diff --git a/cesnet-mcc/terraform/vms.tf b/cesnet-mcc/terraform/vms.tf
index 2f8d2e90fadc0afe6b06ab6b8c8732c7ea4eb0ee..00ddae54e0bf0b83aa20d5a9a7a892ac216d6441 100644
--- a/cesnet-mcc/terraform/vms.tf
+++ b/cesnet-mcc/terraform/vms.tf
@@ -51,6 +51,36 @@ resource "openstack_compute_secgroup_v2" "ssh" {
   }
 }
 
+resource "openstack_compute_secgroup_v2" "admin_http" {
+  name        = "admin http"
+  description = "admin http/https"
+
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "78.128.128.0/17"
+  }
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "2001:718:ff05::/48"
+  }
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "147.228.0.0/16"
+  }
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "2001:718:1801::/48"
+  }
+}
+
 resource "openstack_compute_secgroup_v2" "http" {
   name        = "http"
   description = "http/https"
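Review bot: The new group's name and description (`admin http` / `admin http/https`) do not match what it opens: all four rules allow only tcp/6443, not 80 or 443. The label is what an operator sees when auditing firewall rules, so it should name the port and its purpose, for example `description = "admin access to tcp/6443 from listed networks"`. The sources are wide (an IPv4 /17 and /16 plus two IPv6 /48s), so a one-line comment above each rule naming the owning network, e.g. `# <owner of 78.128.128.0/17>`, would let a reviewer judge whether every host in those ranges should reach this port. If a narrower admin subnet or VPN range exists, it would be the safer source.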
@@ -134,7 +164,7 @@ resource "openstack_compute_instance_v2" "ingress" {
   name            = "k8s-${var.site_name}-w-ingress"
   image_id        = data.openstack_images_image_v2.ubuntu.id
   flavor_id       = data.openstack_compute_flavor_v2.worker-flavor.id
-  security_groups = ["default", openstack_compute_secgroup_v2.ping.name, openstack_compute_secgroup_v2.ssh.name, openstack_compute_secgroup_v2.http.name]
+  security_groups = ["default", openstack_compute_secgroup_v2.ping.name, openstack_compute_secgroup_v2.ssh.name, openstack_compute_secgroup_v2.admin_http.name, openstack_compute_secgroup_v2.http.name]
   user_data       = file("cloud-init.yaml")
   tags            = ["worker"]
   network {
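Review bot: Attaching `admin_http` here opens tcp/6443 on the ingress worker (`k8s-${var.site_name}-w-ingress`, tagged `worker`), and nothing visible in the hunk says which service listens on that port on this node. 6443 is the conventional Kubernetes API server port, so if that is what is being exposed, it is worth confirming that the ingress node is the intended entry point rather than a control-plane instance, and that the endpoint rejects anonymous requests. A short comment above the line, such as `# admin_http: tcp/6443 for <service> from admin networks`, would record the intent. The resource body starts and ends outside the hunk.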