Replit Static IPs

QuotaGuard gives your Replit backend two fixed outbound IP addresses, so the databases and APIs that allowlist by IP keep accepting your app through every deploy.

Replit runs each published app in a single-tenant Google Cloud project and hands the container a new egress IP on every deploy and restart, with no setting to reserve one. You add the two QuotaGuard IPs to the destination once and they hold.

Static covers most outbound calls. Shield adds SSL passthrough for data a security review will not let a proxy decrypt.

Databricks connected to a secure shield symbol with a lock, representing data protection.

Which Replit Deployments Get a Fixed IP, and Why It Rotates

Your Replit backend gets one fixed network identity on the deployment types that run server code, which are the apps that actually open outbound connections. It is set with a single Secret and no change to your hosting.

The rotation you are fighting is built into how Replit publishes. A published app is a snapshot running in your own single-tenant Google Cloud project, and each deploy or restart starts a fresh container with a fresh egress IP from Google's pool. There is no reserved-egress toggle on Replit.

Per-Deploy IP Rotation on Single-Tenant GCP

Replit hosts every published app in a dedicated Google Cloud project, in the US by default and the EU for enterprise on request. Compute, secrets, and storage are isolated per customer, which is good for tenancy but does nothing for your egress address.

The outbound IP is still drawn fresh from Google's range on each deploy, so a destination that pinned yesterday's address refuses today's connection. The rejection usually surfaces as a timeout or a generic auth error, not a message that names the IP, which is why it is easy to misread as an app bug.

Secrets-Capable Deployments: Autoscale, Reserved VM, Scheduled

QuotaGuard rides on a Secret, so it applies to the deployment types that support Secrets and run backend code: Autoscale, Reserved VM, and Scheduled. These are the apps that open outbound connections to your databases and APIs in the first place.

The connection URL goes in the Secrets panel under Tools and is injected as an encrypted environment variable at runtime, so the credential never lives in your code or your repository.

Static Deployments and Agent Apps

Static deployments serve files only. They have no Secrets, no server process, and make no outbound calls, so a static IP neither applies to them nor is available.

Apps built with Replit Agent are full-stack with a backend, which makes them incompatible with Static deployments. They run on Autoscale or Reserved VM, which is exactly where a fixed outbound IP belongs.

Flow diagram showing integration with QuotaGuard Static IPs leading to Databricks allow list configuration.
Flow diagram showing integration with QuotaGuard Static IPs leading to Databricks allow list configuration.
Flow diagram showing integration with QuotaGuard Static IPs leading to Databricks allow list configuration.

Wire the Proxy to the Way Your App Connects

One Secret gives every outbound call a fixed source IP. The wiring is short, and it depends on your HTTP client and on whether you are reaching an API or a raw-TCP database.

The QuotaGuard connection URL is injected as an environment variable, and from there the client picks it up. There is one difference between the common Python and Node paths that trips people, so it is worth getting right before you ship.

Python requests Reads It, Node Native fetch Does Not

Python's requests honors the HTTPS_PROXY environment variable automatically, so the Secret alone routes its calls through your static IPs.

Node's built-in fetch is different. It runs on Undici and ignores both the HTTPS_PROXY variable and the older https-proxy-agent library. You route native fetch by setting an Undici ProxyAgent as the global dispatcher with setGlobalDispatcher, or by enabling NODE_USE_ENV_PROXY on Node 24 and later. The node-fetch and axios libraries still accept an https-proxy-agent through their agent option, so the right fix depends on which client your app actually uses.

Databases Over Raw TCP Use QGTunnel

A PostgreSQL, MySQL, or MongoDB connection speaks raw TCP, not HTTP, so an HTTP proxy does not carry it. QGTunnel handles this layer instead.

QGTunnel intercepts the database connection and routes it through your static IPs transparently. Your driver connects to the normal host, including an external database your Replit app reaches by a connection-string environment variable, while egress arrives from the fixed pair.

Allowlist Both IPs on the Destination

Each subscription includes two static IPs in a load-balanced pair with automatic failover, and a request can exit from either address. Add both to the destination's allowlist, firewall, or security group in one pass.

Allowlisting only one means a failover to the second address starts getting rejected, which produces intermittent failures that are painful to trace.

Diagram showing BI tools, QuotaGuard Static proxy with fixed IPs, and Databricks SQL warehouses with fixed identity.

Static, Shield, and Where Your Egress Lives

Static satisfies the allowlist for most Replit apps, and the choice past that is about the data, not about getting the connection through.

The destination only ever sees a fixed IP, which is true on either product. What changes is whether a proxy in the path can read the traffic, and where in the world your egress sits.

