diff --git a/terraform/environments/apex/application_variables.json b/terraform/environments/apex/application_variables.json
index eaf5ade4723..09dfde337ef 100644
--- a/terraform/environments/apex/application_variables.json
+++ b/terraform/environments/apex/application_variables.json
@@ -51,7 +51,8 @@
 "alb_target_5xx_alarm_threshold": "1",
 "alb_elb_5xx_alarm_threshold": "10",
 "alb_target_4xx_alarm_threshold": "10",
- "alb_elb_4xx_alarm_threshold": "10"
+ "alb_elb_4xx_alarm_threshold": "10",
+ "oas_lz_cidr": "10.202.4.85/32"
 },
 "test": {
 "example_var": "test-data"
diff --git a/terraform/environments/apex/ec2.tf b/terraform/environments/apex/ec2.tf
index c23c41c3eb4..4889b4e8eb9 100644
--- a/terraform/environments/apex/ec2.tf
+++ b/terraform/environments/apex/ec2.tf
@@ -91,6 +91,16 @@ resource "aws_vpc_security_group_ingress_rule" "db_workspace" {
 to_port = 1521
 }
 
+# This is a temp rule whilst OAS resides in LZ
+resource "aws_vpc_security_group_ingress_rule" "oas_lz" {
+ security_group_id = aws_security_group.database.id
+ description = "Allow OAS in LZ to access APEX"
+ cidr_ipv4 = local.application_data.accounts[local.environment].oas_lz_cidr
+ from_port = 1521
+ ip_protocol = "tcp"
+ to_port = 1521
+}
+
 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
 security_group_id = aws_security_group.database.id
 cidr_ipv4 = "0.0.0.0/0"
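Review bot: The new `oas_lz` rule in ec2.tf reads `local.application_data.accounts[local.environment].oas_lz_cidr` unconditionally, but the application_variables.json hunk adds `oas_lz_cidr` to only one account block (the visible `test` block still holds just `example_var`), so a plan in any environment without the key would presumably fail on the missing attribute. Either add the key to every environment that applies this file or guard the resource, e.g. `count = can(local.application_data.accounts[local.environment].oas_lz_cidr) ? 1 : 0`; a fallback CIDR is the wrong fix, because a default here would quietly widen access to port 1521 on the database security group. The comment marks the rule as temporary but gives no removal condition, so I would extend it to something like `# Temporary: remove once OAS has moved out of LZ (tracked in <TICKET-PLACEHOLDER>)` so the exception does not outlive its purpose.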