diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden
index fe4cb774f3f1f6..f7fb8b16c202ed 100644
--- a/install/installer/cmd/testdata/render/minimal/output.golden
+++ b/install/installer/cmd/testdata/render/minimal/output.golden
@@ -1969,7 +1969,7 @@ data:
             to openvsx-proxy.default.svc.cluster.local:8080
         }
     }
-  vhost.payment-endpoint: |-
+  vhost.payment-endpoint: |
     https://payment.minimal-test.gitpod.com {
         import enable_log
         import remove_server_header
@@ -1981,6 +1981,14 @@ data:
             import upstream_connection
         }
 
+        @backend path /stripe/invoices/webhook
+        handle @backend {
+            reverse_proxy public-api-server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9002 {
+                import upstream_headers
+                import upstream_connection
+            }
+        }
+
         handle_errors {
             respond "Internal Server Error" 500
         }
@@ -8505,7 +8513,7 @@ spec:
   template:
     metadata:
       annotations:
-        gitpod.io/checksum_config: 376f6713002e46d8ebff894855ecd010de87d856d5c4c412c2a2649847f2017a
+        gitpod.io/checksum_config: 926e623fd161e557fe9ebb5f2dc7f2e31ed391fb5a3fb1308cefc8b76945401a
       creationTimestamp: null
       labels:
         app: gitpod
diff --git a/install/installer/pkg/components/proxy/templates/configmap/vhost.payment-endpoint.tpl b/install/installer/pkg/components/proxy/templates/configmap/vhost.payment-endpoint.tpl
index b9d99d47a7373c..4072042d1f7b18 100644
--- a/install/installer/pkg/components/proxy/templates/configmap/vhost.payment-endpoint.tpl
+++ b/install/installer/pkg/components/proxy/templates/configmap/vhost.payment-endpoint.tpl
@@ -9,7 +9,15 @@ https://payment.{{.Domain}} {
         import upstream_connection
     }
 
+    @backend path /stripe/invoices/webhook
+    handle @backend {
+        reverse_proxy public-api-server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9002 {
+            import upstream_headers
+            import upstream_connection
+        }
+    }
+
     handle_errors {
         respond "Internal Server Error" 500
     }
-}
\ No newline at end of file
+}
diff --git a/install/installer/pkg/components/public-api-server/networkpolicy.go b/install/installer/pkg/components/public-api-server/networkpolicy.go
index 27ffbc0146d196..7f174382f71d07 100644
--- a/install/installer/pkg/components/public-api-server/networkpolicy.go
+++ b/install/installer/pkg/components/public-api-server/networkpolicy.go
@@ -33,6 +33,10 @@ func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 								Protocol: common.TCPProtocol,
 								Port:     &intstr.IntOrString{IntVal: GRPCContainerPort},
 							},
+							{
+								Protocol: common.TCPProtocol,
+								Port:     &intstr.IntOrString{IntVal: HTTPContainerPort},
+							},
 						},
 						From: []networkingv1.NetworkPolicyPeer{
 							{
diff --git a/install/installer/pkg/components/public-api-server/networkpolicy_test.go b/install/installer/pkg/components/public-api-server/networkpolicy_test.go
index cde6e5c78c16b2..c072e7f4ff7055 100644
--- a/install/installer/pkg/components/public-api-server/networkpolicy_test.go
+++ b/install/installer/pkg/components/public-api-server/networkpolicy_test.go
@@ -30,6 +30,10 @@ func TestNetworkPolicy(t *testing.T) {
 				Protocol: common.TCPProtocol,
 				Port:     &intstr.IntOrString{IntVal: GRPCContainerPort},
 			},
+			{
+				Protocol: common.TCPProtocol,
+				Port:     &intstr.IntOrString{IntVal: HTTPContainerPort},
+			},
 		},
 		From: []networkingv1.NetworkPolicyPeer{
 			{