diff --git a/docker/services/nova-metadata.yaml b/docker/services/nova-metadata.yaml
index ac98e655e1..208d9e9be8 100644
--- a/docker/services/nova-metadata.yaml
+++ b/docker/services/nova-metadata.yaml
@@ -44,10 +44,14 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ MetadataNATRule:
+ default: false
+ description: When true we create the NAT rule for the metadata service
+ type: boolean
 conditions:
- internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+ need_metadata_nat_rule: {equals: [{get_param: MetadataNATRule}, true]}
 resources:
@@ -80,6 +84,20 @@ outputs:
 - get_attr: [NovaMetadataBase, role_data, config_settings]
 - get_attr: [NovaMetadataLogging, config_settings]
 - apache::default_vhost: false
+ - tripleo.nova_metadata.firewall_rules:
+ if:
+ - need_metadata_nat_rule
+ - '144 undercloud metadata nat':
+ dport: 80
+ proto: 'tcp'
+ table: 'nat'
+ chain: 'PREROUTING'
+ jump: 'REDIRECT'
+ iniface: 'br-ctlplane'
+ destination: '169.254.169.254/32'
+ extras:
+ toports: 8775
+ - {}
 logging_source: {get_attr: [NovaMetadataBase, role_data, logging_source]}
 logging_groups: {get_attr: [NovaMetadataBase, role_data, logging_groups]}
 service_config_settings:
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 88867df07f..70cb8e9e9f 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -141,3 +141,5 @@ parameter_defaults:
 connect_timeout: 60
 MistralExecutorExtraVolumes:
 - /usr/share/ceph-ansible:/usr/share/ceph-ansible:ro
+ NeutronMetadataProxySharedSecret: ''
+ MetadataNATRule: true
diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml
index bd0c56dc13..cd19cc885e 100644
--- a/puppet/services/neutron-metadata.yaml
+++ b/puppet/services/neutron-metadata.yaml
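Review bot: The `internal_tls_enabled` condition is removed from docker/services/nova-metadata.yaml while the `EnableInternalTLS` parameter that fed it stays; if any `if:` elsewhere in the template still names `internal_tls_enabled`, Heat validation will fail, and this hunk cannot show whether that is the case. If the condition really is unreferenced, the removal is fine; otherwise keep both declarations side by side (`internal_tls_enabled: ...` followed by `need_metadata_nat_rule: ...`). The new parameter's description reads as commit prose; `description: Create the iptables NAT rule that redirects 169.254.169.254:80 to the nova metadata port on the undercloud` states what the flag does.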
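Review bot: `tripleo.nova_metadata.firewall_rules` is added as its own `map_merge` entry after `get_attr: [NovaMetadataBase, role_data, config_settings]`; Heat's map_merge is shallow, so if the base template already emits that key (for instance the INPUT accept for port 8775 that the REDIRECT target depends on), this entry replaces the whole rule set rather than extending it, and with `MetadataNATRule` false it replaces it with `{}`. Whether the base key exists is not visible in this hunk; if it does, the value here should be a `map_merge` of the base key's value and the conditional rule, or the NAT rule should live under the same key in the base template. Separately, `iniface: 'br-ctlplane'` and `destination: '169.254.169.254/32'` are fixed literals; a comment such as `# undercloud ctlplane bridge: the redirect only applies to traffic entering on this interface` records the assumption so a renamed bridge is not silently left without the redirect.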
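Review bot: `NeutronMetadataProxySharedSecret: ''` is load-bearing — it is the value the new `is_neutron_shared_metadata_notempty` conditions in puppet/services/nova-api.yaml and nova-metadata.yaml test to leave the proxy shared secret unset — but nothing in the environment file says so, and the line reads like a placeholder waiting to be filled. A comment above the two lines, `# The undercloud runs no neutron-metadata-agent; instances reach nova metadata through the NAT redirect (MetadataNATRule), so no proxy shared secret is configured`, keeps the next editor from "fixing" it with a generated secret or deleting it. With the secret empty, the signed-header check a proxy secret presumably provides is not in play, so reachability of port 8775 on the ctlplane is the remaining control; that is worth stating in the same comment.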
@@ -75,6 +75,7 @@ conditions:
 neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
 service_debug_unset: {equals: [{get_param: NeutronMetadataAgentDebug}, '']}
 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+ is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
 resources:
@@ -97,8 +98,7 @@ outputs:
 config_settings:
 map_merge:
 - get_attr: [NeutronBase, role_data, config_settings]
- - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
+ - neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
 neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 neutron::agents::metadata::auth_tenant: 'service'
 neutron::agents::metadata::debug:
@@ -123,6 +123,11 @@ outputs:
 - neutron_workers_unset
 - {}
 - neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers}
+ -
+ if:
+ - is_neutron_shared_metadata_notempty
+ - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+ - {}
 service_config_settings:
 fluentd:
 tripleo_fluentd_groups_neutron_metadata:
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index cbd453a270..add5f032db 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -113,6 +113,7 @@ parameters:
 conditions:
 nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+ is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
 resources:
 ApacheServiceBase:
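Review bot: The `is_neutron_shared_metadata_notempty` condition is declared verbatim here and again in puppet/services/nova-api.yaml (@@ -113) and puppet/services/nova-metadata.yaml (@@ -60), and none of the three says that an empty `NeutronMetadataProxySharedSecret` is a deliberate "no proxy secret" mode rather than a missing value. Heat cannot share a condition across templates, so the duplication itself is unavoidable, but each declaration should carry the same one-line comment, e.g. `# empty secret = no metadata proxy signing (undercloud NAT path); see environments/undercloud.yaml`. The name also departs from the `*_unset` / `*_enabled` form of the neighbouring conditions (`neutron_workers_unset`, `internal_tls_enabled`); `neutron_metadata_shared_secret_set` would read consistently.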
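Review bot: When the condition is false, the @@ -123 hunk (and the matching ones in puppet/services/nova-api.yaml @@ -206 and puppet/services/nova-metadata.yaml @@ -128) now omits `neutron::agents::metadata::shared_secret` entirely instead of passing '', so the effective value becomes whatever the puppet class defaults to, which is not visible here; if that default is not also an empty or absent secret, overcloud behaviour with an explicit empty parameter changes silently. A comment on the `- {}` branch, `# empty parameter: fall back to the puppet class default (expected: no secret)`, would make the intended fallback checkable against the puppet module.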
@@ -190,7 +191,6 @@ outputs:
 "%{hiera('fqdn_$NETWORK')}"
 params:
 $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
 nova::api::instance_name_template: {get_param: InstanceNameTemplate}
 nova_enable_db_purge: {get_param: NovaEnableDBPurge}
 nova::cron::archive_deleted_rows::minute: {get_param: NovaCronDBArchivedMinute}
@@ -206,6 +206,11 @@ outputs:
 - {}
 - nova::api::osapi_compute_workers: {get_param: NovaWorkers}
 nova::wsgi::apache_api::workers: {get_param: NovaWorkers}
+ -
+ if:
+ - is_neutron_shared_metadata_notempty
+ - nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+ - {}
 step_config: |
 include tripleo::profile::base::nova::api
 service_config_settings:
diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml
index 24f4183f83..bbca5aa043 100644
--- a/puppet/services/nova-metadata.yaml
+++ b/puppet/services/nova-metadata.yaml
@@ -60,6 +60,7 @@ parameters:
 conditions:
 nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+ is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
 resources:
 ApacheServiceBase:
@@ -101,7 +102,6 @@ outputs:
 nova::keystone::authtoken::password: {get_param: NovaPassword}
 nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
 nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
- nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
 nova::metadata::enable_proxy_headers_parsing: true
 nova_metadata_wsgi_enabled: true
 nova::wsgi::apache_metadata::api_port: '8775'
@@ -128,6 +128,11 @@ outputs:
 - nova_workers_zero
 - {}
 - nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers}
+ -
+ if:
+ - is_neutron_shared_metadata_notempty
+ - nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+ - {}
 step_config: |
 include tripleo::profile::base::nova::metadata
 service_config_settings:
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index f89f3f9e26..2cfd219b25 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -63,7 +63,6 @@
 - OS::TripleO::Services::NeutronCorePlugin
 - OS::TripleO::Services::NeutronDhcpAgent
 - OS::TripleO::Services::NeutronL3Agent
- - OS::TripleO::Services::NeutronMetadataAgent
 - OS::TripleO::Services::NeutronOvsAgent
 - OS::TripleO::Services::NovaApi
 - OS::TripleO::Services::NovaConductor
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index d63bf04356..4d07f2431e 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -66,7 +66,6 @@
 - OS::TripleO::Services::NeutronCorePlugin
 - OS::TripleO::Services::NeutronDhcpAgent
 - OS::TripleO::Services::NeutronL3Agent
- - OS::TripleO::Services::NeutronMetadataAgent
 - OS::TripleO::Services::NeutronOvsAgent
 - OS::TripleO::Services::NovaApi
 - OS::TripleO::Services::NovaConductor