Static for Most Replit Apps

QuotaGuard Static gives the fixed identity an external database or API needs, with no change to your Replit project beyond the Secret. It is the right default for general backend traffic from an Autoscale or Reserved VM app.

Shield for Regulated Data

QuotaGuard Shield uses SSL passthrough and never holds a key that could decrypt the session, which is the model HIPAA, PCI-DSS, and SOC 2 reviews require.

If your Replit app moves health or cardholder data, Shield is the supported path. QuotaGuard does not position Static for regulated data, even though it can carry the traffic.

Region and Residency

Replit hosts published apps in the US by default, and in the EU for enterprise on request. Your egress, though, is QuotaGuard's to place.

QuotaGuard runs in 11 AWS regions with US or EU residency, so you can put the fixed identity close to the destination your app calls and meet data-locality requirements at the same time. Region is set at signup, and support can move it later.

World map with green location markers and steps: Add New IPs, Verify Traffic, Remove Old IPs for no outage.
World map with green location markers and steps: Add New IPs, Verify Traffic, Remove Old IPs for no outage.
World map with green location markers and steps: Add New IPs, Verify Traffic, Remove Old IPs for no outage.

FAQs

Common questions about Replit Static IPs and QuotaGuard.

Does my Replit app need a static IP?

Only if it connects to something that allowlists by IP, such as a database firewall, a partner API, or a payment provider.

Replit gives the container a fresh egress IP on every deploy and restart, so a destination that pinned the old address starts refusing the connection.

You can confirm what the destination sees by routing a request through the proxy to https://ip.quotaguard.com, which returns the static IP.

If nothing you call restricts by source IP, you do not need one.

Which Replit deployment types does this work with?

Autoscale, Reserved VM, and Scheduled deployments, because they run backend code and support Secrets.

Static deployments serve files only, have no Secrets, and make no server-side outbound calls, so a static IP does not apply to them.

Apps built with Replit Agent are full-stack and are not compatible with Static deployments, so they already run on Autoscale or Reserved VM, where this setup applies.

How do I route the proxy in Node versus Python?

Python's requests reads the HTTPS_PROXY environment variable automatically, so adding the Secret is enough.

Node's built-in fetch runs on Undici and ignores both HTTPS_PROXY and the https-proxy-agent library, so you set an Undici ProxyAgent as the global dispatcher with setGlobalDispatcher, or enable NODE_USE_ENV_PROXY on Node 24 and later.

If you use node-fetch or axios instead of native fetch, those accept an https-proxy-agent through their agent option.

Does this work for database connections, not just APIs?

Yes. HTTP and HTTPS APIs route through the proxy set as a Secret, and raw TCP databases route through QGTunnel.

PostgreSQL, MySQL, and MongoDB speak TCP rather than HTTP, so QGTunnel intercepts the connection and sends it through your static IPs while your driver connects to the normal host.

You add the two IPs to the database's firewall or security group once.

Should I use QuotaGuard Static or Shield?

Static satisfies the allowlist and is enough for most Replit apps.

Use Shield when the data is regulated under HIPAA, PCI-DSS, or SOC 2, or when a security policy requires that no proxy can decrypt traffic.

Shield uses SSL passthrough, so it routes the encrypted session without ever holding a key to read it.

The allowlist sees a static IP on either product, so the choice is about the data, not connectivity.

Will my IPs change when I redeploy?

No.

The two static IPs belong to your QuotaGuard subscription, not to the Replit container.

A deploy or restart cycles Replit's underlying egress IP, but your traffic still exits through the QuotaGuard pair, so the destination keeps seeing the same two addresses.

You allowlist them once and never revisit it as Replit cycles the container.

Can I get a dedicated IP for my Replit app?

Yes.

Dedicated IPs are included on QuotaGuard Enterprise plans, which are $219 per month for Static and $269 per month for Shield on direct billing.

On Starter, Production, and Business the two IPs are still static but shared with other QuotaGuard customers.

A dedicated pair matters when a destination's allowlist must contain only your traffic, with no other organization originating from the same address.

What about inbound traffic and webhooks to my Replit app?

QuotaGuard's outbound proxy covers your app calling out, and inbound covers a partner or service reaching your app on a fixed address.

If a webhook sender or enterprise system requires a known, stable endpoint IP, QuotaGuard Static includes inbound proxy on direct plans from $19 per month, and Shield covers the inbound path when that traffic is regulated. Inbound uses the same two static IPs as your outbound traffic.

Still have questions?

We don’t outsource Support to non-Engineers.

Reach out directly to the Engineers who built Shield to discuss your specific architecture, integration challenges, or compliance constraints here 👇

Contact

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.
Sign Up for QG Static for Replit

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.
Sign Up for QG Shield for Replit

Trusted by Engineering Teams Everywhere

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.

Start Free TrialTalk to an Engineer