Allow access to Okta IP addresses

An IP allowlist is used to provide access to selected IP addresses and programs that your network server policy could typically block.

  • If your server policy allows all outbound HTTP and HTTPS communication to any IP address or website, you don't need to make any changes.
  • If your server policy denies access to most or all external IP addresses and websites, you must configure an allowlist to enable some features to work.

For domain, port, and troubleshooting information, see Implementation details.

Okta IP addresses

For proper connectivity to Okta for all Okta agents and end users, add Okta system IP addresses to your allowlist based on this AWS-managed list:

This list includes all existing IP addresses and any new IP addresses reserved for future updates.

If your organization configures an allowlist for domain names, be sure to add awsglobalaccelerator.com to that domain name allowlist. This domain name is in addition to any existing domain names that you've already configured.

Okta groups these IP addresses in the following cells:

  • Production (us_cell_1 - us_cell_7, us_cell_10 - us_cell_12, us_cell_14)
  • Production EMEA (emea_cell_1)
  • Production EMEA (emea_cell_2)
  • Production HIPAA (us_cell_5, us_cell_10)
  • Production APAC (apac_cell_1, apac_cell_2)
  • Preview (preview_cell_1 - preview_cell_3)
  • Preview EMEA (preview_cell_2)

Okta recommends that you view this file with an online JSON viewer of your choice. Super admins who maintain the IP allowlist may also obtain the Okta IP range allowlist.

To learn more about IP address ranges that can be allowlisted for content delivery networks (CDN), refer to this article from Amazon Web Services.

You might also need to add the Okta allowlisted IP addresses to your inbound firewall rules so that Okta can communicate with any agents installed on your internal network.
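The following is an added example, not Okta tooling, of how an allowlist maintainer can turn the AWS-hosted JSON list described above into firewall rules for just the cells their org lives in. It assumes the file has the shape `{"<cell_name>": {"ip_ranges": ["<cidr>", ...]}, ...}`; the `SAMPLE_IP_RANGES_JSON` data is constructed from RFC 5737 / RFC 3849 documentation prefixes and contains no real Okta addresses. It also flags cells that none of the documented groups cover, which is the check you want before deploying, since the page notes that the file carries addresses reserved for future use.

```python
"""Pick Okta cells out of the AWS-hosted ip_ranges.json list and turn them into rules.

Added example, not Okta tooling. It assumes the JSON has the shape
{"<cell_name>": {"ip_ranges": ["<cidr>", ...]}, ...}; fetch the real file from the
link on the page and pass its text to load_ranges(). SAMPLE_IP_RANGES_JSON below is
constructed from documentation prefixes and contains no real Okta addresses.
"""
import ipaddress
import json
import re

# Constructed sample input in the assumed file shape (not real Okta ranges).
SAMPLE_IP_RANGES_JSON = json.dumps({
    "us_cell_1": {"ip_ranges": ["192.0.2.0/25", "198.51.100.0/24"]},
    "us_cell_5": {"ip_ranges": ["192.0.2.128/25"]},      # adjacent to us_cell_1's /25
    "emea_cell_1": {"ip_ranges": ["203.0.113.0/24"]},
    "preview_cell_1": {"ip_ranges": ["203.0.113.0/25"]},
    "us_cell_99": {"ip_ranges": ["2001:db8::/32"]},      # a cell no documented group names
})

# The cell groups listed on the page, as patterns over cell names.
CELL_GROUPS = {
    "production": r"^us_cell_(?:[1-7]|1[0-2]|14)$",
    "production_emea": r"^emea_cell_[12]$",
    "production_hipaa": r"^us_cell_(?:5|10)$",
    "production_apac": r"^apac_cell_[12]$",
    "preview": r"^preview_cell_[1-3]$",
    "preview_emea": r"^preview_cell_2$",
}


def load_ranges(text):
    """Parse the JSON into {cell: [ip_network, ...]}; a malformed CIDR raises ValueError."""
    data = json.loads(text)
    return {cell: [ipaddress.ip_network(c) for c in body["ip_ranges"]]
            for cell, body in data.items()}


def select_cells(ranges, groups):
    """Collapse every prefix belonging to the named groups into a minimal sorted list.

    Adjacent or nested prefixes (e.g. two /25s forming a /24) are merged, so the
    firewall gets one rule per distinct block. IPv4 and IPv6 are collapsed separately
    because ipaddress refuses to compare or collapse across versions.
    """
    patterns = [re.compile(CELL_GROUPS[g]) for g in groups]
    picked = [net for cell, nets in ranges.items()
              if any(p.match(cell) for p in patterns) for net in nets]
    v4 = [n for n in picked if n.version == 4]
    v6 = [n for n in picked if n.version == 6]
    return (sorted(ipaddress.collapse_addresses(v4))
            + sorted(ipaddress.collapse_addresses(v6)))


def unknown_cells(ranges):
    """Cells present in the file that match no documented group.

    A non-empty result is the signal to revisit CELL_GROUPS before deploying,
    because the file also carries addresses reserved for future use.
    """
    known = [re.compile(p) for p in CELL_GROUPS.values()]
    return sorted(c for c in ranges if not any(p.match(c) for p in known))


def ip_allowed(ip, networks):
    """True if the address falls inside any selected network (version mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def to_rules(networks, port=443, direction="out"):
    """Render vendor-neutral allow lines; 443 is the only port the page requires."""
    return [f"allow {direction} tcp {net} port {port}" for net in networks]


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_IP_RANGES_JSON)
    nets = select_cells(ranges, ["production", "production_emea"])
    print("\n".join(to_rules(nets)))
    print("cells not covered by CELL_GROUPS:", unknown_cells(ranges))
```

Run it against the real file by replacing `SAMPLE_IP_RANGES_JSON` with the downloaded text; pass `direction="in"` to `to_rules()` when generating the inbound rules that on-premises agents need. The rule lines are deliberately vendor-neutral; translate them to your firewall's syntax.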

Implementation details

Review the information in this section to learn how to configure and implement allowlisting for your org.

Ports

The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be allowlisted for the IP addresses provided in this document, unless otherwise noted.

Required Okta domains

If your company allowlist includes domains, add the following domains to your list of allowed domains:
  • *.okta.com
  • *.mtls.okta.com
  • *.oktapreview.com
  • *.mtls.oktapreview.com
  • *.oktacdn.com
  • *.okta-emea.com
  • *.mtls.okta-emea.com
  • *.kerberos.okta.com
  • *.kerberos.okta-emea.com
  • *.kerberos.oktapreview.com
  • *.okta-gov.com
  • *.mtls.okta-gov.com
  • *.okta.mil
  • *.mtls.okta.mil

Content Delivery Network (CDN)

Okta static UI assets (JavaScript, CSS, and images) can be delivered to browsers through an international CDN for faster downloading of assets to customers outside of the USA.

For most firewall or proxy systems, Okta recommends specifying an allowlist of DNS names for Okta services so that outbound connections can be made. To learn more about IP address ranges that can be allowlisted for CDN, refer to this article from Amazon Web Services.

Certificate revocation troubleshooting

Various problems can arise when a client attempts to check whether a certificate has been revoked. For example, some clients fail to connect to SSL/TLS endpoints when they're unable to reach a revocation server. If you experience trouble with certificate revocation, ensure that you have the following domain names allowlisted on port 80:
  • ocsp.digicert.com
  • crl3.digicert.com
  • crl4.digicert.com

Third-party services

Okta Mobile may require allowlisting of the following third-party domains for outbound connections to these services:
  • *.mapbox.com
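As an added example (not Okta's code), the checker below encodes the domain lists from the Required Okta domains, Certificate revocation troubleshooting and Third-party services sections above, with the port each section calls for (443 for the Okta and Mapbox wildcards, 80 for the DigiCert OCSP/CRL hosts), and decides whether a given URL would get through. It shows the edge cases that matter when a proxy matches wildcards: `*.okta.com` must not match `evil-okta.com` or `okta.com.attacker.example`, name matching is case-insensitive and ignores a trailing dot, a raw IP never satisfies a domain rule, and an OCSP request on the wrong port is not covered. The sample request list is constructed; whether a `*.` wildcard also covers the apex name varies by proxy product, and this implementation takes the stricter reading (at least one label under the suffix).

```python
"""Match requested hosts against the wildcard domain allowlist on the page.

Added example, not Okta code. Ports come from the page: 443 for the Okta and
third-party wildcards, 80 for the DigiCert OCSP/CRL hosts. The sample requests
are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# pattern -> TCP port permitted for it (taken from the page).
DOMAIN_ALLOWLIST = {
    "*.okta.com": 443, "*.mtls.okta.com": 443,
    "*.oktapreview.com": 443, "*.mtls.oktapreview.com": 443,
    "*.oktacdn.com": 443,
    "*.okta-emea.com": 443, "*.mtls.okta-emea.com": 443,
    "*.kerberos.okta.com": 443, "*.kerberos.okta-emea.com": 443,
    "*.kerberos.oktapreview.com": 443,
    "*.okta-gov.com": 443, "*.mtls.okta-gov.com": 443,
    "*.okta.mil": 443, "*.mtls.okta.mil": 443,
    "awsglobalaccelerator.com": 443,      # listed on the page without a wildcard
    "ocsp.digicert.com": 80, "crl3.digicert.com": 80, "crl4.digicert.com": 80,
    "*.mapbox.com": 443,                  # Okta Mobile third-party dependency
}


def _labels(name):
    """Normalise a DNS name to lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def pattern_matches(pattern, host):
    """'*.okta.com' matches login.okta.com and a.b.okta.com but not okta.com,
    evil-okta.com or okta.com.attacker.example. Exact patterns must match exactly."""
    h = _labels(host)
    if pattern.startswith("*."):
        suffix = _labels(pattern[2:])
        return len(h) > len(suffix) and h[-len(suffix):] == suffix
    return h == _labels(pattern)


def match_host(host, port):
    """Return the allowlist entry that permits (host, port), or None."""
    try:
        ipaddress.ip_address(host)
        return None  # raw IPs never satisfy a domain rule; use the IP-range allowlist
    except ValueError:
        pass
    for pattern, allowed_port in DOMAIN_ALLOWLIST.items():
        if port == allowed_port and pattern_matches(pattern, host):
            return pattern
    return None


def check_url(url):
    """Derive host and port from a URL and look them up; None means blocked."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return match_host(parts.hostname, port)


# Constructed sample of proxy-log style requests to audit.
SAMPLE_REQUESTS = [
    "https://example.okta.com/api/v1/users",
    "http://ocsp.digicert.com/",
    "https://ocsp.digicert.com/",
    "https://login.evil-okta.com/",
    "https://okta.com.attacker.example/",
]


def audit(urls):
    """Return the URLs that the allowlist would block."""
    return [u for u in urls if check_url(u) is None]


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(f"{check_url(u) or 'BLOCKED':<28} {u}")
```

Feed `audit()` the hostnames and ports from your proxy's deny log to find Okta-related requests your current allowlist is still blocking; anything it returns that is a legitimate Okta or DigiCert host points at a missing entry or a wrong port.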