About network zones

Network zones define security perimeters around which admins can restrict or limit access based on the following parameters:

  • A single IP address
  • One or more IP address ranges
  • Classless Inter-Domain Routing (CIDR) notation
  • A list of geolocations
  • IP type
  • Autonomous System Numbers (ASNs)

Network zones consist of IP zones and dynamic zones, which can be added to or used for:

  • Okta sign-on policies
  • App sign-on policies
  • VPN Notifications
  • Integrated Windows Authentication (IWA)

Policies and rules are updated automatically when a network zone definition is modified.

After you edit a network zone, allow approximately 60 seconds for the change to propagate across all servers and take effect.

IP zones and dynamic zones have the following limitations:

  • Up to 100 zones configured per org.
  • Up to 150 gateway IPs and 150 proxy IPs (except for IP zones that are blocked).
  • Blocked IP zones may contain up to 1000 gateways per zone and up to a total of 25,000 per org.
  • Up to 5000 gateway IPs for the default system IP zone.
  • Up to 5000 proxy IPs for the default system IP zone.

These limitations are also captured in the Zones API developer documentation.
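A local pre-flight check for the limits listed above, added here as an example and not taken from Okta's code or the Zones API. Assumptions: the zone dictionaries (`name`, `kind`, `gateways`, `proxies`) are a hypothetical shape, ranges are written `a-b`, and each limit counts list entries per zone.

```python
import ipaddress

# Limits as stated on this page. Assumption: they count list entries per zone.
MAX_ZONES = 100
LIMITS = {  # zone kind -> (max gateways, max proxies); None = not stated
    "normal": (150, 150),
    "blocked": (1000, None),
    "system": (5000, 5000),
}
MAX_BLOCKED_GATEWAYS_ORG = 25000

# Constructed sample: documentation-range addresses, hypothetical zone names.
SAMPLE = [
    {"name": "corp-egress", "gateways": ["203.0.113.7", "198.51.100.0/24"]},
    {"name": "blocklist", "kind": "blocked",
     "gateways": ["192.0.2.10-192.0.2.20", "192.0.2.300"]},
]

def parse_entry(text):
    """Return (first, last) address of a single IP, an 'a-b' range or a CIDR."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {text!r}")
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)  # a bare IP becomes /32 or /128
    return net[0], net[-1]

def check_zones(zones):
    """Return a list of problems: malformed entries and exceeded limits."""
    problems = []
    if len(zones) > MAX_ZONES:
        problems.append(f"{len(zones)} zones exceeds org limit of {MAX_ZONES}")
    blocked_total = 0
    for z in zones:
        kind = z.get("kind", "normal")
        for field, limit in zip(("gateways", "proxies"), LIMITS[kind]):
            entries = z.get(field, [])
            for e in entries:
                try:
                    parse_entry(e)
                except ValueError as exc:
                    problems.append(f"{z['name']}: {field}: {exc}")
            if limit is not None and len(entries) > limit:
                problems.append(f"{z['name']}: {len(entries)} {field} exceeds {limit}")
            if kind == "blocked" and field == "gateways":
                blocked_total += len(entries)
    if blocked_total > MAX_BLOCKED_GATEWAYS_ORG:
        problems.append(f"{blocked_total} blocked gateways exceeds org limit")
    return problems
```

Running `check_zones(SAMPLE)` reports only the malformed `192.0.2.300` entry in the blocked zone.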

Related topics

About IP zones

About dynamic zones