diff --git a/images/virtualization-artifact/pkg/common/network_policy/network_policy.go b/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
index 43834c7318..4d037609ce 100644
--- a/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
+++ b/images/virtualization-artifact/pkg/common/network_policy/network_policy.go
@@ -19,9 +19,11 @@ package networkpolicy
 import (
 	"context"
 
+	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/deckhouse/virtualization-controller/pkg/common/annotations"
@@ -29,6 +31,14 @@ import (
 	"github.com/deckhouse/virtualization-controller/pkg/controller/supplements"
 )
 
+const (
+	moduleNamespaceLabelName = "module"
+	moduleVirtualization     = "virtualization"
+
+	provisioningMetricsPort = 8443
+	uploaderPort            = 8444
+)
+
 func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object, sup supplements.DataVolumeSupplement, finalizer string) error {
 	npName := sup.NetworkPolicy()
 	networkPolicy := netv1.NetworkPolicy{
@@ -52,8 +62,38 @@ func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object
 					},
 				},
 			},
+			Ingress: []netv1.NetworkPolicyIngressRule{
+				{
+					From: []netv1.NetworkPolicyPeer{
+						{
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									moduleNamespaceLabelName: moduleVirtualization,
+								},
+							},
+						},
+					},
+					Ports: []netv1.NetworkPolicyPort{
+						tcpPort(provisioningMetricsPort),
+					},
+				},
+				{
+					From: []netv1.NetworkPolicyPeer{
+						{
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									annotations.HeritageLabel: annotations.HeritageValue,
+								},
+							},
+						},
+					},
+					Ports: []netv1.NetworkPolicyPort{
+						tcpPort(uploaderPort),
+					},
+				},
+			},
 			Egress: []netv1.NetworkPolicyEgressRule{{}},
-			PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeEgress},
+			PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress, netv1.PolicyTypeEgress},
 		},
 	}
 
@@ -61,6 +101,16 @@ func CreateNetworkPolicy(ctx context.Context, c client.Client, obj metav1.Object
 	return client.IgnoreAlreadyExists(err)
 }
 
+func tcpPort(port int) netv1.NetworkPolicyPort {
+	protocol := corev1.ProtocolTCP
+	targetPort := intstr.FromInt(port)
+
+	return netv1.NetworkPolicyPort{
+		Protocol: &protocol,
+		Port:     &targetPort,
+	}
+}
+
 func GetNetworkPolicy(ctx context.Context, client client.Client, legacyName types.NamespacedName, sup supplements.Generator) (*netv1.NetworkPolicy, error) {
 	np, err := object.FetchObject(ctx, sup.NetworkPolicy(), client, &netv1.NetworkPolicy{})
 	if err != nil {
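Review bot: Both ingress peers select by `NamespaceSelector` alone (the `moduleNamespaceLabelName: moduleVirtualization` rule for 8443 and the `annotations.HeritageLabel` rule for 8444), so every pod in any namespace carrying that label can reach those ports, not only the metrics scraper and uploader client the constant names suggest. A `PodSelector` placed in the same `NetworkPolicyPeer` is ANDed with the namespace selector and would narrow the allow-list to the intended workloads; it is also worth confirming that the `module` and heritage labels on namespaces are protected by admission policy, because the policy now delegates trust to whoever can set them. The two rule literals differ only in the label pair and the port, so a small helper keeps both selectors in step and makes any later tightening a one-place change. The enclosing struct literal and CreateNetworkPolicy begin before this hunk.
```go
			Ingress: []netv1.NetworkPolicyIngressRule{
				ingressFromNamespaces(moduleNamespaceLabelName, moduleVirtualization, provisioningMetricsPort),
				ingressFromNamespaces(annotations.HeritageLabel, annotations.HeritageValue, uploaderPort),
			},
			// … unchanged: Egress and PolicyTypes …

// ingressFromNamespaces allows TCP traffic to port from every pod in a namespace
// labelled label=value. Add a PodSelector to the peer to restrict it to specific pods.
func ingressFromNamespaces(label, value string, port int) netv1.NetworkPolicyIngressRule {
	return netv1.NetworkPolicyIngressRule{
		From: []netv1.NetworkPolicyPeer{{
			NamespaceSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{label: value},
			},
		}},
		Ports: []netv1.NetworkPolicyPort{tcpPort(port)},
	}
}
```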
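Review bot: `tcpPort` has no doc comment, and nothing in its signature says the protocol is fixed to TCP or that the int is a port number; a line such as `// tcpPort builds a NetworkPolicyPort that matches TCP traffic on the given numeric port.` above it states both. The same gap exists for the constants added in the second hunk: `provisioningMetricsPort` and `uploaderPort` should each carry a comment naming the listener the number belongs to, and `moduleNamespaceLabelName` one saying it is matched against namespace labels, since that is the only thing the ingress rules check. If the vendored apimachinery is recent enough, `intstr.FromInt` is marked deprecated in favour of `intstr.FromInt32`, which would also let the parameter be typed `int32`; worth checking against go.mod before switching.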