diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 896580d3e5e8721e94c104be32b88475e085dc35..2cbc52f689c2e69f78c6dc3634b09e3726815981 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -112,6 +112,14 @@
       locations."/" = {
         proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
       };
+      locations."/metrics" = {
+        # Only allow our monitoringvpn subnet
+        extraConfig = ''
+          allow 172.23.23.0/24;
+          deny all;
+        '';
+        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
+      };
     };
   };