Skip to content
BYOIP

Netskope NewEdge BYOIP Integration Overview

BYOIP SUPPORTER
ASN AS55256
IPv4 support
IPv6 support
LOA support
ROA support
Process Semi-automatic
Locations supported
Other: South Africa, India, Japan, Saudi Arabia, Singapore, United Arab Emirates, Hong Kong, Denmark, France, Germany, Ireland, Netherlands, Norway, Poland, United Kingdom, Canada, United States, Argentina, Brazil, Chile, Colombia, Australia, New Zealand

Location

This page outlines the technical and procedural information for using tenant-specific dedicated egress IP addresses (a BYOIP-adjacent model) with the Netskope NewEdge Security Service Edge (SSE) platform. Netskope does not document a classic “bring your own prefix” flow where your RIR-allocated block is originated under your ASN; instead, Netskope provisions customer-specific egress IP addresses from Netskope-owned NewEdge ranges and anchors your traffic to those IPs for SaaS allowlisting, IdP source-IP controls, and conditional-access use cases.

Provider Details

FieldInformation
Provider NameNetskope
WebsiteNetskope Dedicated Egress IP Addresses (data sheet)  |  NewEdge Network overview  |  Security Cloud Platform Configuration (Dedicated Egress IP Footprint)  |  NewEdge IP ranges for allowlisting
ASN(s)Global cloud delivered primarily from AS55256 (Netskope Inc) plus related NewEdge infrastructure prefixes registered with ARIN/other RIRs.
Regions SupportedGlobal NewEdge footprint (dozens of data centers; >70 regions) across North America, Latin America, Europe, Middle East, Africa, and Asia-Pacific. Typical POP countries include: US, Canada, Brazil, Mexico, Argentina, Chile, Colombia; UK, Ireland, Netherlands, Germany, France, Spain, Italy, Switzerland, Sweden, Norway, Denmark, Poland; UAE, Saudi Arabia, South Africa; India, Singapore, Hong Kong, Japan, Australia, New Zealand, and more. Exact DC list and DEIP availability are provided per-customer via Netskope design and support docs.
Support ContactNetskope Support Portal  |  Contact Netskope (Sales & General)
Tech Article & DateNetskope Dedicated Egress IP Addresses (data sheet) & Security Cloud Platform Configuration (includes “Dedicated Egress IP Footprint”). Community best-practice articles cover DEIP behavior and threat-protection use cases.
BYOIP ScopeModel: Tenant-specific Dedicated Egress IP Addresses (DEIP) sourced from Netskope-owned NewEdge ranges, reserved for a single customer tenant.
Not classic BYOIP: The documented feature does not let you import your own RIR-allocated prefixes or originate them from your ASN. Instead, Netskope anchors your traffic to customer-specific IPs that can be allowlisted by SaaS/IdP/firewall policies.
Use cases: IP-based SaaS allowlists, IdP source-IP controls, secure access to business-critical SaaS/IaaS, and blocking access from non-trusted locations.
Supported VersionsIPv4: Dedicated egress IP addresses are documented as IPv4 addresses from Netskope NewEdge ranges (for example 8.36.116.0/24, 8.39.144.0/24, 31.186.239.0/24, 162.10.0.0/17, 163.116.128.0/17).
IPv6: NewEdge supports dual-stack connectivity in many regions, but explicit IPv6 “Dedicated Egress IP” entitlements are not clearly documented; confirm IPv6 DEIP availability with Netskope for your tenant.
Supported ServicesDEIP is an add-on capability for traffic steered through the Netskope NewEdge cloud, including:
– Next Gen Secure Web Gateway (SWG)
– Cloud Firewall (FWaaS)
– Zero Trust Network Access / Netskope Private Access (for some designs)
– Traffic from Netskope clients, GRE/IPsec tunnels, and SD-WAN/partner integrations using NewEdge as egress.
In all cases the goal is to present stable, tenant-specific source IPs to SaaS/IdP targets.

Technical Requirements

RequirementDetails
Prefix SizeNo customer prefix import. Dedicated egress IPs are allocated from Netskope-owned ranges (for example 8.36.116.0/24, 8.39.144.0/24, 31.186.239.0/24, 162.10.0.0/17, 163.116.128.0/17) used by NewEdge data centers.
When DEIP is enabled, Netskope assigns at least two IPv4 addresses per NewEdge data plane / region for your tenant; some tenants with Global DEIP report two per DC, resulting in large IP sets in big deployments.
There is no customer-visible minimum prefix such as “/24 BYOIP”; the allocation model is per-IP from provider space.
ASN Ownership RequiredNo. You do not bring your own ASN for this feature. All dedicated egress IP addresses remain announced under Netskope’s ASN(s), primarily AS55256, as part of the NewEdge anycast infrastructure.
IRR / Route ObjectsAll BGP announcements, IRR objects, and RPKI/ROA management for DEIP ranges are handled by Netskope. Customers do not create or modify route/route6 objects for DEIP space.
ROA or LOANot required from the customer side, since the IPs remain owned and operated by Netskope. Some SaaS/IdP vendors may still request evidence when creating IP allowlists (for example, a screenshot of the Netskope portal listing your DEIP addresses); this is handled on a case-by-case basis rather than via formal RIR LOAs.
RIR LimitationsNewEdge IP ranges are drawn from Netskope’s allocations across ARIN/RIPE/APNIC and mapped to specific regions/data centers. Customers do not control which RIR their DEIP addresses are sourced from; selection is tied to the NewEdge POP placement and your licensed regions.

