diff --git a/api/v1alpha1/drupalsite_types.go b/api/v1alpha1/drupalsite_types.go
index e0f19205a9c244c306bcb8cc842984bb44d05d25..1454def94f96bbecbdba2c3772c835104ee040ec 100644
--- a/api/v1alpha1/drupalsite_types.go
+++ b/api/v1alpha1/drupalsite_types.go
@@ -118,6 +118,11 @@ type Configuration struct {
 	// +kubebuilder:validation:Enum:=enable
 	// +optional
 	Easystart string `json:"easystart,omitempty"`
+
+	//Visibility when "cern", only accessible within cern network
+	// +kubebuilder:validation:Enum:=cern
+	// +optional
+	Visibility string `json:"visibility,omitempty"`
 }
 
 // ExtraConfigurationRepository injects the composer project and other supported configuration from a git repository
diff --git a/config/crd/bases/drupal.webservices.cern.ch_drupalsites.yaml b/config/crd/bases/drupal.webservices.cern.ch_drupalsites.yaml
index ef30065e43cda0bbef1e3a1399c36ba83e96b988..8ed1c4b921fcd3cd8a92152b618c77aa0e35c2f7 100644
--- a/config/crd/bases/drupal.webservices.cern.ch_drupalsites.yaml
+++ b/config/crd/bases/drupal.webservices.cern.ch_drupalsites.yaml
@@ -110,6 +110,12 @@ spec:
                     - enabled
                     - disabled
                     type: string
+                  visibility:
+                    description: Visibility when "cern", only accessible within cern
+                      network
+                    enum:
+                    - cern
+                    type: string
                   webDAVPassword:
                     description: WebDAVPassword sets the HTTP basic auth password
                       for WebDAV file access. A default is auto-generated if a value
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 6a563aa636a1ce24df9ad196f8fa1c68bb54fb88..e7da12fc6be4fe4c6589751eb819d9efc82a608c 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -60,6 +60,9 @@ const (
 	webDAVDefaultLogin string = "admin"
 	// Variable to set the used Memory for all Jobs generated by the Operator
 	jobMemoryRequest string = "512Mi"
+
+	//Variable used to define set of CERN IP-Addresses
+	CernIPAddresses string = "2001:1458::/32 2001:1459::/32 FD01:1458::/32 FD01:1459::/32 10.0.0.0/8 100.64.0.0/10 128.141.0.0/16 128.142.0.0/16 137.138.0.0/16 172.16.0.0/12 188.184.0.0/15 192.16.155.0/24 192.16.165.0/24 192.91.242.0/24 192.168.0.0/16 194.12.128.0/18"
 )
 
 var (
@@ -1259,7 +1262,13 @@ func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalS
 
 	if _, exists := d.Annotations["haproxy.router.openshift.io/ip_whitelist"]; exists {
 		currentobject.Annotations["haproxy.router.openshift.io/ip_whitelist"] = d.Annotations["haproxy.router.openshift.io/ip_whitelist"]
+
+	} else if d.Spec.Configuration.Visibility == "cern" {
+		currentobject.Annotations["haproxy.router.openshift.io/ip_whitelist"] = CernIPAddresses
+	} else {
+		currentobject.Annotations["haproxy.router.openshift.io/ip_whitelist"] = ""
 	}
+
 	// Set timeout to 60sec: https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/642
 	currentobject.Annotations["haproxy.router.openshift.io/timeout"] = "200s"
 	currentobject.Spec.Host = Url