diff --git a/README.md b/README.md
index 2cb8ea1..1585029 100644
--- a/README.md
+++ b/README.md
@@ -93,6 +93,8 @@ module "fck-nat" {
| [use\_spot\_instances](#input\_use\_spot\_instances) | Whether or not to use spot instances for running the NAT instance | `bool` | `false` | no |
| [use\_ssh](#input\_use\_ssh) | Whether or not to enable SSH access to the NAT instance | `bool` | `false` | no |
| [vpc\_id](#input\_vpc\_id) | VPC ID to deploy the NAT instance into | `string` | n/a | yes |
+| [use\_default\_ingress](#input\_use\_default\_ingress) | Unrestricted ingress from within VPC to the NAT instance | `bool` | `true` | no |
+| [use\_default\_egress](#input\_use\_default\_egress) | Unrestricted egress from the NAT instance to the public internet | `bool` | `true` | no |
## Outputs
diff --git a/main.tf b/main.tf
index 50628fb..0ed3c90 100644
--- a/main.tf
+++ b/main.tf
@@ -19,16 +19,20 @@ resource "aws_security_group" "main" {
description = "Used in ${var.name} instance of fck-nat in subnet ${var.subnet_id}"
vpc_id = data.aws_vpc.main.id
- ingress {
- description = "Unrestricted ingress from within VPC"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
+ dynamic "ingress" {
+ for_each = var.use_default_ingress ? [1] : []
+
+ content {
+ description = "Unrestricted ingress from within VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
+ }
}
dynamic "ingress" {
- for_each = var.use_ssh && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0) ? [1] : [] #
+ for_each = var.use_ssh && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0) ? [1] : [] #
content {
description = "SSH access"
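Review bot: With `use_default_ingress = false` and `use_ssh = false` this resource declares no ingress block at all, so the security group admits nothing from the VPC and the instance stops functioning as a NAT unless the caller attaches rules some other way; the egress hunk below has the same gap, since a group whose rules are managed inline here keeps no egress rule when `use_default_egress = false`. Nothing in the hunk says how the opt-out is meant to be used, and the AWS provider documents that standalone rule resources on a group with inline rules conflict with them, so the expected path should be stated above the dynamic block, e.g. `# Opt-out: with var.use_default_ingress = false no ingress is declared here; supply ingress on a separate security group rather than as standalone rule resources on this one.`. The new version of the SSH `for_each` line still ends in a bare `#` with no comment text; drop it. The enclosing `aws_security_group.main` resource starts before this hunk and continues past it.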
@@ -40,13 +44,17 @@ resource "aws_security_group" "main" {
}
}
- egress {
- description = "Unrestricted egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
+ dynamic "egress" {
+ for_each = var.use_default_egress ? [1] : []
+
+ content {
+ description = "Unrestricted egress to the public internet"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
}
tags = merge({ Name = var.name }, var.tags)
diff --git a/variables.tf b/variables.tf
index ccb61ca..289d921 100644
--- a/variables.tf
+++ b/variables.tf
@@ -157,4 +157,16 @@ variable "tags" {
description = "Tags to apply to resources created within the module"
type = map(string)
default = {}
-}
\ No newline at end of file
+}
+
+variable "use_default_ingress" {
+ description = "Unrestricted ingress from within VPC to the NAT instance"
+ type = bool
+ default = true
+}
+
+variable "use_default_egress" {
+ description = "Unrestricted egress from the NAT instance to the public internet"
+ type = bool
+ default = true
+}
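Review bot: The two new variable descriptions say what the default rule permits but not what happens when the flag is false, which is the decision a caller is actually making: together with `use_ssh = false` the group ends up with no ingress, and `use_default_egress = false` leaves it with no egress, so the instance cannot forward traffic unless rules are attached elsewhere. State that consequence in the description, e.g. `description = "Create the unrestricted ingress rule from the VPC CIDRs. Set to false only when attaching your own ingress rules; otherwise the NAT instance accepts no traffic."`, and the equivalent wording for `use_default_egress`. No `validation` block is needed since the type is already `bool`.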