diff --git a/pkg/asset/installconfig/powervs/client.go b/pkg/asset/installconfig/powervs/client.go
index 49641b8dbf9..c2127801968 100644
--- a/pkg/asset/installconfig/powervs/client.go
+++ b/pkg/asset/installconfig/powervs/client.go
@@ -80,8 +80,9 @@ type API interface {
 	ServiceInstanceNameToGUID(ctx context.Context, name string) (string, error)
 
 	// Security Group
+	ListSecurityGroups(ctx context.Context, vpcID string, regions string) ([]vpcv1.SecurityGroup, error)
 	ListSecurityGroupRules(ctx context.Context, securityGroupID string) (*vpcv1.SecurityGroupRuleCollection, error)
-	AddSecurityGroupRule(ctx context.Context, securityGroupID string, rule *vpcv1.SecurityGroupRulePrototype) error
+	AddSecurityGroupRule(ctx context.Context, vpcID string, sgID string, rule *vpcv1.SecurityGroupRulePrototype) error
 
 	// SSH
 	CreateSSHKey(ctx context.Context, serviceInstance string, zone string, sshKeyName string, sshKey string) error
@@ -1280,6 +1281,44 @@ func (c *Client) getTransitConnections(ctx context.Context, tgID string) ([]tran
 	return result, nil
 }
 
+func (c *Client) ListSecurityGroups(ctx context.Context, vpcID string, region string) ([]vpcv1.SecurityGroup, error) {
+	var groupID string
+	localContext, cancel := context.WithTimeout(ctx, 1*time.Minute)
+	defer cancel()
+	groups, err := c.ListResourceGroups(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list resource groups: %w", err)
+	}
+
+	err = c.SetVPCServiceURLForRegion(ctx, region)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, group := range groups.Resources {
+		if *group.Name == c.BXCli.PowerVSResourceGroup {
+			groupID = *group.ID
+		}
+	}
+	listSecurityGroupOptions := c.vpcAPI.NewListSecurityGroupsOptions()
+	listSecurityGroupOptions.SetVPCID(vpcID)
+	listSecurityGroupOptions.SetResourceGroupID(groupID)
+	securityGroupsPager, err := c.vpcAPI.NewSecurityGroupsPager(listSecurityGroupOptions)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating pager for security group lookup: %w", err)
+	}
+
+	securityGroups, err := securityGroupsPager.GetAllWithContext(localContext)
+	logrus.Debugf("%v security groups found", len(securityGroups))
+	if err != nil {
+		return nil, fmt.Errorf("failed collecting all security groups with pager: %w", err)
+	}
+	for _, sg := range securityGroups {
+		logrus.Debugf("SG Name %v found", *sg.Name)
+	}
+	return securityGroups, nil
+}
+
 // ListSecurityGroupRules returns a list of the security group rules.
 func (c *Client) ListSecurityGroupRules(ctx context.Context, securityGroupID string) (*vpcv1.SecurityGroupRuleCollection, error) {
 	logrus.Debugf("ListSecurityGroupRules: securityGroupID = %s", securityGroupID)
@@ -1312,8 +1351,8 @@ func (c *Client) ListSecurityGroupRules(ctx context.Context, securityGroupID str
 }
 
 // AddSecurityGroupRule adds a security group rule to an existing security group.
-func (c *Client) AddSecurityGroupRule(ctx context.Context, securityGroupID string, rule *vpcv1.SecurityGroupRulePrototype) error {
-	logrus.Debugf("AddSecurityGroupRule: securityGroupID = %s, rule = %+v", securityGroupID, *rule)
+func (c *Client) AddSecurityGroupRule(ctx context.Context, vpcID string, sgID string, rule *vpcv1.SecurityGroupRulePrototype) error {
+	logrus.Debugf("AddSecurityGroupRule: vpcID = %s, rule = %+v", vpcID, *rule)
 
 	var (
 		vpcOptions  *vpcv1.GetVPCOptions
@@ -1324,7 +1363,7 @@ func (c *Client) AddSecurityGroupRule(ctx context.Context, securityGroupID strin
 		err         error
 	)
 
