diff --git a/roles/postgresql_server_bdr/templates/pg_hba.conf b/roles/postgresql_server_bdr/templates/pg_hba.conf
index fb5cdfe1e1..eb4f52df90 100644
--- a/roles/postgresql_server_bdr/templates/pg_hba.conf
+++ b/roles/postgresql_server_bdr/templates/pg_hba.conf
@@ -76,17 +76,17 @@ host all all 0.0.0.0 0.0.0.0 md5
 # Note, I can't think of a reason to make this more restrictive than ipv4 but
 # only fakefas needs it so far
 host all all ::1/128 md5
-{% for host in groups['pgbdr-stg']|sort %}
 # staging replication hosts
+{% for host in groups['pgbdr-stg']|sort %}
 {% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-host     replication    all             {{ hostvars[host]['eth0_ip'] }} md5
+host     replication    all             {{ hostvars[host]['eth0_ip'] }}/32 md5
 {% else %}# {{ host }} has no 'eth0_ip' listed
 {% endif %}
 {% endfor %}
-{% for host in groups['pgbdr']|sort %}
 # production replication hosts
+{% for host in groups['pgbdr']|sort %}
 {% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-host     replication    all             {{ hostvars[host]['eth0_ip'] }} md5
+host     replication    all             {{ hostvars[host]['eth0_ip'] }}/32 md5
 {% else %}# {{ host }} has no 'eth0_ip' listed
 {% endif %}
 {% endfor %}