diff --git a/terraform/environments/production/gateways.tf b/terraform/environments/production/gateways.tf
new file mode 100644
index 000000000..d7eb042ef
--- /dev/null
+++ b/terraform/environments/production/gateways.tf
@@ -0,0 +1,163 @@
+# Deploy our dogfood gateways
+resource "google_compute_network" "gateways" {
+ project = module.google-cloud-project.project.project_id
+ name = "gateways"
+
+ routing_mode = "GLOBAL"
+
+ auto_create_subnetworks = false
+
+ depends_on = [
+ google_project_service.compute
+ ]
+}
+
+module "gateways" {
+ count = var.gateway_portal_token != null ? 1 : 0
+
+ source = "../../modules/gateway-app"
+ project_id = module.google-cloud-project.project.project_id
+
+ compute_network = "projects/${module.google-cloud-project.project.project_id}/global/networks/default"
+
+ compute_instances = {
+ "us-central1" = {
+ type = "n1-standard-1"
+ replicas = 2
+ zones = ["us-central1-b"]
+
+ network = google_compute_network.gateways.self_link
+ ip_cidr_range = "10.200.0.0/24"
+ }
+ }
+
+ container_registry = module.google-artifact-registry.url
+
+ image_repo = module.google-artifact-registry.repo
+ image = "gateway"
+ image_tag = var.gateway_image_tag
+
+ observability_log_level = "debug"
+
+ application_name = "gateway"
+ application_version = replace(var.gateway_image_tag, ".", "-")
+
+ health_check = {
+ name = "health"
+ protocol = "TCP"
+ port = 8080
+
+ initial_delay_sec = 60
+
+ check_interval_sec = 15
+ timeout_sec = 10
+ healthy_threshold = 1
+ unhealthy_threshold = 3
+
+ http_health_check = {
+ request_path = "/healthz"
+ }
+ }
+
+ portal_websocket_url = "wss://api.${local.tld}"
+ portal_token = var.gateway_portal_token
+}
+
+
+# Allow inbound traffic
+# resource "google_compute_firewall" "ingress-ipv4" {
+# count = var.gateway_portal_token != null ? 1 : 0
+
+# project = module.google-cloud-project.project.project_id
+
+# name = "gateways-ingress-ipv4"
+# network = google_compute_network.network.self_link
+# direction = "INGRESS"
+
+# target_tags = module.gateways[0].target_tags
+# source_ranges = ["0.0.0.0/0"]
+
+# allow {
+# protocol = "udp"
+# }
+# }
+
+# resource "google_compute_firewall" "ingress-ipv6" {
+# count = var.gateway_portal_token != null ? 1 : 0
+
+# project = module.google-cloud-project.project.project_id
+
+# name = "gateways-ingress-ipv6"
+# network = google_compute_network.network.self_link
+# direction = "INGRESS"
+
+# target_tags = module.gateways[0].target_tags
+# source_ranges = ["::/0"]
+
+# allow {
+# protocol = "udp"
+# }
+# }
+
+# Allow outbound traffic
+resource "google_compute_firewall" "egress-ipv4" {
+ count = var.gateway_portal_token != null ? 1 : 0
+
+ project = module.google-cloud-project.project.project_id
+
+ name = "gateways-egress-ipv4"
+ network = google_compute_network.gateways.self_link
+ direction = "EGRESS"
+
+ target_tags = module.gateways[0].target_tags
+ destination_ranges = ["0.0.0.0/0"]
+
+ allow {
+ protocol = "udp"
+ }
+}
+
+resource "google_compute_firewall" "egress-ipv6" {
+ count = var.gateway_portal_token != null ? 1 : 0
+
+ project = module.google-cloud-project.project.project_id
+
+ name = "gateways-egress-ipv6"
+ network = google_compute_network.gateways.self_link
+ direction = "EGRESS"
+
+ target_tags = module.gateways[0].target_tags
+ destination_ranges = ["::/0"]
+
+ allow {
+ protocol = "udp"
+ }
+}
+
+resource "google_compute_firewall" "gateways-ssh-ipv4" {
+ count = length(module.gateways) > 0 ? 1 : 0
+
+ project = module.google-cloud-project.project.project_id
+
+ name = "gateways-ssh-ipv4"
+ network = module.google-cloud-vpc.self_link
+
+ allow {
+ protocol = "tcp"
+ ports = [22]
+ }
+
+ allow {
+ protocol = "udp"
+ ports = [22]
+ }
+
+ allow {
+ protocol = "sctp"
+ ports = [22]
+ }
+
+ # Only allows connections using IAP
+ source_ranges = ["35.235.240.0/20"]
+ target_tags = module.gateways[0].target_tags
+}
diff --git a/terraform/environments/production/main.tf b/terraform/environments/production/main.tf
index 1b6885a37..4cb167431 100644
--- a/terraform/environments/production/main.tf
+++ b/terraform/environments/production/main.tf
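Review bot: `compute_network` still hands the module the project's pre-existing `default` network, while the new `google_compute_network.gateways` VPC (created with `auto_create_subnetworks = false` precisely to avoid inherited rules) is only referenced by the two egress rules and by the `network` key inside `compute_instances`; because the module now builds its subnetwork in `var.compute_network` (see the gateway-app hunk), the gateway instances will land in `default`, and since GCP firewall rules only apply inside their own network, neither the egress rules on `gateways` nor the IAP-only SSH rule on `module.google-cloud-vpc` will match them. If this project's `default` network still carries GCP's auto-populated `default-allow-ssh` (tcp/22 from 0.0.0.0/0) and `default-allow-internal` rules, that also makes the `35.235.240.0/20` restriction below moot. I would set `compute_network = google_compute_network.gateways.self_link` and point the `gateways-ssh-ipv4` rule's `network` at the same VPC so the tags, the subnet and the rules all live in one network. The `network` attribute under `"us-central1"` is not declared in the module's `compute_instances` object type (the variables.tf hunk adds only `ip_cidr_range`), so it is at best ignored and, depending on the Terraform version, a plan-time "attribute not expected" error — it can be dropped once `compute_network` is fixed.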
@@ -710,55 +710,6 @@ module "relays" { portal_token = var.relay_portal_token } -# Deploy our dogfood gateways -module "gateways" { - count = var.gateway_portal_token != null ? 1 : 0 - - source = "../../modules/gateway-app" - project_id = module.google-cloud-project.project.project_id - - compute_network = "projects/${module.google-cloud-project.project.project_id}/global/networks/default" - - compute_instances = { - "us-central1" = { - type = "n1-standard-1" - replicas = 2 - zones = ["us-central1-b"] - } - } - - container_registry = module.google-artifact-registry.url - - image_repo = module.google-artifact-registry.repo - image = "gateway" - image_tag = var.gateway_image_tag - - observability_log_level = "debug" - - application_name = "gateway" - application_version = replace(var.gateway_image_tag, ".", "-") - - health_check = { - name = "health" - protocol = "TCP" - port = 8080 - - initial_delay_sec = 60 - - check_interval_sec = 15 - timeout_sec = 10 - healthy_threshold = 1 - unhealthy_threshold = 3 - - http_health_check = { - request_path = "/healthz" - } - } - - portal_websocket_url = "wss://api.${local.tld}" - portal_token = var.gateway_portal_token -} - resource "google_compute_firewall" "portal-ssh-ipv4" { project = module.google-cloud-project.project.project_id @@ -813,34 +764,6 @@ resource "google_compute_firewall" "relays-ssh-ipv4" { target_tags = module.relays[0].target_tags } -resource "google_compute_firewall" "gateways-ssh-ipv4" { - count = length(module.gateways) > 0 ? 1 : 0 - - project = module.google-cloud-project.project.project_id - - name = "gateways-ssh-ipv4" - network = module.google-cloud-vpc.self_link - - allow { - protocol = "tcp" - ports = [22] - } - - allow { - protocol = "udp" - ports = [22] - } - - allow { - protocol = "sctp" - ports = [22] - } - - # Only allows connections using IAP - source_ranges = ["35.235.240.0/20"] - target_tags = module.gateways[0].target_tags -} - module "ops" { source = "../../modules/google-cloud-ops" 
diff --git a/terraform/modules/gateway-app/main.tf b/terraform/modules/gateway-app/main.tf index 44c8fd6f0..03a370800 100644 --- a/terraform/modules/gateway-app/main.tf +++ b/terraform/modules/gateway-app/main.tf @@ -117,9 +117,25 @@ resource "google_project_iam_member" "cloudtrace" { member = "serviceAccount:${google_service_account.application.email}" } +resource "google_compute_subnetwork" "gateways" { + for_each = var.compute_instances + + project = var.project_id + + name = "gateways-${each.key}" + region = each.key + + network = var.compute_network + + stack_type = "IPV4_IPV6" + ip_cidr_range = each.value.ip_cidr_range + ipv6_access_type = "EXTERNAL" + private_ip_google_access = true +} + # Deploy app resource "google_compute_instance_template" "application" { - for_each = var.instances + for_each = var.compute_instances project = var.project_id @@ -151,7 +167,7 @@ resource "google_compute_instance_template" "application" { } network_interface { - network = var.compute_network + subnetwork = google_compute_subnetwork.gateways[each.key].self_link stack_type = "IPV4_IPV6" 
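Review bot: The new subnetwork hardcodes its name as `"gateways-${each.key}"`, whereas the rest of this module derives names from `local.application_name` (the firewall rules removed in the following hunk used `"${local.application_name}-..."`), so a second instantiation of the module in the same project and network would collide on the subnet name and the module is no longer reusable for another application; `name = "${local.application_name}-${each.key}"` keeps the naming consistent and unique per app. Separately, `ipv6_access_type = "EXTERNAL"` gives every gateway a globally routable IPv6 address; that is acceptable under GCP's implied deny-ingress rule, but since these instances are internet-facing and the subnet has no `log_config`, I would consider enabling VPC flow logs on this subnetwork so ingress to the gateways is observable for detection and forensics. Note that the `resource "google_compute_instance_template"` block touched by the second hunk continues past the end of that hunk.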
@@ -329,65 +345,3 @@ resource "google_compute_region_instance_group_manager" "application" { # ports = [var.health_check.port] # } # } - -# Allow inbound traffic -# resource "google_compute_firewall" "ingress-ipv4" { -# project = var.project_id - -# name = "${local.application_name}-ingress-ipv4" -# network = google_compute_network.network.self_link -# direction = "INGRESS" - -# target_tags = ["app-${local.application_name}"] -# source_ranges = ["0.0.0.0/0"] - -# allow { -# protocol = "udp" -# } -# } - -# resource "google_compute_firewall" "ingress-ipv6" { -# project = var.project_id - -# name = "${local.application_name}-ingress-ipv6" -# network = google_compute_network.network.self_link -# direction = "INGRESS" - -# target_tags = ["app-${local.application_name}"] -# source_ranges = ["::/0"] - -# allow { -# protocol = "udp" -# } -# } - -# Allow outbound traffic -resource "google_compute_firewall" "egress-ipv4" { - project = var.project_id - - name = "${local.application_name}-egress-ipv4" - network = google_compute_network.network.self_link - direction = "EGRESS" - - target_tags = ["app-${local.application_name}"] - destination_ranges = ["0.0.0.0/0"] - - allow { - protocol = "udp" - } -} - -resource "google_compute_firewall" "egress-ipv6" { - project = var.project_id - - name = "${local.application_name}-egress-ipv6" - network = google_compute_network.network.self_link - direction = "EGRESS" - - target_tags = ["app-${local.application_name}"] - destination_ranges = ["::/0"] - - allow { - protocol = "udp" - } -} diff --git a/terraform/modules/gateway-app/variables.tf b/terraform/modules/gateway-app/variables.tf index 6c2a4e2f7..6cfb09db2 100644 --- a/terraform/modules/gateway-app/variables.tf +++ b/terraform/modules/gateway-app/variables.tf @@ -16,6 +16,8 @@ variable "compute_instances" { type = string replicas = number zones = list(string) + + ip_cidr_range = string })) description = "List deployment locations for the application."
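Review bot: `ip_cidr_range = string` accepts any string, so a typo or an IPv6 prefix in a `compute_instances` entry is only rejected by the Compute API at apply time, after the rest of the plan has started. Assuming the module targets Terraform ≥ 0.13 (required for `alltrue` and `validation` blocks), a validation on the variable fails fast at plan time; the `variable "compute_instances"` block begins before this hunk and its closing brace is after it, so the block below would sit after the `description` line inside it.

```hcl
  description = "List deployment locations for the application."

  validation {
    condition     = alltrue([for v in var.compute_instances : can(cidrnetmask(v.ip_cidr_range))])
    error_message = "Each compute_instances entry must set ip_cidr_range to a valid IPv4 CIDR block (e.g. 10.200.0.0/24)."
  }
```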