Network zones define security perimeters that restrict access based on parameters such as IP addresses and locations. IP zones are a specific type of network zone that enables administrators to define network perimeters around a set of IP addresses. Administrators can configure and use IP zones in Okta to manage access, evaluate IP chains, and handle legacy zones.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- IP Zones
- Network Zones
How does an Okta Administrator create an IP zone?
Navigate to the network security settings in the Okta Admin Console and configure the gateway and proxy IP addresses to create a new IP zone.
- In the Okta Admin Console, navigate to Security > Networks.
- Select Add Zone and choose IP Zone from the dropdown menu.
- Enter a name for the IP zone in the Zone Name field.
- Optional: Select Block access from IPs matching conditions listed in this zone to prevent matching IPs from accessing Okta. This includes IP addresses found in the zone and IP chains.
- Enter the Gateway IPs and Trusted Proxy IP addresses. Individual IP addresses, IP ranges, or Classless Inter-Domain Routing (CIDR) notation can be added. Separate IP addresses and ranges with a new line or a comma.
- Select Save to create the IP zone.
How does Okta evaluate IP zones?
Okta considers the IP chain when determining whether a request originates from inside or outside of an IP zone. The IP chain represents the IP address of all the network hops between the originating request and Okta. The following table explains IP chain processing for one or multiple IPs in an IP chain.
| IP Chain Type | Description |
|---|---|
| The IP chain contains one IP | The request is considered to be within a zone if the IP is contained within any of the defined gateways for that zone. |
| The IP chain contains more than one IP | Okta first checks whether the final IP in the chain, the one directly connecting to Okta, is within any of the defined gateways or proxies for the IP zone. If it is a defined gateway, the request is from within that zone. If it is a defined proxy, the process repeats for the previous IP in the chain, the one directly connecting to that proxy. If it is neither, the request is outside the zone. |
To ensure that Okta considers traffic as coming from a trusted zone, the gateway IP and the proxy IP both need to be in the same zone. If these two IP addresses are in different zones, Okta does not consider requests as coming from a trusted zone.
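The following Python example is an added illustration of the IP chain rules in the table above and of the same-zone caveat; it is not Okta's code and does not reproduce Okta's internal evaluation logic. It assumes a chain is supplied as a list of hop addresses ordered from the originating client to the hop that connects to Okta, and it parses zone entries in the syntax the "Gateway IPs" and "Trusted Proxy IPs" fields accept (single IPs, start-end ranges, CIDRs, separated by commas or new lines). All zone names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_entries(text: str) -> list:
    """Parse the entry syntax from the article: single IPs, "start-end"
    ranges, or CIDRs, separated by commas or new lines. Returns a list of
    ip_network objects. (Hypothetical helper, not Okta's parser.)"""
    networks = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {entry}")
            # Expand the range into the minimal set of CIDR blocks.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False lets a bare host address become a /32 or /128.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


@dataclass
class IPZone:
    """Constructed model of an IP zone: gateways, trusted proxies, and
    whether the zone is configured to block matching IPs."""
    name: str
    gateways: list = field(default_factory=list)
    proxies: list = field(default_factory=list)
    block: bool = False

    def is_gateway(self, ip) -> bool:
        return any(ip in net for net in self.gateways)

    def is_proxy(self, ip) -> bool:
        return any(ip in net for net in self.proxies)


def in_zone(zone: IPZone, chain: list) -> bool:
    """Apply the table rules: walk the chain from the hop nearest Okta.
    A gateway hit means "inside"; a trusted proxy defers to the previous
    hop; anything else means "outside". A chain of one IP is inside only
    if that IP is a gateway (proxies alone never qualify)."""
    hops = [ipaddress.ip_address(h) for h in chain]
    for ip in reversed(hops):
        if zone.is_gateway(ip):
            return True
        if zone.is_proxy(ip):
            continue  # trusted proxy: evaluate the hop that connected to it
        return False  # neither gateway nor proxy for this zone
    return False  # every hop was a proxy; no gateway was ever reached


def evaluate_request(zones: list, chain: list):
    """Return (names of zones the request is inside, whether any of those
    zones is a blocking zone)."""
    matched = [z for z in zones if in_zone(z, chain)]
    return [z.name for z in matched], any(z.block for z in matched)


if __name__ == "__main__":
    # Constructed sample zones (documentation address ranges).
    corp = IPZone("Corporate",
                  gateways=parse_entries("203.0.113.0/24, 198.51.100.10-198.51.100.20"),
                  proxies=parse_entries("192.0.2.1"))
    deny = IPZone("Denylist", gateways=parse_entries("198.51.100.0/24"), block=True)

    print(in_zone(corp, ["203.0.113.5"]))                 # True: single gateway IP
    print(in_zone(corp, ["203.0.113.5", "192.0.2.1"]))    # True: gateway behind trusted proxy
    print(in_zone(corp, ["203.0.113.5", "192.0.2.9"]))    # False: final hop is unknown
    print(in_zone(corp, ["192.0.2.1"]))                   # False: a lone proxy is not a gateway
    print(evaluate_request([corp, deny], ["198.51.100.15"]))  # (['Corporate', 'Denylist'], True)

    # The caveat from the article: gateway and proxy split across two zones.
    zone_a = IPZone("A", gateways=parse_entries("203.0.113.0/24"))
    zone_b = IPZone("B", proxies=parse_entries("192.0.2.1"))
    print(evaluate_request([zone_a, zone_b], ["203.0.113.5", "192.0.2.1"]))  # ([], False)
```

The last call shows why the gateway and proxy must live in the same zone: zone A rejects the chain because its final hop is not one of A's gateways or proxies, and zone B skips past its proxy only to find a hop that is not one of B's gateways, so neither zone claims the request.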
What are the limitations of IP zones in Okta?
Review the following limitations when configuring IP zones in an organization.
- An organization can configure up to 100 zones.
- A non-blocked zone can contain up to 150 gateway IPs, proxy IPs, IP ranges, or CIDRs.
- IP-blocked zones can contain up to 1000 gateways per zone and up to 25,000 across an organization.
- The default system IP zone can contain up to 5000 gateway IPs.
- The default system IP zone can contain up to 5000 proxy IPs.
NOTE: When editing a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.
How do dynamic zones function in Okta?
Okta supports dynamic zones in addition to IP zones. Dynamic zones use geolocation data to restrict or limit access based on a user's location. Administrators can add or use dynamic zones for Okta sign-on policies, app sign-on policies, VPN notifications, and Integrated Windows Authentication (IWA).
How are legacy zones handled in Okta?
Administrators cannot edit or delete a legacy zone. Create a new IP zone with the desired settings and delete the legacy zone once all the relevant policies are updated.
