diff --git a/crd/multitenancy/api/v1alpha1/multitenantpodnetworkconfig.go b/crd/multitenancy/api/v1alpha1/multitenantpodnetworkconfig.go
index ab481fa496..dba7fdd117 100644
--- a/crd/multitenancy/api/v1alpha1/multitenantpodnetworkconfig.go
+++ b/crd/multitenancy/api/v1alpha1/multitenantpodnetworkconfig.go
@@ -85,6 +85,9 @@ type MultitenantPodNetworkConfigStatus struct {
 // InterfaceInfos describes all of the network container goal state for this Pod
 // +kubebuilder:validation:Optional
 InterfaceInfos []InterfaceInfo `json:"interfaceInfos,omitempty"`
+ // DefaultDenyACL bool indicates whether default deny policy will be present on the pods upon pod creation
+ // +kubebuilder:validation:Optional
+ DefaultDenyACL bool `json:"defaultDenyACL"`
 }
 
 func init() {
diff --git a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
index 4a775363ae..0437bee57f 100644
--- a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
+++ b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
@@ -56,6 +56,10 @@ type PodNetworkInstanceSpec struct {
 // optional for now in case orchestrator uses the deprecated fields
 // +kubebuilder:validation:Optional
 PodNetworkConfigs []PodNetworkConfig `json:"podNetworkConfigs"`
+ // DefaultDenyACL bool indicates whether default deny policy will be present on the pods upon pod creation
+ // +kubebuilder:default=false
+ // +kubebuilder:validation:Optional
+ DefaultDenyACL bool `json:"defaultDenyACL"`
 }
 
 // PodNetworkInstanceStatus defines the observed state of PodNetworkInstance
diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_multitenantpodnetworkconfigs.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_multitenantpodnetworkconfigs.yaml
index 8d82b58756..9390424b82 100644
--- a/crd/multitenancy/manifests/multitenancy.acn.azure.com_multitenantpodnetworkconfigs.yaml
+++ b/crd/multitenancy/manifests/multitenancy.acn.azure.com_multitenantpodnetworkconfigs.yaml
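Review bot: The comment on the new `DefaultDenyACL` field in `MultitenantPodNetworkConfigStatus` reuses the spec wording ("will be present on the pods upon pod creation"), but this struct holds observed state, so a reader cannot tell whether `true` means the deny ACL was actually programmed or only requested. Because the field is a plain `bool`, a status written by a controller that never sets it and a status that deliberately reports no default deny both decode to `false`, which matters to anyone auditing whether the control is in force. I would reword the comment along the lines of `// DefaultDenyACL reports whether the default deny ACL was requested for this pod (confirm: requested or applied)` and, if "not reported" must be distinguishable, consider `*bool` with `omitempty`. The struct starts above the hunk, so any convention set by the other status fields is not visible from here.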
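Review bot: `DefaultDenyACL` in `PodNetworkInstanceSpec` defaults to `false`, so every PodNetworkInstance that omits the field creates pods without the default deny policy, and the doc comment neither states that nor says what happens when the value is edited after pods exist. The phrase "upon pod creation" suggests the setting is read only once; if that is the case, a later edit would leave the declared and the enforced state out of sync without any error. I would spell both points out in the comment, for example `// DefaultDenyACL selects whether a default deny ACL is applied to pods at creation; omitted means false (no deny ACL)`, plus one sentence on the effect of later changes. If the field is meant to be fixed after creation, a marker such as `// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="defaultDenyACL is immutable"` would enforce it at admission. The struct begins outside the hunk, so an existing immutability rule elsewhere on the type cannot be ruled out from here.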
@@ -72,6 +72,10 @@ spec: description: MultitenantPodNetworkConfigStatus defines the observed state of PodNetworkConfig properties: + defaultDenyACL: + description: DefaultDenyACL bool indicates whether default deny policy + will be present on the pods upon pod creation + type: boolean gatewayIP: description: Deprecated - use InterfaceInfos type: string diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml index ff539c6834..8dbbbe127f 100644 --- a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml +++ b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml @@ -53,6 +53,11 @@ spec: spec: description: PodNetworkInstanceSpec defines the desired state of PodNetworkInstance properties: + defaultDenyACL: + default: false + description: DefaultDenyACL bool indicates whether default deny policy + will be present on the pods upon pod creation + type: boolean podIPReservationSize: default: 0 description: Deprecated - use PodNetworks