diff --git a/network/main.tf b/network/main.tf
index 1eae91a..00f3646 100644
--- a/network/main.tf
+++ b/network/main.tf
@@ -1,3 +1,22 @@
+locals {
+ sg_rule_list = flatten([
+ for sg_key, sg in var.security_groups : [
+ for idx, r in sg.rules : merge(r, {
+ sg_key = sg_key
+ uniq = "${sg_key}-${idx}"
+ })
+ ]
+ ])
+
+ flattened_sg_rules = { for r in local.sg_rule_list : r.uniq => r }
+
+ created_sg_ids = values(stackit_security_group.sg)[*].id
+ all_sg_ids = concat(
+ local.created_sg_ids,
+ var.nic_security_group_ids != null ? var.nic_security_group_ids : []
+ )
+}
+
 resource "stackit_network" "this" {
 project_id = var.project_id
 name = var.name
@@ -16,6 +35,30 @@ resource "stackit_network" "this" {
 routed = var.routed
 }
 
+resource "stackit_security_group" "sg" {
+ for_each = var.security_groups
+
+ project_id = var.project_id
+ name = each.value.name
+ description = each.value.description
+ labels = each.value.labels
+ stateful = each.value.stateful
+}
+
+resource "stackit_security_group_rule" "rule" {
+ for_each = local.flattened_sg_rules
+
+ project_id = var.project_id
+ security_group_id = stackit_security_group.sg[each.value.sg_key].id
+ direction = each.value.direction
+ description = each.value.description
+ ether_type = each.value.ether_type
+ ip_range = each.value.ip_range
+ protocol = each.value.protocol
+ port_range = each.value.port_range
+ remote_security_group_id = each.value.remote_security_group_id
+}
+
 resource "stackit_network_interface" "static" {
 count = var.nic_ipv4 == null ? 0 : 1
 
@@ -26,6 +69,6 @@ resource "stackit_network_interface" "static" {
 labels = var.nic_labels
 name = var.nic_name != null ? var.nic_name : "${var.name}-nic"
 security = var.nic_security
- security_group_ids = var.nic_security ? var.nic_security_group_ids : null
+ security_group_ids = var.nic_security ? local.all_sg_ids : null
 allowed_addresses = var.nic_security ? var.nic_allowed_addresses : null
 }
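Review bot: The rule key `uniq = "${sg_key}-${idx}"` in the new `locals` block is positional, so inserting or removing a rule in the middle of a group's `rules` list shifts the key of every rule after it, and Terraform will destroy and recreate those `stackit_security_group_rule.rule` instances (the resource in the next hunk consumes this key through `flattened_sg_rules`), leaving the group without those rules between the destroy and the create. A stable per-rule key — an explicit caller-supplied name folded into `uniq` in place of `idx`, or making `rules` a map inside `security_groups` — avoids the churn. At minimum the `security_groups` variable should state that rules are identified by list position, so callers know that reordering is not free.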
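Review bot: In `stackit_security_group_rule.rule`, `ip_range` and `remote_security_group_id` are both optional and passed straight through, so a rule that sets neither is accepted by the module; what the provider does with such a rule (reject it, or treat it as matching any address) is not visible from this diff. If the module's contract is that every rule names a source or destination, a `lifecycle { precondition { … } }` block with `condition = each.value.ip_range != null || each.value.remote_security_group_id != null` and a short `error_message` would fail the plan instead of leaving it to the provider default; otherwise the `security_groups` variable should say explicitly what omitting both means. The same applies to `stateful = each.value.stateful` on `stackit_security_group.sg`, which is null when the caller omits it and therefore takes whatever default the provider applies.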
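Review bot: The new `security_group_ids = var.nic_security ? local.all_sg_ids : null` attaches every group defined in `var.security_groups` to the static NIC, so a caller cannot create a group through this module without binding it to the interface, and the concatenation in `local.all_sg_ids` is not deduplicated against `var.nic_security_group_ids`. Consider `security_group_ids = var.nic_security ? distinct(local.all_sg_ids) : null` and, in the `security_groups` variable description, a sentence saying that all created groups are attached when `nic_security` is true. It is also worth noting there that with `nic_security = false` the groups and rules are still created but never applied to the interface, which is easy to mistake for an enforced policy.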
diff --git a/network/variables.tf b/network/variables.tf
index d41ef18..936f862 100644
--- a/network/variables.tf
+++ b/network/variables.tf
@@ -96,3 +96,28 @@ variable "nic_security_group_ids" {
 type = list(string)
 default = []
 }
+
+variable "security_groups" {
+ type = map(object({
+ name = string
+ description = optional(string)
+ labels = optional(map(string))
+ stateful = optional(bool)
+ rules = list(object({
+ description = optional(string)
+ direction = string
+ ether_type = optional(string)
+ ip_range = optional(string)
+ protocol = optional(object({
+ name = optional(string)
+ number = optional(number)
+ }))
+ port_range = optional(object({
+ min = number
+ max = number
+ }))
+ remote_security_group_id = optional(string)
+ }))
+ }))
+ default = {}
+}
\ No newline at end of file
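Review bot: `variable "security_groups"` has no `description` and no `validation` block, so nothing in the module checks the values before they reach the provider: `port_range.min`/`port_range.max` are unconstrained numbers and `direction` is a free string whose accepted values are defined by the provider and not visible here. A `description` stating that keys of the map name the groups and that each group's rules are identified by their position in `rules` would help callers, and a validation that every `port_range` has `min <= max` catches the most common mistake at plan time (a `direction` check would need the provider's accepted values, which this diff does not show). The validation uses a conditional rather than `||` so that `port_range == null` is never dereferenced; the error message below is a constructed example.

```hcl
variable "security_groups" {
  # … unchanged: type = map(object({ … })) …
  default = {}

  validation {
    condition = alltrue(flatten([
      for sg in var.security_groups : [
        for r in sg.rules : r.port_range == null ? true : r.port_range.min <= r.port_range.max
      ]
    ]))
    error_message = "security_groups: every port_range must have min <= max."
  }
}
```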