Inbound & Outbound Static IPs for Retool

Connect Retool apps to firewalled databases, internal APIs, and enterprise data sources with a dedicated, verifiable network identity.

Eliminate connection rejections from security groups and IP allowlists without moving off Retool or managing your own cloud networking.

Diagram showing Retool connected to a shield icon with a calendar inside, symbolizing secure integration.

Enterprise Connectivity & Allowlisting

Retool Cloud runs on shared AWS infrastructure where outbound IP addresses rotate constantly across large public cloud subnets.

Note: QuotaGuard is designed for connecting Retool apps to IP-restricted B2B resources like SQL databases, internal APIs, and enterprise data sources. This solution is not intended for scraping consumer sites that block cloud infrastructure.

Fixed IP Identity for Allowlisting

QuotaGuard provides a permanent, static outbound IP for your Retool deployment so your queries are always recognized and trusted by destination firewalls.

Your IT team or database administrator adds two IPs to the allowlist once. They never need to update it again regardless of Retool updates, infrastructure changes, or scaling events.

Dedicated IPs Your Account Controls

Retool publishes a broad list of shared IP ranges their cloud uses.

Adding all of them to your database allowlist opens access to every other Retool customer on that infrastructure.

QuotaGuard gives you two dedicated IPs that belong exclusively to your account. When your security team allowlists those addresses, they're allowlisting your Retool instance alone.

Secure Database Access

Safely connect Retool to restricted PostgreSQL, MySQL, SQL Server, and MongoDB Atlas instances that require a known source IP for authentication.

Lock your database security group or Atlas allowlist down to two fixed addresses and keep those ports closed to the rest of the internet.

Diagram showing encrypted data flow from a user interface to two secured servers with IP addresses 18.18.18.18 and 25.25.25.25.
Diagram showing encrypted data flow from a user interface to two secured servers with IP addresses 18.18.18.18 and 25.25.25.25.
Diagram showing encrypted data flow from a user interface to two secured servers with IP addresses 18.18.18.18 and 25.25.25.25.

Flexible Configuration for Cloud and Self-Hosted

QuotaGuard works with both Retool Cloud and self-hosted Retool deployments.

Setup method differs by deployment type.

Self-Hosted: Environment Variable Injection

For self-hosted Retool running on Docker or Kubernetes, add HTTP_PROXY and HTTPS_PROXY to your Retool container environment.

Every Retool resource inherits the static IP automatically: REST APIs, GraphQL, and all HTTP-based data sources. No per-resource configuration needed.

Retool Cloud: Middleware Pattern for Database Connections

Retool Cloud doesn't support global proxy environment variables. For direct database connections that require a static IP, the reliable approach is a lightweight middleware service deployed with QuotaGuard configured.

Retool talks to that service via a REST API resource. The middleware queries the database from your static IPs. Your database never sees a Retool Cloud address.

QGTunnel for Raw TCP Database Connections

For self-hosted Retool with direct PostgreSQL, MySQL, or MongoDB connections, QGTunnel provides transparent SOCKS5 proxying.

Wrap your Retool process with QGTunnel and your database driver connects to the original hostname while traffic exits from your static IPs.

No application code changes required.

Diagram showing Retool process connecting through QGTunnel SOCKS5 Proxy to QuotaGuard with static IPs 18.18.18.18 and 25.25.25.25, then secured connections to PostgreSQL, MySQL, and MongoDB databases.

Reliability for Internal Tool Workloads

Internal tools often power critical business workflows.

QuotaGuard's proxy layer is built with the availability those workloads require.

High-Availability IP Pair

Every QuotaGuard account gets two static IPs in a load-balanced pair with automatic failover.

Both IPs are active simultaneously. Add both to your database allowlists so your Retool apps stay connected even during maintenance windows.

Regional Data Residency

Match your QuotaGuard cluster to your Retool deployment region to minimize query latency and satisfy GDPR or HIPAA data residency requirements.

US-East for US-hosted Retool instances, EU for European deployments. Sensitive data stays within the required geographic boundary.

No Noisy Neighbor Effect

Your static IPs are exclusively yours. Your Retool queries are never blocked because another customer sharing your cloud subnet triggered a security vendor.

Dedicated IP reputation means your critical internal tool traffic doesn't get caught in broad IP-range blocks.

Diagram showing data flow between US-EAST and EU regions with Retool servers connected via QuotaGuard secure static IPs.
Diagram showing data flow between US-EAST and EU regions with Retool servers connected via QuotaGuard secure static IPs.
Diagram showing data flow between US-EAST and EU regions with Retool servers connected via QuotaGuard secure static IPs.

FAQs

Technical Configuration and Setup for Railway Apps

Why can't I just allowlist Retool's published IP ranges?

Retool publishes the IP ranges their cloud infrastructure uses. Adding all of them to your database allowlist technically works, but it opens your database to every other Retool customer on that same infrastructure.

Most security teams won't accept that, and the list changes when Retool updates their infrastructure.

QuotaGuard's two dedicated IPs are yours alone. That's a much smaller, controlled attack surface.

Does this work with Retool Cloud or only self-hosted?

Both. Self-hosted Retool is the simpler setup: set HTTP_PROXY and HTTPS_PROXY in your container and every resource picks it up automatically.

Retool Cloud works via the middleware pattern for database connections, or directly for REST API and GraphQL resources that support proxy configuration.

See the Retool static IP setup guide for both configurations.

Can I use QuotaGuard for direct PostgreSQL or MySQL connections from Retool?

Yes, via QGTunnel on self-hosted Retool. The HTTP proxy handles REST and GraphQL traffic.

For raw TCP database connections, QGTunnel intercepts those connections transparently and routes them through your static IPs.

For Retool Cloud, the middleware pattern is the reliable path for direct database access.

How do I verify my Retool queries are using the static IP?

Create a Retool REST API resource pointed at https://ip.quotaguard.com and run a GET query.

The response returns the IP your request came from. It should match one of your two static IPs shown in the QuotaGuard dashboard.

Run it a few times to see both IPs in rotation.

Will the static IP change if I upgrade Retool or migrate servers?

No.

The static IPs are assigned to your QuotaGuard account, not to a specific server or container.

Upgrade Retool, migrate to new infrastructure, add more Retool instances.

Your two static IPs stay the same. Your database allowlist never needs to change after initial setup.

Can I use QuotaGuard with multiple Retool environments?

Yes.

Use separate QuotaGuard connection strings for your staging and production Retool instances to keep those environments isolated at the network level.

Your staging queries leave from different IPs than your production queries, and you can verify firewall connectivity in staging before it matters in production.

Is this suitable for HIPAA or PCI-regulated internal tools?

QuotaGuard Shield provides end-to-end encryption via SSL Passthrough for Retool deployments that handle PHI, payment card data, or other regulated information. Shield also assigns a fixed inbound static IP if your Retool instance needs to receive data from systems that only push to registered endpoints. See the Shield product page for details.

Still have questions?

We don’t outsource Support to non-Engineers.

Reach out directly to the Engineers who built Shield to discuss your specific architecture, integration challenges, or compliance constraints here 👇

Contact

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.
Sign Up for QG Static for Retool

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.
Sign Up for QG Shield for Retool

Trusted by Engineering Teams Everywhere

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.

Start Free TrialTalk to an Engineer