diff --git a/modules/consul-cluster/README.md b/modules/consul-cluster/README.md index 67f9f41a..b498c1fc 100644 --- a/modules/consul-cluster/README.md +++ b/modules/consul-cluster/README.md @@ -298,10 +298,10 @@ This module attaches a security group to each EC2 Instance that allows inbound r * **Consul**: For all the [ports used by Consul](https://www.consul.io/docs/agent/options.html#ports), you can use the `allowed_inbound_cidr_blocks` parameter to control the list of - [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. + [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access and the `allowed_inbound_security_group_ids` parameter to control the security groups that will be allowed access. * **SSH**: For the SSH port (default: 22), you can use the `allowed_ssh_cidr_blocks` parameter to control the list of - [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. + [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. You can use the `allowed_inbound_ssh_security_group_ids` parameter to control the list of source Security Groups that will be allowed access. Note that all the ports mentioned above are configurable via the `xxx_port` variables (e.g. `server_rpc_port`). See [vars.tf](vars.tf) for the full list. diff --git a/modules/consul-cluster/main.tf b/modules/consul-cluster/main.tf index 714860ef..b89bca21 100644 --- a/modules/consul-cluster/main.tf +++ b/modules/consul-cluster/main.tf @@ -95,6 +95,7 @@ resource "aws_security_group" "lc_security_group" { } resource "aws_security_group_rule" "allow_ssh_inbound" { + count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}" type = "ingress" from_port = "${var.ssh_port}" to_port = "${var.ssh_port}" 
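Review bot: The `count` added to `allow_ssh_inbound` is keyed on `var.allowed_inbound_cidr_blocks` (the Consul-port allowlist) rather than on `var.allowed_ssh_cidr_blocks`, which this rule presumably feeds into its `cidr_blocks` argument below the hunk. As written, an operator who sets Consul CIDRs but leaves `allowed_ssh_cidr_blocks` empty gets an SSH rule created with an empty source list, while one who sets SSH CIDRs and drives Consul access purely through security groups silently gets no SSH rule at all. The condition should be `count = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}"`. The rule's body (`protocol`, `cidr_blocks`, `security_group_id`) continues outside the hunk.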
@@ -104,6 +105,17 @@ resource "aws_security_group_rule" "allow_ssh_inbound" {
   security_group_id = "${aws_security_group.lc_security_group.id}"
 }
 
+resource "aws_security_group_rule" "allow_ssh_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_ssh_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.ssh_port}"
+  to_port = "${var.ssh_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_ssh_security_group_ids, count.index)}"
+
+  security_group_id = "${aws_security_group.lc_security_group.id}"
+}
+
 resource "aws_security_group_rule" "allow_all_outbound" {
   type = "egress"
   from_port = 0
diff --git a/modules/consul-cluster/variables.tf b/modules/consul-cluster/variables.tf
index a771900a..96f26e5b 100644
--- a/modules/consul-cluster/variables.tf
+++ b/modules/consul-cluster/variables.tf
@@ -24,6 +24,11 @@ variable "allowed_inbound_cidr_blocks" {
   type = "list"
 }
 
+variable "allowed_inbound_security_group_ids" {
+  description = "A list of security group IDs that will be allowed to connect to Consul"
+  type = "list"
+}
+
 variable "user_data" {
   description = "A User Data script to execute while the server is booting. We remmend passing in a bash script that executes the run-consul script, which should have been installed in the Consul AMI by the install-consul module."
 }
@@ -71,6 +76,12 @@ variable "allowed_ssh_cidr_blocks" {
   default = []
 }
 
+variable "allowed_ssh_security_group_ids" {
+  description = "A list of security group IDs from which the EC2 Instances will allow SSH connections"
+  type = "list"
+  default = []
+}
+
 variable "termination_policies" {
   description = "A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, Default."
   default = "Default"
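Review bot: `allowed_inbound_security_group_ids` is declared without a `default`, so it becomes a required input and every existing caller of `consul-cluster` that does not set it fails at plan time, whereas the sibling `allowed_ssh_security_group_ids` added further down in this same file defaults to `[]`. Because the rules in `consul-security-group-rules` use `length()` of this list as their `count`, an empty default is fail-closed (zero rules) and backward compatible; add `default = []` after `type = "list"`. The description should also spell out that semantics, e.g. `"A list of security group IDs that will be allowed to connect to Consul. Leave empty to grant no security-group-sourced access."`.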
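Review bot: The variable is named `allowed_ssh_security_group_ids`, but the README hunk in this same commit documents it as `allowed_inbound_ssh_security_group_ids`, so a user following the docs will pass an argument the module does not declare and get a plan-time error. Make the names agree; the README sentence should read `` `allowed_ssh_security_group_ids` `` since that is what `main.tf` consumes. The description would also help readers if it stated that this list is additive with `allowed_ssh_cidr_blocks` — each source gets its own ingress rule on `ssh_port` attached to the same security group — e.g. `"A list of security group IDs from which the EC2 Instances will allow SSH connections. Applied in addition to allowed_ssh_cidr_blocks."`.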
diff --git a/modules/consul-security-group-rules/main.tf b/modules/consul-security-group-rules/main.tf
index d96d741c..a45f0a5d 100644
--- a/modules/consul-security-group-rules/main.tf
+++ b/modules/consul-security-group-rules/main.tf
@@ -3,6 +3,7 @@
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "aws_security_group_rule" "allow_server_rpc_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.server_rpc_port}"
   to_port = "${var.server_rpc_port}"
@@ -13,6 +14,7 @@ resource "aws_security_group_rule" "allow_server_rpc_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_cli_rpc_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.cli_rpc_port}"
   to_port = "${var.cli_rpc_port}"
@@ -23,6 +25,7 @@ resource "aws_security_group_rule" "allow_cli_rpc_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.serf_lan_port}"
   to_port = "${var.serf_lan_port}"
@@ -33,6 +36,7 @@ resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_lan_udp_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.serf_lan_port}"
   to_port = "${var.serf_lan_port}"
@@ -43,6 +47,7 @@ resource "aws_security_group_rule" "allow_serf_lan_udp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.serf_wan_port}"
   to_port = "${var.serf_wan_port}"
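Review bot: Adding `count` to `allow_server_rpc_inbound` (and to the sibling rules below) changes the resource's state address from `aws_security_group_rule.allow_server_rpc_inbound` to `aws_security_group_rule.allow_server_rpc_inbound[0]`, so on an existing deployment Terraform will plan to destroy and recreate every Consul ingress rule, and the old rule may be removed before the new one exists, briefly closing the cluster's RPC/Serf/HTTP/DNS ports. Operators can avoid that with `terraform state mv` before applying, and any downstream reference such as `aws_security_group_rule.allow_server_rpc_inbound.id` must become splat syntax (`.*.id`). Both caveats are worth a line in the module README or CHANGELOG; the hunk itself needs no code change.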
@@ -53,6 +58,7 @@ resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_wan_udp_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.serf_wan_port}"
   to_port = "${var.serf_wan_port}"
@@ -63,6 +69,7 @@ resource "aws_security_group_rule" "allow_serf_wan_udp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_http_api_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.http_api_port}"
   to_port = "${var.http_api_port}"
@@ -73,6 +80,7 @@ resource "aws_security_group_rule" "allow_http_api_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_dns_tcp_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.dns_port}"
   to_port = "${var.dns_port}"
@@ -83,6 +91,7 @@ resource "aws_security_group_rule" "allow_dns_tcp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_dns_udp_inbound" {
+  count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.dns_port}"
   to_port = "${var.dns_port}"
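Review bot: The ternary `length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0` is now copied verbatim into nine resources in this file (`allow_serf_wan_udp_inbound` through `allow_dns_udp_inbound` here, plus the five above), and duplicated conditions like this drift silently — the `consul-cluster` SSH rule in this same commit already shows the failure mode by keying on the wrong list. If the module already requires a Terraform version with `locals` support, hoist it once as `locals { cidr_rule_count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}" }` and set `count = "${local.cidr_rule_count}"` in each rule. Otherwise at least a comment above the first rule, e.g. `# An empty allowed_inbound_cidr_blocks disables all CIDR-sourced rules below`, would tell the next reader why every rule carries the same guard.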
@@ -92,3 +101,101 @@ resource "aws_security_group_rule" "allow_dns_udp_inbound" {
   security_group_id = "${var.security_group_id}"
 }
 
+resource "aws_security_group_rule" "allow_server_rpc_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.server_rpc_port}"
+  to_port = "${var.server_rpc_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_cli_rpc_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.cli_rpc_port}"
+  to_port = "${var.cli_rpc_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.serf_lan_port}"
+  to_port = "${var.serf_lan_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.serf_lan_port}"
+  to_port = "${var.serf_lan_port}"
+  protocol = "udp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.serf_wan_port}"
+  to_port = "${var.serf_wan_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_wan_udp_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.serf_wan_port}"
+  to_port = "${var.serf_wan_port}"
+  protocol = "udp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_http_api_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.http_api_port}"
+  to_port = "${var.http_api_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_dns_tcp_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.dns_port}"
+  to_port = "${var.dns_port}"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_dns_udp_inbound_from_security_group_ids" {
+  count = "${length(var.allowed_inbound_security_group_ids)}"
+  type = "ingress"
+  from_port = "${var.dns_port}"
+  to_port = "${var.dns_port}"
+  protocol = "udp"
+  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+  security_group_id = "${var.security_group_id}"
+}
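Review bot: This file reads `var.allowed_inbound_security_group_ids` in all nine new rules, but the only declaration of that name in the diff is in `consul-cluster/variables.tf`, and none of the visible hunks update the `consul-cluster` module's call into `consul-security-group-rules` to pass it through; unless both exist in files outside this diff, `terraform plan` fails on an undeclared variable here and the new cluster input is never wired to these rules. Each source security group also expands into nine ingress rules with no cap on `count`, so a handful of entries plus the CIDR rules can exhaust AWS's default per-security-group rule quota and fail late at apply time; that expansion factor, and the fact that an empty list yields zero rules, belong in the variable's description, e.g. `"Each ID adds one ingress rule per Consul port/protocol (nine in total); leave empty to add none."`. If the module pins Terraform 0.11, note as well that a list built from other resources' attributes can make this `count` uncomputable at plan time, which the README should warn about.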