diff --git a/README.md b/README.md index 6d01032..11157d1 100644 --- a/README.md +++ b/README.md @@ -228,6 +228,7 @@ You can check the status of the certificate in the Google Cloud Console. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [block\_project\_ssh\_keys\_enabled](#input\_block\_project\_ssh\_keys\_enabled) | Blocks the use of project-wide publich SSH keys | `bool` | `false` | no | +| [default\_backend\_security\_policy](#input\_default\_backend\_security\_policy) | Name of the security policy to apply to the default backend service | `string` | `null` | no | | [disk\_kms\_key\_self\_link](#input\_disk\_kms\_key\_self\_link) | The self link of the encryption key that is stored in Google Cloud KMS | `string` | `null` | no | | [domain](#input\_domain) | Domain to associate Atlantis with and to request a managed SSL certificate for. Without `https://` | `string` | n/a | yes | | [enable\_oslogin](#input\_enable\_oslogin) | Enables OS Login service on the VM | `bool` | `false` | no | @@ -237,6 +238,7 @@ You can check the status of the certificate in the Google Cloud Console. | [google\_logging\_use\_fluentbit](#input\_google\_logging\_use\_fluentbit) | Enable Google Cloud Logging using Fluent Bit | `bool` | `false` | no | | [google\_monitoring\_enabled](#input\_google\_monitoring\_enabled) | Enable Google Cloud Monitoring | `bool` | `true` | no | | [iap](#input\_iap) | Settings for enabling Cloud Identity Aware Proxy to protect the Atlantis UI |
object({
oauth2_client_id = string
oauth2_client_secret = string
})
| `null` | no | +| [iap\_backend\_security\_policy](#input\_iap\_backend\_security\_policy) | Name of the security policy to apply to the IAP backend service | `string` | `null` | no | | [image](#input\_image) | Docker image. This is most often a reference to a container located in a container registry | `string` | `"ghcr.io/runatlantis/atlantis:latest"` | no | | [labels](#input\_labels) | Key-value pairs representing labels attaching to instance & instance template | `map(any)` | `{}` | no | | [machine\_image](#input\_machine\_image) | The machine image to create VMs with, if not specified, latest cos\_cloud/cos\_stable is used | `string` | `null` | no | diff --git a/examples/cloud-armor/README.md b/examples/cloud-armor/README.md index ba8482c..d4151e2 100644 --- a/examples/cloud-armor/README.md +++ b/examples/cloud-armor/README.md @@ -1,6 +1,6 @@ # Example usage -This example deploys Cloud Armor to ensure requests to the default backend are coming from GitHub Webhooks. +This example deploys Cloud Armor to ensure requests to the default backend are coming from GitHub Webhooks, and adds another policy to restrict access to the IAP backend to an example CIDR. Since IAP is enabled, two backend services will be created: diff --git a/examples/cloud-armor/main.tf b/examples/cloud-armor/main.tf index a0044a7..30e0aa3 100644 --- a/examples/cloud-armor/main.tf +++ b/examples/cloud-armor/main.tf @@ -59,6 +59,7 @@ module "atlantis" { project = local.project_id default_backend_security_policy = google_compute_security_policy.atlantis.name + iap_backend_security_policy = google_compute_security_policy.atlantis_iap.name iap = { oauth2_client_id = google_iap_client.atlantis.client_id 
@@ -124,6 +125,52 @@ resource "google_compute_security_policy" "atlantis" { } } +# This policy allows you to restrict access to the UI from anywhere but say +# your VPN exits, etc. +resource "google_compute_security_policy" "atlantis_iap" { + name = "atlantis-iap-security-policy" + description = "Policy blocking all traffic except from example range" + project = local.project_id + + rule { + # Allow from sample range, eg 192.168.0.0/16 + action = "allow" + priority = "2" + description = "Allow from sample CIDR" + match { + expr { + expression = "(inIpRange(origin.ip, '192.168.0.0/16'))" + } + } + } + + rule { + # Deny all by default + action = "deny(403)" + priority = "2147483647" + description = "Default rule: deny all" + + match { + versioned_expr = "SRC_IPS_V1" + config { + src_ip_ranges = ["*"] + } + } + } + + rule { + # Log4j vulnerability + action = "deny(403)" + priority = "1" + description = "CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)" + match { + expr { + expression = "evaluatePreconfiguredExpr('cve-canary')" + } + } + } +} + resource "google_iap_client" "atlantis" { display_name = "iap-client" brand = local.google_iap_brand_name diff --git a/main.tf b/main.tf index dae8280..f3f434a 100644 --- a/main.tf +++ b/main.tf @@ -332,6 +332,7 @@ resource "google_compute_backend_service" "iap" { connection_draining_timeout_sec = 5 load_balancing_scheme = "EXTERNAL_MANAGED" health_checks = [google_compute_health_check.default.id] + security_policy = var.iap_backend_security_policy log_config { enable = true diff --git a/variables.tf b/variables.tf index 32de93d..4a4fbfc 100644 --- a/variables.tf +++ b/variables.tf @@ -175,3 +175,9 @@ variable "default_backend_security_policy" { description = "Name of the security policy to apply to the default backend service" default = null } + +variable "iap_backend_security_policy" { + type = string + description = "Name of the security policy to apply to the IAP backend service" + default = null +}
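Review bot: The three rules in `google_compute_security_policy.atlantis_iap` give `priority` as quoted strings (`"2"`, `"2147483647"`, `"1"`) although the provider attribute is numeric; write them as numbers, `priority = 1`, `priority = 2`, `priority = 2147483647`, and add a comment on the allow rule noting that the CVE canary rule at priority 1 is evaluated first, so requests from the allowed range are still screened before being allowed. The allow rule's `192.168.0.0/16` is RFC 1918 space, which is very unlikely to appear as a client source address on the external load balancer, so the example as pasted denies all UI traffic until the range is replaced; a comment such as `# Replace with your real egress range (VPN exit, office NAT); a private range will not match on the external LB` would make that explicit. Consider hoisting the CIDR into a `local` so the `eg 192.168.0.0/16` comment and the `inIpRange` expression cannot drift apart.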