diff --git a/bin/tunnel.sh b/bin/tunnel.sh
index 021d6dd..0ece5fc 100755
--- a/bin/tunnel.sh
+++ b/bin/tunnel.sh
@@ -32,4 +32,5 @@ else
   TARGET_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.Tags | from_entries ; .[\"host-type\"] == \"${ENVIRONMENT}-${HOST_TYPE_OR_NAME}\"))) | .[] | select(.State | .Name == \"running\") | .PrivateIpAddress" | shuf | head -n1)
 fi
 
+echo "ssh -i ~/.ssh/mozilla_mr_id_rsa -L \"$TO:$TARGET_IP:$FROM\" \"ubuntu@$BASTION_IP\""
 ssh -i ~/.ssh/mozilla_mr_id_rsa -L "$TO:$TARGET_IP:$FROM" "ubuntu@$BASTION_IP"
diff --git a/terraform/modules/hab/main.tf b/terraform/modules/hab/main.tf
index 7286540..07864a5 100644
--- a/terraform/modules/hab/main.tf
+++ b/terraform/modules/hab/main.tf
@@ -78,6 +78,13 @@ resource "aws_security_group" "hab-ring" {
     self = true
   }
 
+  ingress {
+    from_port = "9631"
+    to_port = "9631"
+    protocol = "tcp"
+    security_groups = ["${data.terraform_remote_state.bastion.bastion_security_group_id}"]
+  }
+
   ingress {
     from_port = "9638"
     to_port = "9638"