# Enhance security with IP address allow-list

> List of Labelbox server IP addresses and step-by-step guides for setting IP allow-listing for AWS S3, GCS, and Azure.

This guide explains how to add an extra layer of security to your cloud storage bucket by creating a policy that only allows connections from Labelbox's servers. This ensures that only Labelbox can access your data, even if your access keys were inadvertently exposed.

This is an optional but highly recommended security measure for any organization that wants to enforce the strictest possible access controls on their data.

## How IP allow-listing works

Think of an IP allow-list as a digital gatekeeper for your data. By applying an IP-based policy to your storage bucket, you are instructing your cloud provider to check the source of every incoming request.

If the request originates from an IP address on your approved list (in this case, Labelbox's servers), it is allowed to proceed. If the request comes from *any* other IP address, it is immediately rejected, adding a network-level layer of security.

This policy works in conjunction with IAM Delegated Access, meaning a request is only successful if it both comes from a Labelbox IP address and correctly assumes the IAM role you configured.

## Labelbox server IP addresses

To configure your allow-list, you will need the following list of Labelbox's egress IP addresses.

Last updated: March 27, 2026

```text
35.223.142.181
34.135.127.45
35.224.108.6
34.10.80.254
```

<Note>
  Disclaimer: This list is subject to change as we grow and improve our infrastructure. To prevent any disruption of service, we strongly recommend that you subscribe to our [product release notes](https://docs.labelbox.com/changelog) to be notified of any changes to this list.
</Note>

## Step-by-step implementation guides

### AWS S3

For AWS S3 buckets, use an IP address [bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) (Amazon AWS docs) to permit access to specific addresses.

1. Navigate to the Amazon S3 console and select the bucket you have connected to Labelbox.
2. Go to the **Permissions** tab.
3. Scroll down to the **Bucket policy** section and click **Edit**.
4. Add the following JSON policy to the editor. This policy explicitly denies all `GetObject` actions unless the request comes from one of Labelbox's IP addresses.
   Remember to replace `YOUR-BUCKET-NAME` with the actual name of your S3 bucket.

In the following example, access is permitted only from the address shown. You will likely need to update the example to suit your needs.

<CodeGroup>
  ```json JSON
  {
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
      {
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [ "s3:GetObject" ],
        "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
        "Condition": {
          "IpAddress": { "aws:SourceIp": "54.240.143.0/24" }
        }
      }
    ]
  }
  ```
</CodeGroup>

To learn more, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) (Amazon AWS docs).
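Step 4 describes a policy that denies `s3:GetObject` from any address off the list, while the sample above is an `Allow` statement for a placeholder range. The following added example (not Labelbox's or AWS's code) generates the deny form from the egress list on this page and models how it combines with the IAM role. The function names, the `Sid` and the test address `203.0.113.7` are assumptions, and the decision function is a simplified model, not AWS's policy evaluator.

```python
import ipaddress
import json

# Labelbox egress IPs as published on this page (last updated March 27, 2026).
LABELBOX_EGRESS_IPS = ["35.223.142.181", "34.135.127.45", "35.224.108.6", "34.10.80.254"]


def to_cidrs(addresses):
    """Validate each address and return it as a /32 CIDR string."""
    cidrs = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr.strip())  # raises ValueError on a typo
        if not ip.is_global:
            raise ValueError(f"{addr} is not a public address")
        cidrs.append(f"{ip}/{ip.max_prefixlen}")
    return cidrs


def build_deny_policy(bucket, addresses):
    """Bucket policy: deny s3:GetObject unless the source IP is on the list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyGetObjectOutsideAllowList",  # hypothetical Sid
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": to_cidrs(addresses)}},
        }],
    }


def get_object_decision(policy, source_ip, iam_allows):
    """Simplified model of evaluation: explicit Deny wins, then IAM must Allow."""
    src = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        allowed = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
        outside = not any(src in ipaddress.ip_network(c) for c in allowed)
        if stmt["Effect"] == "Deny" and outside:
            return "deny (bucket policy)"
    return "allow" if iam_allows else "deny (no IAM allow)"


if __name__ == "__main__":
    policy = build_deny_policy("YOUR-BUCKET-NAME", LABELBOX_EGRESS_IPS)
    print(json.dumps(policy, indent=2))
    print(get_object_decision(policy, "35.224.108.6", iam_allows=True))
    print(get_object_decision(policy, "203.0.113.7", iam_allows=True))  # constructed test address
```

Because the `Deny` applies to every principal, your own users outside the listed addresses also lose `s3:GetObject` on the bucket.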

### Google Cloud Platform (GCP)

In GCP, IP-based restrictions are typically managed at the network level using **VPC Service Controls**. This allows you to create a secure perimeter around your projects and data.

1. **Identify or Create a Service Perimeter:** Navigate to the VPC Service Controls page in the Google Cloud Console. You can either add rules to an existing perimeter or create a new one that includes the project containing your GCS bucket.
2. **Configure an Ingress Rule:** Within your perimeter configuration, create an **ingress rule**. This rule defines what is allowed to access the services inside the perimeter from the outside.
3. **Set the Source:** In the "From" attributes of the ingress rule, select **IP subnets** as the source.
4. **Add Labelbox IPs:** Add the list of Labelbox Server IP Addresses to the specified IP subnets.
5. **Set the Service:** In the "To" attributes, specify the services the source is allowed to access. At a minimum, this should include the **"Storage API"** (`storage.googleapis.com`).
6. Save your perimeter configuration.

For more detailed instructions, please refer to Google's official documentation on [configuring ingress and egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules).

### Microsoft Azure

In Azure, you can restrict access to your Blob Storage account by configuring its built-in firewall.

1. Navigate to your **Storage Account** in the Azure Portal.
2. In the left-hand navigation pane, under **Security + networking**, select **Networking**.
3. Under the **Firewalls and virtual networks** tab, select the option for **"Enabled from selected virtual networks and IP addresses"**.
4. **Add Labelbox IPs:** In the **Firewall** section, there is an **Address range** text box. Add the Labelbox Server IP Addresses to this list in CIDR notation (e.g., `35.232.254.112/32`). You will need to add each IP address individually.
5. Click **Save**. The firewall will now block all traffic that does not originate from the specified IP addresses.

For more detailed instructions, please refer to Azure's official documentation on [configuring Azure Storage firewalls and virtual networks](https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security).
