diff --git a/.github/workflows/cd.infra.yaml b/.github/workflows/cd.infra.yaml
index 26b1a7f..8d8b0f2 100644
--- a/.github/workflows/cd.infra.yaml
+++ b/.github/workflows/cd.infra.yaml
@@ -5,6 +5,8 @@ on:
 paths:
 - infra/**
 - .github/workflows/ci.infra.yaml
+ branches:
+ - main
 env:
 GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.GCP_CD }}
diff --git a/infra/app/main.tf b/infra/app/main.tf
index cdc8e4e..eeb7c2b 100644
--- a/infra/app/main.tf
+++ b/infra/app/main.tf
@@ -13,6 +13,10 @@ provider "google" {
 region = var.region
 }
+provider "google-beta" {
+ project = var.project
+}
+
 data "google_client_config" "current" { }
@@ -24,4 +28,3 @@ locals {
 voting_tag = var.app_versions["voting_api"]
 voting_image = "${local.image_base}voting_api:${local.voting_tag}"
 }
-
diff --git a/infra/app/networking.tf b/infra/app/networking.tf
new file mode 100644
index 0000000..651d2b5
--- /dev/null
+++ b/infra/app/networking.tf
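Review bot: The added `branches:` / `- main` filter confines this deploy to main only if the enclosing event is `push`; the event key sits above the hunk, and under `pull_request` the same filter matches the base branch, so a same-repository PR targeting main would run this workflow with `secrets.GCP_CD` in its environment. A comment on the filter would record the intent, for example `# deploy trigger: pushes to main only, keeps GCP_CD away from feature branches`. The path filter in the context lines names `ci.infra.yaml` while this file is `cd.infra.yaml`, so edits to the deploy workflow itself may not trigger it; worth confirming that is intended.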
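Review bot: The new `provider "google-beta"` block in infra/app/main.tf sets only `project`, while the `google` provider whose tail is visible just above it also sets `region = var.region`. The NEG added in networking.tf passes `region` explicitly, so nothing breaks today, but a later beta resource that relies on the provider default would have none. Adding `region = var.region` to the block keeps the two providers aligned. No `required_providers` entry for google-beta is visible in this diff; if none exists elsewhere, the provider version is unpinned.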
@@ -0,0 +1,55 @@
+module "lb-http" {
+ source = "terraform-google-modules/lb-http/google//modules/serverless_negs"
+ version = "~> 9.0"
+
+ name = "artist"
+ project = var.project
+
+ ssl = var.ssl
+ managed_ssl_certificate_domains = [var.domain]
+ https_redirect = var.ssl
+
+ backends = {
+ default = {
+ description = null
+ groups = [
+ {
+ group = google_compute_region_network_endpoint_group.serverless_neg.id
+ }
+ ]
+ enable_cdn = false
+
+ iap_config = {
+ enable = false
+ }
+ log_config = {
+ enable = false
+ }
+ }
+ }
+}
+
+resource "google_compute_region_network_endpoint_group" "serverless_neg" {
+ provider = google-beta
+ name = "serverless-neg"
+ network_endpoint_type = "SERVERLESS"
+ region = var.region
+ cloud_run {
+ service = data.google_cloud_run_service.client.name
+ }
+}
+
+
+data "google_cloud_run_service" "client" {
+ name = "client"
+ location = var.region
+ project = var.project
+}
+
+resource "google_cloud_run_service_iam_member" "public-access" {
+ location = data.google_cloud_run_service.client.location
+ project = data.google_cloud_run_service.client.project
+ service = data.google_cloud_run_service.client.name
+ role = "roles/run.invoker"
+ member = "allUsers"
+}
diff --git a/infra/app/variables.tf b/infra/app/variables.tf
index ee86f06..c93300f 100644
--- a/infra/app/variables.tf
+++ b/infra/app/variables.tf
@@ -1,3 +1,18 @@
+variable "app_versions" {
+ type = map(string)
+ default = {
+ client : "0.1.0",
+ voting_api : "0.1.1",
+ painter_api : "0.1.0",
+ }
+
+}
+
+variable "domain" {
+ type = string
+ default = "kmdcodes.com"
+}
+
 variable "project" {
 type = string
 default = "artist-2d"
@@ -8,12 +23,7 @@ variable "region" {
 default = "us-west1"
 }
-variable "app_versions" {
- type = map(string)
- default = {
- client : "0.1.0",
- voting_api : "0.1.1",
- painter_api : "0.1.0",
- }
-
+variable "ssl" {
+ type = bool
+ default = true
 }
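Review bot: `google_cloud_run_service_iam_member.public-access` grants `roles/run.invoker` to `allUsers`, and nothing in this file restricts the service's ingress, so the `client` service presumably stays reachable on its default Cloud Run URL as well as through the new load balancer. Requests that go direct bypass whatever is enforced or recorded at the load balancer, now or later. The service is only read through a data source here, so the ingress restriction (the `run.googleapis.com/ingress` annotation set to `internal-and-cloud-load-balancing`) would have to be applied where the service is defined. Separately, the backend's `log_config` has `enable = false`, which leaves no load-balancer request logs for a public endpoint; `enable = true` with a `sample_rate` would give incident response something to work from.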
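Review bot: The new `domain` and `ssl` variables in infra/app/variables.tf (the first hunk and the second) carry no `description`, and `ssl` is security-relevant: networking.tf feeds it to both `ssl` and `https_redirect`, so setting it to false serves the site over plain HTTP with no redirect. I would add `description = "Serve HTTPS with a managed certificate and redirect HTTP; disable only in throwaway test environments"` to `ssl` and a one-line description to `domain`. The `app_versions` block is moved unchanged and keeps a stray blank line before its closing brace.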