pointing the HTTP action at the relay URL with the two headers. The relay code is ready to run, so there is nothing to write from scratch. Before you touch the target API, send X-Target-URL to https://ip.quotaguard.com to confirm the relay returns one of your two static IPs.
How many IPs do I get, and do I allowlist both?
You get two static IPs per QuotaGuard subscription, load balanced with automatic failover. Register both on the target's allowlist. Traffic can leave from either one, so allowlisting only a single IP causes intermittent refusals when the load balancer uses the other.
Do the IPs change if I change plans?
No. The two IPs are stable on your subscription and stay the same across plan changes, so you do not re-allowlist after an upgrade. Dedicated IPs are an Enterprise capability. On Static and Shield the pair is the fixed set you register once.
Should I use Static or Shield for my data?
Use QuotaGuard Static for standard HTTPS API calls. Your payload is tunneled end to end and never decrypted at the proxy. Choose QuotaGuard Shield only when you move regulated data covered by HIPAA, PCI-DSS, or SOC 2, because Shield uses SSL passthrough and does not terminate the connection in transit. If your traffic is ordinary API integration, Static is the right product.
What about inbound webhooks into Power Automate?
Inbound calls arrive through the "When an HTTP request is received" trigger, and QuotaGuard's static IPs govern outbound egress from your flows, so inbound webhooks do not route through QuotaGuard. The direction where the pair matters is outbound: when a partner needs to allowlist where your requests originate, the two static IPs are the addresses you give them. Secure the inbound trigger separately with its shared access signature URL and any IP restriction the trigger itself supports.
How do I update the allowlisted IPs later?
You rarely need to, because the pair is fixed for the life of your subscription. If you do change regions or subscriptions, read the current pair from the QuotaGuard dashboard, or send X-Target-URL to https://ip.quotaguard.com through the relay, and update the two entries on the target's allowlist. Keep both entries in place so failover between the two IPs never trips a refusal.
For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.
Get the fixed identity and security your application needs today.