About Network Zones

Network Zones define security perimeters around which admins can restrict or limit access based on the following parameters:

  • A single IP address
  • One or more IP address ranges
  • CIDR notations (Classless Inter-Domain Routing)
  • A list of geolocations
  • IP Type
  • ASN (Autonomous System Numbers)

Network Zones consist of IP Zones and Dynamic Zones, which may be added to or used for:

  • Okta sign-on policies
  • App sign-on policies
  • VPN Notifications
  • Integrated Windows Authentication (IWA)


Policies and rules are updated automatically when a Network Zone definition is modified.

IP Zones and Dynamic Zones have the following limitations:

  • Up to 100 zones configured per org.
  • Up to 150 Gateway IPs and 150 Proxy IPs (except for IP zones that are blocked).
  • IP blocked zones may contain up to 1000 gateways per zone and up to a total of 25,000 per org.
  • Up to 5000 gateway IPs for the default system IP Zone.
  • Up to 5000 proxy IPs for the default system IP Zone.

These limitations are also captured in the Zones API developer documentation.
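
A pre-flight check of planned IP zones against the limits listed above, as an added example (not Okta's code or its API schema). The zone dictionary shape (`name`, `gateways`, `proxies`, `blocked`, `default`) is hypothetical, and the check assumes that the 150-entry limits apply per zone and that each list entry counts once, whether it is a single IP, a range or a CIDR.

```python
import ipaddress
# Limits as stated on this page; that the 150 caps are per zone is an assumption.
MAX_ZONES_PER_ORG, MAX_GATEWAYS, MAX_PROXIES = 100, 150, 150
MAX_BLOCKED_GW_PER_ZONE, MAX_BLOCKED_GW_PER_ORG = 1000, 25_000
MAX_DEFAULT_ZONE_ENTRIES = 5000  # gateways and proxies of the default system IP Zone

def parse_entry(entry):
    """Classify an entry as 'ip', 'range' or 'cidr'; raise ValueError if malformed."""
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)
        return "cidr"
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError("range start must not exceed range end")
        return "range"
    ipaddress.ip_address(entry)
    return "ip"

def check_zones(zones):
    """Return a list of findings (empty when the planned zones fit the limits)."""
    findings = []
    if len(zones) > MAX_ZONES_PER_ORG:
        findings.append(f"org: {len(zones)} zones exceeds limit of {MAX_ZONES_PER_ORG}")
    blocked_total = 0
    for z in zones:
        gateways, proxies = z.get("gateways", []), z.get("proxies", [])
        for entry in gateways + proxies:
            try:
                parse_entry(entry)
            except ValueError as exc:
                findings.append(f"{z['name']}: invalid entry {entry!r}: {exc}")
        if z.get("blocked"):  # blocked zones: only a gateway cap is stated on the page
            blocked_total += len(gateways)
            gw_cap, px_cap = MAX_BLOCKED_GW_PER_ZONE, None
        elif z.get("default"):
            gw_cap = px_cap = MAX_DEFAULT_ZONE_ENTRIES
        else:
            gw_cap, px_cap = MAX_GATEWAYS, MAX_PROXIES
        for kind, items, cap in (("gateway", gateways, gw_cap), ("proxy", proxies, px_cap)):
            if cap is not None and len(items) > cap:
                findings.append(f"{z['name']}: {len(items)} {kind} entries exceeds limit of {cap}")
    if blocked_total > MAX_BLOCKED_GW_PER_ORG:
        findings.append(f"org: {blocked_total} blocked gateways exceeds limit of {MAX_BLOCKED_GW_PER_ORG}")
    return findings

# Constructed sample input (documentation-range addresses, not real zones).
SAMPLE = [{"name": "corp", "gateways": ["203.0.113.10", "198.51.100.0/24", "192.0.2.1-192.0.2.50"]},
          {"name": "reversed", "gateways": ["192.0.2.50-192.0.2.1"]}]
```
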

Related topics

About IP Zones

About Dynamic Zones