diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 31a41fc8f490..02cec5619ad3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -255,6 +255,7 @@ jobs:
       - uses: ./.github/actions/run-monitored-tmpnet-cmd
         with:
           run: ./scripts/run_task.sh test-load-kube-kind
+          runtime: kube
           artifact_prefix: load-kube
           prometheus_username: ${{ secrets.PROMETHEUS_ID || '' }}
           prometheus_password: ${{ secrets.PROMETHEUS_PASSWORD || '' }}
diff --git a/flake.nix b/flake.nix
index 1bbd86dd45c5..cbd9a812dde7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,7 +48,6 @@
             k9s                                        # Kubernetes TUI
             kind                                       # Kubernetes-in-Docker
             kubernetes-helm                            # Helm CLI (Kubernetes package manager)
-            self.packages.${system}.kind-with-registry # Script installing kind configured with a local registry
 
             # Linters
             shellcheck
@@ -65,32 +64,11 @@
             # macOS-specific frameworks
             darwin.apple_sdk.frameworks.Security
           ];
-        };
-      });
-
-      # Package to install the kind-with-registry script
-      packages = forAllSystems ({ pkgs }: {
-        kind-with-registry = pkgs.stdenv.mkDerivation {
-          pname = "kind-with-registry";
-          version = "1.0.0";
 
-          src = pkgs.fetchurl {
-            url = "https://raw.githubusercontent.com/kubernetes-sigs/kind/7cb9e6be25b48a0e248097eef29d496ab1a044d0/site/static/examples/kind-with-registry.sh";
-            sha256 = "0gri0x0ygcwmz8l4h6zzsvydw8rsh7qa8p5218d4hncm363i81hv";
-          };
-
-          phases = [ "installPhase" ];
-
-          installPhase = ''
-            mkdir -p $out/bin
-            install -m755 $src $out/bin/kind-with-registry.sh
+          # Add scripts/ directory to PATH so kind-with-registry.sh is accessible
+          shellHook = ''
+            export PATH="$PWD/scripts:$PATH"
           '';
-
-          meta = with pkgs.lib; {
-            description = "Script to set up kind with a local registry";
-            license = licenses.mit;
-            maintainers = with maintainers; [ "maru-ava" ];
-          };
         };
       });
     };
diff --git a/scripts/kind-with-registry.sh b/scripts/kind-with-registry.sh
new file mode 100755
index 000000000000..5027432722eb
--- /dev/null
+++ b/scripts/kind-with-registry.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+# Based on https://raw.githubusercontent.com/kubernetes-sigs/kind/7cb9e6be25b48a0e248097eef29d496ab1a044d0/site/static/examples/kind-with-registry.sh
+# Original work Copyright 2019 The Kubernetes Authors
+# Modifications Copyright (C) 2019-2024, Ava Labs, Inc. All rights reserved.
+# See the file LICENSE for licensing terms.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# TODO(marun) Migrate this script to golang
+set -o errexit
+
+# 1. Create registry container unless it already exists
+reg_name='kind-registry'
+reg_port='5001'
+if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
+  docker run \
+    -d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \
+    registry:2
+fi
+
+# 2. Create kind cluster with containerd registry config dir enabled
+# TODO: kind will eventually enable this by default and this patch will
+# be unnecessary.
+#
+# See:
+# https://github.com/kubernetes-sigs/kind/issues/2875
+# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
+# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
+cat <<EOF | kind create cluster --config=-
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry]
+    config_path = "/etc/containerd/certs.d"
+nodes:
+- role: control-plane
+  extraPortMappings:
+  # Exposing a nodeport for nginx ingress is the reason this script needed to be copied and customized
+  # This port must match the value used to deploy the nginx controller by tests/fixture/tmpnet/start-kind-cluster.go
+  - containerPort: 30791
+    hostPort: 30791
+    protocol: TCP
+EOF
+
+# 3. Add the registry config to the nodes
+#
+# This is necessary because localhost resolves to loopback addresses that are
+# network-namespace local.
+# In other words: localhost in the container is not localhost on the host.
+#
+# We want a consistent name that works from both ends, so we tell containerd to
+# alias localhost:${reg_port} to the registry container when pulling images
+REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
+for node in $(kind get nodes); do
+  docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
+  cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
+[host."http://${reg_name}:5000"]
+EOF
+done
+
+# 4. Connect the registry to the cluster network if not already connected
+# This allows kind to bootstrap the network but ensures they're on the same network
+if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
+  docker network connect "kind" "${reg_name}"
+fi
+
+# 5. Document the local registry
+# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${reg_port}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF
diff --git a/scripts/tests.e2e.kube.sh b/scripts/tests.e2e.kube.sh
index 11c16104e7ae..d34067ed03dc 100755
--- a/scripts/tests.e2e.kube.sh
+++ b/scripts/tests.e2e.kube.sh
@@ -23,4 +23,17 @@ else
   XSVM_IMAGE="${XSVM_IMAGE}" AVALANCHEGO_IMAGE="${AVALANCHEGO_IMAGE}" bash -x ./scripts/build_xsvm_image.sh
 fi
 
-bash -x ./scripts/tests.e2e.sh --runtime=kube --kube-image="${XSVM_IMAGE}" "$@"
+# Determine kubeconfig context to use
+KUBECONFIG_CONTEXT=""
+
+# Check if --kubeconfig-context is already provided in arguments
+if [[ "$*" =~ --kubeconfig-context ]]; then
+    # User provided a context, use it as-is
+    echo "Using provided kubeconfig context from arguments"
+else
+    # Default to the RBAC context
+    KUBECONFIG_CONTEXT="--kubeconfig-context=kind-kind-tmpnet"
+    echo "Defaulting to limited-permission context 'kind-kind-tmpnet' to test RBAC Role permissions"
+fi
+
+bash -x ./scripts/tests.e2e.sh --runtime=kube --kube-image="${XSVM_IMAGE}" "$KUBECONFIG_CONTEXT" "$@"
diff --git a/tests/antithesis/config.go b/tests/antithesis/config.go
index f5f85192bd0e..e38a1e5b8ca9 100644
--- a/tests/antithesis/config.go
+++ b/tests/antithesis/config.go
@@ -102,12 +102,12 @@ func configForNewNetwork(
 	c := &Config{
 		Duration: duration,
 	}
-	localURIs := testEnv.GetNodeURIs()
-	c.URIs = make(CSV, len(localURIs))
-	for i, nodeURI := range localURIs {
+	network := testEnv.GetNetwork()
+	uris := network.GetNodeURIs()
+	c.URIs = make(CSV, len(uris))
+	for i, nodeURI := range uris {
 		c.URIs[i] = nodeURI.URI
 	}
-	network := testEnv.GetNetwork()
 	c.ChainIDs = make(CSV, len(network.Subnets))
 	for i, subnet := range network.Subnets {
 		c.ChainIDs[i] = subnet.Chains[0].ChainID.String()
diff --git a/tests/e2e/c/dynamic_fees.go b/tests/e2e/c/dynamic_fees.go
index 60e6086993a1..1557e5b127a8 100644
--- a/tests/e2e/c/dynamic_fees.go
+++ b/tests/e2e/c/dynamic_fees.go
@@ -82,7 +82,7 @@ var _ = e2e.DescribeCChain("[Dynamic Fees]", func() {
 		node := privateNetwork.Nodes[0]
 		nodeURI := tmpnet.NodeURI{
 			NodeID: node.NodeID,
-			URI:    e2e.GetLocalURI(tc, node),
+			URI:    node.GetAccessibleURI(),
 		}
 		ethClient := e2e.NewEthClient(tc, nodeURI)
 
diff --git a/tests/e2e/p/interchain_workflow.go b/tests/e2e/p/interchain_workflow.go
index e8977cc9be63..604ae858ba9b 100644
--- a/tests/e2e/p/interchain_workflow.go
+++ b/tests/e2e/p/interchain_workflow.go
@@ -110,7 +110,7 @@ var _ = e2e.DescribePChain("[Interchain Workflow]", ginkgo.Label(e2e.UsesCChainL
 		e2e.WaitForHealthy(tc, node)
 