Step-by-Step BYOIP Process (Dedicated Egress IPs)

Estimated Setup Time: Typically a few business days from ordering Regional/Global DEIP until addresses are visible in your tenant and SaaS allowlists are updated. IP allocation inside NewEdge is automated, but commercial approval and external SaaS/vendor allowlist changes can add latency.

Tested By Us: Not yet

Dedicated Egress IPs on Netskope NewEdge (tenant-specific egress IPs from provider ranges)

  • Engage your Netskope account team to scope and purchase a Regional or Global Dedicated Egress IP (DEIP) license for your tenant (often as an add-on to SWG/SSE/SASE).
  • In the admin console, navigate to Settings → Security Cloud Platform → Configuration → Dedicated Egress IP Footprint and enable DEIP for the desired NewEdge traffic management zone(s) or region(s).
  • Netskope allocates dedicated IP addresses from Netskope-owned ranges for each enabled data plane/region (at least two IPs per data center or zone). Provisioning is handled by the service; no customer BGP work is required.
  • Verify your assigned DEIP addresses in the portal (for example, under Security Cloud Platform → Netskope Client → Enforcement → Proxy IP Addresses) and export the list for external allowlisting.
  • Coordinate with SaaS, IdP, and internal security teams to allowlist the DEIP set (or covering prefixes) as the only permitted egress IPs for your tenant, then progressively enforce IP-based policies (Okta sign-in policies, SaaS tenant restrictions, firewall rules, etc.).
  • Follow Netskope guidance: use DEIP primarily for IP-based allowlisting and sensitive SaaS/IaaS access, and rely on shared NewEdge IPs/localization zones for generic web browsing to avoid unnecessary IP sprawl.

References: Dedicated Egress IP Addresses (data sheet), Security Cloud Platform Configuration (Dedicated Egress IP Footprint), NewEdge IP Ranges for Allowlisting, community posts on DEIP behavior and threat-protection use cases (for example, securing Okta and DEIP threat-management guidance).

Cost and Limitations

ItemDetails
FeesDedicated Egress IP is a paid add-on entitlement (Regional DEIP or Global DEIP) on top of core Netskope subscriptions. Pricing is not public; distributors and customers note that Global DEIP can become expensive because you receive multiple IPs per NewEdge DC (e.g., two IPs per data center, resulting in large dedicated IP sets). Confirm commercial terms with Netskope Sales or partners.
Bundled or StandaloneOffered as an add-on feature for Netskope SWG/SSE/SASE deployments. Technically integrated with the NewEdge network and used alongside:
– Netskope clients (endpoint)
– GRE/IPsec tunnel steering
– SD-WAN and partner integrations
DEIP is not sold as a standalone IP-transit or hosting service; it is always tied to Netskope’s cloud security platform.
Traffic/Peering Restrictions– DEIPs are intended primarily for traffic that must present a stable, tenant-specific source IP (SaaS/IdP allowlists, critical business apps).
– Netskope recommends using DEIP for allowlisting and leveraging NewEdge “localization zones” and shared IPs for generic browsing.
– DEIP addresses cannot be aggregated by NOC/SaaS teams into a smaller arbitrary prefix unless you use the larger Netskope-published ranges; in many cases each IP must be allowlisted explicitly or via the documented NewEdge CIDR blocks.
– As with all Netskope traffic, customers must comply with Netskope’s AUP and abuse policies.
Other Limitations– Number of IPs and regions covered depend on your license (Regional vs Global) and the set of NewEdge DCs serving your users.
– IP ownership stays with Netskope; organizations that require strict regulatory control over RIR WHOIS/RPKI in their own name may consider this “BYOIP-adjacent” rather than true BYOIP.
– Some special environments (for example, GovCloud or region-restricted deployments) may use different IP pools or have different DEIP availability; these are documented in customer-only matrices.

