diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 3953b71e5a..c86440a74d 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -34,10 +34,14 @@ custom_rules: [
     '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
     '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
 
-    # only allow varnish from localhost
+    # allow varnish from localhost
     '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
     '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
 
+    # also allow varnish from internal for purge requests
+    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
     # Allow koschei.cloud to talk to the inbound fedmsg relay.
     '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
     # Allow jenkins.cloud to talk to the inbound fedmsg relay.
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index 1b8fef2de4..2520ff1d48 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -33,10 +33,14 @@ custom_rules: [
     '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
     '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
 
-    # only allow varnish from localhost
+    # allow varnish from localhost
     '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
     '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
 
+    # also allow varnish from internal for purge requests
+    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
     # Allow koschei.cloud to talk to the inbound fedmsg relay.
     '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
     # Allow jenkins.cloud to talk to the inbound fedmsg relay.