diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 3d2d5e5427..2bef414dc5 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -26,9 +26,7 @@ custom_rules: [
   # For Zanata
   # See files/httpd/website_id_fp_o_zanata.conf for info
   '-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
-  # Allow ocp control plane hosts
-  '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.35 -j ACCEPT', # batcave01
-  '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.129 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
+  '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
 ipa_client_shell_groups:
   - fi-apprentice
   - sysadmin-noc
@@ -82,6 +80,8 @@ tcp_ports: [
   1088,
   # This is for RabbitMQ public access
   5671,
+  # openshift 4 api
+  6443,
   # This is for RabbitMQ internal-public access
   15671,
   # This is for the haproxy HTML stats page
diff --git a/inventory/group_vars/proxies_stg b/inventory/group_vars/proxies_stg
index c7c430e4f2..7e8f50d380 100644
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
@@ -27,9 +27,7 @@ custom_rules: [
   '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.72 -j ACCEPT',
   # Allow happinesspackets-stg.fedorainfracloud.org to talk to the inbound fedmsg relay
   '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.123 -j ACCEPT',
-  # Allow ocp control plane hosts
-  '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.35 -j ACCEPT', # batcave01
-  '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.50 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
+  '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
 ipa_client_shell_groups:
   - fi-apprentice
   - sysadmin-noc
@@ -73,6 +71,8 @@ tcp_ports: [
   1088,
   # This is for RabbitMQ public access
   5671,
+  # openshift 4 api
+  6443,
   # This is for RabbitMQ internal-public access
   15671,
   # This is for the haproxy HTML stats page
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 5be5bf523c..e34c9b7018 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -48,6 +48,9 @@ backend ocp-masters-backend-kapi
     server  ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
     server  ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
     server  ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+    server  ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+    server  ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+    server  ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 # temp bootstrap node
 #    server  bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 
@@ -61,6 +64,9 @@ backend ocp-masters-backend-machineconfig
     server  ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
     server  ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
     server  ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+    server  ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+    server  ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+    server  ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 # temp bootstrap node
 #    server  bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 {% endif %}
@@ -76,6 +82,7 @@ backend ocp-masters-backend-kapi
     server  ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
     server  ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
     server  ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+    server  ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 # temp bootstrap node
 #    server  bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 
@@ -89,6 +96,7 @@ backend ocp-masters-backend-machineconfig
     server  ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
     server  ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
     server  ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+    server  ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 # temp bootstrap node
 #    server  bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 {% endif %}