diff --git a/pkg/controller/nginxingress/default_test.go b/pkg/controller/nginxingress/default_test.go
new file mode 100644
index 00000000..a5fde36f
--- /dev/null
+++ b/pkg/controller/nginxingress/default_test.go
@@ -0,0 +1,104 @@
+package nginxingress
+
+import (
+ "context"
+ "testing"
+
+ approutingv1alpha1 "github.com/Azure/aks-app-routing-operator/api/v1alpha1"
+ "github.com/stretchr/testify/require"
+ netv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestGetDefaultIngressClassControllerClass(t *testing.T) {
+ cl := fake.NewClientBuilder().Build()
+
+ // when default IngressClass doesn't exist in cluster it defaults to webapprouting.kubernetes.azure.com/nginx
+ cc, err := getDefaultIngressClassControllerClass(cl)
+ require.NoError(t, err)
+ require.Equal(t, "webapprouting.kubernetes.azure.com/nginx", cc)
+
+ // when IngressClass exists in cluster we take whatever is in the Spec.Controller field
+ controller := "controllerField"
+ ic := &netv1.IngressClass{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: DefaultIcName,
+ },
+ Spec: netv1.IngressClassSpec{
+ Controller: controller,
+ },
+ }
+ require.NoError(t, cl.Create(context.Background(), ic))
+ cc, err = getDefaultIngressClassControllerClass(cl)
+ require.NoError(t, err)
+ require.Equal(t, controller, cc)
+}
+
+func TestIsDefaultNic(t *testing.T) {
+ cases := []struct {
+ Name string
+ Nic *approutingv1alpha1.NginxIngressController
+ Expected bool
+ }{
+ {
+ Name: "nil nic",
+ Nic: nil,
+ Expected: false,
+ },
+ {
+ Name: "default name, default IngressClassName",
+ Nic: &approutingv1alpha1.NginxIngressController{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: DefaultNicName,
+ },
+ Spec: approutingv1alpha1.NginxIngressControllerSpec{
+ IngressClassName: DefaultIcName,
+ },
+ },
+ Expected: true,
+ },
+ {
+ Name: "default name, non default IngressClassName",
+ Nic: &approutingv1alpha1.NginxIngressController{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: DefaultNicName,
+ },
+ Spec: approutingv1alpha1.NginxIngressControllerSpec{
+ IngressClassName: "non-default",
+ },
+ },
+ Expected: false,
+ },
+ {
+ Name: "non default name, default
IngressClassName", + Nic: &approutingv1alpha1.NginxIngressController{ + ObjectMeta: metav1.ObjectMeta{ + Name: "non-default", + }, + Spec: approutingv1alpha1.NginxIngressControllerSpec{ + IngressClassName: DefaultIcName, + }, + }, + Expected: false, + }, + { + Name: "non default name, non default IngressClassName", + Nic: &approutingv1alpha1.NginxIngressController{ + ObjectMeta: metav1.ObjectMeta{ + Name: "non-default", + }, + Spec: approutingv1alpha1.NginxIngressControllerSpec{ + IngressClassName: "non-default", + }, + }, + Expected: false, + }, + } + + for _, c := range cases { + t.Run(c.Name, func(t *testing.T) { + require.Equal(t, c.Expected, IsDefaultNic(c.Nic)) + }) + } +} \ No newline at end of file diff --git a/pkg/webhook/nginxingress_test.go b/pkg/webhook/nginxingress_test.go index 35ac360d..b41c5101 100644 --- a/pkg/webhook/nginxingress_test.go +++ b/pkg/webhook/nginxingress_test.go @@ -12,6 +12,7 @@ import ( approutingv1alpha1 "github.com/Azure/aks-app-routing-operator/api/v1alpha1" "github.com/Azure/aks-app-routing-operator/pkg/controller/metrics" + "github.com/Azure/aks-app-routing-operator/pkg/controller/nginxingress" "github.com/Azure/aks-app-routing-operator/pkg/controller/testutils" "github.com/go-logr/logr" "github.com/stretchr/testify/require" @@ -91,6 +92,13 @@ func TestNginxIngressResourceValidator(t *testing.T) { } require.NoError(t, cl.Create(context.Background(), existingNic)) + defaultIc := &netv1.IngressClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: nginxingress.DefaultIcName, + }, + } + require.NoError(t, cl.Create(context.Background(), defaultIc)) + cases := []struct { name string req admission.Request 
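Review bot: TestGetDefaultIngressClassControllerClass checks an absent IngressClass and one with a non-empty `Spec.Controller`, but never an existing class whose `Spec.Controller` is empty, which is exactly the object the webhook test in this diff creates. Because the function returns whatever a cluster object holds rather than a constant, that edge value deserves its own assertion. A third step on a fresh fake client could create the class with only `Name: DefaultIcName` and pin whether the result is `""` or the `webapprouting.kubernetes.azure.com/nginx` fallback. The file also ends without a trailing newline.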
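Review bot: The `defaultIc` fixture in the `@@ -91,6 +92,13 @@` hunk is created with no `Spec.Controller`, so every case in the table now runs against a default IngressClass whose controller is the empty string. default_test.go in this diff treats `webapprouting.kubernetes.azure.com/nginx` as the default value, and setting `Spec: netv1.IngressClassSpec{Controller: "webapprouting.kubernetes.azure.com/nginx"},` would keep the fixture closer to that. The fixture also has no comment saying why it exists; something like `// pre-existing default IngressClass, exercised by the "default nic" cases below` would help, assuming that is the reason. TestNginxIngressResourceValidator starts and ends outside this hunk.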
@@ -238,6 +246,42 @@ func TestNginxIngressResourceValidator(t *testing.T) { authenticator: validUser, expected: admission.Allowed(""), }, + { + name: "valid nginx ingress controller, valid user, default nic", + req: admission.Request{ + AdmissionRequest: admissionv1.AdmissionRequest{ + Operation: admissionv1.Create, + Object: runtime.RawExtension{ + Raw: toRaw(func() *approutingv1alpha1.NginxIngressController { + copy := validNginxIngressController.DeepCopy() + copy.Spec.IngressClassName = nginxingress.DefaultIcName + copy.Name = nginxingress.DefaultNicName + return copy + }()), + }, + }, + }, + authenticator: validUser, + expected: admission.Allowed(""), + }, + { + name: "valid nginx ingress controller, invalid user, default nic", + req: admission.Request{ + AdmissionRequest: admissionv1.AdmissionRequest{ + Operation: admissionv1.Create, + Object: runtime.RawExtension{ + Raw: toRaw(func() *approutingv1alpha1.NginxIngressController { + copy := validNginxIngressController.DeepCopy() + copy.Spec.IngressClassName = nginxingress.DefaultIcName + copy.Name = nginxingress.DefaultNicName + return copy + }()), + }, + }, + }, + authenticator: invalidUser, + expected: admission.Denied("invalid user"), + }, } metrics.InitControllerMetrics(nginxResourceValidationName)
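Review bot: Both added cases set `Name` and `Spec.IngressClassName` to the defaults together, so the admission path has no case for the mixed pairs that TestIsDefaultNic classifies as non-default. With `defaultIc` now present in the fake cluster, a `validUser` request that sets `copy.Spec.IngressClassName = nginxingress.DefaultIcName` but keeps a non-default `Name` would show the exemption is no wider than IsDefaultNic. Its expected result depends on validator code not visible here, presumably a denial because the IngressClass already exists. As a style point, the local `copy` shadows the builtin and the two closures are identical, so one shared helper such as `defaultNic := func() *approutingv1alpha1.NginxIngressController { … }` would remove the duplication. The test function starts and ends outside the hunk.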