diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index 3c06e0bf5..81224ed1e 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+kolla_bifrost_firewalld_internal_zone: trusted
+
 ###############################################################################
 # Diskimage-builder configuration.
diff --git a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2 b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
index 8ffbf2af8..a4d64dd3f 100644
--- a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
+# Firewalld zone used by Bifrost.
+firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
+
 {% if kolla_bifrost_extra_globals %}
 ###############################################################################
 # Extra configuration
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 9e7c9cf25..bd7e97e1d 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+#kolla_bifrost_firewalld_internal_zone:
+
 ###############################################################################
 # Diskimage-builder configuration.
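Review bot: The comment on `kolla_bifrost_firewalld_internal_zone` in the group_vars hunk explains why `trusted` was chosen but not what it gives up: firewalld's trusted zone accepts all incoming connections, so whatever interface Bifrost places in that zone (presumably the seed's provisioning interface) is no longer filtered by the host firewall at all. That trade-off belongs next to the default so an operator reviewing the seed host's exposure sees it, e.g. `# Note: the trusted zone accepts all incoming traffic on the interfaces Bifrost assigns to it; choose a more restrictive zone when the seed host is reachable from untrusted networks.` The same two-line comment is repeated in the etc/kayobe/bifrost.yml hunk and should carry the same addition. As a style point, the other values in this file are quoted (`kolla_bifrost_source_version: "{{ openstack_branch }}"`), so `kolla_bifrost_firewalld_internal_zone: "trusted"` would match.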
diff --git a/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
new file mode 100644
index 000000000..b9cde15b9
--- /dev/null
+++ b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
+ ensuring that all services running on the seed host are accessible.
+ Deployments with stricter firewall policies can select another zone by
+ setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
+ ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
+ seed host, ensure that ``firewalld`` is already configured on the seed host
+ before deploying seed services.
+fixes:
+ - |
+ Fixes loss of connectivity to the seed host after deploying seed services,
+ when using a shared provisioning and admin network. This was caused by
+ Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
+ configures Bifrost to use the ``trusted`` zone, which allows all traffic.