diff --git a/internal/authorization/const.go b/internal/authorization/const.go
index 56f1272bbba5b..c6e2aa8ae2284 100644
--- a/internal/authorization/const.go
+++ b/internal/authorization/const.go
@@ -36,6 +36,7 @@ const (
 deny = "deny"
 public = "public"
 system = "system"
+ internal = "internal"
 )
 const (
diff --git a/internal/authorization/ts_app_authorizer.go b/internal/authorization/ts_app_authorizer.go
index 8e379626da12e..e9f02f9c8e6f2 100644
--- a/internal/authorization/ts_app_authorizer.go
+++ b/internal/authorization/ts_app_authorizer.go
@@ -463,8 +463,10 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 if len(app.Spec.Entrances) > 1 {
 entranceId += strconv.Itoa(index)
 }
- domains := []string{
+ localDomains := []string{
 fmt.Sprintf("%s.local.%s", entranceId, userInfo.Zone),
+ }
+ domains := []string{
 fmt.Sprintf("%s.%s", entranceId, userInfo.Zone),
 }
@@ -472,10 +474,8 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 entranceCustomDomain, ok := customDomain[entrance.Name]
 if ok {
 if entranceCustomDomain.ThirdLevelDomain != "" {
- domains = append(domains, []string{
- fmt.Sprintf("%s.local.%s", entranceCustomDomain.ThirdLevelDomain, userInfo.Zone),
- fmt.Sprintf("%s.%s", entranceCustomDomain.ThirdLevelDomain, userInfo.Zone),
- }...)
+ localDomains = append(localDomains, fmt.Sprintf("%s.local.%s", entranceCustomDomain.ThirdLevelDomain, userInfo.Zone))
+ domains = append(domains, fmt.Sprintf("%s.%s", entranceCustomDomain.ThirdLevelDomain, userInfo.Zone))
 }
 if entranceCustomDomain.ThirdPartyDomain != "" {
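Review bot: The new `internal` level constant is added without a comment, and its meaning is only discoverable from ts_app_authorizer.go, where an entrance with `AuthLevel == internal` gets `defaultLocalPolicy = NewLevel(public)` on its `<entrance>.local.<zone>` domains while its other domains keep `defaultPolicy`. Because this value changes which hostnames are evaluated at the `public` level, the semantics belong next to the declaration: `internal = "internal" // local-zone (*.local.<zone>) domains default to public; other domains keep the policy default`. Whether the neighbouring constants carry comments is not visible in this hunk.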
@@ -491,29 +491,35 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 }
 }
- nonPolicy := func(p Level) {
+ nonPolicy := func(p Level, domains []string) {
 rule := &AccessControlRule{
 Position: position,
 Policy: p,
 }
 ruleAddDomain(domains, rule)
- rules = append(rules, rule)
+ position++
 }
- defaulPolicy := userAuth.appDefaultPolicy
- if entrance.AuthLevel != "" && entrance.AuthLevel == "public" {
- defaulPolicy = NewLevel(entrance.AuthLevel)
+ defaultPolicy := userAuth.appDefaultPolicy
+ defaultLocalPolicy := userAuth.appDefaultPolicy
+ if entrance.AuthLevel != "" && entrance.AuthLevel == public {
+ defaultPolicy = NewLevel(entrance.AuthLevel)
+ }
+ if entrance.AuthLevel != "" && entrance.AuthLevel == internal {
+ defaultLocalPolicy = NewLevel(public)
 }
 if !policyExists {
- nonPolicy(defaulPolicy)
+ nonPolicy(defaultPolicy, domains)
+ nonPolicy(defaultLocalPolicy, localDomains)
 continue
 }
 policy, ok := policies[entrance.Name]
 if !ok {
- nonPolicy(defaulPolicy)
+ nonPolicy(defaultPolicy, domains)
+ nonPolicy(defaultLocalPolicy, localDomains)
 continue
 }
@@ -526,6 +532,11 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 }
 }
+ appendRule := func(rule *AccessControlRule) {
+ rules = append(rules, rule)
+ position++
+ }
+
 if policy.SubPolicies != nil {
 for _, sp := range policy.SubPolicies {
 // t.log.Debugf("add app %s rules %s on resource %s", app.Spec.Name, sp.Policy, sp.URI)
@@ -546,10 +557,9 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 }
 ruleAddResources(resources, rule)
 ruleAddDomain(domains, rule)
+ ruleAddDomain(localDomains, rule)
- rules = append(rules, rule)
-
- position++
+ appendRule(rule)
 } // end for policy.SubPolicies.
 } // end if.
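Review bot: The rewritten `nonPolicy` closure never appends the rule it builds — the `rules = append(rules, rule)` line is removed and only `position++` takes its place — so an entrance with no policy (`!policyExists`, or no entry in `policies`) now yields no AccessControlRule at all, although two positions are consumed by the two calls. Whether that fails open or closed depends on how an entrance with no rule is treated by the consumer of `rules`, which is outside this hunk; either way it silently drops the default-policy rules this path exists to emit. Restore the append in the closure body, `ruleAddDomain(domains, rule)` / `rules = append(rules, rule)` / `position++`, or move the `appendRule` helper that hunk @@ -526 introduces above `nonPolicy` and call it there. While here, `entrance.AuthLevel != "" && entrance.AuthLevel == public` reduces to `entrance.AuthLevel == public` (same for the `internal` check). getAppRules starts before and ends after this hunk.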
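Review bot: `ruleAddDomain(localDomains, rule)` is added unconditionally in the sub-policy loop, so for an `internal` entrance the per-resource sub-policy rules still govern the `*.local.<zone>` domains while the default rules emitted later in this function give those domains the `public` level; that asymmetry looks deliberate but is undocumented at the only place where internal entrances are not special-cased. Suggest `// sub-policy rules apply to local domains even for internal entrances; only the default rules below are split by domain` above the added line. The enclosing `for _, sp := range policy.SubPolicies` loop starts outside this hunk.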
@@ -557,34 +567,64 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 othersExp := regexp.MustCompile("^/.+")
 othersResources := []regexp.Regexp{*othersExp}
- if entrance.AuthLevel != "public" {
- defaulPolicy = getLevel(policy.DefaultPolicy)
+ if entrance.AuthLevel != public {
+ defaultPolicy = getLevel(policy.DefaultPolicy)
 }
 ruleOthers := &AccessControlRule{
 Position: position,
- Policy: defaulPolicy,
+ Policy: defaultPolicy,
 DefaultRule: true,
 }
 ruleAddResources(othersResources, ruleOthers)
 ruleAddDomain(domains, ruleOthers)
+ if entrance.AuthLevel != internal {
+ ruleAddDomain(localDomains, ruleOthers)
+ }
+
+ appendRule(ruleOthers)
- rules = append(rules, ruleOthers)
+ // if policy is internal, local and non-local must add two individual rules
+ if entrance.AuthLevel == internal {
+ ruleOthersLocal := &AccessControlRule{
+ Position: position,
+ Policy: defaultLocalPolicy,
+ DefaultRule: true,
+ }
- position++
+ ruleAddResources(othersResources, ruleOthersLocal)
+ ruleAddDomain(localDomains, ruleOthersLocal)
+ appendRule(ruleOthersLocal)
+ }
 // add app root path to default policy with options.
 ruleRoot := &AccessControlRule{
 Position: position,
- Policy: defaulPolicy,
+ Policy: defaultPolicy,
 OneTimeValid: policy.OneTime,
 ValidDuration: time.Duration(policy.Duration) * time.Second,
 DefaultRule: true,
 }
 ruleAddDomain(domains, ruleRoot)
+ if entrance.AuthLevel != internal {
+ ruleAddDomain(localDomains, ruleRoot)
+ }
+
+ appendRule(ruleRoot)
- rules = append(rules, ruleRoot)
+ // if policy is internal, local and non-local must add two individual rules
+ if entrance.AuthLevel == internal {
+ ruleRootLocal := &AccessControlRule{
+ Position: position,
+ Policy: defaultLocalPolicy,
+ OneTimeValid: policy.OneTime,
+ ValidDuration: time.Duration(policy.Duration) * time.Second,
+ DefaultRule: true,
+ }
+ ruleAddDomain(localDomains, ruleRootLocal)
+ appendRule(ruleRootLocal)
+ }
 }
 return rules, nil
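Review bot: Both added comments read `// if policy is internal, ...` but the condition tested is `entrance.AuthLevel == internal`, a property of the entrance rather than of `policy`; in that case `policy.DefaultPolicy` is applied only to the non-local domains and the local twin always carries `defaultLocalPolicy`, which was fixed to `public` earlier in this function. Suggest at both sites: `// internal entrance: non-local domains get defaultPolicy, *.local.<zone> domains get a separate defaultLocalPolicy rule`. The `ruleOthers`/`ruleOthersLocal` and `ruleRoot`/`ruleRootLocal` pairs differ only in Policy and domain list, so the `!= internal` / `== internal` shape is repeated four times; a small helper that appends a rule and, for an internal entrance, its local twin would keep the two default paths from drifting. `ruleRootLocal` also copies `OneTimeValid`/`ValidDuration` from the policy although its level is `public`; if those options have no meaning for a public rule, leave them off the local twin. The enclosing `for` over entrances starts outside this hunk.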