diff --git a/confluent/workshop-fraud-detection-demo/aws_resources/aws_redshift.tf b/confluent/workshop-fraud-detection-demo/aws_resources/aws_redshift.tf
index 7a1f415..33443da 100644
--- a/confluent/workshop-fraud-detection-demo/aws_resources/aws_redshift.tf
+++ b/confluent/workshop-fraud-detection-demo/aws_resources/aws_redshift.tf
@@ -12,6 +12,42 @@ resource "aws_security_group" "redshift_sg" {
     cidr_blocks = [var.vpc_cidr]
   }
 
+  ingress {
+    description = "Allow Confluent Cloud access"
+    from_port   = 5439
+    to_port     = 5439
+    protocol    = "tcp"
+    cidr_blocks = [
+      "3.217.171.197/32",
+      "3.227.73.0/32",
+      "3.234.42.230/32",
+      "18.204.235.237/32",
+      "18.232.30.126/32",
+      "34.204.253.120/32",
+      "34.205.233.46/32",
+      "34.231.151.179/32",
+      "35.173.154.142/32",
+      "52.3.108.122/32",
+      "52.4.168.0/32",
+      "52.5.120.21/32",
+      "52.45.226.34/32",
+      "52.55.155.248/32",
+      "52.73.34.234/32",
+      "52.201.77.94/32",
+      "54.83.252.163/32",
+      "54.146.88.203/32",
+      "54.156.105.40/32",
+      "54.172.40.193/32",
+      "54.204.102.217/32",
+      "54.204.113.211/32",
+      "54.237.164.14/32",
+      "54.242.207.111/32",
+      "54.243.244.175/32",
+      "100.24.204.241/32",
+      "107.21.116.39/32"
+    ]
+  }
+
   egress {
     description = "Allow all outbound traffic"
     from_port   = 0