Understanding and Configuring IP Zones
Administration
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

Network zones are used to define security perimeters around which admins can restrict or limit access based on various parameters such as IP address, location, and more. IP Zones are a type of network zone that enables administrators to define network perimeters around a set of IP addresses. This article provides information on configuring and using IP zones in Okta.

Applies To
  • Okta Administrators
Solution

Follow the steps or the video below.

Creating an IP Zone

  1. In the Okta Admin Console, navigate to Security > Networks.
  2. Click the Add Zone button, and select IP Zone from the drop-down menu.

Add IP Zone

  3. Enter a name for the IP zone in the Zone Name field.
    • Optional: select Block access from IPs matching conditions listed in this zone to prevent matching IPs from accessing Okta. This includes IP addresses found in the zone and IP chains.
  4. Enter the Gateway IPs and Trusted Proxy IP addresses. Individual IP addresses, IP ranges, or Classless Inter-Domain Routing (CIDR) notation can be added. IP addresses and ranges should be separated with a new line or a comma.
  5. Click Save to create the IP zone.

IP Zone Evaluation

When determining whether a request is from inside or outside of an IP zone, Okta considers the IP chain. The IP chain is the IP address of all the network hops between the originating request and Okta. The following table explains IP chain processing for one or multiple IPs in an IP chain.

  • The IP chain contains one IP: the request is considered to be within a zone if that IP is contained within any of the defined gateways for that zone.
  • The IP chain contains more than one IP: Okta first checks whether the final IP in the chain (the one directly connecting to Okta) is within any of the defined gateways or proxies for the IP zone. If it is a defined gateway, the request is from within that zone. If it is a defined proxy, the process repeats for the previous IP in the chain (the one directly connecting to the proxy).

To ensure that Okta considers traffic as coming from a trusted zone, the gateway IP and the proxy IP both need to be in the same zone. If these two IP addresses are in different zones, requests are not considered as coming from a trusted zone.
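The evaluation rules above, as an added worked example (this is illustrative code written for this article, not Okta's implementation). It walks an IP chain from the Okta-facing hop backwards through trusted proxies, stops at the first gateway hit, and also shows why a gateway and its proxy must sit in the same zone. Zone names, the addresses, and the behaviour when a chain ends on a proxy are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


def _parse(entry):
    """Expand one zone entry (single IP, CIDR, or 'start-end' range) into networks."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


@dataclass
class IPZone:
    name: str
    gateways: list  # entries accepted the same way the console accepts them
    proxies: list

    def __post_init__(self):
        self._gw = [n for e in self.gateways for n in _parse(e)]
        self._px = [n for e in self.proxies for n in _parse(e)]

    def is_gateway(self, ip):
        return any(ip in n for n in self._gw)

    def is_proxy(self, ip):
        return any(ip in n for n in self._px)


def in_zone(zone, ip_chain):
    """Return True if the chain (client first, Okta-facing hop last) is inside the zone."""
    chain = [ipaddress.ip_address(ip) for ip in ip_chain]
    if not chain:
        return False
    if len(chain) == 1:
        # A single IP is only matched against gateways, never against proxies.
        return zone.is_gateway(chain[0])
    for hop in reversed(chain):       # start at the hop that connects to Okta
        if zone.is_gateway(hop):
            return True               # gateway found: request is within the zone
        if not zone.is_proxy(hop):
            return False              # neither gateway nor trusted proxy: outside
        # trusted proxy: repeat for the previous hop in the chain
    return False  # assumption: a chain consisting only of proxies is outside


def matching_zones(zones, ip_chain):
    """Names of every zone the chain falls inside (a request may match several)."""
    return [z.name for z in zones if in_zone(z, ip_chain)]


# Constructed sample zones using documentation address ranges.
CORP = IPZone("corp", ["203.0.113.0/24", "10.0.0.1-10.0.0.50"], ["198.51.100.10"])
NO_PROXY = IPZone("no-proxy", ["203.0.113.0/24"], [])  # same gateway, proxy elsewhere
```

Note that `["203.0.113.5", "198.51.100.10"]` matches `corp` but not `no-proxy`: the proxy hop is not trusted there, so the gateway behind it is never consulted.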

Limitations of IP Zones

  • In an organization, up to 100 zones can be configured.
  • A non-blocked zone can be configured with up to 150 gateway IPs, proxy IPs, IP ranges, or CIDRs.
  • IP-blocked zones may contain up to 1000 gateways in each zone and up to 25,000 in an organization.
  • For the default system IP Zone, up to 5000 gateway IPs can be configured.
  • Also, for the default system IP Zone, up to 5000 proxy IPs can be configured.

NOTE: When editing a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.

Dynamic zones

In addition to IP zones, Okta also supports dynamic zones. Dynamic zones are based on geolocation data and can be used to restrict or limit access based on user location. Dynamic zones can be added to or used for Okta sign-on policies, app sign-on policies, VPN notifications, and Integrated Windows Authentication (IWA).

Legacy zones

A legacy zone cannot be edited, and it cannot be deleted while policies still reference it. Instead, create a new IP zone with the desired settings, update all the relevant policies to use the new zone, and then delete the legacy zone.
