diff --git a/charts/gardener-extension-provider-metal/templates/deployment.yaml b/charts/gardener-extension-provider-metal/templates/deployment.yaml
index 28d58f1e8..00d6b1b29 100644
--- a/charts/gardener-extension-provider-metal/templates/deployment.yaml
+++ b/charts/gardener-extension-provider-metal/templates/deployment.yaml
@@ -30,7 +30,10 @@ spec:
 networking.gardener.cloud/to-public-networks: allowed
 networking.gardener.cloud/to-private-networks: allowed
 networking.resources.gardener.cloud/to-all-shoots-kube-apiserver-tcp-443: allowed
-{{ include "labels" . | indent 8 }}
+ {{- if .Values.networkPolicies.enabled }}
+ networking.resources.gardener.cloud/to-metal-api: allowed
+ {{- end }}
+ {{ include "labels" . | indent 8 }}
 spec:
 containers:
 - name: {{ include "name" . }}
diff --git a/charts/gardener-extension-provider-metal/templates/networkpolicies.yaml b/charts/gardener-extension-provider-metal/templates/networkpolicies.yaml
new file mode 100644
index 000000000..fa1ff7e48
--- /dev/null
+++ b/charts/gardener-extension-provider-metal/templates/networkpolicies.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: to-metal-api
+spec:
+ egress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Values.networkPolicies.toMetalApi.namespace }}
+ - podSelector:
+ matchLabels: {{ .Values.networkPolicies.toMetalApi.ingressController.podSelector | nindent 12 }}
+ - ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Values.networkPolicies.toMetalApi.ingressController.namespace }}
+ - podSelector: {}
+ podSelector:
+ matchLabels:
+ networking.resources.gardener.cloud/to-metal-api: allowed
+ policyTypes:
+ - Egress
+{{- end }}
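Review bot: The re-added `{{ include "labels" . | indent 8 }}` line appears to have gained leading whitespace (the removed line sat at column 0); `indent 8` already prefixes every line of the included labels, including the first, so any template indentation in front of `{{` is added on top of it and the first rendered label line lands at the wrong depth. Whitespace is collapsed in this view, so confirm against the file; the form that does not depend on the template's own indentation is `{{- include "labels" . | nindent 8 }}` on a line of its own. The new `networking.resources.gardener.cloud/to-metal-api: allowed` label is gated on `.Values.networkPolicies.enabled`, which matches the podSelector of the policy in networkpolicies.yaml, so the two stay in step. The pod template this hunk sits in starts and ends outside the hunk.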
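Review bot: The first egress rule lists `namespaceSelector` and `podSelector` as two separate `to` items, and Kubernetes ORs separate items: this allows TCP/8080 to every pod in the `toMetalApi.namespace` namespace, plus pods matching the selector in the policy's own namespace (a bare `podSelector` is scoped to the policy's namespace), rather than only the metal-api pods in that namespace — both selectors must sit in one item to be ANDed. The podSelector is also read from `.Values.networkPolicies.toMetalApi.ingressController.podSelector`, while values.yaml defines it as `toMetalApi.podSelector`, and a map value needs `toYaml` before `nindent` to render as valid YAML. The second rule has the same OR shape: `- podSelector: {}` grants 80/443 to every pod in the policy's own namespace in addition to the ingress-controller namespace, which I would drop unless that is intended. Note too that `kubernetes.io/metadata.name` is only populated automatically on clusters that set the default namespace label; on older seeds the selector silently matches nothing, which is worth a comment above the rule.

```yaml
  egress:
    - ports:
        - port: 8080
          protocol: TCP
      to:
        # both selectors in ONE item: metal-api pods in that namespace only
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Values.networkPolicies.toMetalApi.namespace }}
          podSelector:
            matchLabels: {{- toYaml .Values.networkPolicies.toMetalApi.podSelector | nindent 14 }}
    # … unchanged: 80/443 rule to the ingress-controller namespace, without the `- podSelector: {}` item …
```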
diff --git a/charts/gardener-extension-provider-metal/values.yaml b/charts/gardener-extension-provider-metal/values.yaml
index eca54b708..bb67b46b6 100644
--- a/charts/gardener-extension-provider-metal/values.yaml
+++ b/charts/gardener-extension-provider-metal/values.yaml
@@ -85,3 +85,12 @@ config:
 gardener:
 seed:
 provider: metal
+
+networkPolicies:
+ enabled: false
+ toMetalApi:
+ namespace: metal-control-plane
+ podSelector:
+ app: metal-api
+ ingressController:
+ namespace: ingress-nginx
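Review bot: `toMetalApi.podSelector` is introduced here, but the new networkpolicies.yaml template reads `.Values.networkPolicies.toMetalApi.ingressController.podSelector`, so with these defaults and `enabled: true` the selector value is missing at render time; since the labels describe the metal-api pods rather than the ingress controller, the values layout looks right and the template's path should be corrected to match. The new keys carry no explanation, so operators cannot tell what the namespace and labels must point at; a short comment per key would help, e.g. `# namespace and pod labels of the metal-api pods the extension reaches on TCP/8080` above `toMetalApi` and `# namespace of the ingress controller fronting metal-api (TCP/80 and 443)` above `ingressController`. It is also worth stating next to `enabled: false` that leaving it off omits both the NetworkPolicy and the pod label, so on a seed that enforces default-deny egress the extension would have no path to metal-api until it is switched on. The enclosing `config:` stanza begins outside the hunk.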