diff --git a/blueprints/apigee/bigquery-analytics/README.md b/blueprints/apigee/bigquery-analytics/README.md
index 027f28ea..5309fe17 100644
--- a/blueprints/apigee/bigquery-analytics/README.md
+++ b/blueprints/apigee/bigquery-analytics/README.md
@@ -19,7 +19,7 @@ Note: This setup only works if you are not using custom analytics.
## Running the blueprint
-1. Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=blueprints%2Fapigee%2Fbigquery-analytics), then go through the following steps to create resources:
+1. Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=blueprints%2Fnetworking%2Fpsc-glb-and-armor), then go through the following steps to create resources:
2. Copy the file [terraform.tfvars.sample](./terraform.tfvars.sample) to a file called ```terraform.tfvars``` and update the values if required.
diff --git a/blueprints/networking/README.md b/blueprints/networking/README.md
index ec510d56..e7c0b1ae 100644
--- a/blueprints/networking/README.md
+++ b/blueprints/networking/README.md
@@ -82,3 +82,11 @@ The emulated on-premises environment can be used to test access to different ser
It is meant to be used as a starting point for most Shared VPC configurations, and to be integrated to the above blueprints where Shared VPC is needed in more complex network topologies.
+
+### Exposing applications to the internet via GCLB and Private Service Connect
+
+ This [blueprint](./psc-glb-and-armor/) shows how to configure an external Google Cloud Load Balancer, with a simple Cloud Armor rule to protect against DDOS attacks, to provide an external endpoint to an application provided by another team via Private Service Connect (PSC).
+
+It is meant to be used as a starting point for users that want to explore PSC to reduce some of the complexity in their network setup.
+
+
\ No newline at end of file
diff --git a/blueprints/networking/psc-glb-and-armor/README.md b/blueprints/networking/psc-glb-and-armor/README.md
new file mode 100644
index 00000000..8e1becfa
--- /dev/null
+++ b/blueprints/networking/psc-glb-and-armor/README.md
@@ -0,0 +1,114 @@
+# HTTP Load Balancer with Cloud Armor and Private Service Connect
+
+## Introduction
+
+This blueprint contains all necessary Terraform code to configure HTTP load balancing and Google’s advanced WAF security tool (Cloud Armor) on top to securely deploy an application, provided by another team.
+
+This tutorial is general enough to fit in a variety of use-cases, from hosting a mobile app's backend to deploy proprietary workloads at scale.
+
+## Architecture
+
+
string
| ✓ | |
+| [project_id](variables.tf#L41) | Identifier of the project. | string
| ✓ | |
+| [enforce_security_policy](variables.tf#L17) | Enforce security policy. | bool
| | true
|
+| [project_create](variables.tf#L32) | Parameters for the creation of the new project. | object({…})
| | null
|
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [glb_ip_address](outputs.tf#L18) | Load balancer IP address. | |
+| [vm_siege_external_ip](outputs.tf#L23) | Siege VM external IP address. | |
+
+
diff --git a/blueprints/networking/psc-glb-and-armor/consumer.tf b/blueprints/networking/psc-glb-and-armor/consumer.tf
new file mode 100644
index 00000000..2c14fa23
--- /dev/null
+++ b/blueprints/networking/psc-glb-and-armor/consumer.tf
@@ -0,0 +1,109 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+locals {
+ consumer_apis = ["iam.googleapis.com", "compute.googleapis.com"]
+}
+
+data "google_project" "consumer" {
+ project_id = var.consumer_project_id
+}
+
+resource "google_project_service" "consumer" {
+ for_each = toset(local.consumer_apis)
+ project = data.google_project.consumer.project_id
+ service = each.key
+
+ disable_on_destroy = false
+}
+
+resource "google_compute_region_network_endpoint_group" "psc_neg" {
+ name = "psc-neg"
+ region = var.region
+ project = var.consumer_project_id
+ network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
+ psc_target_service = google_compute_service_attachment.psc_ilb_service_attachment.self_link
+
+ network = "default"
+ subnetwork = "default"
+}
+
+resource "google_compute_global_forwarding_rule" "default" {
+ project = var.consumer_project_id
+ name = "global-rule"
+ load_balancing_scheme = "EXTERNAL_MANAGED"
+ target = google_compute_target_http_proxy.default.id
+ port_range = "80"
+}
+
+output "lb_ip" {
+ value = google_compute_global_forwarding_rule.default.ip_address
+}
+
+resource "google_compute_target_http_proxy" "default" {
+ project = var.consumer_project_id
+ name = "target-proxy"
+ description = "a description"
+ url_map = google_compute_url_map.default.id
+}
+
+resource "google_compute_url_map" "default" {
+ project = var.consumer_project_id
+ name = "url-map-target-proxy"
+ description = "A simple URL Map, routing all traffic to the PSC NEG"
+ default_service = google_compute_backend_service.default.id
+
+ host_rule {
+ hosts = ["*"]
+ path_matcher = "allpaths"
+ }
+
+ path_matcher {
+ name = "allpaths"
+ default_service = google_compute_backend_service.default.id
+
+ path_rule {
+ paths = ["/*"]
+ service = google_compute_backend_service.default.id
+ }
+ }
+}
+
+resource "google_compute_security_policy" "policy" {
+ provider = google-beta
+ project = var.consumer_project_id
+ name = "ddos-protection"
+ adaptive_protection_config {
+ layer_7_ddos_defense_config {
+ enable = true
+ }
+ }
+ depends_on = [
+ google_project_service.consumer
+ ]
+}
+
+resource "google_compute_backend_service" "default" {
+ provider = google-beta
+ project = var.consumer_project_id
+ name = "backend"
+ load_balancing_scheme = "EXTERNAL_MANAGED"
+ protocol = "HTTPS"
+ security_policy = google_compute_security_policy.policy.id
+ backend {
+ group = google_compute_region_network_endpoint_group.psc_neg.id
+ balancing_mode = "UTILIZATION"
+ capacity_scaler = 1.0
+ }
+}
\ No newline at end of file
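Review bot: The external entry point is plain HTTP: `google_compute_global_forwarding_rule.default` listens on `port_range = "80"` and targets a `google_compute_target_http_proxy`, so client traffic reaches the load balancer unencrypted even though the backend service speaks HTTPS to the PSC NEG. For a blueprint presented as a secure way to expose an application, I would front it with a `google_compute_target_https_proxy` and a certificate on port 443. Failing that, a comment above the forwarding rule should say that HTTP is used only to keep the demo free of a domain and certificate. Separately, `google_compute_security_policy.policy` defines no `rule` blocks, so as far as I can tell Adaptive Protection only raises alerts and suggested rules while every request falls through to the default rule. A throttle or deny rule would be needed before the policy blocks anything.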
diff --git a/blueprints/networking/psc-glb-and-armor/diagram.png b/blueprints/networking/psc-glb-and-armor/diagram.png
new file mode 100644
index 00000000..d72625a5
Binary files /dev/null and b/blueprints/networking/psc-glb-and-armor/diagram.png differ
diff --git a/blueprints/networking/psc-glb-and-armor/producer.tf b/blueprints/networking/psc-glb-and-armor/producer.tf
new file mode 100644
index 00000000..59b5448b
--- /dev/null
+++ b/blueprints/networking/psc-glb-and-armor/producer.tf
@@ -0,0 +1,254 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+locals {
+ producer_apis = ["iam.googleapis.com", "run.googleapis.com", "compute.googleapis.com"]
+}
+
+data "google_project" "producer" {
+ project_id = var.producer_project_id
+}
+
+resource "google_project_service" "producer" {
+ for_each = toset(local.producer_apis)
+ project = data.google_project.producer.project_id
+ service = each.key
+
+ disable_on_destroy = false
+}
+
+resource "google_service_account" "app" {
+ project = var.producer_project_id
+ account_id = "example-app"
+ display_name = "Example App Service Account"
+
+ depends_on = [
+ google_project_service.producer
+ ]
+}
+
+resource "google_cloud_run_service" "app" {
+ name = "example-app"
+ location = var.region
+ project = var.producer_project_id
+
+ template {
+ spec {
+ containers {
+ image = "kennethreitz/httpbin:latest"
+ ports {
+ container_port = 80
+ }
+ }
+ service_account_name = google_service_account.app.email
+ }
+ }
+
+ autogenerate_revision_name = true
+ traffic {
+ percent = 100
+ latest_revision = true
+ }
+ metadata {
+ annotations = {
+ "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
+ }
+ }
+
+ depends_on = [
+ google_project_service.producer
+ ]
+}
+
+resource "google_compute_region_network_endpoint_group" "neg" {
+ name = "example-app-neg"
+ network_endpoint_type = "SERVERLESS"
+ region = var.region
+ project = var.producer_project_id
+ cloud_run {
+ service = google_cloud_run_service.app.name
+ }
+}
+
+resource "google_compute_forwarding_rule" "psc_ilb_target_service" {
+ name = "producer-forwarding-rule"
+ region = var.region
+ project = var.producer_project_id
+
+ load_balancing_scheme = "INTERNAL_MANAGED"
+ port_range = "443"
+ allow_global_access = true
+ target = google_compute_region_target_https_proxy.default.id
+
+ network = google_compute_network.psc_ilb_network.name
+ subnetwork = google_compute_subnetwork.ilb_subnetwork.name
+}
+
+resource "google_compute_region_target_https_proxy" "default" {
+ name = "l7-ilb-target-http-proxy"
+ provider = google-beta
+ region = var.region
+ project = var.producer_project_id
+ url_map = google_compute_region_url_map.default.id
+ ssl_certificates = [google_compute_region_ssl_certificate.default.id]
+}
+
+resource "google_compute_region_ssl_certificate" "default" {
+ region = var.region
+ project = var.producer_project_id
+ name = "my-certificate"
+ private_key = tls_private_key.example.private_key_pem
+ certificate = tls_self_signed_cert.example.cert_pem
+}
+
+resource "google_compute_region_url_map" "default" {
+ name = "l7-ilb-regional-url-map"
+ provider = google-beta
+ region = var.region
+ project = var.producer_project_id
+ default_service = google_compute_region_backend_service.producer_service_backend.id
+}
+
+resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "example" {
+ private_key_pem = tls_private_key.example.private_key_pem
+
+ subject {
+ common_name = "app.example.com"
+ organization = "Org"
+ }
+
+ validity_period_hours = 12
+
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}
+resource "google_compute_region_backend_service" "producer_service_backend" {
+ name = "producer-service"
+ region = var.region
+ project = var.producer_project_id
+ load_balancing_scheme = "INTERNAL_MANAGED"
+ protocol = "HTTPS"
+
+ backend {
+ group = google_compute_region_network_endpoint_group.neg.id
+ balancing_mode = "UTILIZATION"
+ capacity_scaler = 1.0
+ }
+}
+
+resource "google_compute_network" "psc_ilb_network" {
+ name = "psc-ilb-network"
+ auto_create_subnetworks = false
+ project = var.producer_project_id
+ depends_on = [
+ google_project_service.consumer
+ ]
+}
+
+resource "google_compute_subnetwork" "ilb_subnetwork" {
+ name = "ilb-subnetwork"
+ region = var.region
+ project = var.producer_project_id
+
+ network = google_compute_network.psc_ilb_network.id
+ ip_cidr_range = "10.0.0.0/16"
+ purpose = "INTERNAL_HTTPS_LOAD_BALANCER"
+ role = "ACTIVE"
+}
+
+resource "google_compute_subnetwork" "psc_private_subnetwork" {
+ name = "psc-private-subnetwork"
+ region = var.region
+ project = var.producer_project_id
+
+ network = google_compute_network.psc_ilb_network.id
+ ip_cidr_range = "10.3.0.0/16"
+ purpose = "PRIVATE"
+ role = "ACTIVE"
+}
+
+resource "google_compute_subnetwork" "psc_ilb_nat" {
+ name = "psc-ilb-nat"
+ region = var.region
+ project = var.producer_project_id
+
+ network = google_compute_network.psc_ilb_network.id
+ purpose = "PRIVATE_SERVICE_CONNECT"
+ ip_cidr_range = "10.1.0.0/16"
+}
+
+resource "google_compute_subnetwork" "vms" {
+ name = "vms"
+ region = var.region
+ project = var.producer_project_id
+
+ network = google_compute_network.psc_ilb_network.id
+ ip_cidr_range = "10.4.0.0/16"
+}
+
+data "google_compute_zones" "available" {
+ region = var.region
+ project = var.producer_project_id
+}
+
+resource "google_compute_service_attachment" "psc_ilb_service_attachment" {
+ name = "my-psc-ilb"
+ region = var.region
+ project = var.producer_project_id
+ description = "A service attachment configured with Terraform"
+
+ enable_proxy_protocol = false
+ connection_preference = "ACCEPT_AUTOMATIC"
+ nat_subnets = [google_compute_subnetwork.psc_ilb_nat.id]
+ target_service = google_compute_forwarding_rule.psc_ilb_target_service.id
+
+ depends_on = [
+ google_project_service.consumer
+ ]
+}
+
+resource "google_service_account" "noop" {
+ project = var.producer_project_id
+ account_id = "noop-sa"
+ display_name = "Service Account for NOOP VM"
+}
+
+resource "google_compute_instance" "noop-vm" {
+ project = var.producer_project_id
+ name = "noop-ilb-vm"
+ machine_type = "e2-medium"
+ zone = data.google_compute_zones.available.names[0]
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-11"
+ }
+ }
+
+ network_interface {
+ network = google_compute_network.psc_ilb_network.id
+ subnetwork = google_compute_subnetwork.vms.id
+ }
+ service_account {
+ email = google_service_account.noop.email
+ scopes = []
+ }
+}
\ No newline at end of file
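Review bot: `connection_preference = "ACCEPT_AUTOMATIC"` on `google_compute_service_attachment.psc_ilb_service_attachment` accepts a PSC connection from any project that learns the attachment URI. Such a consumer would reach the internal load balancer without passing through the external load balancer and the Cloud Armor policy defined in consumer.tf. Since the only intended consumer is `var.consumer_project_id`, the attachment should use `ACCEPT_MANUAL` with a `consumer_accept_lists` entry for that project, as sketched below. Also, the `depends_on` of `google_compute_network.psc_ilb_network` and of the service attachment points at `google_project_service.consumer`, although both resources are created in the producer project; `google_project_service.producer` looks like what was meant.

```hcl
resource "google_compute_service_attachment" "psc_ilb_service_attachment" {
  # … unchanged: name, region, project, description, enable_proxy_protocol …
  connection_preference = "ACCEPT_MANUAL"
  consumer_accept_lists {
    project_id_or_num = var.consumer_project_id
    connection_limit  = 1 # constructed sample value; size to the expected number of endpoints
  }
  # … unchanged: nat_subnets, target_service, depends_on …
}
```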
diff --git a/blueprints/networking/psc-glb-and-armor/providers.tf b/blueprints/networking/psc-glb-and-armor/providers.tf
new file mode 100644
index 00000000..d8c741d1
--- /dev/null
+++ b/blueprints/networking/psc-glb-and-armor/providers.tf
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+}
+
+provider "google-beta" {
+}
\ No newline at end of file
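Review bot: Neither provider block comes with a version constraint, and producer.tf in this commit uses `tls_private_key` and `tls_self_signed_cert` without the `tls` provider being declared anywhere in the visible files. Unless a `versions.tf` exists outside this diff, every `terraform init` resolves whatever `google`, `google-beta` and `tls` releases are newest. The blueprint is then not reproducible and picks up provider changes unreviewed. I would add a `terraform { required_providers { … } }` block listing `hashicorp/google`, `hashicorp/google-beta` and `hashicorp/tls` with version constraints, together with a `required_version`.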
diff --git a/blueprints/networking/psc-glb-and-armor/variables.tf b/blueprints/networking/psc-glb-and-armor/variables.tf
new file mode 100644
index 00000000..9a3c91b2
--- /dev/null
+++ b/blueprints/networking/psc-glb-and-armor/variables.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "consumer_project_id" {
+}
+variable "producer_project_id" {
+}
+
+variable "region" {
+ default = "europe-west1"
+}
\ No newline at end of file
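Review bot: All three variables are declared without `type` or `description`, so Terraform applies no type check to the project ids and a documentation generator has nothing to show for them. The README table added in this commit lists `project_id`, `enforce_security_policy` and `project_create`, none of which is declared here, while `consumer_project_id`, `producer_project_id` and `region` go undocumented. I would give each variable `type = string` and a description such as `description = "Project ID of the consumer side (external load balancer and Cloud Armor policy)."`, then regenerate the README table from this file.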