diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index 4ede755d1e750..077e487dfce30 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -260,6 +260,12 @@ const (
 type LoadBalancerAccessSpec struct {
 	Type               LoadBalancerType `json:"type,omitempty"`
 	IdleTimeoutSeconds *int64           `json:"idleTimeoutSeconds,omitempty"`
+	// AdditionalSecurityGroups attaches additional security groups (e.g. sg-123456)
+	// This API is currently under development.
+	AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
+	// SecurityGroup is the id of the shared security group to use for the InstanceGroupSpec
+	// This API is currently under development.
+	SecurityGroup *string `json:"securityGroup,omitempty"`
 }
 
 // KubeDNSConfig defines the kube dns configuration
diff --git a/pkg/apis/kops/instancegroup.go b/pkg/apis/kops/instancegroup.go
index 2df128beb203e..529cded0e8346 100644
--- a/pkg/apis/kops/instancegroup.go
+++ b/pkg/apis/kops/instancegroup.go
@@ -109,6 +109,9 @@ type InstanceGroupSpec struct {
 	Kubelet *KubeletConfigSpec `json:"kubelet,omitempty"`
 	// Taints indicates the kubernetes taints for nodes in this group
 	Taints []string `json:"taints,omitempty"`
+	// SecurityGroup is the id of the shared security group to use for the InstanceGroupSpec
+	// This API is currently under development.
+	SecurityGroup *string `json:"securityGroup,omitempty"`
 }
 
 // PerformAssignmentsInstanceGroups populates InstanceGroups with default values
diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go
index 9caee7f86701d..e4cdd8a4d2081 100644
--- a/pkg/apis/kops/v1alpha1/cluster.go
+++ b/pkg/apis/kops/v1alpha1/cluster.go
@@ -259,6 +259,12 @@ const (
 type LoadBalancerAccessSpec struct {
 	Type               LoadBalancerType `json:"type,omitempty"`
 	IdleTimeoutSeconds *int64           `json:"idleTimeoutSeconds,omitempty"`
+	// AdditionalSecurityGroups attaches additional security groups (e.g. sg-123456)
+	// This API is currently under development.
+	AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
+	// SecurityGroup is the id of the shared security group to use for the InstanceGroupSpec
+	// This API is currently under development.
+	SecurityGroup *string `json:"securityGroup,omitempty"`
 }
 
 // KubeDNSConfig defines the kube dns configuration
diff --git a/pkg/apis/kops/v1alpha1/instancegroup.go b/pkg/apis/kops/v1alpha1/instancegroup.go
index 9bd00541574fa..78f81cdfaa78c 100644
--- a/pkg/apis/kops/v1alpha1/instancegroup.go
+++ b/pkg/apis/kops/v1alpha1/instancegroup.go
@@ -92,4 +92,7 @@ type InstanceGroupSpec struct {
 	// Zones is the names of the Zones where machines in this instance group should be placed
 	// This is needed for regional subnets (e.g. GCE), to restrict placement to particular zones
 	Zones []string `json:"zones,omitempty"`
+	// SecurityGroup is the id of the shared security group to use for the InstanceGroupSpec
+	// This API is currently under development.
+	SecurityGroup *string `json:"securityGroup,omitempty"`
 }
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 4c464d15a36b6..26ac89c3f952c 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -1674,6 +1674,7 @@ func autoConvert_v1alpha1_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
 	}
 	out.Taints = in.Taints
 	out.Zones = in.Zones
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
@@ -1727,6 +1728,7 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha1_InstanceGroupSpec(in *kops.I
 		out.Kubelet = nil
 	}
 	out.Taints = in.Taints
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
@@ -2221,6 +2223,8 @@ func Convert_kops_LeaderElectionConfiguration_To_v1alpha1_LeaderElectionConfigur
 func autoConvert_v1alpha1_LoadBalancerAccessSpec_To_kops_LoadBalancerAccessSpec(in *LoadBalancerAccessSpec, out *kops.LoadBalancerAccessSpec, s conversion.Scope) error {
 	out.Type = kops.LoadBalancerType(in.Type)
 	out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
+	out.AdditionalSecurityGroups = in.AdditionalSecurityGroups
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
@@ -2232,6 +2236,8 @@ func Convert_v1alpha1_LoadBalancerAccessSpec_To_kops_LoadBalancerAccessSpec(in *
 func autoConvert_kops_LoadBalancerAccessSpec_To_v1alpha1_LoadBalancerAccessSpec(in *kops.LoadBalancerAccessSpec, out *LoadBalancerAccessSpec, s conversion.Scope) error {
 	out.Type = LoadBalancerType(in.Type)
 	out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
+	out.AdditionalSecurityGroups = in.AdditionalSecurityGroups
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
index 917fcaeaa9f13..4d5468df18871 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
@@ -1762,6 +1762,15 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.SecurityGroup != nil {
+		in, out := &in.SecurityGroup, &out.SecurityGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
@@ -2489,6 +2498,20 @@ func (in *LoadBalancerAccessSpec) DeepCopyInto(out *LoadBalancerAccessSpec) {
 			**out = **in
 		}
 	}
+	if in.AdditionalSecurityGroups != nil {
+		in, out := &in.AdditionalSecurityGroups, &out.AdditionalSecurityGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecurityGroup != nil {
+		in, out := &in.SecurityGroup, &out.SecurityGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
index 95d1264d04376..1e6c41e9967e3 100644
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@@ -260,6 +260,12 @@ const (
 type LoadBalancerAccessSpec struct {
 	Type               LoadBalancerType `json:"type,omitempty"`
 	IdleTimeoutSeconds *int64           `json:"idleTimeoutSeconds,omitempty"`
+	// AdditionalSecurityGroups attaches additional security groups (e.g. sg-123456)
+	// This API is currently under development.
+	AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
+	// SecurityGroup is the id of the shared security group to use for the InstanceGroupSpec
+	// This API is currently under development.
+	SecurityGroup *string `json:"securityGroup,omitempty"`
 }
 
