diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 36a9926482c..69c6dea1cb7 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -4779,7 +4779,6 @@ webhooks:
         operations:
         - CREATE
         - UPDATE
-        - DELETE
         resources:
         - groups
         scope: Namespaced
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
index d81f69b63ab..d5a6ca83acb 100644
--- a/build/yamls/antrea-eks.yml
+++ b/build/yamls/antrea-eks.yml
@@ -4781,7 +4781,6 @@ webhooks:
         operations:
         - CREATE
         - UPDATE
-        - DELETE
         resources:
         - groups
         scope: Namespaced
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
index a01234266dc..d53e8dd8338 100644
--- a/build/yamls/antrea-gke.yml
+++ b/build/yamls/antrea-gke.yml
@@ -4779,7 +4779,6 @@ webhooks:
         operations:
         - CREATE
         - UPDATE
-        - DELETE
         resources:
         - groups
         scope: Namespaced
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
index a46c45e9675..869fc95f696 100644
--- a/build/yamls/antrea-ipsec.yml
+++ b/build/yamls/antrea-ipsec.yml
@@ -4828,7 +4828,6 @@ webhooks:
         operations:
         - CREATE
         - UPDATE
-        - DELETE
         resources:
         - groups
         scope: Namespaced
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
index c0e1c57847a..0448391edd8 100644
--- a/build/yamls/antrea.yml
+++ b/build/yamls/antrea.yml
@@ -4784,7 +4784,6 @@ webhooks:
         operations:
         - CREATE
         - UPDATE
-        - DELETE
         resources:
         - groups
         scope: Namespaced
diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml
index 0c80a48a8b5..3769dfd33ca 100644
--- a/build/yamls/base/controller.yml
+++ b/build/yamls/base/controller.yml
@@ -145,7 +145,7 @@ webhooks:
         namespace: "kube-system"
         path: "/validate/group"
     rules:
-      - operations: [ "CREATE", "UPDATE", "DELETE" ]
+      - operations: [ "CREATE", "UPDATE" ]
         apiGroups: [ "crd.antrea.io" ]
         apiVersions: [ "v1alpha3" ]
         resources: [ "groups" ]
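Review bot: Dropping DELETE from the Group validating webhook in build/yamls/base/controller.yml (and the five generated antrea*.yml copies on this same line) means the API server no longer asks the controller before a Group is removed, so a Group that is still referenced by an Antrea NetworkPolicy can now be deleted out from under it. The controller hunks later in this diff stop treating a missing Group as an error, so this looks intentional, but what a policy does with a dangling Group reference — the peer matching nothing versus the rule being dropped — is not recorded anywhere in the change. A comment beside the rule would capture the decision, e.g. `# DELETE is deliberately not validated: a referenced Group may be removed; the controller re-syncs the policies that reference it.`.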
diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go
index 0f5e3ade46c..4f75c1f1d32 100644
--- a/pkg/controller/networkpolicy/antreanetworkpolicy.go
+++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go
@@ -212,9 +212,7 @@ func (n *NetworkPolicyController) processAppliedToGroupForGroup(namespace, group
 	// Retrieve Group for corresponding entry in the AppliedToGroup.
 	g, err := n.grpLister.Groups(namespace).Get(groupName)
 	if err != nil {
-		// This error should not occur as we validate that a Group must exist before
-		// referencing it in an ANP.
-		klog.Errorf("Group %s not found: %v", g, err)
+		// The Group referred to has not been created yet.
 		return ""
 	}
 	key := internalGroupKeyFunc(g)
diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go
index e6d873c7b28..e79361907ae 100644
--- a/pkg/controller/networkpolicy/clustergroup.go
+++ b/pkg/controller/networkpolicy/clustergroup.go
@@ -198,8 +198,6 @@ func (c *NetworkPolicyController) processNextInternalGroupWorkItem() bool {
 }
 
 func (c *NetworkPolicyController) syncInternalClusterGroup(grp *antreatypes.Group) error {
-	defer c.triggerCNPUpdates(grp.SourceReference.ToString())
-	defer c.triggerParentGroupSync(grp.SourceReference.ToString())
 	// Retrieve the ClusterGroup corresponding to this key.
 	cg, err := c.cgLister.Get(grp.SourceReference.ToString())
 	if err != nil {
diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go
index 730bf105ab5..d429be00a3f 100644
--- a/pkg/controller/networkpolicy/crd_utils.go
+++ b/pkg/controller/networkpolicy/crd_utils.go
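Review bot: The `err != nil` branch in processAppliedToGroupForGroup now returns `""` with no log at any verbosity, so a policy whose appliedTo Group is missing (or whose lister call failed for a reason other than not-found — the branch does not distinguish) silently loses that appliedTo, and an operator has nothing to correlate a non-enforcing policy with. Keep the silent return but leave a trace for debugging, e.g. `klog.V(2).Infof("Group %s/%s not found, skipping AppliedToGroup creation: %v", namespace, groupName, err)`. The two `return "", nil` branches in processRefGroupOrClusterGroup on the next line of this page have the same gap and would benefit from the same V(2) line. processAppliedToGroupForGroup continues past this hunk, so how the caller treats an empty key cannot be checked here.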
@@ -129,7 +129,7 @@ func (c *NetworkPolicyController) processRefGroupOrClusterGroup(g, namespace str
 	if namespace != "" {
 		grp, err := c.grpLister.Groups(namespace).Get(g)
 		if err != nil {
-			klog.Errorf("Group %s/%s not found: %v", namespace, g, err)
+			// The Group referred to has not been created yet.
 			return "", nil
 		}
 		key = internalGroupKeyFunc(grp)
@@ -137,7 +137,7 @@ func (c *NetworkPolicyController) processRefGroupOrClusterGroup(g, namespace str
 		// Retrieve ClusterGroup for corresponding entry in the rule.
 		cg, err := c.cgLister.Get(g)
 		if err != nil {
-			klog.Errorf("ClusterGroup %s not found: %v", g, err)
+			// The ClusterGroup referred to has not been created yet.
 			return "", nil
 		}
 		key = internalGroupKeyFunc(cg)
@@ -254,18 +254,21 @@ func getNormalizedNameForSelector(sel *antreatypes.GroupSelector) string {
 	return ""
 }
 
-func (n *NetworkPolicyController) syncInternalGroup(key string) error {
+func (c *NetworkPolicyController) syncInternalGroup(key string) error {
+	defer c.triggerANPUpdates(key)
+	defer c.triggerCNPUpdates(key)
+	defer c.triggerParentGroupSync(key)
 	// Retrieve the internal Group corresponding to this key.
-	grpObj, found, _ := n.internalGroupStore.Get(key)
+	grpObj, found, _ := c.internalGroupStore.Get(key)
 	if !found {
 		klog.V(2).Infof("Internal group %s not found.", key)
-		n.groupingInterface.DeleteGroup(clusterGroupType, key)
+		c.groupingInterface.DeleteGroup(clusterGroupType, key)
 		return nil
 	}
 	grp := grpObj.(*antreatypes.Group)
 	if grp.SourceReference.Namespace != "" {
 		// Sync the Group as a Namespaced Group.
-		return n.syncInternalNamespacedGroup(grp)
+		return c.syncInternalNamespacedGroup(grp)
 	}
-	return n.syncInternalClusterGroup(grp)
+	return c.syncInternalClusterGroup(grp)
 }
diff --git a/pkg/controller/networkpolicy/group.go b/pkg/controller/networkpolicy/group.go
index 813df58a23a..6b0b6f5303a 100644
--- a/pkg/controller/networkpolicy/group.go
+++ b/pkg/controller/networkpolicy/group.go
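Review bot: `defer c.triggerANPUpdates(key)` in syncInternalGroup hands the internal-store key to a lookup that, in the group.go hunk on the next line of this page, becomes `ByIndex(GroupIndex, g)` where the old code passed `g.Name`; unless the GroupIndex index function was changed in the same PR to index policies by that key (not visible in this diff), the lookup returns nothing and no ANP is re-queued when a referenced Group appears or changes — which is precisely the path the removed "Group not found" errors now rely on. Worth confirming against the indexer, and pinning with a unit test that creates the ANP first and the namespaced Group second. Separately, the three defers also fire on the `!found` branch, which is presumably intended so policies referencing a deleted Group are re-evaluated; a comment would make that explicit, e.g. `// Re-sync referencing policies and parent groups on every outcome, including deletion, so stale references are re-evaluated.`.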
@@ -64,10 +64,10 @@ func (n *NetworkPolicyController) updateGroup(oldObj, curObj interface{}) {
 	ipBlocksUpdated := func() bool {
 		oldIPBs, newIPBs := sets.String{}, sets.String{}
 		for _, ipb := range oldGroup.IPBlocks {
-			oldIPBs.Insert(ipNetToCIDRStr(ipb.CIDR))
+			oldIPBs.Insert(ipb.CIDR.String())
 		}
 		for _, ipb := range newGroup.IPBlocks {
-			newIPBs.Insert(ipNetToCIDRStr(ipb.CIDR))
+			newIPBs.Insert(ipb.CIDR.String())
 		}
 		return oldIPBs.Equal(newIPBs)
 	}
@@ -187,17 +187,16 @@ func (n *NetworkPolicyController) syncInternalNamespacedGroup(grp *antreatypes.G
 		klog.Errorf("Failed to update Group %s/%s GroupMembersComputed condition to %s: %v", g.Namespace, g.Name, v1.ConditionTrue, err)
 		return err
 	}
-	n.triggerParentGroupSync(grp)
-	return n.triggerANPUpdates(g)
+	return nil
 }
 
 // triggerANPUpdates triggers processing of Antrea NetworkPolicies associated with the input Group.
-func (n *NetworkPolicyController) triggerANPUpdates(g *crdv1alpha3.Group) error {
+func (n *NetworkPolicyController) triggerANPUpdates(g string) {
 	// If a Group is added/updated, it might have a reference in Antrea NetworkPolicy.
-	anps, err := n.anpInformer.Informer().GetIndexer().ByIndex(GroupIndex, g.Name)
+	anps, err := n.anpInformer.Informer().GetIndexer().ByIndex(GroupIndex, g)
 	if err != nil {
-		klog.Errorf("Error retrieving Antrea NetworkPolicies corresponding to Group %s/%s", g.Namespace, g.Name)
-		return err
+		klog.Errorf("Error retrieving Antrea NetworkPolicies corresponding to Group %s", g)
+		return
 	}
 	for _, obj := range anps {
 		anp := obj.(*crdv1alpha1.NetworkPolicy)
@@ -237,7 +236,7 @@ func (n *NetworkPolicyController) triggerANPUpdates(g *crdv1alpha3.Group) error
 			n.deleteDereferencedAppliedToGroup(atg)
 		}
 	}
-	return nil
+	return
 }
 
 // updateGroupStatus updates the Status subresource for a Group.
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index d61ba6b2b1c..9d7d5a006f1 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
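Review bot: The doc comment above triggerANPUpdates still says "associated with the input Group" while the parameter is now a plain string key, and the indexer error is now logged and dropped rather than returned, neither of which the comment records; suggest `// triggerANPUpdates re-queues the Antrea NetworkPolicies indexed under the Group key g. Indexer failures are logged and otherwise ignored, since callers invoke this from a defer.`. The bare `return` that replaces `return nil` at the end of the function (third hunk) is redundant in a function with no results and can simply be deleted. The ByIndex argument change from `g.Name` to `g` also depends on what callers pass as the key; see the note on the crd_utils.go hunk above.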
@@ -289,7 +289,7 @@ func testMutateANPNoRuleName(t *testing.T) {
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "")
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 	anp, err := k8sUtils.CreateOrUpdateANP(anp)
@@ -502,6 +502,51 @@ func testInvalidACNPIngressPeerNamespacesSetWithNSSelector(t *testing.T) {
 	}
 }
 
+func testInvalidANPIngressPeerGroupSetWithPodSelector(t *testing.T) {
+	gA := "gA"
+	namespace := "x"
+	selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}
+	ruleAppTo := ANPAppliedToSpec{
+		PodSelector: map[string]string{"pod": "b"},
+	}
+	k8sUtils.CreateGroup(namespace, gA, &selectorA, nil, nil)
+	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy with group and podSelector in NetworkPolicyPeer set")
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(namespace, "anp-ingress-group-podselector-set").
+		SetPriority(1.0)
+	builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, nil,
+		nil, nil, []ANPAppliedToSpec{ruleAppTo}, crdv1alpha1.RuleActionAllow, gA, "")
+	anp := builder.Get()
+	log.Debugf("creating ANP %v", anp.Name)
+	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
+		// Above creation of ANP must fail as it is an invalid spec.
+		failOnError(invalidNpErr, t)
+	}
+	failOnError(k8sUtils.CleanGroups(namespace), t)
+}
+
+func testInvalidANPIngressPeerGroupSetWithIPBlock(t *testing.T) {
+	gA := "gA"
+	namespace := "x"
+	selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}}
+	k8sUtils.CreateGroup(namespace, gA, &selectorA, nil, nil)
+	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy with group and ipBlock in NetworkPolicyPeer set")
+	cidr := "10.0.0.10/32"
+	builder := &AntreaNetworkPolicySpecBuilder{}
+	builder = builder.SetName(namespace, "anp-ingress-group-ipblock-set").
+		SetPriority(1.0).
+		SetAppliedToGroup([]ANPAppliedToSpec{{Group: "gA"}})
+	builder = builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, &cidr, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
+		nil, nil, nil, crdv1alpha1.RuleActionAllow, gA, "")
+	anp := builder.Get()
+	log.Debugf("creating ANP %v", anp.Name)
+	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
+		// Above creation of ANP must fail as it is an invalid spec.
+		failOnError(invalidNpErr, t)
+	}
+	failOnError(k8sUtils.CleanGroups(namespace), t)
+}
+
 func testInvalidANPNoPriority(t *testing.T) {
 	invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy without a priority accepted")
 	builder := &AntreaNetworkPolicySpecBuilder{}
@@ -521,9 +566,9 @@ func testInvalidANPRuleNameNotUnique(t *testing.T) {
 	builder = builder.SetName("x", "anp-rule-name-not-unique").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "not-unique").
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique").
 		AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "not-unique")
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique")
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateANP(anp); err == nil {
@@ -553,7 +598,7 @@ func testInvalidANPPortRangePortUnset(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, nil, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 
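Review bot: Both new tests in the @@ -502 hunk discard the return values of `k8sUtils.CreateGroup(namespace, gA, &selectorA, nil, nil)`, so if the Group is not created the ANP may be rejected for an unrelated reason and the test still passes; check it with `_, err := k8sUtils.CreateGroup(namespace, gA, &selectorA, nil, nil)` followed by `failOnError(err, t)`. The trailing `failOnError(k8sUtils.CleanGroups(namespace), t)` is skipped whenever the earlier `failOnError(invalidNpErr, t)` aborts the test (assuming it calls t.Fatal), leaving gA in namespace x for later cases; move cleanup to a deferred closure, `defer func() { failOnError(k8sUtils.CleanGroups(namespace), t) }()`, placed right after the Group is created — note a plain `defer failOnError(k8sUtils.CleanGroups(namespace), t)` would evaluate CleanGroups immediately. In the IPBlock variant, `{Group: "gA"}` should reuse the `gA` variable so the two stay in step.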
@@ -570,7 +615,7 @@ func testInvalidANPPortRangeEndPortSmall(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, &p8082, nil, &p8081, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 
@@ -656,14 +701,14 @@ func testInvalidTierACNPRefDelete(t *testing.T) {
 
 func testInvalidTierANPRefDelete(t *testing.T) {
 	invalidErr := fmt.Errorf("tier deleted with referenced ANPs")
-	tr, err := k8sUtils.CreateNewTier("tier-anp", 10)
+	tr, err := k8sUtils.CreateNewTier("tier-anp-ref", 11)
 	if err != nil {
 		failOnError(fmt.Errorf("create Tier failed for tier tier-anp: %v", err), t)
 	}
 	builder := &AntreaNetworkPolicySpecBuilder{}
 	builder = builder.SetName("x", "anp-for-tier").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
-		SetTier("tier-anp").
+		SetTier("tier-anp-ref").
 		SetPriority(13.0)
 	anp := builder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
@@ -1835,7 +1880,7 @@ func testANPPortRange(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, &p8080, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("y/b"), Pod("x/c"), Dropped)
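Review bot: In testInvalidTierANPRefDelete the tier is renamed to "tier-anp-ref" with priority 11, but the unchanged error line two lines below still reports the old name: `failOnError(fmt.Errorf("create Tier failed for tier tier-anp-ref: %v", err), t)`. The rename and the priority bump presumably avoid a collision with another test's tier; a one-line comment above the `CreateNewTier` call saying which one would save the next reader the search. The function continues past the end of the hunk, so the tier deletion path is not visible here.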
@@ -1865,7 +1910,7 @@ func testANPBasic(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -1916,12 +1961,12 @@ func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
 	if singleRule {
 		builder.SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}, {PodSelector: map[string]string{tempLabel: ""}}})
 		builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionDrop, "")
+			nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 	} else {
 		builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, "")
+			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1alpha1.RuleActionDrop, "", "")
 		builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1alpha1.RuleActionDrop, "")
+			nil, nil, []ANPAppliedToSpec{{PodSelector: map[string]string{tempLabel: ""}}}, crdv1alpha1.RuleActionDrop, "", "")
 	}
 
 	reachability := NewReachability(allPods, Connected)
@@ -2067,9 +2112,9 @@ func testAppliedToPerRule(t *testing.T) {
 	anpATGrp1 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil}
 	anpATGrp2 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil}
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "", "")
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
-		nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "", "")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -2685,6 +2730,8 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=ANPTierDoesNotExistDenied", func(t *testing.T) { testInvalidANPTierDoesNotExist(t) })
 		t.Run("Case=ANPPortRangePortUnsetDenied", func(t *testing.T) { testInvalidANPPortRangePortUnset(t) })
 		t.Run("Case=ANPPortRangePortEndPortSmallDenied", func(t *testing.T) { testInvalidANPPortRangeEndPortSmall(t) })
+		t.Run("Case=ANPIngressPeerGroupSetWithIPBlock", func(t *testing.T) { testInvalidANPIngressPeerGroupSetWithIPBlock(t) })
+		t.Run("Case=ANPIngressPeerGroupSetWithPodSelector", func(t *testing.T) { testInvalidANPIngressPeerGroupSetWithPodSelector(t) })
 		t.Run("Case=ACNPInvalidPodSelectorNsSelectorMatchExpressions", func(t *testing.T) { testInvalidACNPPodSelectorNsSelectorMatchExpressions(t) })
 	})
 
@@ -2781,7 +2828,7 @@ func TestAntreaPolicyStatus(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}})
 	anpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionAllow, "")
+		nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := anpBuilder.Get()
 	log.Debugf("creating ANP %v", anp.Name)
 	_, err = data.crdClient.CrdV1alpha1().NetworkPolicies(anp.Namespace).Create(context.TODO(), anp, metav1.CreateOptions{})
diff --git a/test/e2e/flowaggregator_test.go b/test/e2e/flowaggregator_test.go
index 54fa74468be..a56c194fae2 100644
--- a/test/e2e/flowaggregator_test.go
+++ b/test/e2e/flowaggregator_test.go
@@ -840,7 +840,7 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": dstPod}}})
 	builder1 = builder1.AddIngress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionAllow, testIngressRuleName)
+		nil, nil, nil, secv1alpha1.RuleActionAllow, "", testIngressRuleName)
 	anp1 = builder1.Get()
 	anp1, err1 := k8sUtils.CreateOrUpdateANP(anp1)
 	if err1 != nil {
@@ -853,7 +853,7 @@ func deployAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, dstPod st
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
 	builder2 = builder2.AddEgress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": dstPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionAllow, testEgressRuleName)
+		nil, nil, nil, secv1alpha1.RuleActionAllow, "", testEgressRuleName)
 	anp2 = builder2.Get()
 	anp2, err2 := k8sUtils.CreateOrUpdateANP(anp2)
 	if err2 != nil {
@@ -878,24 +878,24 @@ func deployDenyAntreaNetworkPolicies(t *testing.T, data *TestData, srcPod, podRe
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podReject}}})
 	builder1 = builder1.AddIngress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionReject, testIngressRuleName)
+		nil, nil, nil, secv1alpha1.RuleActionReject, "", testIngressRuleName)
 	builder2 = builder2.SetName(testNamespace, ingressDropANPName).
 		SetPriority(2.0).
 		SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": podDrop}}})
 	builder2 = builder2.AddIngress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": srcPod}, map[string]string{},
-		nil, nil, nil, secv1alpha1.RuleActionDrop, testIngressRuleName)
+		nil, nil, nil, secv1alpha1.RuleActionDrop, "", testIngressRuleName)
 	} else {
 		// apply reject and drop egress rule to source pod
 		builder1 = builder1.SetName(testNamespace, egressRejectANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
 		builder1 = builder1.AddEgress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": podReject}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionReject, testEgressRuleName)
+			nil, nil, nil, secv1alpha1.RuleActionReject, "", testEgressRuleName)
 		builder2 = builder2.SetName(testNamespace, egressDropANPName).
 			SetPriority(2.0).
 			SetAppliedToGroup([]utils.ANPAppliedToSpec{{PodSelector: map[string]string{"antrea-e2e": srcPod}}})
 		builder2 = builder2.AddEgress(corev1.ProtocolTCP, nil, nil, nil, nil, map[string]string{"antrea-e2e": podDrop}, map[string]string{},
-			nil, nil, nil, secv1alpha1.RuleActionDrop, testEgressRuleName)
+			nil, nil, nil, secv1alpha1.RuleActionDrop, "", testEgressRuleName)
 	}
 	anp1 = builder1.Get()
 	anp1, err = k8sUtils.CreateOrUpdateANP(anp1)
diff --git a/test/e2e/k8s_util.go b/test/e2e/k8s_util.go
index 7e31f9e3074..30b35c9c2b4 100644
--- a/test/e2e/k8s_util.go
+++ b/test/e2e/k8s_util.go
@@ -571,6 +571,44 @@ func (k *KubernetesUtils) GetCG(name string) (*crdv1alpha2.ClusterGroup, error)
 	return res, nil
 }
 
+// CreateGroup is a convenience function for creating an Antrea Group by namespace, name and selector.
+func (k *KubernetesUtils) CreateGroup(namespace, name string, pSelector, nSelector *metav1.LabelSelector, ipBlocks []crdv1alpha1.IPBlock) (*crdv1alpha3.Group, error) {
+	log.Infof("Creating group %s/%s", namespace, name)
+	_, err := k.crdClient.CrdV1alpha3().Groups(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	if err != nil {
+		g := &crdv1alpha3.Group{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: namespace,
+				Name: name,
+			},
+		}
+		if pSelector != nil {
+			g.Spec.PodSelector = pSelector
+		}
+		if nSelector != nil {
+			g.Spec.NamespaceSelector = nSelector
+		}
+		if len(ipBlocks) > 0 {
+			g.Spec.IPBlocks = ipBlocks
+		}
+		g, err = k.crdClient.CrdV1alpha3().Groups(namespace).Create(context.TODO(), g, metav1.CreateOptions{})
+		if err != nil {
+			log.Debugf("Unable to create group %s/%s: %s", namespace, name, err)
+		}
+		return g, err
+	}
+	return nil, fmt.Errorf("group with name %s/%s already exists", namespace, name)
+}
+
+// GetGroup is a convenience function for getting Groups
+func (k *KubernetesUtils) GetGroup(namespace, name string) (*crdv1alpha3.Group, error) {
+	res, err := k.crdClient.CrdV1alpha3().Groups(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
 // DeleteV1Alpha2CG is a convenience function for deleting crd/v1alpha2 ClusterGroup by name.
 func (k *KubernetesUtils) DeleteV1Alpha2CG(name string) error {
 	log.Infof("Deleting ClusterGroup %s", name)
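Review bot: CreateGroup treats any error from the initial `Get` as "the Group does not exist" and proceeds to `Create`, so a transient API-server or RBAC failure is masked and surfaces later as an AlreadyExists or a misleading create error. Distinguish the not-found case from the rest, `if err != nil && !apierrors.IsNotFound(err) { return nil, err }` before the existing branch, where `apierrors` is k8s.io/apimachinery/pkg/api/errors (the file's import block is outside the hunk, so add it if it is not already imported). The doc comment also omits `ipBlocks`; `// CreateGroup creates a Group in namespace with the given pod selector, namespace selector and ipBlocks, and fails if one with that name already exists.` would describe the whole signature. GetGroup's `if err != nil { return nil, err }` guard adds nothing over `return k.crdClient.CrdV1alpha3().Groups(namespace).Get(...)`, since the client already returns nil on error.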
@@ -624,6 +662,20 @@ func (k *KubernetesUtils) CleanCGs() error {
 	return nil
 }
 
+// CleanGroups is a convenience function for deleting all Groups in the namespace.
+func (k *KubernetesUtils) CleanGroups(namespace string) error {
+	l, err := k.crdClient.CrdV1alpha3().Groups(namespace).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		return errors.Wrapf(err, "unable to list Groups in v1alpha3")
+	}
+	for _, g := range l.Items {
+		if err := k.DeleteV1Alpha3Group(namespace, g.Name); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 // CreateOrUpdateACNP is a convenience function for updating/creating AntreaClusterNetworkPolicies.
 func (k *KubernetesUtils) CreateOrUpdateACNP(cnp *crdv1alpha1.ClusterNetworkPolicy) (*crdv1alpha1.ClusterNetworkPolicy, error) {
 	log.Infof("Creating/updating ClusterNetworkPolicy %s", cnp.Name)
diff --git a/test/e2e/legacyantreapolicy_test.go b/test/e2e/legacyantreapolicy_test.go
index b196c8b30a1..3f2ff4ac242 100644
--- a/test/e2e/legacyantreapolicy_test.go
+++ b/test/e2e/legacyantreapolicy_test.go
@@ -132,7 +132,7 @@ func testLegacyMutateANPNoRuleName(t *testing.T) {
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		SetPriority(10.0).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "")
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := builder.GetLegacy()
 	log.Debugf("creating ANP %v", anp.Name)
 	anp, err := k8sUtils.CreateOrUpdateLegacyANP(anp)
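Review bot: CleanGroups returns on the first failed `DeleteV1Alpha3Group`, so one Group that cannot be deleted leaves every later one in place for the next test case to trip over; a cleanup helper is more useful if it keeps going and reports all failures at the end, e.g. collect the errors in a slice and return them joined after the loop, matching whatever the file's other Clean* helpers do (CleanCGs is outside the hunk). `DeleteV1Alpha3Group` is not added in this diff, so its existence elsewhere in the file is assumed here. The error text "unable to list Groups in v1alpha3" would be more actionable with the namespace in it: `errors.Wrapf(err, "unable to list Groups in namespace %s", namespace)`.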
@@ -348,9 +348,9 @@ func testLegacyInvalidANPRuleNameNotUnique(t *testing.T) {
 	builder = builder.SetName("x", "anp-rule-name-not-unique").
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}).
 		AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "not-unique").
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique").
 		AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-			nil, nil, nil, crdv1alpha1.RuleActionAllow, "not-unique")
+			nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "not-unique")
 	anp := builder.GetLegacy()
 	log.Debugf("creating ANP %v", anp.Name)
 	if _, err := k8sUtils.CreateOrUpdateLegacyANP(anp); err == nil {
@@ -380,7 +380,7 @@ func testLegacyInvalidANPPortRangePortUnset(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, nil, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 	anp := builder.GetLegacy()
 	log.Debugf("creating ANP %v", anp.Name)
 
@@ -397,7 +397,7 @@ func testLegacyInvalidANPPortRangeEndPortSmall(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, &p8082, nil, &p8081, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 	anp := builder.GetLegacy()
 	log.Debugf("creating ANP %v", anp.Name)
 
@@ -1594,7 +1594,7 @@ func testLegacyANPPortRange(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "b"}}})
 	builder.AddEgress(v1.ProtocolTCP, &p8080, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "anp-port-range")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "anp-port-range")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("y/b"), Pod("x/c"), Dropped)
@@ -1624,7 +1624,7 @@ func testLegacyANPBasic(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, nil, crdv1alpha1.RuleActionDrop, "", "")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -1724,9 +1724,9 @@ func testLegacyAppliedToPerRule(t *testing.T) {
 	anpATGrp1 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil}
 	anpATGrp2 := ANPAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil}
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, []ANPAppliedToSpec{anpATGrp1}, crdv1alpha1.RuleActionDrop, "", "")
 	builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"},
-		nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "")
+		nil, nil, []ANPAppliedToSpec{anpATGrp2}, crdv1alpha1.RuleActionDrop, "", "")
 
 	reachability := NewReachability(allPods, Connected)
 	reachability.Expect(Pod("x/b"), Pod("y/a"), Dropped)
@@ -2180,7 +2180,7 @@ func TestLegacyAntreaPolicyStatus(t *testing.T) {
 		SetPriority(1.0).
 		SetAppliedToGroup([]ANPAppliedToSpec{{PodSelector: map[string]string{"app": "nginx"}}})
 	anpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"},
-		nil, nil, nil, crdv1alpha1.RuleActionAllow, "")
+		nil, nil, nil, crdv1alpha1.RuleActionAllow, "", "")
 	anp := anpBuilder.GetLegacy()
 	log.Debugf("creating ANP %v", anp.Name)
 	_, err = data.legacyCrdClient.SecurityV1alpha1().NetworkPolicies(anp.Namespace).Create(context.TODO(), anp, metav1.CreateOptions{})
diff --git a/test/e2e/utils/anpspecbuilder.go b/test/e2e/utils/anpspecbuilder.go
index 13af754f55e..b6bbf83f2b4 100644
--- a/test/e2e/utils/anpspecbuilder.go
+++ b/test/e2e/utils/anpspecbuilder.go
@@ -32,6 +32,7 @@ type AntreaNetworkPolicySpecBuilder struct {
 type ANPAppliedToSpec struct {
 	PodSelector map[string]string
 	PodSelectorMatchExp []metav1.LabelSelectorRequirement
+	Group string
 }
 
 func (b *AntreaNetworkPolicySpecBuilder) Get() *crdv1alpha1.NetworkPolicy {
@@ -108,7 +109,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol,
 	port *int32, portName *string, endPort *int32, cidr *string,
 	podSelector map[string]string, nsSelector map[string]string,
 	podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement,
-	ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction, name string) *AntreaNetworkPolicySpecBuilder {
+	ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder {
 	var ps, ns *metav1.LabelSelector
 	var appliedTos []crdv1alpha1.NetworkPolicyPeer
 
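Review bot: `Group string` is added to ANPAppliedToSpec, but no hunk on this page consumes it: the code in AddIngress that turns `ruleAppliedToSpecs` (and SetAppliedToGroup's specs) into NetworkPolicyPeer values lies between the two AddIngress hunks and is not shown, so if it was not updated, `SetAppliedToGroup([]ANPAppliedToSpec{{Group: "gA"}})` in the new IPBlock e2e test produces an appliedTo peer with no selector at all and that test would be exercising something other than what its name says. Worth confirming, and a field comment `// Group names a namespaced Group to use as the appliedTo; mutually exclusive with PodSelector.` would document the contract either way. The new `ruleGroup` parameter sits directly before `name` with the same type, which is what forced the `"", ""` churn across roughly thirty call sites in this diff; a doc comment on AddIngress stating `ruleGroup` is "the namespaced Group used as the rule's peer, or empty for none" would at least make the positional pair readable. AddIngress continues past the end of the hunk.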
@@ -139,11 +140,12 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, } // An empty From/To in ANP rules evaluates to match all addresses. policyPeer := make([]crdv1alpha1.NetworkPolicyPeer, 0) - if ps != nil || ns != nil || ipBlock != nil { + if ps != nil || ns != nil || ipBlock != nil || ruleGroup != "" { policyPeer = []crdv1alpha1.NetworkPolicyPeer{{ PodSelector: ps, NamespaceSelector: ns, IPBlock: ipBlock, + Group: ruleGroup, }} } @@ -188,13 +190,13 @@ func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, port *int32, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp []metav1.LabelSelectorRequirement, nsSelectorMatchExp []metav1.LabelSelectorRequirement, - ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction, name string) *AntreaNetworkPolicySpecBuilder { + ruleAppliedToSpecs []ANPAppliedToSpec, action crdv1alpha1.RuleAction, ruleGroup, name string) *AntreaNetworkPolicySpecBuilder { // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. c := &AntreaNetworkPolicySpecBuilder{} c.AddIngress(protoc, port, portName, endPort, cidr, podSelector, nsSelector, - podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action, name) + podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action, ruleGroup, name) theRule := c.Get().Spec.Ingress[0] b.Spec.Egress = append(b.Spec.Egress, crdv1alpha1.Rule{