diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
index 633ee8fbaa..69db973ec7 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh
@@ -197,12 +197,11 @@ metadata:
 spec:
   selector:
     app: prometheus
-  type: NodePort
+  type: ClusterIP
   ports:
   - name: prometheus
     protocol: TCP
     port: 9090
-    nodePort: 30900
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -307,11 +306,10 @@ metadata:
   name: grafana
   namespace: prometheus-monitoring
 spec:
-  type: "NodePort"
+  type: ClusterIP
   ports:
     - port: 3000
       targetPort: 3000
-      nodePort: 30603
   selector:
     grafana: "true"
 ---
diff --git a/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml b/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml
new file mode 100644
index 0000000000..dd122e9ee1
--- /dev/null
+++ b/releasenotes/notes/k8s-prometheus-clusterip-b191fa163e3f1125.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Use ClusterIP as the default Prometheus service type, because the NodePort
+    type service has the requirement that extra security group rule is properly
+    configured. Kubernetes cluster administrator could still change the service
+    type after the cluster creation.