diff --git a/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml b/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml
index 6051dc31c..f6ec58cfc 100644
--- a/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml
+++ b/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml
@@ -14,7 +14,7 @@ spec:
 - fromEndpoints:
 - matchLabels:
 io.kubernetes.pod.namespace: {{ .Values.ingress.namespace }}
-{{ include "speckle.ingress.selector.pod" $ | indent 12 }}
+{{ include "speckle.ingress.selector.pod" $ | indent 12 }}
 toPorts:
 - ports:
 - port: "www"
diff --git a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
index 7a6d4d258..96e6eca73 100644
--- a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
@@ -49,6 +49,9 @@ spec:
 dns:
 # TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
 - matchName: {{ .Values.domain }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - matchPattern: "*.api.apollographql.com"
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # DNS lookup for sentry
 - matchPattern: "*.ingest.sentry.io"
@@ -56,6 +59,14 @@ spec:
 {{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - toFQDNs:
+ - matchPattern: "*.api.apollographql.com"
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # egress to sentry
 - toCIDRSet:
@@ -63,6 +74,7 @@ spec:
 toPorts:
 - ports:
 - port: "443"
+ protocol: TCP
 {{- end }}
 # postgres
 {{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
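Review bot: The new `{{- if .Values.server.monitoring.apollo.enabled }}` guard (here, in the two following hunks of this file, and in networkpolicy.kubernetes.yml) dereferences a nested values path whose default is not part of this diff; if `server.monitoring.apollo` is not declared in the chart's values.yaml, Helm's renderer errors out on a nil intermediate map for every install that does not set it, so confirm the key is defined there with `enabled: false`. The added DNS entry carries no comment while the sibling sentry entry does; add `# DNS lookup for Apollo monitoring` above the new `matchPattern` line for parity. The literal `"*.api.apollographql.com"` is repeated verbatim in the toFQDNs rule of the next hunk, and the DNS allow-list and the L3/L4 egress rule must stay in lockstep for traffic to pass, so a single values entry or named template would be safer than two hand-kept copies.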
@@ -73,7 +85,7 @@ spec:
 # allow egress to the ingress for speckle-server, so it can call itself
 # TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
 - toFQDNs:
- - matchPattern: {{ .Values.domain }}
+ - matchName: {{ .Values.domain }}
 toPorts:
 - ports:
 - port: "443"
diff --git a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
index d372a410f..3c0107c09 100644
--- a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
@@ -23,6 +23,16 @@ spec:
 ports:
 - port: 53
 protocol: UDP
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # except to kubernetes pods or services
+ except:
+ - 10.0.0.0/8
+ ports:
+ - port: 443
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # sentry.io https://docs.sentry.io/product/security/ip-ranges/#event-ingestion
 - to:
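Review bot: The new `- matchName: {{ .Values.domain }}` emits the templated value as a plain scalar, so an unset or empty `domain` renders as a null list entry that Cilium rejects, and a value containing YAML-significant characters would mis-parse; `- matchName: {{ .Values.domain | quote }}` keeps the rendered entry a string. Moving from matchPattern to matchName is the right tightening for a literal hostname and matches the dns-rule entry near the top of the file, but matchName is an exact-name match, so the value must be the bare FQDN with no scheme, port or path.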
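Review bot: The new `ipBlock` allows egress to every address outside `10.0.0.0/8` on port 443, which is far wider than the Cilium variant of the same feature (a single FQDN pattern) and wider than the comment `# except to kubernetes pods or services` claims: pod, service or node ranges in `172.16.0.0/12` or `192.168.0.0/16`, the link-local `169.254.0.0/16` range used by cloud metadata endpoints, and any other non-10/8 network reachable from the node all remain permitted. Plain NetworkPolicy cannot select by hostname, so the carve-out should at least cover every private and link-local range, `- 10.0.0.0/8`, `- 172.16.0.0/12`, `- 192.168.0.0/16`, `- 169.254.0.0/16`, and ideally be driven from values so operators can supply their own cluster CIDRs, the way the sentry block below appears to use Sentry's published ranges. The `port: 443` entry has no `protocol`, which Kubernetes defaults to TCP, consistent with the explicit `protocol: TCP` the Cilium hunk sets.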