 		tc.By("retrieving new node's id and pop")
-		uri := e2e.GetLocalURI(tc, node)
+		uri := node.GetAccessibleURI()
 		infoClient := info.NewClient(uri)
 		nodeID, nodePOP, err := infoClient.GetNodeID(tc.DefaultContext())
 		require.NoError(err)
diff --git a/tests/e2e/p/l1.go b/tests/e2e/p/l1.go
index 486017075796..d0d0732c0065 100644
--- a/tests/e2e/p/l1.go
+++ b/tests/e2e/p/l1.go
@@ -185,8 +185,10 @@ var _ = e2e.DescribePChain("[L1]", func() {
 		var (
 			networkID           = env.GetNetwork().GetNetworkID()
 			genesisPeerMessages = buffer.NewUnboundedBlockingDeque[p2pmessage.InboundMessage](1)
-			stakingAddress      = e2e.GetLocalStakingAddress(tc, subnetGenesisNode)
 		)
+		stakingAddress, cancel, err := subnetGenesisNode.GetAccessibleStakingAddress(tc.DefaultContext())
+		require.NoError(err)
+		tc.DeferCleanup(cancel)
 		genesisPeer, err := peer.StartTestPeer(
 			tc.DefaultContext(),
 			stakingAddress,
@@ -202,7 +204,7 @@ var _ = e2e.DescribePChain("[L1]", func() {
 		)
 		require.NoError(err)
 
-		subnetGenesisNodeURI := e2e.GetLocalURI(tc, subnetGenesisNode)
+		subnetGenesisNodeURI := subnetGenesisNode.GetAccessibleURI()
 
 		address := []byte{}
 		tc.By("issuing a ConvertSubnetToL1Tx", func() {
diff --git a/tests/e2e/p/staking_rewards.go b/tests/e2e/p/staking_rewards.go
index c98a9b576f33..527cf6a65bd1 100644
--- a/tests/e2e/p/staking_rewards.go
+++ b/tests/e2e/p/staking_rewards.go
@@ -65,13 +65,13 @@ var _ = ginkgo.Describe("[Staking Rewards]", func() {
 		e2e.WaitForHealthy(tc, betaNode)
 
 		tc.By("retrieving alpha node id and pop")
-		alphaNodeURI := e2e.GetLocalURI(tc, alphaNode)
+		alphaNodeURI := alphaNode.GetAccessibleURI()
 		alphaInfoClient := info.NewClient(alphaNodeURI)
 		alphaNodeID, alphaPOP, err := alphaInfoClient.GetNodeID(tc.DefaultContext())
 		require.NoError(err)
 
 		tc.By("retrieving beta node id and pop")
-		betaNodeURI := e2e.GetLocalURI(tc, betaNode)
+		betaNodeURI := betaNode.GetAccessibleURI()
 		betaInfoClient := info.NewClient(betaNodeURI)
 		betaNodeID, betaPOP, err := betaInfoClient.GetNodeID(tc.DefaultContext())
 		require.NoError(err)
diff --git a/tests/e2e/p/validator_sets.go b/tests/e2e/p/validator_sets.go
index 064e2391c79b..7315032ed98e 100644
--- a/tests/e2e/p/validator_sets.go
+++ b/tests/e2e/p/validator_sets.go
@@ -81,9 +81,9 @@ var _ = e2e.DescribePChain("[Validator Sets]", func() {
 		require.NoError(err)
 
 		tc.By("checking that validator sets are equal across all heights for all nodes", func() {
-			localURIs := env.GetNodeURIs()
-			pvmClients := make([]*platformvm.Client, len(localURIs))
-			for i, nodeURI := range localURIs {
+			nodeURIs := network.GetNodeURIs()
+			pvmClients := make([]*platformvm.Client, len(nodeURIs))
+			for i, nodeURI := range nodeURIs {
 				pvmClients[i] = platformvm.NewClient(nodeURI.URI)
 				// Ensure that the height of the target node is at least the expected height
 				tc.Eventually(
diff --git a/tests/e2e/vms/xsvm.go b/tests/e2e/vms/xsvm.go
index 2efa06115002..be30276570ea 100644
--- a/tests/e2e/vms/xsvm.go
+++ b/tests/e2e/vms/xsvm.go
@@ -77,7 +77,7 @@ var _ = ginkgo.Describe("[XSVM]", ginkgo.Label("xsvm"), func() {
 		sourceValidators := getNodesForIDs(network.Nodes, sourceSubnet.ValidatorIDs)
 		require.NotEmpty(sourceValidators)
 		sourceAPINode := sourceValidators[0]
-		sourceAPINodeURI := e2e.GetLocalURI(tc, sourceAPINode)
+		sourceAPINodeURI := sourceAPINode.GetAccessibleURI()
 		tc.Log().Info("issuing transactions for source subnet",
 			zap.String("subnetName", subnetAName),
 			zap.Stringer("nodeID", sourceAPINode.NodeID),
@@ -87,7 +87,7 @@ var _ = ginkgo.Describe("[XSVM]", ginkgo.Label("xsvm"), func() {
 		destinationValidators := getNodesForIDs(network.Nodes, destinationSubnet.ValidatorIDs)
 		require.NotEmpty(destinationValidators)
 		destinationAPINode := destinationValidators[0]
-		destinationAPINodeURI := e2e.GetLocalURI(tc, destinationAPINode)
+		destinationAPINodeURI := destinationAPINode.GetAccessibleURI()
 		tc.Log().Info("issuing transactions for destination subnet",
 			zap.String("subnetName", subnetBName),
 			zap.Stringer("nodeID", destinationAPINode.NodeID),
@@ -125,7 +125,7 @@ var _ = ginkgo.Describe("[XSVM]", ginkgo.Label("xsvm"), func() {
 
 		tc.By("checking that the export transaction has been accepted on all nodes")
 		for _, node := range sourceValidators[1:] {
-			uri := e2e.GetLocalURI(tc, node)
+			uri := node.GetAccessibleURI()
 			require.NoError(api.AwaitTxAccepted(
 				tc.DefaultContext(),
 				api.NewClient(uri, sourceChain.ChainID.String()),
@@ -157,7 +157,7 @@ var _ = ginkgo.Describe("[XSVM]", ginkgo.Label("xsvm"), func() {
 		tc.By(fmt.Sprintf("importing to blockchain %s on subnet %s", destinationChain.ChainID, destinationSubnet.SubnetID))
 		sourceURIs := make([]string, len(sourceValidators))
 		for i, node := range sourceValidators {
-			sourceURIs[i] = e2e.GetLocalURI(tc, node)
+			sourceURIs[i] = node.GetAccessibleURI()
 		}
 		importTxStatus, err := importtx.Import(
 			tc.DefaultContext(),
diff --git a/tests/e2e/x/transfer/virtuous.go b/tests/e2e/x/transfer/virtuous.go
index a25279901294..58247d45a6e6 100644
--- a/tests/e2e/x/transfer/virtuous.go
+++ b/tests/e2e/x/transfer/virtuous.go
@@ -48,11 +48,12 @@ var _ = e2e.DescribeXChainSerial("[Virtuous Transfer Tx AVAX]", func() {
 	ginkgo.It("can issue a virtuous transfer tx for AVAX asset",
 		func() {
 			var (
-				env       = e2e.GetEnv(tc)
-				localURIs = env.GetNodeURIs()
-				rpcEps    = make([]string, len(localURIs))
+				env     = e2e.GetEnv(tc)
+				network = env.GetNetwork()
+				uris    = network.GetNodeURIs()
+				rpcEps  = make([]string, len(uris))
 			)
-			for i, nodeURI := range localURIs {
+			for i, nodeURI := range uris {
 				rpcEps[i] = nodeURI.URI
 			}
 
@@ -304,6 +305,6 @@ var _ = e2e.DescribeXChainSerial("[Virtuous Transfer Tx AVAX]", func() {
 				runFunc(i)
 			}
 
