diff --git a/test/e2e/helpers.go b/test/e2e/helpers.go
index afd50c93fb5..5f034abda5a 100644
--- a/test/e2e/helpers.go
+++ b/test/e2e/helpers.go
@@ -47,6 +47,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 typedappsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
@@ -58,6 +59,7 @@ import (
 "sigs.k8s.io/cluster-api/test/framework/kubernetesversions"
 "sigs.k8s.io/controller-runtime/pkg/client"
+ infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 "sigs.k8s.io/cluster-api-provider-azure/azure"
 )
@@ -854,4 +856,36 @@ func waitForWebhookCAInjection(ctx context.Context, c client.Client) {
 }
 }
 }, 5*time.Minute, 5*time.Second).Should(Succeed(), "cert-manager cainjector did not inject CA bundles into webhook configurations in time")
+
+ // Even after the CABundle is populated on the webhook configuration, the
+ // kube-apiserver may not have picked up the updated config from its
+ // informer cache yet. Perform a dry-run create of an AzureCluster to
+ // verify the CAPZ mutating webhook is reachable end-to-end with valid TLS.
+ By("Verifying CAPZ webhook is reachable via dry-run create")
+ Eventually(func() error {
+ obj := &infrav1.AzureCluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "capz-webhook-probe",
+ Namespace: "default",
+ },
+ Spec: infrav1.AzureClusterSpec{
+ AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+ SubscriptionID: "00000000-0000-0000-0000-000000000000",
+ Location: "eastus",
+ },
+ ResourceGroup: "capz-webhook-probe",
+ },
+ }
+ err := client.NewDryRunClient(c).Create(ctx, obj)
+ if err == nil {
+ return nil
+ }
+ // A webhook validation rejection (e.g. Invalid/Forbidden) means the
+ // webhook was reachable with valid TLS, which is all we need to verify.
+ // Only keep retrying on errors that indicate TLS is not yet working.
+ if apierrors.IsInvalid(err) || apierrors.IsForbidden(err) {
+ return nil
+ }
+ return err
+ }, 5*time.Minute, 5*time.Second).Should(Succeed(), "dry-run AzureCluster create failed, webhook TLS may not be ready")
 }
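Review bot: `apierrors.IsForbidden(err)` is accepted as proof that the webhook answered, but a 403 can also come from the API server's authorization layer, which runs before admission; if the test client lacks `create` on azureclusters in `default`, the probe passes without the webhook TLS path ever being exercised. Narrowing the accept condition to Forbidden errors that originate from admission, e.g. `if apierrors.IsInvalid(err) || (apierrors.IsForbidden(err) && strings.Contains(err.Error(), "admission webhook")) {`, keeps the RBAC case retrying (this assumes `strings` is already imported in helpers.go; the visible import hunks do not show it). A caveat worth adding to the comment above the check: the probe can only detect a broken TLS path if the webhook configuration's failurePolicy is Fail, because with Ignore a TLS failure lets the dry-run create succeed and the probe reports ready. The leading comment also says the probe verifies the mutating webhook while the Invalid/Forbidden rejections it accepts come from validation, so `// verify the CAPZ mutating webhook is reachable` reads more accurately as `// verify the CAPZ admission webhooks are reachable`.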