How to Get a Static IP on Any PaaS Platform

Platform-as-a-service hosts run your app in ephemeral containers, so the IP you egress from changes on deploys, restarts, and scaling. A growing number now sell a native fixed-IP option, but it is usually gated to a higher plan tier, locked to one region, sometimes shared with other customers, and almost always outbound-only. When you need one identity that stays constant across deploys, regions, and platform moves, or you need a fixed inbound IP your partners can allowlist, a proxy is the smaller change.

Use QuotaGuard Static for standard API, database, and automation traffic. Use QuotaGuard Shield when the data is regulated (HIPAA, PCI-DSS, SOC 2), because Shield uses SSL passthrough and never decrypts your traffic at the proxy. This page covers every major PaaS platform, what its native outbound IP actually does, whether it offers a fixed-IP option and at what cost, and where a proxy is the better fit. Every cell in the comparison table below was checked against the platform's own documentation. Both outbound and inbound are covered, because inbound is where most platforms have no native answer at all.

PaaS Static IP Comparison: Native Options vs a Proxy

The pattern is consistent. Native fixed-IP options, where they exist, solve the outbound case for a single region on a higher tier. They rarely solve the inbound case, and they tie your fixed identity to one platform. A proxy decouples the identity your firewall cares about from wherever your app happens to run.

Why PaaS Platforms Rotate Your IP

Dynamic IPs are not a defect. They are how the platform scales. Your app runs in an ephemeral container that the platform creates, moves, and destroys to balance load. Each container draws an address from a shared pool, so the address you egress from today is not the one you egress from after the next deploy. This is true on Heroku Common Runtime, Render, Fly.io, Railway, Vercel, Netlify, Koyeb, Supabase Edge Functions, Replit, and Gigalixir alike.

That breaks three things:

• Allowlists. A database security group or partner API that only accepts pre-approved IPs rejects you the moment your IP changes.
• IP reputation. On a shared pool, you inherit the reputation of every other tenant using those addresses. One abusive neighbor and your legitimate traffic gets flagged or blocked.
• The 0.0.0.0/0 anti-pattern. The tempting workaround is to open the database to every IP and rely on credentials alone. That removes the network layer of defense entirely and is the first thing a security review flags.

A static IP restores the network boundary. You allowlist two addresses, and they never change.

The Technical Mechanism

Outbound traffic routes through the proxy with a single environment variable. Your app sends requests to the proxy, the proxy forwards them from its fixed IPs, and the destination sees a known source address.

# Set the proxy URL (example)
QUOTAGUARDSTATIC_URL="http://username:password@proxy.quotaguard.com:9293"

// Node.js
const { HttpsProxyAgent } = require('https-proxy-agent');
const agent = new HttpsProxyAgent(process.env.QUOTAGUARDSTATIC_URL);
const res = await fetch('https://api.partner.com/v1/orders', { agent });

# Python
import os, requests
proxies = {"http": os.environ["QUOTAGUARDSTATIC_URL"],
           "https": os.environ["QUOTAGUARDSTATIC_URL"]}
r = requests.get("https://api.partner.com/v1/orders", proxies=proxies)

For HTTP and HTTPS API calls, that is the entire setup. For non-HTTP protocols, the picture changes:

• Databases and raw TCP (PostgreSQL, MySQL, MongoDB, SMTP, SFTP) need a SOCKS5 connection, exposed on port 1080, or QGTunnel, which intercepts the connection transparently so your app keeps using the original database hostname while traffic exits through your static IPs.
• Latency. The extra hop adds single-digit milliseconds for most workloads. Match your proxy region to your app's region to keep it minimal.

Static vs Shield: the encryption model

QuotaGuard Static routes outbound HTTPS through a standard CONNECT tunnel. The proxy reads the destination host and port to route the connection and does not decrypt your HTTPS payload. SOCKS5 carries non-HTTP TCP the same way. Static terminates TLS only on inbound connections, where it presents a certificate to receive traffic on your behalf.

QuotaGuard Shield never decrypts in either direction. On inbound it routes by SNI without terminating TLS. On outbound it tunnels the outer connection while your application's payload stays in a separate end-to-end TLS session the proxy does not read. That zero-knowledge model is the one to use for HIPAA, PCI-DSS, and SOC 2 data. Static is appropriate for everything that is not regulated.

The Inbound Case Most Platforms Cannot Solve

Outbound gets the attention, but inbound is where PaaS platforms leave the biggest gap. When a partner, bank, or enterprise system needs to send webhooks or API calls to your app and demands a fixed IP to allowlist on their side, most of the platforms above have no native answer. Railway states plainly it does not offer static inbound IPs. Vercel and Netlify static IP features are outbound only. Koyeb, Replit, and Supabase Edge Functions have nothing inbound either.

A static IP proxy fills that gap. You point a hostname at the proxy with a CNAME, your partners allowlist the proxy's fixed IP, and traffic forwards to your app no matter how the platform rotates underneath. With Shield, the inbound path uses SSL passthrough, so the proxy never sees your decrypted payload and your certificate stays on your servers. With Static, the inbound path terminates TLS using a certificate you provide. Both give your partners a single, permanent address to trust.

Platform-by-Platform

Heroku

Common Runtime dynos rotate IPs and Heroku's own guidance says the AWS ranges are too broad to allowlist. Private Spaces gives static outbound IPs per space but requires the Enterprise tier. A proxy gives any dyno a fixed pair plus an inbound option. See the Heroku integration guide.

