diff --git a/.gitignore b/.gitignore
index 2a5e661c0..358d3b656 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,6 +52,9 @@ manager_pull_policy.yaml-e
 # junit files
 junit.*.xml
+# asdf
+.tool-versions
+
 .DS_Store
 # Tilt files.
diff --git a/cloud/services/container/clusters/reconcile.go b/cloud/services/container/clusters/reconcile.go
index cc550d9bd..72ff9d034 100644
--- a/cloud/services/container/clusters/reconcile.go
+++ b/cloud/services/container/clusters/reconcile.go
@@ -268,6 +268,9 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 	if !s.scope.IsAutopilotCluster() {
 		cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.Name)
 	}
+	if s.scope.GCPManagedControlPlane.Spec.NetworkPolicy != nil {
+		cluster.NetworkPolicy = convertToSdkNetworkPolicy(s.scope.GCPManagedControlPlane.Spec.NetworkPolicy)
+	}
 	createClusterRequest := &containerpb.CreateClusterRequest{
 		Cluster: cluster,
@@ -366,6 +369,20 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori
 	}
 }
+// convertToSdkNetworkPolicy converts NetworkPolicy config to a value that is used by GCP SDK.
+func convertToSdkNetworkPolicy(networkPolicy *infrav1exp.NetworkPolicy) *containerpb.NetworkPolicy {
+	sdkNetworkPolicy := containerpb.NetworkPolicy{
+		Enabled: true,
+	}
+	switch networkPolicy.Provider {
+	case "calico":
+		sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_CALICO
+	default:
+		sdkNetworkPolicy.Provider = containerpb.NetworkPolicy_PROVIDER_UNSPECIFIED
+	}
+	return &sdkNetworkPolicy
+}
+
 func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) {
 	log.V(4).Info("Checking diff and preparing update.")
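Review bot: NetworkPolicy is only pushed to GKE in the create path; checkDiffAndPrepareUpdate (touched by the next hunk in this file, which only drops a comment) never compares `existingCluster.NetworkPolicy` with the spec, so a cluster created before the field existed, or one whose enforcement is switched off outside the controller, silently runs without the segmentation the spec asks for. Since the webhook in this change also makes the field immutable, the spec field doc or a log line next to this block should say that enforcement is applied at creation only. As far as I recall the GKE API additionally requires the network-policy addon (`AddonsConfig.NetworkPolicyConfig.Disabled = false`) for `NetworkPolicy.Enabled` to take effect, and Autopilot clusters manage this themselves; worth confirming against the API, especially since the NodePools assignment just above is skipped for Autopilot while this block is not. createCluster continues outside this hunk.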
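Review bot: convertToSdkNetworkPolicy dereferences `networkPolicy` without a nil check and hard-codes `Enabled: true`, so every caller must guard for nil itself and an empty `networkPolicy: {}` turns enforcement on with `PROVIDER_UNSPECIFIED`; neither is stated in the one-line doc comment. The caller comment for the sibling converter (visible in the next hunk) treats a nil MasterAuthorizedNetworksConfig as "disable", which suggests that converter tolerates nil; matching it here with `if networkPolicy == nil { return nil }` makes the helper safe to reuse from an update path later. I would also expand the doc comment to say that Enabled is always set and that any provider other than `calico` maps to `NetworkPolicy_PROVIDER_UNSPECIFIED`.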
@@ -390,7 +407,6 @@ func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster
 			log.V(2).Info("Master version update required", "current", existingClusterMasterVersion, "desired", desiredMasterVersion)
 		}
 	}
-	// DesiredMasterAuthorizedNetworksConfig
 	// When desiredMasterAuthorizedNetworksConfig is nil, it means that the user wants to disable the feature.
 	desiredMasterAuthorizedNetworksConfig := convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig)
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml
index f84e32154..2ea83a130 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml
@@ -117,6 +117,17 @@ spec:
                       Public IP addresses.
                     type: boolean
                 type: object
+              networkPolicy:
+                description: NetworkPolicy represents configuration options for NetworkPolicy
+                  feature of the GKE cluster. This feature is disabled if this field
+                  is not specified.
+                properties:
+                  provider:
+                    description: The selected network policy provider.
+                    enum:
+                    - calico
+                    type: string
+                type: object
               project:
                 description: Project is the name of the project to deploy the cluster
                   to.
diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_types.go b/exp/api/v1beta1/gcpmanagedcontrolplane_types.go
index b0fb6540d..21216aca5 100644
--- a/exp/api/v1beta1/gcpmanagedcontrolplane_types.go
+++ b/exp/api/v1beta1/gcpmanagedcontrolplane_types.go
@@ -57,6 +57,10 @@ type GCPManagedControlPlaneSpec struct {
 	// This feature is disabled if this field is not specified.
 	// +optional
 	MasterAuthorizedNetworksConfig *MasterAuthorizedNetworksConfig `json:"master_authorized_networks_config,omitempty"`
+	// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
+	// This feature is disabled if this field is not specified.
+	// +optional
+	NetworkPolicy *NetworkPolicy `json:"networkPolicy,omitempty"`
 }
 // GCPManagedControlPlaneStatus defines the observed state of GCPManagedControlPlane.
@@ -142,6 +146,14 @@ type MasterAuthorizedNetworksConfigCidrBlock struct {
 	CidrBlock string `json:"cidr_block,omitempty"`
 }
+// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
+type NetworkPolicy struct {
+	// The selected network policy provider.
+	// +kubebuilder:validation:Enum=calico
+	// +optional
+	Provider string `json:"provider,omitempty"`
+}
+
 // GetConditions returns the control planes conditions.
 func (r *GCPManagedControlPlane) GetConditions() clusterv1.Conditions {
 	return r.Status.Conditions
diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go b/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go
index 402ebc3bd..947b23024 100644
--- a/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go
+++ b/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go
@@ -130,6 +130,13 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio
 		)
 	}
+	if !cmp.Equal(r.Spec.NetworkPolicy, old.Spec.NetworkPolicy) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "NetworkPolicy"),
+				r.Spec.NetworkPolicy, "field is immutable"),
+		)
+	}
+
 	if len(allErrs) == 0 {
 		return nil, nil
 	}
diff --git a/exp/api/v1beta1/zz_generated.deepcopy.go b/exp/api/v1beta1/zz_generated.deepcopy.go
index c410dbaeb..480be8047 100644
--- a/exp/api/v1beta1/zz_generated.deepcopy.go
+++ b/exp/api/v1beta1/zz_generated.deepcopy.go
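Review bot: The doc comment on the new NetworkPolicy field says only that the feature is disabled when the field is unset, while the webhook in this same change rejects any later modification; add `// NetworkPolicy is immutable once the cluster has been created.` so users know enforcement cannot be turned on or off afterwards. The JSON tag `networkPolicy` is camelCase whereas the sibling field directly above uses `master_authorized_networks_config`; since the tag is the public API and cannot be renamed later, the convention for new fields should be chosen deliberately and noted. GCPManagedControlPlaneSpec starts outside this hunk.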
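Review bot: Provider is `+optional` while the enum admits only `calico`, and the converter added in reconcile.go sends `Enabled: true` with `PROVIDER_UNSPECIFIED` when it is empty, so `networkPolicy: {}` passes validation and produces a create request whose provider is unspecified. Either make the field required, replacing `// +optional` with `// +kubebuilder:validation:Required` and dropping `omitempty`, or document on the struct what an empty object means so the converter's default branch is a deliberate choice rather than a validation gap. A comment that starts with the field name, `// Provider is the network policy provider to enable; only "calico" is currently supported.`, would also read better in generated docs.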
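Review bot: The immutability error names the Go field, `field.NewPath("spec", "NetworkPolicy")`, so the message users see points at a key that does not exist in their manifest; it should use the JSON name, `field.NewPath("spec", "networkPolicy")`. Rejecting every change also blocks enabling enforcement on an existing cluster, which is consistent with the reconciler only applying NetworkPolicy on create, but that coupling deserves a comment above the check, e.g. `// NetworkPolicy is only applied at cluster creation; reject changes so the spec never silently diverges from GKE.` ValidateUpdate starts outside this hunk.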
@@ -227,6 +227,11 @@ func (in *GCPManagedControlPlaneSpec) DeepCopyInto(out *GCPManagedControlPlaneSp
 		*out = new(MasterAuthorizedNetworksConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.NetworkPolicy != nil {
+		in, out := &in.NetworkPolicy, &out.NetworkPolicy
+		*out = new(NetworkPolicy)
+		**out = **in
+	}
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPManagedControlPlaneSpec.
@@ -514,6 +519,21 @@ func (in *MasterAuthorizedNetworksConfigCidrBlock) DeepCopy() *MasterAuthorizedN
 	return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) {
+	*out = *in
+}
+ // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy.
+func (in *NetworkPolicy) DeepCopy() *NetworkPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeNetworkConfig) DeepCopyInto(out *NodeNetworkConfig) {
 	*out = *in