diff --git a/IaC-test/securitygroups-k8s-dco.tf b/IaC-test/securitygroups-k8s-dco.tf
index 5f9f774..3d07b2e 100644
--- a/IaC-test/securitygroups-k8s-dco.tf
+++ b/IaC-test/securitygroups-k8s-dco.tf
@@ -98,6 +98,32 @@ resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_t
 # From STO4 to STO3
 #
+#Controllers
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_dco" {
+ count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
+ port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ provider = openstack.dco
+ remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
+ security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_dco" {
+ count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
+ port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ provider = openstack.dco
+ remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+ security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
+}
+
+# Workers
 resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_dco" {
 count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
 direction = "ingress"
diff --git a/IaC-test/securitygroups-k8s-sto3.tf b/IaC-test/securitygroups-k8s-sto3.tf
index 7f1d279..91e0a8b 100644
--- a/IaC-test/securitygroups-k8s-sto3.tf
+++ b/IaC-test/securitygroups-k8s-sto3.tf
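Review bot: Both new controller resources in the `securitygroups-k8s-dco.tf` hunk address their rules by position (`floor(count.index/length(...))` for the port, `count.index % length(...)` for the node), so adding or removing an entry in `var.k8sports` or a sto4 controller renumbers most instances and Terraform will replace firewall rules that did not actually change. While that churn is applied, inter-site cluster traffic can be dropped, and the plan stops showing which port or source address really changed, which makes a security-group review harder. Keying the rules with `for_each` on protocol, port and node index keeps each rule's address stable; a sketch for the IPv4 rule follows, assuming `var.k8sports` is a list of single-entry port-to-protocol maps as the indexing suggests. The same applies to the `..._sto4_to_sto3` resources in `securitygroups-k8s-sto3.tf`, and the worker rules visible as context use the same `count` pattern, so converting them together would keep the files consistent. Separately, the section header above the new block in the dco file still reads `# From STO4 to STO3` although these rules are `sto4_to_dco`.

```hcl
locals {
  # One entry per (port/protocol, sto4 controller) pair; the key stays stable
  # when ports or nodes are added or removed.
  controller_sto4_rules = {
    for pair in setproduct(var.k8sports, range(length(resource.openstack_compute_instance_v2.controller-nodes-sto4))) :
    "${values(pair[0])[0]}-${keys(pair[0])[0]}-${pair[1]}" => {
      port     = keys(pair[0])[0]
      protocol = values(pair[0])[0]
      node     = pair[1]
    }
  }
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_dco" {
  for_each         = local.controller_sto4_rules
  protocol         = each.value.protocol
  port_range_min   = each.value.port
  port_range_max   = each.value.port
  remote_ip_prefix = join("/", [resource.openstack_compute_instance_v2.controller-nodes-sto4[each.value.node].access_ip_v4, "32"])
  # … unchanged: direction, ethertype, provider, security_group_id …
}
```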
@@ -118,6 +118,33 @@ resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to
 # From STO4 to STO3
 #
+# Controllers
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_sto3" {
+ count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
+ port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ provider = openstack.sto3
+ remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
+ security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_sto3" {
+ count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
+ port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+ provider = openstack.sto3
+ remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+ security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+
+# Workers
 resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_sto3" {
 count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
 direction = "ingress"
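Review bot: The IPv6 `remote_ip_prefix` in `microk8s_controller_rule_v6_sto4_to_sto3` strips `[`, `]` and `'` from `access_ip_v6` and appends `128`, with no comment on why the stripping is needed and no check that an address is left afterwards. If a sto4 controller comes up without an IPv6 address, the expression would presumably evaluate to `/128`, so the problem only surfaces at apply time as a provider error instead of a clear message at plan time. I would add a comment such as `# access_ip_v6 is returned as "[addr]"; strip the brackets before appending /128` (wording to be confirmed against what the provider actually returns) and a `lifecycle` `precondition` asserting that the stripped value is non-empty. The same expression is used by `microk8s_controller_rule_v6_sto4_to_dco` in `securitygroups-k8s-dco.tf`.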