diff --git a/ansible/roles/haproxy-config/tasks/main.yml b/ansible/roles/haproxy-config/tasks/main.yml
index dadca2651f674ba4d55096ba03b2d9e5bf4c452e..250529890529d511ddee0053172d565b06156f76 100644
--- a/ansible/roles/haproxy-config/tasks/main.yml
+++ b/ansible/roles/haproxy-config/tasks/main.yml
@@ -24,8 +24,9 @@
 - name: "Configuring firewall for {{ project_name }}"
 firewalld:
- offline: "yes"
- permanent: "yes"
+ immediate: true
+ offline: true
+ permanent: true
 port: "{{ item.value.port }}/tcp"
 state: "enabled"
 zone: "{{ external_api_firewalld_zone }}"
@@ -38,5 +39,3 @@
 - enable_external_api_firewalld | bool
 - kolla_action != "config"
 with_dict: "{{ project_services | extract_haproxy_services }}"
- notify:
- - "Reload firewalld"
diff --git a/ansible/roles/loadbalancer/handlers/main.yml b/ansible/roles/loadbalancer/handlers/main.yml
index 6aeb61e2351e0fe9a34ca2a38e09b7faa0ba8af5..ae0b25b3af9afb732ab266be6b11319d0c5a4a36 100644
--- a/ansible/roles/loadbalancer/handlers/main.yml
+++ b/ansible/roles/loadbalancer/handlers/main.yml
@@ -1,10 +1,4 @@
 ---
-- name: Reload firewalld
- become: True
- service:
- name: "firewalld"
- state: reloaded
-
 # NOTE(yoctozepto): this handler dance is to ensure we delay restarting master
 # keepalived and haproxy which control VIP address until we have working backups.
 # This could be improved by checking if backup keepalived do not report FAULT state.
diff --git a/releasenotes/notes/firewalld-immediate-c2abf09977c455a9.yaml b/releasenotes/notes/firewalld-immediate-c2abf09977c455a9.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cd858cf488aab7d03c206ff823003071a340e424
--- /dev/null
+++ b/releasenotes/notes/firewalld-immediate-c2abf09977c455a9.yaml
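Review bot: The `firewalld` task in the first hunk now sets `immediate: true`, but nothing visible checks that the daemon is running, so on a host where `enable_external_api_firewalld` is set and firewalld is stopped the task would presumably fail instead of writing the permanent rule as it did before. To my knowledge the module refuses immediate changes without a running daemon, which would also make the retained `offline: true` misleading to the next reader. I would add a comment above the module arguments, `# immediate needs a running firewalld; offline only covers the permanent rule`, and consider a precheck or a service start ahead of this task. The task continues outside the hunk (its `when:` list shows up in the next hunk), so a guard may already exist in lines not shown.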
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Modifies public API firewalld rules to be applied immediately to a running
+ firewalld service. This requires firewalld to be running, but avoids
+ reloading firewalld, which is disruptive due to the way in which firewalld
+ builds its firewall chains.