diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index eed9763b33..2df0ffa797 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -68,6 +68,52 @@ outputs:
 - redis::daemonize: false
 tripleo::stunnel::manage_service: false
 tripleo::stunnel::foreground: 'yes'
+ - tripleo::redis::firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
+ tripleo::profile::base::database::redis::tls_proxy_bind_ip:
+ str_replace:
+ template:
+ "%{hiera('$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::base::database::redis::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::base::database::redis::tls_proxy_port: 6379
+ - if:
+ - internal_tls_enabled
+ - tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
+ redis_certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/redis.crt'
+ service_key: '/etc/pki/tls/private/redis.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ dnsnames:
+ - str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ - str_replace:
+ template:
+ "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ principal:
+ str_replace:
+ template: "redis/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
+ - {}
 logging_source: {get_attr: [RedisBase, role_data, logging_source]}
 logging_groups: {get_attr: [RedisBase, role_data, logging_groups]}
 service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
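Review bot: The new `'108 redis'` firewall rule opens both 6379 and 26379, but the only TLS proxy port configured in this hunk is `tls_proxy_port: 6379`. If 26379 (the default Sentinel port) is bound on the Redis network, that traffic presumably stays unencrypted even when `internal_tls_enabled` is true. This is worth confirming, and once confirmed a comment above `dport:` such as `# 6379: redis (TLS proxy when internal TLS is on); 26379: sentinel, not proxied` would make the exposure explicit. Separately, the two `tls_proxy_*` templates use the `$NETWORK` placeholder while the certificate spec below uses `NETWORK`, the form the mysql.yaml hunks in this same change standardise on; using `NETWORK` throughout would keep the file consistent.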
@@ -152,6 +198,16 @@ outputs:
 - {}
 metadata_settings:
 get_attr: [RedisBase, role_data, metadata_settings]
+ if:
+ - internal_tls_enabled
+ -
+ - service: redis
+ network: {get_param: [ServiceNetMap, RedisNetwork]}
+ type: vip
+ - service: redis
+ network: {get_param: [ServiceNetMap, RedisNetwork]}
+ type: node
+ - null
 host_prep_tasks:
 - name: create persistent directories
 file:
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index be27afa03b..7fa895d11d 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -128,7 +128,7 @@ outputs:
 service_key: '/etc/pki/tls/private/mysql.key'
 hostname:
 str_replace:
- template: "%{hiera('cloud_name_NETWORK')}"
+ template: "%{hiera('fqdn_NETWORK')}"
 params:
 NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
 dnsnames:
@@ -138,12 +138,12 @@ outputs:
 NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
 - str_replace:
 template:
- "%{hiera('fqdn_$NETWORK')}"
+ "%{hiera('fqdn_NETWORK')}"
 params:
- $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
 principal:
 str_replace:
- template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ template: "mysql/%{hiera('fqdn_NETWORK')}"
 params:
 NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
 - {}
diff --git a/puppet/services/haproxy-internal-tls-certmonger.j2.yaml b/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
index da8b6a224e..dc12ac50fb 100644
--- a/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
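Review bot: In the second redis.yaml hunk the existing `get_attr: [RedisBase, role_data, metadata_settings]` line is kept as context immediately before the added `if:`. Indentation is not visible in this view, but if both keys end up directly under `metadata_settings:`, the value becomes a mapping with two intrinsic functions instead of one, which Heat would likely reject or fail to resolve to the intended list. If the conditional is meant to replace the inherited value, delete the `get_attr` line so that `if:` is the only key. These entries presumably back the `redis/<fqdn>` principal that the new certificate spec requests, so a malformed `metadata_settings` would probably surface as a failed certificate request.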
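Review bot: The mysql.yaml hunks move `hostname` and `principal` from `cloud_name_NETWORK` to `fqdn_NETWORK`, but unlike the redis and haproxy files in this change, no hunk adds a `type: node` entry to mysql's `metadata_settings`. If that entry is not already present outside these hunks, the per-node `mysql/<fqdn>` principal may not exist when certmonger requests the certificate. Please confirm, or add `- service: mysql`, `network: {get_param: [ServiceNetMap, MysqlNetwork]}`, `type: node` next to the existing entries. The certificate-spec block that both hunks touch starts and ends outside them.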
@@ -86,8 +86,11 @@ outputs:
 - ''
 - - {get_param: HAProxyInternalTLSKeysDirectory}
 - '/overcloud-haproxy-NETWORK.key'
- hostname: "%{hiera('cloud_name_NETWORK')}"
- principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
+ hostname: "%{hiera('fqdn_NETWORK')}"
+ dnsnames:
+ - "%{hiera('cloud_name_NETWORK')}"
+ - "%{hiera('fqdn_NETWORK')}"
+ principal: "haproxy/%{hiera('fqdn_NETWORK')}"
 postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
 for_each:
 NETWORK: {get_attr: [HAProxyNetworks, value]}
@@ -97,5 +100,8 @@ outputs:
 - service: haproxy
 network: $NETWORK
 type: vip
+ - service: haproxy
+ network: $NETWORK
+ type: node
 for_each:
 $NETWORK: {get_attr: [HAProxyNetworks, value]}
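Review bot: The first haproxy hunk does not record why `cloud_name_NETWORK` stays in `dnsnames` while `hostname` and `principal` move to the node FQDN. Clients presumably still reach haproxy through the VIP name, so hostname verification depends on that SAN remaining in the certificate, and a later cleanup could drop it as redundant. A short comment above `dnsnames:` would guard against that, for example `# subject and principal are per-node; the VIP name is kept as a SAN for clients connecting via cloud_name`. The certificate spec continues outside the hunk.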