diff --git a/SPECS/WALinuxAgent/WALinuxAgent.spec b/SPECS/WALinuxAgent/WALinuxAgent.spec index da639121d6f..df21f132a85 100644 --- a/SPECS/WALinuxAgent/WALinuxAgent.spec +++ b/SPECS/WALinuxAgent/WALinuxAgent.spec @@ -1,7 +1,7 @@ Summary: The Windows Azure Linux Agent Name: WALinuxAgent Version: 2.3.1.1 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -11,6 +11,7 @@ Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{versi Source1: ephemeral-disk-warning.service Source2: ephemeral-disk-warning.conf Source3: ephemeral-disk-warning +Patch0: add_firewall_rules.patch BuildRequires: python3-distro BuildRequires: python3-setuptools BuildRequires: python3-xml @@ -38,7 +39,7 @@ VMs in the Windows Azure cloud. This package should be installed on Linux disk images that are built to run in the Windows Azure environment. %prep -%setup -q -n %{name}-%{version} +%autosetup -n %{name}-%{version} -p1 %pre -p /bin/sh @@ -90,6 +91,9 @@ python3 setup.py check && python3 setup.py test %{python3_sitelib}/* %changelog +* Tue Jan 30 2024 Nan Liu - 2.3.1.1-4 +- Patch waagent.conf to add firewall rules to protect access to Azure host node + * Tue Nov 10 2022 Nan Liu - 2.3.1.1-3 - Add ephemeral-disk-warning.service diff --git a/SPECS/WALinuxAgent/add_firewall_rules.patch b/SPECS/WALinuxAgent/add_firewall_rules.patch new file mode 100644 index 00000000000..9e8ac29d063 --- /dev/null +++ b/SPECS/WALinuxAgent/add_firewall_rules.patch 
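Review bot: No runtime dependency accompanies the new `Patch0: add_firewall_rules.patch` line in the second hunk, although that patch turns on `OS.EnableFirewall=y`. As far as I know the agent installs these rules through `iptables`, and only `BuildRequires:` lines are visible in this diff, so please confirm the package already carries `Requires: iptables`. Without it, a minimal image would presumably ship with the setting enabled but the rules never applied. A one-line comment above `Patch0:` would also help the next maintainer, for example `# Mariner default: enable OS.EnableFirewall in config/mariner/waagent.conf`.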
@@ -0,0 +1,24 @@
+From 9ac40d805925f130283ed54f3cbb424afad41461 Mon Sep 17 00:00:00 2001
+From: Nan Liu
+Date: Tue, 30 Jan 2024 17:58:36 +0000
+Subject: [PATCH] Add firewall rules to protect access to Azure host node
+ services
+
+---
+ config/mariner/waagent.conf | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/config/mariner/waagent.conf b/config/mariner/waagent.conf
+index 65da131..cda61de 100644
+--- a/config/mariner/waagent.conf
++++ b/config/mariner/waagent.conf
+@@ -78,3 +78,6 @@ AutoUpdate.GAFamily=Prod
+ # handling until inVMArtifactsProfile.OnHold is false.
+ # Default is disabled
+ # EnableOverProvisioning=n
++
++# Add firewall rules to protect access to Azure host node services
++OS.EnableFirewall=y
+--
+2.25.1
+
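Review bot: Setting `OS.EnableFirewall=y` only in the packaged `config/mariner/waagent.conf` may not reach VMs that are upgraded rather than freshly imaged. If the spec ships this file as `%config(noreplace)` (the `%files` section is not in the diff), a locally edited copy is kept and the new default lands in a `.rpmnew` file. It is worth confirming this and, if so, stating in the changelog that existing hosts need the setting applied by hand. The added comment could also say what the rules do, e.g. `# Restrict access to the Azure host node (wire server) to processes running as root`, assuming that matches the agent's behaviour in 2.3.1.1.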