diff --git a/google-beta/resource_data_fusion_instance.go b/google-beta/resource_data_fusion_instance.go
index ee5143d2d9..3a3268ea5b 100644
--- a/google-beta/resource_data_fusion_instance.go
+++ b/google-beta/resource_data_fusion_instance.go
@@ -84,6 +84,32 @@ available, such as support for streaming pipelines, higher number of concurrent
 such as Compute Engine VMs.`,
 				Elem: &schema.Schema{Type: schema.TypeString},
 			},
+			"network_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				ForceNew:    true,
+				Description: `Network configuration options. These are required when a private Data Fusion instance is to be created.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"ip_allocation": {
+							Type:     schema.TypeString,
+							Required: true,
+							ForceNew: true,
+							Description: `The IP range in CIDR notation to use for the managed Data Fusion instance
+nodes. This range must not overlap with any other ranges used in the Data Fusion instance network.`,
+						},
+						"network": {
+							Type:     schema.TypeString,
+							Required: true,
+							ForceNew: true,
+							Description: `Name of the network in the project with which the tenant project
+will be peered for executing pipelines. In case of shared VPC where the network resides in another host 
+project the network should specified in the form of projects/{host-project-id}/global/networks/{network}`,
+						},
+					},
+				},
+			},
 			"options": {
 				Type:        schema.TypeMap,
 				Optional:    true,
@@ -91,6 +117,14 @@ such as Compute Engine VMs.`,
 				Description: `Map of additional options used to configure the behavior of Data Fusion instance.`,
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
+			"private_instance": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+				Description: `Specifies whether the Data Fusion instance should be private. If set to
+true, all Data Fusion nodes will have private IP addresses and will not be
+able to access the public internet.`,
+			},
 			"region": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -190,6 +224,18 @@ func resourceDataFusionInstanceCreate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("options"); !isEmptyValue(reflect.ValueOf(optionsProp)) && (ok || !reflect.DeepEqual(v, optionsProp)) {
 		obj["options"] = optionsProp
 	}
+	privateInstanceProp, err := expandDataFusionInstancePrivateInstance(d.Get("private_instance"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("private_instance"); !isEmptyValue(reflect.ValueOf(privateInstanceProp)) && (ok || !reflect.DeepEqual(v, privateInstanceProp)) {
+		obj["privateInstance"] = privateInstanceProp
+	}
+	networkConfigProp, err := expandDataFusionInstanceNetworkConfig(d.Get("network_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("network_config"); !isEmptyValue(reflect.ValueOf(networkConfigProp)) && (ok || !reflect.DeepEqual(v, networkConfigProp)) {
+		obj["networkConfig"] = networkConfigProp
+	}
 
 	url, err := replaceVars(d, config, "{{DataFusionBasePath}}projects/{{project}}/locations/{{region}}/instances?instanceId={{name}}")
 	if err != nil {
@@ -296,6 +342,12 @@ func resourceDataFusionInstanceRead(d *schema.ResourceData, meta interface{}) er
 	if err := d.Set("version", flattenDataFusionInstanceVersion(res["version"], d)); err != nil {
 		return fmt.Errorf("Error reading Instance: %s", err)
 	}
+	if err := d.Set("private_instance", flattenDataFusionInstancePrivateInstance(res["privateInstance"], d)); err != nil {
+		return fmt.Errorf("Error reading Instance: %s", err)
+	}
+	if err := d.Set("network_config", flattenDataFusionInstanceNetworkConfig(res["networkConfig"], d)); err != nil {
+		return fmt.Errorf("Error reading Instance: %s", err)
+	}
 
 	return nil
 }
@@ -460,6 +512,33 @@ func flattenDataFusionInstanceVersion(v interface{}, d *schema.ResourceData) int
 	return v
 }
 