Render

Render assigns shared regional CIDR ranges, often a /24 of 256 addresses. Dedicated IPs add three static IPv4s per region at $100/mo per set on Pro and above. A two-IP pair through a proxy costs less, works across regions, and adds SOCKS5 and inbound. See the Render integration guide.

Fly.io

Machines prefer IPv6 and NAT'd IPv4 that can shift. App-scoped static egress IPs are the native fix, billed per IPv4 per region, so a multi-region app needs several. A proxy gives one identity for the whole app regardless of region. See the Fly.io integration guide.

Railway

Railway rotates the public IP on every restart. Static Outbound IPs on Pro give three region-tied addresses that are not guaranteed dedicated and cannot receive inbound traffic. For a dedicated identity or any inbound allowlisting, a proxy is the only route. See the Railway integration guide.

Vercel

Functions egress from rotating AWS ranges. Static IPs (shared pool) cover outbound on Pro and Enterprise; Secure Compute adds a dedicated VPC on Enterprise. Neither provides inbound. A proxy delivers a fixed pair without Enterprise pricing, plus inbound and database tunneling. See the Vercel integration guide.

Netlify

Netlify's ephemeral CDN egresses from large rotating pools and publishes no IP list. Private Connectivity gives static IPs but is Enterprise, account-manager gated, and supplies multiple IPs per region. A proxy is self-serve, gives a clean pair, and handles inbound. See the Netlify integration guide.

Koyeb

Koyeb's docs state it does not provide static outbound IPs and points users to a cloud-aware static IP service. A proxy is that service: a fixed pair plus SOCKS5 for databases. See the Koyeb integration guide.

Supabase Edge Functions

Edge Functions run on Deno Deploy with dynamic, unpublished outbound IPs. The Dedicated IPv4 add-on is ingress only and does not cover Edge Function egress. Because Deno supports SOCKS5 natively, a proxy works with no sidecar. See the Supabase Edge Functions integration guide.

Replit

Replit assigns a new outbound IP on every deployment and has no native static option. A proxy keeps your egress identity constant across redeploys. See the Replit integration guide.

Gigalixir

Gigalixir rotates outbound IPs during deploys and scaling. It offers Dedicated Ingress for a static inbound IP, but no native static outbound IP. A proxy supplies the outbound identity. See the Gigalixir integration guide.

When You Need a Proxy, When Native Is Enough, When to Migrate

• Use a native fixed-IP option when your app is single-region, the platform's option fits your tier, you only need outbound, and a shared address is acceptable to whoever is allowlisting you.
• Use a proxy when you need inbound, when you span multiple regions or platforms, when you need a dedicated address a partner will accept, when you need SOCKS5 for databases, or when the native option sits behind a higher tier than you want to pay for.
• Consider migrating only when the platform itself is the constraint. In most cases a proxy is the smaller change, because it decouples your fixed identity from your host and you keep the same identity if you move later.

Regulated Data: Use Shield

If your traffic carries protected health information, payment card data, or anything under a SOC 2 control, the question is not just whether the IP is fixed, but whether anyone decrypts the payload along the way. QuotaGuard Shield uses SSL passthrough so your data is never decrypted at the proxy and your certificates never leave your servers. That is the model auditors expect for HIPAA, PCI-DSS, and SOC 2 workloads. A Business Associate Agreement is available for approved Shield configurations. Static is the right choice for everything outside regulated scope.

FAQ

How do I give my Heroku app a static IP?

Heroku Common Runtime dynos rotate IPs. Add a static IP proxy and set one environment variable, and your traffic egresses from a fixed pair. Private Spaces offers native static outbound IPs but requires the Enterprise tier.

Why does my Vercel function IP keep changing?

Vercel runs Functions and Builds on shared, rotating AWS infrastructure, so the outbound IP changes by design. Use Vercel Static IPs (Pro or Enterprise), Secure Compute (Enterprise), or a proxy for a fixed outbound address. None of Vercel's native options provide an inbound IP.

Does Render have a static IP?

Render gives shared regional CIDR ranges by default. Its Dedicated IPs feature provides three static IPv4s per region at $100/mo per set on Pro and above. A proxy is a lower-cost two-IP alternative that also works across regions and supports inbound.

Can I get a static outbound IP on Railway?

Railway Pro offers Static Outbound IPs, but they are region-tied, may be shared with other customers, and cannot receive inbound traffic. For a dedicated identity or any inbound allowlisting, route through a proxy.

Do Supabase Edge Functions have a static IP?

No. Edge Function outbound IPs are dynamic and unpublished. The Dedicated IPv4 add-on is for inbound database connections only. Because Deno supports SOCKS5 natively, a proxy gives Edge Functions a fixed outbound IP without a sidecar.

What about non-HTTP traffic like databases?

HTTP and HTTPS route through a standard proxy. Databases and other raw TCP protocols use SOCKS5 or QGTunnel, which routes the connection through your static IPs while your app keeps using the original hostname.

How much latency does a proxy add?

For most workloads, single-digit milliseconds. Match the proxy region to your app's region to minimize the extra hop.

Static or Shield?

Static for standard API, automation, and database traffic. Shield for regulated data (HIPAA, PCI-DSS, SOC 2), because Shield never decrypts your payload at the proxy.