diff --git a/nomad/job_endpoint_hook_expose_check.go b/nomad/job_endpoint_hook_expose_check.go
index ebb51a524afa..3ebab92200b1 100644
--- a/nomad/job_endpoint_hook_expose_check.go
+++ b/nomad/job_endpoint_hook_expose_check.go
@@ -170,7 +170,7 @@ func serviceUsesConnectEnvoy(s *structs.Service) bool {
 	}
 
 	// A non-nil connect.sidecar_task stanza implies the sidecar task is being
-	// overridden (i.e. the default Envoy is not being uesd).
+	// overridden (i.e. the default Envoy is not being used).
 	if s.Connect.SidecarTask != nil {
 		return false
 	}
@@ -199,6 +199,12 @@ func exposePathForCheck(tg *structs.TaskGroup, s *structs.Service, check *struct
 		return nil, nil
 	}
 
+	// Borrow some of the validation before we start manipulating the group
+	// network, which needs to exist once.
+	if err := tgValidateUseOfBridgeMode(tg); err != nil {
+		return nil, err
+	}
+
 	// If the check is exposable but doesn't have a port label set build
 	// a port with a generated label, add it to the group's Dynamic ports
 	// and set the check port label to the generated label.
diff --git a/nomad/job_endpoint_hook_expose_check_test.go b/nomad/job_endpoint_hook_expose_check_test.go
index 4abf089c2fba..a587efee3288 100644
--- a/nomad/job_endpoint_hook_expose_check_test.go
+++ b/nomad/job_endpoint_hook_expose_check_test.go
@@ -376,6 +376,30 @@ func TestJobExposeCheckHook_exposePathForCheck(t *testing.T) {
 			ListenerPort:  tg.Networks[0].DynamicPorts[0].Label,
 		}, ePath)
 	})
+
+	t.Run("missing network with no service check port label", func(t *testing.T) {
+		// this test ensures we do not try to manipulate the group network
+		// to inject an expose port if the group network does not exist
+		c := &structs.ServiceCheck{
+			Name:      "check1",
+			Type:      "http",
+			Path:      "/health",
+			PortLabel: "",   // not set
+			Expose:    true, // will require a service check port label
+		}
+		s := &structs.Service{
+			Name:   "service1",
+			Checks: []*structs.ServiceCheck{c},
+		}
+		tg := &structs.TaskGroup{
+			Name:     "group1",
+			Services: []*structs.Service{s},
+			Networks: nil, // not set, should cause validation error
+		}
+		ePath, err := exposePathForCheck(tg, s, c)
+		require.EqualError(t, err, `group "group1" must specify one bridge network for exposing service check(s)`)
+		require.Nil(t, ePath)
+	})
 }
 
 func TestJobExposeCheckHook_containsExposePath(t *testing.T) {