-	vpcOptions = c.vpcAPI.NewGetVPCOptions(securityGroupID)
+	vpcOptions = c.vpcAPI.NewGetVPCOptions(vpcID)
 
 	vpc, response, err = c.vpcAPI.GetVPC(vpcOptions)
 	if err != nil {
@@ -1333,7 +1372,11 @@ func (c *Client) AddSecurityGroupRule(ctx context.Context, securityGroupID strin
 	logrus.Debugf("AddSecurityGroupRule: vpc = %+v", vpc)
 
 	optionsCSGR = &vpcv1.CreateSecurityGroupRuleOptions{}
-	optionsCSGR.SetSecurityGroupID(*vpc.DefaultSecurityGroup.ID)
+	if sgID == "" {
+		optionsCSGR.SetSecurityGroupID(*vpc.DefaultSecurityGroup.ID)
+	} else {
+		optionsCSGR.SetSecurityGroupID(sgID)
+	}
 	optionsCSGR.SetSecurityGroupRulePrototype(rule)
 
 	result, response, err = c.vpcAPI.CreateSecurityGroupRuleWithContext(ctx, optionsCSGR)
diff --git a/pkg/asset/installconfig/powervs/metadata.go b/pkg/asset/installconfig/powervs/metadata.go
index 06395b64a07..4c686c382d0 100644
--- a/pkg/asset/installconfig/powervs/metadata.go
+++ b/pkg/asset/installconfig/powervs/metadata.go
@@ -462,7 +462,7 @@ func (m *Metadata) SetVPCServiceURLForRegion(ctx context.Context, vpcRegion stri
 }
 
 // AddSecurityGroupRule adds a security group rule to the specified VPC.
-func (m *Metadata) AddSecurityGroupRule(ctx context.Context, rule *vpcv1.SecurityGroupRulePrototype, vpcID string) error {
+func (m *Metadata) AddSecurityGroupRule(ctx context.Context, rule *vpcv1.SecurityGroupRulePrototype, vpcID string, sgID string) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
@@ -479,7 +479,7 @@ func (m *Metadata) AddSecurityGroupRule(ctx context.Context, rule *vpcv1.Securit
 
 	var lastErr error
 	err = wait.ExponentialBackoffWithContext(ctx, backoff, func(context.Context) (bool, error) {
-		lastErr = client.AddSecurityGroupRule(ctx, vpcID, rule)
+		lastErr = client.AddSecurityGroupRule(ctx, vpcID, sgID, rule)
 		return lastErr == nil, nil
 	})
 
diff --git a/pkg/asset/manifests/powervs/cluster.go b/pkg/asset/manifests/powervs/cluster.go
index 0aa749a4913..f8183a230c0 100644
--- a/pkg/asset/manifests/powervs/cluster.go
+++ b/pkg/asset/manifests/powervs/cluster.go
@@ -168,6 +168,7 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 
 	bucketName = fmt.Sprintf("%s-bootstrap-ign", clusterID.InfraID)
 
