diff --git a/shared/gstg-gprd/main.tf b/shared/gstg-gprd/main.tf
index c74d625dd08572013c4ad198cf28a727f2569e93..f80a3266d4e1827395007a485fe400480e35898a 100644
--- a/shared/gstg-gprd/main.tf
+++ b/shared/gstg-gprd/main.tf
@@ -1398,6 +1398,7 @@ module "thanos" {
   ip_cidr_range             = "${var.subnetworks["thanos"]}"
   kernel_version            = "${var.default_kernel_version}"
   machine_type              = "${var.machine_types["thanos"]}"
+  monitoring_whitelist      = "${var.monitoring_whitelist_thanos}"
   name                      = "thanos"
   node_count                = "${var.node_count["thanos"]}"
   persistent_disk_path      = "/opt/prometheus"
diff --git a/shared/gstg-gprd/variables.tf b/shared/gstg-gprd/variables.tf
index ab8929f09e2e54b764d3e3b865d4af5d9136afe2..2ea15fd4270affd787aa1fea7de016c4b2c9f8e3 100644
--- a/shared/gstg-gprd/variables.tf
+++ b/shared/gstg-gprd/variables.tf
@@ -33,6 +33,19 @@ variable "monitoring_whitelist_influxdb" {
   }
 }
 
+variable "monitoring_whitelist_thanos" {
+  type = "map"
+
+  default = {
+    # 10.250.8.x for the ops prometheus servers
+    # 10.250.3.x for the internal grafana
+    # 10.250.11.x for the public grafana
+    "subnets" = ["10.250.3.0/24", "10.250.11.0/24", "10.250.8.0/24"]
+
+    "ports" = ["10901", "10902"]
+  }
+}
+
 #################
 # Allow traffic from the ops
 # network from the alerts manager