diff --git a/main.tf b/main.tf
index 1ccc154..a74a889 100644
--- a/main.tf
+++ b/main.tf
@@ -38,13 +38,14 @@ module "subnet" {
 }
 module "security_group" {
- source = "./modules/security_group"
- name = local.security_group_name
- ip = (local.security_group_ip == "" ? data.http.get_my_ip[0].response_body : local.security_group_ip)
- cidr = module.subnet.cidr
- owner = local.owner
- type = local.security_group_type
- vpc_id = module.vpc.id
+ source = "./modules/security_group"
+ name = local.security_group_name
+ ip = (local.security_group_ip == "" ? data.http.get_my_ip[0].response_body : local.security_group_ip)
+ cidr = module.subnet.cidr
+ owner = local.owner
+ type = local.security_group_type
+ vpc_id = module.vpc.id
+ vpc_cidr = module.vpc.cidr
 }
 module "ssh_key" {
diff --git a/modules/security_group/main.tf b/modules/security_group/main.tf
index 74827fb..5af09b1 100644
--- a/modules/security_group/main.tf
+++ b/modules/security_group/main.tf
@@ -69,7 +69,26 @@ resource "aws_security_group_rule" "internal_egress" {
 cidr_blocks = [local.cidr]
 security_group_id = aws_security_group.new[0].id
 }
-
+# this rule allows any ip in the cidr on any port to initiate connections to the server
+resource "aws_security_group_rule" "project_ingress" {
+ count = (local.type.project_ingress ? 1 : 0)
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr]
+ security_group_id = aws_security_group.new[0].id
+}
+# this rule allows the server to initiate connections to any ip in the cidr on any port
+resource "aws_security_group_rule" "project_egress" {
+ count = (local.type.project_egress ? 1 : 0)
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr]
+ security_group_id = aws_security_group.new[0].id
+}
 # this is necessary if you want to update or install anything from the internet
 # allows server to initiate connections to anywhere
 resource "aws_security_group_rule" "external_egress" {
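Review bot: The new `vpc_cidr = module.vpc.cidr` argument relies on the vpc module exposing a `cidr` output, which is not part of this diff; if that output does not exist the plan fails at reference resolution, so it is worth confirming before merge. Since `cidr = module.subnet.cidr` and `vpc_cidr = module.vpc.cidr` are now both passed, a one-line comment would make the intended relationship explicit, e.g. `# vpc_cidr must contain cidr; the security_group module does not check this`. The rest of the `module "security_group"` block is unchanged apart from realignment.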
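Review bot: The comments on the two new rules say "any ip in the cidr", but the rules use `local.vpc_cidr`, a wider range than the `local.cidr` that `internal_ingress`/`internal_egress` just above use, and `protocol = "-1"` with ports 0–0 means every port and every protocol; the comment should say so, e.g. `# allows any host in the VPC CIDR (local.vpc_cidr, wider than the subnet cidr used by internal_ingress) to initiate connections to the server on any port and protocol`, and the mirror for `project_egress`. `local.vpc_cidr` is not defined anywhere in this diff; presumably a locals block maps it from the new `var.vpc_cidr`, which should be confirmed. Because that variable defaults to `""`, selecting a type with `project_ingress = true` while leaving it unset yields `cidr_blocks = [""]`, which the provider rejects at plan/apply time with a message that does not point back at the variable; gating `count` on `local.vpc_cidr != ""` would silently drop the rule instead, so a validation on the variable (see the variables.tf hunk) is the better place to catch it.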
diff --git a/modules/security_group/types.tf b/modules/security_group/types.tf
index 47049d4..b27e840 100644
--- a/modules/security_group/types.tf
+++ b/modules/security_group/types.tf
@@ -7,6 +7,8 @@ locals {
 specific_ip_egress = false
 internal_ingress = false
 internal_egress = false
+ project_ingress = false
+ project_egress = false
 public_ingress = false
 public_egress = false
 }
@@ -19,6 +21,8 @@ locals {
 specific_ip_egress = true
 internal_ingress = false
 internal_egress = false
+ project_ingress = false
+ project_egress = false
 public_ingress = false
 public_egress = false
 }
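Review bot: Every type map now has to carry `project_ingress` and `project_egress` by hand, because the rules in modules/security_group/main.tf read `local.type.project_ingress` directly and a type missing the key is a plan-time error rather than a default of false; the same applies to the hunks at `@@ -31,19` and `@@ -54,6`. A base map of all flags set to `false`, merged into each type with `merge(...)`, would make the missing-key case impossible and would shrink each type to the flags it actually turns on. At minimum a comment at the top of the locals block, `# every type must define all eight flags; main.tf indexes them directly`, would tell the next person adding a flag or a type what is required. The enclosing `locals` block starts and ends outside these hunks.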
@@ -31,19 +35,37 @@ locals {
 specific_ip_egress = true
 internal_ingress = true
 internal_egress = true
+ project_ingress = false
+ project_egress = false
 public_ingress = false
 public_egress = false
 }
- egress = {
- # allow all ingress and egress, but only from specified ip and cidr
- # allow egress to public internet, this enables updates and package installs
- # the server will be able to initiate connections to anywhere
- # only specified ip and cidr can initiate connections to the server
- # specified ip can be outside the vpc, the cidr must be inside the vpc
+ project = {
+ # allow all ingress and egress, but only from specified ip, cidr, and VPC cidr
+ # this will require users to figure out how to update and install packages without public internet access
+ # the server will only be able to egress to specified ip, or any server on a subnet within the VPC internal CIDR
+ # specified ip can be outside the vpc, the cidr must be inside the vpc, and the vpc cidr must match the vpc
 specific_ip_ingress = true
 specific_ip_egress = true
 internal_ingress = true
 internal_egress = true
+ project_ingress = true
+ project_egress = true
+ public_ingress = false
+ public_egress = false
+ }
+ egress = {
+ # allow all ingress and egress, but only from specified ip and vpc cidr
+ # allow egress to public internet, this enables updates and package installs
+ # the server will be able to initiate connections to anywhere
+ # only specified ip and vpc cidr can initiate connections to the server
+ # specified ip can be outside the vpc, the cidr must be inside the vpc, and the vpc cidr must match the vpc
+ specific_ip_ingress = true
+ specific_ip_egress = true
+ internal_ingress = true
+ internal_egress = true
+ project_ingress = true
+ project_egress = true
 public_ingress = false
 public_egress = true
 }
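Review bot: The rewritten `egress` type comment now says inbound is "only from specified ip and vpc cidr", yet the type keeps `internal_ingress = true` and `internal_egress = true`; with the subnet cidr required to lie inside the VPC cidr, those two rules are fully subsumed by the new `project_*` rules, and the comment should say so or the flags should be dropped for `project` and `egress` so that one rule describes the reachable range. The effective change for anyone already using the `egress` type is that every host in the VPC, not just the subnet, can now reach the server on any port, which deserves a sentence in the comment rather than being implied by the flag values. The phrase "the vpc cidr must match the vpc" states a requirement nothing here enforces; `# the vpc cidr is not checked against the vpc by this module` is more honest than "must". The enclosing `locals` block starts and ends outside this hunk.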
@@ -54,6 +76,8 @@ locals {
 specific_ip_egress = true
 internal_ingress = true
 internal_egress = true
+ project_ingress = true
+ project_egress = true
 public_ingress = true
 public_egress = true
 }
diff --git a/modules/security_group/variables.tf b/modules/security_group/variables.tf
index 854c107..8fd28e1 100644
--- a/modules/security_group/variables.tf
+++ b/modules/security_group/variables.tf
@@ -48,4 +48,12 @@ variable "vpc_id" {
 Not necessary if the security group is being found.
 EOT
 default = ""
+}
+variable "vpc_cidr" {
+ type = string
+ description = <<-EOT
+ The CIDR of the VPC, used to allow ingress from the VPC to the servers in the security group.
+ Not necessary if the security group is being found.
+ EOT
+ default = ""
 }
\ No newline at end of file
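Review bot: `vpc_cidr` accepts any string and defaults to `""`, so a typo or an unset value is only discovered when the provider rejects `cidr_blocks = [""]` in the `project_ingress`/`project_egress` rules; a `validation` block on the variable catches it at plan time with a message that names the variable. The description also says the value is used for ingress only, whereas the `project_egress` rule uses it too, and the copied sentence "Not necessary if the security group is being found" is presumably also true when the selected type leaves both project flags false; suggested wording: `The CIDR of the VPC; used by the project_ingress and project_egress rules to allow any host in the VPC to reach, and be reached by, the servers in the security group. Leave empty when the security group is being found or the type does not enable the project rules.` The types.tf hunk above it only sets the two new flags to true and needs nothing.
```hcl
variable "vpc_cidr" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.vpc_cidr == "" || can(cidrhost(var.vpc_cidr, 0))
    error_message = "vpc_cidr must be empty or a valid CIDR block (e.g. 10.0.0.0/16)."
  }
}
```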