+	vpcSecurityGroups := getVPCSecurityGroups(clusterID.InfraID, installConfig.Config.Publish)
 	powerVSCluster = &capibm.IBMPowerVSCluster{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: capibm.GroupVersion.String(),
@@ -187,8 +188,9 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 			DHCPServer: &capibm.DHCPServer{
 				Cidr: &dhcpSubnet,
 			},
-			ServiceInstance: &service,
-			Zone:            &installConfig.Config.Platform.PowerVS.Zone,
+			VPCSecurityGroups: vpcSecurityGroups,
+			ServiceInstance:   &service,
+			Zone:              &installConfig.Config.Platform.PowerVS.Zone,
 			ResourceGroup: &capibm.IBMPowerVSResourceReference{
 				Name: &installConfig.Config.Platform.PowerVS.PowerVSResourceGroup,
 			},
@@ -207,6 +209,11 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 						//	Port: 6443,
 						// },
 					},
+					SecurityGroups: []capibm.VPCResource{
+						{
+							Name: ptr.To(fmt.Sprintf("%s-%s", clusterID.InfraID, kubeAPILBSGNameSuffix)),
+						},
+					},
 				},
 				{
 					Name:   fmt.Sprintf("%s-loadbalancer-int", clusterID.InfraID),
diff --git a/pkg/asset/manifests/powervs/securitygroups.go b/pkg/asset/manifests/powervs/securitygroups.go
new file mode 100644
index 00000000000..d89d702125c
--- /dev/null
+++ b/pkg/asset/manifests/powervs/securitygroups.go
@@ -0,0 +1,111 @@
+package powervs
+
+import (
+	"fmt"
+
+	"k8s.io/utils/ptr"
+	capibmcloud "sigs.k8s.io/cluster-api-provider-ibmcloud/api/v1beta2"
+
+	"github.com/openshift/installer/pkg/types"
+)
+
+const (
+	bootstrapSGNameSuffix    = "sg-bootstrap"
+	clusterWideSGNameSuffix  = "sg-clusterwide"
+	controlPlaneSGNameSuffix = "sg-control-plane"
+	cpInternalSGNameSuffix   = "sg-cp-internal"
+	kubeAPILBSGNameSuffix    = "sg-kube-api-lb"
+	openshiftNetSGNameSuffix = "sg-openshift-net"
+)
+
+func buildBootstrapSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+	bootstrapSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, bootstrapSGNameSuffix))
+	return capibmcloud.VPCSecurityGroup{
+		Name: bootstrapSGNamePtr,
+		Rules: []*capibmcloud.VPCSecurityGroupRule{
+			{
+				// SSH inbound bootstrap
+				Action:    capibmcloud.VPCSecurityGroupRuleActionAllow,
+				Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+				Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+					PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+						MaximumPort: 22,
+						MinimumPort: 22,
+					},
+					Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+					Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+						{
+							RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func buildClusterWideSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+	clusterWideSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, clusterWideSGNameSuffix))
+	return capibmcloud.VPCSecurityGroup{
+		Name: clusterWideSGNamePtr,
+	}
+}
+
+func buildControlPlaneSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+	controlPlaneSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, controlPlaneSGNameSuffix))
+	return capibmcloud.VPCSecurityGroup{
+		Name: controlPlaneSGNamePtr,
+	}
+}
+
+func buildCPInternalSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+	cpInternalSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, cpInternalSGNameSuffix))
+	return capibmcloud.VPCSecurityGroup{
+		Name: cpInternalSGNamePtr,
+	}
+}
+
+func buildKubeAPILBSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+	kubeAPILBSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, kubeAPILBSGNameSuffix))
+	return capibmcloud.VPCSecurityGroup{
+		Name: kubeAPILBSGNamePtr,
+		Rules: []*capibmcloud.VPCSecurityGroupRule{
+			{
+				// SSH inbound bootstrap
+				Action:    capibmcloud.VPCSecurityGroupRuleActionAllow,
+				Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+				Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+					PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+						MaximumPort: 6443,
+						MinimumPort: 6443,
+					},
+					Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+					Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+						{
+							RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func buildOpenShiftNetSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup {
+	clusterWideSGNamePtr := ptr.To(fmt.Sprintf("%s-%s", infraID, clusterWideSGNameSuffix))
+	return capibmcloud.VPCSecurityGroup{
+		Name: clusterWideSGNamePtr,
+	}
+}
+
+func getVPCSecurityGroups(infraID string, publishStrategy types.PublishingStrategy) []capibmcloud.VPCSecurityGroup {
+	// IBM Power VS will rely on 6 SecurityGroups to manage traffic and 1 SecurityGroup for bootstrapping.
+	securityGroups := make([]capibmcloud.VPCSecurityGroup, 0, 6)
+	securityGroups = append(securityGroups, buildKubeAPILBSecurityGroup(infraID))
+	securityGroups = append(securityGroups, buildBootstrapSecurityGroup(infraID))
+	securityGroups = append(securityGroups, buildClusterWideSecurityGroup(infraID))
+	securityGroups = append(securityGroups, buildControlPlaneSecurityGroup(infraID))
+	securityGroups = append(securityGroups, buildCPInternalSecurityGroup(infraID))
+	securityGroups = append(securityGroups, buildOpenShiftNetSecurityGroup(infraID))
+	return securityGroups
+}
diff --git a/pkg/infrastructure/powervs/clusterapi/powervs.go b/pkg/infrastructure/powervs/clusterapi/powervs.go
index b2866aae609..136ba96e24c 100644
--- a/pkg/infrastructure/powervs/clusterapi/powervs.go
+++ b/pkg/infrastructure/powervs/clusterapi/powervs.go
@@ -6,9 +6,15 @@ import (
 	"math"
 	"reflect"
 	"regexp"
+	"strings"
 	"time"
 
