diff --git a/argocd-helm-charts/puppetserver/templates/ingressroutetcp.yaml b/argocd-helm-charts/puppetserver/templates/ingressroutetcp.yaml
index 49086716b..eb729d844 100644
--- a/argocd-helm-charts/puppetserver/templates/ingressroutetcp.yaml
+++ b/argocd-helm-charts/puppetserver/templates/ingressroutetcp.yaml
@@ -11,5 +11,12 @@ spec:
     services:
     - name: puppetserver-{{ .Values.customerid }}-puppet
       port: puppetserver
+  - match: HostSNI(`{{ .Values.customerid }}.puppetdb.obmondo.com`)
+    priority: 10
+    services:
+    - name: puppetserver-{{ .Values.customerid }}-puppetdb
+      port: pdb-https
+    middlewares:
+      - name: middleware-{{ .Values.customerid }}
   tls:
     passthrough: true
diff --git a/argocd-helm-charts/puppetserver/templates/middleware.yaml b/argocd-helm-charts/puppetserver/templates/middleware.yaml
new file mode 100644
index 000000000..420d66d81
--- /dev/null
+++ b/argocd-helm-charts/puppetserver/templates/middleware.yaml
@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: middleware-{{ .Values.customerid }}
+spec:
+  ipAllowList:
+    sourceRange:
+      - "135.181.21.167"
+      - "135.181.21.154"
+      - "135.181.21.153"
+      - "135.181.223.235"
+      - "65.21.130.86"
+      - "65.21.130.85"
+      - "78.46.72.21"
+      - "176.9.124.207"
+      - "85.10.211.48"
+      - "138.201.82.121"
+      - "138.201.224.126"
+      - "172.20.0.0/16"