diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 80a7df7bc1..fb8b1aa8ad 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -8,6 +8,8 @@ resource_registry:
   OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_from_pool.yaml
 
 parameter_defaults:
+  # ensure we enable ip_forward before docker gets run
+  KernelIpForward: 1
   EnablePackageInstall: true
   StackAction: CREATE
   SoftwareConfigTransport: POLL_SERVER_HEAT
diff --git a/extraconfig/post_deploy/undercloud_post.sh b/extraconfig/post_deploy/undercloud_post.sh
index 8b575095e2..e77145931e 100755
--- a/extraconfig/post_deploy/undercloud_post.sh
+++ b/extraconfig/post_deploy/undercloud_post.sh
@@ -178,9 +178,3 @@ if [ "$(hiera mistral_api_enabled)" = "true" ]; then
    fi
 
 fi
-
-# IP forwarding is needed to allow the overcloud nodes access to the outside
-# internet in cases where they are on an isolated network.
-sysctl -w net.ipv4.ip_forward=1
-# Make it persistent
-echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip-forward.conf
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index e34ae75167..821106cd53 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -38,6 +38,10 @@ parameters:
     default: 0
     description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
     type: number
+  KernelIpForward:
+    default: 1
+    description: Configures net.ipv4.ip_forward key
+    type: number
   NeighbourGcThreshold1:
     default: 1024
     description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value.
@@ -117,6 +121,9 @@ outputs:
                 value: {get_param: KernelDisableIPv6}
               net.ipv6.conf.all.disable_ipv6:
                 value: {get_param: KernelDisableIPv6}
+              # enable/disable ip forward for undercloud/docker
+              net.ipv4.ip_forward:
+                value: {get_param: KernelIpForward}
               # prevent neutron bridges from autoconfiguring ipv6 addresses
               net.ipv6.conf.all.accept_ra:
                 value: 0
diff --git a/releasenotes/notes/configure-ip-forward-268c165708cbd203.yaml b/releasenotes/notes/configure-ip-forward-268c165708cbd203.yaml
new file mode 100644
index 0000000000..938cb3f0ea
--- /dev/null
+++ b/releasenotes/notes/configure-ip-forward-268c165708cbd203.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add KernelIpForward configuration to enable/disable the net.ipv4.ip_forward
+    configuration.