diff --git a/buildspec.yml b/buildspec.yml
index 1e19fd5..f5ba3bb 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -43,6 +43,7 @@ env:
 TF_VAR_enable_rds_servers_bastion: "/moj-network-access-control/$ENV/enable_rds_servers_bastion"
 TF_VAR_ocsp_dep_ip: "/moj-network-access-control/$ENV/ocsp_dep_ip"
 TF_VAR_ocsp_prs_ip: "/moj-network-access-control/$ENV/ocsp_prs_ip"
+TF_VAR_ocsp_dhl_ip: "/moj-network-access-control/$ENV/ocsp_dhl_ip"
 
 phases:
 install:
diff --git a/main.tf b/main.tf
index f1644c6..9089d6a 100644
--- a/main.tf
+++ b/main.tf
@@ -161,6 +161,7 @@ module "radius_vpc" {
 ssm_session_manager_endpoints = var.enable_rds_servers_bastion
 ocsp_dep_ip = var.ocsp_dep_ip
 ocsp_prs_ip = var.ocsp_prs_ip
+ocsp_dhl_ip = var.ocsp_dhl_ip
 
 providers = {
 aws = aws.env
diff --git a/modules/vpc/routes.tf b/modules/vpc/routes.tf
index c9f54ec..18f3909 100644
--- a/modules/vpc/routes.tf
+++ b/modules/vpc/routes.tf
@@ -87,6 +87,18 @@ resource "aws_route" "nat-gateway-public-ocsp-endpoint-2" {
 ]
 }
 
+resource "aws_route" "nat-gateway-public-ocsp-endpoint-3" {
+count = length(module.vpc.public_route_table_ids)
+
+route_table_id = split("_", local.public_table_id)[count.index]
+destination_cidr_block = "${var.ocsp_dhl_ip}/32"
+nat_gateway_id = aws_nat_gateway.eu_west_2c.id
+
+depends_on = [
+module.vpc
+]
+}
+
 resource "aws_nat_gateway" "eu_west_2c" {
 allocation_id = aws_eip.nat_eu_west_2c.id
 subnet_id = element(module.vpc.private_subnets, 2)
diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf
index 95775e6..734e09a 100644
--- a/modules/vpc/variables.tf
+++ b/modules/vpc/variables.tf
@@ -63,3 +63,7 @@ variable "ocsp_dep_ip" {
 variable "ocsp_prs_ip" {
 type = string
 }
+
+variable "ocsp_dhl_ip" {
+type = string
+}
diff --git a/scripts/aws_ssm_get_parameters.sh b/scripts/aws_ssm_get_parameters.sh
index ed63c58..cbdd511 100755
--- a/scripts/aws_ssm_get_parameters.sh
+++ b/scripts/aws_ssm_get_parameters.sh
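Review bot: `nat-gateway-public-ocsp-endpoint-3` is a third near-verbatim copy of the `-2` resource whose closing lines are visible above (and presumably a `-1` before it), differing only in which variable is interpolated into `destination_cidr_block`, and the numbered suffix says nothing about which responder the route serves. Collapsing the three into one resource keyed by responder would be cleaner, but because each already uses `count` over the public route tables it would need a flattened key per (responder, route table) plus `moved` blocks to avoid recreating the existing routes, so that is a separate change. For this commit a comment above the resource would at least make the intent readable, e.g. `# /32 egress route for the OCSP responder at var.ocsp_dhl_ip, via the eu-west-2c NAT gateway`. Note that the value reaches this line unvalidated, so an empty or malformed SSM value surfaces only as an apply-time error here rather than at plan time.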
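Review bot: `ocsp_dhl_ip` is declared as a bare `string` with no `description` and no `validation`, yet modules/vpc/routes.tf interpolates it directly into `"${var.ocsp_dhl_ip}/32"`, so a value that already carries a prefix length, an IPv6 address, or an empty string (what scripts/aws_ssm_get_parameters.sh yields when the SSM parameter is absent) is rejected only at apply time, after the plan has been reviewed and accepted. If the project's pinned Terraform version is 0.13 or later, a `validation` block rejects such values at plan time and documents the contract the route relies on. The same applies to the identical declaration added to the root variables.tf in this diff, and ideally to the existing `ocsp_dep_ip`/`ocsp_prs_ip` variables.
```hcl
variable "ocsp_dhl_ip" {
  type        = string
  description = "IPv4 address of the third OCSP responder; routed as a /32 via the eu-west-2c NAT gateway in routes.tf."

  validation {
    condition     = can(cidrnetmask("${var.ocsp_dhl_ip}/32"))
    error_message = "ocsp_dhl_ip must be a single IPv4 address without a prefix length."
  }
}
```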
@@ -42,6 +42,7 @@ export PARAM4=$(aws ssm get-parameters --region eu-west-2 --with-decryption --na
 "/moj-network-access-control/$ENV/enable_rds_servers_bastion" \
 "/moj-network-access-control/$ENV/ocsp_dep_ip" \
 "/moj-network-access-control/$ENV/ocsp_prs_ip" \
+"/moj-network-access-control/$ENV/ocsp_dhl_ip" \
 --query Parameters)
 
 declare -A parameters
@@ -84,3 +85,4 @@ parameters["enable_rds_servers_bastion"]="$(echo $PARAM4 | jq '.[] | select(.Nam
 parameters["enable_rds_admin_bastion"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("enable_rds_admin_bastion")) | .Value' --raw-output)"
 parameters["ocsp_dep_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("ocsp_dep_ip")) | .Value' --raw-output)"
 parameters["ocsp_prs_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("ocsp_prs_ip")) | .Value' --raw-output)"
+parameters["ocsp_dhl_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("ocsp_dhl_ip")) | .Value' --raw-output)"
diff --git a/variables.tf b/variables.tf
index 6132a39..ae48342 100644
--- a/variables.tf
+++ b/variables.tf
@@ -160,3 +160,7 @@ variable "allowed_ips" {
 variable "ocsp_prs_ip" {
 type = string
 }
+
+variable "ocsp_dhl_ip" {
+type = string
+}
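Review bot: The new `parameters["ocsp_dhl_ip"]` line gives no signal when the parameter does not yet exist in an environment: `aws ssm get-parameters` (the call extended in the first hunk, whose `export PARAM4=$(` opening sits outside that hunk) lists missing names under `InvalidParameters` instead of failing, `--query Parameters` discards that list, and the `jq` select then produces an empty string that Terraform later sees as the destination `"/32"`. A guard right after the assignment, `[ -n "${parameters[ocsp_dhl_ip]}" ] || { echo "ocsp_dhl_ip not found in SSM for $ENV" >&2; exit 1; }`, fails the build at the point where the cause is obvious. Separately, jq's `test("ocsp_dhl_ip")` is an unanchored regex; it is unique today, but `test("/ocsp_dhl_ip$")` keeps it so if a similarly named parameter is added later, and the same applies to the three existing selects above it.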