This guide explains how to add an extra layer of security to your cloud storage bucket by creating a policy that only allows connections from Labelbox’s servers. This ensures that only Labelbox can access your data, even if your access keys were inadvertently exposed. This is an optional but highly recommended security measure for any organization that wants to enforce the strictest possible access controls on their data.

How IP allow-listing works

Think of an IP allow-list as a digital gatekeeper for your data. By applying an IP-based policy to your storage bucket, you are instructing your cloud provider to check the source of every incoming request. If the request originates from an IP address on your approved list (in this case, Labelbox’s servers), it is allowed to proceed. If the request comes from any other IP address, it is immediately rejected, adding a network-level layer of security. This policy works in conjunction with IAM Delegated Access, meaning a request is only successful if it both comes from a Labelbox IP address and correctly assumes the IAM role you configured.

Labelbox server IP addresses

To configure your allow-list, you will need the following list of Labelbox’s egress IP addresses.
35.223.142.181
34.135.127.45
35.224.108.6
34.10.80.254
Disclaimer: This list is subject to change as we grow and improve our infrastructure. To prevent any disruption of service, we strongly recommend that you subscribe to our product release notes to be notified of any changes to this list.

Step-by-step implementation guides

AWS S3

For AWS S3 buckets, use an IP address bucket policy (Amazon AWS docs) to permit access to specific addresses.
  1. Navigate to the Amazon S3 console and select the bucket you have connected to Labelbox.
  2. Go to the Permissions tab.
  3. Scroll down to the Bucket policy section and click Edit.
  4. Add the following JSON policy to the editor. This policy explicitly denies all GetObject actions unless the request comes from one of Labelbox’s IP addresses. Remember to replace YOUR-BUCKET-NAME with the actual name of your S3 bucket.
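In the following example, access is permitted only from the address range shown. The bucket name (examplebucket) and the range (54.240.143.0/24) are sample values: replace them with your bucket name and the Labelbox IP addresses listed above.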
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}
To learn more, see Blocking public access to your Amazon S3 storage (Amazon AWS docs).
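Step 4 describes a policy that denies GetObject unless the request comes from a Labelbox IP, while the sample JSON above is an Allow statement with a sample range. The following added example (not Labelbox's or AWS's own code) builds the Deny/NotIpAddress form from the IP list on this page. The function names and the local `is_denied` check are assumptions for illustration; the check models only the NotIpAddress condition, not full IAM evaluation.

```python
import ipaddress
import json

# Egress IPs copied from the "Labelbox server IP addresses" list on this page.
LABELBOX_IPS = ["35.223.142.181", "34.135.127.45", "35.224.108.6", "34.10.80.254"]


def build_deny_policy(bucket, allowed_ips):
    """Return a bucket policy that denies s3:GetObject from any other source IP."""
    # ip_network() rejects malformed entries and normalises a bare IP to /32.
    cidrs = [str(ipaddress.ip_network(ip)) for ip in allowed_ips]
    if not cidrs:
        raise ValueError("refusing to build a policy with an empty allow-list")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyGetObjectOutsideAllowList",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def is_denied(policy, source_ip):
    """Local model of the NotIpAddress condition only (not full IAM evaluation)."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        cidrs = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
        if stmt["Effect"] == "Deny" and not any(
            addr in ipaddress.ip_network(c) for c in cidrs
        ):
            return True
    return False


if __name__ == "__main__":
    # YOUR-BUCKET-NAME is the placeholder from step 4; replace it before applying.
    policy = build_deny_policy("YOUR-BUCKET-NAME", LABELBOX_IPS)
    print(json.dumps(policy, indent=2))
    print("Labelbox IP denied?", is_denied(policy, LABELBOX_IPS[0]))
    print("Other IP denied?", is_denied(policy, "203.0.113.10"))  # constructed test address
```

Because the statement uses "Principal": "*", the Deny also applies to your own users and tools reading objects from addresses outside the list. A Deny statement grants nothing by itself, so Labelbox still needs the IAM role configured for delegated access.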

Google Cloud Platform (GCP)

In GCP, IP-based restrictions are typically managed at the network level using VPC Service Controls. This allows you to create a secure perimeter around your projects and data.
  1. Identify or Create a Service Perimeter: Navigate to the VPC Service Controls page in the Google Cloud Console. You can either add rules to an existing perimeter or create a new one that includes the project containing your GCS bucket.
  2. Configure an Ingress Rule: Within your perimeter configuration, create an ingress rule. This rule defines what is allowed to access the services inside the perimeter from the outside.
  3. Set the Source: In the “From” attributes of the ingress rule, select IP subnets as the source.
  4. Add Labelbox IPs: Add the list of Labelbox Server IP Addresses to the specified IP subnets.
  5. Set the Service: In the “To” attributes, specify the services the source is allowed to access. At a minimum, this should include the “Storage API” (storage.googleapis.com).
  6. Save your perimeter configuration.
For more detailed instructions, please refer to Google’s official documentation on configuring ingress and egress policies.

Microsoft Azure

In Azure, you can restrict access to your Blob Storage account by configuring its built-in firewall.
  1. Navigate to your Storage Account in the Azure Portal.
  2. In the left-hand navigation pane, under Security + networking, select Networking.
  3. Under the Firewalls and virtual networks tab, select the option for “Enabled from selected virtual networks and IP addresses”.
  4. Add Labelbox IPs: In the Firewall section, there is an Address range text box. Add the Labelbox Server IP Addresses to this list in CIDR notation (e.g., 35.232.254.112/32). You will need to add each IP address individually.
  5. Click Save. The firewall will now block all traffic that does not originate from the specified IP addresses.
For more detailed instructions, please refer to Azure’s official documentation on configuring Azure Storage firewalls and virtual networks.