diff --git a/kube/deploy/apps/immich/app/netpol.yaml b/kube/deploy/apps/immich/app/netpol.yaml
new file mode 100644
index 00000000..398bdd5f
--- /dev/null
+++ b/kube/deploy/apps/immich/app/netpol.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: &app immich
+  namespace: *app
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: *app
+      app.kubernetes.io/component: ml
+  egress:
+    - toFQDNs:
+        - matchPattern: "huggingface.co"
+      toPorts:
+        - ports:
+            - port: "443"