diff --git a/CHANGELOG b/CHANGELOG
index d8e1c1c3c42d013a2ea951151425e125dc9c935b..fba9df133bb7ddf6fc14c5d2990f70a59e9c859b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - Add the requirement for an explicit image_name to deploy, which breaks previous
    versions that ignored image updates.
 
+## [3.1.3] - 2021-07-16
+### Changed
+ - Added interface for authentication proxy Cloud Function egress settings. Required
+   for uptime check configuration of internal services.
+
 ## [3.1.2] - 2021-07-15
 ### Changed
  - Surface Cloud NAT variable for minimum number of SNAT tuples, supporting a larger
diff --git a/locals.tf b/locals.tf
index ce0b188ba911aa7a69fb843aec59e06d4b73be2b..adf71514a62787f5f80babc93dbe207881b4986c 100644
--- a/locals.tf
+++ b/locals.tf
@@ -45,10 +45,25 @@ locals {
     var.enable_beta_launch_stage || length(var.secrets_volume) != 0 || length(var.secrets_envars) != 0
   )
 
-  # Hosts to monitor. We use the automatic host from Cloud Run and any custom
-  # domain mapped host.
-  monitor_hosts = var.disable_monitoring ? [] : concat(
-    [trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/")],
-    var.allow_unauthenticated_invocations ? local.dns_names : [],
+  # Whether we should monitor the custom domain - only possible if there is a dns_name
+  # set and unauthenticated invocation is enabled
+  can_monitor_custom_dns = var.dns_name != "" && var.allow_unauthenticated_invocations
+
+  # Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
+  auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
+
+  # Map containing the hosts to monitor and whether an auth proxy and egress connector
+  # should be configured.
+  monitor_hosts = var.disable_monitoring ? {} : merge(
+    {
+      trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/") = {
+        "enable_auth_proxy"       = !var.allow_unauthenticated_invocations || var.allowed_ingress != "all",
+        "enable_egress_connector" = var.allowed_ingress != "all"
+      },
+    },
+    local.can_monitor_custom_dns ? { (var.dns_name) = {
+      "enable_auth_proxy"       = var.allowed_ingress == "internal",
+      "enable_egress_connector" = var.allowed_ingress == "internal"
+    } } : {}
   )
 }
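Review bot: The custom-domain entry in `monitor_hosts` is now keyed on the single `var.dns_name`, whereas the removed expression concatenated `local.dns_names`; if that local can hold more than one host (its definition is outside this hunk), the extra domains silently lose their uptime checks. Building the entry from the list would keep coverage, still guarded by `var.allow_unauthenticated_invocations`: `{ for h in local.dns_names : h => { enable_auth_proxy = var.allowed_ingress == "internal", enable_egress_connector = var.allowed_ingress == "internal" } }`. The two hosts also use different conditions (`!= "all"` for the Cloud Run URL, `== "internal"` for the custom domain), so a comment listing the accepted `allowed_ingress` values and what each host needs for them would make this easier to audit. The `locals` block begins before the hunk.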
diff --git a/main.tf b/main.tf
index 6c9246429d3e76f2e813932521bf5e4e375e74ed..5925ece0e61f9c67b0dc2d812d79263a0b73f5f7 100644
--- a/main.tf
+++ b/main.tf
@@ -233,11 +233,11 @@ resource "google_cloud_run_domain_mapping" "webapp" {
 }
 
 module "uptime_monitoring" {
-  for_each = toset(local.monitor_hosts)
+  for_each = local.monitor_hosts
 
   source = "git::https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/gcp-site-monitoring.git?ref=v1"
 
-  host    = each.value
+  host    = each.key
   project = var.project
 
   alert_email_addresses = var.alerting_email_address != "" ? [var.alerting_email_address] : []
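Review bot: The module `source` is pinned only to `?ref=v1`, and this commit starts passing `egress_connector` and `egress_connector_settings` to it (second hunk of this file), which suggests `v1` is a moving ref rather than an immutable release. A ref that can move lets upstream changes alter the deployed auth-proxy Cloud Function and alerting resources without any change in this repository. Pinning to an exact tag or commit, e.g. `?ref=<exact-tag-or-commit-sha>`, keeps plans reproducible and reviewable. The `module` block continues past the end of this hunk.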
@@ -257,15 +257,16 @@ module "uptime_monitoring" {
     alert_enabled = var.alerting_enabled
   }
 
-  # if unathenticated access is not allowed, configure the monitoring to use
-  # an authentication proxy, allowing the monitoring checks to invoke the cloud
-  # run instance.
-  authentication_proxy = !var.allow_unauthenticated_invocations ? {
-    enabled                = true
-    cloud_run_project      = google_cloud_run_service.webapp.project
-    cloud_run_service_name = google_cloud_run_service.webapp.name
-    cloud_run_region       = var.cloud_run_region
-  } : {}
+  # If required, configure the monitoring to use an authentication proxy, allowing
+  # the monitoring checks to invoke the cloud run instance.
+  authentication_proxy = {
+    enabled                   = each.value.enable_auth_proxy
+    cloud_run_project         = google_cloud_run_service.webapp.project
+    cloud_run_service_name    = google_cloud_run_service.webapp.name
+    cloud_run_region          = var.cloud_run_region
+    egress_connector          = each.value.enable_egress_connector ? local.auth_proxy_egress_connector : ""
+    egress_connector_settings = each.value.enable_egress_connector && local.auth_proxy_egress_connector != "" ? "ALL_TRAFFIC" : null
+  }
 
   providers = {
     google = google.stackdriver
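Review bot: When `each.value.enable_egress_connector` is true but `local.auth_proxy_egress_connector` is empty (static egress IP disabled and `var.auth_proxy_egress_connector` left at its default `""`), the proxy is still enabled with `egress_connector = ""` and `egress_connector_settings = null`. The Function is then deployed without VPC egress and presumably cannot reach a service with restricted ingress, so the misconfiguration only shows up later as a failing uptime check. At minimum state the requirement next to the block, e.g. `# Restricted ingress needs a VPC connector: set auth_proxy_egress_connector or enable_static_egress_ip, otherwise the check cannot reach the service.` Separately, the old code passed `{}` when no proxy was needed, while the new object always carries the Cloud Run identifiers with `enabled = false`; it is worth confirming that the upstream module ignores them in that case. The `module` block starts before this hunk.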
diff --git a/variables.tf b/variables.tf
index 239f6293e77446ac6f42780f8c2ac28088da643f..428f3dcd1a226ac210fd224d9e125547da43d2cd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -280,7 +280,19 @@ variable "min_ports_per_vm" {
   description = <<-EOL
     When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per VM
     can be configured to determine how many concurrent connections can be established
-    to the same destination IP address and port. 
+    to the same destination IP address and port.
+EOL
+}
+
+variable "auth_proxy_egress_connector" {
+  type        = string
+  default     = ""
+  description = <<-EOL
+    When an auth proxy Function is created for uptime check of internal services, a VPC connector
+    should be provided to route the Function's egress traffic through it to reach the webapp
+    Cloud Run service.
+
+    If static IP is enabled, its configured VPC connector will be used instead.
 EOL
 }