Okta is enabling IPv6 on its Commercial and FedRAMP Moderate CDNs, and customers may need to take action. The change is intended to prepare the platform for the growing number of IPv6 devices and networks.
We are continuing the rollout of IPv6 to the following cells:
- OK5
- OK7
- OK9
- OK12
- OK14
This rollout will be a gradual process, taking place over a couple of months. The change applies only to our Commercial and FedRAMP Moderate customers.
We will be enabling support for Internet Protocol Version 6 (IPv6). As part of this rollout, the CDN URL will be changing. The changes are summarized as follows:
- CDN URL will be changing
- CDN IPv4 addresses will be changing
- CDN IPv6 addresses will be added
This change is being made to ensure our platform is ready for the growing number of devices and networks that rely on IPv6. By enabling it on our CDN, we can provide a more seamless experience and improved performance for our customers worldwide.
What This Means for Customers
- For those customers who do not filter traffic to Okta, we expect this change to be completely transparent and cause no disruption.
- For those customers who filter traffic to Okta, consult the Action Required section below.
If an issue were to occur, affected end-users might experience problems downloading assets from the CDN, which could cause their login page to appear blank or not fully load.
To minimize impact to customers, these changes are being rolled out on a cell-by-cell basis. They are not tied to a specific release and as such will not be mentioned in Release Notes.
Action Required
For customers who filter their traffic to Okta, firewall/gateway changes may be necessary in order to avoid a disruption of service.
Choose one of the following cases:
| Case | Network has ANY IPv6 Addresses Assigned to Clients | Changes to make |
|---|---|---|
| No filtering in place | Yes | Ensure IPv6+IPv4 traffic can reach the Internet |
| No filtering in place | No | No changes are required |
| Firewall/Gateway supports wildcard DNS allow rules | Yes | Ensure IPv6 and IPv4 traffic can reach *.oktacdn.com |
| Firewall/Gateway supports wildcard DNS allow rules | No | Ensure IPv4 traffic can reach *.oktacdn.com |
| Firewall/Gateway only supports static DNS allow rules | Yes | Allow list (for both IPv6 and IPv4). For example, if the customer’s organization is hosted in OK14, both these DNS entries will need to be allowed (for both IPv6 and IPv4) |
| Firewall/Gateway only supports static DNS allow rules | No | Allow list (for IPv4). For example, if the customer’s organization is hosted in OK14, both these DNS entries will need to be allowed (for IPv4) |
| Firewall/Gateway only supports IP based allow rules | Yes | Allow all IPv6 + IPv4 CloudFront IPs. If all CloudFront IPv4 addresses are already allowed, then CloudFront IPv6 addresses will need to be allowed as well. Details can be found in the Determining CDN IPs section below. |
| Firewall/Gateway only supports IP based allow rules | No | Allow all IPv4 CloudFront IPs. If all CloudFront IPv4 addresses are already allowed, then no new changes are required. |
Determining CDN IPs
Okta CDNs are hosted on AWS CloudFront. The underlying IP addresses for the Okta CDNs can be found by following AWS guidance.
| Options | Description |
|---|---|
| Using the AWS ip-ranges.json file | Only way to find all IPv6 and IPv4 CloudFront IPs. |
| Using the AWS endpoint https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips | Can ONLY be used to find IPv4 addresses |
Allowing all CloudFront IPs is sufficient for connectivity to the required CDNs.
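The following is an added example, not code from Okta or AWS: it extracts the CloudFront IPv4 and IPv6 prefixes from a document in the ip-ranges.json layout and reports which of them an existing IP-based allow list does not fully cover. The sample JSON, the allow list and the function names are constructed for illustration and use documentation address ranges, not real CloudFront prefixes.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS ip-ranges.json. The prefixes are
# documentation ranges, not real CloudFront addresses; in practice, load the
# published file from https://ip-ranges.amazonaws.com/ip-ranges.json.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
   {"ip_prefix": "192.0.2.0/25",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ip_prefix": "192.0.2.128/25",  "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"}],
 "ipv6_prefixes": [
   {"ipv6_prefix": "2001:db8:1000::/36", "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ipv6_prefix": "2001:db8:f000::/36", "region": "us-east-1", "service": "S3"}]}
""")

# Constructed example of an existing IPv4-only firewall allow list.
CURRENT_ALLOW_LIST = ["192.0.2.0/24", "198.51.100.0/25"]


def service_networks(ip_ranges, service="CLOUDFRONT"):
    """Return collapsed IPv4 + IPv6 networks published for one AWS service."""
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in ip_ranges.get("prefixes", []) if p.get("service") == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in ip_ranges.get("ipv6_prefixes", []) if p.get("service") == service]
    # collapse_addresses() rejects mixed versions, so collapse each family alone.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def allow_list_gaps(required, allow_list):
    """Return required networks that the allow list does not fully cover."""
    allowed = [ipaddress.ip_network(entry) for entry in allow_list]
    covered_by = []
    for version in (4, 6):
        # Merge adjacent entries so two /25 rules count as covering a /24.
        covered_by += ipaddress.collapse_addresses(a for a in allowed if a.version == version)
    return [net for net in required
            if not any(net.version == a.version and net.subnet_of(a) for a in covered_by)]


if __name__ == "__main__":
    for gap in allow_list_gaps(service_networks(SAMPLE_IP_RANGES), CURRENT_ALLOW_LIST):
        print(f"IPv{gap.version} range not fully allowed: {gap}")
```

A range is reported as a gap even when part of it is already allowed, since a partially allowed CloudFront prefix can still block some CDN edge addresses.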
Testing Changes
Once any necessary allow list changes are made, customers should use the following URLs to ensure requests will not be blocked when the CDN changes roll out.

| Scenario | URLs |
|---|---|
| Test with IPv4 | Make a request to each of the following URLs. In each case the response will be an Okta logo. https://<cell>static.oktacdn.com/assets/img/logos/okta-logo.1e146cad5713da744492be95eb0f7793.png https://<cell>static2.oktacdn.com/assets/img/logos/okta-logo.1e146cad5713da744492be95eb0f7793.png |
| Testing with IPv6 (optional) - Only required when network has any IPv6 clients | Make an IPv6 request to each of the following URLs. In each case the response will be an Okta logo. https://<cell>static.oktacdn.com/assets/img/logos/okta-logo.1e146cad5713da744492be95eb0f7793.png https://<cell>static2.oktacdn.com/assets/img/logos/okta-logo.1e146cad5713da744492be95eb0f7793.png |
Requesting a Temporary Exception
Customers who need more time to make any necessary changes can request a temporary extension via the Okta Support team. If an extension is granted, it will only be in place for 4 weeks.
