<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Restrict Access to Specific IP From a Given Range in Okta Access Gateway
Apr 3, 2026
Access Gateway
Okta Classic Engine
Okta Identity Engine
Overview

This article explains how to restrict specific IP addresses within an allowed IP range in Okta Access Gateway (OAG) application policies, providing a step-by-step guide and illustrative example.

Applies To
  • Okta Access Gateway (OAG)
  • Application Policies
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution

Specific IPs from an allowed IP address range can be restricted by adding them before the allow directive in a deny one.

For example, in case the allowed IP range is 10.0.0.0/8 and the IP that needs to be restricted is 10.0.0.20, then the settings need to be done as shown in the snapshot below:


Advanced range IPs 

Recommended content

Still looking for help?
Loading
How to Restrict Access to Specific IP From a Given Range in Okta Access Gateway