Configure egress IPs

Egress IPs provide a dedicated, static public IP address for outbound traffic from selected workloads. By default, outbound requests from your services use shared, unpredictable IP addresses. With an egress IP, outbound traffic routes through a single, fixed IP address that you can share with third parties for firewall allowlisting.

When you create an egress IP:

1. Northflank provisions a dedicated static IP in your chosen region
2. You define rules to specify which projects and workloads use this IP
3. Outbound traffic from matching workloads routes through the static IP
4. Other workloads continue using shared IPs

Only workloads matching your rules use the egress IP. Everything else routes normally.

1. Navigate to Cloud → Egress IPs from your team menu
2. Click Create egress IP

Basic information

1. Name: Provide a name for the egress IP
2. Description: (Optional) Describe the purpose
3. Provisioning mode: Select Dedicated (provisions an isolated IP for your team)
4. Region: Choose the region where the IP will be provisioned

Note: Region and provisioning mode cannot be changed after creation.

Configuration

1. Mode: Select Include (only specified workloads use this IP)

Rules

Configure which workloads route traffic through the egress IP:

1. Click Add rule
2. Select a project
3. Choose restriction mode:
   • Restrictions disabled: All services and jobs in the project use the egress IP
   • Restrictions enabled: Only specific services and jobs you add use the egress IP
4. If restrictions enabled, add specific services and jobs
5. Add additional projects as needed

Addon exclusion: Addon traffic (managed databases, etc.) is never routed through the egress IP, even if the project is included in rules.

Create

Click Create egress IP to provision the infrastructure. Provisioning typically takes a few minutes.

To modify which workloads use an egress IP:

1. Navigate to the egress IP settings
2. Update rules:
   • Add or remove projects
   • Enable or disable restrictions per project
   • Add or remove specific services/jobs
3. Click Update egress IP

Note: You can only edit egress IPs in the Active or Error state. Editing is locked during staging, loading, deleting, or deleted states.

Egress IPs progress through these states:

Once an egress IP reaches the Active state, you'll see the assigned static IP address. Share this IP with third parties for allowlisting.

Egress IPs can be included in Northflank templates for infrastructure as code.

Example template node:

{
  "kind": "EgressIP",
  "ref": "production-egress",
  "spec": {
    "name": "production-egress-ip",
    "description": "Static IP for production API calls",
    "provisioningMode": "dedicated",
    "region": "europe-west",
    "mode": "include",
    "rules": [
      {
        "projectId": "${refs.production-project.id}",
        "restrictionsEnabled": true,
        "services": ["api-service"],
        "jobs": []
      }
    ]
  }
}

Region locked after creation:

• Cannot change region once created
• To use a different region, delete and recreate the egress IP

Provisioning mode locked after creation:

• Cannot change from Dedicated to other modes after creation

Addon traffic excluded:

• Managed database connections and other addon traffic never route through egress IPs
• This applies even if the addon's project is included in rules

Provisioning time:

• Initial provisioning takes a few minutes (up to ~10 minutes)
• IP is assigned once cloud infrastructure is fully set up

Egress IPs cost $100 per active egress IP per billing period, prorated.

You're only billed while the egress IP is in the Active state. Free plans cannot create egress IPs.

Third-party API allowlisting:

• External APIs require your IP for firewall rules
• Share your egress IP for allowlisting
• All outbound API calls originate from this IP

Compliance requirements:

• Organization requires predictable, auditable outbound IPs
• Configure egress IPs for production workloads
• Document IPs for security audits

Partner integrations:

• Partner systems only accept traffic from known IPs
• Provision egress IP and share with partner
• Route integration traffic through the static IP