-			_ = e2e.CheckBootstrapIsPossible(tc, env.GetNetwork())
+			_ = e2e.CheckBootstrapIsPossible(tc, network)
 		})
 })
diff --git a/tests/fixture/e2e/env.go b/tests/fixture/e2e/env.go
index 07120a68cb24..f68ed022c1bf 100644
--- a/tests/fixture/e2e/env.go
+++ b/tests/fixture/e2e/env.go
@@ -222,40 +222,15 @@ func NewTestEnvironment(tc tests.TestContext, flagVars *FlagVars, desiredNetwork
 		testContext:                 tc,
 	}
 
-	if network.DefaultRuntimeConfig.Process != nil {
-		// Display node IDs and URIs for process-based networks since the nodes are guaranteed to be network accessible
-		uris := env.GetNodeURIs()
-		require.NotEmpty(uris, "network contains no nodes")
-		tc.Log().Info("network nodes are available",
-			zap.Any("uris", uris),
-		)
-	} else {
-		// Only display node IDs for kube-based networks since the nodes may not be network accessible and
-		// port-forwarded URIs are ephemeral
-		nodeIDs := network.GetAvailableNodeIDs()
-		require.NotEmpty(nodeIDs, "network contains no nodes")
-		tc.Log().Info("network nodes are available. Not showing node URIs since kube nodes may be running remotely.",
-			zap.Strings("nodeIDs", nodeIDs),
-		)
-	}
+	uris := network.GetNodeURIs()
+	require.NotEmpty(uris, "network contains no nodes")
+	tc.Log().Info("network nodes are available",
+		zap.Any("uris", uris),
+	)
 
 	return env
 }
 
-// Retrieve URIs for validator nodes of the shared network. The URIs
-// are only guaranteed to be accessible until the environment test
-// context is torn down (usually the duration of execution of a single
-// test).
-func (te *TestEnvironment) GetNodeURIs() []tmpnet.NodeURI {
-	var (
-		tc      = te.testContext
-		network = te.GetNetwork()
-	)
-	uris, err := network.GetNodeURIs(tc.DefaultContext(), tc.DeferCleanup)
-	require.NoError(tc, err)
-	return uris
-}
-
 // Retrieve a random URI to naively attempt to spread API load across nodes.
 func (te *TestEnvironment) GetRandomNodeURI() tmpnet.NodeURI {
 	var (
@@ -279,15 +254,10 @@ func (te *TestEnvironment) GetRandomNodeURI() tmpnet.NodeURI {
 
 	require.NotEmpty(tc, availableNodes, "no available nodes to target")
 
-	// Use a local URI for the node to ensure compatibility with kube
 	randomNode := availableNodes[r.Intn(len(availableNodes))]
-	uri, cancel, err := randomNode.GetLocalURI(tc.DefaultContext())
-	require.NoError(tc, err)
-	tc.DeferCleanup(cancel)
-
 	nodeURI := tmpnet.NodeURI{
 		NodeID: randomNode.NodeID,
-		URI:    uri,
+		URI:    randomNode.GetAccessibleURI(),
 	}
 	tc.Log().Info("targeting random node",
 		zap.Stringer("nodeID", nodeURI.NodeID),
diff --git a/tests/fixture/e2e/helpers.go b/tests/fixture/e2e/helpers.go
index c0ee1ea4877f..49d854798761 100644
--- a/tests/fixture/e2e/helpers.go
+++ b/tests/fixture/e2e/helpers.go
@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"math/big"
-	"net/netip"
 	"os"
 	"strings"
 	"time"
@@ -377,26 +376,3 @@ func GetRepoRootPath(suffix string) (string, error) {
 	}
 	return strings.TrimSuffix(cwd, suffix), nil
 }
-
-// GetLocalURI retrieves the locally-accessible URI of the provided node. When a node
-// is running as a local process, this will be the URI exposed by the node. For a
-// node running remotely in kube, the URI will be a local address whose port is
-// forwarded to the node's URI through the kube API server.
-func GetLocalURI(tc tests.TestContext, node *tmpnet.Node) string {
-	uri, cancel, err := node.GetLocalURI(tc.DefaultContext())
-	require.NoError(tc, err)
-	tc.DeferCleanup(cancel)
-	return uri
-}
-
-// GetLocalStakingAddress retrieves the locally-accessible staking address of the
-// provided node. When a node is a local process, this will be the staking address
-// exposed by the node. For a node running remotely in kube, the staking address will
-// be a local address whose port will be forwarded to the node's staking address
-// through the kube API server.
-func GetLocalStakingAddress(tc tests.TestContext, node *tmpnet.Node) netip.AddrPort {
-	stakingAddress, cancel, err := node.GetLocalStakingAddress(tc.DefaultContext())
-	require.NoError(tc, err)
-	tc.DeferCleanup(cancel)
-	return stakingAddress
-}
diff --git a/tests/fixture/tmpnet/kube_runtime.go b/tests/fixture/tmpnet/kube_runtime.go
index 4f5343ab84ed..ab86956291e3 100644
--- a/tests/fixture/tmpnet/kube_runtime.go
+++ b/tests/fixture/tmpnet/kube_runtime.go
@@ -16,6 +16,7 @@ import (
 
 	"go.uber.org/zap"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 
@@ -24,6 +25,7 @@ import (
 	"github.com/ava-labs/avalanchego/utils/logging"
 
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	restclient "k8s.io/client-go/rest"
@@ -53,9 +55,13 @@ const (
 
 	// Name of config map containing tmpnet defaults
 	defaultsConfigMapName = "tmpnet-defaults"
+	ingressHostKey        = "ingressHost"
 )
 
-var errMissingSchedulingLabels = errors.New("--kube-scheduling-label-key and --kube-scheduling-label-value are required when exclusive scheduling is enabled")
+var (
+	errMissingSchedulingLabels = errors.New("--kube-scheduling-label-key and --kube-scheduling-label-value are required when exclusive scheduling is enabled")
+	errMissingIngressHost      = errors.New("IngressHost is a required value. Ensure the " + defaultsConfigMapName + " ConfigMap contains an entry for " + ingressHostKey)
+)
 
 type KubeRuntimeConfig struct {
 	// Path to the kubeconfig file identifying the target cluster
@@ -76,12 +82,18 @@ type KubeRuntimeConfig struct {
 	SchedulingLabelKey string `json:"schedulingLabelKey,omitempty"`
 	// Label value to use for exclusive scheduling for node selection and toleration
 	SchedulingLabelValue string `json:"schedulingLabelValue,omitempty"`
+	// Host for ingress rules (e.g., "localhost:30791" for kind, "tmpnet.example.com" for EKS)
+	IngressHost string `json:"ingressHost,omitempty"`
+	// TLS secret name for ingress (empty for HTTP, populated for HTTPS)
+	IngressSecret string `json:"ingressSecret,omitempty"`
 }
 
 // ensureDefaults sets cluster-specific defaults for fields not already set by flags.
 func (c *KubeRuntimeConfig) ensureDefaults(ctx context.Context, log logging.Logger) error {
+	// Only read defaults if necessary
 	requireSchedulingDefaults := c.UseExclusiveScheduling && (len(c.SchedulingLabelKey) == 0 || len(c.SchedulingLabelValue) == 0)
-	if !requireSchedulingDefaults {
+	requireIngressDefaults := !IsRunningInCluster() && len(c.IngressHost) == 0
+	if !requireSchedulingDefaults && !requireIngressDefaults {
 		return nil
 	}
 
@@ -100,26 +112,47 @@ func (c *KubeRuntimeConfig) ensureDefaults(ctx context.Context, log logging.Logg
 		return fmt.Errorf("failed to get ConfigMap: %w", err)
 	}
 
