diff --git a/backport-Do-not-change-permissions-of-netrules-target.patch b/backport-Do-not-change-permissions-of-netrules-target.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6763d514e65629621773ff95826f4c32d868bab6
--- /dev/null
+++ b/backport-Do-not-change-permissions-of-netrules-target.patch
@@ -0,0 +1,109 @@
+From 56c88cafd1b3606e814069a79f4ec265fc427c87 Mon Sep 17 00:00:00 2001
+From: James Falcon
+Date: Thu, 23 Mar 2023 10:21:56 -0500
+Subject: [PATCH] Don't change permissions of netrules target (#2076)
+
+Set permissions if file doesn't exist. Leave them if it does.
+
+LP: #2011783
+
+Co-authored-by: Chad Smith
+---
+ cloudinit/net/eni.py | 4 +++-
+ cloudinit/net/sysconfig.py | 7 ++++++-
+ tests/unittests/distros/test_netconfig.py | 20 ++++++++++++++++++--
+ 3 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/cloudinit/net/eni.py b/cloudinit/net/eni.py
+index b0ec67b..f6398e3 100644
+--- a/cloudinit/net/eni.py
++++ b/cloudinit/net/eni.py
+@@ -571,7 +571,9 @@ class Renderer(renderer.Renderer):
+ netrules = subp.target_path(target, self.netrules_path)
+ util.ensure_dir(os.path.dirname(netrules))
+ util.write_file(
+- netrules, self._render_persistent_net(network_state)
++ netrules,
++ content=self._render_persistent_net(network_state),
++ preserve_mode=True,
+ )
+
+
+diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
+index 07f474d..d22354c 100644
+--- a/cloudinit/net/sysconfig.py
++++ b/cloudinit/net/sysconfig.py
+@@ -1008,7 +1008,12 @@ class Renderer(renderer.Renderer):
+ if self.netrules_path:
+ netrules_content = self._render_persistent_net(network_state)
+ netrules_path = subp.target_path(target, self.netrules_path)
+- util.write_file(netrules_path, netrules_content, file_mode)
++ util.write_file(
++ netrules_path,
++ content=netrules_content,
++ mode=file_mode,
++ preserve_mode=True,
++ )
+
+ sysconfig_path = subp.target_path(target, templates.get("control"))
+ # Distros configuring /etc/sysconfig/network as a file e.g. Centos
+diff --git a/tests/unittests/distros/test_netconfig.py b/tests/unittests/distros/test_netconfig.py
+index a25be48..8760975 100644
+--- a/tests/unittests/distros/test_netconfig.py
++++ b/tests/unittests/distros/test_netconfig.py
+@@ -376,8 +376,16 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
+ def eni_path(self):
+ return "/etc/network/interfaces.d/50-cloud-init.cfg"
+
++ def rules_path(self):
++ return "/etc/udev/rules.d/70-persistent-net.rules"
++
+ def _apply_and_verify_eni(
+- self, apply_fn, config, expected_cfgs=None, bringup=False
++ self,
++ apply_fn,
++ config,
++ expected_cfgs=None,
++ bringup=False,
++ previous_files=(),
+ ):
+ if not expected_cfgs:
+ raise ValueError("expected_cfg must not be None")
+@@ -385,7 +393,11 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
+ tmpd = None
+ with mock.patch("cloudinit.net.eni.available") as m_avail:
+ m_avail.return_value = True
++ path_modes = {}
+ with self.reRooted(tmpd) as tmpd:
++ for previous_path, content, mode in previous_files:
++ util.write_file(previous_path, content, mode=mode)
++ path_modes[previous_path] = mode
+ apply_fn(config, bringup)
+
+ results = dir2dict(tmpd)
+@@ -396,17 +408,21 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
+ print(results[cfgpath])
+ print("----------")
+ self.assertEqual(expected, results[cfgpath])
+- self.assertEqual(0o644, get_mode(cfgpath, tmpd))
++ self.assertEqual(
++ path_modes.get(cfgpath, 0o644), get_mode(cfgpath, tmpd)
++ )
+
+ def test_apply_network_config_eni_ub(self):
+ expected_cfgs = {
+ self.eni_path(): V1_NET_CFG_OUTPUT,
++ self.rules_path(): "",
+ }
+ # ub_distro.apply_network_config(V1_NET_CFG, False)
+ self._apply_and_verify_eni(
+ self.distro.apply_network_config,
+ V1_NET_CFG,
+ expected_cfgs=expected_cfgs.copy(),
++ previous_files=((self.rules_path(), "something", 0o660),),
+ )
+
+ def test_apply_network_config_ipv6_ub(self):
+--
+2.39.1
+
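Review bot: Both `util.write_file(` calls now pass `preserve_mode=True` without a comment saying why, and the consequence is security-relevant: an existing netrules file keeps whatever mode it already had, so a group- or world-writable `/etc/udev/rules.d/70-persistent-net.rules` is rewritten but not tightened (the changed test expects a pre-set `0o660` to survive). That matches the commit message, so I would document it at each call, e.g. `# preserve_mode: never chmod an existing target (LP: #2011783); mode only applies when the file is created`. Only the eni renderer is covered by the new `previous_files` case in `TestNetCfgDistroUbuntuEni`; the `cloudinit/net/sysconfig.py` call, which also passes `mode=file_mode`, has no equivalent assertion in this patch and would benefit from one. Both render functions start and end outside the hunks shown.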
diff --git a/cloud-init.spec b/cloud-init.spec
index 5c85efefc6cbf9e5d91c4ec70dd7e6ed710ae41e..5d87858f8bcf30ebcb7ce84eb7a3fbd97957b383 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 22.2
-Release: 6
+Release: 7
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -14,6 +14,7 @@ Patch2: bugfix-sort-requirements.patch
 Patch3: add-variable-to-forbid-tmp-dir.patch
 Patch4: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
 Patch5: backport-Fix-permission-of-SSH-host-keys-1971.patch
+Patch6: backport-Do-not-change-permissions-of-netrules-target.patch
 
 Patch9000: fix-permission-of-the-private-key.patch
 
@@ -130,6 +131,9 @@ fi
 %exclude /usr/share/doc/*
 
 %changelog
+* Fri Apr 14 2023 shixuantong - 22.2-7
+- Don't change permissions of netrules target
+
 * Tue Mar 14 2023 shixuantong - 22.2-6
 - Fix permission of SSH host keys