diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index aed12087..bd528b02 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -101,7 +101,8 @@ resource "google_compute_firewall" "custom-rules" {
 ? ["0.0.0.0/0"]
 : each.value.source_ranges
 )
- : each.value.source_ranges #for egress, we will include the range only if != null. Previously, always included a null
+ #for egress, we will include the source_ranges when provided. Previously, null was forced
+ : each.value.source_ranges
 )
 destination_ranges = (
 each.value.direction == "EGRESS"
@@ -110,7 +111,8 @@ resource "google_compute_firewall" "custom-rules" {
 ? ["0.0.0.0/0"]
 : each.value.destination_ranges
 )
- : each.value.destination_ranges #for ingress, we will include the range only if != null. Previously, always included a null
+ #for ingress, we will include the destination_ranges when provided. Previously, null was forced
+ : each.value.destination_ranges
 )
 source_tags = (
 each.value.use_service_accounts || each.value.direction == "EGRESS"
diff --git a/modules/net-vpc-firewall/variables.tf b/modules/net-vpc-firewall/variables.tf
index e6a07205..3b21fb5f 100644
--- a/modules/net-vpc-firewall/variables.tf
+++ b/modules/net-vpc-firewall/variables.tf
@@ -71,7 +71,7 @@ variable "ingress_rules" {
 type = map(object({
 deny = optional(bool, false)
 description = optional(string)
- destination_ranges = optional(list(string))
+ destination_ranges = optional(list(string), []) # empty list is needed as default to allow deletion after initial creation with a value
 disabled = optional(bool, false)
 enable_logging = optional(object({
 include_metadata = optional(bool)
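Review bot: The relocated comment on the `+` line above `: each.value.source_ranges` misstates what the new side does: the expression forwards the value unconditionally, null included, so it does not "include the source_ranges when provided", and the removed line carried the identical expression, so "Previously, null was forced" is not something this hunk changes. Whatever now reaches the provider is decided by the variable default, not by this line, and the comment should say so, e.g. `# EGRESS: pass source_ranges through unchanged; whether null or [] reaches the provider is set by the variable default`. The destination_ranges comment in the second main.tf hunk has the same problem and should be reworded the same way. Since the context lines are the module's widest setting, it is also worth stating next to the INGRESS branch that a null `source_ranges` becomes `["0.0.0.0/0"]`, i.e. a rule that omits it matches every source. The custom-rules resource block starts and ends outside these hunks.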
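Review bot: The new `[]` default on `destination_ranges` is applied only to this attribute of `ingress_rules`, while the main.tf hunks treat `source_ranges` on egress rules as the symmetric case; if the egress `source_ranges` attribute still defaults to null (not visible here), the deletion problem the trailing comment describes presumably remains for it. The trailing comment is also too long for that position and names a workaround without saying what is worked around; a line above the attribute such as `# default to [] rather than null: a null does not clear a range set earlier, so ranges could not be removed after creation` would be clearer, with that provider behaviour confirmed before it is stated as fact. Callers that relied on the null default should be checked, since `[]` and null may not be treated identically by the provider, and the module's variable documentation should state the new default.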