diff --git a/.changelog/14905.txt b/.changelog/14905.txt new file mode 100644 index 000000000000..55bc3a980016 --- /dev/null +++ b/.changelog/14905.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_light_instance_public_ports: Add `cidrs` argument to `port_info` +``` \ No newline at end of file diff --git a/aws/resource_aws_lightsail_instance_public_ports.go b/aws/resource_aws_lightsail_instance_public_ports.go index 5116ce73b222..4531f19dd9d0 100644 --- a/aws/resource_aws_lightsail_instance_public_ports.go +++ b/aws/resource_aws_lightsail_instance_public_ports.go @@ -33,6 +33,15 @@ func resourceAwsLightsailInstancePublicPorts() *schema.Resource { MinItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "cidrs": { + Type: schema.TypeSet, + Optional: true, + Computed: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: validateCIDRNetworkAddress, + }, + }, "from_port": { Type: schema.TypeInt, Required: true, @@ -152,6 +161,10 @@ func expandLightsailPortInfo(tfMap map[string]interface{}) *lightsail.PortInfo { Protocol: aws.String(tfMap["protocol"].(string)), } + if v, ok := tfMap["cidrs"].(*schema.Set); ok && v.Len() > 0 { + apiObject.Cidrs = expandStringSet(v) + } + return apiObject } @@ -192,6 +205,10 @@ func flattenLightsailInstancePortState(apiObject *lightsail.InstancePortState) m tfMap["to_port"] = aws.Int64Value(apiObject.ToPort) tfMap["protocol"] = aws.StringValue(apiObject.Protocol) + if v := apiObject.Cidrs; v != nil { + tfMap["cidrs"] = aws.StringValueSlice(v) + } + return tfMap } diff --git a/aws/resource_aws_lightsail_instance_public_ports_test.go b/aws/resource_aws_lightsail_instance_public_ports_test.go index d22363706e16..ac152a39cba3 100644 --- a/aws/resource_aws_lightsail_instance_public_ports_test.go +++ b/aws/resource_aws_lightsail_instance_public_ports_test.go 
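Review bot: The element validator on the new `cidrs` set in the `port_info` schema is `validateCIDRNetworkAddress`, which is defined outside this diff. If it accepts IPv6 networks as well as IPv4, an IPv6 block would pass plan-time validation and only fail at apply, because the value is sent in the Lightsail `Cidrs` member, which carries IPv4 ranges. An IPv4-only network-address validator would reject such input earlier and with a clearer message. Since the argument is also `Computed: true`, the field would benefit from a comment such as `// Computed: when omitted, state holds the source ranges reported by the API.` The enclosing schema function starts and ends outside the hunk.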
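Review bot: In `expandLightsailPortInfo` the `v.Len() > 0` guard makes an explicit `cidrs = []` indistinguishable from an omitted argument: `Cidrs` stays nil and the service chooses the source range. For a firewall rule that is presumably the permissive direction (any IPv4 source; confirm against the Lightsail API reference), so someone who writes an empty set expecting "no sources allowed" would get an open port. I would record this at the guard with `// Cidrs stays nil when unset or empty; the service default source range then applies.` The default should also be stated in the `cidrs` entry of the docs page, which currently reads only "Set of CIDR blocks." The function starts outside the hunk.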
@@ -31,9 +31,11 @@ func TestAccAWSLightsailInstancePublicPorts_basic(t *testing.T) { Check: resource.ComposeAggregateTestCheckFunc( testAccCheckAWSLightsailInstancePublicPortsExists(resourceName), resource.TestCheckResourceAttr(resourceName, "port_info.#", "1"), - resource.TestCheckResourceAttr(resourceName, "port_info.0.protocol", "tcp"), - resource.TestCheckResourceAttr(resourceName, "port_info.0.from_port", "80"), - resource.TestCheckResourceAttr(resourceName, "port_info.0.to_port", "80"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "port_info.*", map[string]string{ + "protocol": "tcp", + "from_port": "80", + "to_port": "80", + }), ), }, }, 
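Review bot: The rewritten check in `TestAccAWSLightsailInstancePublicPorts_basic` asserts nothing about `cidrs`, although the attribute is now `Computed` and this is presumably the configuration that omits it (its config is not touched by this commit). Adding a `"cidrs.#"` entry to the `TestCheckTypeSetElemNestedAttrs` map, and the element value once the expected default is confirmed, would pin which source range is in effect when a port is opened without an explicit restriction. That is the behaviour an operator is most likely to be surprised by. The test function starts and ends outside the hunk.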
@@ -59,12 +61,49 @@ func TestAccAWSLightsailInstancePublicPorts_multiple(t *testing.T) { Check: resource.ComposeAggregateTestCheckFunc( testAccCheckAWSLightsailInstancePublicPortsExists(resourceName), resource.TestCheckResourceAttr(resourceName, "port_info.#", "2"), - resource.TestCheckResourceAttr(resourceName, "port_info.1.protocol", "tcp"), - resource.TestCheckResourceAttr(resourceName, "port_info.1.from_port", "80"), - resource.TestCheckResourceAttr(resourceName, "port_info.1.to_port", "80"), - resource.TestCheckResourceAttr(resourceName, "port_info.0.protocol", "tcp"), - resource.TestCheckResourceAttr(resourceName, "port_info.0.from_port", "443"), - resource.TestCheckResourceAttr(resourceName, "port_info.0.to_port", "443"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "port_info.*", map[string]string{ + "protocol": "tcp", + "from_port": "80", + "to_port": "80", + }), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "port_info.*", map[string]string{ + "protocol": "tcp", + "from_port": "443", + "to_port": "443", + }), + ), + }, + }, + }) +} + +func TestAccAWSLightsailInstancePublicPorts_cidrs(t *testing.T) { + rName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_lightsail_instance_public_ports.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheck(t) + testAccPartitionHasServicePreCheck(lightsail.EndpointsID, t) + testAccPreCheckAWSLightsail(t) + }, + ErrorCheck: testAccErrorCheck(t, lightsail.EndpointsID), + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSLightsailInstancePublicPortsDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSLightsailInstancePublicPortsConfig_cidrs(rName), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckAWSLightsailInstancePublicPortsExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "port_info.#", "1"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "port_info.*", map[string]string{ + 
"protocol": "tcp", + "from_port": "125", + "to_port": "125", + "cidrs.#": "2", + }), + resource.TestCheckTypeSetElemAttr(resourceName, "port_info.*.cidrs.*", "1.1.1.1/32"), + resource.TestCheckTypeSetElemAttr(resourceName, "port_info.*.cidrs.*", "192.168.1.0/24"), ), }, }, @@ -189,3 +228,34 @@ resource "aws_lightsail_instance_public_ports" "test" { } `, rName) } + +func testAccAWSLightsailInstancePublicPortsConfig_cidrs(rName string) string { + return fmt.Sprintf(` +data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_lightsail_instance" "test" { + name = %[1]q + availability_zone = data.aws_availability_zones.available.names[0] + blueprint_id = "amazon_linux" + bundle_id = "nano_1_0" +} + +resource "aws_lightsail_instance_public_ports" "test" { + instance_name = aws_lightsail_instance.test.name + + port_info { + protocol = "tcp" + from_port = 125 + to_port = 125 + cidrs = ["192.168.1.0/24", "1.1.1.1/32"] + } +} +`, rName) +} diff --git a/website/docs/r/lightsail_instance_public_ports.html.markdown b/website/docs/r/lightsail_instance_public_ports.html.markdown index 320f7d51957b..3e9b98ce0f6c 100644 --- a/website/docs/r/lightsail_instance_public_ports.html.markdown +++ b/website/docs/r/lightsail_instance_public_ports.html.markdown @@ -44,10 +44,16 @@ The following arguments are required: ### port_info +The following arguments are required: + * `from_port` - (Required) First port in a range of open ports on an instance. * `protocol` - (Required) IP protocol name. Valid values are `tcp`, `all`, `udp`, and `icmp`. * `to_port` - (Required) Last port in a range of open ports on an instance. +The following arguments are optional: + +* `cidrs` - (Optional) Set of CIDR blocks. + ## Attributes Reference In addition to all arguments above, the following attributes are exported:
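Review bot: `TestAccAWSLightsailInstancePublicPorts_cidrs` has a single create step, so nothing exercises narrowing or removing `cidrs` on an existing `port_info` block. With the argument declared both `Optional` and `Computed`, dropping it from configuration may keep the previously stored ranges rather than produce a diff. A second step that shrinks the set and a third that removes it, each asserting the resulting `cidrs.#`, would show whether a restriction can be changed or lifted as intended. A step using `ExpectError` with a value that has host bits set (constructed example: `10.0.0.1/24`) would also cover the validator.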