diff --git a/solutions/client-landing-zone/README.md b/solutions/client-landing-zone/README.md
index 88d58158c..185a626db 100755
--- a/solutions/client-landing-zone/README.md
+++ b/solutions/client-landing-zone/README.md
@@ -15,6 +15,7 @@ Package to create a client's folder hierarchy, logging resources and a network h
 | Name | Value | Type | Count |
 |--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|-------|
 | allowed-os-update-domains | ["debian.map.fastlydns.net", "debian.org", "deb.debian.org", "ubuntu.com", "packages.cloud.google.com", "security.ubuntu.com", "northamerica-northeast1.gce.archive.ubuntu.com", "northamerica-northeast2.gce.archive.ubuntu.com"] | array | 1 |
+| allowed-os-update-source-ip-ranges | ["10.1.0.0/21", "10.1.8.0/21", "10.1.128.0/21", "10.1.136.0/21"] | array | 1 |
 | client-billing-id | AAAAAA-BBBBBB-CCCCCC | str | 1 |
 | client-folderviewer | group:client1@example.com | str | 1 |
 | client-name | client1 | str | 185 |
diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml
index 164a51c3c..969816944 100644
--- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml
+++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml
@@ -34,8 +34,8 @@ spec:
 ports:
 - "80"
 - "443"
- srcIPRanges:
- - "10.0.0.0/8"
+ srcIPRanges: # kpt-set: ${allowed-os-update-source-ip-ranges}
+ - "n.n.n.n/n"
 destFqdns: # kpt-set: ${allowed-os-update-domains}
 - "example.com"
 priority: 5000
diff --git a/solutions/client-landing-zone/setters.yaml b/solutions/client-landing-zone/setters.yaml
index ba55a9005..348a3356d 100644
--- a/solutions/client-landing-zone/setters.yaml
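Review bot: The new placeholder `- "n.n.n.n/n"` under srcIPRanges is not a syntactically valid CIDR, so a copy of this package that is applied without rendering the setters will presumably be rejected by the firewall-policy API instead of silently keeping the old 10.0.0.0/8 allowance; that fail-closed behaviour is desirable but looks accidental, so state it next to the placeholder, e.g. `# intentionally invalid: an unrendered package must fail to apply rather than fall back to a broad range`. A second line pointing at the source of the real value would help the next maintainer, e.g. `# value comes from setters.yaml (allowed-os-update-source-ip-ranges); keep it to the *main-snet subnets or narrower`. The enclosing rule (under spec:) starts above this hunk, so its direction and action are not visible here; the note about scope should be confirmed against them.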
+++ b/solutions/client-landing-zone/setters.yaml
@@ -123,6 +123,19 @@ data:
 - "northamerica-northeast1.gce.archive.ubuntu.com"
 - "northamerica-northeast2.gce.archive.ubuntu.com"
 #
+ # the source IP ranges allowed to access the domains listed above
+ # the ranges should match the values of the '*main-snet' setters configured earlier:
+ # - standard-nane1-nonp-main-snet
+ # - standard-nane2-nonp-main-snet
+ # - standard-nane1-pbmm-main-snet
+ # - standard-nane2-pbmm-main-snet
+ # OR a list of more restrictive ranges within those subnets (for example, 10.1.1.5/32)
+ allowed-os-update-source-ip-ranges: |
+ - "10.1.0.0/21"
+ - "10.1.8.0/21"
+ - "10.1.128.0/21"
+ - "10.1.136.0/21"
+ #
 ##########################
 # DNS
 ##########################
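Review bot: The new comment says these ranges "should match" the `*main-snet` setters, but nothing in the package ties the two values together, so the list added here will silently drift the first time one of those subnets is changed and the firewall rule will then either over-allow or block updates. At minimum add a maintenance note, e.g. `# NOTE: nothing validates this list against the *main-snet setters; update both together`, and consider a render-time or CI check that each entry is contained in one of the main-snet ranges. The defaults are whole /21 subnets, so any VM in those subnets may reach the update mirrors; the per-host form the comment mentions (`10.1.1.5/32`) is the tighter option and the comment could say it is preferred where the updating hosts are known.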