Netlify Functions run on shared AWS infrastructure with rotating egress, and the only native static option is an Enterprise-only add-on. Route your outbound calls through two fixed static EU IPs set as an HTTPS_PROXY env var, on any plan.
# Netlify env var (any plan)
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
# functions/orders.js
const agent = new HttpsProxyAgent(..)
const res = await fetch(
'https://api.partner.eu/orders',
{ agent })
Netlify runs your functions on shared AWS infrastructure, so the outbound address rotates, and the only native fix is locked behind an Enterprise plan.
Netlify Functions run on AWS Lambda, pulling outbound IPs from a large shared pool. Those addresses rotate constantly, so a call that reaches an IP-whitelisted partner API one minute gets a 403 the next with no code change.
Netlify does offer fixed egress through Private Connectivity, but it's an add-on for Enterprise plans that start around $500 a month. Free, Personal, and Pro projects have no native way to pin their outbound address.
Netlify is a US company and its functions run on US AWS regions. Even the Enterprise Private Connectivity option leaves from US infrastructure, so it doesn't solve the GDPR data-residency side for EU teams.
Because the AWS IP pool is shared, your function's address can get rate-limited or blocked because of what some unrelated tenant did from the same IP. You inherit the reputation of whoever else rode that address before you.
"What IP will your Netlify function call from, so I can allow it?"
You want one fixed answer that holds across every deploy, not "whichever Lambda instance AWS happened to run."
Netlify function
HTTPS Proxy
(Static EU IP)
Whitelisted API
Every outbound HTTPS call from your Netlify function leaves from the same pair of EU addresses, whether it's a partner API or a payment endpoint. Two IPs back the account, and if one is down the other takes over.
fetch and axios honour HTTPS_PROXY with no code rewrite, on Free or Pro.
fetch code starts routing through it.
Shipping on Netlify whose serverless functions call partner APIs behind an IP allowlist.
On plans well below Netlify's Enterprise Private Connectivity, who still need a fixed address to reach IP-whitelisted APIs.
Running EU products on Netlify that need GDPR-aligned outbound access from a fixed EU address.
Accountable for where their Netlify functions send data, who want a documented EU egress rather than an ever-changing AWS address.
Set HTTPS_PROXY as a Netlify environment variable. Outbound calls then leave through your fixed EU IP, with no function rewrite.
Add HTTPS_PROXY in Site settings > Environment variables. In the function, pass it explicitly with https-proxy-agent.
// Netlify env var (any plan)
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
PARTNER_API_TOKEN=your_token
// functions/orders.js
const { HttpsProxyAgent } = require('https-proxy-agent');
exports.handler = async () => {
const agent = new HttpsProxyAgent(process.env.HTTPS_PROXY);
const res = await fetch('https://api.partner.eu/orders', {
headers: { 'Authorization': `Bearer ${process.env.PARTNER_API_TOKEN}` },
agent,
});
return { statusCode: 200, body: JSON.stringify(await res.json()) };
};
Add it as an environment variable in Site settings. Keep the proxy URL out of your repo by storing it in the dashboard or via the Netlify CLI.
# Dashboard: Site settings > Environment variables
HTTPS_PROXY = https://user:pass@eu-01.outboundgateway.com:8443
Scope: Production, Deploy previews, Branch deploys (as needed)
# Or via the Netlify CLI
netlify env:set HTTPS_PROXY "https://user:pass@eu-01.outboundgateway.com:8443"
# In code, read it like any env var
const proxy = process.env.HTTPS_PROXY;
Two IPs, so a deploy doesn't break your integration
Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Whitelist both on your partner API. If one proxy node is briefly unavailable, traffic shifts to the other, so a Netlify redeploy isn't the thing that severs your connection.
📖 Want the longer version? Worked examples, error handling, and other languages are in the Node.js Guide, Python SSL Proxy Guide, and the rest of the docs.
Netlify is US-hosted and runs functions on US AWS regions. For GDPR-minded teams, a fixed EU egress fills that gap.
The proxy runs in EU data centres, so your Netlify function's outbound traffic leaves from European infrastructure instead of a US AWS region.
Because TLS passes straight through, the proxy never decodes your API tokens or request payloads. It forwards encrypted bytes; it doesn't read them.
Traffic doesn't bounce through US infrastructure on its way to your partner API, which keeps the data path inside the EU and removes a wrinkle from GDPR reviews.
When a partner asks where your Netlify function calls from, the answer is two fixed EU addresses, not a list that changes with every AWS scale event. The failover pair covers maintenance windows.
Two addresses to register, with automatic failover, so your traffic isn't riding on a single point of failure.
No need for Netlify's Enterprise tier or Private Connectivity add-on. Set an env var and you have a fixed egress.
European data centres and a GDPR-conscious setup, giving your Netlify app a predictable EU address it doesn't have natively.
Your own fixed address, so you stop inheriting rate limits and blocks from noisy neighbours on the shared AWS pool.
TLS passthrough means the proxy can't read your traffic. Tokens and request data stay private the whole way.
Starting from €29/month. Flexible plans for every scale. Cancel anytime.
Stop letting shared AWS egress and an Enterprise-only addon decide whether your IP-whitelisted APIs keep working. Put your Netlify outbound traffic behind one stable, GDPR-conscious address.
€29/month starter plan • 7-day refund policy • Direct founder support
Netlify has a Private Connectivity feature that gives builds and functions a specific set of allowlist IPs, but it's an add-on for Enterprise plans (which start around $500 a month) and it egresses from US AWS regions. OutboundGateway gives you a fixed pair of EU addresses on any plan, set as a simple HTTPS_PROXY env var, which is useful if you're on Free or Pro, want EU data residency, or would rather not pay for Enterprise.
Add HTTPS_PROXY in Site settings > Environment variables, scoped to Production, Deploy previews, or Branch deploys, or with netlify env:set. In a Node function, pass it to https-proxy-agent. The variable is stored in the dashboard, not your repo, so it stays out of source control.
Yes. Because the proxy is just an environment variable, it works regardless of your Netlify plan. Free and Pro projects that can't access Netlify's Enterprise Private Connectivity can still get a fixed pair of EU addresses for their outbound HTTPS calls.
Happy to talk through how a two-IP egress fits your specific Netlify setup, whether it's a serverless function or a build step.
Contact Our Founders →