To ensure proper connectivity for all Okta agents and users, administrators must add Okta system IP addresses to the network allowlist.
Okta does not maintain a static list of individual IP addresses; instead, administrators must allowlist the Amazon Web Services (AWS) CloudFront IP range, which updates periodically. This configuration ensures the network accepts inbound traffic successfully.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Firewall
- Allowlisting
- Administration
- Security
- IP Address
Which IP addresses should an Okta administrator add to be allowlisted?
For inbound traffic, Okta utilizes dynamic IP addressing rather than maintaining a static list. The list of IPs updates periodically due to the provisioning of additional servers. Allowlisting the AWS CloudFront IP range ensures the network accepts inbound traffic.
NOTE: The list contains all Okta IPs from all cells. Identify the cell where the Okta organization operates and use the IP ranges for that specific cell.
Review the following list to find the Okta cells and the corresponding IP ranges:
- OK1 - us_cell_1
- OK2 - us_cell_2
- OK3 - us_cell_3
- OK4 - us_cell_4
- OK6 - us_cell_6
- OK7 - us_cell_7
- OK8 - apac_cell_1
- EU1 - emea_cell_1
- OK9 - emea_cell_2
- OK11 - us_cell_11
- OK12 - us_cell_12
- OK14 - us_cell_14
- OK16 - apac_cell_2
- OP1 - preview_cell_1
- OP2 - preview_cell_2
- OP3 - preview_cell_3
Run the following command to verify the last modified date for the Okta IP range allowlist and view the header:
curl -Is https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json | grep 'Last-Modified'
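Because the ranges change periodically, a deployed allowlist drifts out of date. The following is an added example (not Okta's code) that extracts one cell's ranges from a downloaded copy of ip_ranges.json and reports which entries to add to or remove from the firewall. It assumes the file is a JSON object keyed by cell name, each holding an `ip_ranges` array of CIDR strings; the function names and sample data are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the ASSUMED layout of ip_ranges.json. The addresses
# are documentation ranges (RFC 5737), not real Okta ranges.
SAMPLE_FEED = json.dumps({
    "us_cell_1": {"ip_ranges": ["192.0.2.0/28", "198.51.100.16/29", "203.0.113.7/32"]},
    "emea_cell_1": {"ip_ranges": ["198.51.100.128/27"]},
})


def cell_networks(feed_text, cell):
    """Return the validated set of networks published for one cell."""
    feed = json.loads(feed_text)
    if cell not in feed:
        # Fail closed: a typo in the cell name must not yield an empty allowlist.
        raise KeyError(f"cell {cell!r} not in feed; known cells: {sorted(feed)}")
    nets = set()
    for cidr in feed[cell]["ip_ranges"]:
        # strict=True rejects entries with host bits set, e.g. 192.0.2.1/28.
        nets.add(ipaddress.ip_network(cidr, strict=True))
    return nets


def diff_allowlist(deployed_cidrs, feed_text, cell):
    """Compare the firewall's current entries with the feed for one cell.

    Returns (to_add, to_remove) as sorted lists of CIDR strings.
    """
    wanted = cell_networks(feed_text, cell)
    deployed = {ipaddress.ip_network(c, strict=True) for c in deployed_cidrs}
    # Sort by string so IPv4 and IPv6 networks can share one list.
    to_add = sorted((str(n) for n in wanted - deployed))
    to_remove = sorted((str(n) for n in deployed - wanted))
    return to_add, to_remove


if __name__ == "__main__":
    deployed = ["192.0.2.0/28", "203.0.113.99/32"]  # constructed firewall state
    add, remove = diff_allowlist(deployed, SAMPLE_FEED, "us_cell_1")
    print("add:", add)
    print("remove (stale):", remove)
```

Stale entries matter as much as missing ones: a range that has left the feed no longer belongs to the cell and should not stay allowlisted.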
To allow clients to fetch static Okta user interface assets (JavaScript, Cascading Style Sheets (CSS), and images), also allowlist the Content Delivery Network (CDN) IPs. Use the CDN IP list to find IPv4 addresses, or use the AWS ip-ranges.json file to find both IPv6 and IPv4 addresses.