-	var (
-		schedulingLabelKey   = configMap.Data["schedulingLabelKey"]
-		schedulingLabelValue = configMap.Data["schedulingLabelValue"]
-	)
-	if len(c.SchedulingLabelKey) == 0 && len(schedulingLabelKey) > 0 {
-		log.Info("setting default value for SchedulingLabelKey",
-			zap.String("schedulingLabelKey", schedulingLabelKey),
+	if requireSchedulingDefaults {
+		var (
+			schedulingLabelKey   = configMap.Data["schedulingLabelKey"]
+			schedulingLabelValue = configMap.Data["schedulingLabelValue"]
 		)
-		c.SchedulingLabelKey = schedulingLabelKey
+		if len(c.SchedulingLabelKey) == 0 && len(schedulingLabelKey) > 0 {
+			log.Info("setting default value for SchedulingLabelKey",
+				zap.String("schedulingLabelKey", schedulingLabelKey),
+			)
+			c.SchedulingLabelKey = schedulingLabelKey
+		}
+		if len(c.SchedulingLabelValue) == 0 && len(schedulingLabelValue) > 0 {
+			log.Info("setting default value for SchedulingLabelValue",
+				zap.String("schedulingLabelValue", schedulingLabelValue),
+			)
+			c.SchedulingLabelValue = schedulingLabelValue
+		}
+		if len(c.SchedulingLabelKey) == 0 || len(c.SchedulingLabelValue) == 0 {
+			return errMissingSchedulingLabels
+		}
 	}
-	if len(c.SchedulingLabelValue) == 0 && len(schedulingLabelValue) > 0 {
-		log.Info("setting default value for SchedulingLabelValue",
-			zap.String("schedulingLabelValue", schedulingLabelValue),
+	if requireIngressDefaults {
+		var (
+			ingressHost   = configMap.Data[ingressHostKey]
+			ingressSecret = configMap.Data["ingressSecret"]
 		)
-		c.SchedulingLabelValue = schedulingLabelValue
-	}
-
-	// Validate that the scheduling labels are now set
-	if len(c.SchedulingLabelKey) == 0 || len(c.SchedulingLabelValue) == 0 {
-		return errMissingSchedulingLabels
+		if len(c.IngressHost) == 0 && len(ingressHost) > 0 {
+			log.Info("setting default value for IngressHost",
+				zap.String("ingressHost", ingressHost),
+			)
+			c.IngressHost = ingressHost
+		}
+		if len(c.IngressSecret) == 0 && len(ingressSecret) > 0 {
+			log.Info("setting default value for IngressSecret",
+				zap.String("ingressSecret", ingressSecret),
+			)
+			c.IngressSecret = ingressSecret
+		}
+		if len(c.IngressHost) == 0 {
+			return errMissingIngressHost
+		}
 	}
 
 	return nil
@@ -127,6 +160,8 @@ func (c *KubeRuntimeConfig) ensureDefaults(ctx context.Context, log logging.Logg
 
 type KubeRuntime struct {
 	node *Node
+
+	kubeConfig *restclient.Config
 }
 
 // readState reads the URI and staking address for the node if the node is running.
@@ -145,6 +180,11 @@ func (p *KubeRuntime) readState(ctx context.Context) error {
 		zap.String("statefulSet", statefulSetName),
 	)
 
+	// Validate that it will be possible to construct accessible URIs when running external to the kube cluster
+	if !IsRunningInCluster() && len(runtimeConfig.IngressHost) == 0 {
+		return errors.New("IngressHost must be set when running outside of the kubernetes cluster")
+	}
+
 	clientset, err := p.getClientset()
 	if err != nil {
 		return err
@@ -187,31 +227,34 @@ func (p *KubeRuntime) readState(ctx context.Context) error {
 	return nil
 }
 
-// GetLocalURI retrieves a URI for the node intended to be accessible from this
-// process until the provided cancel function is called.
-func (p *KubeRuntime) GetLocalURI(ctx context.Context) (string, func(), error) {
-	if len(p.node.URI) == 0 {
-		// Assume that an empty URI indicates a need to read pod state
-		if err := p.readState(ctx); err != nil {
-			return "", func() {}, fmt.Errorf("failed to read Pod state: %w", err)
-		}
-	}
-
-	// Use direct pod URI if running inside the cluster
+// GetAccessibleURI retrieves a URI for the node accessible from where
+// this process is running. If the process is running inside a kube
+// cluster, the node and the process will be assumed to be running in the
+// same kube cluster and the node's URI be used. If the process is
+// running outside of a kube cluster, a URI accessible from outside of
+// the cluster will be used.
+func (p *KubeRuntime) GetAccessibleURI() string {
 	if IsRunningInCluster() {
-		return p.node.URI, func() {}, nil
+		return p.node.URI
 	}
 
-	port, stopChan, err := p.forwardPort(ctx, config.DefaultHTTPPort)
-	if err != nil {
-		return "", nil, err
+	var (
+		protocol      = "http"
+		nodeID        = p.node.NodeID.String()
+		networkUUID   = p.node.network.UUID
+		runtimeConfig = p.runtimeConfig()
+	)
+	// Assume tls is configured for an ingress secret
+	if len(runtimeConfig.IngressSecret) > 0 {
+		protocol = "https"
 	}
-	return fmt.Sprintf("http://127.0.0.1:%d", port), func() { close(stopChan) }, nil
+
+	return fmt.Sprintf("%s://%s/networks/%s/%s", protocol, runtimeConfig.IngressHost, networkUUID, nodeID)
 }
 
-// GetLocalStakingAddress retrieves a StakingAddress for the node intended to be
+// GetAccessibleStakingAddress retrieves a StakingAddress for the node intended to be
 // accessible from this process until the provided cancel function is called.
-func (p *KubeRuntime) GetLocalStakingAddress(ctx context.Context) (netip.AddrPort, func(), error) {
+func (p *KubeRuntime) GetAccessibleStakingAddress(ctx context.Context) (netip.AddrPort, func(), error) {
 	if p.node.StakingAddress == (netip.AddrPort{}) {
 		// Assume that an empty staking address indicates a need to retrieve pod state
 		if err := p.readState(ctx); err != nil {
@@ -364,6 +407,23 @@ func (p *KubeRuntime) Start(ctx context.Context) error {
 		zap.String("statefulSet", statefulSetName),
 	)
 
+	if !IsRunningInCluster() {
+		// If running outside the cluster, ensure the node's API port is accessible via ingress
+
+		serviceName := "s-" + statefulSetName // The 's-' prefix ensures DNS compatibility
+		if err := p.createNodeService(ctx, serviceName); err != nil {
+			return fmt.Errorf("failed to create Service for node: %w", err)
+		}
+
+		if err := p.createNodeIngress(ctx, serviceName); err != nil {
+			return fmt.Errorf("failed to create Ingress for node: %w", err)
+		}
+
+		if err := p.waitForIngressReadiness(ctx, serviceName); err != nil {
+			return fmt.Errorf("failed to wait for Ingress readiness: %w", err)
+		}
+	}
+
 	return p.ensureBootstrapIP(ctx)
 }
 
@@ -624,9 +684,6 @@ func (p *KubeRuntime) Restart(ctx context.Context) error {
 }
 
 // IsHealthy checks if the node is running and healthy.
-//
-// TODO(marun) Add WaitForHealthy as a runtime method to minimize API calls required and
-// enable reuse of forwarded connection when running external to the kubernetes cluster
 func (p *KubeRuntime) IsHealthy(ctx context.Context) (bool, error) {
 	err := p.readState(ctx)
 	if err != nil {
@@ -636,13 +693,7 @@ func (p *KubeRuntime) IsHealthy(ctx context.Context) (bool, error) {
 		return false, errNotRunning
 	}
 
-	uri, cancel, err := p.GetLocalURI(ctx)
-	if err != nil {
-		return false, err
-	}
-	defer cancel()
-
-	healthReply, err := CheckNodeHealth(ctx, uri)
+	healthReply, err := CheckNodeHealth(ctx, p.GetAccessibleURI())
 	if errors.Is(err, ErrUnrecoverableNodeHealthCheck) {
 		return false, err
 	} else if err != nil {
@@ -769,13 +820,23 @@ func (p *KubeRuntime) runtimeConfig() *KubeRuntimeConfig {
 	return p.node.getRuntimeConfig().Kube
 }
 
