diff --git a/dev-tools/xtask/src/virtual_hardware.rs b/dev-tools/xtask/src/virtual_hardware.rs
index 917524aa7c8..c2525a719fa 100644
--- a/dev-tools/xtask/src/virtual_hardware.rs
+++ b/dev-tools/xtask/src/virtual_hardware.rs
@@ -71,13 +71,13 @@ pub struct Pxa {
 /// The first IP address your Oxide cluster can use.
 ///
 /// Requires `pxa-end`.
- #[clap(long = "pxa-start", requires = "end")]
+ #[clap(long = "pxa-start", requires = "end", env = "PXA_START")]
 start: Option,
 /// The last IP address your Oxide cluster can use
 ///
 /// Requires `pxa-start`.
- #[clap(long = "pxa-end", requires = "start")]
+ #[clap(long = "pxa-end", requires = "start", env = "PXA_END")]
 end: Option,
 }
diff --git a/nexus/src/app/allowed_source_ips.rs b/nexus/src/app/allowed_source_ips.rs
index 3cdd738e661..45dc60a9e8a 100644
--- a/nexus/src/app/allowed_source_ips.rs
+++ b/nexus/src/app/allowed_source_ips.rs
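Review bot: The doc comments on `start` and `end` still describe only the `--pxa-start`/`--pxa-end` flags, while the added `env = "PXA_START"` and `env = "PXA_END"` make the environment an equally valid source; someone reading the source rather than `--help` output will not see that. Add a line to each doc comment, e.g. `/// May also be set through the PXA_START environment variable.` and the matching PXA_END line on `end`, so the `requires` note is understood to apply whichever way the value arrives. The `Pxa` struct header is outside the hunk.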
@@ -79,17 +79,34 @@ impl super::Nexus {
 // Actually insert the new allowlist.
 self.db_datastore
- .allowed_source_ips_upsert(opctx, params.allowed_ips)
+ .allowed_source_ips_upsert(opctx, params.allowed_ips.clone())
 .await
 .map(|_| ())?;
 // Notify the sled-agents of the updated firewall rules.
+ //
+ // Importantly, we need to use a different `opctx` from that we're
+ // passed in here. This call requires access to Oxide-internal data
+ // around our VPC, and so we must use a context that's authorized for
+ // that.
+ //
+ // TODO-correctness: It's unfortunate that we're using this new logger,
+ // since that means we lose things like the original actor and request
+ // ID. It would be great if we could insert additional key-value pairs
+ // into the logger itself here, or "merge" the two in some other way.
+ info!(
+ opctx.log,
+ "updated user-facing services allow list, switching to \
+ internal opcontext to plumb rules to sled-agents";
+ "new_allowlist" => ?params.allowed_ips,
+ );
+ let new_opctx = self.opctx_for_internal_api();
 match nexus_networking::plumb_service_firewall_rules(
 self.datastore(),
- &opctx,
+ &new_opctx,
 &[],
- &opctx,
- &opctx.log,
+ &new_opctx,
+ &new_opctx.log,
 )
 .await
 {
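Review bot: The `info!` line reports "updated user-facing services allow list" after the upsert but before `plumb_service_firewall_rules` has run, so the log records the allowlist as updated even in the case where plumbing then fails and the persisted list is not yet what the sled-agents enforce; the `match` arms that decide what happens on that failure are outside the hunk. Since the switch to `new_opctx` also drops the caller's actor and request ID from the plumbing log (as the TODO says), the log line emitted here with `opctx.log` is the only record tying this caller to the change, so it would help to state the non-atomicity next to it, e.g. `// The new allowlist is already persisted; if plumbing below fails, the stored list and the rules on the sled-agents differ until plumbing succeeds.` (hedged: whether a retry happens is not visible here). The `.clone()` on `params.allowed_ips` appears to exist only so the value can be logged after it is moved into the upsert; a one-line comment such as `// cloned so the new list can be logged below` would make that explicit.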