Zoho Static IPs

QuotaGuard gives your Zoho Deluge outbound calls two fixed IP addresses, so any API that requires a static allowlisted IP accepts them. Zoho One, Zoho CRM, Zoho Creator, and Zoho Flow all call external APIs through Deluge, and many of those APIs gate access by source IP.

Deluge cannot set an HTTP proxy and cannot run a sidecar. Its requests leave from Zoho's shared cloud ranges, which rotate and are shared across tenants, so an allowlisted API sees an unrecognized address and refuses the call. QuotaGuard closes that gap with a small relay you host: Deluge calls the relay, the relay forwards the request through QuotaGuard, and the target API sees one of your two static IPs.

You register those two IPs with the target API once. They stay fixed while Zoho's addresses keep rotating.

Zoho Deluge outbound call routed through a hosted relay and QuotaGuard's two static IPs into an allowlisted API

Deluge Reaches Allowlisted APIs Through a Relay You Control

Your Zoho integration gets a fixed outbound identity by calling a relay you host, because Deluge has no proxy setting of its own. The relay is a small forwarding function you run on AWS Lambda or a Google Cloud Function. It is the piece that sets the proxy Deluge cannot.

Deluge sends its request to the relay with two headers: a secret key that authorizes the call, and the full URL of the API you actually want to reach. The relay checks the key, then forwards the request through QuotaGuard to that target. The method, body, and auth headers pass through unchanged.

invokeUrl Calls a Relay Instead of a Proxy

Deluge's invokeUrl task can call any URL, so it calls the relay's URL and passes the target API as a header. There is nothing to install inside Zoho and no proxy field to configure, because the relay does the proxying on Zoho's behalf.

The Target API Sees Two Static IPs, Not Zoho's

The relay forwards every request through QuotaGuard, so the target API sees one of your two static IPs. Zoho's rotating egress address and the relay host's own IP are never in the path the target inspects, which means you allowlist the two QuotaGuard IPs and nothing else.

One Relay Serves Every Zoho Product

Any Deluge context that runs invokeUrl uses the same relay, including Zoho CRM functions, Zoho Creator, and Zoho Flow custom functions. The relay is platform-neutral, so the same deployment also serves Bubble, Zapier, and other platforms that cannot set a proxy.

Zoho invokeUrl calling a relay function URL with X-Relay-Key and X-Target-URL headers, the relay forwarding through QuotaGuard so the target sees a static IP

Static Fits Most Zoho Work, Shield Covers Regulated Data

Static is the right QuotaGuard product for most Zoho integrations, and Shield covers the regulated ones. The relay's call to the target is HTTPS either way, so the choice comes down to whether the data is regulated, not whether the connection is encrypted.

Static for Standard Zoho API Calls

QuotaGuard Static gives Deluge a fixed identity for outbound HTTPS calls, which satisfies an allowlist requirement without any change to Zoho itself. The HTTPS payload is tunneled end to end and never decrypted at the proxy, so Static is sufficient for standard business API calls.

Shield for HIPAA, PCI, and SOC 2 Workflows

QuotaGuard Shield uses SSL passthrough, so QuotaGuard never decrypts the data flowing between the relay and the target. Choose Shield when your Zoho integration handles regulated data, such as health, payment, or PII records, and your auditors require that no third party can read data in transit.

The Relay Deploys on Lambda or Google Cloud

The relay runs as an AWS Lambda function or a Google Cloud Function, using the same secret-key and target-URL contract. QuotaGuard publishes a ready-to-run Python Lambda example, so the forwarding code is not something you write from scratch.

One QuotaGuard identity serving Zoho, Bubble, and Zapier, with a Static path and a Shield SSL passthrough path

Two Load-Balanced Static IPs Keep Every Zoho Call Consistent

Every request from Zoho leaves through the same two static IPs, and they stay available even if one has a problem. Reliability at the connectivity layer is what keeps an allowlisted integration from breaking during a deploy or a regional event.

QuotaGuard has provided static IP infrastructure since 2013, on a high-availability architecture with health checks and automatic failover.