+// getKubeconfig retrieves the kubeconfig for the target cluster. It
+// will be cached after the first call to avoid unnecessary logging
+// when running in-cluster.
 func (p *KubeRuntime) getKubeconfig() (*restclient.Config, error) {
-	runtimeConfig := p.runtimeConfig()
-	return GetClientConfig(
-		p.node.network.log,
-		runtimeConfig.ConfigPath,
-		runtimeConfig.ConfigContext,
-	)
+	if p.kubeConfig == nil {
+		runtimeConfig := p.runtimeConfig()
+		config, err := GetClientConfig(
+			p.node.network.log,
+			runtimeConfig.ConfigPath,
+			runtimeConfig.ConfigContext,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get kubeconfig: %w", err)
+		}
+		p.kubeConfig = config
+	}
+	return p.kubeConfig, nil
 }
 
 func (p *KubeRuntime) getClientset() (*kubernetes.Clientset, error) {
@@ -842,6 +903,10 @@ func (p *KubeRuntime) getFlags() (FlagsMap, error) {
 	flags[config.DataDirKey] = volumeMountPath
 	// The node must bind to the Pod IP to enable the kubelet to access the http port for the readiness check
 	flags[config.HTTPHostKey] = "0.0.0.0"
+	// Ensure compatibility with a non-localhost ingress host
+	if !IsRunningInCluster() && !strings.HasPrefix(p.runtimeConfig().IngressHost, "localhost") {
+		flags[config.HTTPAllowedHostsKey] = p.runtimeConfig().IngressHost
+	}
 	return flags, nil
 }
 
@@ -890,6 +955,310 @@ func configureExclusiveScheduling(template *corev1.PodTemplateSpec, labelKey str
 	}
 }
 
+// createNodeService creates a Kubernetes Service for the node to enable ingress routing
+func (p *KubeRuntime) createNodeService(ctx context.Context, serviceName string) error {
+	var (
+		log           = p.node.network.log
+		nodeID        = p.node.NodeID.String()
+		runtimeConfig = p.runtimeConfig()
+		namespace     = runtimeConfig.Namespace
+	)
+
+	log.Debug("creating Service for node",
+		zap.String("nodeID", nodeID),
+		zap.String("namespace", namespace),
+		zap.String("service", serviceName),
+	)
+
+	clientset, err := p.getClientset()
+	if err != nil {
+		return err
+	}
+
+	service := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      serviceName,
+			Namespace: namespace,
+			Labels: map[string]string{
+				"app":          serviceName,
+				"network-uuid": p.node.network.UUID,
+				"node-id":      nodeID,
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{
+				"network_uuid": p.node.network.UUID,
+				"node_id":      nodeID,
+			},
+			Ports: []corev1.ServicePort{
+				{
+					Name:       "http",
+					Port:       config.DefaultHTTPPort,
+					TargetPort: intstr.FromInt(config.DefaultHTTPPort),
+					Protocol:   corev1.ProtocolTCP,
+				},
+			},
+			Type: corev1.ServiceTypeClusterIP,
+		},
+	}
+
+	_, err = clientset.CoreV1().Services(namespace).Create(ctx, service, metav1.CreateOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to create Service: %w", err)
+	}
+
+	log.Debug("created Service",
+		zap.String("nodeID", nodeID),
+		zap.String("namespace", namespace),
+		zap.String("service", serviceName),
+	)
+
+	return nil
+}
+
+// createNodeIngress creates a Kubernetes Ingress for the node to enable external access
+func (p *KubeRuntime) createNodeIngress(ctx context.Context, serviceName string) error {
+	var (
+		log           = p.node.network.log
+		nodeID        = p.node.NodeID.String()
+		runtimeConfig = p.runtimeConfig()
+		namespace     = runtimeConfig.Namespace
+		networkUUID   = p.node.network.UUID
+	)
+
+	log.Debug("creating Ingress for node",
+		zap.String("nodeID", nodeID),
+		zap.String("namespace", namespace),
+		zap.String("service", serviceName),
+	)
+
+	clientset, err := p.getClientset()
+	if err != nil {
+		return err
+	}
+
+	var (
+		ingressClassName = "nginx" // Assume nginx ingress controller
+		// Path pattern: /networks/<network-uuid>/<node-id>(/|$)(.*)
+		// Using (/|$)(.*) to properly handle trailing slashes
+		pathPattern = fmt.Sprintf("/networks/%s/%s", networkUUID, nodeID) + "(/|$)(.*)"
+		pathType    = networkingv1.PathTypeImplementationSpecific
+	)
+
+	// Build the ingress rules
+	ingressRules := []networkingv1.IngressRule{
+		{
+			IngressRuleValue: networkingv1.IngressRuleValue{
+				HTTP: &networkingv1.HTTPIngressRuleValue{
+					Paths: []networkingv1.HTTPIngressPath{
+						{
+							Path:     pathPattern,
+							PathType: &pathType,
+							Backend: networkingv1.IngressBackend{
+								Service: &networkingv1.IngressServiceBackend{
+									Name: serviceName,
+									Port: networkingv1.ServiceBackendPort{
+										Number: config.DefaultHTTPPort,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Add host if not localhost
+	if !strings.HasPrefix(runtimeConfig.IngressHost, "localhost") {
+		ingressRules[0].Host = runtimeConfig.IngressHost
+	}
+
+	ingress := &networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      serviceName,
+			Namespace: namespace,
+			Labels: map[string]string{
+				"app":          serviceName,
+				"network-uuid": networkUUID,
+				"node-id":      nodeID,
+			},
+			Annotations: map[string]string{
+				"nginx.ingress.kubernetes.io/use-regex":          "true",
+				"nginx.ingress.kubernetes.io/rewrite-target":     "/$2",
+				"nginx.ingress.kubernetes.io/proxy-body-size":    "0",
+				"nginx.ingress.kubernetes.io/proxy-read-timeout": "600",
+				"nginx.ingress.kubernetes.io/proxy-send-timeout": "600",
+			},
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: &ingressClassName,
+			Rules:            ingressRules,
+		},
+	}
+
+	// Add TLS configuration if IngressSecret is set
+	if len(runtimeConfig.IngressSecret) > 0 && !strings.HasPrefix(runtimeConfig.IngressHost, "localhost") {
+		ingress.Spec.TLS = []networkingv1.IngressTLS{
+			{
+				Hosts:      []string{runtimeConfig.IngressHost},
+				SecretName: runtimeConfig.IngressSecret,
+			},
+		}
+	}
+
+	_, err = clientset.NetworkingV1().Ingresses(namespace).Create(ctx, ingress, metav1.CreateOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to create Ingress: %w", err)
+	}
+
+	log.Debug("created Ingress",
+		zap.String("nodeID", nodeID),
+		zap.String("namespace", namespace),
+		zap.String("ingress", serviceName),
+		zap.String("path", pathPattern),
+	)
+
+	return nil
+}
+
+// waitForIngressReadiness waits for the ingress to be ready and able to route traffic
+// This prevents 503 errors when health checks are performed immediately after node start
+func (p *KubeRuntime) waitForIngressReadiness(ctx context.Context, serviceName string) error {
+	var (
+		log           = p.node.network.log
+		nodeID        = p.node.NodeID.String()
+		runtimeConfig = p.runtimeConfig()
+		namespace     = runtimeConfig.Namespace
+	)
+
+	log.Debug("waiting for Ingress readiness",
+		zap.String("nodeID", nodeID),
+		zap.String("namespace", namespace),
+		zap.String("ingress", serviceName),
+	)
+
+	clientset, err := p.getClientset()
+	if err != nil {
+		return err
+	}
+
+	// Wait for the ingress to exist, be processed by the controller, and service endpoints to be available
+	err = wait.PollUntilContextCancel(
+		ctx,
+		statusCheckInterval,
+		true, // immediate
+		func(ctx context.Context) (bool, error) {
+			// Check if ingress exists and is processed by the controller
+			ingress, err := clientset.NetworkingV1().Ingresses(namespace).Get(ctx, serviceName, metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				log.Verbo("waiting for Ingress to be created",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("ingress", serviceName),
+				)
+				return false, nil
+			}
+			if err != nil {
+				log.Warn("failed to retrieve Ingress",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("ingress", serviceName),
+					zap.Error(err),
+				)
+				return false, nil
+			}
+
+			// Check if ingress controller has processed the ingress
+			// The ingress controller should populate the Status.LoadBalancer.Ingress field
+			// when it has successfully processed and exposed the ingress
+			hasIngressIP := len(ingress.Status.LoadBalancer.Ingress) > 0
+			if !hasIngressIP {
+				log.Verbo("waiting for Ingress controller to process and expose the Ingress",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("ingress", serviceName),
+				)
+				return false, nil
+			}
+
+			// Validate that at least one ingress has an IP or hostname
+			hasValidIngress := false
+			for _, ing := range ingress.Status.LoadBalancer.Ingress {
+				if ing.IP != "" || ing.Hostname != "" {
+					hasValidIngress = true
+					break
+				}
+			}
+
+			if !hasValidIngress {
+				log.Verbo("waiting for Ingress controller to assign IP or hostname",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("ingress", serviceName),
+				)
+				return false, nil
+			}
+
+			// Check if service endpoints are available
+			endpoints, err := clientset.CoreV1().Endpoints(namespace).Get(ctx, serviceName, metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				log.Verbo("waiting for Service endpoints to be created",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("service", serviceName),
+				)
+				return false, nil
+			}
+			if err != nil {
+				log.Warn("failed to retrieve Service endpoints",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("service", serviceName),
+					zap.Error(err),
+				)
+				return false, nil
+			}
+
+			// Check if endpoints have at least one ready address
+			hasReadyEndpoints := false
+			for _, subset := range endpoints.Subsets {
+				if len(subset.Addresses) > 0 {
+					hasReadyEndpoints = true
+					break
+				}
+			}
+
+			if !hasReadyEndpoints {
+				log.Verbo("waiting for Service endpoints to have ready addresses",
+					zap.String("nodeID", nodeID),
+					zap.String("namespace", namespace),
+					zap.String("service", serviceName),
+				)
+				return false, nil
+			}
+
+			log.Debug("Ingress is exposed by controller and Service endpoints are ready",
+				zap.String("nodeID", nodeID),
+				zap.String("namespace", namespace),
+				zap.String("ingress", serviceName),
+			)
+			return true, nil
+		},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to wait for Ingress %s/%s readiness: %w", namespace, serviceName, err)
+	}
+
+	log.Debug("Ingress is ready",
+		zap.String("nodeID", nodeID),
+		zap.String("namespace", namespace),
+		zap.String("ingress", serviceName),
+	)
+
+	return nil
+}
+
 // IsRunningInCluster detects if this code is running inside a Kubernetes cluster
 // by checking for the presence of the service account token that's automatically
 // mounted in every pod.
diff --git a/tests/fixture/tmpnet/monitor_kube.go b/tests/fixture/tmpnet/monitor_kube.go
index 1bd5cc11cbf2..6785195c45d0 100644
--- a/tests/fixture/tmpnet/monitor_kube.go
+++ b/tests/fixture/tmpnet/monitor_kube.go
@@ -36,8 +36,8 @@ type kubeCollectorConfig struct {
 	manifest     []byte
 }
 
