network_zones
Creates, updates, deletes, gets or lists a network_zones resource.
Overview
| Name | network_zones |
| Type | Resource |
| Id | okta.zones.network_zones |
Fields
The following fields are returned by SELECT queries (list_network_zones and get_network_zone return the same fields):
| Name | Datatype | Description |
|---|---|---|
| id | string | Unique identifier for the Network Zone |
| name | string | Unique name for this Network Zone |
| _links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of related resources and lifecycle operations. |
| created | string (date-time) | Timestamp when the object was created |
| lastUpdated | string (date-time) | Timestamp when the object was last modified |
| status | string | Network Zone status |
| system | boolean | Indicates a system Network Zone: true for system Network Zones, false for custom Network Zones. The Okta org provides the following default system Network Zones: LegacyIpZone, BlockedIpZone, DefaultEnhancedDynamicZone, DefaultExemptIpZone. Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries. |
| type | string | The type of Network Zone |
| usage | string | The usage of the Network Zone |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| list_network_zones | select | subdomain | after, limit, filter | Lists all Network Zones with pagination. A subset of zones can be returned that match a supported filter expression or query. This operation requires URL encoding. For example, filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3") is encoded as filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29. Okta supports filtering on the id, usage, and system properties. See Filter for more information on the expressions that are used in filtering. |
| get_network_zone | select | subdomain | | Retrieves a Network Zone by zoneId |
| create_network_zone | insert | subdomain, data__name, data__type | | Creates a Network Zone. For an IP Network Zone, you must define either gateways or proxies. For a Dynamic Network Zone, you must define at least one of the following: asns, locations, or proxyType. For an Enhanced Dynamic Network Zone, you must define at least one of the following: asns, locations, or ipServiceCategories. |
| replace_network_zone | replace | subdomain, data__name, data__type | | Replaces a Network Zone by zoneId. The replaced Network Zone type must be the same as the existing type. You can replace the usage (POLICY, BLOCKLIST) of a Network Zone by updating the usage attribute. IP exempt zone: If you have the IP exempt zone feature enabled, you can allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI. When you enable this feature, Okta creates a zone called DefaultExemptIpZone. Gateway IPs that you add to this zone always have access to Okta resources. See IP exempt zone. Note: You can't add trusted proxy IPs to this zone, delete the zone, or create additional exempt IP zones. |
| delete_network_zone | delete | subdomain | | Deletes a Network Zone by zoneId. Notes: You can't delete a Network Zone that's used by a Policy or Rule. For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE status. |
| activate_network_zone | exec | subdomain | | Activates a Network Zone by zoneId |
| deactivate_network_zone | exec | subdomain | | Deactivates a Network Zone by zoneId |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
| after | string | |
| filter | string | |
| limit | integer (int32) | |
SELECT examples
- list_network_zones
- get_network_zone
Lists all Network Zones with pagination. A subset of zones can be returned that match a supported filter expression or query.
This operation requires URL encoding. For example, filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3") is encoded as filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29.
Okta supports filtering on the id, usage, and system properties. See Filter for more information on the expressions that are used in filtering.
```sql
SELECT
  id,
  name,
  _links,
  created,
  lastUpdated,
  status,
  system,
  type,
  usage
FROM okta.zones.network_zones
WHERE subdomain = '{{ subdomain }}' -- required
  AND after = '{{ after }}'
  AND limit = '{{ limit }}'
  AND filter = '{{ filter }}'
;
```
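The filter expression and its URL-encoded form described above, built so that a value taken from untrusted input cannot break out of its quotes and change which zones are selected. This is an added example, not part of the provider's documentation; the helper names `eq`, `any_of` and `encode_filter` are hypothetical, and the system property is omitted because the page does not show how its value is written.

```python
from urllib.parse import quote_plus

# usage values come from the manifest's valid_values on this page.
USAGE_VALUES = {"BLOCKLIST", "POLICY"}
# Properties handled here; the page also lists `system`, which is omitted.
FILTERABLE = {"id", "usage"}


def eq(prop: str, value: str) -> str:
    """Build one `prop eq "value"` clause, rejecting input that could alter the expression."""
    if prop not in FILTERABLE:
        raise ValueError(f"unsupported filter property: {prop!r}")
    if not isinstance(value, str) or not value:
        raise ValueError("filter value must be a non-empty string")
    # A quote, backslash or control character could close the literal early
    # and append extra clauses, so such values are refused outright.
    if any(c in '"\\' or ord(c) < 0x20 for c in value):
        raise ValueError(f"illegal character in filter value: {value!r}")
    if prop == "usage" and value not in USAGE_VALUES:
        raise ValueError(f"usage must be one of {sorted(USAGE_VALUES)}")
    return f'{prop} eq "{value}"'


def any_of(*clauses: str) -> str:
    """Join clauses with `or` inside parentheses, as in the page's example."""
    if not clauses:
        raise ValueError("at least one clause is required")
    return "(" + " or ".join(clauses) + ")"


def encode_filter(expression: str) -> str:
    """URL-encode the expression the way the page shows (space -> +, quote -> %22)."""
    return quote_plus(expression)


# Usage with the two zone ids quoted in the page's own example.
expr = any_of(eq("id", "nzoul0wf9jyb8xwZm0g3"), eq("id", "nzoul1MxmGN18NDQT0g3"))
encoded = encode_filter(expr)
```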
Retrieves a Network Zone by zoneId
```sql
SELECT
  id,
  name,
  _links,
  created,
  lastUpdated,
  status,
  system,
  type,
  usage
FROM okta.zones.network_zones
WHERE subdomain = '{{ subdomain }}' -- required
;
```
INSERT examples
- create_network_zone
- Manifest
Creates a Network Zone
* For an IP Network Zone, you must define either gateways or proxies.
* For a Dynamic Network Zone, you must define at least one of the following: asns, locations, or proxyType.
* For an Enhanced Dynamic Network Zone, you must define at least one of the following: asns, locations, or ipServiceCategories.
```sql
INSERT INTO okta.zones.network_zones (
  data__name,
  data__status,
  data__type,
  data__usage,
  subdomain
)
SELECT
  '{{ name }}' /* required */,
  '{{ status }}',
  '{{ type }}' /* required */,
  '{{ usage }}',
  '{{ subdomain }}'
RETURNING
  id,
  name,
  _links,
  created,
  lastUpdated,
  status,
  system,
  type,
  usage
;
```
```yaml
# Description fields are for documentation purposes
- name: network_zones
  props:
    - name: subdomain
      value: string
      description: Required parameter for the network_zones resource.
    - name: name
      value: string
      description: >
        Unique name for this Network Zone
    - name: status
      value: string
      description: >
        Network Zone status
      valid_values: ['ACTIVE', 'INACTIVE']
    - name: type
      value: string
      description: >
        The type of Network Zone
      valid_values: ['DYNAMIC', 'IP', 'DYNAMIC_V2']
    - name: usage
      value: string
      description: >
        The usage of the Network Zone
      valid_values: ['BLOCKLIST', 'POLICY']
```
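A pre-flight check for a zone payload that applies the per-type rules from the create_network_zone description together with the valid_values from the manifest, so that a malformed blocklist or policy zone is caught before the request is sent. This is an added example, not the provider's code; `validate_zone` is a hypothetical helper, the sample payloads are constructed, and it assumes DYNAMIC_V2 is the type value for an Enhanced Dynamic Network Zone.

```python
# Allowed values copied from the manifest on this page.
VALID = {
    "status": {"ACTIVE", "INACTIVE"},
    "type": {"DYNAMIC", "IP", "DYNAMIC_V2"},
    "usage": {"BLOCKLIST", "POLICY"},
}

# "Must define at least one of" rules from the create_network_zone description.
# Assumption: DYNAMIC_V2 corresponds to the Enhanced Dynamic Network Zone.
REQUIRES_ONE_OF = {
    "IP": ("gateways", "proxies"),
    "DYNAMIC": ("asns", "locations", "proxyType"),
    "DYNAMIC_V2": ("asns", "locations", "ipServiceCategories"),
}


def validate_zone(zone: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload passes these checks."""
    problems = []
    for field in ("name", "type"):  # required params per the Methods table
        if not zone.get(field):
            problems.append(f"{field} is required")
    for field, allowed in VALID.items():
        value = zone.get(field)
        if value is not None and (not isinstance(value, str) or value not in allowed):
            problems.append(f"{field}={value!r} not in {sorted(allowed)}")
    ztype = zone.get("type")
    needed = REQUIRES_ONE_OF.get(ztype) if isinstance(ztype, str) else None
    # An empty list or empty string does not count as "defined".
    if needed and not any(zone.get(key) for key in needed):
        problems.append(f"{ztype} zone must define one of: {', '.join(needed)}")
    return problems


# Constructed sample payloads (203.0.113.0/24 is a documentation address range).
ok_zone = {"name": "corp-egress", "type": "IP", "usage": "POLICY",
           "gateways": [{"type": "CIDR", "value": "203.0.113.0/24"}]}
empty_blocklist = {"name": "geo-block", "type": "DYNAMIC_V2", "usage": "BLOCKLIST"}
```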
REPLACE examples
- replace_network_zone
Replaces a Network Zone by zoneId. The replaced Network Zone type must be the same as the existing type.
You can replace the usage (POLICY, BLOCKLIST) of a Network Zone by updating the usage attribute.
IP exempt zone
If you have the IP exempt zone feature enabled, you can allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI.
When you enable this feature, Okta creates a zone called DefaultExemptIpZone. Gateway IPs that you add to this zone always have access to Okta resources. See IP exempt zone.
> Note: You can't add trusted proxy IPs to this zone, delete the zone, or create additional exempt IP zones.
```sql
REPLACE okta.zones.network_zones
SET
  data__name = '{{ name }}',
  data__status = '{{ status }}',
  data__type = '{{ type }}',
  data__usage = '{{ usage }}'
WHERE
  subdomain = '{{ subdomain }}' -- required
  AND data__name = '{{ name }}' -- required
  AND data__type = '{{ type }}' -- required
RETURNING
  id,
  name,
  _links,
  created,
  lastUpdated,
  status,
  system,
  type,
  usage
;
```
DELETE examples
- delete_network_zone
Deletes a Network Zone by zoneId
> Notes:
> * You can't delete a Network Zone that's used by a Policy or Rule.
> * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE status.
```sql
DELETE FROM okta.zones.network_zones
WHERE subdomain = '{{ subdomain }}' -- required
;
```
Lifecycle Methods
- activate_network_zone
- deactivate_network_zone
Activates a Network Zone by zoneId
```sql
EXEC okta.zones.network_zones.activate_network_zone
@subdomain='{{ subdomain }}' -- required
;
```
Deactivates a Network Zone by zoneId
```sql
EXEC okta.zones.network_zones.deactivate_network_zone
@subdomain='{{ subdomain }}' -- required
;
```