diff --git a/README.md b/README.md
index 9bd6ee4c888..96c9e4c1acb 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,8 @@ In order to deploy both the stacks the user needs to provide a set of required a
 | account (Optional) | string | User provided aws account |
 | dataNodeStorage (Optional) | string | User provided ebs block storage size, defaults to 100Gb |
 | mlNodeStorage (Optional) | string | User provided ebs block storage size, defaults to 100Gb |
-| use50PercentHeap (Optional) | boolean | Boolean flag to use 50% of physical memory as heap. Default is 1GB. e.g., `--context use50PercentHeap=true` |
+| use50PercentHeap (Optional) | boolean | Boolean flag to use 50% of physical memory as heap. Default is 1GB. e.g., `--context use50PercentHeap=true` |
+| isInternal (Optional) | boolean | Boolean flag to make network load balancer internal. Default is internet-facing e.g., `--context isInternal=true` |
diff --git a/lib/infra/infra-stack.ts b/lib/infra/infra-stack.ts
index 3350cae586b..01700f15a81 100644
--- a/lib/infra/infra-stack.ts
+++ b/lib/infra/infra-stack.ts
@@ -56,6 +56,7 @@ export interface infraProps extends StackProps{
 readonly jvmSysPropsString?: string,
 readonly additionalConfig?: string,
 readonly use50PercentHeap: boolean,
+ readonly isInternal: boolean,
 }
 export class InfraStack extends Stack {
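Review bot: The new `isInternal` field on `infraProps` has no comment saying what `false` means, and that is the exposure-relevant fact a caller of this interface needs. I would add `/** true creates the NLB with scheme internal; false leaves it internet-facing */` directly above the field. The interface body starts outside this hunk, so I cannot tell whether the other fields are documented.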
@@ -86,26 +87,26 @@ export class InfraStack extends Stack { const ec2InstanceType = (props.cpuType === AmazonLinuxCpuType.X86_64) ? InstanceType.of(InstanceClass.C5, InstanceSize.XLARGE) : InstanceType.of(InstanceClass.C6G, InstanceSize.XLARGE); - const alb = new NetworkLoadBalancer(this, 'publicNlb', { + const nlb = new NetworkLoadBalancer(this, 'clusterNlb', { vpc: props.vpc, - internetFacing: true, + internetFacing: (!props.isInternal), crossZoneEnabled: true, }); if (!props.securityDisabled && !props.minDistribution) { - opensearchListener = alb.addListener('opensearch', { + opensearchListener = nlb.addListener('opensearch', { port: 443, protocol: Protocol.TCP, }); } else { - opensearchListener = alb.addListener('opensearch', { + opensearchListener = nlb.addListener('opensearch', { port: 80, protocol: Protocol.TCP, }); } if (props.dashboardsUrl !== 'undefined') { - dashboardsListener = alb.addListener('dashboards', { + dashboardsListener = nlb.addListener('dashboards', { port: 8443, protocol: Protocol.TCP, }); @@ -325,7 +326,7 @@ export class InfraStack extends Stack { } new CfnOutput(this, 'loadbalancer-url', { - value: alb.loadBalancerDnsName, + value: nlb.loadBalancerDnsName, }); } diff --git a/lib/os-cluster-entrypoint.ts b/lib/os-cluster-entrypoint.ts index c9de89d6b87..0d890d7829e 100644 --- a/lib/os-cluster-entrypoint.ts +++ b/lib/os-cluster-entrypoint.ts @@ -151,6 +151,9 @@ export class OsClusterEntrypoint { const use50heap = `${scope.node.tryGetContext('use50PercentHeap')}`; const use50PercentHeap = use50heap === 'true'; + const nlbScheme = `${scope.node.tryGetContext('isInternal')}`; + const isInternal = nlbScheme === 'true'; + const network = new NetworkStack(scope, 'opensearch-network-stack', { cidrBlock: cidrRange, maxAzs: 3, @@ -196,6 +199,7 @@ export class OsClusterEntrypoint { jvmSysPropsString: jvmSysProps, additionalConfig: ymlConfig, use50PercentHeap, + isInternal, ...props, }); 
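Review bot: `internetFacing: (!props.isInternal)` keeps public exposure as the default, and the `else` branch a few lines below still opens a plain TCP listener on port 80 when `securityDisabled` or `minDistribution` is set. An unflagged deployment with security off is therefore reachable from the internet unless something outside this hunk restricts access. Consider a synth-time guard for that combination, for example `if (props.securityDisabled && !props.isInternal) { Annotations.of(this).addWarning('security disabled on an internet-facing load balancer'); }` (this needs `Annotations` imported from the CDK library), or make internal the default. The parentheses around `!props.isInternal` are redundant, and the enclosing block starts and ends outside the hunk.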
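Review bot: The parsing `nlbScheme === 'true'` in the `-151,6 +151,9` hunk of os-cluster-entrypoint.ts fails open: any other value of the `isInternal` context key (`True`, `1`, `yes`, a typo) silently produces an internet-facing load balancer. Because this flag decides network exposure, unrecognized values should be rejected, e.g. `if (!['true', 'false', 'undefined'].includes(nlbScheme)) { throw new Error('isInternal must be true or false'); }`. The variable holds a stringified boolean rather than a scheme, so a name such as `isInternalContext` would read more accurately than `nlbScheme`.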
diff --git a/test/os-cluster.test.ts b/test/os-cluster.test.ts
index e0d30bd64cb..91d4f0e0372 100644
--- a/test/os-cluster.test.ts
+++ b/test/os-cluster.test.ts
@@ -106,6 +106,9 @@ test('Test Resources with security enabled multi-node with existing Vpc', () =>
 },
 ],
 });
+ infraTemplate.hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', {
+ Scheme: 'internet-facing',
+ });
 });
 test('Test Resources with security enabled single-node cluster', () => {
@@ -121,6 +124,7 @@ test('Test Resources with security enabled single-node cluster', () => {
 serverAccessType: 'prefixList',
 restrictServerAccessTo: 'pl-12345',
 dataNodeStorage: 200,
+ isInternal: true,
 },
 });
@@ -153,4 +157,7 @@ test('Test Resources with security enabled single-node cluster', () => {
 },
 ],
 });
+ infraTemplate.hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', {
+ Scheme: 'internal',
+ });
 });