 	"github.com/IBM/vpc-go-sdk/vpcv1"
+	powervsconfig "github.com/openshift/installer/pkg/asset/installconfig/powervs"
+	"github.com/openshift/installer/pkg/asset/manifests/capiutils"
+	"github.com/openshift/installer/pkg/infrastructure/clusterapi"
+	"github.com/openshift/installer/pkg/types"
+	powervstypes "github.com/openshift/installer/pkg/types/powervs"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -16,12 +22,6 @@ import (
 	"k8s.io/utils/ptr"
 	capibm "sigs.k8s.io/cluster-api-provider-ibmcloud/api/v1beta2"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
-
-	powervsconfig "github.com/openshift/installer/pkg/asset/installconfig/powervs"
-	"github.com/openshift/installer/pkg/asset/manifests/capiutils"
-	"github.com/openshift/installer/pkg/infrastructure/clusterapi"
-	"github.com/openshift/installer/pkg/types"
-	powervstypes "github.com/openshift/installer/pkg/types/powervs"
 )
 
 // Provider is the vSphere implementation of the clusterapi InfraProvider.
@@ -29,6 +29,13 @@ type Provider struct {
 	clusterapi.InfraProvider
 }
 
+type SGIDCollection struct {
+	ClusterWideSGID  string
+	CPInternalSGID   string
+	KubeAPILBSGID    string
+	OpenShiftNetSGID string
+}
+
 var _ clusterapi.Timeouts = (*Provider)(nil)
 var _ clusterapi.InfraReadyProvider = (*Provider)(nil)
 var _ clusterapi.Provider = (*Provider)(nil)
@@ -74,8 +81,16 @@ func (p Provider) ProvisionTimeout() time.Duration {
 // to create DNS records.
 func (p Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput) error {
 	var (
-		err  error
-		rule *vpcv1.SecurityGroupRulePrototype
+		client *powervsconfig.Client
+		// bootstrap Bootstrap
+		clusterwide  ClusterWide
+		controlplane ControlPlane
+		cpInternal   CPInternal
+		kubeapilb    KubeAPILB
+		openShiftNet OpenShiftNet
+		groups       []vpcv1.SecurityGroup
+		rule         *vpcv1.SecurityGroupRulePrototype
+		err          error
 	)
 
 	logrus.Debugf("InfraReady: in = %+v", in)
@@ -146,7 +161,7 @@ func (p Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput)
 		}
 
 		logrus.Debugf("InfraReady: Adding port %d to security group rule to %v", port, *powerVSCluster.Status.VPC.ID)
-		err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID)
+		err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, "")
 		if err != nil {
 			return fmt.Errorf("failed to add security group rule for port %d: %w", port, err)
 		}
@@ -158,11 +173,103 @@ func (p Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput)
 		Protocol:  ptr.To("icmp"),
 	}
 
-	err = in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID)
+	err = in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, "")
 	if err != nil {
 		return fmt.Errorf("failed to add ping security group rule: %w", err)
 	}
 
