diff --git a/api/v1alpha1/tsuru_app_address_types.go b/api/v1alpha1/tsuru_app_address_types.go
index 481de9f..aee7dcb 100644
--- a/api/v1alpha1/tsuru_app_address_types.go
+++ b/api/v1alpha1/tsuru_app_address_types.go
@@ -22,7 +22,8 @@ import (
 // TsuruAppAddressSpec defines the desired state of TsuruAppAddress
 type TsuruAppAddressSpec struct {
- Name string `json:"name,omitempty"`
+ Name string `json:"name,omitempty"`
+ AdditionalIPs []string `json:"additionalIPs,omitempty"`
 }
 // ResourceAddressStatus defines the observed state of TsuruAppAddress and RpaasInstanceAddress
diff --git a/controllers/acl_controller.go b/controllers/acl_controller.go
index 644ff9a..696e327 100644
--- a/controllers/acl_controller.go
+++ b/controllers/acl_controller.go
@@ -351,6 +351,21 @@ func (r *ACLReconciler) egressRulesForTsuruApp(ctx context.Context, tsuruApp str
 allErrors.Add(err)
 }
+ additionalIPs := []netv1.NetworkPolicyPeer{}
+ for _, ip := range existingTsuruAppAddress.Spec.AdditionalIPs {
+ cidr := ipToCIDR(ip)
+ if cidr == "" {
+ continue
+ }
+
+ additionalIPs = append(additionalIPs, netv1.NetworkPolicyPeer{IPBlock: &netv1.IPBlock{
+ CIDR: cidr,
+ }})
+ }
+ if len(additionalIPs) > 0 {
+ egress = append(egress, []netv1.NetworkPolicyEgressRule{{To: additionalIPs}}...)
+ }
+
 return egress, allErrors.ToError()
 }
diff --git a/controllers/acl_controller_test.go b/controllers/acl_controller_test.go
index af1fcd6..17e1627 100644
--- a/controllers/acl_controller_test.go
+++ b/controllers/acl_controller_test.go
@@ -320,6 +320,10 @@ func (suite *ControllerSuite) TestACLReconcilerDestinationAppReconcile() {
 },
 Spec: v1alpha1.TsuruAppAddressSpec{
 Name: "my-other-app",
+ AdditionalIPs: []string{
+ "3.3.3.3",
+ "4.4.4.4",
+ },
 },
 Status: v1alpha1.ResourceAddressStatus{
 Ready: true,
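Review bot: `AdditionalIPs` in `TsuruAppAddressSpec` (api/v1alpha1/tsuru_app_address_types.go) is added without a doc comment or any validation, although the controller change in this commit turns each entry into an egress `IPBlock` peer. A comment such as `// AdditionalIPs lists extra IP addresses that are added to the egress rules built for this app address.` would make that effect visible to whoever edits the resource. Because this is a new slice field on an API type, the generated deepcopy code and the CRD manifest presumably need regenerating as well; neither appears in the part of the diff visible here.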
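Review bot: In `egressRulesForTsuruApp` (controllers/acl_controller.go) an `AdditionalIPs` entry for which `ipToCIDR` returns `""` is dropped by a bare `continue`, so a mistyped address produces a NetworkPolicy that silently lacks the rule, while the surrounding code reports problems through `allErrors`. Recording it before the `continue`, for example `allErrors.Add(fmt.Errorf("invalid additional IP %q", ip))`, keeps the failure visible; this assumes `fmt` is imported in the file. `ipToCIDR` is defined outside the hunk, and if it passes CIDR strings through unchanged an entry such as `0.0.0.0/0` would open all egress, so it is worth rejecting or bounding by prefix length. The appended rule `{To: additionalIPs}` also sets no `Ports`, which allows every port to those addresses. The function body starts before the hunk.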
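Review bot: The fixture added to `TestACLReconcilerDestinationAppReconcile` (controllers/acl_controller_test.go) contains only well-formed addresses, so the branch that skips an entry when `ipToCIDR` returns `""` is never exercised; the assertion hunks at `-384` and `-423` pin only the happy path. Adding a malformed entry such as `"not-an-ip"` to `AdditionalIPs` while keeping the `Egress[4].To` length assertion at 2 would pin the skip behaviour. If no other test in the file already does so, a case with an address that has no `AdditionalIPs` would confirm that no rule with an empty `To` is appended, which matters because such a rule matches all destinations.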
@@ -384,12 +388,13 @@ func (suite *ControllerSuite) TestACLReconcilerDestinationAppReconcile() {
 suite.Assert().Equal(map[string]string{
 "tsuru.io/app-name": "myapp",
 }, existingNP.Spec.PodSelector.MatchLabels)
- suite.Assert().Len(existingNP.Spec.Egress, 4)
+ suite.Assert().Len(existingNP.Spec.Egress, 5)
 suite.Assert().Len(existingNP.Spec.Egress[0].To, 1)
 suite.Assert().Len(existingNP.Spec.Egress[1].To, 1)
 suite.Assert().Len(existingNP.Spec.Egress[2].To, 1)
 suite.Assert().Len(existingNP.Spec.Egress[3].To, 1)
+ suite.Assert().Len(existingNP.Spec.Egress[4].To, 2)
 suite.Assert().Equal(netv1.NetworkPolicyPeer{
 PodSelector: &metav1.LabelSelector{
@@ -423,6 +428,19 @@ func (suite *ControllerSuite) TestACLReconcilerDestinationAppReconcile() {
 CIDR: "2.2.2.2/32",
 },
 }, existingNP.Spec.Egress[3].To[0])
+
+ suite.Assert().Equal([]netv1.NetworkPolicyPeer{
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "3.3.3.3/32",
+ },
+ },
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "4.4.4.4/32",
+ },
+ },
+ }, existingNP.Spec.Egress[4].To)
 }
 func (suite *ControllerSuite) TestACLReconcilerDestinationExternalDNSReconcile() {