diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index ec28840a2857c621a22658efc14368e4c07aa5db..a44b465f7f293f9d70c369a076c30b6cf810924f 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -1,6 +1,8 @@
 { "publicStoragePort": 8898
 , "ristrettoSigningKeyPath": "./secrets/ristretto.signing-key"
 , "stripeSecretKeyPath": "./secrets/stripe.secret"
+, "monitoringvpnKeyDir": "./secrets/monitoringvpn"
+, "monitoringvpnEndpoint": "monitoring.privatestorage-staging.com:51820"
 , "passValue": 1000000
 , "issuerDomains": [
     "payments.privatestorage-staging.com"
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 065cd5faa5a5e90a657d1fd1a38e79266e6b6475..e31a28f2eb7817f393f4e8b6b71972b7fd2f79f1 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -7,19 +7,48 @@ import ../../lib/make-grid.nix {
   nodes = cfg:
   let
     sshUsers = import ./secrets/users.nix;
+
+    # Get absolute vpn key directory path, as a string:
+    monitoringvpnKeyDir = toString ./. + "/${cfg.monitoringvpnKeyDir}";
+
+    # TBD: derive these automatically:
+    hostsMap = {
+      "172.23.23.1"  = [ "monitoring" "monitoring.monitoringvpn" ];
+      "172.23.23.11" = [ "payments"   "payments.monitoringvpn"   ];
+      "172.23.23.12" = [ "storage001" "storage001.monitoringvpn" ];
+    };
+    vpnClientIPs = [ "172.23.23.11" "172.23.23.12" ];
+    nodeExporterTargets = [ "monitoring" "payments" "storage001" ];
+
   in {
-    "payments" = import ../../lib/make-issuer.nix ({
+    "payments" = import ../../lib/make-issuer.nix (cfg // {
       publicIPv4 = "18.194.183.13";
+      monitoringvpnIPv4 = "172.23.23.11";
+      inherit monitoringvpnKeyDir;
       inherit sshUsers;
       hardware = ../../lib/issuer-aws.nix;
       stateVersion = "19.03";
-    } // cfg);
+    });
 
     "storage001" = import ../../lib/make-testing.nix (cfg // {
       publicIPv4 = "3.120.26.190";
+      monitoringvpnIPv4 = "172.23.23.12";
+      inherit monitoringvpnKeyDir;
       inherit sshUsers;
       hardware = ./testing001-hardware.nix;
       stateVersion = "19.03";
     });
+
+    "monitoring" = import ../../lib/make-monitoring.nix (cfg // {
+      publicIPv4 = "18.156.171.217";
+      monitoringvpnIPv4 = "172.23.23.1";
+      inherit monitoringvpnKeyDir;
+      inherit vpnClientIPs;
+      inherit hostsMap;
+      inherit nodeExporterTargets;
+      hardware = ../../lib/issuer-aws.nix;
+      stateVersion = "19.09";
+      inherit sshUsers;
+    });
   };
 }