diff --git a/iac/lambda.tf b/iac/lambda.tf
index d99868d..db40815 100644
--- a/iac/lambda.tf
+++ b/iac/lambda.tf
@@ -31,8 +31,8 @@ resource "aws_lambda_function" "autoscaler" {
 filename = !local.use_s3_package ? data.archive_file.binary.output_path : null
 source_code_hash = !local.use_s3_package ? data.archive_file.binary.output_base64sha256 : null
- s3_bucket = local.use_s3_package ? var.autoscaler_s3_package.bucket : null
- s3_key = local.use_s3_package ? var.autoscaler_s3_package.key : null
+ s3_bucket = local.use_s3_package ? var.autoscaler_s3_package.bucket : null
+ s3_key = local.use_s3_package ? var.autoscaler_s3_package.key : null
 s3_object_version = local.use_s3_package ? var.autoscaler_s3_package.object_version : null
 function_name = local.function_name
@@ -42,6 +42,11 @@ resource "aws_lambda_function" "autoscaler" {
 architectures = [var.autoscaler_architecture == "amd64" ? "x86_64" : var.autoscaler_architecture]
 timeout = var.autoscaling_timeout
+ vpc_config {
+ subnet_ids = var.subnet_ids
+ security_group_ids = var.security_group_ids
+ }
+
 environment {
 variables = {
 AUTOSCALING_GROUP_ARN = var.autoscaling_group_arn
@@ -82,4 +87,4 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda" {
 resource "aws_cloudwatch_log_group" "log_group" {
 name = "/aws/lambda/${local.function_name}"
 retention_in_days = 7
-}
\ No newline at end of file
+}
diff --git a/iac/policy.tf b/iac/policy.tf
index d06e9e6..5e91971 100644
--- a/iac/policy.tf
+++ b/iac/policy.tf
@@ -45,6 +45,19 @@ data "aws_iam_policy_document" "autoscaler" {
 resources = ["*"]
 }
+ # Allow the Lambda to take actions on NetworkInterfaces
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:CreateNetworkInterface",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DescribeInstances",
+ "ec2:AttachNetworkInterface"
+ ]
+ resources = ["*"]
+ }
+
 # Allow the Lambda to read the secret from SSM Parameter Store.
 statement {
 effect = "Allow"
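Review bot: The new `vpc_config` block is emitted unconditionally, and with the `[""]` defaults added for `subnet_ids` and `security_group_ids` in the variables.tf hunk, every deployment that does not override them sends an empty-string subnet and security-group ID to the Lambda API, which will be rejected; the same defect applies to the second variables.tf hunk. Changing both defaults to `default = []` keeps the block as written but lets the AWS provider treat an empty `vpc_config` as unset, so existing non-VPC deployments keep working. Once the function is attached to a VPC it loses its default internet path, so reaching SSM, Autoscaling and the Spacelift endpoint needs a NAT gateway or VPC endpoints in the supplied subnets; a comment above the block such as `# Attaching to a VPC requires egress (NAT or VPC endpoints) to SSM, Autoscaling and the Spacelift API` would spare the next reader a failed invocation. The enclosing `aws_lambda_function` resource starts and ends outside the hunk.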
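Review bot: The new statement grants `ec2:AttachNetworkInterface` and `ec2:DescribeInstances` on `*`, which a VPC-attached Lambda does not use: the service creates, describes and deletes its own ENIs, and AWS's managed `AWSLambdaVPCAccessExecutionRole` policy covers that with Create/Describe/DeleteNetworkInterface, DescribeSubnets and Assign/UnassignPrivateIpAddresses. `AttachNetworkInterface` on every resource lets this execution role attach any ENI in the account to any instance, a write permission unrelated to autoscaling, so removing the `"ec2:DescribeInstances",` and `"ec2:AttachNetworkInterface"` lines and adding `"ec2:DescribeSubnets",` keeps the role at least privilege while matching the comment above the statement. The grant is also handed out even when no VPC configuration is supplied; a `dynamic "statement"` keyed on `length(var.subnet_ids) > 0` would keep ENI permissions off deployments that never attach to a VPC. The enclosing `aws_iam_policy_document` starts and ends outside the hunk.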
diff --git a/iac/variables.tf b/iac/variables.tf
index 5ff64aa..26740ff 100644
--- a/iac/variables.tf
+++ b/iac/variables.tf
@@ -29,7 +29,6 @@ variable "spacelift_api_key_secret" {
 variable "spacelift_api_key_endpoint" {
 type = string
 description = "Full URL of the Spacelift API endpoint to use, eg. https://demo.app.spacelift.io"
- default = null
 }
 variable "worker_pool_id" {
@@ -81,9 +80,22 @@ variable "region" {
 variable "autoscaler_s3_package" {
 type = object({
- bucket = string
- key = string
+ bucket = string
+ key = string
 object_version = optional(string)
 })
 description = "Configuration to retrieve autoscaler lambda package from s3 bucket"
+ default = null
+}
+
+variable "subnet_ids" {
+ type = list(string)
+ description = "optional subnet IDs to provide to the autoscaler VPC configuration"
+ default = [""]
+}
+
+variable "security_group_ids" {
+ type = list(string)
+ description = "optional security group IDs to provide to the autoscaler VPC configuration"
+ default = [""]
 }
\ No newline at end of file
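Review bot: Dropping `default = null` turns `spacelift_api_key_endpoint` into a required input, which breaks any existing caller of this module that relied on the default, and neither the description nor the commit message says so. If forcing an explicit endpoint is the intent, the description should state it, e.g. `description = "Full URL of the Spacelift API endpoint to use (required), eg. https://demo.app.spacelift.io"`, and a `validation` block with `condition = can(regex("^https://", var.spacelift_api_key_endpoint))` would reject a plain-HTTP or malformed endpoint at plan time rather than at first use.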
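Review bot: The descriptions of `subnet_ids` and `security_group_ids` call them optional but do not say that they must be supplied together (once either is set the Lambda API requires at least one subnet and one security group) or that attaching the function to a VPC removes its default internet path, and nothing validates the element format; the `[""]` defaults themselves are covered in the lambda.tf review note. A `validation` block with `condition = alltrue([for id in var.subnet_ids : can(regex("^subnet-", id))])` (and `^sg-` for the security groups) would reject empty strings and typos at plan time once the defaults are `[]`. The description could read `description = "Subnet IDs to place the autoscaler Lambda in; set together with security_group_ids, and make sure the subnets have egress (NAT or VPC endpoints) to SSM, Autoscaling and the Spacelift API"`, with the matching wording on `security_group_ids`.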