diff --git a/terraform/environments/oasys-national-reporting/locals_security_groups.tf b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
index 965602e839e..5a6c64f0894 100644
--- a/terraform/environments/oasys-national-reporting/locals_security_groups.tf
+++ b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
@@ -6,12 +6,15 @@ locals {
     enduserclient_internal = flatten([
       "10.0.0.0/8",
     ])
-    enduserclient_public = flatten([
-      module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
-      module.ip_addresses.azure_fixngo_cidrs.internet_egress,
-      module.ip_addresses.mp_cidrs.live_eu_west_nat,
-    ])
-    noms_core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
+    # enduserclient_public = flatten([
+    #   module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+    #   module.ip_addresses.azure_fixngo_cidrs.internet_egress,
+    #   module.ip_addresses.mp_cidrs.live_eu_west_nat,
+    # ])
+    enduserclient_public_trusted_moj_digital_staff_public = module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+    enduserclient_public_azure_internet_egress = module.ip_addresses.azure_fixngo_cidrs.internet_egress
+    enduserclient_public_live_eu_west_nat = module.ip_addresses.mp_cidrs.live_eu_west_nat
+    noms_core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
     oasys_db = flatten([
       module.ip_addresses.mp_cidr[module.environment.vpc_name],
       module.ip_addresses.azure_fixngo_cidrs.devtest_oasys_db,
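Review bot: The old `enduserclient_public` definition is left in as a commented-out block rather than deleted, so the file now carries two descriptions of which public CIDRs are trusted, and version control already preserves the history. Delete the five `# enduserclient_public` lines and record the intent instead, e.g. `# Public ingress sources are kept as separate locals so each LB rule names the single trusted range it admits`. The three new locals also drop the `flatten()` the old list had; that is fine if each `module.ip_addresses` output is already a flat `list(string)`, which this hunk does not show, so confirm it, since `cidr_blocks` will reject a nested list at plan time. The `locals` block starts before and continues after this hunk.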
@@ -28,12 +31,15 @@ locals {
     enduserclient_internal = [
       "10.0.0.0/8"
     ]
-    enduserclient_public = flatten([
-      module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
-      module.ip_addresses.azure_fixngo_cidrs.internet_egress,
-      module.ip_addresses.mp_cidrs.live_eu_west_nat,
-    ])
-    noms_core = module.ip_addresses.azure_fixngo_cidrs.prod_core
+    # enduserclient_public = flatten([
+    #   module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+    #   module.ip_addresses.azure_fixngo_cidrs.internet_egress,
+    #   module.ip_addresses.mp_cidrs.live_eu_west_nat,
+    # ])
+    enduserclient_public_trusted_moj_digital_staff_public = module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+    enduserclient_public_azure_internet_egress = module.ip_addresses.azure_fixngo_cidrs.internet_egress
+    enduserclient_public_live_eu_west_nat = module.ip_addresses.mp_cidrs.live_eu_west_nat
+    noms_core = module.ip_addresses.azure_fixngo_cidrs.prod_core
     oasys_db = flatten([
       module.ip_addresses.mp_cidr[module.environment.vpc_name],
       module.ip_addresses.azure_fixngo_cidrs.prod_oasys_db,
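Review bot: The production copy of the CIDR map keeps the same commented-out `enduserclient_public` block as the devtest copy; it should be deleted here too rather than left as dead configuration, because a reader auditing the production security-group sources may take it for the effective allow-list. The devtest and production maps now appear to differ only in `noms_core` and `oasys_db`, so if one-local-per-source is the intended convention a comment such as `# One local per trusted public source; consumed by the http_lb_*/https_lb_* rules` would stop the next editor re-merging them into a single list. The `locals` block starts before and continues after this hunk.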
@@ -63,19 +69,47 @@ locals {
         protocol = -1
         self = true
       }
-      http_lb = {
-        description = "Allow http ingress"
+      http_lb_staff_public = {
+        description = "Allow http ingress from trusted_moj_digital_staff_public"
+        from_port = 80
+        to_port = 80
+        protocol = "TCP"
+        cidr_blocks = local.security_group_cidrs.enduserclient_public_trusted_moj_digital_staff_public
+      }
+      http_lb_internet_egress = {
+        description = "Allow http ingress from azure internet egress"
+        from_port = 80
+        to_port = 80
+        protocol = "TCP"
+        cidr_blocks = local.security_group_cidrs.enduserclient_public_azure_internet_egress
+      }
+      http_lb_live_eu_west_nat = {
+        description = "Allow http ingress from public live eu west nat"
         from_port = 80
         to_port = 80
         protocol = "TCP"
-        cidr_blocks = local.security_group_cidrs.enduserclient_public
+        cidr_blocks = local.security_group_cidrs.enduserclient_public_live_eu_west_nat
       }
-      https_lb = {
+      https_lb_staff_public = {
         description = "Allow enduserclient https ingress"
         from_port = 443
         to_port = 443
         protocol = "TCP"
-        cidr_blocks = local.security_group_cidrs.enduserclient_public
+        cidr_blocks = local.security_group_cidrs.enduserclient_public_trusted_moj_digital_staff_public
+      }
+      https_lb_internet_egress = {
+        description = "Allow http ingress from azure internet egress"
+        from_port = 443
+        to_port = 443
+        protocol = "TCP"
+        cidr_blocks = local.security_group_cidrs.enduserclient_public_azure_internet_egress
+      }
+      https_lb_live_eu_west_nat = {
+        description = "Allow http ingress from public live eu west nat"
+        from_port = 443
+        to_port = 443
+        protocol = "TCP"
+        cidr_blocks = local.security_group_cidrs.enduserclient_public_live_eu_west_nat
       }
     }
     egress = {
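Review bot: The descriptions on the new `https_lb_internet_egress` and `https_lb_live_eu_west_nat` rules read "Allow http ingress" although both open port 443, a copy-paste from the port-80 rules, and `https_lb_staff_public` keeps the generic "Allow enduserclient https ingress" while its siblings name their source. Security-group rule descriptions are what an auditor sees in the console and in access reviews, so they should state exactly what the rule admits: `description = "Allow https ingress from trusted_moj_digital_staff_public"`, `description = "Allow https ingress from azure internet egress"`, `description = "Allow https ingress from public live eu west nat"`. Splitting each rule into three per source also triples the rule count on this group; the hunk does not show its other rules, so check the group stays within the per-direction rule quota once `cidr_blocks` lists are expanded. The enclosing `ingress` map starts before this hunk and the `egress` map continues after it.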