diff --git a/src/batch/data-rules.js b/src/batch/data-rules.js
index 241e38969..38f8bb7ef 100644
--- a/src/batch/data-rules.js
+++ b/src/batch/data-rules.js
@@ -429,6 +429,7 @@ const metadata = {
         type: 'enum',
         values: [
           'public',
+          'protected-externally',
           'authorization-code',
           'client-credentials',
           'kong-acl-only',
diff --git a/src/controllers/v2/openapi.yaml b/src/controllers/v2/openapi.yaml
index 306e8d3ac..06cbe5a6a 100644
--- a/src/controllers/v2/openapi.yaml
+++ b/src/controllers/v2/openapi.yaml
@@ -578,6 +578,7 @@ components:
                     type: string
                     enum:
                         - public
+                        - protected-externally
                         - authorization-code
                         - client-credentials
                         - kong-acl-only
diff --git a/src/controllers/v2/routes.ts b/src/controllers/v2/routes.ts
index 9f05c5aee..46048762e 100644
--- a/src/controllers/v2/routes.ts
+++ b/src/controllers/v2/routes.ts
@@ -379,7 +379,7 @@ const models: TsoaRoute.Models = {
             "name": {"dataType":"union","subSchemas":[{"dataType":"enum","enums":["dev"]},{"dataType":"enum","enums":["test"]},{"dataType":"enum","enums":["prod"]},{"dataType":"enum","enums":["sandbox"]},{"dataType":"enum","enums":["other"]}]},
             "active": {"dataType":"boolean"},
             "approval": {"dataType":"boolean"},
-            "flow": {"dataType":"union","subSchemas":[{"dataType":"enum","enums":["public"]},{"dataType":"enum","enums":["authorization-code"]},{"dataType":"enum","enums":["client-credentials"]},{"dataType":"enum","enums":["kong-acl-only"]},{"dataType":"enum","enums":["kong-api-key-only"]},{"dataType":"enum","enums":["kong-api-key-acl"]}]},
+            "flow": {"dataType":"union","subSchemas":[{"dataType":"enum","enums":["public"]},{"dataType":"enum","enums":["protected-externally"]},{"dataType":"enum","enums":["authorization-code"]},{"dataType":"enum","enums":["client-credentials"]},{"dataType":"enum","enums":["kong-acl-only"]},{"dataType":"enum","enums":["kong-api-key-only"]},{"dataType":"enum","enums":["kong-api-key-acl"]}]},
             "additionalDetailsToRequest": {"dataType":"string"},
             "services": {"dataType":"array","array":{"dataType":"refAlias","ref":"GatewayServiceRefID"}},
             "legal": {"ref":"LegalRefID"},
diff --git a/src/controllers/v2/types.ts b/src/controllers/v2/types.ts
index 366bbdbfb..e8a3b9bdc 100644
--- a/src/controllers/v2/types.ts
+++ b/src/controllers/v2/types.ts
@@ -299,7 +299,7 @@ export interface Environment {
   name?: "dev" | "test" | "prod" | "sandbox" | "other";
   active?: boolean;
   approval?: boolean;
-  flow?: "public" | "authorization-code" | "client-credentials" | "kong-acl-only" | "kong-api-key-only" | "kong-api-key-acl";
+  flow?: "public" | "protected-externally" | "authorization-code" | "client-credentials" | "kong-acl-only" | "kong-api-key-only" | "kong-api-key-acl";
   additionalDetailsToRequest?: string;
   services?: GatewayServiceRefID[];
   legal?: LegalRefID;
diff --git a/src/lists/Environment.js b/src/lists/Environment.js
index 7e16dea28..7f2f4052a 100644
--- a/src/lists/Environment.js
+++ b/src/lists/Environment.js
@@ -51,6 +51,7 @@ module.exports = {
       defaultValue: 'public',
       options: [
         { value: 'public', label: 'Public' },
+        { value: 'protected-externally', label: 'Protected Externally' },
         {
           value: 'authorization-code',
           label: 'Oauth2 Authorization Code Flow',
diff --git a/src/nextapp/components/api-product-item/api-product-item.tsx b/src/nextapp/components/api-product-item/api-product-item.tsx
index 8cdf7cbd4..ccc35037f 100644
--- a/src/nextapp/components/api-product-item/api-product-item.tsx
+++ b/src/nextapp/components/api-product-item/api-product-item.tsx
@@ -38,7 +38,10 @@ const ApiProductItem: React.FC<ApiProductItemProps> = ({
   id,
   preview,
 }) => {
-  const isProtected = data.environments.some((e) => e.flow !== 'public');
+  const isPublic = data.environments.some((e) => e.flow === 'public');
+  const isGatewayProtected = data.environments.some(
+    (e) => e.flow !== 'public' && e.flow !== 'protected-externally'
+  );
   const isTiered = data.environments.some((e) => e.anonymous);
 
   return (
@@ -49,7 +52,7 @@ const ApiProductItem: React.FC<ApiProductItemProps> = ({
             <Flex align="center" mb={2}>
               <Flex align="center" width={8}>
                 <Icon
-                  as={!isProtected || isTiered ? RiEarthFill : FaLock}
+                  as={isPublic || isTiered ? RiEarthFill : FaLock}
                   color="bc-blue"
                   boxSize="5"
                 />
@@ -63,7 +66,7 @@ const ApiProductItem: React.FC<ApiProductItemProps> = ({
             )}
           </GridItem>
         </Grid>
-        {!isTiered && isProtected && (
+        {!isTiered && isGatewayProtected && (
           <AccessRequestForm
             disabled={false}
             id={id}
diff --git a/src/nextapp/components/environment-edit/authorization-flow.tsx b/src/nextapp/components/environment-edit/authorization-flow.tsx
index 88481581a..c4a1421f0 100644
--- a/src/nextapp/components/environment-edit/authorization-flow.tsx
+++ b/src/nextapp/components/environment-edit/authorization-flow.tsx
@@ -182,4 +182,5 @@ const flowTypes: { value: string; label: string }[] = [
   { value: 'kong-acl-only', label: 'Kong ACL Only' },
   { value: 'kong-api-key-only', label: 'Kong API Key Only' },
   { value: 'kong-api-key-acl', label: 'Kong API Key with ACL Flow' },
+  { value: 'protected-externally', label: 'Protected Externally' },
 ];
diff --git a/src/nextapp/shared/services/utils.ts b/src/nextapp/shared/services/utils.ts
index 3af440537..895a59084 100644
--- a/src/nextapp/shared/services/utils.ts
+++ b/src/nextapp/shared/services/utils.ts
@@ -39,6 +39,7 @@ export const getAuthToken = (method: string): IconType => {
 export const getFlowText = (key: string): string => {
   const dict = {
     public: 'Public',
+    'protected-externally': 'Protected Externally',
     'authorization-code': 'OAuth2 Authorization Code Flow',
     'client-credentials': 'OAuth2 Client Credentials Flow',
     'kong-acl-only': 'Kong ACL Only',