diff --git a/README.md b/README.md
index 2eb3459..1c2c235 100644
--- a/README.md
+++ b/README.md
@@ -114,7 +114,7 @@ SERVICE_ACCOUNT_KEY
 - tcp.*$env_name*.*$dns_suffix*: Points at the TCP load balancer in front of the TCP router.
 ## Isolation Segments (optional)
-- isolation_segment **(optional)** When set to "true" creates HTTP load-balancer across 3 zones for isolation segments.
+- isolation_segment: **(optional)** When set to "true" creates HTTP load-balancer across 3 zones for isolation segments.
 - iso_seg_ssl_cert: **(optional)** SSL certificate for Iso Seg HTTP load balancer configuration. Required unless `iso_seg_ssl_ca_cert` is specified.
 - iso_seg_ssl_private_key: **(optional)** Private key for above SSL certificate. Required unless `iso_seg_ssl_ca_cert` is specified.
 - iso_seg_ssl_ca_cert: **(optional)** SSL CA certificate used to generate self-signed Iso Seg HTTP load balancer certificate. Required unless `iso_seg_ssl_cert` is specified.
@@ -129,6 +129,9 @@ SERVICE_ACCOUNT_KEY
 ## PAS Cloud Controller's Google Cloud Storage Buckets (optional)
 - create_gcs_buckets: *(optional)* When set to "false", buckets will not be created for PAS Cloud Controller. Defaults to "true".
+## PKS (optional)
+- pks: **(optional)** When set to "true" creates a tcp load-balancer for PKS api, dedicated subnets and allows access on Port `8443` to `masters` external IP address for `kubectl` access
+
 ## Running
 Note: please make sure you have created the `terraform.tfvars` file above as mentioned.
diff --git a/modules.tf b/modules.tf
index bb5d78f..1693581 100644
--- a/modules.tf
+++ b/modules.tf
@@ -20,13 +20,17 @@ module "isolation_segment" {
 module "pks" {
   source = "./pks"
-  count = "${var.pks ? 1 : 0}"
+  count = "${var.pks ? 1 : 0}"
-  env_name = "${var.env_name}"
-  network_name = "${google_compute_network.pcf-network.name}"
-  zones = "${var.zones}"
+  pks_cidr = "${var.pks_cidr}"
+  pks_services_cidr = "${var.pks_services_cidr}"
-  dns_zone_name = "${google_dns_managed_zone.env_dns_zone.name}"
-  dns_zone_dns_name = "${var.env_name}.${var.dns_suffix}"
+  env_name = "${var.env_name}"
+  network_name = "${google_compute_network.pcf-network.name}"
+  zones = "${var.zones}"
+  region = "${var.region}"
+
+  dns_zone_name = "${google_dns_managed_zone.env_dns_zone.name}"
+  dns_zone_dns_name = "${var.env_name}.${var.dns_suffix}"
 }
diff --git a/outputs.tf b/outputs.tf
index 1d3367b..c29c769 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -172,14 +172,6 @@ output "dns_managed_zone" {
   value = "${google_dns_managed_zone.env_dns_zone.name}"
 }
-output "pks_domain" {
-  value = "${module.pks.domain}"
-}
-
-output "pks_lb_backend_name" {
-  value = "${module.pks.load_balancer_name}"
-}
-
 output "sql_db_ip" {
   value = "${google_sql_database_instance.master.ip_address.0.ip_address}"
 }
@@ -205,3 +197,37 @@ output "pas_sql_password" {
   sensitive = true
   value = "${random_id.pas_db_password.b64}"
 }
+
+// PKS output
+
+output "pks_domain" {
+  value = "${module.pks.domain}"
+}
+
+output "pks_lb_backend_name" {
+  value = "${module.pks.load_balancer_name}"
+}
+
+output "pks_subnet_name" {
+  value = "${module.pks.pks_subnet_name}"
+}
+
+output "pks_subnet_gateway" {
+  value = "${module.pks.pks_subnet_gateway}"
+}
+
+output "pks_subnet_cidrs" {
+  value = ["${module.pks.pks_subnet_cidrs}"]
+}
+
+output "pks_services_subnet_name" {
+  value = "${module.pks.pks_services_subnet_name}"
+}
+
+output "pks_services_subnet_gateway" {
+  value = "${module.pks.pks_services_subnet_gateway}"
+}
+
+output "pks_services_subnet_cidrs" {
+  value = ["${module.pks.pks_services_subnet_cidrs}"]
+}
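Review bot: `pks_subnet_cidrs` and `pks_services_subnet_cidrs` near the end of the second outputs.tf hunk wrap one module string in `[...]`, so each output is a one-element list, and when `var.pks` is false it becomes `[""]` rather than `[]`, because the module side falls back to `list("")` (pks/outputs.tf in this commit). A consumer that iterates the list will therefore see an empty-string CIDR instead of nothing. Either expose the scalar the module already returns, as the other six PKS outputs do, or document the shape: `// one-element list; holds "" when the PKS module is disabled (var.pks = false)`. The plural naming originates in pks/outputs.tf, where the same rename to `..._cidr` would apply.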
diff --git a/pks/firewall.tf b/pks/firewall.tf
index 751bf0b..0373d18 100644
--- a/pks/firewall.tf
+++ b/pks/firewall.tf
@@ -1,8 +1,8 @@
-// Allow access to master node
+// Allow access to master nodes
 resource "google_compute_firewall" "pks-master" {
   name = "${var.env_name}-pks-master"
-  network = "${var.network_name}"
   count = "${var.count}"
+  network = "${var.network_name}"
   allow {
     protocol = "tcp"
@@ -11,3 +11,41 @@ resource "google_compute_firewall" "pks-master" {
   target_tags = ["master"]
 }
+
+// Allow access to PKS API
+resource "google_compute_firewall" "pks-api" {
+  name = "${var.env_name}-pks-api"
+  count = "${var.count}"
+  network = "${var.network_name}"
+
+  allow {
+    protocol = "tcp"
+    ports = ["9021", "8443"]
+  }
+
+  target_tags = ["${var.env_name}-pks-api"]
+}
+
+// Allow open access between internal VMs for a PKS deployment
+resource "google_compute_firewall" "pks-internal" {
+  name = "${var.env_name}-pks-internal"
+  count = "${var.count}"
+  network = "${var.network_name}"
+
+  allow {
+    protocol = "icmp"
+  }
+
+  allow {
+    protocol = "tcp"
+  }
+
+  allow {
+    protocol = "udp"
+  }
+
+  source_ranges = [
+    "${google_compute_subnetwork.pks-subnet.ip_cidr_range}",
+    "${google_compute_subnetwork.pks-services-subnet.ip_cidr_range}"
+  ]
+}
diff --git a/pks/networks.tf b/pks/networks.tf
new file mode 100644
index 0000000..c2ce082
--- /dev/null
+++ b/pks/networks.tf
@@ -0,0 +1,15 @@
+resource "google_compute_subnetwork" "pks-subnet" {
+  name = "${var.env_name}-pks-subnet"
+  count = "${var.count}"
+  ip_cidr_range = "${var.pks_cidr}"
+  network = "${var.network_name}"
+  region = "${var.region}"
+}
+
+resource "google_compute_subnetwork" "pks-services-subnet" {
+  name = "${var.env_name}-pks-services-subnet"
+  count = "${var.count}"
+  ip_cidr_range = "${var.pks_services_cidr}"
+  network = "${var.network_name}"
+  region = "${var.region}"
+}
diff --git a/pks/outputs.tf b/pks/outputs.tf
index 03e74b3..c1ca9cf 100644
--- a/pks/outputs.tf
+++ b/pks/outputs.tf
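Review bot: `pks-internal` at the end of the second firewall.tf hunk declares `source_ranges` but no `target_tags` or `target_service_accounts`, so it applies to every instance in `var.network_name`, not only PKS VMs; any other VM on the shared network then accepts all TCP, UDP and ICMP from the two PKS subnets. Adding `target_tags = ["<tag carried by PKS-managed VMs>"]` (placeholder; confirm which tag those VMs receive) keeps the open rule within the PKS footprint. `pks-api` above it sets no `source_ranges` either, so the provider default of `0.0.0.0/0` applies to 9021 and 8443; a module variable such as `pks_api_source_ranges` with that default would let operators narrow it without editing the module. `pks-internal`'s `source_ranges` also references the counted subnets without an index, unlike the `.*.`-splat form pks/outputs.tf uses for the same resources — worth confirming it still plans when `var.count` is 0.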
@@ -5,3 +5,27 @@ output "load_balancer_name" {
 output "domain" {
   value = "${replace(replace(element(concat(google_dns_record_set.wildcard-pks-dns.*.name, list("")), 0), "/^\\*\\./", ""), "/\\.$/", "")}"
 }
+
+output "pks_subnet_name" {
+  value = "${element(concat(google_compute_subnetwork.pks-subnet.*.name, list("")), 0)}"
+}
+
+output "pks_subnet_gateway" {
+  value = "${element(concat(google_compute_subnetwork.pks-subnet.*.gateway_address, list("")), 0)}"
+}
+
+output "pks_subnet_cidrs" {
+  value = "${element(concat(google_compute_subnetwork.pks-subnet.*.ip_cidr_range, list("")), 0)}"
+}
+
+output "pks_services_subnet_name" {
+  value = "${element(concat(google_compute_subnetwork.pks-services-subnet.*.name, list("")), 0)}"
+}
+
+output "pks_services_subnet_gateway" {
+  value = "${element(concat(google_compute_subnetwork.pks-services-subnet.*.gateway_address, list("")), 0)}"
+}
+
+output "pks_services_subnet_cidrs" {
+  value = "${element(concat(google_compute_subnetwork.pks-services-subnet.*.ip_cidr_range, list("")), 0)}"
+}
diff --git a/pks/pks_api_router.tf b/pks/pks_api_router.tf
index f60aa89..e2257b8 100644
--- a/pks/pks_api_router.tf
+++ b/pks/pks_api_router.tf
@@ -1,24 +1,10 @@
-// Allow access to TCP router
-resource "google_compute_firewall" "pks-api" {
-  name = "${var.env_name}-pks-api"
-  network = "${var.network_name}"
-  count = "${var.count}"
-
-  allow {
-    protocol = "tcp"
-    ports = ["9021"]
-  }
-
-  target_tags = ["${var.env_name}-pks-api"]
-}
-
 // Static IP address for forwarding rule
 resource "google_compute_address" "pks-api" {
   name = "${var.env_name}-pks-api"
   count = "${var.count}"
 }
-// TCP target pool
+// PKS target pool
 resource "google_compute_target_pool" "pks-api" {
   name = "${var.env_name}-pks-api"
   count = "${var.count}"
@@ -26,12 +12,21 @@ resource "google_compute_target_pool" "pks-api" {
   health_checks = []
 }
-// TCP forwarding rule
-resource "google_compute_forwarding_rule" "pks-api" {
-  name = "${var.env_name}-pks-api"
+// TCP forwarding rules
+resource "google_compute_forwarding_rule" "pks-api-9021" {
+  name = "${var.env_name}-pks-api-9021"
+  count = "${var.count}"
   target = "${google_compute_target_pool.pks-api.self_link}"
   port_range = "9021"
   ip_protocol = "TCP"
   ip_address = "${google_compute_address.pks-api.address}"
+}
+
+resource "google_compute_forwarding_rule" "pks-api-8443" {
+  name = "${var.env_name}-pks-api-8443"
   count = "${var.count}"
+  target = "${google_compute_target_pool.pks-api.self_link}"
+  port_range = "8443"
+  ip_protocol = "TCP"
+  ip_address = "${google_compute_address.pks-api.address}"
 }
diff --git a/pks/variables.tf b/pks/variables.tf
index 79e9edd..f057b8a 100644
--- a/pks/variables.tf
+++ b/pks/variables.tf
@@ -1,12 +1,14 @@
 variable "count" {}
-variable "zones" {
-  type = "list"
-}
+variable "pks_cidr" {}
+variable "pks_services_cidr" {}
 variable "env_name" {}
-
 variable "network_name" {}
+variable "zones" {
+  type = "list"
+}
+variable "region" {}
 variable "dns_zone_dns_name" {}
diff --git a/variables.tf b/variables.tf
index a85b11d..0370f05 100644
--- a/variables.tf
+++ b/variables.tf
@@ -162,3 +162,15 @@ variable "pks" {
   description = "Create the required infrastructure to deploy pks."
   default = false
 }
+
+variable "pks_cidr" {
+  type = "string"
+  description = "cidr for pks subnet"
+  default = "10.0.10.0/24"
+}
+
+variable "pks_services_cidr" {
+  type = "string"
+  description = "cidr for pks services subnet"
+  default = "10.0.11.0/24"
+}
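Review bot: Renaming `google_compute_forwarding_rule.pks-api` to `pks-api-9021` in the pks_api_router.tf hunk changes the resource address, so on an already-deployed environment the next apply destroys the old rule and creates the new one instead of updating it in place, briefly dropping PKS API traffic on 9021. Moving the state entry with `terraform state mv` before applying, or calling out the replacement in the commit message, avoids the surprise. The second rule duplicates `target`, `ip_protocol` and `ip_address` from the first; a one-line comment such as `// both rules share the PKS API address and target pool; only the port differs` makes the intent explicit.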
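Review bot: The new `pks_cidr`, `pks_services_cidr` and `region` variables in the pks/variables.tf hunk are declared as bare `{}` with no `type` or `description`, while `zones` right below them carries `type = "list"` and the root variables.tf in this commit documents the same CIDRs. Adding `type = "string"` and a one-line `description` (e.g. `description = "CIDR for the PKS subnet"`) to each keeps the module self-describing and rejects a list passed by mistake at plan time.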
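Review bot: The defaults `10.0.10.0/24` and `10.0.11.0/24` in the variables.tf hunk become subnet ranges in the shared `pcf-network`, and nothing here states that they must not overlap the ranges this file already assigns to other subnets; GCP rejects overlapping subnets within one VPC only at apply time. Whether these defaults collide with the existing infrastructure or PAS ranges is not visible in this hunk — confirm against the earlier variables in this file — and the constraint is worth recording: `description = "CIDR for the PKS subnet; must not overlap any other subnet in the PCF network"`.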