diff --git a/.github/workflows/aro-hcp-dev-env-cd.yml b/.github/workflows/aro-hcp-dev-env-cd.yml
index 1d54c1d86..701619ce8 100644
--- a/.github/workflows/aro-hcp-dev-env-cd.yml
+++ b/.github/workflows/aro-hcp-dev-env-cd.yml
@@ -423,6 +423,10 @@
 run: |
 cd image-sync/deployment
 make deploy
+ - name: 'Deploy Prometheus Config'
+ run: |
+ cd metrics/
+ make deploy-config
 deploy_to_management_cluster:
 if: github.event.pull_request.merged == true
diff --git a/cluster-service/deploy/istio.yml b/cluster-service/deploy/istio.yml
index 0dd8acaae..f9223b5b1 100644
--- a/cluster-service/deploy/istio.yml
+++ b/cluster-service/deploy/istio.yml
@@ -1,3 +1,32 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default
+ namespace: cluster-service
+spec:
+ selector:
+ matchLabels:
+ app: clusters-service
+ portLevelMtls:
+ 8080:
+ mode: PERMISSIVE
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-metrics
+ namespace: cluster-service
+spec:
+ action: "ALLOW"
+ rules:
+ - to:
+ - operation:
+ paths: ["/metrics"]
+ methods: ["GET"]
+ ports: ["8080"]
+ selector:
+ matchLabels:
+ app: "clusters-service"
 ---
 apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
diff --git a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
index 6b18eb541..0b71023c3 100644
--- a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
+++ b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
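Review bot: In cluster-service/deploy/istio.yml the new `allow-metrics` AuthorizationPolicy has no `from` clause while the PeerAuthentication above it sets port 8080 to `PERMISSIVE`, so as written any client that can reach the pod can send a plaintext `GET /metrics` without a verified identity. PERMISSIVE applies to the whole port, not only the metrics path, so if 8080 serves anything else, those paths rely on the file's other AuthorizationPolicies (only the start of the next one is visible in this hunk) to reject unauthenticated callers. Identity-based source fields such as `principals` or `namespaces` cannot match plaintext traffic, so the restriction has to come from another layer, for example a NetworkPolicy admitting only the scraper to 8080 or `ipBlocks` in a `from.source` entry. At minimum, add a comment above `portLevelMtls` recording why plaintext is needed (presumably the Prometheus scraper runs outside the mesh) and which control limits who can reach the port.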
@@ -592,3 +592,22 @@ objects:
 targetPort: 8083
 name: healthcheck
 protocol: TCP
+
+- apiVersion: azmonitoring.coreos.com/v1
+ kind: ServiceMonitor
+ metadata:
+ name: clusters-service-service-monitor
+ namespace: ${NAMESPACE}
+ spec:
+ endpoints:
+ - interval: 30s
+ path: /metrics
+ port: metrics
+ scheme: http
+ namespaceSelector:
+ matchNames:
+ - cluster-service
+ selector:
+ matchLabels:
+ app: clusters-service
+ port: metrics
diff --git a/metrics/Makefile b/metrics/Makefile
new file mode 100644
index 000000000..cd9962ea7
--- /dev/null
+++ b/metrics/Makefile
@@ -0,0 +1,7 @@
+deploy-config:
+ kubectl apply -k overlays/svc-cluster
+
+undeploy-config:
+ kubectl delete -k overlays/svc-cluster
+
+.PHONY: deploy-config undeploy-config
diff --git a/metrics/overlays/svc-cluster/kustomization.yml b/metrics/overlays/svc-cluster/kustomization.yml
new file mode 100644
index 000000000..baec80bc0
--- /dev/null
+++ b/metrics/overlays/svc-cluster/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - prometheus-config.yml
+namespace: kube-system
diff --git a/metrics/overlays/svc-cluster/prometheus-config.yml b/metrics/overlays/svc-cluster/prometheus-config.yml
new file mode 100644
index 000000000..ba8ddd397
--- /dev/null
+++ b/metrics/overlays/svc-cluster/prometheus-config.yml
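Review bot: The ServiceMonitor added to arohcp-service-template.yml takes its own `namespace` from `${NAMESPACE}` but hard-codes `cluster-service` under `namespaceSelector.matchNames`, so a template instantiated with any other namespace would produce a monitor that selects nothing and metrics would silently go missing. Writing `- ${NAMESPACE}` there keeps the two in step. The final `port: metrics` line appears to sit under `selector.matchLabels` (indentation is not recoverable on this page, so this is inferred), which would require the Service to carry a `port: metrics` label; the Service definition is outside the hunk, so confirm that label exists or drop the line. `scheme: http` makes the scrape plaintext, which only works together with the PERMISSIVE port-level mTLS this commit adds in istio.yml, and a one-line comment saying so would help the next reader.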
@@ -0,0 +1,30 @@
+kind: ConfigMap
+apiVersion: v1
+data:
+ prometheus-config: |-
+ global:
+ scrape_interval: 15s
+ scrape_configs:
+ # scrape sidecar proxies and gateway proxies
+ - job_name: 'envoy-stats'
+ metrics_path: /stats/prometheus
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+
+ - job_name: 'istiod'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - aks-istio-system
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_endpoints_label_app, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istiod;http-monitoring
+metadata:
+ name: ama-metrics-prometheus-config
+ namespace: kube-system
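Review bot: The `envoy-stats` job discovers targets with `role: pod` and no `namespaces` restriction, unlike the `istiod` job below it, so every pod in the cluster whose container port name matches `.*-envoy-prom` is kept and scraped at `/stats/prometheus`. Any workload can therefore opt itself into this job by naming a port that way and feed arbitrary series and label cardinality into the metrics pipeline. If only known namespaces are meant to be scraped, give this job a `namespaces:` / `names:` list under `kubernetes_sd_configs` as the `istiod` job already has. If cluster-wide discovery is intended, extend the existing comment to say so, e.g. `# scrape sidecar and gateway proxies in all namespaces (intentional)`.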