Microsoft Power Automate Static IPs

QuotaGuard gives your Power Automate cloud flows two fixed static IPs, so an API that only accepts allowlisted addresses lets your flow through on the first call.

Power Automate has no proxy field, no HTTP_PROXY, and no arbitrary code step. Its HTTP action egresses from Microsoft's shared connector ranges, which every tenant shares and which rotate over time. Point the HTTP action at a small relay that egresses through QuotaGuard and the target API sees two stable IPs instead.

Register both IPs on the allowlist once. They stay fixed on your subscription across plan changes.

A Power Automate cloud flow HTTP action calling a QuotaGuard relay so two static IPs reach a locked-down API

Reach an IP-allowlisted API from a Power Automate cloud flow

You satisfy a locked-down API's allowlist from a cloud flow by pointing the HTTP action at a small relay that egresses through QuotaGuard's two static IPs. The HTTP action already takes a method, a URL, headers, and a body, which is everything the relay needs.

Your flow logic does not change. Only the destination and two headers do.

Two headers on the HTTP action

The HTTP action calls the relay function URL and sends two headers. X-Relay-Key carries a shared secret, and X-Target-URL carries the real API you want to reach. The relay forwards the request through its QUOTAGUARDSTATIC_URL connection, and the target sees one of your two static IPs.

A relay you host, because the platform blocks the usual routes

Power Automate cannot set an HTTP proxy or run a sidecar, so you host a small relay function on AWS Lambda or a Google Cloud Function that egresses through QuotaGuard. A ready-to-run Python example and the reusable pattern are both published, so this is deploy and configure, not build. See the no-proxy relay pattern and the Lambda relay example.

Confirm the IP before you wire up the API

Point X-Target-URL at https://ip.quotaguard.com and the relay returns one of your two static IPs. Register both on the target's allowlist, then switch X-Target-URL to the real endpoint.

Power Automate HTTP action sending X-Relay-Key and X-Target-URL to a relay function that egresses through two static IPs to the target API

Swap Microsoft's shared egress for two IPs you control

Two fixed IPs tied to your subscription replace the shared Microsoft ranges a cloud flow otherwise sends from. The HTTP action's native egress comes from Microsoft's connector infrastructure, published as Azure service tags and shared across every tenant on the platform.

The native egress is shared and moves

Microsoft documents the outbound addresses for the HTTP action as the LogicApps, PowerPlatformPlex, and PowerPlatformInfra service tags, and connector actions as the AzureConnectors tag. Those ranges are large, shared with every other Power Automate customer, and change as Microsoft updates them.

Allowlisting those ranges is wide and unstable

To let a flow through by IP without a relay, you would have to allowlist entire Microsoft service tags. That opens the target to every tenant sharing those ranges and breaks whenever the ranges shift. Two dedicated static IPs close that gap.

The target sees only your pair

With the relay in place, the request leaves QuotaGuard from one of two IPs bound to your subscription. The target's allowlist stays two entries long, and it identifies your traffic specifically rather than all of Power Automate.

Wide shared Microsoft service-tag ranges on one side versus two dedicated QuotaGuard IPs on the target allowlist on the other

Keep both IPs online with a load-balanced pair

Each QuotaGuard subscription includes two static IPs behind a load balancer with health checks and automatic failover. Both belong to you, and both go on the target's allowlist.

QuotaGuard has run this static-IP service since 2013.

A load-balanced pair, not a single point

QuotaGuard issues two static IPs per subscription, load balanced with automatic failover. Allowlist both so traffic keeps flowing when one path drops.

Static for standard APIs, Shield for regulated data

QuotaGuard Static, direct from $19/month, fits standard HTTPS API calls. The payload is tunneled end to end and never decrypted at the proxy. For HIPAA, PCI-DSS, or SOC 2 data, QuotaGuard Shield, direct from $29/month, uses SSL passthrough so the connection is never terminated in the middle.

Run the exit near your API

Host the relay and the QuotaGuard exit in a region close to your target API to keep the extra hop short. QuotaGuard offers static exits across multiple AWS regions.

Two static IPs behind a load balancer with health checks and automatic failover, both registered on the target allowlist

FAQs

Common questions about Microsoft Power Automate static IPs and QuotaGuard.

Does every Power Automate flow need a static IP?

No. You need one only when the API your flow calls enforces an IP allowlist. If the target accepts any source IP, or you authenticate with API keys or OAuth alone, a static IP adds nothing. The allowlist check runs at the network layer before your credentials are read, so a valid token is still refused when the source IP is not on the list. That is why a flow can pass authentication in testing yet fail against a production API that pins by IP.

Why can I not just set a proxy in the HTTP action?

Power Automate's HTTP action exposes only the method, URL, headers, and body of the request. There is no proxy field, no HTTP_PROXY environment variable, and no arbitrary code step where you could open a tunnel. Routing through a relay function is the supported way to send outbound traffic from fixed IPs. The relay hosts on AWS Lambda or a Google Cloud Function and egresses through QuotaGuard, and your flow simply calls its URL.

How long does setup take?

Most of the work is deploying the published relay function and setting its QUOTAGUARDSTATIC_URL connection value, then pointing the HTTP action at the relay URL with the two headers. The relay code is ready to run, so there is nothing to write from scratch. Before you touch the target API, send X-Target-URL to https://ip.quotaguard.com to confirm the relay returns one of your two static IPs.

How many IPs do I get, and do I allowlist both?

You get two static IPs per QuotaGuard subscription, load balanced with automatic failover. Register both on the target's allowlist. Traffic can leave from either one, so allowlisting only a single IP causes intermittent refusals when the load balancer uses the other.

Do the IPs change if I change plans?

No. The two IPs are stable on your subscription and stay the same across plan changes, so you do not re-allowlist after an upgrade. Dedicated IPs are an Enterprise capability. On Static and Shield the pair is the fixed set you register once.

Should I use Static or Shield for my data?

Use QuotaGuard Static for standard HTTPS API calls. Your payload is tunneled end to end and never decrypted at the proxy. Choose QuotaGuard Shield only when you move regulated data covered by HIPAA, PCI-DSS, or SOC 2, because Shield uses SSL passthrough and does not terminate the connection in transit. If your traffic is ordinary API integration, Static is the right product.

What about inbound webhooks into Power Automate?

Inbound calls arrive through the "When an HTTP request is received" trigger, and QuotaGuard's static IPs govern outbound egress from your flows, so inbound webhooks do not route through QuotaGuard. The direction where the pair matters is outbound: when a partner needs to allowlist where your requests originate, the two static IPs are the addresses you give them. Secure the inbound trigger separately with its shared access signature URL and any IP restriction the trigger itself supports.

How do I update the allowlisted IPs later?

You rarely need to, because the pair is fixed for the life of your subscription. If you do change regions or subscriptions, read the current pair from the QuotaGuard dashboard, or send X-Target-URL to https://ip.quotaguard.com through the relay, and update the two entries on the target's allowlist. Keep both entries in place so failover between the two IPs never trips a refusal.

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.
Sign Up for QG Static

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.
Sign Up for QG Shield

Trusted by Engineering Teams Everywhere

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.