SOCKS proxy with quotaguard add on

I need a static IP address for outbound traffic from my service. I need this because, to access my DB, I must explicitly whitelist the IP addresses with access.

Quotaguard integration is very easy to use but only supports HTTPS proxies? I’d like to use a SOCKS proxy so I can tunnel all traffic I’m sending over the postgres wire.

I see Quotaguard offer socks proxies but not through the render add on?

Hello, this should work with Render.

Loosely following the guide at https://support.quotaguard.com/support/solutions/articles/5000013939-socks-quick-start-guide-quotaguard-static:

Step 1.
Download and extract the qgtunnel package in the root directory of your app:

$ curl https://s3.amazonaws.com/quotaguard/qgtunnel-latest.tar.gz | tar xz

If you are using a native environment you’ll need to run that locally and commit the directories/folders, if you are using docker run that as a build step.

Step 2.
SSO into the QuotaGuard admin dashboard, accept privacy policy and update email if you haven’t yet.
Then go to Settings->Setup in the top right corner.
And then on the left select Tunnel, then Create Tunnel

Enter the address you’d like to proxy to:

Local Port: 5432
Transparent: true
Encrypted: false

With transparent: true you should be able to connect to hostname.for.your.database.com:5432 like normal, but if that fails try connecting to 127.0.0.1:5432

And then update your start command to be ./bin/qgtunnel <normal start command> to connect to your service.

If it says:
Missing QUOTAGUARDSTATIC_URL and QUOTAGUARDSHIELD_URL environment variables. Exiting.

Go to the addons page and to your quotaguard addon and click Show Credentials.

Copy the environment variable and add it to your service's Environment Variables. (This should happen automatically but didn’t for me. I will be looking into ensuring it does in the future; this is just a workaround.)

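Putting the steps above together as a start script, as an added example that is not code from the thread, from Render or from QuotaGuard: it pins a SHA-256 on the download (step 1 pipes curl straight into tar with no integrity check; EXPECTED_SHA256 is a placeholder you obtain from a trusted source, not a value from this thread), and it refuses to start the app when the credential variables qgtunnel looks for are missing, rather than letting the app reach the database from a non-whitelisted IP and fail later. The function names and the checksum argument are mine, not part of qgtunnel.

```shell
#!/bin/sh
# Added example: not code from the thread, Render or QuotaGuard.
# Assumptions: qgtunnel is fetched as in step 1 of the thread; the expected
# SHA-256 is supplied by the caller (placeholder, not a value from the thread);
# the app's normal start command is passed as arguments to start_with_tunnel.

# Print the SHA-256 of a file, using whichever tool the image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Compare a downloaded archive against a pinned SHA-256 before extracting it,
# so a tampered or truncated download never becomes the tunnel binary.
verify_tarball() {
  file="$1"
  expected="$2"
  [ -n "$expected" ] || return 1
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Step 1 from the thread, fail-closed: download, verify, then extract.
# Usage: fetch_qgtunnel <EXPECTED_SHA256_PLACEHOLDER>
fetch_qgtunnel() {
  expected="$1"
  url="https://s3.amazonaws.com/quotaguard/qgtunnel-latest.tar.gz"
  curl -fsSL -o qgtunnel-latest.tar.gz "$url" || return 1
  if ! verify_tarball qgtunnel-latest.tar.gz "$expected"; then
    echo "qgtunnel checksum mismatch; not extracting" >&2
    return 1
  fi
  tar xzf qgtunnel-latest.tar.gz
}

# True when at least one of the variables named in the thread's
# "Missing QUOTAGUARDSTATIC_URL and QUOTAGUARDSHIELD_URL" message is set.
qg_credentials_present() {
  [ -n "${QUOTAGUARDSTATIC_URL:-}" ] || [ -n "${QUOTAGUARDSHIELD_URL:-}" ]
}

# Build the wrapped command line from the thread: ./bin/qgtunnel <normal start command>
qg_wrapped_command() {
  printf '%s' "./bin/qgtunnel $*"
}

# Start the app through the tunnel, or not at all: without credentials the
# process would connect to the database from a non-whitelisted address.
start_with_tunnel() {
  if ! qg_credentials_present; then
    echo "QUOTAGUARDSTATIC_URL / QUOTAGUARDSHIELD_URL not set; refusing to start without the tunnel" >&2
    return 1
  fi
  # shellcheck disable=SC2068  # word-splitting the start command is intended
  exec ./bin/qgtunnel "$@"
}
```

Use fetch_qgtunnel in the Docker build step (or locally before committing the extracted directories, as the reply says for native environments) and set the service start command to this script with the app's usual command appended, e.g. `sh start.sh uvicorn app:app`; the exec keeps qgtunnel as the service's main process.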

This looks amazing thanks. Will try it out now and get back to you

From the dashboard it looks like I can only select a single remote host to tunnel to via the static IP?

So it would go [ my app ] -> [ QG static IP ] -> [ remote host ] and I would appear as my static IP to the remote host.

What if I want to target any remote host [ my app ] -> [ QG static IP ] -> [ world ]? Is this possible?

I took a look at the socksify wrapper but it seems to be the same problem (choosing a single remote host) and also doesn’t work for multi-threaded apps (it keeps shutting down my python uvicorn service).

Is this possible: for all outbound (only) tcp traffic on any port to appear at any remote destination as coming from a static ip?

Would this essentially be equivalent to a NAT instance?

Hey Oliver,

I don’t believe this is currently possible with Render. What’s the use case for needing all traffic to come from a static IP?

Our app connects to the user’s data warehouse. It’s very common that they have firewall rules to only allow inbound traffic from a specific IP.

The host and port of the user’s database is completely configurable, so we need flexibility. Maybe there’s a simpler way to do it?

To make things a bit trickier, we sometimes connect to databases via an SSH tunnel. So we go [ our app in render ] --SSH--> || --> [ user’s bastion host ] --TCP--> [ user’s database ]
In this workflow, we need the origin IP address for the SSH command as a firewall usually sits at ||

There are a couple of docs that indicate you should be able to pass all outbound traffic through a static IP using QuotaGuard. Is this what you attempted to use?