About network zones
Network zones define security perimeters around which admins can restrict or limit access based on the following parameters:
- A single IP address
- One or more IP address ranges
- CIDR notations (Classless Inter-Domain Routing)
- A list of geolocations
- IP type
- ASN (Autonomous System Numbers)
- Okta sign-on policies
- App sign-on policies
- VPN Notifications
- Integrated Windows Authentication (IWA)
Policies and rules are updated automatically when a network zone definition is modified.
Whenever you edit a network zone, you need to wait approximately 60 seconds for the change to propagate across all servers and take effect.
IP zones and dynamic zones have the following limitations:
- Up to 100 zones configured per org.
- Up to 150 gateway IPs and 150 Proxy IPs (except for IP zones that are blocked).
- IP blocked zones may contain up to 1000 gateways per zone and up to a total of 25,000 per org.
- Up to 5000 gateway IPs for the default system IP Zone.
- Up to 5000 proxy IPs for the default system IP Zone.
These limitations are also captured in the Zones API developer documentation.