diff --git a/.changelog/13210.txt b/.changelog/13210.txt new file mode 100644 index 00000000000..84c6002d959 --- /dev/null +++ b/.changelog/13210.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +`google_network_security_backend_authentication_config` (beta) +``` \ No newline at end of file diff --git a/google/services/networksecurity/resource_network_security_backend_authentication_config_test.go b/google/services/networksecurity/resource_network_security_backend_authentication_config_test.go new file mode 100644 index 00000000000..8380ac5af78 --- /dev/null +++ b/google/services/networksecurity/resource_network_security_backend_authentication_config_test.go @@ -0,0 +1,3 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 +package networksecurity_test diff --git a/google/services/networksecurity/test-fixtures/cert.pem b/google/services/networksecurity/test-fixtures/cert.pem new file mode 100644 index 00000000000..ac1e3643825 --- /dev/null +++ b/google/services/networksecurity/test-fixtures/cert.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDzCCAfegAwIBAgIUDOiCLH9QNMMYnjPZVf4VwO9blsEwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjIwODI0MDg0MDUxWhgPMzAy +MTEyMjUwODQwNTFaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOT925GG4lKV9HvAHsbecMhGPAqjhVRC26iZ +UJC8oSWOu95lWJSX5ZhbiF6Nz192wDGV/VAh3Lxj8RYtcn75eDxQKTcKouDld+To +CGIStPFWbR6rbysLuZqFVEXVOTvp2QIegInfrvnGC4j7Qpic7zrFB9HzJx+0HpeE +yO4gkdzJfEK/gMmolUgJrKX59o+0+Rj+Jq3EtcQxL1fVBVJSx0NvpoR1eYpnHMr/ +rJKZkUUZ2xE86hrtpiP6OEYQTi00rmf4GnZF5QfGGD0xuoQXtR7Tu+XhKibXIhxc +D4RzPLX1QS040PXvmMPLDb4YlUQ6V3Rs42JDvkkDwIMXZvn8awIDAQABo1MwUTAd +BgNVHQ4EFgQURuo1CCZZAUv7xi02f2nC5tRbf18wHwYDVR0jBBgwFoAURuo1CCZZ +AUv7xi02f2nC5tRbf18wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC +AQEAqx3tDxurnYr9EUPhF5/LlDPYM+VI7EgrKdRnuIqUlZI0tm3vOGME0te6dBTC +YLNaHLW3m/4Tm4M2eg0Kpz6CxJfn3109G31dCi0xwzSDHf5TPUWvqIVhq5WRgMIf +n8KYBlQSmqdJBRztUIQH/UPFnSbxymlS4s5qwDgTH5ag9EEBcnWsQ2LZjKi0eqve +MaqAvvB+j8RGZzYY4re94bSJI42zIZ6nMWPtXwRuDc30xl/u+E0jWIgWbPwSd6Km +3wnJnGiU2ezPGq3zEU+Rc39VVIFKQpciNeYuF3neHPJvYOf58qW2Z8s0VH0MR1x3 +3DoO/e30FIr9j+PRD+s5BPKF2A== +-----END CERTIFICATE----- diff --git a/google/services/networksecurity/test-fixtures/key.pem b/google/services/networksecurity/test-fixtures/key.pem new file mode 100644 index 00000000000..b5d085cff07 --- /dev/null +++ b/google/services/networksecurity/test-fixtures/key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC85P3bkYbiUpX0 +e8Aext5wyEY8CqOFVELbqJlQkLyhJY673mVYlJflmFuIXo3PX3bAMZX9UCHcvGPx +Fi1yfvl4PFApNwqi4OV35OgIYhK08VZtHqtvKwu5moVURdU5O+nZAh6Aid+u+cYL +iPtCmJzvOsUH0fMnH7Qel4TI7iCR3Ml8Qr+AyaiVSAmspfn2j7T5GP4mrcS1xDEv +V9UFUlLHQ2+mhHV5imccyv+skpmRRRnbETzqGu2mI/o4RhBOLTSuZ/gadkXlB8YY +PTG6hBe1HtO75eEqJtciHFwPhHM8tfVBLTjQ9e+Yw8sNvhiVRDpXdGzjYkO+SQPA +gxdm+fxrAgMBAAECggEAV4/A24TQpV4KFBw/WSTvnRFBeXinB1mhamhztWR6hCrA +SPcVPKQY632eRI8sJmpGxl3V/Ogl4khT/cA9jfstEl7G++v/WrRsupCaPLSVnlnX +KdsTNgOauk1WK9P5PMA4rPcuA4Cl91riQpubeWn8KWsxRWg90i+Ak8PB8lBsOaB1 +QzjigWlrRWSpodaw0MBIMZFDL2BYK8HEr+wyATYIyGvDQc9zCnMQIQIZyEPYepLO +04Dw17YcjgnoJ5gLAFiTvDrCpTMewud1RQzvW5TAvG2piw34sf3QMGPM7aXNrfuZ +4ZPC/MwVQgq9Nc+jeDsjApQmJKJ+3a8OdIPU89ArTQKBgQDCpHHQe1RzpHmIx47/ +9N5r+NPBhh8flDYmvgi6zPeBfrAaLWhidS8c7Voa6HwvMxbhryDEvc0YqI3vllfy +xnRF+DfSryozW0gjrkXDGoOzqOJ3EuQwLSJnyX6La2lmufqsRFazwYJ5sxcjoGHK +/sbwZkIUj1ejuH44ve+ZJQFfpwKBgQD4cLJrJhqImUDhHZRx9jBvxyeHy/RjmHK6 +70xQVDi9ZqeExHwtoSbolhXKLB1RtBnw+t5Csy7IDNBDsbUg9fXU8KyCTIdmsyws +bDb5hdKsUF76rkKzlpttiXMRVWGS3CMKWahBpnL3lFB3tdtmskemkBTXVn4VgKAH +xk9XnZ11nQKBgDbQSJ0FnkrSzscOK984/ko50Kh3NNyXyIgwjBTPFASLwNweXX8c +sR/cV7usLQy9vnvf7cJ6EQAYt5/5Httnt+bceBwE6EV+N1qVAWBoXx6BOQV/dHN8 +wmun+tMYdJ5RUZ6hwCjvHedX3/RQfjnEdhHNOl6/31Zj5mfkVU0zdqeRAoGAcvIh +erXMfPr7K6y16+xOCMmKHqhc0F/OZXMmSdxNzEPcqe8GzU3MZLxcJIg4oH7FqdtI +Tm/86w4Spd9owHFMZlNcXYTu+LNZcsw2u0gRayxcZXuO3OyHySxZEuIAHSTBCZ7l +3EoY0zfJ6zk249MEl6n+GouoFmbGpBI6z3zbR3kCgYEAlCNZVH4uJrP5beTOZTTR +VJRk7BXvEC6HsM140YtIN7NHy2GtzrgmmY/ZAFB/hX8Ft4ex2MxbIp3hvxroTqGn +bfu7uv97NoPQqbjtc3Mz8h2IaXTVDUnWYY5gDu6rM2w+Z75/sWIGiTWrsdYX4ohb +ujngzJ7Ew7GgKSboj6mtlVM= +-----END PRIVATE KEY----- \ No newline at end of file diff --git a/website/docs/r/network_security_backend_authentication_config.html.markdown b/website/docs/r/network_security_backend_authentication_config.html.markdown new file mode 100644 index 00000000000..96a054eda14 
--- /dev/null +++ b/website/docs/r/network_security_backend_authentication_config.html.markdown @@ -0,0 +1,216 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This code is generated by Magic Modules using the following: +# +# Configuration: https:#github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/products/networksecurity/BackendAuthenticationConfig.yaml +# Template: https:#github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/terraform/resource.html.markdown.tmpl +# +# DO NOT EDIT this file directly. Any changes made to this file will be +# overwritten during the next generation cycle. +# +# ---------------------------------------------------------------------------- +subcategory: "Network Security" +description: |- + BackendAuthenticationConfig groups the TrustConfig together with other settings that control how the load balancer authenticates, and expresses its identity to the backend. +--- + +# google_network_security_backend_authentication_config + +BackendAuthenticationConfig groups the TrustConfig together with other settings that control how the load balancer authenticates, and expresses its identity to the backend. + +~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. +See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. + +To get more information about BackendAuthenticationConfig, see: +* How-to Guides + * [Backend mTLS](https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#backend-authentication-config) + +
+ + Open in Cloud Shell + +
+## Example Usage - Network Security Backend Authentication Config Basic + + +```hcl +resource "google_network_security_backend_authentication_config" "default" { + provider = google-beta + name = "my-backend-authentication-config" + labels = { + foo = "bar" + } + description = "my description" + well_known_roots = "PUBLIC_ROOTS" +} +``` +
+ + Open in Cloud Shell + +
+## Example Usage - Network Security Backend Authentication Config Full + + +```hcl +resource "google_certificate_manager_certificate" "certificate" { + provider = google-beta + name = "my-certificate" + labels = { + foo = "bar" + } + location = "global" + self_managed { + pem_certificate = file("test-fixtures/cert.pem") + pem_private_key = file("test-fixtures/key.pem") + } + scope = "CLIENT_AUTH" +} + +resource "google_certificate_manager_trust_config" "trust_config" { + provider = google-beta + name = "my-trust-config" + description = "sample description for the trust config" + location = "global" + + trust_stores { + trust_anchors { + pem_certificate = file("test-fixtures/cert.pem") + } + intermediate_cas { + pem_certificate = file("test-fixtures/cert.pem") + } + } + + labels = { + foo = "bar" + } +} + +resource "google_network_security_backend_authentication_config" "default" { + provider = google-beta + name = "my-backend-authentication-config" + labels = { + bar = "foo" + } + location = "global" + description = "my description" + well_known_roots = "PUBLIC_ROOTS" + client_certificate = google_certificate_manager_certificate.certificate.id + trust_config = google_certificate_manager_trust_config.trust_config.id +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `name` - + (Required) + Name of the BackendAuthenticationConfig resource. + + +- - - + + +* `labels` - + (Optional) + Set of label tags associated with the BackendAuthenticationConfig resource. + **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. + Please refer to the field `effective_labels` for all of the labels present on the resource. + +* `description` - + (Optional) + A free-text description of the resource. Max length 1024 characters. + +* `client_certificate` - + (Optional) + Reference to a Certificate resource from the certificatemanager.googleapis.com namespace. 
+ Used by a BackendService to negotiate mTLS when the backend connection uses TLS and the backend requests a client certificate. Must have a CLIENT_AUTH scope. + +* `trust_config` - + (Optional) + Reference to a TrustConfig resource from the certificatemanager.googleapis.com namespace. + A BackendService uses the chain of trust represented by this TrustConfig, if specified, to validate the server certificates presented by the backend. Required unless wellKnownRoots is set to PUBLIC_ROOTS. + +* `well_known_roots` - + (Optional) + Well known roots to use for server certificate validation. If set to NONE, the BackendService will only validate server certificates against roots specified in TrustConfig. + If set to PUBLIC_ROOTS, the BackendService uses a set of well-known public roots, in addition to any roots specified in the trustConfig field, when validating the server certificates presented by the backend. + Validation with these roots is only considered when the TlsSettings.sni field in the BackendService is set. The well-known roots are a set of root CAs managed by Google. CAs in this set can be added or removed without notice. + Possible values are: `NONE`, `PUBLIC_ROOTS`. + +* `location` - + (Optional) + The location of the backend authentication config. + The default value is `global`. + +* `project` - (Optional) The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/backendAuthenticationConfigs/{{name}}` + +* `create_time` - + Time the BackendAuthenticationConfig was created in UTC. + +* `update_time` - + Time the BackendAuthenticationConfig was updated in UTC. 
+ +* `terraform_labels` - + The combination of labels configured directly on the resource + and default labels configured on the provider. + +* `effective_labels` - + All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services. + + +## Timeouts + +This resource provides the following +[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. + +## Import + + +BackendAuthenticationConfig can be imported using any of these accepted formats: + +* `projects/{{project}}/locations/{{location}}/backendAuthenticationConfigs/{{name}}` +* `{{project}}/{{location}}/{{name}}` +* `{{location}}/{{name}}` + + +In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import BackendAuthenticationConfig using one of the formats above. For example: + +```tf +import { + id = "projects/{{project}}/locations/{{location}}/backendAuthenticationConfigs/{{name}}" + to = google_network_security_backend_authentication_config.default +} +``` + +When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), BackendAuthenticationConfig can be imported using one of the formats above. 
For example: + +``` +$ terraform import google_network_security_backend_authentication_config.default projects/{{project}}/locations/{{location}}/backendAuthenticationConfigs/{{name}} +$ terraform import google_network_security_backend_authentication_config.default {{project}}/{{location}}/{{name}} +$ terraform import google_network_security_backend_authentication_config.default {{location}}/{{name}} +``` + +## User Project Overrides + +This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).
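Review bot: google/services/networksecurity/resource_network_security_backend_authentication_config_test.go is added with only the license header and `package networksecurity_test`, so nothing in this patch exercises the new resource even though test-fixtures/cert.pem and test-fixtures/key.pem are added next to it. If the empty file is a by-product of generating a beta-only resource, note that in the change description. Otherwise add at least a create/import test that covers the Basic and Full configurations shown in the docs.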
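Review bot: google/services/networksecurity/test-fixtures/key.pem commits an unencrypted PEM private key, and the Full example in the docs loads it with `pem_private_key = file("test-fixtures/key.pem")`. Confirm the key pair is a throwaway created only for tests and say so next to the fixture (a short README in test-fixtures, plus an explicit secret-scanning allowlist entry so the finding is recorded rather than dismissed ad hoc), or generate the pair at test time instead of storing it. The file also ends without a trailing newline.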
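Review bot: in the Full example of website/docs/r/network_security_backend_authentication_config.html.markdown, `well_known_roots = "PUBLIC_ROOTS"` is set together with `trust_config`, which according to the argument reference in the same file makes the BackendService accept the Google-managed public roots in addition to the TrustConfig roots. For an example meant to show a private trust chain, use `NONE`, or add a comment explaining why both are set and that validation against the public roots only applies when TlsSettings.sni is set on the BackendService. In the same hunk, `trust_config` is marked (Optional) but described as "Required unless wellKnownRoots is set to PUBLIC_ROOTS"; state that condition with the Terraform field name `well_known_roots`. The generated header links read `https:#github.com/...` instead of `https://github.com/...`. Since the file is marked DO NOT EDIT, these belong in the Magic Modules YAML and template it names.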