diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 3e777b580c..c04531a579 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -62,6 +62,24 @@ custom_rules: [
 # For Zanata
 # See files/httpd/website_id_fp_o_zanata.conf for info
 '-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
+
+ # Allow ocp control plane hosts
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.120 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.121 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.122 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.123 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.124 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.125 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.126 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.65 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT',
 ]
 
 nat_rules: [
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 6fb134e07f..d771a0144e 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -637,7 +637,7 @@
 balancer_members: "{{ ocp_nodes_stg }}"
 keephost: true
 tags:
- - ocp.fedoraproject.org
+ - ocp.stg.fedoraproject.org
 when: env == "staging"
 
 - role: httpd/reverseproxy
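Review bot: In inventory/group_vars/proxies the sixteen new ACCEPT rules go into the group-wide `custom_rules`, while the reverse-proxy entries touched in the same commit are gated on `when: env == "staging"`. If this cluster is staging-only, every production proxy would presumably also open 6443 and 22623 to 10.3.163.x, so the rules belong in staging-scoped vars instead. The comment should name the ports and explain why 10.3.163.65 sits outside the .120–.126 run, e.g. `# OCP control plane: 6443 = Kubernetes API, 22623 = machine-config server; .65 = <role of this host>`. Port 22623 normally serves node bootstrap configuration, so the per-host `-s` matches are worth keeping, and any source needed only during install should be removed once the cluster is up. Each pair of rules could be merged with `-m multiport --dports 6443,22623` to halve the list; `custom_rules` opens above the hunk.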
@@ -649,7 +649,7 @@
 balancer_members: "{{ ocp_nodes_stg }}"
 keephost: true
 tags:
- - apps.ocp.fedoraproject.org
+ - apps.ocp.stg.fedoraproject.org
 when: env == "staging"
 
 - role: httpd/reverseproxy