diff --git a/examples/synapse_analytics/100-synapse/configuration.tfvars b/examples/synapse_analytics/100-synapse/configuration.tfvars
index 901bb7f27a..f6a7238a5d 100644
--- a/examples/synapse_analytics/100-synapse/configuration.tfvars
+++ b/examples/synapse_analytics/100-synapse/configuration.tfvars
@@ -30,10 +30,18 @@ synapse_workspaces = {
 storage_account_key = "synapsestorage_re1"
 container_key = "synaspe_filesystem"
 }
- workspace_firewall = {
- name = "AllowAll"
- start_ip = "0.0.0.0"
- end_ip = "255.255.255.255"
+ workspace_firewalls = {
+ AllowAll = {
+ name = "AllowAll"
+ start_ip = "0.0.0.0"
+ end_ip = "255.255.255.255"
+ }
+ # example of defining multiple firewall rules; although in this example, makes no sense b/c AllowAll opens to all possible IPs
+ AllowSome = {
+ # if name attribute is not defined here, key will be used as name ("AllowSome")
+ start_ip = "0.0.0.0"
+ end_ip = "10.255.255.255"
+ }
 }
 }
 }
diff --git a/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars b/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars
index 2db6098e0a..ff3338d33c 100644
--- a/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars
+++ b/examples/synapse_analytics/101-synapse-sparkpool/configuration.tfvars
@@ -35,6 +35,7 @@ synapse_workspaces = {
 storage_account_key = "synapsestorage_re1"
 container_key = "synaspe_filesystem"
 }
+ # only defining a single firewall rule in this example
 workspace_firewall = {
 name = "AllowAll"
 start_ip = "0.0.0.0"
diff --git a/modules/analytics/synapse/workspace.tf b/modules/analytics/synapse/workspace.tf
index 864a101194..1502627fbd 100644
--- a/modules/analytics/synapse/workspace.tf
+++ b/modules/analytics/synapse/workspace.tf
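Review bot: The `AllowSome` rule added in the 100-synapse example is not a narrowed range: `start_ip = "0.0.0.0"` with `end_ip = "10.255.255.255"` admits every address from 0.0.0.0 through 9.255.255.255 (public space) plus all of 10.0.0.0/8, so a reader who copies it as the "restricted" pattern gets a rule nearly as open as `AllowAll`. Since the in-hunk comment already concedes the pair makes no sense next to `AllowAll`, let the second rule demonstrate an actually scoped range, e.g. `start_ip = "10.0.0.0"` and `end_ip = "10.255.255.255"`. The `AllowAll` entry predates this change, but a line such as `# AllowAll exposes the workspace's public endpoint to every IPv4 address; demonstration only, scope real deployments to known client ranges` above it would keep the example from being lifted verbatim into a deployment.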
@@ -70,9 +70,25 @@ resource "azurerm_key_vault_secret" "synapse_rg_name" {
 key_vault_id = var.keyvault_id
 }
+# for backwards compatibility to create single firewall rule
 resource "azurerm_synapse_firewall_rule" "wrkspc_firewall" {
+ count = try(var.settings.workspace_firewall, null) == null ? 1 :
+
 name = var.settings.workspace_firewall.name
 synapse_workspace_id = azurerm_synapse_workspace.ws.id
 start_ip_address = var.settings.workspace_firewall.start_ip
 end_ip_address = var.settings.workspace_firewall.end_ip
-}
\ No newline at end of file
+}
+
+# supports adding multiple synapse firewall rules resource "azurerm_synapse_firewall_rule" "wrkspc_firewalls" {
+ for_each = try(var.settings.workspace_firewalls, {})
+
+ # use key as firewall name if name attribute not defined
+ name = try(each.value.name, each.key)
+ synapse_workspace_id = azurerm_synapse_workspace.ws.id
+ # start_ip and end_ip must be specified in each individual workspace_firewall_rule
+ start_ip_address = each.value.start_ip
+ end_ip_address = each.value.end_ip
+}
+
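Review bot: Nothing prevents the legacy `wrkspc_firewall` and the new `wrkspc_firewalls` from both being created with the same rule name: `workspace_firewall.name` is never compared against the `workspace_firewalls` keys or their `name` values, and two `azurerm_synapse_firewall_rule` resources carrying one name on one workspace will collide at apply time and keep fighting on every subsequent apply. A `lifecycle` precondition on `wrkspc_firewall` (Terraform 1.2+, sketched below) rejects such a plan up front. Separately, the `count` line as shown ends in `== null ? 1 :` with no false branch, which is either cut off in this listing or not valid HCL; confirm the committed line is `count = try(var.settings.workspace_firewall, null) == null ? 0 : 1`, because the reversed `? 1 : 0` would create the rule exactly when `var.settings.workspace_firewall.name` on the next line has nothing to read. Neither resource validates `start_ip`/`end_ip`, so a fully open `0.0.0.0`–`255.255.255.255` pair is accepted silently; a comment such as `# no range validation here: an open 0.0.0.0-255.255.255.255 rule exposes the workspace's public endpoint to every IPv4 address` beside `start_ip_address` would at least warn module users.
```hcl
resource "azurerm_synapse_firewall_rule" "wrkspc_firewall" {
  count = try(var.settings.workspace_firewall, null) == null ? 0 : 1

  # … unchanged: name, synapse_workspace_id, start_ip_address, end_ip_address …

  lifecycle {
    # rule names are unique per workspace: refuse a plan in which this legacy
    # single rule would carry the same name as one of the workspace_firewalls entries
    precondition {
      condition = !contains(
        [for k, v in try(var.settings.workspace_firewalls, {}) : try(v.name, k)],
        var.settings.workspace_firewall.name
      )
      error_message = "workspace_firewall.name must not match a key or name in workspace_firewalls."
    }
  }
}
```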