Restrict data access by IP range

By protecting your source data behind a local network or VPN, only users inside that intranet can view the data. That means that even Labelbox servers won’t be able to access your data.

For example…

Lets say we have an image “” in an S3 bucket, and you added a policy to that bucket to only allow access from IP addresses within the range of your internal VPN (ex. Then when someone inside your organization logs into the VPN and navigates to “damage.jpg” they will see the image. When someone from outside your company opens the link they will simply receive an error. Since Labelbox loads assets directly in the browser they will be fetched through the users own IP Address and not the IP address of any Labelbox servers.

Whitelist an IP Range for an AWS Bucket

It’s recommended to use the IP range of your VPN so that you can access and review data from anywhere and better manage access to your network. We recommend if you want to set up a new VPN.

However, you can also choose to whitelist the IP range of a wifi network. For example if you can’t give VPN access to an outsourced labeling firm you can whitelist their network.

Finding Your IP Range
Typically a router will be configured for 255 IP addresses. Visit to see your computer’s IP address. For example if it was then your IP range would be - If you’re under a company VPN you should contact an administrator to get a static IP range.

Once you have your IP range, you should add a IP address bucket policy in AWS.

"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:GetObject" ],
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": ""},

If set up correctly you should be able to load the image while connected to your VPN or wifi network and then once you disconnect or switch networks the image should fail to load.

Now you simply need to upload a list of s3 paths to Labelbox, see these docs.

How did we do?