diff --git a/Makefile b/Makefile
index 7bbfa6c..e13aff2 100644
--- a/Makefile
+++ b/Makefile
@@ -49,6 +49,9 @@ apps-pg-shell: ## Open psql shell on apps-pg primary as apps_admin / apps_meta
 apps-pg-logs: ## Tail apps-pg primary logs
 	$(KUBECTL) logs -n databases -l cnpg.io/cluster=apps-pg -f --tail=50
+net-kingdom-pg-inter-hub-networkpolicy-deploy: ## Allow inter-hub to reach net-kingdom-pg
+	$(KUBECTL) apply -f helm/net-kingdom-pg-inter-hub-networkpolicy.yaml
+
 ##@ PostgreSQL HA (legacy — superseded by cnpg above)
 pg-deploy: ## Deploy / upgrade standalone PostgreSQL HA to platform namespace
@@ -148,4 +151,4 @@ help: ## Show this help
 	/^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
 	/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
-.PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-verify-authenticated openbao-validate-restore-evidence openbao-validate-emergency-evidence backup help
+.PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-verify-authenticated openbao-validate-restore-evidence openbao-validate-emergency-evidence backup help
diff --git a/helm/net-kingdom-pg-inter-hub-networkpolicy.yaml b/helm/net-kingdom-pg-inter-hub-networkpolicy.yaml
new file mode 100644
index 0000000..afd08f4
--- /dev/null
+++ b/helm/net-kingdom-pg-inter-hub-networkpolicy.yaml
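Review bot: The new `net-kingdom-pg-inter-hub-networkpolicy-deploy` target applies a policy that opens an ingress path into the default-deny databases namespace, yet unlike the openbao-* group (which has `openbao-dry-run`) it offers no preview step, so the operator first sees the effective change after it is live. A companion `net-kingdom-pg-inter-hub-networkpolicy-diff: ## Preview the inter-hub -> net-kingdom-pg NetworkPolicy` with recipe `$(KUBECTL) diff -f helm/net-kingdom-pg-inter-hub-networkpolicy.yaml` would match that convention; note `kubectl diff` exits 1 when differences exist, so the recipe needs a `-` prefix with a comment, and the name must also be added to `.PHONY` in the second hunk. The target is also filed under the apps-pg cnpg section although it concerns the net-kingdom-pg cluster; a `##@` heading of its own before it, or moving it beside any existing net-kingdom-pg targets elsewhere in the file (not visible in this hunk), would keep the `make help` grouping accurate.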
@@ -0,0 +1,24 @@
+# Allow inter-hub to use its existing database on the net-kingdom-pg cluster.
+# The databases namespace has a default-deny-all policy, so app DB access must
+# be granted explicitly per consuming namespace.
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-inter-hub-net-kingdom-pg
+  namespace: databases
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: net-kingdom-pg
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: inter-hub
+          podSelector: {}
+      ports:
+        - port: 5432
+          protocol: TCP
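Review bot: The namespaceSelector keys on the hand-applied label `name: inter-hub`; if the inter-hub namespace was never labelled that way the policy silently matches nothing and the default deny stands, and any principal permitted to label namespaces can attach the same label to a different namespace and inherit this grant. The API-server-managed label `kubernetes.io/metadata.name: inter-hub`, which every namespace carries automatically since Kubernetes 1.22 and which cannot be set to a different value, avoids both failure modes, so the selector should read `matchLabels:` / `kubernetes.io/metadata.name: inter-hub`. The peer's `podSelector: {}` admits every pod in that namespace to port 5432 on all pods of the cluster (primary and replicas); if only the inter-hub application needs the database, narrowing it to that workload's labels (`podSelector: { matchLabels: { <inter-hub-app-label-key>: <value> } }`, placeholder) keeps the grant at least privilege. A header comment stating which namespace label key this repository standardises on would keep subsequent per-namespace policies consistent.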