-// DeployKubeCollectors deploys collectors of logs and metrics to a Kubernetes cluster.
-func DeployKubeCollectors(
+// deployKubeCollectors deploys collectors of logs and metrics to a Kubernetes cluster.
+func deployKubeCollectors(
 	ctx context.Context,
 	log logging.Logger,
 	configPath string,
diff --git a/tests/fixture/tmpnet/network.go b/tests/fixture/tmpnet/network.go
index b990ed114393..ecbe1e18de2b 100644
--- a/tests/fixture/tmpnet/network.go
+++ b/tests/fixture/tmpnet/network.go
@@ -449,11 +449,7 @@ func (n *Network) Bootstrap(ctx context.Context, log logging.Logger) error {
 	}
 
 	// Don't restart the node during subnet creation since it will always be restarted afterwards.
-	uri, cancel, err := bootstrapNode.GetLocalURI(ctx)
-	if err != nil {
-		return err
-	}
-	defer cancel()
+	uri := bootstrapNode.GetAccessibleURI()
 	if err := n.CreateSubnets(ctx, log, uri, false /* restartRequired */); err != nil {
 		return err
 	}
@@ -784,11 +780,9 @@ func (n *Network) GetNode(nodeID ids.NodeID) (*Node, error) {
 	return nil, fmt.Errorf("%s is not known to the network", nodeID)
 }
 
-// GetNodeURIs returns the URIs of nodes in the network that are running and not ephemeral. The URIs
-// returned are guaranteed be reachable by the caller until the cleanup function is called regardless
-// of whether the nodes are running as local processes or in a kube cluster.
-func (n *Network) GetNodeURIs(ctx context.Context, deferCleanupFunc func(func())) ([]NodeURI, error) {
-	return GetNodeURIs(ctx, n.Nodes, deferCleanupFunc)
+// GetNodeURIs returns the accessible URIs of nodes in the network that are running and not ephemeral.
+func (n *Network) GetNodeURIs() []NodeURI {
+	return GetNodeURIs(n.Nodes)
 }
 
 // GetAvailableNodeIDs returns the node IDs of nodes in the network that are running and not ephemeral.
@@ -969,7 +963,7 @@ func waitForHealthy(ctx context.Context, log logging.Logger, nodes []*Node) erro
 			unhealthyNodes.Remove(node)
 			log.Info("node is healthy",
 				zap.Stringer("nodeID", node.NodeID),
-				zap.String("uri", node.URI),
+				zap.String("uri", node.GetAccessibleURI()),
 			)
 		}
 
diff --git a/tests/fixture/tmpnet/node.go b/tests/fixture/tmpnet/node.go
index a76eb02a7e44..347253356b68 100644
--- a/tests/fixture/tmpnet/node.go
+++ b/tests/fixture/tmpnet/node.go
@@ -41,8 +41,8 @@ var (
 // NodeRuntime defines the methods required to support running a node.
 type NodeRuntime interface {
 	readState(ctx context.Context) error
-	GetLocalURI(ctx context.Context) (string, func(), error)
-	GetLocalStakingAddress(ctx context.Context) (netip.AddrPort, func(), error)
+	GetAccessibleURI() string
+	GetAccessibleStakingAddress(ctx context.Context) (netip.AddrPort, func(), error)
 	Start(ctx context.Context) error
 	InitiateStop(ctx context.Context) error
 	WaitForStopped(ctx context.Context) error
@@ -199,12 +199,12 @@ func (n *Node) readState(ctx context.Context) error {
 	return n.getRuntime().readState(ctx)
 }
 
-func (n *Node) GetLocalURI(ctx context.Context) (string, func(), error) {
-	return n.getRuntime().GetLocalURI(ctx)
+func (n *Node) GetAccessibleURI() string {
+	return n.getRuntime().GetAccessibleURI()
 }
 
-func (n *Node) GetLocalStakingAddress(ctx context.Context) (netip.AddrPort, func(), error) {
-	return n.getRuntime().GetLocalStakingAddress(ctx)
+func (n *Node) GetAccessibleStakingAddress(ctx context.Context) (netip.AddrPort, func(), error) {
+	return n.getRuntime().GetAccessibleStakingAddress(ctx)
 }
 
