Skip to main content

Egress IP Routing & VPN

Many APIs require whitelisting specific IP addresses. KnoxCall supports routing requests through dedicated egress servers with static IPs—either managed by KnoxCall or through your own VPN infrastructure.

The Problem

Dynamic IPs:
APIs requiring IP whitelisting:
  • Banking and financial APIs (Open Banking, Plaid)
  • Government services (tax, compliance)
  • Enterprise B2B integrations
  • Payment processors (some configurations)
  • Internal corporate APIs

The Solution

Static egress IP:
Benefits:
  • ✅ Single static IP to whitelist
  • ✅ Works from any source (dev, staging, prod)
  • ✅ Automatic failover if egress server down
  • ✅ Choose geographic region
  • ✅ Multiple egress IPs per tenant (if needed)

Types of Egress Routing

KnoxCall supports two deployment models: What it is:
  • KnoxCall provisions and manages egress servers for you
  • Static IP provisioned in your chosen region
  • Automatic health monitoring and failover
  • No infrastructure management required
When to use:
  • You need a quick, turnkey solution
  • You want KnoxCall to handle operations
  • You don’t have existing VPN infrastructure
Regions available (DigitalOcean region slugs):
  • 🇺🇸 nyc3 — New York, USA
  • 🇺🇸 sfo3 — San Francisco, USA
  • 🇬🇧 lon1 — London, UK
  • 🇩🇪 fra1 — Frankfurt, Germany
  • 🇳🇱 ams3 — Amsterdam, Netherlands
  • 🇦🇺 syd1 — Sydney, Australia
  • 🇸🇬 sgp1 — Singapore
Pricing:
  • Included in Pro and Enterprise plans
  • $29/month per additional egress server (if you need multiple regions)

2. Self-Hosted VPN Integration

What it is:
  • Connect KnoxCall to your existing VPN infrastructure
  • Routes traffic through your VPN gateway
  • You manage the VPN server, KnoxCall just uses it
When to use:
  • You have existing VPN infrastructure
  • Compliance requires self-hosted networking
  • You need specific routing or firewall rules
  • You want full control over egress traffic
Supported VPN types:
  • WireGuard
  • OpenVPN
  • Custom proxy servers (SOCKS5, HTTP forward proxy)
Pricing:
  • Included in Enterprise plan
  • Contact sales for availability on lower tiers

Setting Up Managed Egress

Step 1: Request Egress Server

  1. Navigate to ProxyStatic IPs (cloud-hosted KnoxCall only — this page is hidden on self-hosted deployments)
  2. Click Request Static IP
  3. Configure:
  1. Click Request

Step 2: Wait for Provisioning

KnoxCall automatically:
  • Creates a DigitalOcean Droplet in your region
  • Configures forward proxy software
  • Assigns a static IP (reserved IP)
  • Sets up health checks
  • Registers in data plane registry
Typical provisioning time: 2-3 minutes

Step 3: Note Your Static IP

After provisioning completes:
Share this IP with your API provider for whitelisting.

Step 4: Assign to Routes

Configure which routes use the egress server: Option A: Per-environment (recommended)
  1. Go to route detail page
  2. Select environment (e.g., “production”)
  3. Scroll to AdvancedEgress Routing
  4. Select egress server: “US East Egress”
  5. Save
Option B: Via API
Pass egress_server_id: null to remove the egress assignment and revert the route to direct routing.

Step 5: Test & Verify

Make a test request through your route:
Check the API provider’s logs to confirm they see requests from 203.0.113.200.

Setting Up Self-Hosted VPN

Prerequisites

  • VPN server (WireGuard or OpenVPN)
  • VPN configuration file or credentials
  • Network access from KnoxCall servers

Step 1: Prepare VPN Configuration

WireGuard example:
OpenVPN example:

Step 2: Register VPN in KnoxCall

  1. Navigate to the VPN page and click Create VPN ConnectionMy Own VPN
  2. Choose your VPN type (WireGuard, OpenVPN, or custom proxy)
  3. Configure:
  1. Click Save

Step 3: Test Connection

KnoxCall will:
  • Establish VPN tunnel
  • Perform health check (if configured)
  • Report connectivity status

Step 4: Assign to Routes

Assign the VPN node to a route from the route detail page under AdvancedEgress Routing.

Advanced Configuration

Multiple Egress Servers per Tenant

Use different egress IPs for different APIs:
Configuration:
  • Route A (Stripe) → uses US East Egress
  • Route B (European bank) → uses EU West Egress
  • Route C (partner) → uses Corporate VPN

Failover & High Availability

Managed egress servers:
  • Automatic health monitoring (every 30 seconds)
  • If unhealthy, routes fall back to direct routing
  • Email alerts on failover
  • Auto-recovery when health restored
Self-hosted VPN:
  • Manual health check URL (optional)
  • No automatic failover unless configured
  • You’re responsible for VPN uptime

Regional Routing

Route requests through the closest region to the destination API:

Security Considerations

Managed Egress Servers

Isolation:
  • Dedicated Droplet per egress server (not shared)
  • Firewall rules restrict traffic to your routes only
  • No direct SSH access (managed via API)
Authentication:
  • Requests authenticated with tenant-specific secret
  • HMAC signature verification
  • Replay attack prevention
Monitoring:
  • All traffic logged
  • Health checks every 30 seconds
  • Alerts on anomalies

