diff --git a/inventory/host_vars/copr-keygen.cloud.fedoraproject.org b/inventory/host_vars/copr-keygen.cloud.fedoraproject.org
index bb930a7083..b8432d52ae 100644
--- a/inventory/host_vars/copr-keygen.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-keygen.cloud.fedoraproject.org
@@ -11,7 +11,7 @@ description: copr key gen instance
 # volumes: ['-d /dev/vdc vol-0000002e']
 volumes: []
 # security_group: default
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent,keygen-persistent
 
 inventory_tenant: persistent
 # name of machine in OpenStack
diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
index 9817c1b35d..f367173a1a 100644
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
@@ -1005,6 +1005,32 @@
           remote_ip_prefix: "0.0.0.0/0"
     with_items: all_tenants
 
+  - name: "Create 'keygen-persistent' security group"
+    neutron_sec_group:
+      login_username: "admin"
+      login_password: "{{ ADMIN_PASS }}"
+      login_tenant_name: "admin"
+      auth_url: "https://{{controller_hostname}}:35357/v2.0"
+      state: "present"
+      name: 'keygen-persistent'
+      description: "rules for copr-keygen"
+      tenant_name: "{{item}}"
+      rules:
+        - direction: "ingress"
+          port_range_min: "5167"
+          port_range_max: "5167"
+          ethertype: "IPv4"
+          protocol: "tcp"
+          remote_ip_prefix: "172.25.32.1/20"
+        - direction: "ingress"
+          port_range_min: "80"
+          port_range_max: "80"
+          ethertype: "IPv4"
+          protocol: "tcp"
+          remote_ip_prefix: "172.25.32.1/20"
+    with_items: all_tenants
+
+
   # Update quota for Copr
   #   SEE:
   #   nova quota-defaults