Allow access to Okta IP addresses

An IP allowlist tells your network servers to allow access to the IP addresses and URLs that you add to that list. To ensure that Okta runs correctly, you must add certain URLs to your IP allowlist.

  • If your server policy allows all outbound HTTP and HTTPS communication to any IP address or URL, you don't need to make any changes.
  • If your server policy denies access to most or all external IP addresses and URLs, configure an allowlist.

For domain, port, and troubleshooting information, see Implementation details.

Okta IP addresses

For proper connectivity to Okta for all Okta agents and end users, add Okta system IP addresses to your allowlist based on this AWS-managed list:

This list includes all existing IP addresses and any new IP addresses reserved for future updates.

Okta groups these IP addresses in the following cells:

  • PAM US: us_pam_cell_1
  • Preview US: preview_cell_1 - preview_cell_3
  • Production US: us_cell_1 - us_cell_7, us_cell_10 - us_cell_12, us_cell_14, us_cell_17
  • Production APAC: apac_cell_1, apac_cell_2
  • PAM EMEA: emea_pam_cell_1
  • Preview EMEA: preview_cell_2
  • Production EMEA: emea_cell_1, emea_cell_2
  • Production HIPAA: us_cell_5,us_cell_10
  • Preview PAM: preview_pam_cell_1

View this file with an online JSON viewer of your choice. Super admins who maintain the IP allowlist may also obtain the Okta IP range allowlist.

You might need to add Okta allow-listed IP addresses to your inbound firewall rules so that Okta can communicate with agents that are installed on your internal network.

Implementation details

Learn how to configure and implement allow-listing for your org.

Ports The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be allowlisted for the IP addresses provided in this document, unless otherwise noted.
Required Okta domains Add the following domains to your list of allowed domains:
  • *.okta.com
  • *.mtls.okta.com
  • *.oktapreview.com
  • *.mtls.oktapreview.com
  • *.oktacdn.com
  • *.okta-emea.com
  • *.mtls.okta-emea.com
  • *.kerberos.okta.com
  • *.kerberos.okta-emea.com
  • *.kerberos.oktapreview.com
  • *.okta-gov.com
  • *.mtls.okta-gov.com

  • *.okta.mil

  • *.mtls.okta.mil

  • *.awsglobalaccelerator.com
Content Delivery Network (CDN) Okta static UI assets (JavaScript, CSS, and images) can be delivered to browsers through an international CDN for faster downloading of assets to customers outside of the USA.

For most firewall or proxy systems, Okta recommends specifying an allowlist of DNS addresses for Okta services so that you can make outbound connections. Add this domain to your DNS allowlist:

  • okta-featureflag-edge.azureedge.net

To learn more about IP address ranges that you can allowlist for CDN, see this article from Amazon Web Services.
Certificate revocation troubleshooting Various problems can arise when you attempt to revoke a certificate. For example, some clients fail to connect to SSL/TLS endpoints when they're unable to reach a revocation server. If you experience trouble with certificate revocation, ensure that you have the following domain names allowlisted under port 80:
  • ocsp.digicert.com
  • crl3.digicert.com
  • crl4.digicert.com