Table of Contents

Restrict data access by IP range

By protecting your source data behind a local network or VPN, only users inside that intranet can view the data. That means that even Labelbox servers won’t be able to access your data.

Whitelist an IP range for an AWS bucket

It’s recommended to use the IP range of your VPN so that you can access and review data from anywhere and better manage access to your network. We recommend if you want to set up a new VPN.

However, you can also choose to whitelist the IP range of a wifi network. For example if you can’t give VPN access to an outsourced labeling firm you can whitelist their network.

Finding Your IP Range
Typically a router will be configured for 255 IP addresses. Visit to see your computer’s IP address. For example if it was then your IP range would be - If you’re under a company VPN you should contact an administrator to get a static IP range.

Once you have your IP range, you should add a IP address bucket policy in AWS.

"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:GetObject" ],
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": ""},

If set up correctly you should be able to load the image while connected to your VPN or wifi network and then once you disconnect or switch networks the image should fail to load.

Now you simply need to upload a list of s3 paths to Labelbox, see these docs.

Was this page helpful?

Cloud data overview

How to generate signed URLs