
Vercel Static IPs for Builds: The New Allowlist Fix

Vercel just made a small switch with outsized impact: you can route build traffic through Static IPs. If your CI/CD breaks when a CMS, Git provider, or payments API demands IP allowlisting, this is the missing piece. Below, I’ll explain what changed, how it affects security and costs, where it beats Secure Compute (and where it doesn’t), and a 30‑minute rollout plan your team can run today—complete with gotchas to avoid and a quick cost model you can share with finance.
Published: Nov 06, 2025 · Category: Web development · Read time: 9 min

Vercel Static IPs now support build traffic, which means your build containers can call external APIs and data sources from consistent egress addresses you can allowlist. For teams wrestling with flaky Next.js builds, CMS webhooks that fail, or enterprise APIs locked behind firewalls, this flips the default: your CI/CD gets a stable network identity without a bespoke VPN or custom infra.

Diagram of build traffic routing through static egress IPs to an allowlisted API

What changed—and why it matters this week

As of November 4, 2025, you can toggle "Use static IPs for builds" in Project Settings → Connectivity. When enabled, both build and function traffic route through your project’s Static IPs and count toward Private Data Transfer. By default, it’s off; you opt in per project. Practically, this means:

• Your build-time fetches to headless CMSs, Git providers, payments gateways, internal APIs, and databases originate from fixed IPs you can hand to security teams.
• You can finally lock down those allowlists without maintaining a separate CI runner or opening wide IP ranges "just in case."
• Incident triage gets cleaner because you can align runtime and build-time network policy.

Here’s the thing: most build errors in headless stacks aren’t code—they’re network policy. This toggle reduces that class of failure dramatically.

“Vercel Static IPs” vs. Secure Compute: pick the right tool

Static IPs gives you shared-VPC egress with consistent addresses. It’s available on Pro and Enterprise plans as a self-serve add-on. Pricing is straightforward: a monthly fee per project plus Private Data Transfer metered regionally. In contrast, Secure Compute is an Enterprise-only dedicated VPC offering with stronger isolation, VPC peering, and higher base pricing. Use the list below as a rule of thumb:

• Choose Static IPs when you need: fast allowlisting for third-party APIs and SaaS, shared VPC egress, and simple self-serve setup across regions.
• Choose Secure Compute when you need: dedicated VPC isolation, direct VPC peering to cloud networks, or a stricter compliance posture across org boundaries.

In other words, Static IPs handle 80% of allowlist cases at a fraction of the complexity. If you already run Secure Compute, the new build routing support gives you end-to-end policy coverage for builds and functions under that dedicated network.

How to enable it (and avoid snags) in 30 minutes

Quick rollout checklist

1) Confirm plan and regions
• Ensure the project is on a plan that supports Static IPs.
• Pick up to three regions close to your backends to minimize round trips.

2) Generate and share the IPs
• Open Project Settings → Connectivity → Static IPs and copy the egress addresses per region.
• Share the list with security/IT for allowlisting in your CMS, databases, and APIs.

3) Toggle build routing
• Switch on "Use static IPs for builds." Redeploy the project to apply changes.

4) Verify at the edge
• Run a test build that fetches from each allowlisted service; check logs at the upstream (e.g., your CMS or API) to confirm connection from the expected IP.

5) Monitor spend
• In the Usage tab, track Private Data Transfer for the project and set alerts if you’re new to this path.

6) Document the contract
• Update your runbook: what gets allowlisted, which regions are active, and who owns changes. Save the IP list in your internal docs plus your vendors’ allowlist consoles.
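
Step 4 as an added example (not Vercel's or any vendor's tooling): a Node.js script that audits an upstream access log against the per-region IP list from your runbook. The log format, API key IDs, region labels, and addresses are constructed for illustration; adapt the regex to whatever your CMS or API actually logs.

```javascript
// Constructed runbook data: static egress IPs per region (RFC 5737 documentation addresses).
const ALLOWLIST = {
  iad1: ["192.0.2.10", "192.0.2.11"],
  fra1: ["198.51.100.20", "198.51.100.21"],
};

// Constructed upstream log: "<timestamp> <client-ip> <method> <path> <status> key=<api-key-id>"
const SAMPLE_LOG = `
2025-11-06T10:02:11Z 192.0.2.10 GET /entries?type=post 200 key=web-build
2025-11-06T10:02:12Z 192.0.2.11 GET /assets/hero.json 200 key=web-build
2025-11-06T10:02:15Z 203.0.113.77 GET /entries?type=banner 403 key=web-build
2025-11-06T10:03:40Z 192.0.2.10 GET /entries?type=page 403 key=web-build
2025-11-06T10:04:02Z 203.0.113.5 GET /entries 200 key=other-team
`;

function auditEgress(logText, allowlist, keyId) {
  const regionOf = new Map();
  for (const [region, ips] of Object.entries(allowlist))
    for (const ip of ips) regionOf.set(ip, region);

  const report = { hits: {}, unexpected: [], deniedFromStatic: [], unusedIps: [] };
  const seen = new Set();
  for (const line of logText.split("\n")) {
    const m = line.trim().match(/^(\S+) (\S+) (\S+) (\S+) (\d{3}) key=(\S+)$/);
    if (!m || m[6] !== keyId) continue; // skip blanks, malformed lines, other projects
    const [, time, ip, , path, status] = m;
    const region = regionOf.get(ip);
    if (!region) {
      // Not on the static path: e.g. Edge Middleware, or the toggle is not yet deployed.
      report.unexpected.push({ time, ip, path, status: Number(status) });
      continue;
    }
    seen.add(ip);
    report.hits[region] = (report.hits[region] || 0) + 1;
    // A 403 from a static IP may mean the vendor-side allowlist is missing that address.
    if (status === "403") report.deniedFromStatic.push({ time, ip, path });
  }
  // Allowlisted but never observed: candidates for the periodic allowlist review.
  report.unusedIps = [...regionOf.keys()].filter((ip) => !seen.has(ip));
  return report;
}

console.log(JSON.stringify(auditEgress(SAMPLE_LOG, ALLOWLIST, "web-build"), null, 2));
```

Entries under `unexpected` are the ones to chase first: they show traffic for your key that never went through the static path, which is exactly what an upstream allowlist will start rejecting.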

Gotchas: read this before you flip the switch

• Edge Middleware is different: middleware runs at the edge and won’t use Static IPs. If you’re calling external APIs from middleware, those calls won’t honor this toggle.
• Inbound vs. outbound: Static IPs are egress only. If you need fixed inbound addresses or private ingress, look at dedicated connectivity patterns; Static IPs won’t make your app itself reachable at a fixed IP.
• Region sprawl: each region has its own IP pair. If you build or run in multiple regions, you must allowlist each pair where traffic can originate.
• Rate-limit assumptions: if your upstream vendors apply IP-based rate limits, switching egress may change how they bucket your requests.
• Cost meter: all egress through Static IPs counts as Private Data Transfer, including build-time traffic once you enable the toggle.

Cost model you can hand to finance

Let’s get practical. Assume a content-heavy Next.js site that downloads images, JSON, and metadata from a headless CMS during builds and revalidations. If monthly build-time egress across the Static IP path is 50–100 GB, Private Data Transfer will typically sit in the $0.15–$0.31/GB range depending on region. That works out to roughly $7.50–$31 per month for that volume, plus the monthly Static IPs add-on fee per project. If you fetch from a single region close to your CMS, expect the lower end; multi-region traffic trends higher.

That spend replaces the hidden cost of failed builds, manual retries, and security exceptions. If you’ve been running self-hosted runners or custom NAT gateways just for allowlisting, you may be able to retire them and simplify your pipeline.

Will this help with Next.js ISR and revalidation?

Yes—indirectly. ISR and on-demand revalidations often fetch fresh data from your CMS or APIs. With Static IPs, those fetches originate from fixed addresses your vendors can allowlist, which reduces intermittent 403s and rate-limit surprises. Pair that with recent infrastructure improvements around revalidation performance and regional caching, and your content freshness path becomes both faster and more predictable.

People also ask

Does this fix inbound allowlists (customers calling us)?

No. Static IPs cover your project’s outbound traffic. If you need fixed inbound addressing or private ingress to your app, plan for a separate pattern such as a proxy, peering, or a dedicated ingress solution.

Do Edge Middleware requests use Vercel Static IPs?

No. Edge Middleware runs on the edge network and won’t route through Static IPs. Consider moving network calls out of middleware or using functions where policy enforcement via Static IPs is necessary.

What if we need stricter isolation for audits?

Static IPs run in a shared VPC with subnet-level isolation. If auditors require a dedicated network boundary, use Secure Compute with peering to your cloud VPC and treat the new build routing support as your end-to-end control.

Integration playbook: where this helps on day one

• Git providers and registries: Organization-level IP allowlists can block build fetches. Add your project’s static addresses to resolve flaky dependency downloads or checkout steps.
• Headless CMSs (Contentful, Sanity, Storyblok, Strapi, etc.): Allowlist the IPs so build-time and revalidation fetches never hit generic egress pools.
• Payments and fintech APIs: Many gateways require strict allowlists for webhook replays or reporting exports pulled during builds.
• On‑prem services: If you mirror content or configs on-prem, allowlist the egress and stop punching wide firewall holes.

Architecture notes from the field

• Keep regions tight: start with one region colocated with your primary data source to minimize latency and transfer costs. Only add a second region if you have a strong reason—e.g., multi-region failover or a second upstream that can’t be relocated.
• Separate projects by trust boundary: don’t share Static IPs across apps with different owners or compliance regimes. A per-project model keeps your allowlists clean and auditable.
• Avoid middleware data calls: move network calls into serverless functions where possible. You get better observability and Static IP policy control.


How this fits your broader Vercel strategy

Vercel has been shipping features that make enterprise controls self-serve—security, observability, and now network policy during builds. If you’re rolling out microfrontends or consolidating teams on a shared platform, consistent egress policies cut through a lot of cross-team friction. For a deeper look at how to structure teams and budgets when you scale frontends, see our take on microfrontends pricing and playbooks. If API costs are spiking as you add AI or analytics, combine Static IPs with smarter compute placement; we broke down practical tactics in Vercel Fluid Compute and cutting your API bill. And if reliability after a regional cloud hiccup keeps you up at night, our Next.js Edge resilience guide pairs nicely with network allowlists to reduce blast radius.

Risk and limitations you should acknowledge

• Shared egress: Static IPs aren’t a silver bullet for isolation. They’re shared across a small customer pool per region. If you need hard tenancy guarantees or peering, use Secure Compute.
• Vendor rate limiting: Some vendors apply per-IP quotas. If you centralize multiple apps behind the same egress, you may trip thresholds. Coordinate with vendors or split projects.
• Multiregion maintenance: Every additional region multiplies allowlist updates and incident surface area. Keep it minimal.
• Observability discipline: Treat upstream 4xx/5xx as policy signals, not just build "flakes." Add monitors and budget alerts to catch overshoot early.

What to do next

For developers:
• Enable Static IPs in a staging project and toggle build routing.
• Run a full build that hits all third-party APIs; verify upstream logs show the new IPs.
• Move external calls out of middleware into functions where policy control is needed.

For engineering managers and security leads:
• Document the authoritative IP list per project and region; store it centrally.
• Update vendor allowlists and create a quarterly review cadence.
• Set Private Data Transfer alerts and watch for new call paths created by AI features or batch jobs.

For product and business owners:
• Quantify time lost to build failures and security exceptions last quarter; bring the number to your next platform meeting.
• Compare the monthly add-on and data transfer spend to the cost of custom runners/VPN maintenance you can retire.
• If you need help, bring in a partner who has shipped and audited this at scale.

If you want a hands-on rollout or a second set of eyes on your architecture, our services team can help you design the right mix of Static IPs, Secure Compute, and regional layout. Explore recent platform work in our portfolio, and keep up with the latest dev platform shifts on the bybowu blog. Or just drop us a note via contacts—we’ll reply with a crisp plan, not fluff.

Written by Viktoria Sulzhyk · BYBOWU