Automation & Developer Access

  • API Access: Yes — Netskope exposes REST APIs and event feeds for policy, logging, and integration. DEIP provisioning itself is tied to licensing and admin UI configuration rather than a public self-service API, but DEIP-driven access patterns can be monitored and automated via logs/APIs.
  • Cloud Exchange: Netskope Cloud Exchange and related Terraform modules (for example, CloudExchange-on-Azure) can assume DEIP-enabled tenants for building allowlists and automating connectivity to cloud services.
  • Terraform / IaC: Community and partner Terraform content exists for Netskope integrations; DEIP is usually consumed indirectly (for example, by referencing published NewEdge/DEIP ranges in security group or firewall rules). No dedicated Terraform resource for ordering DEIP is documented.
  • SDKs: Netskope does not emphasize vendor-specific DEIP SDKs; standard APIs and log exports can be consumed from generic automation tooling (Python, Go, etc.) to propagate DEIP allowlists to downstream systems.

Abuse & Reputation Management

  • Dedicated Egress IPs provide tenant-specific IPs drawn from Netskope’s NewEdge ranges, avoiding the reputation risks of large fully shared egress pools. Only your tenant’s traffic should appear from those IP addresses, which helps SaaS/IdP providers treat them as a trusted source when properly allowlisted.
  • Netskope manages routing, reputation, and threat intelligence for DEIP space at the network layer (blocklists, threat feeds, etc.), while customers are responsible for policies that prevent abuse (for example, blocking risky destinations) and for coordinating with SaaS vendors if an IP is ever blocklisted or rate-limited.

Netskope Homepage
Netskope NewEdge Network Overview
Dedicated Egress IP Addresses — Data Sheet
Security Cloud Platform Configuration (Dedicated Egress IP Footprint)
NewEdge IP Ranges for Allowlisting
Community: Considerations When Enabling DEIP
Community: Securing Okta with Dedicated Egress IPs
Community: Threat-Management Features (includes DEIP notes)

FAQ

BYOIP, or Bring Your Own IP, is a service that enables organizations to bring their own public IP addresses—whether owned outright or leased from an IP provider—into a service provider’s network infrastructure. Instead of relying on IP addresses assigned by the provider, BYOIP allows businesses to retain control over their IP resources. This ensures continuity, particularly for organizations with established IP-based reputations, branding, or dependencies on specific address blocks. IP providers can assist in streamlining this process, making it easy to integrate your IPs into the desired network environment.

BYOIP offers several compelling advantages. By using your own IPs, you can maintain continuity in your network’s identity, reduce the risk of disruptions to email deliverability or service recognition, and avoid reputational concerns associated with shared IPs. Additionally, BYOIP provides enhanced flexibility and control over your IP resources.

BYOIP is ideal for organizations that either own public IP addresses or lease them from a trusted IP provider with explicit BYOIP support. This includes enterprises, cloud providers, content delivery networks (CDNs), and businesses with compliance requirements or IP reputation needs. Working with a reputable IP provider ensures that leased IPs can be seamlessly integrated into another provider’s infrastructure without ownership concerns.

You must either legally own the IP addresses or have explicit authorization from a leasing IP provider to route and manage them. IP providers who offer BYOIP-ready IP addresses simplify this process, providing documentation and support to ensure compliance with regional internet registry (RIR) policies and service provider requirements. This collaboration ensures smooth implementation without any legal or operational issues.

To use BYOIP, you’ll typically need to present documentation verifying your authority over the IP block. This can include official records from a regional internet registry (RIR) such as ARIN, RIPE NCC, or APNIC. If you are leasing IPs, the IP provider should supply proof of their ownership and grant you permission for BYOIP. Providers that specialize in IP leasing often handle this paperwork for you, reducing administrative burden and ensuring compliance.

Yes, BYOIP is designed to be a secure and reliable solution. Reputable service providers and IP providers implement robust safeguards to prevent unauthorized use or hijacking of IP addresses. Security measures include BGP filtering, route validation, and advanced protocols like Resource Public Key Infrastructure (RPKI). By collaborating with a trusted IP provider, businesses can benefit from additional layers of protection, ensuring that only authorized traffic is routed through their IP blocks.

The setup process for BYOIP varies by provider, typically taking anywhere from a few hours to a few days. Factors include the complexity of your network, the verification process for IP ownership or authorization, and the time needed for global BGP route propagation. IP providers often expedite the preparation and validation stages, ensuring a smooth and timely integration into the desired infrastructure.

Absolutely. Many providers, in partnership with IP providers, support routing IPs across multiple data centers or geographic regions. This feature optimizes performance for global businesses by reducing latency and improving service availability. When working with an IP provider, you can also ensure that your leased or owned IPs are aligned with your geographic requirements for compliance and efficiency.

If you choose to discontinue BYOIP with a provider, your IP addresses will be released from their network, and routing will cease. You can then reallocate these IPs for use with a different service provider or project.