diff --git a/.bazelrc b/.bazelrc
index 39cad4248..8f6104d88 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,6 +1,11 @@
 # Enable debugging tests with --config=debug
 test:debug --test_arg=--node_options=--inspect-brk --test_output=streamed --test_strategy=exclusive --test_timeout=9999 --nocache_test_results
 
+# By default, network access should be disabled unless explicitly granted for certain targets
+using the `requires-network` tag. https://docs.bazel.build/versions/main/be/common-definitions.html
+build --sandbox_default_allow_network=false
+test --sandbox_default_allow_network=false
+
 ###############################
 # Filesystem interactions #
 ###############################
diff --git a/bazel/remote-execution/BUILD.bazel b/bazel/remote-execution/BUILD.bazel
index a3831a271..f5c9ceca1 100644
--- a/bazel/remote-execution/BUILD.bazel
+++ b/bazel/remote-execution/BUILD.bazel
@@ -27,6 +27,21 @@ platform(
 },
 )
 
+platform(
+ name = "platform_with_network",
+ exec_properties = {
+ # By default we have network access disabled with the `:platform` target. This is an
+ # additional platform that extends from the default one but enables network access.
+ # Network is generally not recommended, but for some exceptions, like integration tests
+ # running a Yarn install, network access is reasonable. In such special cases, Bazel can
+ # be invoked to run with this platform. It is recommended that exec platforms with network
+ # access are used in combination with `--sandbox_default_allow_network=false` as this allows
+ # specific targets to be granted network access, while others will not have access.
+ "dockerNetwork": "standard",
+ },
+ parents = [":platform"],
+)
+
 filegroup(
 name = "files",
 srcs = [
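Review bot: In the `.bazelrc` hunk, the second added comment line (the one starting `using the`) has no leading `#` as shown, so Bazel would read it as an rc entry for a command named `using` rather than as a comment. It should start with `# using the`; the missing marker may only be an artifact of how this page was rendered. Separately, `test` inherits options from `build` in rc files, so the `test --sandbox_default_allow_network=false` line looks redundant. The comment could also say that the flag constrains sandboxed actions only, so anything run with an unsandboxed strategy is presumably not covered by this default.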
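Review bot: In `bazel/remote-execution/BUILD.bazel`, the comment on `platform_with_network` recommends pairing it with `--sandbox_default_allow_network=false`, but nothing in the target says which invocations are expected to select it. As written, `"dockerNetwork": "standard"` applies to every action scheduled on this platform. Consider adding a line such as `# Only select this platform for invocations whose network-dependent targets are tagged requires-network.` If the remote cache is shared, it is also worth deciding whether those targets should carry `no-remote-cache`, since outputs that depend on content fetched at run time are not hermetic. Whether the executor honours the per-target tag cannot be confirmed from this hunk.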