diff --git a/community/modules/network/private-service-access/README.md b/community/modules/network/private-service-access/README.md
index dd86be80f2..82cb34a429 100644
--- a/community/modules/network/private-service-access/README.md
+++ b/community/modules/network/private-service-access/README.md
@@ -88,6 +88,7 @@ No modules.
| Name | Description |
|------|-------------|
+| [cidr\_range](#output\_cidr\_range) | CIDR range of the created google\_compute\_global\_address |
| [connect\_mode](#output\_connect\_mode) | Services that use Private Service Access typically specify connect\_mode
"PRIVATE\_SERVICE\_ACCESS". This output value sets connect\_mode and additionally
blocks terraform actions until the VPC connection has been created. |
| [private\_vpc\_connection\_peering](#output\_private\_vpc\_connection\_peering) | The name of the VPC Network peering connection that was created by the service provider. |
| [reserved\_ip\_range](#output\_reserved\_ip\_range) | Named IP range to be used by services connected with Private Service Access. |
diff --git a/community/modules/network/private-service-access/outputs.tf b/community/modules/network/private-service-access/outputs.tf
index 3f3cc0c66a..296f2e9140 100644
--- a/community/modules/network/private-service-access/outputs.tf
+++ b/community/modules/network/private-service-access/outputs.tf
@@ -36,3 +36,8 @@ output "reserved_ip_range" {
description = "Named IP range to be used by services connected with Private Service Access."
value = google_compute_global_address.private_ip_alloc.name
}
+
+output "cidr_range" {
+ description = "CIDR range of the created google_compute_global_address"
+ value = "${google_compute_global_address.private_ip_alloc.address}/${google_compute_global_address.private_ip_alloc.prefix_length}"
+}
diff --git a/examples/gke-storage-parallelstore.yaml b/examples/gke-storage-parallelstore.yaml
index 9ffe737e83..fc69b9cfc1 100644
--- a/examples/gke-storage-parallelstore.yaml
+++ b/examples/gke-storage-parallelstore.yaml
@@ -45,6 +45,19 @@ deployment_groups:
- group: primary
modules:
+ # allow parallelstore connection
+ - id: parallelstore_firewall_rule
+ source: modules/network/firewall-rules
+ use: [network]
+ settings:
+ ingress_rules:
+ - name: $(vars.deployment_name)-allow-parallelstore-traffic
+ description: Allow parallelstore traffic
+ source_ranges:
+ - $(private_service_access.cidr_range)
+ allow:
+ - protocol: tcp
+
- id: gke_cluster
source: modules/scheduler/gke-cluster
use: [network]
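Review bot: The `allow` entry of the new `parallelstore_firewall_rule` sets only `protocol: tcp` with no `ports`, so every TCP port is opened to the whole `$(private_service_access.cidr_range)`. With no `target_tags` or `target_service_accounts` on the rule, it presumably applies to every instance in the network rather than only the GKE nodes that mount Parallelstore. That range is allocated to the service producer's peering, so other producer services sharing the reservation would get the same reach. Consider narrowing the rule to what Parallelstore needs, e.g. `ports: ["<PARALLELSTORE_PORTS>"]` (placeholder, take the values from the Parallelstore networking documentation) and `target_tags: ["<GKE_NODE_TAG>"]`. If the full range is intentional, extend the `# allow parallelstore connection` comment to say why, so that people copying this example do not inherit an unexplained broad rule.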
diff --git a/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml b/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml
index 1a6a5873cf..a51c8cebab 100644
--- a/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml
+++ b/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml
@@ -14,6 +14,7 @@
---
tags:
+- m.firewall-rules
- m.gke-cluster
- m.gke-job-template
- m.gke-node-pool