diff --git a/swan-cern/values.yaml b/swan-cern/values.yaml
index 953eeea..e7ec9c2 100644
--- a/swan-cern/values.yaml
+++ b/swan-cern/values.yaml
@@ -58,6 +58,31 @@ swan:
       image:
         name: gitlab-registry.cern.ch/swan/docker-images/jupyter/swan-cern
         tag: v0.0.27
+      networkPolicy:
+        ingress:
+          # Allow user pods to receive incoming connections on the NodePort service port range.
+          # This supports use cases where servers run inside the user pod and need to receive
+          # connections (e.g. Spark, HTCondor via Dask).
+          - from:
+            - ipBlock:
+                cidr: 0.0.0.0/0
+                # Exclude connections from other pods in our cluster's pod network.
+                except:
+                  - 10.0.0.0/8
+                  - 172.16.0.0/12
+                  - 192.168.0.0/16
+            ports:
+            - protocol: TCP
+              port: 30000
+              endPort: 32767
+        egress:
+          # Allow connection from the user pod to the hadoop token generator to get Hadoop credentials.
+          - to:
+              - podSelector:
+                  matchLabels:
+                    app: hadoop-token-generator
+            ports:
+              - port: 80
     scheduling:
       userPods:
         nodeAffinity:
@@ -174,6 +199,16 @@ swan:
           description: Access to hub Prometheus metrics
           scopes: ['read:metrics']
           services: [prometheus-service-monitor]
+      networkPolicy:
+        ingress:
+          # Allow connection from prometheus to the hub, to scrape the metrics endpoint
+          - ports:
+              - protocol: TCP
+                port: 8081
+            from:
+              - podSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: prometheus
     custom:
       cull:
         # 4 hours
diff --git a/swan/values.yaml b/swan/values.yaml
index d809804..ed276aa 100644
--- a/swan/values.yaml
+++ b/swan/values.yaml
@@ -55,11 +55,12 @@ jupyterhub:
       tag: "v0.0.14"
       pullPolicy: "Always"
     cloudMetadata:
-      # until we configure networkPolicy
-      blockWithIptables: true
       ip: 169.254.169.254
     networkPolicy:
-      enabled: false
+      enabled: true
+      egressAllowRules:
+        dnsPortsCloudMetadataServer: false
+        dnsPortsPrivateIPs: false
     extraAnnotations:
       kubectl.kubernetes.io/default-container: notebook
     extraEnv:
@@ -77,6 +78,13 @@ jupyterhub:
     service:
       type: ClusterIP
     chp:
+      networkPolicy:
+        enabled: true
+        egressAllowRules:
+          cloudMetadataServer: false
+          dnsPortsCloudMetadataServer: false
+          dnsPortsPrivateIPs: false
+          privateIPs: false
       image:
         name: "jupyterhub/configurable-http-proxy"
         tag: "4.5.0"
@@ -174,7 +182,12 @@ jupyterhub:
           raise Exception("Please configure pre_spawn_hook")
         c.KeyCloakAuthenticator.pre_spawn_hook = pre_spawn_hook
     networkPolicy:
-      enabled: false
+      enabled: true
+      egressAllowRules:
+        cloudMetadataServer: false
+        dnsPortsCloudMetadataServer: false
+        dnsPortsPrivateIPs: false
+        privateIPs: false
     # placeholder for hub cookieSecret
     # when empty, it generates a new randomly
     cookieSecret:
@@ -208,5 +221,4 @@ swan:
   secrets:
     ingress:
       cert:
-      key:
-
+      key:
\ No newline at end of file