diff --git a/templates/addons/calico.yaml b/templates/addons/calico.yaml index 734c179e40b..5ce5330e4a9 100644 --- a/templates/addons/calico.yaml +++ b/templates/addons/calico.yaml @@ -4141,3 +4141,36 @@ spec: --- # Source: calico/templates/configure-canal.yaml + +--- +# This network policy explicitly ensures that container-originating TCP traffic bound for the reserved Azure IP endpoint is blocked +# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075. +apiVersion: crd.projectcalico.org/v1 +kind: GlobalNetworkPolicy +metadata: + name: deny-azure-internal +spec: + order: 0 + applyOnForward: true + types: + - Egress + egress: + - action: Deny + protocol: TCP + destination: + nets: + - 168.63.129.16/32 +--- +apiVersion: crd.projectcalico.org/v1 +kind: GlobalNetworkPolicy +metadata: + name: default-allow +spec: + applyOnForward: true + types: + - Egress + - Ingress + egress: + - action: Allow + ingress: + - action: Allow diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml index 7404bf56cb5..78cc5cbdeda 100644 --- a/templates/test/ci/cluster-template-prow-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version.yaml 
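Review bot: The `default-allow` GlobalNetworkPolicy at the end of the hunk has neither a `selector` nor an `order`, so it applies to every workload and host endpoint and, as I understand Calico's ordering, is evaluated after every ordered policy, including Calico's translations of Kubernetes NetworkPolicy. If Calico's end-of-policies default deny works the way I read it, traffic that a namespace default-deny NetworkPolicy leaves unmatched would now reach this Allow instead of being dropped, so it is worth confirming with an e2e check that NetworkPolicy isolation still holds once this addon is applied, and recording why the Allow exists, e.g. `# deny-azure-internal has no selector, so it applies to all endpoints; this unordered Allow restores default-allow for traffic it does not match.` A smaller point: `egress:` in `deny-azure-internal` appears to carry trailing whitespace (it surfaces as `egress: \n` in the ConfigMap copies of this policy in the cluster-template hunks below, while `ingress:` does not), and `egress:` without the trailing space keeps yamllint quiet. The same policy text is embedded verbatim in the ConfigMap data of the test-template hunks that follow, so any change here has to be regenerated into them as well.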
@@ -2837,7 +2837,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-custom-vnet.yaml b/templates/test/ci/cluster-template-prow-custom-vnet.yaml index a9e095002f7..0db923c518b 100644 --- a/templates/test/ci/cluster-template-prow-custom-vnet.yaml +++ b/templates/test/ci/cluster-template-prow-custom-vnet.yaml 
@@ -2702,7 +2702,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml index 4138dbc5d09..2c5f33f4459 100644 --- a/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml +++ b/templates/test/ci/cluster-template-prow-external-cloud-provider.yaml 
@@ -3009,7 +3009,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml index 4174976d60f..fe3ee7565f9 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml 
@@ -2823,7 +2823,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-machine-pool.yaml b/templates/test/ci/cluster-template-prow-machine-pool.yaml index 7536bc5de20..47d19e3023e 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool.yaml 
@@ -2676,7 +2676,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml index 1026a35eada..d9da103415e 100644 --- a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml +++ b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml 
@@ -9031,7 +9031,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow-private.yaml b/templates/test/ci/cluster-template-prow-private.yaml index 2efa78f0da6..428758a0643 100644 --- a/templates/test/ci/cluster-template-prow-private.yaml +++ b/templates/test/ci/cluster-template-prow-private.yaml 
@@ -2705,7 +2705,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/ci/cluster-template-prow.yaml b/templates/test/ci/cluster-template-prow.yaml index d1694d76e78..62adf759aeb 100644 --- a/templates/test/ci/cluster-template-prow.yaml +++ b/templates/test/ci/cluster-template-prow.yaml 
@@ -2691,7 +2691,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml index e8f71856cf5..faedf4a9cdb 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml +++ b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml 
@@ -2766,7 +2766,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml index dbc8a0d7845..bc14d430a68 100644 --- a/templates/test/dev/cluster-template-custom-builds.yaml +++ b/templates/test/dev/cluster-template-custom-builds.yaml 
@@ -2780,7 +2780,15 @@ data: \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# - Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" + Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n\n---\n# + This network policy explicitly ensures that container-originating TCP traffic + bound for the reserved Azure IP endpoint is blocked\n# to remediate https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27075.\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: deny-azure-internal\nspec:\n + \ order: 0\n applyOnForward: true\n types:\n - Egress\n egress: \n - action: + Deny\n protocol: TCP\n destination:\n nets:\n - 168.63.129.16/32\n---\napiVersion: + crd.projectcalico.org/v1\nkind: GlobalNetworkPolicy\nmetadata:\n name: default-allow\nspec:\n + \ applyOnForward: true\n types:\n - Egress\n - Ingress\n egress:\n - action: + Allow\n ingress:\n - action: Allow\n" kind: ConfigMap metadata: annotations: