diff --git a/apps/agent-zero/agent-zero.yaml b/apps/agent-zero/agent-zero.yaml
index d9f8603..d9a8b9d 100644
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -267,8 +267,11 @@ spec:
 # Phase 0 Chat MCP pilot: Agent Zero does not interpolate env vars
 # inside A0_SET_mcp_servers JSON, so build the final JSON here from
 # the secret-backed CHAT_MCP_API_KEY env var before initialize.sh.
+ # Use the in-cluster Chat service URL rather than the public
+ # Traefik hostname so the pod stays off the private VIP lane that
+ # the default egress rule blocks.
 if [ -n "${CHAT_MCP_API_KEY:-}" ]; then
- export A0_SET_mcp_servers="{\"mcpServers\":{\"fc-chat\":{\"type\":\"http\",\"url\":\"https://chat.iamworkin.lan/mcp\",\"headers\":{\"X-Api-Key\":\"${CHAT_MCP_API_KEY}\"}}}}"
+ export A0_SET_mcp_servers="{\"mcpServers\":{\"fc-chat\":{\"type\":\"http\",\"url\":\"http://chat-web.fc-chat.svc/mcp\",\"headers\":{\"X-Api-Key\":\"${CHAT_MCP_API_KEY}\"}}}}"
 fi
 # Run the original entrypoint
 exec /exe/initialize.sh $BRANCH
@@ -563,6 +566,16 @@ spec:
 ports:
 - port: 8080
 protocol: TCP
+ # FlowerCore.Chat MCP (Phase 0 pilot) — use the in-cluster chat-web
+ # service instead of the public Traefik VIP so MCP traffic stays inside
+ # the cluster and survives the private-range egress denylist.
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-chat
+ ports:
+ - port: 80
+ protocol: TCP
 # Allow internet (for kubectl image pull, etc)
 - to:
 - ipBlock:
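Review bot: The rewritten `export A0_SET_mcp_servers=...` line now sends the `X-Api-Key` header over plain `http://` where the previous URL used `https://`, so the secret-backed key crosses the pod network unencrypted unless the CNI or a service mesh encrypts that traffic (not visible here). The added comment explains the routing reason but not this trade-off; I would record it next to the export, e.g. `# NOTE: plain HTTP - X-Api-Key relies on cluster network controls; switch to https if chat-web serves TLS`. Separately, the key is spliced into the JSON unescaped, so a `"` or `\` in CHAT_MCP_API_KEY would corrupt the generated server config; that predates this change but still applies to the new line. The surrounding startup script begins outside the hunk.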
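Review bot: The new egress rule selects the whole `fc-chat` namespace, so this pod may reach any workload there on TCP 80, not only chat-web. Adding a `podSelector` beside the `namespaceSelector` in the same `to` entry would narrow it, e.g. `podSelector: {matchLabels: {app: <chat-web-pod-label>}}` (placeholder label; take the real one from the chat-web workload). Also confirm the port: NetworkPolicy `ports` are typically enforced against the destination pod's port after Service translation, so `port: 80` only matches if the chat-web containers listen on 80; if the Service maps 80 to a different targetPort, that value belongs here instead. The egress list continues outside the hunk.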