Agents on Vertex AI Agent Engine call external APIs for tool use, but they get dynamic GCP egress by default. Route their outbound calls through two fixed EU IPs with one env var, no VPC or PSC networking to configure.
# Agent Engine managed runtime env var
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
import requests
def lookup_order(order_id):
r = requests.get(
f"https://api.partner.eu/orders/{order_id}")
return r.json()
Google's managed agent runtime is great for scaling, but it leaves you with little control over where your agents' outbound calls come from.
Standard Agent Engine deployments route outbound traffic through Google Cloud IP pools. Those addresses rotate, so a partner API or firewall that only allows known IPs blocks your agent's tool calls.
Google offers PSC-I with Secure Web Proxy to control egress, but it requires a shared VPC, PSC attachments, Cloud NAT, and Secure Web Proxy configuration. That's a significant GCP networking project just to pin an IP.
Even with VPC Service Controls and PSC-I configured, your agents' outbound traffic still leaves from Google Cloud (US-owned infrastructure). For GDPR-minded teams, that doesn't solve the data-residency side.
Agent Engine runs your agent code in a Google-managed runtime. You don't get a VM or a container shell to configure NAT rules or routing tables. The only lever you have is what your agent code sees as environment variables.
"Your agent called us from a Google IP we've never seen. It's blocked."
You need a fixed address your partners can trust, not a rotating GCP pool they have to chase.
Agent Engine
HTTPS Proxy
(Static EU IP)
Partner API
Every outbound call your agents make for tool use, function calling, or third-party lookups leaves from the same pair of EU addresses. Two IPs with automatic failover, no GCP networking to configure.
requests or fetch, setting HTTPS_PROXY is all it takes.
Deploying agents on Vertex AI Agent Engine that use tools calling partner APIs behind IP allowlists.
Using Vertex AI for EU-regulated data workloads who need agent outbound calls to leave from European infrastructure.
Who need a fixed IP for agent tool calls but don't want to build out PSC-I, VPC, and Secure Web Proxy just to pin an address.
Accountable for where their AI agents send data, who want a documented EU egress rather than rotating Google Cloud IPs.
Set HTTPS_PROXY in your agent's runtime environment. Outbound HTTPS calls from tool functions then leave through your fixed EU IP.
Your agent's tool functions run Python in the managed runtime. If they use requests, setting HTTPS_PROXY is all you need.
# .env or Agent Engine runtime env var
HTTPS_PROXY=https://user:pass@eu-01.outboundgateway.com:8443
PARTNER_API_TOKEN=your_token
import os
import requests
# agent tool function: looks up an order
def lookup_order(order_id: str) -> dict:
# requests honours HTTPS_PROXY from the environment
r = requests.get(
f"https://api.partner.eu/orders/{order_id}",
headers={"Authorization": f"Bearer {os.environ['PARTNER_API_TOKEN']}"},
)
return r.json()
Pass HTTPS_PROXY as an environment variable when you create or update your agent's deployment. Store the proxy URL in Google Secret Manager, not in your code.
# When deploying via the Vertex AI SDK or ADK CLI
# pass environment variables to the agent runtime:
env_vars = {
"HTTPS_PROXY": "https://user:pass@eu-01.outboundgateway.com:8443",
}
# The managed runtime exposes these to your agent code,
# so requests/fetch pick up HTTPS_PROXY automatically.
Two IPs, no GCP networking to maintain
Your account comes with two static IP addresses (for example 51.xx.xx.10 and 51.xx.xx.11). Whitelist both on your partner API. If one proxy node is briefly unavailable, traffic shifts to the other. No VPC, no PSC, no Cloud NAT to babysit.
📖 Want the longer version? Worked examples, error handling, and other languages are in the Python SSL Proxy Guide, Node.js Guide, and the rest of the docs.
Vertex AI runs on Google Cloud (US). For GDPR-minded teams, a fixed EU egress gives your agents a sovereign outbound path.
The proxy runs in EU data centres, so your agent's outbound tool calls leave from European infrastructure instead of a US Google Cloud region.
Because TLS passes straight through, the proxy never decodes your agent's API tokens, tool payloads, or conversation data. It forwards encrypted bytes; it doesn't read them.
Agent tool-call traffic doesn't bounce through US infrastructure on its way to a partner API, keeping the data path inside the EU.
When a reviewer asks where your Vertex AI agent calls from, the answer is two fixed EU addresses, not a list of rotating Google Cloud IPs.
Two addresses to register, with automatic failover. No rotating Google Cloud pool to chase.
Skip PSC-I, VPC, Cloud NAT, and Secure Web Proxy. One env var in your agent code and it works.
European data centres and a GDPR-conscious setup, giving your agents a predictable EU address.
Function calling, API lookups, RAG retrievals, webhooks: anything over HTTPS goes through the same pair.
TLS passthrough means the proxy can't read your traffic. Tokens, payloads, and conversation data stay private.
Starting from €29/month. Flexible plans for every scale. Cancel anytime.
Stop letting dynamic GCP egress block your agents' tool calls, and skip the VPC networking project. Put your agents' outbound traffic behind one stable, GDPR-conscious EU address.
€29/month starter plan • 7-day refund policy • Direct founder support
Yes, but it's a GCP networking project. PSC-I with Secure Web Proxy requires a shared VPC, PSC attachments, Cloud NAT, and Secure Web Proxy configuration. That's a lot of GCP infrastructure just to pin an IP, and it still egresses from Google Cloud (US). OutboundGateway skips all that: one HTTPS_PROXY env var in your agent code gives you a fixed pair of EU IPs.
Yes, if your tool functions use standard HTTP clients like requests or urllib. Those libraries read HTTPS_PROXY from the environment automatically. You pass the env var when you deploy your agent, and the managed runtime exposes it to your code. No networking-layer configuration needed.
If your goal is EU data residency for your agent's outbound calls, PSC-I still routes through Google Cloud (US-owned infrastructure). OutboundGateway routes through European data centres owned by an EU company, so your agent's tool-call traffic stays within EU jurisdiction without any GCP networking setup.
Happy to talk through how a two-IP EU egress fits your Vertex AI agent setup, whether it's ADK, function calling, or a custom tool integration.
Contact Our Founders →