 // Writes the current state of the metrics endpoint to disk
@@ -213,12 +213,7 @@ func (n *Node) SaveMetricsSnapshot(ctx context.Context) error {
 		// No URI to request metrics from
 		return nil
 	}
-	baseURI, cancel, err := n.GetLocalURI(ctx)
-	if err != nil {
-		return nil
-	}
-	defer cancel()
-	uri := baseURI + "/ext/metrics"
+	uri := n.GetAccessibleURI() + "/ext/metrics"
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
 	if err != nil {
 		return err
diff --git a/tests/fixture/tmpnet/process_runtime.go b/tests/fixture/tmpnet/process_runtime.go
index 9088f0928210..94d7154c3d59 100644
--- a/tests/fixture/tmpnet/process_runtime.go
+++ b/tests/fixture/tmpnet/process_runtime.go
@@ -417,11 +417,12 @@ func (p *ProcessRuntime) writeMonitoringConfigFile(name string, config []ConfigM
 	return nil
 }
 
-func (p *ProcessRuntime) GetLocalURI(_ context.Context) (string, func(), error) {
-	return p.node.URI, func() {}, nil
+// GetAccessibleURI returns the URI that can be used to access the node's API.
+func (p *ProcessRuntime) GetAccessibleURI() string {
+	return p.node.URI
 }
 
-func (p *ProcessRuntime) GetLocalStakingAddress(_ context.Context) (netip.AddrPort, func(), error) {
+func (p *ProcessRuntime) GetAccessibleStakingAddress(_ context.Context) (netip.AddrPort, func(), error) {
 	return p.node.StakingAddress, func() {}, nil
 }
 
diff --git a/tests/fixture/tmpnet/start_kind_cluster.go b/tests/fixture/tmpnet/start_kind_cluster.go
index 1957005c4d21..f8d4299875c7 100644
--- a/tests/fixture/tmpnet/start_kind_cluster.go
+++ b/tests/fixture/tmpnet/start_kind_cluster.go
@@ -13,6 +13,7 @@ import (
 	"strings"
 
 	"go.uber.org/zap"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
@@ -37,6 +38,13 @@ const (
 
 	// TODO(marun) Check for the presence of the context rather than string matching on this error
 	missingContextMsg = `context "` + KindKubeconfigContext + `" does not exist`
+
+	// Ingress controller constants
+	ingressNamespace      = "ingress-nginx"
+	ingressReleaseName    = "ingress-nginx"
+	ingressChartRepo      = "https://kubernetes.github.io/ingress-nginx"
+	ingressChartName      = "ingress-nginx/ingress-nginx"
+	ingressControllerName = "ingress-nginx-controller"
 )
 
 //go:embed yaml/tmpnet-rbac.yaml
@@ -96,10 +104,18 @@ func StartKindCluster(
 		return fmt.Errorf("failed to create service account kubeconfig context: %w", err)
 	}
 
-	if err := DeployKubeCollectors(ctx, log, configPath, configContext, startMetricsCollector, startLogsCollector); err != nil {
+	if err := deployKubeCollectors(ctx, log, configPath, configContext, startMetricsCollector, startLogsCollector); err != nil {
 		return fmt.Errorf("failed to deploy kube collectors: %w", err)
 	}
 
+	if err := deployIngressController(ctx, log, configPath, configContext); err != nil {
+		return fmt.Errorf("failed to deploy ingress controller: %w", err)
+	}
+
+	if err := createDefaultsConfigMap(ctx, log, configPath, configContext, DefaultTmpnetNamespace); err != nil {
+		return fmt.Errorf("failed to create defaults ConfigMap: %w", err)
+	}
+
 	return nil
 }
 
@@ -227,13 +243,18 @@ func createServiceAccountKubeconfig(
 		return fmt.Errorf("failed to load kubeconfig: %w", err)
 	}
 
-	// Check if the context already exists
 	if _, exists := config.Contexts[newContextName]; exists {
-		log.Info("service account kubeconfig context already exists",
+		log.Info("service account kubeconfig context exists, recreating to ensure consistency with cluster state",
+			zap.String("kubeconfig", configPath),
+			zap.String("context", newContextName),
+			zap.String("namespace", namespace),
+		)
+	} else {
+		log.Info("creating new service account kubeconfig context",
+			zap.String("kubeconfig", configPath),
 			zap.String("context", newContextName),
 			zap.String("namespace", namespace),
 		)
-		return nil
 	}
 
 	// Get the current context (already verified to exist by StartKindCluster)
@@ -279,9 +300,162 @@ func createServiceAccountKubeconfig(
 	}
 
 	log.Info("created service account kubeconfig context",
+		zap.String("kubeconfig", configPath),
 		zap.String("context", newContextName),
 		zap.String("namespace", namespace),
 	)
 
 	return nil
 }
+
+// deployIngressController deploys the nginx ingress controller using Helm.
+func deployIngressController(ctx context.Context, log logging.Logger, configPath string, configContext string) error {
+	log.Info("checking if nginx ingress controller is already running")
+
+	isRunning, err := isIngressControllerRunning(ctx, log, configPath, configContext)
+	if err != nil {
+		return fmt.Errorf("failed to check nginx ingress controller status: %w", err)
+	}
+	if isRunning {
+		log.Info("nginx ingress controller already running")
+		return nil
+	}
+
+	log.Info("deploying nginx ingress controller using Helm")
+
+	// Add the helm repo for ingress-nginx
+	if err := runHelmCommand(ctx, "repo", "add", "ingress-nginx", ingressChartRepo); err != nil {
+		return fmt.Errorf("failed to add helm repo: %w", err)
+	}
+	if err := runHelmCommand(ctx, "repo", "update"); err != nil {
+		return fmt.Errorf("failed to update helm repos: %w", err)
+	}
+
+	// Install nginx-ingress with values set directly via flags
+	// Using fixed nodePort 30791 for cross-platform compatibility
+	args := []string{
+		"install",
+		ingressReleaseName,
+		ingressChartName,
+		"--namespace", ingressNamespace,
+		"--create-namespace",
+		"--wait",
+		"--set", "controller.service.type=NodePort",
+		// This port value must match the port configured in scripts/kind-with-registry.sh
+		"--set", "controller.service.nodePorts.http=30791",
+		"--set", "controller.admissionWebhooks.enabled=false",
+		"--set", "controller.config.proxy-read-timeout=600",
+		"--set", "controller.config.proxy-send-timeout=600",
+		"--set", "controller.config.proxy-body-size=0",
+		"--set", "controller.config.proxy-http-version=1.1",
+		"--set", "controller.metrics.enabled=true",
+	}
+
+	if err := runHelmCommand(ctx, args...); err != nil {
+		return fmt.Errorf("failed to install nginx-ingress: %w", err)
+	}
+
+	return waitForIngressController(ctx, log, configPath, configContext)
+}
+
+// isIngressControllerRunning checks if the nginx ingress controller is already running.
+func isIngressControllerRunning(ctx context.Context, log logging.Logger, configPath string, configContext string) (bool, error) {
+	clientset, err := GetClientset(log, configPath, configContext)
+	if err != nil {
+		return false, err
+	}
+
+	// TODO(marun) Handle the case of the deployment being in a failed state
+	_, err = clientset.AppsV1().Deployments(ingressNamespace).Get(ctx, ingressControllerName, metav1.GetOptions{})
+	isRunning := !apierrors.IsNotFound(err) || err == nil
+	return isRunning, nil
+}
+
+// waitForIngressController waits for the nginx ingress controller to be ready.
+func waitForIngressController(ctx context.Context, log logging.Logger, configPath string, configContext string) error {
+	clientset, err := GetClientset(log, configPath, configContext)
+	if err != nil {
+		return fmt.Errorf("failed to get clientset: %w", err)
+	}
+
+	return wait.PollUntilContextCancel(ctx, statusCheckInterval, true /* immediate */, func(ctx context.Context) (bool, error) {
+		deployment, err := clientset.AppsV1().Deployments(ingressNamespace).Get(ctx, ingressControllerName, metav1.GetOptions{})
+		if err != nil {
+			log.Debug("failed to get nginx ingress controller deployment",
+				zap.String("namespace", ingressNamespace),
+				zap.String("deployment", ingressControllerName),
+				zap.Error(err),
+			)
+			return false, nil
+		}
+		if deployment.Status.ReadyReplicas == 0 {
+			log.Debug("waiting for nginx ingress controller to become ready",
+				zap.String("namespace", ingressNamespace),
+				zap.String("deployment", ingressControllerName),
+				zap.Int32("readyReplicas", deployment.Status.ReadyReplicas),
+				zap.Int32("replicas", deployment.Status.Replicas),
+			)
+			return false, nil
+		}
+
+		log.Info("nginx ingress controller is ready",
+			zap.String("namespace", ingressNamespace),
+			zap.String("deployment", ingressControllerName),
+			zap.Int32("readyReplicas", deployment.Status.ReadyReplicas),
+		)
+		return true, nil
+	})
+}
+
+// runHelmCommand runs a Helm command with the given arguments.
+func runHelmCommand(ctx context.Context, args ...string) error {
+	cmd := exec.CommandContext(ctx, "helm", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+// createDefaultsConfigMap creates a ConfigMap containing defaults for the tmpnet namespace.
+func createDefaultsConfigMap(ctx context.Context, log logging.Logger, configPath string, configContext string, namespace string) error {
+	clientset, err := GetClientset(log, configPath, configContext)
+	if err != nil {
+		return fmt.Errorf("failed to get clientset: %w", err)
+	}
+
+	configMapName := defaultsConfigMapName
+
+	// Check if configmap already exists
+	_, err = clientset.CoreV1().ConfigMaps(namespace).Get(ctx, configMapName, metav1.GetOptions{})
+	if err == nil {
+		log.Info("defaults ConfigMap already exists",
+			zap.String("namespace", namespace),
+			zap.String("configMap", configMapName),
+		)
+		return nil
+	}
+	if !apierrors.IsNotFound(err) {
+		return fmt.Errorf("failed to check for configmap %s/%s: %w", namespace, configMapName, err)
+	}
+
+	log.Info("creating defaults ConfigMap",
+		zap.String("namespace", namespace),
+		zap.String("configMap", configMapName),
+	)
+
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      configMapName,
+			Namespace: namespace,
+		},
+		Data: map[string]string{
+			ingressHostKey: "localhost:30791",
+		},
+	}
+
+	_, err = clientset.CoreV1().ConfigMaps(namespace).Create(ctx, configMap, metav1.CreateOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to create configmap %s/%s: %w", namespace, configMapName, err)
+	}
+
+	return nil
+}
diff --git a/tests/fixture/tmpnet/utils.go b/tests/fixture/tmpnet/utils.go
index e80070326900..121fe6a062bb 100644
--- a/tests/fixture/tmpnet/utils.go
+++ b/tests/fixture/tmpnet/utils.go
@@ -44,6 +44,14 @@ func CheckNodeHealth(ctx context.Context, uri string) (*health.APIReply, error)
 			return nil, err
 		}
 	}
+
+	// Assume `503 Service Unavailable` is the result of the ingress
+	// for the node not being ready.
+	// TODO(marun) Update Client.Health() to return a typed error
+	if err != nil && err.Error() == "received status code: 503" {
+		return nil, err
+	}
+
 	// Assume all other errors are not recoverable
 	return nil, fmt.Errorf("%w: %w", ErrUnrecoverableNodeHealthCheck, err)
 }
@@ -54,25 +62,18 @@ type NodeURI struct {
 	URI    string
 }
 
