diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
index cc01357ea..5da235dc3 100644
--- a/premerge/gke_cluster/main.tf
+++ b/premerge/gke_cluster/main.tf
@@ -12,6 +12,7 @@ resource "google_container_cluster" "llvm_premerge" {
 # for adding windows nodes to the cluster.
 networking_mode = "VPC_NATIVE"
 ip_allocation_policy {}
+ disable_l4_lb_firewall_reconciliation = true
 # Set the workload identity config so that we can authenticate with Google
 # Cloud APIs using workload identity federation as described in
@@ -44,6 +45,8 @@ resource "google_container_node_pool" "llvm_premerge_linux_service" {
 workload_metadata_config {
 mode = "GKE_METADATA"
 }
+
+ tags = ["premerge-service"]
 }
 }
diff --git a/premerge/main.tf b/premerge/main.tf
index 7843e2b60..f9715fdac 100644
--- a/premerge/main.tf
+++ b/premerge/main.tf
@@ -41,6 +41,22 @@ resource "local_file" "terraform_state" {
 EOT
 }
+# Set up firewall rules that allow for access to the premerge advisor.
+data "google_compute_network" "default" {
+ name = "default"
+}
+
+resource "google_compute_firewall" "premerge_advisor_firewall" {
+ name = "premerge-advisor-firewall"
+ network = data.google_compute_network.default.name
+ allow {
+ protocol = "tcp"
+ ports = ["5000"]
+ }
+
+ source_tags = ["premerge-service"]
+}
+
 data "google_client_config" "current" {}
 locals {
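Review bot: `disable_l4_lb_firewall_reconciliation = true` switches off GKE's automatic creation, update and removal of VPC firewall rules for Services of type LoadBalancer, which means any such rule must now be owned by Terraform and any rule GKE already created stays in place unreconciled; nothing in the hunk says why this is wanted or who now owns those rules. Add a why-comment above the line so the next maintainer does not re-enable it or assume GKE still cleans up, e.g. `# GKE no longer manages L4 LB firewall rules for this cluster; they are declared explicitly in Terraform (see premerge/main.tf).` — adjust the reference if the manual rules live elsewhere, since only one rule is visible in this commit. The enclosing google_container_cluster block starts and ends outside the hunk.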
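Review bot: The new `tags = ["premerge-service"]` is a GCE network tag on the node VMs, and the rule that consumes it (`source_tags` in premerge/main.tf) matches on the sending instance; in a VPC_NATIVE cluster a pod sends with its alias-range IP, and whether that traffic is still attributed to the tagged node, or is masqueraded to the node IP, depends on the cluster's ip-masq configuration, which is not visible here. Confirm that traffic from the service pods actually matches the tag-based rule on the advisor's destination (or add a `source_ranges` entry for the pod CIDR alongside the tag) before relying on it. A short cross-reference comment would also help, since the two halves sit in different files: `# Network tag matched by google_compute_firewall.premerge_advisor_firewall in premerge/main.tf.`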
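Review bot: `premerge_advisor_firewall` has no `target_tags` or `target_service_accounts`, so it admits TCP/5000 from any instance tagged `premerge-service` to every instance in the `default` network, not only the host running the advisor that the comment describes. Scope the rule to its target with `target_tags = ["premerge-advisor"]` (and tag the advisor instance accordingly) and make the direction explicit with `direction = "INGRESS"` so the intent does not depend on the provider default. The network is hard-coded to `default`; the cluster's network is not visible in this diff, and if the node pool lives on another VPC the source tag will never match, so it is worth confirming and noting in the comment, e.g. `# Source tag is set on the llvm_premerge_linux_service node pool in premerge/gke_cluster/main.tf; the cluster must be on the same VPC for it to match.`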