diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 56877f10417..d1f447140cd 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -560,6 +560,9 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
 
+# Enable Windows DSR (Direct Server Return)
+export WINDOWS_ENABLE_DSR="${WINDOWS_ENABLE_DSR:-false}"
+
 # TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver. 
 # If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
 export TLS_CIPHER_SUITES=""
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 4b35d7e8224..81a5a9d80be 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -601,6 +601,9 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
 
+# Enable Windows DSR (Direct Server Return)
+export WINDOWS_ENABLE_DSR="${WINDOWS_ENABLE_DSR:-false}"
+
 # TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver.
 # If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
 export TLS_CIPHER_SUITES=""
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 9ab900993ae..4c1829233da 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -944,6 +944,13 @@ function construct-windows-kubeproxy-flags {
   # so we actually log to the file
   flags+=" --logtostderr=false"
 
+  # Enabling Windows DSR mode unlocks newer network features and reduces
+  # port usage for services.
+  # https://techcommunity.microsoft.com/t5/networking-blog/direct-server-return-dsr-in-a-nutshell/ba-p/693710
+  if [[ "${WINDOWS_ENABLE_DSR:-}" == "true" ]]; then
+    flags+=" --feature-gates=WinDSR=true --enable-dsr=true "
+  fi
+
   # Configure flags with explicit empty string values. We can't escape
   # double-quotes, because they still break sc.exe after expansion in the
   # binPath parameter, and single-quotes get parsed as characters instead