diff --git a/README.md b/README.md
index 3c3fef0..fecb8cf 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,8 @@ The following resources will be created:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| `allowed_cidr_ranges` | (Optional) List of CIDR ranges allowed to use the VPN|`list`|[]|no|
+| `allowed_access_groups` | (Optional) List of Access Group IDs allowed to use the VPN (default is all access groups if `allowed_cidr_ranges` is set)|`list`|[]|no|
 | authentication\_saml\_provider\_arn | (Optional) The ARN of the IAM SAML identity provider if type is federated-authentication. | `any` | `null` | no |
 | authentication\_type | The type of client authentication to be used. Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication, or federated-authentication to use Federated Authentication via SAML 2.0. | `string` | `"certificate-authentication"` | no |
 | cidr | Network CIDR to use for clients | `any` | n/a | yes |
diff --git a/_variables.tf b/_variables.tf
index 471836e..5febcf8 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -11,6 +11,18 @@ variable "subnet_ids" {
 description = "Subnet ID to associate clients (each subnet passed will create an VPN association - costs involved)"
 }
 
+variable "allowed_cidr_ranges" {
+ type = list(string)
+ description = "List of CIDR ranges from which access is allowed"
+ default = []
+}
+
+variable "allowed_access_groups" {
+ type = list(string)
+ description = "List of Access group IDs to allow access. Leave empty to allow all groups"
+ default = []
+}
+
 variable "vpc_id" {
 type = string
 description = "VPC Id to create resources"
diff --git a/vpn-endpoint.tf b/vpn-endpoint.tf
index 8fdf99e..c1cd3d6 100644
--- a/vpn-endpoint.tf
+++ b/vpn-endpoint.tf
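Review bot: The description of `allowed_cidr_ranges` ("List of CIDR ranges from which access is allowed") reads as a source-address filter, but in vpn-endpoint.tf the variable is consumed as `target_network_cidr` of the authorization rules, i.e. the destination networks that VPN clients are authorized to reach; suggested: `description = "Target network CIDRs that VPN clients are authorized to reach"`. Likewise `allowed_access_groups` should spell out the consequence of the empty default, which is the permissive setting, e.g. `description = "Access group IDs to authorize. Leave empty to authorize ALL groups for every CIDR in allowed_cidr_ranges"`. Neither variable carries a `validation` block, so a malformed CIDR surfaces only at apply time; `condition = alltrue([for c in var.allowed_cidr_ranges : can(cidrhost(c, 0))])` (recent Terraform versions) would reject it at plan time.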
@@ -32,3 +32,17 @@ resource "aws_ec2_client_vpn_network_association" "default" {
 subnet_id = element(var.subnet_ids, count.index)
 security_groups = [var.security_group_id == "" ? aws_security_group.default[0].id : var.security_group_id]
 }
+
+resource "aws_ec2_client_vpn_authorization_rule" "all_groups" {
+ count = length(var.allowed_access_groups) > 0 ? 0 : length(var.allowed_cidr_ranges)
+ client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
+ target_network_cidr = var.allowed_cidr_ranges[count.index]
+ authorize_all_groups = true
+}
+
+resource "aws_ec2_client_vpn_authorization_rule" "specific_groups" {
+ count = length(var.allowed_access_groups) * length(var.allowed_cidr_ranges)
+ client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
+ target_network_cidr = element(var.allowed_cidr_ranges, count.index)
+ access_group_id = var.allowed_access_groups[count.index % length(var.allowed_cidr_ranges)]
+}
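Review bot: In `specific_groups`, `access_group_id` indexes `var.allowed_access_groups` with `count.index % length(var.allowed_cidr_ranges)`, the same remainder that `element()` uses to pick the CIDR, so only the diagonal pairs (cidr[j], group[j]) are generated, each repeated `length(var.allowed_access_groups)` times (duplicate rules fail at apply), and the index runs out of range whenever there are fewer groups than CIDRs; the full cross product needs the quotient for the group, `access_group_id = var.allowed_access_groups[floor(count.index / length(var.allowed_cidr_ranges))]`. Because the applied authorization set silently differs from the declared group-to-network matrix, the plan for these rules should be checked against the intended matrix once fixed. Both resources are keyed by `count`, so reordering either list destroys and recreates authorization rules on the next apply; a `for_each` over a map keyed by CIDR and group would avoid that churn. The `all_groups` resource intentionally sets `authorize_all_groups = true` whenever `allowed_access_groups` is empty; a one-line comment above it such as `# No access groups given: every authenticated client is authorized to each CIDR` would keep that fail-open default visible to reviewers.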