diff --git a/parts/k8s/cloud-init/artifacts/cse_config.sh b/parts/k8s/cloud-init/artifacts/cse_config.sh
index 89ba5787de..444e51b79b 100755
--- a/parts/k8s/cloud-init/artifacts/cse_config.sh
+++ b/parts/k8s/cloud-init/artifacts/cse_config.sh
@@ -469,6 +469,11 @@ createKubeManifestDir() {
 writeKubeConfig() {
   local DIR=/home/$ADMINUSER/.kube
   local FILE=$DIR/config
+{{- if HasBlockOutboundInternet}}
+  local SERVER=https://localhost
+{{else}}
+  local SERVER=$KUBECONFIG_SERVER
+{{- end}}
   mkdir -p $DIR
   touch $FILE
   chown $ADMINUSER:$ADMINUSER $DIR $FILE
@@ -481,7 +486,7 @@ apiVersion: v1
 clusters:
 - cluster:
     certificate-authority-data: \"$CA_CERTIFICATE\"
-    server: $KUBECONFIG_SERVER
+    server: $SERVER
   name: \"$MASTER_FQDN\"
 contexts:
 - context:
diff --git a/pkg/engine/template_generator.go b/pkg/engine/template_generator.go
index 96f1a821a9..4ecd3fba90 100644
--- a/pkg/engine/template_generator.go
+++ b/pkg/engine/template_generator.go
@@ -818,6 +818,9 @@ func getContainerServiceFuncMap(cs *api.ContainerService) template.FuncMap {
 		"HasTelemetryEnabled": func() bool {
 			return cs.Properties.FeatureFlags != nil && cs.Properties.FeatureFlags.EnableTelemetry
 		},
+		"HasBlockOutboundInternet": func() bool {
+			return cs.Properties.FeatureFlags != nil && cs.Properties.FeatureFlags.BlockOutboundInternet
+		},
 		"GetCSEErrorCode": func(errorType string) int {
 			return GetCSEErrorCode(errorType)
 		},
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index a42186bd17..9e07077975 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
@@ -18316,6 +18316,11 @@ createKubeManifestDir() {
 writeKubeConfig() {
   local DIR=/home/$ADMINUSER/.kube
   local FILE=$DIR/config
+{{- if HasBlockOutboundInternet}}
+  local SERVER=https://localhost
+{{else}}
+  local SERVER=$KUBECONFIG_SERVER
+{{- end}}
   mkdir -p $DIR
   touch $FILE
   chown $ADMINUSER:$ADMINUSER $DIR $FILE
@@ -18328,7 +18333,7 @@ apiVersion: v1
 clusters:
 - cluster:
     certificate-authority-data: \"$CA_CERTIFICATE\"
-    server: $KUBECONFIG_SERVER
+    server: $SERVER
   name: \"$MASTER_FQDN\"
 contexts:
 - context: