diff --git a/config/internal/ml-metadata/metadata-grpc.networkpolicy.yaml.tmpl b/config/internal/ml-metadata/metadata-grpc.networkpolicy.yaml.tmpl
new file mode 100644
index 000000000..67ea6db97
--- /dev/null
+++ b/config/internal/ml-metadata/metadata-grpc.networkpolicy.yaml.tmpl
@@ -0,0 +1,27 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: ds-pipeline-metadata-grpc-{{ .Name }}
+  namespace: {{ .Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: ds-pipeline-metadata-grpc-{{ .Name }}
+      component: data-science-pipelines
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8080
+      from:
+        - podSelector:
+            matchLabels:
+              pipelines.kubeflow.org/v2_component: 'true'
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Namespace }}
+        - podSelector:
+           matchLabels:
+             app: ds-pipeline-metadata-envoy-{{.Name}}
+             component: data-science-pipelines
+  policyTypes:
+    - Ingress