diff --git a/tenants/demo/00-namespace-quota-netpol.yaml b/tenants/demo/00-namespace-quota-netpol.yaml
index eb31abe..0f06004 100644
--- a/tenants/demo/00-namespace-quota-netpol.yaml
+++ b/tenants/demo/00-namespace-quota-netpol.yaml
@@ -52,8 +52,9 @@ spec:
             matchLabels:
               kubernetes.io/metadata.name: kube-system
   egress:
-    - to:                                        # intra-namespace (postgres, keycloak)
+    - to:                                        # intra-namespace (pods) + ClusterIPs (VIP de service, pre-DNAT)
         - podSelector: {}
+        - ipBlock: { cidr: 10.43.0.0/16 }
     - to:                                        # DNS (CoreDNS em kube-system)
         - namespaceSelector:
             matchLabels:
diff --git a/tenants/piloto/00-namespace-quota-netpol.yaml b/tenants/piloto/00-namespace-quota-netpol.yaml
index ad90c1c..de41666 100644
--- a/tenants/piloto/00-namespace-quota-netpol.yaml
+++ b/tenants/piloto/00-namespace-quota-netpol.yaml
@@ -56,8 +56,9 @@ spec:
             matchLabels:
               kubernetes.io/metadata.name: kube-system   # Traefik (ingress)
   egress:
-    - to:                                        # intra-namespace (postgres, keycloak)
+    - to:                                        # intra-namespace (pods) + ClusterIPs (VIP de service, pre-DNAT)
         - podSelector: {}
+        - ipBlock: { cidr: 10.43.0.0/16 }
     - to:                                        # DNS (CoreDNS em kube-system)
         - namespaceSelector:
             matchLabels: