diff --git a/.terraform.lock b/.terraform.lock
new file mode 100644
index 0000000..e69de29
diff --git a/modules/bastion-group/README.md b/modules/bastion-group/README.md
index a12afa0..e1812a2 100644
--- a/modules/bastion-group/README.md
+++ b/modules/bastion-group/README.md
@@ -74,6 +74,7 @@ provision a project with the necessary APIs enabled.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | additional\_networks | Additional network interface details for the instance template, if any. | <pre>list(object({<br>    network            = string<br>    subnetwork         = string<br>    subnetwork_project = string<br>    network_ip         = string<br>    nic_type           = string<br>    stack_type         = string<br>    queue_count        = number<br>    access_config = list(object({<br>      nat_ip       = string<br>      network_tier = string<br>    }))<br>    ipv6_access_config = list(object({<br>      network_tier = string<br>    }))<br>    alias_ip_range = list(object({<br>      ip_cidr_range         = string<br>      subnetwork_range_name = string<br>    }))<br>  }))</pre> | `[]` | no |
+| additional\_ports | A list of additional ports/ranges to open access to on the instances from IAP. | `list(string)` | `[]` | no |
 | fw\_name\_allow\_ssh\_from\_health\_check\_cidrs | Firewall rule name for allowing Health Checks | `string` | `"allow-ssh-from-health-check-cidrs"` | no |
 | fw\_name\_allow\_ssh\_from\_iap | Firewall rule name for allowing SSH from IAP | `string` | `"allow-ssh-from-iap-to-bastion-group"` | no |
 | health\_check | Health check config for the mig. | <pre>object({<br>    type                = string<br>    initial_delay_sec   = number<br>    check_interval_sec  = number<br>    healthy_threshold   = number<br>    timeout_sec         = number<br>    unhealthy_threshold = number<br>    response            = string<br>    proxy_header        = string<br>    port                = number<br>    request             = string<br>    enable_logging      = bool<br><br>    # Unused fields.<br>    request_path = string<br>    host         = string<br>  })</pre> | <pre>{<br>  "check_interval_sec": 30,<br>  "enable_logging": false,<br>  "healthy_threshold": 1,<br>  "host": "",<br>  "initial_delay_sec": 30,<br>  "port": 22,<br>  "proxy_header": "NONE",<br>  "request": "",<br>  "request_path": "",<br>  "response": "",<br>  "timeout_sec": 10,<br>  "type": "tcp",<br>  "unhealthy_threshold": 5<br>}</pre> | no |
diff --git a/modules/bastion-group/main.tf b/modules/bastion-group/main.tf
index bc72843..867c737 100644
--- a/modules/bastion-group/main.tf
+++ b/modules/bastion-group/main.tf
@@ -35,6 +35,7 @@ module "iap_bastion" {
   startup_script                     = var.startup_script
   subnet                             = var.subnet
   additional_networks                = var.additional_networks
+  additional_ports                   = var.additional_ports
   zone                               = var.zone
   random_role_id                     = var.random_role_id
   fw_name_allow_ssh_from_iap         = var.fw_name_allow_ssh_from_iap
diff --git a/modules/bastion-group/variables.tf b/modules/bastion-group/variables.tf
index 558e022..5e7f7cd 100644
--- a/modules/bastion-group/variables.tf
+++ b/modules/bastion-group/variables.tf
@@ -197,6 +197,12 @@ variable "fw_name_allow_ssh_from_iap" {
   default     = "allow-ssh-from-iap-to-bastion-group"
 }
 
+variable "additional_ports" {
+  description = "A list of additional ports/ranges to open access to on the instances from IAP."
+  type        = list(string)
+  default     = []
+}
+
 variable "additional_networks" {
   description = "Additional network interface details for the instance template, if any."
   default     = []