diff --git a/modules/gke/README.md b/modules/gke/README.md
index 1a1729c6..f672e052 100644
--- a/modules/gke/README.md
+++ b/modules/gke/README.md
@@ -29,15 +29,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_autoscaling"></a> [cluster\_autoscaling](#input\_cluster\_autoscaling) | Enabling of node auto-provisioning | `bool` | `false` | no |
-| <a name="input_cluster_autoscaling_cpu_limits"></a> [cluster\_autoscaling\_cpu\_limits](#input\_cluster\_autoscaling\_cpu\_limits) | cluster autoscaling cpu limits | <pre>object({<br/>    resource_type = optional(string, "cpu")<br/>    minimum       = optional(number, 4)<br/>    maximum       = optional(number, 10)<br/>  })</pre> | `{}` | no |
-| <a name="input_cluster_autoscaling_memory_limits"></a> [cluster\_autoscaling\_memory\_limits](#input\_cluster\_autoscaling\_memory\_limits) | cluster autoscaling memory limits | <pre>object({<br/>    resource_type = optional(string, "memory"),<br/>    minimum       = optional(number, 8)<br/>    maximum       = optional(number, 80)<br/>  })</pre> | `null` | no |
+| <a name="input_cluster_autoscaling_cpu_limits"></a> [cluster\_autoscaling\_cpu\_limits](#input\_cluster\_autoscaling\_cpu\_limits) | cluster autoscaling cpu limits | <pre>object({<br>    resource_type = optional(string, "cpu")<br>    minimum       = optional(number, 4)<br>    maximum       = optional(number, 10)<br>  })</pre> | `{}` | no |
+| <a name="input_cluster_autoscaling_memory_limits"></a> [cluster\_autoscaling\_memory\_limits](#input\_cluster\_autoscaling\_memory\_limits) | cluster autoscaling memory limits | <pre>object({<br>    resource_type = optional(string, "memory"),<br>    minimum       = optional(number, 8)<br>    maximum       = optional(number, 80)<br>  })</pre> | `null` | no |
 | <a name="input_cluster_autoscaling_profile"></a> [cluster\_autoscaling\_profile](#input\_cluster\_autoscaling\_profile) | cluster autoscaling profile | `string` | `null` | no |
-| <a name="input_cluster_autoscaling_provisioning_defaults"></a> [cluster\_autoscaling\_provisioning\_defaults](#input\_cluster\_autoscaling\_provisioning\_defaults) | cluster autoscaling provisioning defaults | <pre>object({<br/>    disk_size = optional(number, null)<br/>    disk_type = optional(string, null)<br/>    shielded_instance_config = optional(object({<br/>      enable_secure_boot          = optional(bool, null)<br/>      enable_integrity_monitoring = optional(bool, null)<br/>    }), null)<br/>    management = optional(object({<br/>      auto_upgrade = optional(bool, null)<br/>      auto_repair  = optional(bool, null)<br/>    }), null)<br/>  })</pre> | `null` | no |
+| <a name="input_cluster_autoscaling_provisioning_defaults"></a> [cluster\_autoscaling\_provisioning\_defaults](#input\_cluster\_autoscaling\_provisioning\_defaults) | cluster autoscaling provisioning defaults | <pre>object({<br>    disk_size = optional(number, null)<br>    disk_type = optional(string, null)<br>    shielded_instance_config = optional(object({<br>      enable_secure_boot          = optional(bool, null)<br>      enable_integrity_monitoring = optional(bool, null)<br>    }), null)<br>    management = optional(object({<br>      auto_upgrade = optional(bool, null)<br>      auto_repair  = optional(bool, null)<br>    }), null)<br>  })</pre> | `null` | no |
+| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Toggle to prevent accidental deletion of resources. | `bool` | `true` | no |
 | <a name="input_extra_roles"></a> [extra\_roles](#input\_extra\_roles) | Extra roles to add to the cluster's default service account | `map(string)` | `{}` | no |
 | <a name="input_master_ipv4_cidr_block"></a> [master\_ipv4\_cidr\_block](#input\_master\_ipv4\_cidr\_block) | If specified, will use this CIDR block for the master's IP address | `any` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | n/a | `any` | n/a | yes |
 | <a name="input_network"></a> [network](#input\_network) | n/a | `any` | n/a | yes |
-| <a name="input_pools"></a> [pools](#input\_pools) | n/a | <pre>map(object({<br/>    min_node_count                    = optional(number, 1)<br/>    max_node_count                    = optional(number, 1)<br/>    machine_type                      = optional(string, "c3-standard-4")<br/>    disk_type                         = optional(string, "pd-balanced")<br/>    disk_size                         = optional(number, 100)<br/>    ephemeral_storage_local_ssd_count = optional(number, 0)<br/>    spot                              = optional(bool, false)<br/>    gvisor                            = optional(bool, false)<br/>    labels                            = optional(map(string), {})<br/>    taints = optional(list(object({<br/>      key    = string<br/>      value  = string<br/>      effect = string<br/>    })), [])<br/>  }))</pre> | n/a | yes |
+| <a name="input_pools"></a> [pools](#input\_pools) | n/a | <pre>map(object({<br>    min_node_count                    = optional(number, 1)<br>    max_node_count                    = optional(number, 1)<br>    machine_type                      = optional(string, "c3-standard-4")<br>    disk_type                         = optional(string, "pd-balanced")<br>    disk_size                         = optional(number, 100)<br>    ephemeral_storage_local_ssd_count = optional(number, 0)<br>    spot                              = optional(bool, false)<br>    gvisor                            = optional(bool, false)<br>    labels                            = optional(map(string), {})<br>    taints = optional(list(object({<br>      key    = string<br>      value  = string<br>      effect = string<br>    })), [])<br>    network_config = optional(object({<br>      enable_private_nodes = optional(bool, false)<br>      create_pod_range     = optional(bool, true)<br>      pod_ipv4_cidr_block  = optional(string, "")<br>    }), null)<br>  }))</pre> | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | n/a | `any` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Always create a regional cluster since GKE doesn't charge differently for regional/zonal clusters. Rather, we configure the node locations using `var.zones` | `any` | n/a | yes |
 | <a name="input_release_channel"></a> [release\_channel](#input\_release\_channel) | GKE release channel | `string` | `"REGULAR"` | no |
diff --git a/modules/gke/main.tf b/modules/gke/main.tf
index 4a9a56ef..6417f434 100644
--- a/modules/gke/main.tf
+++ b/modules/gke/main.tf
@@ -52,6 +52,8 @@ resource "google_container_cluster" "this" {
   location       = var.region
   node_locations = var.zones
 
