diff --git a/defaults/main.yml b/defaults/main.yml
index cbfded02..d1ee41ad 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -69,17 +69,18 @@ galera_running_and_bootstrapped: false
 galera_monitoring_user: monitoring
 galera_monitoring_user_password: ""
-# NOTE(cloudnull): Set an interface or CIDR to limit the traffic source when
-# monitoring the galera cluster status by default this is set
-# to the first network in the ansible_interfaces list (usually
-# default). From that information we pull the CIDR. To define
-# this in prod most users will simply need to set the variable
-# "galera_monitoring_default_network" to the interface used for
-# management traffic, IE: "eth1".
-galera_monitoring_default_network: "{{ 'ansible_' + (ansible_interfaces | difference(['lo']))[0] }}"
-galera_monitoring_network: "{{ hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['network'] }}"
-galera_monitoring_netmask: "{{ (galera_monitoring_network + '/' + hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['netmask']) | ipaddr('prefix') }}"
-galera_monitoring_allowed_source: "{{ galera_monitoring_network }}/{{ galera_monitoring_netmask }}"
+
+# WARNING: Set this to open xinetd rules for galera monitoring.
+# This is REQUIRED to run a working openstack-ansible deployment.
+# If it's undefined the galera cluster state can't be reported,
+# and haproxy would fail to do proper load balancing on the cluster.
+# Because this opens connections to the cluster status, this
+# should be restricted, which we do in the integrated build.
+# Please override accordingly to your use case.
+# This can be replaced with other hostnames, cidr, ips, and ips + wildcards.
+#
+#galera_monitoring_allowed_source: "0.0.0.0/0"
+
 galera_root_user: root
 # WARNING: This option is deprecated and will be removed in v12.0
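Review bot: The only example given for `galera_monitoring_allowed_source` is `"0.0.0.0/0"`, which is the value a reader will copy even though the comment a few lines above says the setting should be restricted; showing a management-network CIDR as the example (a constructed value such as `"10.0.0.0/24"`, labelled as an example) and mentioning `0.0.0.0/0` only as the discouraged wide-open form would match the stated intent, since clustercheck reports cluster state to whoever can reach it. Because the template renders this variable verbatim into an xinetd `only_from` line, the comment should also state that the value must be a single string in xinetd source syntax (space-separated entries), not a YAML list, or the rendered config will contain a list literal. The sentence `Please override accordingly to your use case.` reads better as `Override this according to your use case.`. The header counts (`-69,17 +69,18`) suggest two more context lines than are visible here, so the hunk's tail may have been truncated in this copy.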
diff --git a/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
new file mode 100644
index 00000000..8707d297
--- /dev/null
+++ b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Galera healthcheck has been improved, and relies on an xinetd service.
+ By default, the service is unaccessible (filtered with the no_access
+ directive). You can override the directive by setting any xinetd
+ valid value to ``galera_monitoring_allowed_source``.
diff --git a/templates/mysqlchk.j2 b/templates/mysqlchk.j2
index 25a19bcd..3aa36001 100644
--- a/templates/mysqlchk.j2
+++ b/templates/mysqlchk.j2
@@ -11,6 +11,10 @@ service mysqlchk
 user = nobody
 server = /usr/local/bin/clustercheck
 log_on_failure += USERID
+ {% if galera_monitoring_allowed_source is defined %}
 only_from = {{ galera_monitoring_allowed_source }}
+ {% else %}
+ no_access
+ {% endif %}
 per_source = UNLIMITED
 }
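Review bot: The `else` branch relies on a bare `no_access` with no value to deny every source when `galera_monitoring_allowed_source` is undefined, but as far as I can tell xinetd.conf(5) documents the empty-value deny-all behaviour for `only_from` (an `only_from` line with no value makes the service available to nobody), not for `no_access`, so the closed-by-default clustercheck endpoint the release note promises should be confirmed against a rendered config rather than assumed. If a bare `no_access` denies nobody, the undefined-variable default would expose cluster state to any source that can reach the port, the opposite of the stated intent, and an `only_from =` fallback with no value would be the documented deny-all form. Separately, the variable is interpolated verbatim into `only_from = {{ galera_monitoring_allowed_source }}`, so a YAML list value renders as a Python-style list literal and an empty string renders an empty `only_from`; a comment in the template such as `{# value must be a single xinetd source string, e.g. space-separated CIDRs #}` would make the contract visible where it is consumed. The enclosing `service mysqlchk` block starts before the hunk.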