+func flattenDataFusionInstancePrivateInstance(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+
+func flattenDataFusionInstanceNetworkConfig(v interface{}, d *schema.ResourceData) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["ip_allocation"] =
+		flattenDataFusionInstanceNetworkConfigIpAllocation(original["ipAllocation"], d)
+	transformed["network"] =
+		flattenDataFusionInstanceNetworkConfigNetwork(original["network"], d)
+	return []interface{}{transformed}
+}
+func flattenDataFusionInstanceNetworkConfigIpAllocation(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+
+func flattenDataFusionInstanceNetworkConfigNetwork(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+
 func expandDataFusionInstanceName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return replaceVars(d, config, "projects/{{project}}/locations/{{region}}/instances/{{name}}")
 }
@@ -501,3 +580,41 @@ func expandDataFusionInstanceOptions(v interface{}, d TerraformResourceData, con
 	}
 	return m, nil
 }
+
+func expandDataFusionInstancePrivateInstance(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandDataFusionInstanceNetworkConfig(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedIpAllocation, err := expandDataFusionInstanceNetworkConfigIpAllocation(original["ip_allocation"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedIpAllocation); val.IsValid() && !isEmptyValue(val) {
+		transformed["ipAllocation"] = transformedIpAllocation
+	}
+
+	transformedNetwork, err := expandDataFusionInstanceNetworkConfigNetwork(original["network"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedNetwork); val.IsValid() && !isEmptyValue(val) {
+		transformed["network"] = transformedNetwork
+	}
+
+	return transformed, nil
+}
+
+func expandDataFusionInstanceNetworkConfigIpAllocation(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandDataFusionInstanceNetworkConfigNetwork(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
diff --git a/google-beta/resource_data_fusion_instance_generated_test.go b/google-beta/resource_data_fusion_instance_generated_test.go
index 3cb3ddcada..919eea532b 100644
--- a/google-beta/resource_data_fusion_instance_generated_test.go
+++ b/google-beta/resource_data_fusion_instance_generated_test.go
@@ -80,12 +80,17 @@ resource "google_data_fusion_instance" "extended_instance" {
   name = "my-instance%{random_suffix}"
   description = "My Data Fusion instance"
   region = "us-central1"
-  type = "ENTERPRISE"
+  type = "BASIC"
   enable_stackdriver_logging = true
   enable_stackdriver_monitoring = true
   labels = {
     example_key = "example_value"
   }
+  private_instance = true
+  network_config {
+    network = "default"
+    ip_allocation = "10.89.48.0/22"
+  }
 }
 `, context)
 }
diff --git a/website/docs/r/data_fusion_instance.html.markdown b/website/docs/r/data_fusion_instance.html.markdown
index b6962d2eab..e459f5354d 100644
--- a/website/docs/r/data_fusion_instance.html.markdown
+++ b/website/docs/r/data_fusion_instance.html.markdown
@@ -63,12 +63,17 @@ resource "google_data_fusion_instance" "extended_instance" {
   name = "my-instance"
   description = "My Data Fusion instance"
   region = "us-central1"
-  type = "ENTERPRISE"
+  type = "BASIC"
   enable_stackdriver_logging = true
   enable_stackdriver_monitoring = true
   labels = {
     example_key = "example_value"
   }
+  private_instance = true
+  network_config {
+    network = "default"
+    ip_allocation = "10.89.48.0/22"
+  }
 }
 ```
 
@@ -116,6 +121,16 @@ The following arguments are supported:
   (Optional)
   Map of additional options used to configure the behavior of Data Fusion instance.
 
+* `private_instance` -
+  (Optional)
+  Specifies whether the Data Fusion instance should be private. If set to
+  true, all Data Fusion nodes will have private IP addresses and will not be
+  able to access the public internet.
+
+* `network_config` -
+  (Optional)
+  Network configuration options. These are required when a private Data Fusion instance is to be created.  Structure is documented below.
+
 * `region` -
   (Optional)
   The region of the Data Fusion instance.
@@ -124,6 +139,19 @@ The following arguments are supported:
     If it is not provided, the provider project is used.
 
 
+The `network_config` block supports:
+
+* `ip_allocation` -
+  (Required)
+  The IP range in CIDR notation to use for the managed Data Fusion instance
+  nodes. This range must not overlap with any other ranges used in the Data Fusion instance network.
+
+* `network` -
+  (Required)
+  Name of the network in the project with which the tenant project
+  will be peered for executing pipelines. In case of shared VPC where the network resides in another host 
+  project the network should specified in the form of projects/{host-project-id}/global/networks/{network}
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: