diff --git a/human-script.md b/human-script.md index 3866214..20abd53 100644 --- a/human-script.md +++ b/human-script.md @@ -119,10 +119,41 @@ Follow this to deploy the entire data infra. - Protocol: Any - Action: Allow - Priority: 1000 +- Database NSG + - Name it: `superhog-data-nsg-database-` + - Purpose: make the databases subnet reachable only from our services subnet and from our jumphost subnet. - Add tags: - `team: data` - `environment: ` - `project: network` + - Add the following inbound rules + - Postgres Jumphost Rule + - Name: AllowPostgresFromJumphostInbound + - Source: the addresss range for the `jumphost-subnet`. In this example, `10.69.0.0/29`. + - Source port ranges: * + - Destination: the addresss range for the `databases-subnet`. In this example, `10.69.0.8/29`. + - Destination port ranges: 5432 + - Protocol: TCP + - Action: Allow + - Priority: 100 + - Postgres Services Rule + - Name: AllowPostgresFromJumphostInbound + - Source: the addresss range for the `services-subnet`. In this example, `10.69.0.64/26`. + - Source port ranges: * + - Destination: the addresss range for the `databases-subnet`. In this example, `10.69.0.8/29`. + - Destination port ranges: 5432 + - Protocol: TCP + - Action: Allow + - Priority: 110 + - Deny Rule + - Name: DenyAllInbound + - Source: Any + - Source port ranges: * + - Destination: Any + - Destination port ranges: * + - Protocol: Any + - Action: Allow + - Priority: 1000 ## 3. Jumphost
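Review bot: The "Deny Rule" at the end of the new Database NSG block is named `DenyAllInbound` but has `Action: Allow`, so as written it is an allow-any rule (Source: Any, Destination: Any, Protocol: Any, priority 1000) that opens the databases subnet to every source the platform routes, which is the opposite of the stated purpose "reachable only from our services subnet and from our jumphost subnet". Change it to `- Action: Deny`. The unchanged context at the top of the hunk shows the same `Protocol: Any` / `Action: Allow` / `Priority: 1000` pairing for the previous NSG's last rule, so that one deserves a check too. Two smaller points in the same hunk: the "Postgres Services Rule" reuses the name `AllowPostgresFromJumphostInbound`, which collides with the jumphost rule above it (rule names must be unique within an NSG) and misdescribes the source; suggest `- Name: AllowPostgresFromServicesInbound`. And "addresss" is misspelled in all four Source/Destination lines; it should read "address range".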