diff --git a/apstra/provider.go b/apstra/provider.go
index 7fd86d45..874f7ae2 100644
--- a/apstra/provider.go
+++ b/apstra/provider.go
@@ -628,6 +628,7 @@ func (p *Provider) Resources(_ context.Context) []func() resource.Resource {
 		func() resource.Resource { return &resourceDatacenterPropertySet{} },
 		func() resource.Resource { return &resourceDatacenterRack{} },
 		func() resource.Resource { return &resourceDatacenterRoutingZone{} },
+		func() resource.Resource { return &resourceDatacenterRoutingZoneConstraint{} },
 		func() resource.Resource { return &resourceDatacenterRoutingPolicy{} },
 		func() resource.Resource { return &resourceDatacenterSecurityPolicy{} },
 		func() resource.Resource { return &resourceDatacenterIpLinkAddressing{} },
diff --git a/docs/resources/datacenter_routing_zone_constraint.md b/docs/resources/datacenter_routing_zone_constraint.md
new file mode 100644
index 00000000..d99577ed
--- /dev/null
+++ b/docs/resources/datacenter_routing_zone_constraint.md
@@ -0,0 +1,68 @@
+---
+page_title: "apstra_datacenter_routing_zone_constraint Resource - terraform-provider-apstra"
+subcategory: "Reference Design: Datacenter"
+description: |-
+  This resource creates a Routing Zone Constraint within a Datacenter Blueprint.
+---
+
+# apstra_datacenter_routing_zone_constraint (Resource)
+
+This resource creates a Routing Zone Constraint within a Datacenter Blueprint.
+
+
+## Example Usage
+
+```terraform
+# This example creates a Routing Zone Constraint which permits exactly one "dev"
+# Routing Zone anywhere it is applied.
+
+# First, collect all routing zone IDs in the blueprint
+data "apstra_datacenter_routing_zones" "all" {
+  blueprint_id = local.blueprint_id
+}
+
+# Second, collect details about each of those routing zones
+data "apstra_datacenter_routing_zone" "all" {
+  for_each     = data.apstra_datacenter_routing_zones.all.ids
+  blueprint_id = local.blueprint_id
+  id           = each.key
+}
+
+# Finally, create the Routing Zone Constraint
+resource "apstra_datacenter_routing_zone_constraint" "example" {
+  blueprint_id                  = local.blueprint_id
+  name                          = "Permit 1 dev RZ"
+  max_count_constraint          = 1
+  routing_zones_list_constraint = "allow"
+  # Constraints is created as a list comprehension by iterating over
+  # details of each RZ in data.apstra_datacenter_routing_zone.all
+  constraints = [
+    for rz in data.apstra_datacenter_routing_zone.all : rz.id
+    if strcontains(rz.name, "dev") // select those with "dev" in their name
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `blueprint_id` (String) Apstra Blueprint ID.
+- `name` (String) Name displayed in the Apstra web UI.
+- `routing_zones_list_constraint` (String) Instance constraint mode.
+- `allow` - only allow the specified routing zones (add specific routing zones to allow)
+- `deny` - denies allocation of specified routing zones (add specific routing zones to deny)
+- `none` - no additional constraints on routing zones (any routing zones)
+
+### Optional
+
+- `constraints` (Set of String) When `allow` instance constraint mode is chosen, only VNs from selected Routing Zones are allowed to have endpoints on the interface(s) the policy is applied to. The permitted Routing Zones may be specified directly or indirectly (via Routing Zone Groups)
+- `max_count_constraint` (Number) The maximum number of Routing Zones that the Application Point can be part of.
+
+### Read-Only
+
+- `id` (String) Apstra graph node ID.
+
+
+
diff --git a/examples/resources/apstra_datacenter_routing_zone_constraint/example.tf b/examples/resources/apstra_datacenter_routing_zone_constraint/example.tf
new file mode 100644
index 00000000..2c2bc851
--- /dev/null
+++ b/examples/resources/apstra_datacenter_routing_zone_constraint/example.tf
@@ -0,0 +1,28 @@
+# This example creates a Routing Zone Constraint which permits exactly one "dev"
+# Routing Zone anywhere it is applied.
+
+# First, collect all routing zone IDs in the blueprint
+data "apstra_datacenter_routing_zones" "all" {
+  blueprint_id = local.blueprint_id
+}
+
+# Second, collect details about each of those routing zones
+data "apstra_datacenter_routing_zone" "all" {
+  for_each     = data.apstra_datacenter_routing_zones.all.ids
+  blueprint_id = local.blueprint_id
+  id           = each.key
+}
+
+# Finally, create the Routing Zone Constraint
+resource "apstra_datacenter_routing_zone_constraint" "example" {
+  blueprint_id                  = local.blueprint_id
+  name                          = "Permit 1 dev RZ"
+  max_count_constraint          = 1
+  routing_zones_list_constraint = "allow"
+  # Constraints is created as a list comprehension by iterating over
+  # details of each RZ in data.apstra_datacenter_routing_zone.all
+  constraints = [
+    for rz in data.apstra_datacenter_routing_zone.all : rz.id
+    if strcontains(rz.name, "dev") // select those with "dev" in their name
+  ]
+}