diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index b29da1f5a7..2dcc3c80b1 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -7,12 +7,13 @@
 # review a PR in an area.
 #
 # Rules are evaluated in this order, and the last match is used for auto-assignment.
-* @azure/azure-sdn-members
-/.github/ @azure/acn-admins
-/cns/ @azure/acn-cns-reviewers
-/cni/ @azure/acn-cni-reviewers
-/dropgz/ @rbtr @camrynl @paulyufan2 @ashvindeodhar @thatmattlong
-/npm/ @azure/acn-npm-reviewers
-/zapai/ @rbtr @ZetaoZhuang
-/bpf-prog/ @camrynl
-/azure-ip-masq-merger/ @QxBytes @santhoshmprabhu
+* @azure/azure-sdn-members
+/.github/ @azure/acn-admins
+/cns/ @azure/acn-cns-reviewers
+/cni/ @azure/acn-cni-reviewers
+/dropgz/ @rbtr @camrynl @paulyufan2 @ashvindeodhar @thatmattlong
+/npm/ @azure/acn-npm-reviewers
+/zapai/ @rbtr @ZetaoZhuang
+/bpf-prog/ @camrynl
+/azure-ip-masq-merger/ @QxBytes @santhoshmprabhu
+/azure-iptables-monitor/ @QxBytes @santhoshmprabhu
diff --git a/.pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile b/.pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile
new file mode 100644
index 0000000000..0fe8fd4c1c
--- /dev/null
+++ b/.pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile
@@ -0,0 +1,18 @@
+ARG ARCH
+
+# mcr.microsoft.com/azurelinux/base/core:3.0
+FROM mcr.microsoft.com/azurelinux/base/core@sha256:9948138108a3d69f1dae62104599ac03132225c3b7a5ac57b85a214629c8567d AS mariner-core
+
+# mcr.microsoft.com/azurelinux/distroless/minimal:3.0
+FROM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS mariner-distroless
+
+FROM mariner-core AS iptables
+RUN tdnf install -y iptables
+
+FROM mariner-distroless AS linux
+ARG ARTIFACT_DIR
+COPY --from=iptables /usr/sbin/*tables* /usr/sbin/
+COPY --from=iptables /usr/lib /usr/lib
+COPY ${ARTIFACT_DIR}/bin/azure-iptables-monitor /azure-iptables-monitor
+
+ENTRYPOINT ["/azure-iptables-monitor"]
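Review bot: `COPY --from=iptables /usr/lib /usr/lib` in the `linux` stage of the new azure-iptables-monitor.Dockerfile copies the whole library tree of the core image into the distroless image, so every shared object from `mariner-core` ships rather than only what iptables needs, which largely cancels the reduced attack surface of the distroless base. Consider copying only the libraries the `*tables*` binaries link against (as reported by `ldd`) plus the xtables extension directory. `RUN tdnf install -y iptables` is unpinned, so the installed package can drift between builds even though both base images are pinned by digest. The final stage sets no `USER`, so the monitor presumably runs as root; if that is required to read iptables state, a comment such as `# runs as root: reading iptables rules needs CAP_NET_ADMIN` would record the decision. `ARG ARCH` is declared but not referenced anywhere in this file.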
diff --git a/.pipelines/build/ob-prepare.steps.yaml b/.pipelines/build/ob-prepare.steps.yaml index 802b9f73b1..863f92d246 100644 --- a/.pipelines/build/ob-prepare.steps.yaml +++ b/.pipelines/build/ob-prepare.steps.yaml @@ -62,6 +62,10 @@ steps: echo "##vso[task.setvariable variable=azureIpMasqMergerVersion;isOutput=true]$AZUREIPMASQMERGERVERSION" echo "azureIpMasqMergerVersion: $AZUREIPMASQMERGERVERSION" + AZUREIPTABLESMONITORVERSION=$(make azure-iptables-monitor-version) + echo "##vso[task.setvariable variable=azureIptablesMonitorVersion;isOutput=true]$AZUREIPTABLESMONITORVERSION" + echo "azureIptablesMonitorVersion: $AZUREIPTABLESMONITORVERSION" + CNIVERSION=$(make cni-version) echo "##vso[task.setvariable variable=cniVersion;isOutput=true]$CNIVERSION" echo "cniVersion: $CNIVERSION" diff --git a/.pipelines/build/scripts/azure-iptables-monitor.sh b/.pipelines/build/scripts/azure-iptables-monitor.sh new file mode 100644 index 0000000000..5ef9daacb8 --- /dev/null +++ b/.pipelines/build/scripts/azure-iptables-monitor.sh @@ -0,0 +1,18 @@ +#!/bin/bash +set -eux + +[[ $OS =~ windows ]] && { echo "azure-iptables-monitor is not supported on Windows"; exit 1; } +FILE_EXT='' + +export CGO_ENABLED=0 + +mkdir -p "$OUT_DIR"/bin +mkdir -p "$OUT_DIR"/files + +pushd "$REPO_ROOT"/azure-iptables-monitor + GOOS="$OS" go build -v -a -trimpath \ + -o "$OUT_DIR"/bin/azure-iptables-monitor"$FILE_EXT" \ + -ldflags "-s -w -X github.com/Azure/azure-container-networking/azure-iptables-monitor/internal/buildinfo.Version=$AZURE_IPTABLES_MONITOR_VERSION -X main.version=$AZURE_IPTABLES_MONITOR_VERSION" \ + -gcflags="-dwarflocationlists=true" \ + . +popd diff --git a/.pipelines/pipeline.yaml b/.pipelines/pipeline.yaml index 7b735653c7..4442e4d6a1 100644 --- a/.pipelines/pipeline.yaml +++ b/.pipelines/pipeline.yaml 
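Review bot: The `go build` line in azure-iptables-monitor.sh sets `GOOS="$OS"` but no `GOARCH`, while the pipeline adds both an amd64 and an arm64 job for this component; unless the calling template exports `GOARCH` or the arm64 job runs on a native agent (neither is visible here), both jobs would build for the host architecture, so consider `GOOS="$OS" GOARCH="$ARCH" go build …` (assuming the job exposes the matrix `arch` as `ARCH`). `FILE_EXT` is always empty because Windows is rejected on the line above it, so the variable can be dropped. `-s -w` strips the DWARF data at link time, so `-gcflags="-dwarflocationlists=true"` appears to have no effect on the shipped binary. The `-X …/internal/buildinfo.Version=` flag is silently ignored by the linker if that variable does not exist; the in-tree Dockerfile only sets `main.version`, so it is worth confirming the package is there.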
@@ -125,6 +125,10 @@ stages: arch: amd64 name: azure-ip-masq-merger os: linux + azure_iptables_monitor_linux_amd64: + arch: amd64 + name: azure-iptables-monitor + os: linux cni_linux_amd64: arch: amd64 name: cni @@ -174,6 +178,10 @@ stages: arch: arm64 name: azure-ip-masq-merger os: linux + azure_iptables_monitor_linux_arm64: + arch: arm64 + name: azure-iptables-monitor + os: linux cni_linux_arm64: arch: arm64 name: cni @@ -228,6 +236,9 @@ stages: azure_ip_masq_merger: name: azure-ip-masq-merger platforms: linux/amd64 linux/arm64 + azure_iptables_monitor: + name: azure-iptables-monitor + platforms: linux/amd64 linux/arm64 steps: - template: containers/manifest-template.yaml parameters: diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index b907b03e84..f759f11e8f 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -38,6 +38,7 @@ stages: IMAGE_REPO_PATH: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.imageRepositoryPath'] ] AZURE_IPAM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpamVersion'] ] AZURE_IP_MASQ_MERGER_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpMasqMergerVersion'] ] + AZURE_IPTABLES_MONITOR_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIptablesMonitorVersion'] ] CNI_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cniVersion'] ] CNS_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cnsVersion'] ] IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ] 
@@ -68,6 +69,12 @@ stages: archiveName: azure-ip-masq-merger archiveVersion: $(AZURE_IP_MASQ_MERGER_VERSION) imageTag: $(Build.BuildNumber) + azure_iptables_monitor: + name: azure-iptables-monitor + extraArgs: '' + archiveName: azure-iptables-monitor + archiveVersion: $(AZURE_IPTABLES_MONITOR_VERSION) + imageTag: $(Build.BuildNumber) cni: name: cni extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' @@ -152,6 +159,12 @@ stages: archiveName: azure-ip-masq-merger archiveVersion: $(AZURE_IP_MASQ_MERGER_VERSION) imageTag: $(Build.BuildNumber) + azure_iptables_monitor: + name: azure-iptables-monitor + extraArgs: '' + archiveName: azure-iptables-monitor + archiveVersion: $(AZURE_IPTABLES_MONITOR_VERSION) + imageTag: $(Build.BuildNumber) cni: name: cni extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' @@ -190,6 +203,7 @@ stages: AZURE_IPAM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpamVersion'] ] AZURE_IP_MASQ_MERGER_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpMasqMergerVersion'] ] + AZURE_IPTABLES_MONITOR_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIptablesMonitorVersion'] ] CNI_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cniVersion'] ] CNS_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cnsVersion'] ] IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ] 
@@ -202,6 +216,9 @@ stages: IP_MASQ_MERGER_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/azure-ip-masq-merger:$(Build.BuildNumber) IP_MASQ_MERGER_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-ip-masq-merger:$(Build.BuildNumber) + IPTABLES_MONITOR_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/azure-iptables-monitor:$(Build.BuildNumber) + IPTABLES_MONITOR_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-iptables-monitor:$(Build.BuildNumber) + CNI_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/cni:$(Build.BuildNumber) CNI_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/cni:$(Build.BuildNumber) CNI_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/cni:$(Build.BuildNumber) @@ -241,6 +258,15 @@ stages: imageReference: $(IP_MASQ_MERGER_LINUX_AMD64_REF) - platform: linux/arm64 imageReference: $(IP_MASQ_MERGER_LINUX_ARM64_REF) + - job: azure_iptables_monitor + templateContext: + name: azure-iptables-monitor + image_tag: $(AZURE_IPTABLES_MONITOR_VERSION) + platforms: + - platform: linux/amd64 + imageReference: $(IPTABLES_MONITOR_LINUX_AMD64_REF) + - platform: linux/arm64 + imageReference: $(IPTABLES_MONITOR_LINUX_ARM64_REF) - job: cni templateContext: name: cni diff --git a/azure-iptables-monitor/Dockerfile b/azure-iptables-monitor/Dockerfile index 559f33a012..eb6c6be056 100644 --- a/azure-iptables-monitor/Dockerfile +++ b/azure-iptables-monitor/Dockerfile @@ -15,7 +15,7 @@ ARG OS ARG VERSION WORKDIR /azure-iptables-monitor COPY ./azure-iptables-monitor . -RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/iptables-monitor -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . +RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/iptables-monitor -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . FROM mariner-core AS iptables RUN tdnf install -y iptables
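Review bot: On the changed `RUN` line of azure-iptables-monitor/Dockerfile the nested quotes in `-ldflags "-s -w -X main.version="$VERSION""` close the string before `$VERSION`, so the build argument is expanded unquoted and a value containing whitespace would be split into separate `go build` arguments; `-ldflags "-s -w -X main.version=$VERSION"` keeps it inside one argument. `GOOS=$OS` could be quoted the same way. With `-s -w` the DWARF data is stripped at link time, so `-gcflags="-dwarflocationlists=true"` appears to have no effect on the resulting binary and could be removed. The build stage starts above the hunk and the `iptables` stage continues below it.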