 type KubeDNSConfig struct {
diff --git a/pkg/apis/kops/v1alpha2/instancegroup.go b/pkg/apis/kops/v1alpha2/instancegroup.go
index d281c4bfa6fc3..2c4a550682a36 100644
--- a/pkg/apis/kops/v1alpha2/instancegroup.go
+++ b/pkg/apis/kops/v1alpha2/instancegroup.go
@@ -101,4 +101,7 @@ type InstanceGroupSpec struct {
 	Kubelet *KubeletConfigSpec `json:"kubelet,omitempty"`
 	// Taints indicates the kubernetes taints for nodes in this group
 	Taints []string `json:"taints,omitempty"`
+	// SecurityGroup is the id of the shared security group to use for the InstanceGroupSpec
+	// This API is currently under development.
+	SecurityGroup *string `json:"securityGroup,omitempty"`
 }
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 4c1046fa01b28..cd9ec99cb9fa3 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1784,6 +1784,7 @@ func autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
 		out.Kubelet = nil
 	}
 	out.Taints = in.Taints
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
@@ -1842,6 +1843,7 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.I
 		out.Kubelet = nil
 	}
 	out.Taints = in.Taints
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
@@ -2483,6 +2485,8 @@ func Convert_kops_LeaderElectionConfiguration_To_v1alpha2_LeaderElectionConfigur
 func autoConvert_v1alpha2_LoadBalancerAccessSpec_To_kops_LoadBalancerAccessSpec(in *LoadBalancerAccessSpec, out *kops.LoadBalancerAccessSpec, s conversion.Scope) error {
 	out.Type = kops.LoadBalancerType(in.Type)
 	out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
+	out.AdditionalSecurityGroups = in.AdditionalSecurityGroups
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
@@ -2494,6 +2498,8 @@ func Convert_v1alpha2_LoadBalancerAccessSpec_To_kops_LoadBalancerAccessSpec(in *
 func autoConvert_kops_LoadBalancerAccessSpec_To_v1alpha2_LoadBalancerAccessSpec(in *kops.LoadBalancerAccessSpec, out *LoadBalancerAccessSpec, s conversion.Scope) error {
 	out.Type = LoadBalancerType(in.Type)
 	out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
+	out.AdditionalSecurityGroups = in.AdditionalSecurityGroups
+	out.SecurityGroup = in.SecurityGroup
 	return nil
 }
 
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index 0ece8f2c362d7..dfdb0d058abe5 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -1777,6 +1777,15 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.SecurityGroup != nil {
+		in, out := &in.SecurityGroup, &out.SecurityGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
@@ -2615,6 +2624,20 @@ func (in *LoadBalancerAccessSpec) DeepCopyInto(out *LoadBalancerAccessSpec) {
 			**out = **in
 		}
 	}
+	if in.AdditionalSecurityGroups != nil {
+		in, out := &in.AdditionalSecurityGroups, &out.AdditionalSecurityGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecurityGroup != nil {
+		in, out := &in.SecurityGroup, &out.SecurityGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
index 07d3d35052b58..70835bfa207a9 100644
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@@ -1980,6 +1980,15 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.SecurityGroup != nil {
+		in, out := &in.SecurityGroup, &out.SecurityGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }
 
@@ -2850,6 +2859,20 @@ func (in *LoadBalancerAccessSpec) DeepCopyInto(out *LoadBalancerAccessSpec) {
 			**out = **in
 		}
 	}
+	if in.AdditionalSecurityGroups != nil {
+		in, out := &in.AdditionalSecurityGroups, &out.AdditionalSecurityGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecurityGroup != nil {
+		in, out := &in.SecurityGroup, &out.SecurityGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
 	return
 }