-// GetNodeURIs returns the URIs of the provided nodes that are running and not ephemeral. The URIs returned
-// are guaranteed be reachable by the caller until the cleanup function is called regardless of whether the
-// nodes are running as local processes or in a kube cluster.
-func GetNodeURIs(ctx context.Context, nodes []*Node, deferCleanupFunc func(func())) ([]NodeURI, error) {
+// GetNodeURIs returns the accessible URIs of the provided nodes that are running and not ephemeral.
+func GetNodeURIs(nodes []*Node) []NodeURI {
 	availableNodes := FilterAvailableNodes(nodes)
 	uris := []NodeURI{}
 	for _, node := range availableNodes {
-		uri, cancel, err := node.GetLocalURI(ctx)
-		if err != nil {
-			return nil, err
-		}
-		deferCleanupFunc(cancel)
 		uris = append(uris, NodeURI{
 			NodeID: node.NodeID,
-			URI:    uri,
+			URI:    node.GetAccessibleURI(),
 		})
 	}
 
-	return uris, nil
+	return uris
 }
 
 // FilteredAvailableNodes filters the provided nodes by whether they are running and not ephemeral.
@@ -96,15 +97,10 @@ func FilterAvailableNodes(nodes []*Node) []*Node {
 // blockchain ID, in the form "ws://<node-uri>/ext/bc/<blockchain-id>/ws".
 // Ephemeral and stopped nodes are ignored.
 func GetNodeWebsocketURIs(
-	ctx context.Context,
 	nodes []*Node,
 	blockchainID string,
-	deferCleanupFunc func(func()),
 ) ([]string, error) {
-	nodeURIs, err := GetNodeURIs(ctx, nodes, deferCleanupFunc)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get node URIs: %w", err)
-	}
+	nodeURIs := GetNodeURIs(nodes)
 	wsURIs := make([]string, len(nodeURIs))
 	for i := range nodeURIs {
 		uri, err := url.Parse(nodeURIs[i].URI)
diff --git a/tests/fixture/tmpnet/yaml/tmpnet-rbac.yaml b/tests/fixture/tmpnet/yaml/tmpnet-rbac.yaml
index 0d3056614a85..21db7582fd0f 100644
--- a/tests/fixture/tmpnet/yaml/tmpnet-rbac.yaml
+++ b/tests/fixture/tmpnet/yaml/tmpnet-rbac.yaml
@@ -11,6 +11,7 @@ metadata:
   name: tmpnet
   namespace: tmpnet
 rules:
+# Regular usage
 - apiGroups: ["apps"]
   resources: ["statefulsets"]
   verbs: ["get", "create", "update", "patch"]
@@ -23,6 +24,19 @@ rules:
 - apiGroups: [""]
   resources: ["pods/portforward"]
   verbs: ["create"]
+# Enable external node access via ingress
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "create"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/tests/load/c/main/main.go b/tests/load/c/main/main.go
index 676293d173af..fdee7b7eaa42 100644
--- a/tests/load/c/main/main.go
+++ b/tests/load/c/main/main.go
@@ -88,7 +88,7 @@ func main() {
 		)
 	})
 
-	endpoints, err := tmpnet.GetNodeWebsocketURIs(ctx, network.Nodes, blockchainID, tc.DeferCleanup)
+	endpoints, err := tmpnet.GetNodeWebsocketURIs(network.Nodes, blockchainID)
 	require.NoError(err, "failed †o get node websocket URIs")
 
 	w := &workload{
diff --git a/tests/load2/main/main.go b/tests/load2/main/main.go
index 07646d4851c7..1985f8f6902d 100644
--- a/tests/load2/main/main.go
+++ b/tests/load2/main/main.go
@@ -69,7 +69,7 @@ func main() {
 	e2e.NewTestEnvironment(tc, flagVars, network)
 
 	ctx := tests.DefaultNotifyContext(0, tc.DeferCleanup)
-	wsURIs, err := tmpnet.GetNodeWebsocketURIs(ctx, network.Nodes, blockchainID, tc.DeferCleanup)
+	wsURIs, err := tmpnet.GetNodeWebsocketURIs(network.Nodes, blockchainID)
 	require.NoError(err)
 
 	registry := prometheus.NewRegistry()
diff --git a/tests/log.go b/tests/log.go
index a431feb3c1ec..134cc9cd1f78 100644
--- a/tests/log.go
+++ b/tests/log.go
@@ -25,5 +25,6 @@ func LoggerForFormat(prefix string, rawLogFormat string) (logging.Logger, error)
 	if err != nil {
 		return nil, err
 	}
-	return logging.NewLogger(prefix, logging.NewWrappedCore(logging.Verbo, writeCloser, logFormat.ConsoleEncoder())), nil
+	// TODO(marun) Make the log level configurable
+	return logging.NewLogger(prefix, logging.NewWrappedCore(logging.Debug, writeCloser, logFormat.ConsoleEncoder())), nil
 }