diff --git a/examples/internal-lb-cloud-run/main.tf b/examples/internal-lb-cloud-run/main.tf
index 4a84ac81..8b47d1a3 100644
--- a/examples/internal-lb-cloud-run/main.tf
+++ b/examples/internal-lb-cloud-run/main.tf
@@ -119,11 +119,11 @@ module "internal-lb-http-frontend" {
   internal_forwarding_rules_config = [
     {
       "region" : "us-east1",
-      "subnetwork" : module.internal-lb-subnet.subnets["us-east1/int-lb-subnet-a"].id
+      "subnetwork" : module.internal-lb-subnet.subnets["us-east1/int-lb-subnet-a"].id,
     },
     {
       "region" : "us-south1",
-      "subnetwork" : module.internal-lb-subnet.subnets["us-south1/int-lb-subnet-b"].id
+      "subnetwork" : module.internal-lb-subnet.subnets["us-south1/int-lb-subnet-b"].id,
     }
   ]
 }
diff --git a/modules/frontend/README.md b/modules/frontend/README.md
index d32eb9c7..881cb181 100644
--- a/modules/frontend/README.md
+++ b/modules/frontend/README.md
@@ -19,7 +19,7 @@ This module creates `HTTP(S) forwarding rule` and its dependencies. This modules
 | http\_port | The port for the HTTP load balancer | `number` | `80` | no |
 | https\_port | The port for the HTTPS load balancer | `number` | `443` | no |
 | https\_redirect | Set to `true` to enable https redirect on the lb. | `bool` | `false` | no |
-| internal\_forwarding\_rules\_config | List of internal managed forwarding rules config. One of 'address' or 'subnetwork' is required for each. It is only applicable for internal load balancer |
list(object({
region = string
address = optional(string)
subnetwork = optional(string)
}))
| `[]` | no |
+| internal\_forwarding\_rules\_config | List of internal managed forwarding rules config. One of 'address' or 'subnetwork' is required for each. If 'create\_proxy\_only\_subnet' is true, 'proxy\_only\_subnet\_ip' is required. It is only applicable for internal load balancer. |
list(object({
region = string
address = optional(string)
subnetwork = optional(string)
create_proxy_only_subnet = optional(bool, false)
proxy_only_subnet_ip = optional(string, "10.127.0.0/23")
}))
| `[]` | no |
 | ipv6\_address | An existing IPv6 address to use (the actual IP address value) | `string` | `null` | no |
 | labels | The labels to attach to resources created by this module | `map(string)` | `{}` | no |
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no |
diff --git a/modules/frontend/main.tf b/modules/frontend/main.tf
index de2983b7..2fb87ce6 100644
--- a/modules/frontend/main.tf
+++ b/modules/frontend/main.tf
@@ -43,6 +43,22 @@ locals {
   first_backend_service = try(local.backend_services_by_host[local.first_host][local.first_path], null)
 }
 
+resource "google_compute_subnetwork" "proxy_only" {
+  for_each = {
+    for index, config in var.internal_forwarding_rules_config : config.region => config
+    if config.create_proxy_only_subnet == true
+  }
+
+  name          = "${var.name}-proxy-only-subnet-${each.key}"
+  ip_cidr_range = each.value.proxy_only_subnet_ip
+  network       = var.network
+  purpose       = "GLOBAL_MANAGED_PROXY"
+  region        = each.value.region
+  project       = var.project_id
+  role          = "ACTIVE"
+}
+
+
 ### IPv4 block ###
 resource "google_compute_global_forwarding_rule" "http" {
   provider = google-beta
@@ -72,6 +88,7 @@ resource "google_compute_global_forwarding_rule" "internal_managed_http" {
   network    = local.internal_network
   subnetwork = each.value.subnetwork
   ip_address = each.value.address
+  depends_on = [google_compute_subnetwork.proxy_only]
 }
 
 resource "google_compute_global_forwarding_rule" "https" {
@@ -102,6 +119,7 @@ resource "google_compute_global_forwarding_rule" "internal_managed_https" {
   network    = local.internal_network
   subnetwork = each.value.subnetwork
   ip_address = each.value.address
+  depends_on = [google_compute_subnetwork.proxy_only]
 }
 
 resource "google_compute_global_address" "default" {
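Review bot: The `for_each` map in the new `proxy_only` resource keys on `config.region`, so two entries of `internal_forwarding_rules_config` in the same region that both set `create_proxy_only_subnet = true` produce a duplicate key and `terraform plan` aborts with a "two different items produced the key" error, even though one proxy-only subnet per region is exactly what is wanted. A related trap: `proxy_only_subnet_ip` defaults to `10.127.0.0/23` for every region, so enabling the flag in two regions without overriding the CIDR requests two subnets with the same range in one VPC, which the API rejects only at apply time. Grouping by region with the `...` form and taking the first entry removes the first failure; the second should at least be called out next to `ip_cidr_range`, e.g. `# default CIDR is shared across regions; callers must set a distinct proxy_only_subnet_ip per region`. The `depends_on` additions in the two forwarding-rule hunks below are fine as written since the subnet must exist before an INTERNAL_MANAGED rule is created.
```hcl
resource "google_compute_subnetwork" "proxy_only" {
  # One proxy-only subnet per region: group the rules by region so several
  # entries for the same region share a subnet instead of colliding on the key.
  for_each = {
    for region, configs in {
      for config in var.internal_forwarding_rules_config : config.region => config...
      if config.create_proxy_only_subnet
    } : region => configs[0]
  }

  # … unchanged: name, ip_cidr_range, network, purpose, region, project, role …
}
```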
@@ -142,6 +160,7 @@ resource "google_compute_global_forwarding_rule" "internal_managed_http_ipv6" {
   load_balancing_scheme = var.load_balancing_scheme
   subnetwork            = each.value.subnetwork
   ip_address            = each.value.address
+  depends_on            = [google_compute_subnetwork.proxy_only]
 }
 
 resource "google_compute_global_forwarding_rule" "https_ipv6" {
@@ -171,6 +190,7 @@ resource "google_compute_global_forwarding_rule" "internal_managed_https_ipv6" {
   load_balancing_scheme = var.load_balancing_scheme
   subnetwork            = each.value.subnetwork
   ip_address            = each.value.address
+  depends_on            = [google_compute_subnetwork.proxy_only]
 }
 
 resource "google_compute_global_address" "default_ipv6" {
diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml
index 1fa724d1..4f1f8698 100644
--- a/modules/frontend/metadata.yaml
+++ b/modules/frontend/metadata.yaml
@@ -190,12 +190,14 @@ spec:
         description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).
         varType: number
       - name: internal_forwarding_rules_config
-        description: List of internal managed forwarding rules config. One of 'address' or 'subnetwork' is required for each. It is only applicable for internal load balancer
+        description: List of internal managed forwarding rules config. One of 'address' or 'subnetwork' is required for each. If 'create_proxy_only_subnet' is true, 'proxy_only_subnet_ip' is required. It is only applicable for internal load balancer.
         varType: |-
           list(object({
-            region = string
-            address = optional(string)
-            subnetwork = optional(string)
+            region = string
+            address = optional(string)
+            subnetwork = optional(string)
+            create_proxy_only_subnet = optional(bool, false)
+            proxy_only_subnet_ip = optional(string, "10.127.0.0/23")
           }))
         defaultValue: []
       outputs:
diff --git a/modules/frontend/variables.tf b/modules/frontend/variables.tf
index 664b458a..83fd9c21 100644
--- a/modules/frontend/variables.tf
+++ b/modules/frontend/variables.tf
@@ -200,11 +200,20 @@ variable "http_keep_alive_timeout_sec" {
 }
 
 variable "internal_forwarding_rules_config" {
-  description = "List of internal managed forwarding rules config. One of 'address' or 'subnetwork' is required for each. It is only applicable for internal load balancer"
+  description = "List of internal managed forwarding rules config. One of 'address' or 'subnetwork' is required for each. If 'create_proxy_only_subnet' is true, 'proxy_only_subnet_ip' is required. It is only applicable for internal load balancer."
   type = list(object({
-    region = string
-    address = optional(string)
-    subnetwork = optional(string)
+    region = string
+    address = optional(string)
+    subnetwork = optional(string)
+    create_proxy_only_subnet = optional(bool, false)
+    proxy_only_subnet_ip = optional(string, "10.127.0.0/23")
   }))
   default = []
+  validation {
+    condition = alltrue([
+      for rule in var.internal_forwarding_rules_config :
+      rule.address != null || rule.subnetwork != null
+    ])
+    error_message = "Each internal forwarding rule config must specify either 'address' or 'subnetwork'."
+  }
 }
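Review bot: The new `validation` block only covers the pre-existing `address`/`subnetwork` rule; `proxy_only_subnet_ip` is consumed verbatim as a subnet's `ip_cidr_range`, so a typo or a non-CIDR value is only caught by the API partway through an apply, after the forwarding rules have already been planned against it. The updated description also states that `proxy_only_subnet_ip` is required when `create_proxy_only_subnet` is true, yet the attribute carries a default of `10.127.0.0/23`, so it is never actually required and the sentence misleads callers into thinking omission fails fast; suggest `If 'create_proxy_only_subnet' is true, a proxy-only subnet is created in that region using 'proxy_only_subnet_ip' (default 10.127.0.0/23); override it per region so the ranges do not overlap within the VPC.` A second validation block that checks `can(cidrhost(rule.proxy_only_subnet_ip, 0))` whenever the flag is set surfaces the malformed-CIDR case at plan time, and `cidrhost` accepts both IPv4 and IPv6 prefixes.
```hcl
  validation {
    condition = alltrue([
      for rule in var.internal_forwarding_rules_config :
      !rule.create_proxy_only_subnet || can(cidrhost(rule.proxy_only_subnet_ip, 0))
    ])
    error_message = "'proxy_only_subnet_ip' must be a valid CIDR block when 'create_proxy_only_subnet' is true."
  }
```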