To ensure proper connectivity for all Okta agents and users, administrators must add Okta system IP addresses to the network allowlist.
Okta utilizes dynamic IP addressing rather than maintaining a static list. Administrators must allowlist the Amazon Web Services (AWS) CloudFront IP range, which updates periodically. This configuration ensures the network accepts inbound traffic successfully.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Firewall
- Allowlisting
- Administration
- Security
- IP Address
Which IP addresses should an Okta administrator add to be allowlisted?
The list of IPs is updated periodically as additional servers are provisioned. Allowlisting the AWS CloudFront IP range ensures the network accepts inbound traffic.
NOTE: The list contains all Okta IPs from all cells.
How to identify which cell an Okta organization operates in?
Identify the cell where the Okta organization operates and use the IP ranges for that specific cell.
Review the following list to find the Okta cells and the corresponding IP ranges:
- OK1 - us_cell_1
- OK2 - us_cell_2
- OK3 - us_cell_3
- OK4 - us_cell_4
- OK5 - us_cell_5
- OK6 - us_cell_6
- OK7 - us_cell_7
- OK8 - apac_cell_1
- EU1 - emea_cell_1
- OK9 - emea_cell_2
- OK10 - us_cell_10
- OK11 - us_cell_11
- OK12 - us_cell_12
- OK14 - us_cell_14
- OK16 - apac_cell_2
- OP1 - preview_cell_1
- OP2 - preview_cell_2
- OP3 - preview_cell_3
How to determine when the Okta IP range allowlist was last updated?
Run the following command to verify the last modified date for the Okta IP range allowlist and view the header:
curl -Is https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json | grep 'Last-Modified'How to allow fetching of static Okta user interface assets?
To fetch any static Okta user interface assets (JavaScript, Cascading Style Sheets (CSS), and images), allowlist the Content Delivery Network (CDN) IPs to find IPv4 addresses or use the AWS ip-ranges.json file to find IPv6 and IPv4 addresses.