Self-Hosted VPN

Security checklist:
  • VPN credentials stored encrypted in KnoxCall
  • Firewall allows only KnoxCall server IPs
  • VPN configuration doesn’t expose internal network
  • Health check endpoint authenticated (if public)
  • Egress traffic monitored on your side
Network isolation:
  • Ensure VPN tunnel doesn’t grant KnoxCall access to internal network
  • Use split tunneling (only route API traffic through VPN)
  • Configure firewall rules on VPN gateway

Monitoring & Troubleshooting

Health Status

Managed egress servers — run an on-demand health check:
Self-hosted VPN nodes — read the node’s current status:
IDs are UUIDs. To actively test a self-hosted node’s connectivity, call POST /admin/data-plane-nodes/{id}/test. Status values:
  • active - Healthy and routing traffic ✅
  • unhealthy - Failed health check ⚠️
  • unreachable - Cannot connect 🔴
  • unknown - Status not yet determined 🔄

Request Logs

View which requests used egress routing:

Common Issues

Problem: “Egress server unreachable”
Solutions:
  1. Check server status in dashboard
  2. If managed: wait 2-3 min for auto-recovery
  3. If self-hosted: verify VPN server is running
  4. Check firewall allows KnoxCall IPs
Problem: “API still rejecting IP”
Debug steps:
  1. Verify correct egress server assigned to route
  2. Check route’s environment is correct
  3. Test with: curl https://ifconfig.me/ip through egress server
  4. Confirm API provider whitelisted the right IP
  5. Check for typos in IP address (common!)
Problem: “Latency increased after enabling egress”
Causes:
  • Egress server in wrong region (e.g., US egress for EU API)
  • VPN has high latency
Solutions:
  • Use egress server closest to destination API
  • For self-hosted VPN: measure VPN latency
  • Consider multiple regional egress servers
Problem: “VPN connection keeps dropping”
Solutions:
  1. Check VPN server logs for disconnections
  2. Increase WireGuard PersistentKeepalive value
  3. Configure health check to detect failures faster
  4. Ensure firewall isn’t blocking keep-alive packets

Cost Optimization

When to Use Egress Routing

Use egress when:
  • ✅ API requires IP whitelisting
  • ✅ You need consistent source IP for logging/audit
  • ✅ Compliance mandates specific egress points
  • ✅ API has regional restrictions
Skip egress when:
  • ❌ API doesn’t require IP whitelisting
  • ❌ Added latency is critical (use direct routing)
  • ❌ Route has very high traffic (cheaper to provision own server)

Multi-Tenant Cost Sharing

For enterprise deployments with many routes:
Most APIs accept multiple routes from same IP, so Option B is usually fine.

API Reference

Managed egress servers have their own API surface under /admin/egress. The data-plane-node endpoints (/admin/data-plane-nodes) are for self-hosted VPN nodes. All of these endpoints are cloud-mode only.

Supporting endpoints

Request a Managed Egress IP

Polling for completion:
If provisioning fails, retry with POST /admin/egress/{server_id}/retry.

Register Self-Hosted VPN

region, kind, and display_name are required. kind must be managed or self_hosted; vpn_type (when present) must be wireguard, openvpn, or custom. vpn_config_json is a free-form blob stored verbatim — its shape is not validated, so the keys below are just an example.
The response returns the full node row; id is a UUID.

Update / Test a Self-Hosted Node

Assign Egress Server to a Route

Send "egress_server_id": null to clear the assignment and revert to direct routing.

List Managed Egress Servers

Self-hosted VPN nodes are listed separately via GET /admin/data-plane-nodes (returns { "nodes": [...] }).

Release a Managed Egress Server

A server cannot be released while any route still uses it (returns 400 with routes_using).

Check Managed Egress Health

Best Practices

✅ Do This

  1. Test with dummy route first
    • Create test route, assign egress, verify IP
    • Don’t configure production routes immediately
  2. Document which API requires which IP
    • Keep spreadsheet of API → egress IP mappings
    • Share with team for future reference
  3. Set up alerts
    • Email when egress server goes unhealthy
    • Monitor latency changes
  4. Use regional egress servers
    • Match egress region to API region when possible
    • Reduces latency
  5. Keep egress credentials secure
    • For self-hosted VPN, treat credentials as secrets
    • Rotate VPN keys quarterly

❌ Avoid This

  1. Don’t use same egress for unrelated APIs
    • If one API blocks your IP, all routes affected
    • Use separate egress servers for high-risk APIs
  2. Don’t skip health checks for self-hosted VPN
    • You’ll only discover downtime when users complain
    • Set up health check URL
  3. Don’t delete egress server while routes use it
    • Routes will fall back to direct routing
    • May break IP whitelisting
  4. Don’t expose internal network via VPN
    • Use split tunneling
    • Firewall VPN gateway appropriately

Migration Guide

From Direct Routing to Egress

Before:
After:
Steps:
  1. Provision egress server
  2. Get static IP
  3. Contact API provider to whitelist IP
  4. Wait for confirmation (don’t skip!)
  5. Assign egress to route (test environment first)
  6. Test
  7. Assign to production
  8. Monitor
Rollback plan:
  • Clear the egress assignment (PUT /admin/routes/{route_id}/egress with "egress_server_id": null)
  • Traffic reverts to direct routing

Next Steps

Multi-Region Deployment

Deploy KnoxCall across regions

Route Configuration

Learn about route setup

Monitoring

Monitor egress server health

Security

Secure your routes

📊 Guide Info

  • Level: Intermediate to Advanced
  • Time: 15-30 minutes
  • Prerequisites: Understanding of IP whitelisting and networking

🏷️ Tags

egress, vpn, networking, ip-whitelisting, infrastructure