+	client, err = powervsconfig.NewClient()
+	if err != nil {
+		return fmt.Errorf("failed to get NewClient in PostProvision: %w", err)
+	}
+	logrus.Debugf("Region is %v ", in.InstallConfig.Config.PowerVS.Region)
+	groups, err = client.ListSecurityGroups(ctx, *powerVSCluster.Status.VPC.ID, in.InstallConfig.Config.PowerVS.Region)
+	if err != nil {
+		return fmt.Errorf("failed to list security groups")
+	}
+	sgIDs := SGIDCollection{}
+	for _, sg := range groups {
+		if strings.Contains(*sg.Name, "clusterwide") {
+			sgIDs.ClusterWideSGID = *sg.ID
+		} else if strings.Contains(*sg.Name, "cp-internal") {
+			sgIDs.CPInternalSGID = *sg.ID
+		} else if strings.Contains(*sg.Name, "kube-api") {
+			sgIDs.KubeAPILBSGID = *sg.ID
+		} else if strings.Contains(*sg.Name, "openshift-net") {
+			sgIDs.OpenShiftNetSGID = *sg.ID
+		}
+	}
+	logrus.Debugf("Found %v security groups", len(groups))
+	for _, sg := range groups {
+		logrus.Debugf("Found security group %v", sg.Name)
+		if strings.Contains(*sg.Name, "kube") {
+			logrus.Debugf("Found Kube-API security group")
+			rules := GetSGRules(kubeapilb, sgIDs)
+			logrus.Debugf("Number of security group rules are %v", len(rules))
+			for _, rule := range rules {
+				logrus.Debugf("Adding security group rule: Direction: %w, Protocol: %w, Max port: %w, Min port: %w", *rule.Direction, *rule.Protocol, *rule.PortMax, *rule.PortMin)
+				err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, *sg.ID)
+				if err != nil {
+					return fmt.Errorf("failed to add security group rule %w", err)
+				} else {
+					logrus.Debugf("Kube API LB rule added")
+				}
+			}
+		} else if strings.Contains(*sg.Name, "clusterwide") {
+			logrus.Debugf("Found ClusterWide security group")
+			rules := GetSGRules(clusterwide, sgIDs)
+			logrus.Debugf("Number of security group rules are %v", len(rules))
+			for _, rule := range rules {
+				logrus.Debugf("Adding security group rule: Direction: %v, Protocol: %v, Max port: %v, Min port: %v", *rule.Direction, *rule.Protocol, *rule.PortMax, *rule.PortMin)
+				err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, *sg.ID)
+				if err != nil {
+					return fmt.Errorf("failed to add security group rule %v", err)
+				} else {
+					logrus.Debugf("ClusterWide SG rule added")
+				}
+			}
+		} else if strings.Contains(*sg.Name, "control-plane") {
+			logrus.Debugf("Found ControlPlane security group")
+			rules := GetSGRules(controlplane, sgIDs)
+			logrus.Debugf("Number of security group rules are %v", len(rules))
+			for _, rule := range rules {
+				logrus.Debugf("Adding security group rule: Direction: %v, Protocol: %v, Max port: %v, Min port: %v", *rule.Direction, *rule.Protocol, *rule.PortMax, *rule.PortMin)
+				err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, *sg.ID)
+				if err != nil {
+					return fmt.Errorf("failed to add security group rule %v", err)
+				} else {
+					logrus.Debugf("ControlPlane SG rule added")
+				}
+			}
+		} else if strings.Contains(*sg.Name, "cp-internal") {
+			logrus.Debugf("Found ControlPlaneInternal security group")
+			rules := GetSGRules(cpInternal, sgIDs)
+			logrus.Debugf("Number of security group rules are %v", len(rules))
+			for _, rule := range rules {
+				logrus.Debugf("Adding security group rule: Direction: %v, Protocol: %v, Max port: %v, Min port: %v", *rule.Direction, *rule.Protocol, *rule.PortMax, *rule.PortMin)
+				err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, *sg.ID)
+				if err != nil {
+					return fmt.Errorf("failed to add security group rule %v", err)
+				} else {
+					logrus.Debugf("CPInternal SG rule added")
+				}
+			}
+		} else if strings.Contains(*sg.Name, "openshift-net") {
+			logrus.Debugf("Found OpenShift-net security group")
+			rules := GetSGRules(openShiftNet, sgIDs)
