diff --git a/deploy/nstemplatetiers/appstudio-env/ns_env.yaml b/deploy/nstemplatetiers/appstudio-env/ns_env.yaml
index f801a2663..86898acb4 100644
--- a/deploy/nstemplatetiers/appstudio-env/ns_env.yaml
+++ b/deploy/nstemplatetiers/appstudio-env/ns_env.yaml
@@ -218,6 +218,19 @@ objects:
 podSelector: {}
 policyTypes:
 - Ingress
+- apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-dev-sandbox-managed-ns
+ namespace: ${SPACE_NAME}-env
+ spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ dev-sandbox/policy-group: ingress
+ policyTypes:
+ - Ingress
 parameters:
 - name: SPACE_NAME
 required: true
diff --git a/deploy/nstemplatetiers/appstudio/ns_tenant.yaml b/deploy/nstemplatetiers/appstudio/ns_tenant.yaml
index 8de7cf5b5..f3f26dc4a 100644
--- a/deploy/nstemplatetiers/appstudio/ns_tenant.yaml
+++ b/deploy/nstemplatetiers/appstudio/ns_tenant.yaml
@@ -242,6 +242,19 @@ objects:
 podSelector: {}
 policyTypes:
 - Ingress
+- apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-dev-sandbox-managed-ns
+ namespace: ${SPACE_NAME}-tenant
+ spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ dev-sandbox/policy-group: ingress
+ policyTypes:
+ - Ingress
 # ServiceAccount and RoleBindings for running Pipelines.
 # appstudio-pipelines-runner-clusterrole is deployed by the pipeline-service component.
 - apiVersion: v1
diff --git a/testsupport/tiers/checks.go b/testsupport/tiers/checks.go
index e6b17df05..79856b3f0 100644
--- a/testsupport/tiers/checks.go
+++ b/testsupport/tiers/checks.go
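Review bot: The new `allow-from-dev-sandbox-managed-ns` object leaves `spec.podSelector` unset, while the policy immediately above it in the hunk states `podSelector: {}` explicitly; an absent selector also matches every pod in the namespace, so the behaviour is the same, but spelling it out keeps the two objects readable side by side and makes the broad scope visible — add `podSelector: {}` under `spec`. The ingress rule also has no `ports` entry, so every port of every pod in `${SPACE_NAME}-env` becomes reachable from any pod in a namespace carrying `dev-sandbox/policy-group: ingress`; a one-line comment above the object naming which component is expected to apply that label, and whether tenants can set it on namespaces they control, would help whoever audits this policy later. The identical object added to ns_tenant.yaml in the next hunk has the same two points.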
@@ -161,7 +161,7 @@ func (a *baseTierChecks) GetNamespaceObjectChecks(nsType string) []namespaceObje
 case "stage":
 otherNamespaceKind = "dev"
 }
- checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromOtherNamespace(otherNamespaceKind), numberOfNetworkPolicies(10))
+ checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromOtherNamespace(otherNamespaceKind), numberOfNetworkPolicies(11))
 return checks
 }
@@ -231,7 +231,7 @@ func (a *base1nsTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObject
 crtadminViewRoleBinding(),
 }
 checks = append(checks, commonNetworkPolicyChecks()...)
- checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9))
+ checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10))
 return checks
 }
@@ -381,6 +381,7 @@ func commonNetworkPolicyChecks() []namespaceObjectsCheck {
 networkPolicyAllowFromIngress(),
 networkPolicyAllowFromOlmNamespaces(),
 networkPolicyAllowFromConsoleNamespaces(),
+ networkPolicyIngressAllowFromDevSandboxPolicyGroup(),
 }
 }
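Review bot: The literal in `numberOfNetworkPolicies(11)` on the rewritten append line is a count that has to be bumped by hand in every tier each time commonNetworkPolicyChecks grows, which is why this commit edits seven such lines (hunks -161, -231, -465, -558, -596, -656 and -736). Judging by the appstudio tiers, where the new value is len(commonNetworkPolicyChecks()) plus the one tier-specific check, the number is simply the count of policy checks appended, so it could be derived instead of maintained: `policies := append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), /* other tier policy checks */)` then `checks = append(checks, policies...)` and `checks = append(checks, numberOfNetworkPolicies(len(policies)))`. That keeps the "no unexpected extra policy" assertion while removing the per-tier arithmetic; the enclosing GetNamespaceObjectChecks starts outside this hunk, and in the base tier the commonNetworkPolicyChecks append is presumably above it as well.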
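Review bot: networkPolicyIngressAllowFromDevSandboxPolicyGroup() is appended to commonNetworkPolicyChecks, which every tier's GetNamespaceObjectChecks consumes, yet the YAML hunks visible in this diff only add the policy to the appstudio and appstudio-env templates. The raised counts in the base, base1ns and intel tiers suggest their templates change too, but those files are not in view; if they are not part of this commit the new check and the raised counts fail for those tiers, so this is worth confirming before merge. The slice literal ends here and the function signature sits outside the hunk.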
@@ -465,7 +466,7 @@ func (a *appstudioTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObje
 resourceQuotaComputeBuild("120", "128Gi", "60", "64Gi"),
 }
 checks = append(checks, commonAppstudioTierChecks()...)
- checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...)
+ checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...)
 return checks
 }
@@ -558,7 +559,7 @@ func (a *appstudiolargeTierChecks) GetNamespaceObjectChecks(_ string) []namespac
 resourceQuotaStorage("50Gi", "400Gi", "50Gi", "180"),
 }
 checks = append(checks, commonAppstudioTierChecks()...)
- checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...)
+ checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...)
 return checks
 }
@@ -596,7 +597,7 @@ func (a *appstudioEnvTierChecks) GetNamespaceObjectChecks(_ string) []namespaceO
 appstudioWorkSpaceNameLabel(),
 }
- checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...)
+ checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...)
 return checks
 }
@@ -656,7 +657,7 @@ func (a *intelMediumTierChecks) GetNamespaceObjectChecks(_ string) []namespaceOb
 crtadminViewRoleBinding(),
 }
 checks = append(checks, commonNetworkPolicyChecks()...)
- checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9))
+ checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10))
 return checks
 }
@@ -736,7 +737,7 @@ func getNamespaceObjectChecksForIntelLarge(memoryLimit string) []namespaceObject
 crtadminViewRoleBinding(),
 }
 checks = append(checks, commonNetworkPolicyChecks()...)
- checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9))
+ checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10))
 return checks
 }
@@ -1242,6 +1243,10 @@ func networkPolicyIngressFromPolicyGroup(name, group string) namespaceObjectsChe
 return assertNetworkPolicyIngressForNamespaces(name, metav1.LabelSelector{}, "network.openshift.io/policy-group", group)
 }
+func networkPolicyIngressAllowFromDevSandboxPolicyGroup() namespaceObjectsCheck {
+ return assertNetworkPolicyIngressForNamespaces("allow-from-dev-sandbox-managed-ns", metav1.LabelSelector{}, "dev-sandbox/policy-group", "ingress")
+}
+
 func assertNetworkPolicyIngressForNamespaces(name string, podSelector metav1.LabelSelector, labelNameValuePairs ...string) namespaceObjectsCheck {
 return func(t *testing.T, ns *corev1.Namespace, memberAwait *wait.MemberAwaitility, userName string) {
 require.Equal(t, 0, len(labelNameValuePairs)%2, "labelNameValuePairs must be a list of key-value pairs")
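Review bot: The new networkPolicyIngressAllowFromDevSandboxPolicyGroup carries no doc comment and hard-codes the policy name, the label key and the label value, whereas its sibling networkPolicyIngressFromPolicyGroup(name, group) directly above parameterises name and group for the `network.openshift.io/policy-group` key. A comment stating what the check asserts would make the relationship clear, e.g. `// networkPolicyIngressAllowFromDevSandboxPolicyGroup checks the "allow-from-dev-sandbox-managed-ns" NetworkPolicy: an empty pod selector and an ingress rule from namespaces labelled dev-sandbox/policy-group=ingress.` If further policies keyed on `dev-sandbox/policy-group` are expected, a `networkPolicyIngressFromDevSandboxPolicyGroup(name, group string)` variant mirroring the sibling would avoid a second hard-coded copy; as written this is fine for a single policy.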