diff --git a/CHANGELOG b/CHANGELOG
index eb41dde53178667f0695b12d60f88653d08fb4ec..d847fae6b80c8cee7344957895e04ca094199211 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.3] - 2021-07-16
+### Changed
+ - Added interface for authentication proxy Cloud Function egress settings. Required
+   for uptime check configuration of internal services.
+
 ## [3.1.2] - 2021-07-15
 ### Changed
  - Surface Cloud NAT variable for minimum number of SNAT tuples, supporting a larger
diff --git a/locals.tf b/locals.tf
index 8b5966323b050e90dddcc52d0fabed6f7da34e02..a40c511c67d403753c2a74aed49a1502b7a75266 100644
--- a/locals.tf
+++ b/locals.tf
@@ -17,10 +17,21 @@ locals {
   # set and unauthenticated invocation is enabled
   can_monitor_custom_dns = var.dns_name != "" && var.allow_unauthenticated_invocations
 
-  # Hosts to monitor. We use the automatic host from Cloud Run and any custom
-  # domain mapped host, if can_monitor_custom_dns is true
-  monitor_hosts = var.disable_monitoring ? [] : concat(
-    [trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/")],
-    local.can_monitor_custom_dns ? [var.dns_name] : []
+  # Holds which VPC connector can be used for the auth proxy Cloud Function egress settings
+  auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector
+
+  # Map containing the hosts to monitor and whether an auth proxy and egress connector
+  # should be configured.
+  monitor_hosts = var.disable_monitoring ? {} : merge(
+    {
+      trimsuffix(trimprefix(google_cloud_run_service.webapp.status[0].url, "https://"), "/") = {
+        "enable_auth_proxy"       = !var.allow_unauthenticated_invocations || var.allowed_ingress != "all",
+        "enable_egress_connector" = var.allowed_ingress != "all"
+      },
+    },
+    local.can_monitor_custom_dns ? { (var.dns_name) = {
+      "enable_auth_proxy"       = var.allowed_ingress == "internal",
+      "enable_egress_connector" = var.allowed_ingress == "internal"
+    } } : {}
   )
 }
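Review bot: The two `monitor_hosts` entries gate the proxy on different conditions, and the comment above the map does not explain why: the Cloud Run host uses `var.allowed_ingress != "all"`, while the custom DNS host uses `var.allowed_ingress == "internal"`. For any ingress value other than those two, the default host is checked through the proxy and connector while the custom domain is checked directly, which presumably assumes the custom domain stays reachable from outside the VPC. If that is the intent, I would state it next to the second entry, e.g. `# custom domain is assumed externally reachable unless ingress is "internal"`, so a later change to the ingress options does not leave one host unmonitored. The `locals` block starts above this hunk.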
diff --git a/main.tf b/main.tf
index 2ccf9714f9c368e56de93a4eaaacad5bf67768f5..48569c20ddffc5f860da83dfa266a75bbde38021 100644
--- a/main.tf
+++ b/main.tf
@@ -240,11 +240,11 @@ resource "google_cloud_run_domain_mapping" "webapp" {
 }
 
 module "uptime_monitoring" {
-  for_each = toset(local.monitor_hosts)
+  for_each = local.monitor_hosts
 
   source = "git::https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/gcp-site-monitoring.git?ref=v1"
 
-  host    = each.value
+  host    = each.key
   project = var.project
 
   alert_email_addresses = var.alerting_email_address != "" ? [var.alerting_email_address] : []
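Review bot: The module `source` in this hunk is pinned to `ref=v1`, which looks like a moving major-version ref rather than an exact tag or commit. This commit starts depending on inputs (`egress_connector` and `egress_connector_settings` in the next hunk) that only a sufficiently recent revision of that module would accept. If `v1` does move, pinning to the exact release or commit that introduced those inputs, e.g. `?ref=<exact-tag-or-commit>`, would make plans reproducible and keep upstream changes to the code that deploys the authenticating proxy from arriving unreviewed. The `module "uptime_monitoring"` block continues past this hunk.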
@@ -264,15 +264,16 @@ module "uptime_monitoring" {
     alert_enabled = var.alerting_enabled
   }
 
-  # if unathenticated access is not allowed, configure the monitoring to use
-  # an authentication proxy, allowing the monitoring checks to invoke the cloud
-  # run instance.
-  authentication_proxy = !var.allow_unauthenticated_invocations ? {
-    enabled                = true
-    cloud_run_project      = google_cloud_run_service.webapp.project
-    cloud_run_service_name = google_cloud_run_service.webapp.name
-    cloud_run_region       = var.cloud_run_region
-  } : {}
+  # If required, configure the monitoring to use an authentication proxy, allowing
+  # the monitoring checks to invoke the cloud run instance.
+  authentication_proxy = {
+    enabled                   = each.value.enable_auth_proxy
+    cloud_run_project         = google_cloud_run_service.webapp.project
+    cloud_run_service_name    = google_cloud_run_service.webapp.name
+    cloud_run_region          = var.cloud_run_region
+    egress_connector          = each.value.enable_egress_connector ? local.auth_proxy_egress_connector : ""
+    egress_connector_settings = each.value.enable_egress_connector && local.auth_proxy_egress_connector != "" ? "ALL_TRAFFIC" : null
+  }
 
   providers = {
     google = google.stackdriver
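Review bot: When `each.value.enable_egress_connector` is true but `local.auth_proxy_egress_connector` is empty (neither `enable_static_egress_ip` nor `auth_proxy_egress_connector` is set), `egress_connector` resolves to `""` and `egress_connector_settings` to `null` while `enabled` is still true. The proxy is then deployed with no VPC route to a service whose ingress is restricted, so the uptime check would presumably fail only at runtime, and the resulting alerts look like an outage rather than a misconfiguration. I would at least record the requirement beside these two lines, e.g. `# restricted ingress requires a connector: set auth_proxy_egress_connector or enable_static_egress_ip`, and ideally fail at plan time when the connector is missing. A short comment on why `"ALL_TRAFFIC"` is needed would also help, since it routes every outbound request of the function through the connector. The module block begins in the previous hunk and continues past this one.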
diff --git a/variables.tf b/variables.tf
index e8c49f6a89849ab5f5bc6958f5f0e5d62f375796..8be213dd1df9ab421a426732c4cd1a37b8f0e765 100644
--- a/variables.tf
+++ b/variables.tf
@@ -215,7 +215,19 @@ variable "min_ports_per_vm" {
   description = <<-EOL
     When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per VM
     can be configured to determine how many concurrent connections can be established
-    to the same destination IP address and port. 
+    to the same destination IP address and port.
+EOL
+}
+
+variable "auth_proxy_egress_connector" {
+  type        = string
+  default     = ""
+  description = <<-EOL
+    When an auth proxy Function is created for uptime check of internal services, a VPC connector
+    should be provided to route the Function's egress traffic through it to reach the webapp
+    Cloud Run service.
+
+    If static IP is enabled, its configured VPC connector will be used instead.
 EOL
 }