diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml new file mode 100644 index 00000000000..dc13b182a1f --- /dev/null +++ b/applications/openshift/general/general_network_separation/rule.yml @@ -0,0 +1,20 @@ +documentation_complete: true + + +title: 'Create Network Boundaries between Functional Different Nodes' + +description: |- + Use different Networks for Control Plane, Worker and Individual Application Services. + +rationale: |- + Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls). + +references: + bsi: APP.4.4.A7 + +severity: medium + +ocil_clause: 'Network separation needs review' + +ocil: |- + Create separate Ingress Controllers for the API and your Applications. Also setup your environment in a way, that Control Plane Nodes are in another network than your worker nodes. If you implement multiple Nodes for different purposes evaluate if these should be in different network segments (i.e. Infra-Nodes, Storage-Nodes, ...). diff --git a/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml b/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..69a7d085eb4 --- /dev/null +++ b/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml @@ -0,0 +1,2 @@ +--- +default_result: MANUAL diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index 80456e99b88..55241359337 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -192,6 +192,7 @@ controls: status: partial rules: # Section 1 + - general_network_separation # Section 2 - configure_network_policies - configure_network_policies_namespaces
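Review bot: In the rule.yml hunk the `title` reads "Functional Different Nodes"; it should be "Functionally Different Nodes" (or simply "Different Node Roles"), since this title is what shows up in generated guides and reports. In the `ocil` block, "Also setup your environment in a way, that Control Plane Nodes are in another network" should be "Also set up your environment so that Control Plane Nodes are in a different network", and "(i.e. Infra-Nodes, Storage-Nodes, ...)" should use "e.g.", because infra and storage nodes are examples, not the exhaustive list. The `description` only mentions "Control Plane, Worker and Individual Application Services", while the `ocil` also asks for separate Ingress Controllers for the API and for applications; stating that ingress separation in the description too would keep the rule's scope consistent for a reviewer who never reads the OCIL text. Finally, the `rationale` hedges twice ("might help", "might also"); a firmer sentence such as "Network-level separation limits an attacker's lateral movement and reduces the blast radius of a compromised node; it also allows external network controls such as firewalls to be applied between segments." makes the security goal clearer.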
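Review bot: In the controls/bsi_app_4_4.yml hunk the control's `status: partial` is left unchanged while `general_network_separation` is added under "# Section 1"; that is correct, because the new rule ships no automated check (its e2e test sets `default_result: MANUAL`), so it cannot move this control towards automated coverage. It would help future maintainers to mark that on the list entry, e.g. `- general_network_separation # manual (OCIL only)`, so nobody assumes the control is now machine-checked.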