diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index 2d70106bb1690fc7ca90516a8f9f1e7e4c01afc7..7c5dc5eca03536aec0539c3b6891c126be2b809a 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -59,4 +59,15 @@ spec:
         protocol: UDP
       - port: 5353
         protocol: TCP
+
+{{- if eq (.Values.routing).routingStrategy "ZUFI" }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "routing.zufiManager.namespace must be set if antragraum is enabled" ((.Values.routing).zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+{{- end }}
+
 {{- end }} 
\ No newline at end of file
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index ab74074fa631daa7404959e1e05d9d4e7faed1b6..0e4ad5002b616eba018a6d7a7d00c1ba13ab1b25 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -123,4 +123,54 @@ tests:
         dnsServerNamespace: test-dns-server-namespace
     asserts:
       - hasDocuments:
-          count: 1
\ No newline at end of file
+          count: 1
+
+
+  - it: should add zufi rule when zufi-routing is enabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - contains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
+
+  - it: should throw error when zufi is enabled but zufi namespace not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+    asserts:
+    - failedTemplate:
+        errorMessage: routing.zufiManager.namespace must be set if antragraum is enabled
+
+  - it: should not add zufi rule when zufi-routing is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - notContains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
\ No newline at end of file
diff --git a/xta-adapter/src/main/helm/templates/network_policy.yaml b/xta-adapter/src/main/helm/templates/network_policy.yaml
index b65e30f07ac0bc4277370f0879bc71c2c9c8adb5..90ef9b2c4274b1df4b5e58b2014a81645b468e6c 100644
--- a/xta-adapter/src/main/helm/templates/network_policy.yaml
+++ b/xta-adapter/src/main/helm/templates/network_policy.yaml
@@ -66,6 +66,17 @@ spec:
         protocol: TCP
       - port: 9000
         protocol: TCP
+
+{{- if eq (.Values.routing).routingStrategy "ZUFI" }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "routing.zufiManager.namespace must be set if antragraum is enabled" ((.Values.routing).zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+{{- end }}
+
 {{- with (.Values.networkPolicy).additionalEgressConfigLocal }}
 {{ toYaml . | indent 2 }}
 {{- end }}
diff --git a/xta-adapter/src/test/helm/network_policy_test.yaml b/xta-adapter/src/test/helm/network_policy_test.yaml
index 74ac285893aab5f14a2b7abe6e3d5c84fd55033d..304fe58d294d1a530c8c621ad731e670d7871df0 100644
--- a/xta-adapter/src/test/helm/network_policy_test.yaml
+++ b/xta-adapter/src/test/helm/network_policy_test.yaml
@@ -162,4 +162,53 @@ tests:
         dnsServerNamespace: test-dns-server-namespace
     asserts:
       - hasDocuments:
-          count: 1
\ No newline at end of file
+          count: 1
+
+  - it: should add zufi rule when zufi-routing is enabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - contains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
+
+  - it: should throw error when zufi is enabled but zufi namespace not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+    asserts:
+    - failedTemplate:
+        errorMessage: routing.zufiManager.namespace must be set if antragraum is enabled
+
+  - it: should not add zufi rule when zufi-routing is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - notContains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server