diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 77e1d8eb033..0a7fb5f552e 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -33,6 +33,7 @@ from neutron.agent.l3 import namespaces
 from neutron.agent.linux import external_process
 from neutron.agent.linux import ip_lib
 from neutron.agent.linux import utils as linux_utils
+from neutron.common import coordination
 from neutron.common import utils as common_utils
 
 
@@ -307,26 +308,10 @@ class MetadataDriver(object):
 def after_router_added(resource, event, l3_agent, **kwargs):
     router = kwargs['router']
     proxy = l3_agent.metadata_driver
-    ipv6_enabled = netutils.is_ipv6_enabled()
-    for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
-                                            proxy.metadata_access_mark):
-        router.iptables_manager.ipv4['filter'].add_rule(c, r)
-    if ipv6_enabled:
-        for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
-                                                proxy.metadata_access_mark):
-            router.iptables_manager.ipv6['filter'].add_rule(c, r)
-    for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
-        router.iptables_manager.ipv4['nat'].add_rule(c, r)
-    if ipv6_enabled:
-        for c, r in proxy.metadata_nat_rules(
-                proxy.metadata_port,
-                metadata_address=(constants.METADATA_V6_IP + '/128')):
-            router.iptables_manager.ipv6['nat'].add_rule(c, r)
-    router.iptables_manager.apply()
-
+    apply_metadata_nat_rules(router, proxy)
     if not isinstance(router, ha_router.HaRouter):
         spawn_kwargs = {}
-        if ipv6_enabled:
+        if netutils.is_ipv6_enabled():
             spawn_kwargs['bind_address'] = '::'
         proxy.spawn_monitored_metadata_proxy(
             l3_agent.process_monitor,
@@ -362,3 +347,22 @@ def before_router_removed(resource, event, l3_agent, payload=None):
                                            router.router['id'],
                                            l3_agent.conf,
                                            router.ns_name)
+
+
+@coordination.synchronized('router-lock-ns-{router.ns_name}')
+def apply_metadata_nat_rules(router, proxy):
+    for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
+                                            proxy.metadata_access_mark):
+        router.iptables_manager.ipv4['filter'].add_rule(c, r)
+    if netutils.is_ipv6_enabled():
+        for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
+                                                proxy.metadata_access_mark):
+            router.iptables_manager.ipv6['filter'].add_rule(c, r)
+    for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
+        router.iptables_manager.ipv4['nat'].add_rule(c, r)
+    if netutils.is_ipv6_enabled():
+        for c, r in proxy.metadata_nat_rules(
+                proxy.metadata_port,
+                metadata_address=(constants.METADATA_V6_IP + '/128')):
+            router.iptables_manager.ipv6['nat'].add_rule(c, r)
+    router.iptables_manager.apply()