A Load-Balanced Pair With Automatic Failover

Each subscription includes two static IP addresses behind a load balancer. If one IP has a problem, traffic routes through the second automatically, with no manual intervention. Both IPs go on the target API's allowlist, and requests use whichever responds.

Eleven AWS Regions for Low-Latency Routing

You select a QuotaGuard region at sign-up. Choose the one closest to the target API, and deploy the relay in the matching cloud region, to keep round-trip latency low. Region changes after sign-up are handled by QuotaGuard support.

Your IPs Stay Fixed Through Plan Changes

Upgrade or downgrade with a button click and your two static IPs stay the same. That matters because you have already registered them on the target API's allowlist, so a plan change does not force you to update the allowlist or risk a rejected request.

A load-balanced pair of two static IPs with health checks and automatic failover in front of an allowlisted API

FAQs

Common questions about Zoho static IPs and QuotaGuard.

Does my Zoho integration need a static IP?

Only when the API Zoho calls enforces IP allowlisting. If the target API rejects requests from unregistered IPs, Deluge's rotating egress will fail, and you need a fixed IP. If the target has no IP allowlist, you don't. The quickest way to tell is to check whether the API's security settings have an IP allowlist or firewall list that you populate. If they do, Zoho's dynamic egress is the reason your calls get refused.

How does setup work if Deluge can't set a proxy?

You host a small relay function and point Deluge's invokeUrl calls at it. Deluge cannot set a proxy, so the relay sets it instead: it receives the call, forwards it through QuotaGuard, and returns the response. You deploy the relay once on AWS Lambda or a Google Cloud Function, set two environment variables (your QuotaGuard connection URL and a secret key), and register your two static IPs with the target API. QuotaGuard publishes the Lambda relay as a ready-to-use example.

Should I use QuotaGuard Static or Shield for Zoho?

Static is sufficient for most Zoho integrations. The relay's call to the target is HTTPS and stays encrypted end to end on Static already. Use Shield if your integration is subject to PCI, SOC 2, or HIPAA, or if your security policy requires that no third party can decrypt data in transit. Shield uses SSL passthrough, so QuotaGuard never sees the payload. The only configuration change is using the Shield connection URL in place of the Static one on the relay.

How many IPs do I register with the target API?

Two. Every QuotaGuard subscription includes two load-balanced static IPs, and both are active at once. Register both on the target API's allowlist. If you register only one, roughly half your requests will be refused when the load balancer uses the other IP.

Does Zoho's own IP address get allowlisted?

No. The target API only ever sees QuotaGuard's two static IPs, because the relay forwards every request through the QuotaGuard proxy. Zoho's outbound IP and the relay host's IP never reach the target's allowlist check, so the two QuotaGuard IPs are the only addresses you register.

Does the same relay work across Zoho CRM, Creator, and Flow?

Yes. Any Deluge context that runs invokeUrl can call the relay, including Zoho CRM functions, Zoho Creator apps, and Zoho Flow custom functions. One relay serves all of them, and the same relay also works for Bubble and Zapier, so you maintain a single piece of forwarding infrastructure across every no-proxy platform you run.

Can I get a dedicated IP for my Zoho integration?

Yes. Dedicated IPs are included on QuotaGuard Enterprise plans, which are $219/month for Static and $269/month for Shield on the direct plans. A dedicated IP is not shared with other QuotaGuard customers, which is the right choice when the target API's allowlist must stay isolated from any other organization's traffic. Request it from QuotaGuard support after signup with your username and preferred region.

What about inbound webhooks from a third party to my app?

QuotaGuard's relay handles outbound traffic from Zoho to a target API. Webhooks that a third party sends to your own server flow in the opposite direction and do not use the relay. Your inbound endpoint just needs to be publicly reachable. If you need a static inbound endpoint for security or compliance reasons, QuotaGuard Static includes inbound proxy capabilities on direct plans starting at $19/month.

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.
Sign Up for QG Static

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.
Sign Up for QG Shield

Trusted by Engineering Teams Everywhere

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.