diff --git a/mmv1/products/beyondcorp/Application.yaml b/mmv1/products/beyondcorp/Application.yaml
new file mode 100644
index 000000000000..0a28975dd61e
--- /dev/null
+++ b/mmv1/products/beyondcorp/Application.yaml
@@ -0,0 +1,119 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: Application
+description: Specifies application endpoint(s) to protect behind a Security Gateway.
+base_url: projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications
+update_mask: true
+self_link: projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications/{{application_id}}
+create_url: projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications?applicationId={{application_id}}
+update_verb: PATCH
+id_format: projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications/{{application_id}}
+import_format:
+  - projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications/{{application_id}}
+iam_policy:
+  method_name_separator: ':'
+  iam_conditions_request_type: 'QUERY_PARAM_NESTED'
+  allowed_iam_role: 'roles/beyondcorp.securityGatewayUser'
+  parent_resource_attribute: 'application_id'
+  import_format:
+    - 'projects/{{project}}/locations/global/securityGateways/{{security_gateways_id}}/applications/{{application_id}}'
+    - '{{application_id}}'
+examples:
+  - name: beyondcorp_security_gateway_application_basic
+    primary_resource_id: example
+    primary_resource_name: 'fmt.Sprintf("default%s", context["random_suffix"]), fmt.Sprintf("google%s", context["random_suffix"])'
+    vars:
+      security_gateway_name: default
+      application_name: google
+autogen_async: true
+async:
+  operation:
+    timeouts:
+      insert_minutes: 20
+      update_minutes: 20
+      delete_minutes: 20
+    base_url: '{{op_id}}'
+  actions:
+    - create
+    - delete
+    - update
+  type: OpAsync
+  result:
+    resource_inside_response: true
+  include_project: false
+autogen_status: QXBwbGljYXRpb24=
+parameters:
+  - name: securityGatewaysId
+    type: String
+    description: Part of `parent`. See documentation of `projectsId`.
+    immutable: true
+    url_param_only: true
+    required: true
+  - name: applicationId
+    type: String
+    description: |-
+      Optional. User-settable Application resource ID.
+      * Must start with a letter.
+      * Must contain between 4-63 characters from `/a-z-/`.
+      * Must end with a number or letter.
+    immutable: true
+    url_param_only: true
+    required: true
+properties:
+  - name: createTime
+    type: String
+    description: Output only. Timestamp when the resource was created.
+    output: true
+  - name: displayName
+    type: String
+    description: |-
+      Optional. An arbitrary user-provided name for the Application resource.
+      Cannot exceed 64 characters.
+  - name: endpointMatchers
+    type: Array
+    description: |-
+      Required. Endpoint matchers associated with an application.
+      A combination of hostname and ports as endpoint matcher is used to match
+      the application.
+      Match conditions for OR logic.
+      An array of match conditions to allow for multiple matching criteria.
+      The rule is considered a match if one the conditions are met.
+      The conditions can be one of the following combination
+      (Hostname), (Hostname & Ports)
+
+      EXAMPLES:
+      Hostname - ("*.abc.com"), ("xyz.abc.com")
+      Hostname and Ports - ("abc.com" and "22"), ("abc.com" and "22,33") etc
+    required: true
+    item_type:
+      type: NestedObject
+      properties:
+        - name: hostname
+          type: String
+          description: Required. Hostname of the application.
+          required: true
+        - name: ports
+          type: Array
+          description: Optional. Ports of the application.
+          item_type:
+            type: Integer
+  - name: name
+    type: String
+    description: Identifier. Name of the resource.
+    output: true
+  - name: updateTime
+    type: String
+    description: Output only. Timestamp when the resource was last modified.
+    output: true
diff --git a/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_basic.tf.tmpl b/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_basic.tf.tmpl
new file mode 100644
index 000000000000..264aadfd924d
--- /dev/null
+++ b/mmv1/templates/terraform/examples/beyondcorp_security_gateway_application_basic.tf.tmpl
@@ -0,0 +1,13 @@
+resource "google_beyondcorp_security_gateway" "default" {
+  security_gateway_id = "{{index $.Vars "security_gateway_name"}}"
+  display_name = "My Security Gateway resource"
+  hubs { region = "us-central1" }
+}
+
+resource "google_beyondcorp_application" "{{$.PrimaryResourceId}}" {
+  security_gateways_id = google_beyondcorp_security_gateway.default.security_gateway_id
+  application_id = "{{index $.Vars "application_name"}}"
+  endpoint_matchers {
+    hostname = "google.com"
+  }
+}
diff --git a/mmv1/third_party/terraform/services/beyondcorp/resource_beyondcorp_application_test.go b/mmv1/third_party/terraform/services/beyondcorp/resource_beyondcorp_application_test.go
new file mode 100644
index 000000000000..28086bc32df4
--- /dev/null
+++ b/mmv1/third_party/terraform/services/beyondcorp/resource_beyondcorp_application_test.go
@@ -0,0 +1,85 @@
+package beyondcorp_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+)
+
+func TestAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationBasicExample_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationBasicExample_basic(context),
+			},
+			{
+				ResourceName:            "google_beyondcorp_application.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"application_id", "security_gateways_id"},
+			},
+			{
+				Config: testAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationBasicExample_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_beyondcorp_application.example", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_beyondcorp_application.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"application_id", "security_gateways_id"},
+			},
+		},
+	})
+}
+
+func testAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationBasicExample_basic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_beyondcorp_security_gateway" "default" {
+  security_gateway_id = "default%{random_suffix}"
+  display_name = "My Security Gateway resource"
+  hubs { region = "us-central1" }
+}
+
+resource "google_beyondcorp_application" "example" {
+  security_gateways_id = google_beyondcorp_security_gateway.default.security_gateway_id
+  application_id = "google%{random_suffix}"
+  endpoint_matchers {
+    hostname = "google.com"
+  }
+}
+`, context)
+}
+
+func testAccBeyondcorpApplication_beyondcorpSecurityGatewayApplicationBasicExample_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_beyondcorp_security_gateway" "default" {
+  security_gateway_id = "default%{random_suffix}"
+  display_name = "My Security Gateway resource"
+  hubs { region = "us-central1" }
+}
+
+resource "google_beyondcorp_application" "example" {
+  security_gateways_id = google_beyondcorp_security_gateway.default.security_gateway_id
+  display_name = "Updated Name"
+  application_id = "google%{random_suffix}"
+  endpoint_matchers {
+    hostname = "google.com"
+  }
+}
+`, context)
+}