diff --git a/connectivity/manifests/deny-cidr.yaml b/connectivity/manifests/deny-cidr.yaml
new file mode 100644
index 0000000000..b6650f7074
--- /dev/null
+++ b/connectivity/manifests/deny-cidr.yaml
@@ -0,0 +1,11 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: cidr-deny
+spec:
+ endpointSelector: {}
+ ingressDeny:
+ - fromCIDR:
+{{ range $i := .NodesWithoutCiliumIPs }}
+ - {{$i.IP}}/{{$i.Mask}}
+{{ end }}
diff --git a/connectivity/manifests/deny-world-entity.yaml b/connectivity/manifests/deny-world-entity.yaml
new file mode 100644
index 0000000000..ffa3dba9d7
--- /dev/null
+++ b/connectivity/manifests/deny-world-entity.yaml
@@ -0,0 +1,9 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "world-entity-deny"
+spec:
+ endpointSelector: {}
+ ingressDeny:
+ - fromEntities:
+ - world
diff --git a/connectivity/suite.go b/connectivity/suite.go
index 37bbcacf2f..9303489a6c 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -44,9 +44,15 @@ var (
 //go:embed manifests/deny-ingress-entity.yaml
 denyIngressIdentityPolicyYAML string
+ //go:embed manifests/deny-world-entity.yaml
+ denyWorldIdentityPolicyYAML string
+
 //go:embed manifests/deny-ingress-backend.yaml
 denyIngressBackendPolicyYAML string
+ //go:embed manifests/deny-cidr.yaml
+ denyCIDRPolicyYAML string
+
 //go:embed manifests/allow-cluster-entity.yaml
 allowClusterEntityPolicyYAML string
@@ -210,6 +216,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 "clientEgressL7TLSPolicyYAML": clientEgressL7TLSPolicyYAML,
 "clientEgressL7HTTPMatchheaderSecretYAML": clientEgressL7HTTPMatchheaderSecretYAML,
 "echoIngressFromCIDRYAML": echoIngressFromCIDRYAML,
+ "denyCIDRPolicyYAML": denyCIDRPolicyYAML,
 }
 if ct.Params().K8sLocalHostTest {
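Review bot: The `fromCIDR:` list is left without entries when `.NodesWithoutCiliumIPs` renders empty, so the policy would then carry a null `fromCIDR` rather than an empty list; whether the CRD accepts that cannot be seen here, and the only thing guarding it is the `NodeWithoutCilium` feature requirement on the test that consumes this template. A header comment stating that assumption is the cheap fix: `# Rendered by suite.go: denies ingress from every node without Cilium; expects NodesWithoutCiliumIPs to be non-empty and Mask to be a prefix length.` The `{{$i.IP}}/{{$i.Mask}}` entry is only valid CIDR notation if `Mask` is a prefix length, which nothing in the manifest makes explicit.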
@@ -1077,6 +1084,38 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 tests.PodToIngress(),
 )
+ ct.NewTest("outside-to-ingress-service").
+ WithFeatureRequirements(
+ features.RequireEnabled(features.IngressController),
+ features.RequireEnabled(features.NodeWithoutCilium)).
+ WithScenarios(
+ tests.OutsideToIngressService(),
+ )
+
+ ct.NewTest("outside-to-ingress-service-deny-world-identity").
+ WithFeatureRequirements(
+ features.RequireEnabled(features.IngressController),
+ features.RequireEnabled(features.NodeWithoutCilium)).
+ WithCiliumPolicy(denyWorldIdentityPolicyYAML).
+ WithScenarios(
+ tests.OutsideToIngressService(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
+ ct.NewTest("outside-to-ingress-service-deny-cidr").
+ WithFeatureRequirements(
+ features.RequireEnabled(features.IngressController),
+ features.RequireEnabled(features.NodeWithoutCilium)).
+ WithCiliumPolicy(renderedTemplates["denyCIDRPolicyYAML"]).
+ WithScenarios(
+ tests.OutsideToIngressService(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
 // Only allow UDP:53 to kube-dns, no DNS proxy enabled.
 ct.NewTest("dns-only").WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).
 WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
diff --git a/connectivity/tests/service.go b/connectivity/tests/service.go
index bc83ed46b3..c8415bd95a 100644
--- a/connectivity/tests/service.go
+++ b/connectivity/tests/service.go
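Review bot: The two deny tests repeat the same anonymous `WithExpectations` closure, and its `a *check.Action` parameter is unused in both; hoisting it once, `denyFromOutside := func(_ *check.Action) (egress check.Result, ingress check.Result) { return check.ResultDefaultDenyEgressDrop, check.ResultNone }`, and passing `WithExpectations(denyFromOutside)` keeps the two tests in step. Both policies are `ingressDeny` rules yet the expectation is an egress-side drop (`ResultDefaultDenyEgressDrop`); presumably this is because the client sits on a node without Cilium so only the request outcome is observable, but a one-line comment saying so would save the next reader the same question. The three new tests also lack the short leading comment their neighbours carry (`// Only allow UDP:53 ...`), e.g. `// Requests from a node without Cilium must reach the Ingress service's NodePort; the deny variants expect the policy to drop them.` The enclosing `Run` function starts and ends outside the hunk.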
@@ -297,3 +297,35 @@ func (s *outsideToNodePort) Run(ctx context.Context, t *check.Test) {
 }
 }
 }
+
+// OutsideToIngressService sends an HTTP request from client pod running on a node w/o
+// Cilium to NodePort services.
+func OutsideToIngressService() check.Scenario {
+ return &outsideToIngressService{}
+}
+
+type outsideToIngressService struct{}
+
+func (s *outsideToIngressService) Name() string {
+ return "outside-to-ingress-service"
+}
+
+func (s *outsideToIngressService) Run(ctx context.Context, t *check.Test) {
+ clientPod := t.Context().HostNetNSPodsByNode()[t.NodesWithoutCilium()[0]]
+ i := 0
+
+ for _, svc := range t.Context().IngressService() {
+ t.NewAction(s, fmt.Sprintf("curl-%d", i), &clientPod, svc, features.IPFamilyAny).Run(func(a *check.Action) {
+ for _, node := range t.Context().Nodes() {
+ node := node
+ a.ExecInPod(ctx, t.Context().CurlCommand(svc.ToNodeportService(node), features.IPFamilyAny))
+
+ a.ValidateFlows(ctx, clientPod, a.GetEgressRequirements(check.FlowParameters{
+ DNSRequired: true,
+ AltDstPort: svc.Port(),
+ }))
+ }
+ })
+ i++
+ }
+}
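Review bot: The doc comment on `OutsideToIngressService` describes the NodePort scenario above it rather than this one: `Run` iterates `t.Context().IngressService()` and curls `svc.ToNodeportService(node)` on every node, so `// OutsideToIngressService sends an HTTP request from the host-netns client pod on a node without Cilium to the Ingress service's NodePort on every node.` would match the code. The `node := node` copy in the inner loop is dead — nothing in the loop body closes over `node` — and can be dropped. `clientPod` is taken from the `HostNetNSPodsByNode()` map without checking that the key exists, so a missing entry yields a zero-value pod and the failure only surfaces later inside `ExecInPod`; the `[0]` on `NodesWithoutCilium()` presumably relies on the `NodeWithoutCilium` feature requirement set in the suite, which deserves a comment on that line. Every node is also probed inside a single `curl-%d` action, so a failure on one node is reported under a name that does not say which node it was; one action per (service, node) pair would make the report self-explaining. The tail of `outsideToNodePort.Run` at the top of the hunk is cut off above it.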