diff --git a/README.md b/README.md
index e4a479bb..83c4d876 100644
--- a/README.md
+++ b/README.md
@@ -276,7 +276,8 @@ proxy_url = VALUE
|------|-------------|------|---------|:--------:|
| [add\_frontend\_containers](#input\_add\_frontend\_containers) | Create cluster with FE containers | `bool` | `true` | no |
| [address\_space](#input\_address\_space) | The range of IP addresses the virtual network uses. | `string` | `"10.0.0.0/16"` | no |
-| [allow\_ssh\_ranges](#input\_allow\_ssh\_ranges) | A list of IP addresses that can use ssh connection with a public network deployment. | `list(string)` | `[]` | no |
+| [allow\_ssh\_ranges](#input\_allow\_ssh\_ranges) | Allow port 22, if not provided, i.e leaving the default empty list, the rule will not be included in the SG | `list(string)` | `[]` | no |
+| [allow\_weka\_api\_ranges](#input\_allow\_weka\_api\_ranges) | Allow port 14000, if not provided, i.e leaving the default empty list, the rule will not be included in the SG | `list(string)` | `[]` | no |
| [apt\_repo\_server](#input\_apt\_repo\_server) | The URL of the apt private repository. | `string` | `""` | no |
| [assign\_public\_ip](#input\_assign\_public\_ip) | Determines whether to assign public ip. | `bool` | `true` | no |
| [blob\_obs\_access\_key](#input\_blob\_obs\_access\_key) | The access key of the existing Blob object store container. | `string` | `""` | no |
diff --git a/examples/public_network/main.tf b/examples/public_network/main.tf
index 717bd522..9a4325b1 100644
--- a/examples/public_network/main.tf
+++ b/examples/public_network/main.tf
@@ -16,4 +16,5 @@ module "weka_deployment" {
cluster_size = 6
tiering_ssd_percent = 20
allow_ssh_ranges = ["0.0.0.0/0"]
+ allow_weka_api_ranges = ["0.0.0.0/0"]
}
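Review bot: The example sets `allow_weka_api_ranges = ["0.0.0.0/0"]`, which admits every source address to the port-14000 rule defined in modules/network/main.tf; the same value is added in examples/public_network_with_existing_obs/main.tf. Examples tend to be copied verbatim, so the line deserves an inline note such as `allow_weka_api_ranges = ["0.0.0.0/0"] # demo value; narrow to the CIDR(s) of your admin network`, and the `allow_ssh_ranges` line above it would benefit from the same remark. The `module "weka_deployment"` block begins before the hunk.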
diff --git a/examples/public_network_with_existing_obs/main.tf b/examples/public_network_with_existing_obs/main.tf
index 788bce6c..38714e5b 100644
--- a/examples/public_network_with_existing_obs/main.tf
+++ b/examples/public_network_with_existing_obs/main.tf
@@ -12,6 +12,7 @@ module "weka_deployment" {
cluster_name = "poc"
cluster_size = 6
allow_ssh_ranges = ["0.0.0.0/0"]
+ allow_weka_api_ranges = ["0.0.0.0/0"]
subscription_id = var.subscription_id
get_weka_io_token = var.get_weka_io_token
set_obs_integration = true
diff --git a/modules/network/README.md b/modules/network/README.md
index e3d590c8..b5783702 100644
--- a/modules/network/README.md
+++ b/modules/network/README.md
@@ -99,6 +99,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [address\_space](#input\_address\_space) | The range of IP addresses the virtual network uses. | `string` | `"10.0.0.0/16"` | no |
| [allow\_ssh\_ranges](#input\_allow\_ssh\_ranges) | A list of IP addresses that can use ssh connection with a public network deployment. | `list(string)` | `[]` | no |
+| [allow\_weka\_api\_ranges](#input\_allow\_weka\_api\_ranges) | Allow port 14000, if not provided, i.e leaving the default empty list, the rule will not be included in the SG | `list(string)` | `[]` | no |
| [prefix](#input\_prefix) | The prefix for all the resource names. For example, the prefix for your system name. | `string` | `"weka"` | no |
| [private\_dns\_rg\_name](#input\_private\_dns\_rg\_name) | The private DNS zone resource group name. Required when private\_dns\_zone\_name is set. | `string` | `""` | no |
| [private\_dns\_zone\_name](#input\_private\_dns\_zone\_name) | The private DNS zone name. | `string` | `""` | no |
diff --git a/modules/network/main.tf b/modules/network/main.tf
index 1f88c967..ff0ad466 100644
--- a/modules/network/main.tf
+++ b/modules/network/main.tf
@@ -69,32 +69,32 @@ resource "azurerm_subnet" "subnet_delegation" {
# ====================== sg ssh ========================== #
resource "azurerm_network_security_rule" "sg_public_ssh" {
- count = var.private_network ? 0 : length(var.allow_ssh_ranges)
+ count = length(var.allow_ssh_ranges)
name = "${var.prefix}-ssh-sg-${count.index}"
resource_group_name = data.azurerm_resource_group.rg.name
- priority = "100${count.index}"
+ priority = 100 + (count.index + 1)
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
- source_address_prefixes = [var.allow_ssh_ranges[count.index]]
+ source_address_prefix = element(var.allow_ssh_ranges, count.index)
destination_address_prefix = "*"
network_security_group_name = azurerm_network_security_group.sg.name
}
# ====================== sg ========================== #
resource "azurerm_network_security_rule" "sg_weka_ui" {
- count = var.private_network ? 0 : 1
- name = "${var.prefix}-ui-sg"
+ count = length(var.allow_weka_api_ranges)
+ name = "${var.prefix}-ui-sg-${count.index}"
resource_group_name = data.azurerm_resource_group.rg.name
- priority = "1002"
+ priority = 200 + (count.index + 1)
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "14000"
- source_address_prefix = "*"
+ source_address_prefix = element(var.allow_weka_api_ranges, count.index)
destination_address_prefix = "*"
network_security_group_name = azurerm_network_security_group.sg.name
}
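Review bot: The per-entry priorities `100 + (count.index + 1)` and `200 + (count.index + 1)` overlap once `allow_ssh_ranges` holds more than 100 entries (SSH index 100 and UI index 0 both resolve to 201), and Azure rejects duplicate priorities within one NSG. Each resource can instead be one rule that takes the whole list through `source_address_prefixes` — the list form the removed `sg_public_ssh` line already used — with `count = length(var.allow_ssh_ranges) > 0 ? 1 : 0` and a fixed priority, so rule count and priorities no longer scale with the list; `sg_weka_ui` gets the same treatment with its own priority. Separately, the `var.private_network ? 0 :` guard is dropped from both counts, so a non-empty list now creates the rule in a private-network deployment too; that may be intended given the new variable descriptions, but it is a behaviour change worth stating in those descriptions.
```hcl
resource "azurerm_network_security_rule" "sg_public_ssh" {
  count                   = length(var.allow_ssh_ranges) > 0 ? 1 : 0
  name                    = "${var.prefix}-ssh-sg"
  # … unchanged: resource_group_name …
  priority                = 101
  # … unchanged: direction, access, protocol, source_port_range, destination_port_range …
  source_address_prefixes = var.allow_ssh_ranges
  # … unchanged: destination_address_prefix, network_security_group_name …
}
```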
diff --git a/modules/network/variables.tf b/modules/network/variables.tf
index 589f6432..a791b2f6 100644
--- a/modules/network/variables.tf
+++ b/modules/network/variables.tf
@@ -51,6 +51,12 @@ variable "allow_ssh_ranges" {
default = []
}
+variable "allow_weka_api_ranges" {
+ type = list(string)
+ description = "Allow port 14000, if not provided, i.e leaving the default empty list, the rule will not be included in the SG"
+ default = []
+}
+
variable "vnet_rg_name" {
type = string
default = ""
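Review bot: `allow_weka_api_ranges` carries no `validation` block, so an entry that is not a CIDR block — a bare address with no prefix length, or `*`, which Azure accepts as a source prefix — flows unchecked into `source_address_prefix` of the port-14000 rule; a variable-level check fails the plan with a clear message instead. The same gap exists for `allow_ssh_ranges` directly above this hunk and for both root-level copies in variables.tf. In the description, `i.e` should read `i.e.`. The `vnet_rg_name` block at the end of the hunk continues outside it.
```hcl
variable "allow_weka_api_ranges" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for r in var.allow_weka_api_ranges : can(cidrhost(r, 0))])
    error_message = "Each allow_weka_api_ranges entry must be a CIDR block, e.g. 203.0.113.0/24."
  }
}
```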
diff --git a/variables.tf b/variables.tf
index 3a19f9bf..d59bc82c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,7 +27,13 @@ variable "subnet_prefix" {
variable "allow_ssh_ranges" {
type = list(string)
- description = "A list of IP addresses that can use ssh connection with a public network deployment."
+ description = "Allow port 22, if not provided, i.e leaving the default empty list, the rule will not be included in the SG"
+ default = []
+}
+
+variable "allow_weka_api_ranges" {
+ type = list(string)
+ description = "Allow port 14000, if not provided, i.e leaving the default empty list, the rule will not be included in the SG"
default = []
}
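Review bot: The root-level `allow_weka_api_ranges` is declared here, but no change to the root module's call of `modules/network` forwarding it (`allow_weka_api_ranges = var.allow_weka_api_ranges`) appears in this diff; unless that line already exists in the root main.tf, the value set in the updated examples is accepted by the root module and then never reaches the network module, whose `count = length(var.allow_weka_api_ranges)` would stay at 0 and leave port 14000 unreachable. Worth confirming the wiring before merge. The `allow_ssh_ranges` block at the top of the hunk starts before it.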