diff --git a/cns/service/main.go b/cns/service/main.go
index e22f4d5bc5..61e1490e51 100644
--- a/cns/service/main.go
+++ b/cns/service/main.go
@@ -46,8 +46,10 @@ import (
 	"github.com/Azure/azure-container-networking/store"
 	"github.com/avast/retry-go/v3"
 	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -932,10 +934,22 @@ func InitializeCRDState(ctx context.Context, httpRestService cns.HTTPService, cn
 		return err
 	}
 
+	// the nodeScopedCache sets Selector options on the Manager cache which are used
+	// to perform *server-side* filtering of the cached objects. This is very important
+	// for high node/pod count clusters, as it keeps us from watching objects at the
+	// whole cluster scope when we are only interested in the Node's scope.
+	nodeScopedCache := cache.BuilderWithOptions(cache.Options{
+		SelectorsByObject: cache.SelectorsByObject{
+			&v1alpha.NodeNetworkConfig{}: {
+				Field: fields.SelectorFromSet(fields.Set{"metadata.name": nodeName}),
+			},
+		},
+	})
 	manager, err := ctrl.NewManager(kubeConfig, ctrl.Options{
 		Scheme:             nodenetworkconfig.Scheme,
 		MetricsBindAddress: cnsconfig.MetricsBindAddress,
 		Namespace:          "kube-system", // TODO(rbtr): namespace should be in the cns config
+		NewCache:           nodeScopedCache,
 	})
 	if err != nil {
 		return errors.Wrap(err, "failed to create manager")