+  deletion_protection = var.deletion_protection
+
   enable_intranode_visibility = true
 
   remove_default_node_pool = true
@@ -190,6 +192,17 @@ resource "google_container_cluster" "this" {
   depends_on = [google_service_account.cluster_default]
 }
 
+locals {
+  # make a map of node pool names to network configs to set defaults if not provided
+  network_configs = {
+    for k, v in var.pools : k => v.network_config != null ? v.network_config : {
+      enable_private_nodes = false
+      create_pod_range     = true
+      pod_ipv4_cidr_block  = ""
+    }
+  }
+}
+
 resource "google_container_node_pool" "pools" {
   for_each = var.pools
   provider = google-beta
@@ -200,9 +213,9 @@ resource "google_container_node_pool" "pools" {
   location = google_container_cluster.this.location
 
   network_config {
-    enable_private_nodes = false
-    create_pod_range     = true
-    pod_ipv4_cidr_block  = null
+    enable_private_nodes = local.network_configs[each.key].enable_private_nodes
+    create_pod_range     = local.network_configs[each.key].create_pod_range
+    pod_ipv4_cidr_block  = local.network_configs[each.key].pod_ipv4_cidr_block
   }
 
   node_config {
diff --git a/modules/gke/variables.tf b/modules/gke/variables.tf
index 65259576..efd831eb 100644
--- a/modules/gke/variables.tf
+++ b/modules/gke/variables.tf
@@ -52,6 +52,11 @@ variable "pools" {
       value  = string
       effect = string
     })), [])
+    network_config = optional(object({
+      enable_private_nodes = optional(bool, false)
+      create_pod_range     = optional(bool, true)
+      pod_ipv4_cidr_block  = optional(string, "")
+    }), null)
   }))
 }
 
@@ -115,3 +120,9 @@ variable "cluster_autoscaling_profile" {
   default     = null
   description = "cluster autoscaling profile"
 }
+
+variable "deletion_protection" {
+  type        = bool
+  default     = true
+  description = "Toggle to prevent accidental deletion of resources."
+}