diff --git a/content/en/docs/tasks/network/block-services-with-externalips.md b/content/en/docs/tasks/network/block-services-with-externalips.md new file mode 100644 index 0000000000000..37180cc916b53 --- /dev/null +++ b/content/en/docs/tasks/network/block-services-with-externalips.md 
@@ -0,0 +1,100 @@ +--- +reviewers: +- thockin +- danwinship +- aojea +min-kubernetes-server-version: v1.30 +title: Block Services with ExternalIPs +content_type: task +--- + + + +This document shares how to control how Services with ExternalIPs are managed within your cluster. + +An ExternalIP is a powerful tool that could be used for [malicious intent](https://www.cvedetails.com/cve/CVE-2020-8554/). + +Any user who can create a Service with ExternalIPs could: + +- intercept other users' outbound traffic to arbitrary IPs. +- could (non-deterministically) steal other users' inbound traffic to their own ExternalIPs. + +## {{% heading "prerequisites" %}} + +{{< include "task-tutorial-prereqs.md" >}} + +{{< version-check >}} + + + +## Kubernetes Service ExternalIP Policies + +Cluster administrators can implement policies to control the creation and modification of Services with ExternalIPs within the cluster. This allows for centralized management of the allowed ExternalIPs used for Services and helps prevent unintended or conflicting configurations. Kubernetes provides mechanisms like Validating Admission Policies to enforce these rules. + +### Allowing only specific ExternalIPs within a certain IP range to be created + +The following example allows an administrator to restrict the allowed IP address range(s) of any new or updated Service: + +```yaml +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "allow-specific-externalips" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["services"] + variables: + - name: allowed + expression: "['192.0.2.0/24', '2001:db8::/64']" + validations: + - expression: | + !has(object.spec.externalIPs) || + object.spec.externalIPs.all(ip, variables.allowed.exists(cidr, cidr(cidr).containsIP(ip))) + message: "All externalIPs must be within the allowed CIDR ranges." 
+--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "allow-specific-externalips-binding" +spec: + policyName: "allow-specific-externalips" + validationActions: [Deny, Audit] +``` + +### Restricting which users/groups may create/update Services with ExternalIPs + +```yaml +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "allow-specific-users-to-manage-externalips" +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["services"] + validations: + - expression: | + !has(object.spec.externalIPs) || + request.userInfo.username == "myuser" || + request.userInfo.groups.exists(g, g in ["system:masters", "net-admins"]) + message: "Only user 'myuser' or members of groups 'system:masters' and 'net-admins' can assign externalIPs." +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "allow-specific-users-binding" +spec: + policyName: "allow-specific-users-to-manage-externalips" + validationActions: [Deny, Audit] +```
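Review bot: the second policy ("allow-specific-users-to-manage-externalips") denies every UPDATE that touches a Service which already carries externalIPs, even when the requester is not changing them: a non-admin editing ports or labels on a Service whose externalIPs were assigned by an admin fails the expression `!has(object.spec.externalIPs) || request.userInfo.username == "myuser" || ...`, because none of the three branches covers "externalIPs unchanged". Consider adding a branch such as `(request.operation == "UPDATE" && has(oldObject.spec.externalIPs) && object.spec.externalIPs == oldObject.spec.externalIPs) ||` so that only CREATE and UPDATE requests that set or alter externalIPs are restricted to the listed user and groups, and adjust the `message` to say that externalIPs may only be assigned or changed by them. Two smaller points on the same hunk: in the first policy the comprehension variable in `variables.allowed.exists(cidr, cidr(cidr).containsIP(ip))` reuses the name of the `cidr()` function it calls, which reads as shadowing; renaming it (for example `exists(allowedCidr, cidr(allowedCidr).containsIP(ip))`) avoids the ambiguity. In the intro list, the second bullet repeats the verb from the lead sentence ("could: ... - could (non-deterministically) steal"), so drop the second "could" to match the first bullet.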