+			logrus.Debugf("Number of security group rules are %v", len(rules))
+			for _, rule := range rules {
+				logrus.Debugf("Adding security group rule: Direction: %v, Protocol: %v, Max port: %v, Min port: %v", *rule.Direction, *rule.Protocol, *rule.PortMax, *rule.PortMin)
+				err := in.InstallConfig.PowerVS.AddSecurityGroupRule(ctx, rule, *powerVSCluster.Status.VPC.ID, *sg.ID)
+				if err != nil {
+					return fmt.Errorf("failed to add security group rule %v", err)
+				} else {
+					logrus.Debugf("OpenShiftNet SG rule added")
+				}
+			}
+		}
+	}
+
 	if in.InstallConfig.Config.Publish == types.InternalPublishingStrategy &&
 		(len(in.InstallConfig.Config.ImageDigestSources) > 0 || len(in.InstallConfig.Config.DeprecatedImageContentSources) > 0) {
 		vpcID := *powerVSCluster.Status.VPC.ID
diff --git a/pkg/infrastructure/powervs/clusterapi/securitygroups.go b/pkg/infrastructure/powervs/clusterapi/securitygroups.go
new file mode 100644
index 00000000000..6bdc01285a9
--- /dev/null
+++ b/pkg/infrastructure/powervs/clusterapi/securitygroups.go
@@ -0,0 +1,148 @@
+package clusterapi
+
+import (
+	"github.com/IBM/vpc-go-sdk/vpcv1"
+	"k8s.io/utils/ptr"
+)
+
+type Rules interface {
+	GetRules(SGIDCollection) []*vpcv1.SecurityGroupRulePrototype
+}
+type ClusterWide struct{}
+type ControlPlane struct{}
+type CPInternal struct{}
+type KubeAPILB struct{}
+type OpenShiftNet struct{}
+
+func GetSGRules(r Rules, sgIDs SGIDCollection) []*vpcv1.SecurityGroupRulePrototype {
+	return r.GetRules(sgIDs)
+}
+
+func (ClusterWide) GetRules(sgIDs SGIDCollection) []*vpcv1.SecurityGroupRulePrototype {
+	return []*vpcv1.SecurityGroupRulePrototype{
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("icmp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("udp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(4789)),
+			PortMax: ptr.To(int64(4789)),
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("udp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(6081)),
+			PortMax: ptr.To(int64(6081)),
+		},
+	}
+}
+
+func (ControlPlane) GetRules(sgIDs SGIDCollection) []*vpcv1.SecurityGroupRulePrototype {
+	return []*vpcv1.SecurityGroupRulePrototype{
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(5443)),
+			PortMax: ptr.To(int64(5443)),
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(10257)),
+			PortMax: ptr.To(int64(10259)),
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.KubeAPILBSGID,
+			},
+			PortMin: ptr.To(int64(6443)),
+			PortMax: ptr.To(int64(6443)),
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.KubeAPILBSGID,
+			},
+			PortMin: ptr.To(int64(22623)),
+			PortMax: ptr.To(int64(22623)),
+		},
+	}
+}
+
+func (CPInternal) GetRules(sgIDs SGIDCollection) []*vpcv1.SecurityGroupRulePrototype {
+	return []*vpcv1.SecurityGroupRulePrototype{
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.CPInternalSGID,
+			},
+			PortMin: ptr.To(int64(2379)),
+			PortMax: ptr.To(int64(2380)),
+		},
+	}
+}
+
+func (KubeAPILB) GetRules(sgIDs SGIDCollection) []*vpcv1.SecurityGroupRulePrototype {
+	return []*vpcv1.SecurityGroupRulePrototype{
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(22623)),
+			PortMax: ptr.To(int64(22623)),
+		},
+	}
+}
+
+func (OpenShiftNet) GetRules(sgIDs SGIDCollection) []*vpcv1.SecurityGroupRulePrototype {
+	return []*vpcv1.SecurityGroupRulePrototype{
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("tcp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("udp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(4789)),
+			PortMax: ptr.To(int64(4789)),
+		},
+		{
+			Direction: ptr.To("inbound"),
+			Protocol:  ptr.To("udp"),
+			Remote: &vpcv1.SecurityGroupRuleRemotePrototypeSecurityGroupIdentitySecurityGroupIdentityByID{
+				ID: &sgIDs.ClusterWideSGID,
+			},
+			PortMin: ptr.To(int64(6081)),
+			PortMax: ptr.To(int64(6081)),
+		},
+	}
+}