diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 0da956c65ca..ac48114fa0f 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -8,6 +8,7 @@ locals {
 rdp = {
 inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.0.0/16"]
 }
+ rdgateway = [module.ip_addresses.mp_cidr.development_test]
 oracle_db = flatten([
 module.ip_addresses.azure_fixngo_cidrs.devtest,
 module.ip_addresses.moj_cidr.aws_cloud_platform_vpc,
@@ -41,6 +42,7 @@ locals {
 module.ip_addresses.azure_fixngo_cidrs.prod,
 ])
 }
+ rdgateway = [module.ip_addresses.mp_cidr.preproduction_production]
 oracle_db = flatten([
 module.ip_addresses.azure_fixngo_cidrs.prod,
 module.ip_addresses.moj_cidr.aws_cloud_platform_vpc,
@@ -200,6 +202,20 @@ locals {
 protocol = "UDP"
 cidr_blocks = local.security_group_cidrs.jumpservers
 }
+ rdp_tcp_gw = {
+ description = "3389: Allow RDP ingress from hmpps domain services RDGateway"
+ from_port = 3389
+ to_port = 3389
+ protocol = "TCP"
+ cidr_blocks = local.security_group_cidrs.rdgateway
+ }
+ rdp_udp_gw = {
+ description = "3389: Allow RDP ingress from hmpps domain services RDGateway"
+ from_port = 3389
+ to_port = 3389
+ protocol = "UDP"
+ cidr_blocks = local.security_group_cidrs.rdgateway
+ }
 winrm_web = {
 description = "5985-6: Allow WinRM ingress"
 from_port = 5985
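Review bot: The new `rdgateway` source list is a whole environment-tier range (`module.ip_addresses.mp_cidr.development_test` here, `module.ip_addresses.mp_cidr.preproduction_production` in the hunk at -41), while the rules that consume it are described as allowing RDP from the RDGateway itself. The module's values are not visible in this diff, but if those names cover the full dev/test and preprod/prod address space, every host in that range can reach 3389 on these instances, not only the gateway. If the module exports the gateway's subnet or address, use that instead; otherwise record the breadth next to the line, e.g. `# whole mp_cidr.development_test range: no narrower RD Gateway CIDR available yet`. The enclosing map starts and ends outside both hunks.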
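Review bot: `rdp_tcp_gw` and `rdp_udp_gw` are added here and again verbatim in the hunk at -320, so a later tightening of the source list or port has to be made in two places and can be applied to one security group and missed on the other. Consider defining the pair once in a local (for example `rdgateway_rdp_rules`, a suggested name) and merging it into both ingress maps, assuming those maps are built in a way that allows `merge()`; the enclosing blocks start outside both hunks. The two descriptions are also identical, so naming the protocol, `"3389: Allow RDP TCP ingress from hmpps domain services RDGateway"` and the UDP equivalent, would make the rules distinguishable in the console and in audits.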
@@ -320,6 +336,20 @@ locals {
 protocol = "UDP"
 cidr_blocks = local.security_group_cidrs.jumpservers
 }
+ rdp_tcp_gw = {
+ description = "3389: Allow RDP ingress from hmpps domain services RDGateway"
+ from_port = 3389
+ to_port = 3389
+ protocol = "TCP"
+ cidr_blocks = local.security_group_cidrs.rdgateway
+ }
+ rdp_udp_gw = {
+ description = "3389: Allow RDP ingress from hmpps domain services RDGateway"
+ from_port = 3389
+ to_port = 3389
+ protocol = "UDP"
+ cidr_blocks = local.security_group_cidrs.rdgateway
+ }
 winrm_app = {
 description = "5985-6: Allow WinRM ingress"
 from_port = 5985