diff --git a/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java
index 4b41610ab02..b673788dbf5 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java
@@ -263,6 +263,10 @@ public class NetworkResponse extends BaseResponseWithAnnotations implements Cont
     @Param(description = "the total number of network traffic bytes sent")
     private Long bytesSent;
 
+    @SerializedName((ApiConstants.EGRESS_DEFAULT_POLICY))
+    @Param(description = "true if guest network default egress policy is allow; false if default egress policy is deny")
+    private Boolean egressDefaultPolicy;
+
     public Boolean getDisplayNetwork() {
         return displayNetwork;
     }
@@ -528,4 +532,12 @@ public class NetworkResponse extends BaseResponseWithAnnotations implements Cont
     public void setBytesSent(final Long bytesSent) {
         this.bytesSent = bytesSent;
     }
+
+    public boolean getEgressDefaultPolicy() {
+        return egressDefaultPolicy;
+    }
+
+    public void setEgressDefaultPolicy(Boolean egressDefaultPolicy) {
+        this.egressDefaultPolicy = egressDefaultPolicy;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index 60530c26c27..5df3c17fbd1 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -2302,6 +2302,9 @@ public class ApiResponseHelper implements ResponseGenerator {
             response.setIsSystem(networkOffering.isSystemOnly());
             response.setNetworkOfferingAvailability(networkOffering.getAvailability().toString());
             response.setIsPersistent(networkOffering.isPersistent());
+            if (Network.GuestType.Isolated.equals(network.getGuestType())) {
+                response.setEgressDefaultPolicy(networkOffering.isEgressDefaultPolicy());
+            }
         }
 
         if (network.getAclType() != null) {
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 9253ae3f3b3..c3ee434e970 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -2669,6 +2669,7 @@
 "message.after.enable.s3": "S3-backed Secondary Storage configured. Note: When you leave this page, you will not be able to re-configure S3 again.",
 "message.after.enable.swift": "Swift configured. Note: When you leave this page, you will not be able to re-configure Swift again.",
 "message.alert.state.detected": "Alert state detected",
+"message.allowed": "Allowed",
 "message.allow.vpn.access": "Please enter a username and password of the user that you want to allow VPN access.",
 "message.apply.snapshot.policy": "You have successfully updated your current snapshot policy.",
 "message.apply.success": "Apply Successfully",
@@ -2838,6 +2839,7 @@
 "message.delete.vpn.gateway": "Please confirm that you want to delete this VPN Gateway",
 "message.deleting.node": "Deleting Node",
 "message.deleting.vm": "Deleting VM",
+"message.denied": "Denied",
 "message.deployasis": "Selected template is Deploy As-Is i.e., the VM is deployed by importing an OVA with vApps directly into vCenter. Root disk(s) resize is allowed only on stopped VMs for such templates.",
 "message.desc.add.new.lb.sticky.rule": "Add new LB sticky rule",
 "message.desc.advanced.zone": "This is recommended and allows more sophisticated network topologies. This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, or load balancer support.",
@@ -2881,6 +2883,9 @@
 "message.edit.rule.failed": "Failed to edit rule",
 "message.edit.rule.processing": "Updating rule...",
 "message.edit.traffic.type": "Please specify the traffic label you want associated with this traffic type.",
+"message.egress.rules.allow": "Allow (traffic matching the egress rules added will be denied)",
+"message.egress.rules.deny": "Deny (traffic matching the egress rules added will be allowed)",
+"message.egress.rules.info.for.network": "The default egress policy of this network is %x. <br><br> Outgoing traffic matching the following rules will be %y",
 "message.enable.account": "Please confirm that you want to enable this account.",
 "message.enable.netsacler.provider.failed": "failed to enable Netscaler provider",
 "message.enable.securitygroup.provider.failed": "failed to enable security group provider",
diff --git a/ui/src/components/view/DetailsTab.vue b/ui/src/components/view/DetailsTab.vue
index 14508baaa5c..b23f5896ea5 100644
--- a/ui/src/components/view/DetailsTab.vue
+++ b/ui/src/components/view/DetailsTab.vue
@@ -45,6 +45,9 @@
         <div v-else-if="['created', 'sent', 'lastannotated'].includes(item)">
           {{ $toLocaleDate(resource[item]) }}
         </div>
+        <div v-else-if="$route.meta.name === 'guestnetwork' && item === 'egressdefaultpolicy'">
+          {{ resource[item]? $t('message.egress.rules.allow') : $t('message.egress.rules.deny') }}
+        </div>
         <div v-else>{{ resource[item] }}</div>
       </div>
     </a-list-item>
diff --git a/ui/src/config/section/network.js b/ui/src/config/section/network.js
index 43992e81ced..b55312d1047 100644
--- a/ui/src/config/section/network.js
+++ b/ui/src/config/section/network.js
@@ -38,7 +38,7 @@ export default {
         return fields
       },
       details: () => {
-        var fields = ['name', 'id', 'description', 'type', 'traffictype', 'vpcid', 'vlan', 'broadcasturi', 'cidr', 'ip6cidr', 'netmask', 'gateway', 'aclname', 'ispersistent', 'restartrequired', 'reservediprange', 'redundantrouter', 'networkdomain', 'zonename', 'account', 'domain']
+        var fields = ['name', 'id', 'description', 'type', 'traffictype', 'vpcid', 'vlan', 'broadcasturi', 'cidr', 'ip6cidr', 'netmask', 'gateway', 'aclname', 'ispersistent', 'restartrequired', 'reservediprange', 'redundantrouter', 'networkdomain', 'egressdefaultpolicy', 'zonename', 'account', 'domain']
         if (!isAdmin()) {
           fields = fields.filter(function (e) { return e !== 'broadcasturi' })
         }
diff --git a/ui/src/views/network/EgressRulesTab.vue b/ui/src/views/network/EgressRulesTab.vue
index a935f4cdd08..ba76ee99716 100644
--- a/ui/src/views/network/EgressRulesTab.vue
+++ b/ui/src/views/network/EgressRulesTab.vue
@@ -18,6 +18,10 @@
 <template>
   <div>
     <div>
+      <div
+        v-html="$t('message.egress.rules.info.for.network').replace('%x', resource.egressdefaultpolicy ? '<b>' + $t('label.allow') + '</b>' :
+        '<b>' + $t('label.deny') + '</b>').replace('%y', resource.egressdefaultpolicy ? '<b>' + $t('message.denied') + '</b>' : '<b>' + $t('message.allowed') + '</b>')"> </div>
+        <a-divider />
       <div class="form" v-ctrl-enter="addRule">
         <div class="form__item">
           <div class="form__label">{{ $t('label.sourcecidr') }}</div>
diff --git a/ui/src/views/offering/AddNetworkOffering.vue b/ui/src/views/offering/AddNetworkOffering.vue
index d114ceb269f..c01a940c189 100644
--- a/ui/src/views/offering/AddNetworkOffering.vue
+++ b/ui/src/views/offering/AddNetworkOffering.vue
@@ -342,7 +342,7 @@
           <tooltip-label slot="label" :title="$t('label.egressdefaultpolicy')" :tooltip="apiParams.egressdefaultpolicy.description"/>
           <a-radio-group
             v-decorator="['egressdefaultpolicy', {
-              initialValue: 'allow'
+              initialValue: 'deny'
             }]"
             buttonStyle="solid">
             <a-radio-button value="allow">