diff --git a/main.tf b/main.tf
index 5d9beb7..b13ddd9 100644
--- a/main.tf
+++ b/main.tf
@@ -11,7 +11,7 @@ resource "aws_security_group_rule" "egress" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 to_port = 65535
- protocol = "tcp"
+ protocol = var.egress_protocol
 }
 
 resource "aws_security_group_rule" "ingress_any" {
diff --git a/variables.tf b/variables.tf
index 21b2abf..776b5a7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -72,6 +72,16 @@ variable "user_data_runcmd" {
 default = []
 }
 
+variable "egress_protocol" {
+ description = "Protocol allowed to egress out of the NAT instance"
+ type = string
+ default = "tcp"
+ validation {
+ condition = var.egress_protocol == "tcp" || var.egress_protocol == "udp" || var.egress_protocol == "all"
+ error_message = "The egress_protocol must be one of 'tcp', 'udp' or 'all'."
+ }
+}
+
 locals {
 // Merge the default tags and user-specified tags.
 // User-specified tags take precedence over the default.
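Review bot: The replaced `protocol` line is the only thing made variable, while `from_port = 0` / `to_port = 65535` stay fixed; when `var.egress_protocol` is `"all"` the port range no longer describes the rule (all-protocol rules carry no port range), and as far as I recall the API/provider rejects or silently normalizes a 0–65535 range in that case, so it is worth making the range conditional, e.g. `to_port = var.egress_protocol == "all" ? 0 : 65535`. Note also that this egress rule is `0.0.0.0/0`, so the new variable is the only thing bounding what the NAT instance can reach on the wire; a comment such as `# "all" widens this rule beyond tcp/udp to every IP protocol (ICMP included)` next to the `protocol` line would keep that visible to whoever sets the variable. The enclosing `aws_security_group_rule.egress` resource begins before this hunk.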
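Review bot: The `validation` block's `condition` repeats the variable three times, and the allowed set is duplicated again in `error_message`; `condition = contains(["tcp", "udp", "all"], var.egress_protocol)` states the same rule once and is easier to keep in sync when a value is added. The `description` should also say what the choice means in practice, since a single string cannot express "tcp and udp" — a user who needs both is pushed to `"all"`, which is strictly broader; something like `description = "Protocol allowed to egress out of the NAT instance: tcp, udp, or all (all = every IP protocol, not just tcp+udp)"` makes that trade-off explicit. If allowing tcp and udp together without opening every protocol is a real need, a list-typed variable with one rule per entry would be the cleaner generalization, but that is a larger change than this hunk.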