diff --git a/examples/artifactory-to-artifact-registry/main.tf b/examples/artifactory-to-artifact-registry/main.tf
index e61bd05..03a4b71 100644
--- a/examples/artifactory-to-artifact-registry/main.tf
+++ b/examples/artifactory-to-artifact-registry/main.tf
@@ -97,6 +97,7 @@ module "pubsub2inbox" {
 available_memory_mb = 2048 # Container contents have to be kept in memory, so the function might need a lot of memory
 available_cpu = 2
 vpc_connector = var.vpc_config.create_connector ? google_vpc_access_connector.connector[0].id : var.vpc_config.connector
+ ingress_settings = var.ingress_settings
 service_account = "artifactory-to-ar"
 pubsub_topic = module.pubsub.id
diff --git a/examples/artifactory-to-artifact-registry/variables.tf b/examples/artifactory-to-artifact-registry/variables.tf
index 8df8a12..a6f8f97 100644
--- a/examples/artifactory-to-artifact-registry/variables.tf
+++ b/examples/artifactory-to-artifact-registry/variables.tf
@@ -63,3 +63,12 @@ variable "tls_verify" {
 default = true
 description = "Set false to disable TLS verify of JFrog's cert. This allows JFrog to use a self-signed cert."
 }
+
+variable "ingress_settings" {
+ type = string
+ # See
+ # - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function#ingress_settings
+ # - https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings
+ description = "VPC Service Controls ingress settings for the Cloud Functions. Default value is ALLOW_ALL. Possible values are: ALLOW_ALL, ALLOW_INTERNAL_ONLY, ALLOW_INTERNAL_AND_GCLB."
+ default = "ALLOW_ALL"
+}
diff --git a/main.tf b/main.tf
index a3e8cb0..c585559 100644
--- a/main.tf
+++ b/main.tf
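Review bot: The `ingress_settings` variable added to examples/artifactory-to-artifact-registry/variables.tf is a free-form string with no `validation` block, so rejecting a mistyped or wrong-case value is left to the provider rather than to a clear message from the module. Because this value decides whether the function accepts requests from the internet, I would constrain it to the three values the description already lists, as shown below. The identical variable added to the root variables.tf has the same gap and should get the same block.

```hcl
variable "ingress_settings" {
  # … unchanged: type, reference links, description, default …
  validation {
    condition     = contains(["ALLOW_ALL", "ALLOW_INTERNAL_ONLY", "ALLOW_INTERNAL_AND_GCLB"], var.ingress_settings)
    error_message = "ingress_settings must be one of ALLOW_ALL, ALLOW_INTERNAL_ONLY or ALLOW_INTERNAL_AND_GCLB."
  }
}
```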
@@ -426,6 +426,7 @@ resource "google_cloudfunctions2_function" "function" {
 available_cpu = var.available_cpu != null ? var.available_cpu : "0.333"
 timeout_seconds = var.function_timeout
 vpc_connector = var.vpc_connector
+ ingress_settings = var.ingress_settings
 environment_variables = {
 CONFIG = google_secret_manager_secret_version.config-secret-version.name
 LOG_LEVEL = var.log_level
@@ -790,6 +791,7 @@ resource "google_cloudfunctions2_function" "json2pubsub-function" {
 available_memory = "256M"
 timeout_seconds = var.function_timeout
 max_instance_request_concurrency = 1
+ ingress_settings = var.ingress_settings
 environment_variables = {
 GOOGLE_CLOUD_PROJECT = var.project_id
 PUBSUB_TOPIC = basename(var.pubsub_topic)
diff --git a/variables.tf b/variables.tf
index 1a272e6..f8b75af 100644
--- a/variables.tf
+++ b/variables.tf
@@ -262,3 +262,12 @@ variable "deploy_json2pubsub" {
 grant_sa_user = null
 }
 }
+
+variable "ingress_settings" {
+ type = string
+ # See
+ # - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function#ingress_settings
+ # - https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings
+ description = "VPC Service Controls ingress settings for the Cloud Functions. Default value is ALLOW_ALL. Possible values are: ALLOW_ALL, ALLOW_INTERNAL_ONLY, ALLOW_INTERNAL_AND_GCLB."
+ default = "ALLOW_ALL"
+}
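Review bot: In the `json2pubsub-function` hunk (-790) the function receives the same `var.ingress_settings` as the main `function` resource (-426), so the two cannot be restricted independently. If json2pubsub is the HTTP endpoint that outside senders post to (inferred from its name and the `PUBSUB_TOPIC` variable, not visible here), an operator who must keep it reachable has to leave the main function at ALLOW_ALL too. Consider an optional `ingress_settings` attribute on `var.deploy_json2pubsub`, used here as `ingress_settings = coalesce(var.deploy_json2pubsub.ingress_settings, var.ingress_settings)`. Both resource bodies start and end outside their hunks, so confirm how each function is triggered before choosing defaults.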
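Review bot: The description in the root variables.tf calls this "VPC Service Controls ingress settings", but the value is the function's own network ingress setting, which is a separate control from a VPC Service Controls perimeter. The ALLOW_ALL default leaves the functions reachable from the internet; that appears to match the provider default and so preserves existing behaviour, but the description should say so and note that ingress filtering does not replace invoker IAM. Suggested wording: `description = "Network ingress setting for the Cloud Functions. The default ALLOW_ALL accepts requests from the internet; use ALLOW_INTERNAL_ONLY or ALLOW_INTERNAL_AND_GCLB to restrict. Does not replace IAM invoker permissions."` The same description appears in examples/artifactory-to-artifact-registry/variables.tf.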