diff --git a/v2/charts/azure-service-operator/templates/networkpolicies.yaml b/v2/charts/azure-service-operator/templates/networkpolicies.yaml
new file mode 100644
index 00000000000..2beb00a84f6
--- /dev/null
+++ b/v2/charts/azure-service-operator/templates/networkpolicies.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.networkPolicies.enable }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: azure-service-operator-allow-ingress
+ namespace: {{ .Release.namespace }}
+spec:
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: azure-service-operator-allow-egress
+ namespace: {{ .Release.namespace }}
+spec:
+ egress:
+ - ports:
+ # Required for communication with the Azure API
+ - port: 443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # Required for communication with the Kubernetes API
+ - port: {{ .Values.networkPolicies.kubernetesApiPort }}
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.kubernetesApiCIDR }}
+ # Required for communication with MySQL servers when using MySQL user object
+ - port: 3306
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.mysqlCIDR }}
+ # Required for communication with PostgreSQL servers when using PostgreSQL user object
+ - port: 5432
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.postgresqlCIDR }}
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/v2/charts/azure-service-operator/values.yaml b/v2/charts/azure-service-operator/values.yaml
index 85d0f61c994..2b4f8ff6d83 100644
--- a/v2/charts/azure-service-operator/values.yaml
+++ b/v2/charts/azure-service-operator/values.yaml
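Review bot: The egress rules for the Kubernetes API, MySQL and PostgreSQL appear to place `port:` and `protocol:` directly in the egress rule rather than under a `ports:` list the way the Azure API rule does (the original indentation is not recoverable here, so confirm against the `helm template` output); `NetworkPolicyEgressRule` has no `port` field, so the API server either rejects the policy under strict field validation or prunes the unknown fields and keeps a rule with only `to:`, which permits every port to that CIDR — with the default `kubernetesApiCIDR` of `0.0.0.0/0` that makes the egress policy an allow-all. Both documents also reference `{{ .Release.namespace }}` where Helm's built-in is `{{ .Release.Namespace }}`, so the rendered `namespace:` is empty and the resources only land in the release namespace by client default. There is no egress rule for DNS (port 53 UDP/TCP), so once `policyTypes: [Egress]` is enforced the operator cannot resolve the Azure or database endpoints unless the CNI exempts DNS; the rule below allows it to any destination and can be narrowed to the cluster DNS pods. The ingress document allows `0.0.0.0/0` with no `ports:` restriction, which is a no-op rather than a restriction; consider limiting it to the ports the controller-manager actually serves (webhook, metrics) and documenting that choice in the template.
```yaml
spec:
  egress:
    # Required for communication with the Azure API
    - ports:
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
    # Required for communication with the Kubernetes API
    - ports:
        - port: {{ .Values.networkPolicies.kubernetesApiPort }}
          protocol: TCP
      to:
        - ipBlock:
            cidr: {{ .Values.networkPolicies.kubernetesApiCIDR }}
    # … unchanged in intent: MySQL (3306) and PostgreSQL (5432) rules, each rewritten as `- ports:` + `to:` like the two above …
    # Required for DNS resolution of the endpoints above
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```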
@@ -120,3 +120,15 @@ podAnnotations: {}
 # NOTE: 'installCRDs' should be set to false while installing a tenant.
 multitenant:
 enable: false
+
+# networkPolicies allows you to configure the NetworkPolicies deployed as part of the Chart
+networkPolicies:
+ enable: true
+ # TCP port to be configured for talking to the Kubernetes API
+ kubernetesApiPort: 6443
+ # Destination CIDR for talking to the Kubernetes API
+ kubernetesApiCIDR: 0.0.0.0/0
+ # Destination CIDR for talking to MySQL servers
+ mysqlCIDR: 0.0.0.0/0
+ # Destination CIDR for talking to PostgreSQL servers
+ postgresqlCIDR: 0.0.0.0/0
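Review bot: The comments on `kubernetesApiCIDR`, `mysqlCIDR` and `postgresqlCIDR` say only "Destination CIDR" while every default is `0.0.0.0/0`, so a reader of values.yaml cannot tell that the shipped egress policy allows those ports to any address and is expected to be narrowed; suggest `# Destination CIDR for talking to the Kubernetes API (default permits any address; narrow to the API server endpoint)` and the same qualifier on the two database CIDRs. `enable: true` also switches the policies on for existing installs at upgrade, which is worth stating in the comment above `networkPolicies:` together with the fact that they only take effect on clusters whose CNI enforces NetworkPolicy.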