diff --git a/06_create_cluster.sh b/06_create_cluster.sh
index e182c97df..50323480d 100755
--- a/06_create_cluster.sh
+++ b/06_create_cluster.sh
@@ -29,6 +29,10 @@ if [[ ! -z "$INSTALLER_PROXY" ]]; then
 fi
 fi
+if [ -n "$EXTERNAL_LOADBALANCER" ]; then
+ ./external_loadbalancer.sh &
+fi
+
 # Call openshift-installer to deploy the bootstrap node and masters
 create_cluster ${OCP_DIR}
diff --git a/config_example.sh b/config_example.sh
index 6297d8857..f7eb46948 100755
--- a/config_example.sh
+++ b/config_example.sh
@@ -427,6 +427,16 @@ set -x
 # When set to any value this will cause dev-scripts to include duplicate nics
 # on the primary network. This is intended for testing bonded network configs
 # and may not work without a bond config.
+# export BOND_PRIMARY_INTERFACE=1
+
+# EXTERNAL_LOADBALANCER -
+# When set to any value this will cause dev-scripts to configure an haproxy
+# loadbalancer on the host and configure the cluster to use it instead of the
+# internal loadbalancer.
+# Because of the way the loadbalancer config is written, this only works when
+# using single stack (either ipv4 or ipv6) and a static bootstrap IP (see the
+# ENABLE_BOOTSTRAP_STATIC_IP option above).
+# export EXTERNAL_LOADBALANCER=1
 ################################################################################
 ## VM Settings
diff --git a/external_loadbalancer.sh b/external_loadbalancer.sh
index 45bfa649a..384d5b130 100755
--- a/external_loadbalancer.sh
+++ b/external_loadbalancer.sh
@@ -9,6 +9,7 @@ source utils.sh
 sudo firewall-cmd --zone=libvirt --add-port=6443/tcp
 sudo firewall-cmd --zone=libvirt --add-port=8080/tcp
+sudo firewall-cmd --zone=libvirt --add-port=22623/tcp
 haproxy_config="${WORKING_DIR}/haproxy.cfg"
 echo $haproxy_config
@@ -21,6 +22,7 @@ then
 master2=$(nth_ip $EXTERNAL_SUBNET_V6 22)
 worker0=$(nth_ip $EXTERNAL_SUBNET_V6 23)
 worker1=$(nth_ip $EXTERNAL_SUBNET_V6 24)
+ bootstrap=$(nth_ip $EXTERNAL_SUBNET_V6 9)
 else
 master0=$(nth_ip $EXTERNAL_SUBNET_V4 20)
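Review bot: The exit status of `./external_loadbalancer.sh &` in 06_create_cluster.sh is never collected, so a failed `firewall-cmd` or `podman run` inside it goes unnoticed and `create_cluster` starts against a load balancer that may not be there. Keep the PID and check it before the install depends on the proxy, e.g. `./external_loadbalancer.sh & lb_pid=$!` and later `wait "$lb_pid" || exit 1`; if nothing has to overlap with it, running the script in the foreground is simpler. The test is also written `[ -n "$EXTERNAL_LOADBALANCER" ]` where the hunk header line uses `[[ … ]]`; `[[ -n "${EXTERNAL_LOADBALANCER:-}" ]]` matches the file and tolerates an unset variable.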
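Review bot: Only 22623/tcp is opened in the libvirt zone by the first external_loadbalancer.sh hunk, while the same commit adds haproxy frontends on 443 and 6385 as well. Either those two ports are opened somewhere outside this hunk or they are not reachable from the cluster VMs; a comment beside the three `firewall-cmd` lines stating which ports are deliberately left closed would settle it. The rules are added without `--permanent`, so they last only until firewalld is reloaded, which is presumably intended on a dev host but is worth saying in that comment.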
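Review bot: `bootstrap=$(nth_ip $EXTERNAL_SUBNET_V6 9)` hard-codes index 9, and nothing in the script checks that the bootstrap VM really holds that address; the same applies to the V4 line in the next hunk (`@@ -28,6 +30,7 @@`). config_example.sh says the feature only works with a static bootstrap IP, so the script should stop early when that option is not set, e.g. `: "${ENABLE_BOOTSTRAP_STATIC_IP:?EXTERNAL_LOADBALANCER needs a static bootstrap IP}"`, rather than point haproxy at an address another host may own. A comment such as `# index 9: static bootstrap address (assumed to match ENABLE_BOOTSTRAP_STATIC_IP, confirm)` would explain the constant, and quoting the argument (`"$EXTERNAL_SUBNET_V6"`) avoids word splitting. The enclosing `if`/`else` starts outside the hunk.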
@@ -28,6 +30,7 @@ else
 master2=$(nth_ip $EXTERNAL_SUBNET_V4 22)
 worker0=$(nth_ip $EXTERNAL_SUBNET_V4 23)
 worker1=$(nth_ip $EXTERNAL_SUBNET_V4 24)
+ bootstrap=$(nth_ip $EXTERNAL_SUBNET_V4 9)
 fi
 cat << EOF > "$haproxy_config"
@@ -43,6 +46,15 @@ frontend main
 frontend ingress
 bind :::8080 v4v6
 default_backend ingress
+frontend https
+ bind :::443 v4v6
+ default_backend https
+frontend mcs
+ bind :::22623 v4v6
+ default_backend mcs
+frontend ironic
+ bind :::6385 v4v6
+ default_backend ironic
 backend api
 option httpchk GET /readyz HTTP/1.0
 option log-health-checks
@@ -50,6 +62,7 @@ backend api
 server master-0 ${master0}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
 server master-1 ${master1}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
 server master-2 ${master2}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
+ server bootstrap ${bootstrap}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
 backend ingress
 option httpchk GET /healthz/ready HTTP/1.0
 option log-health-checks
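Review bot: The new `https`, `mcs` and `ironic` frontends bind `:::443`, `:::22623` and `:::6385` on every address of the host, so the machine-config and Ironic endpoints are offered on any other network the host is attached to and only the host firewall limits who can reach them. The machine-config endpoint serves node configuration and is normally meant to be reachable from the cluster's machine network only. Consider binding to the host's address on the external subnet (a variable filled from `nth_ip` like the server addresses, used as `bind <lb address>:22623`), or add a comment in the template saying the wildcard bind relies on the firewall zones. The existing `main` and `ingress` frontends follow the same pattern, and the heredoc's global and defaults sections are outside the hunk, so the proxy mode cannot be confirmed from here.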
@@ -59,6 +72,36 @@ backend ingress
 server master-2 ${master2}:80 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
 server w-0 ${worker0}:80 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
 server w-1 ${worker1}:80 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+backend https
+ option httpchk GET /healthz/ready HTTP/1.0
+ option log-health-checks
+ balance roundrobin
+ server master-0 ${master0}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+ server master-1 ${master1}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+ server master-2 ${master2}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+ server w-0 ${worker0}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+ server w-1 ${worker1}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+ server bootstrap ${bootstrap}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+backend mcs
+ option httpchk GET /config/master HTTP/1.0
+ option log-health-checks
+ balance roundrobin
+ server master-0 ${master0}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+ server master-1 ${master1}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+ server master-2 ${master2}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+ server w-0 ${worker0}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+ server w-1 ${worker1}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+ server bootstrap ${bootstrap}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+backend ironic
+ option httpchk GET /v1 HTTP/1.0
+ option log-health-checks
+ balance roundrobin
+ server master-0 ${master0}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
+ server master-1 ${master1}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
+ server master-2 ${master2}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
+ server w-0 ${worker0}:6385 check check-ssl inter 1s fall 2 rise 3 verify none
+ server w-1 ${worker1}:6385 check check-ssl inter 1s fall 2 rise 3 verify none
+ server bootstrap ${bootstrap}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
 EOF
 sudo podman run -d --net host -v "${WORKING_DIR}":/etc/haproxy/:z --entrypoint bash --name extlb quay.io/openshift/origin-haproxy-router -c 'haproxy -f /etc/haproxy/haproxy.cfg'
diff --git a/network.sh b/network.sh
index 35ebb223f..53ad11cb9 100755
--- a/network.sh
+++ b/network.sh
@@ -253,12 +253,20 @@ function get_vips() {
 #
 if [[ -n "${EXTERNAL_SUBNET_V4}" ]]; then
 API_VIPS_V4=$(dig +noall +answer "api.${CLUSTER_DOMAIN}" @$(network_ip ${BAREMETAL_NETWORK_NAME}) | awk '{print $NF}')
- INGRESS_VIPS_V4=$(nth_ip $EXTERNAL_SUBNET_V4 4)
+ if [ -z "$EXTERNAL_LOADBALANCER" ]; then
+ INGRESS_VIPS_V4=$(nth_ip $EXTERNAL_SUBNET_V4 4)
+ else
+ INGRESS_VIPS_V4=$(nth_ip $EXTERNAL_SUBNET_V4 1)
+ fi
 fi
 if [[ -n "${EXTERNAL_SUBNET_V6}" ]]; then
 API_VIPS_V6=$(dig -t AAAA +noall +answer "api.${CLUSTER_DOMAIN}" @$(network_ip ${BAREMETAL_NETWORK_NAME}) | awk '{print $NF}')
- INGRESS_VIPS_V6=$(nth_ip $EXTERNAL_SUBNET_V6 4)
+ if [ -z "$EXTERNAL_LOADBALANCER" ]; then
+ INGRESS_VIPS_V6=$(nth_ip $EXTERNAL_SUBNET_V6 4)
+ else
+ INGRESS_VIPS_V6=$(nth_ip $EXTERNAL_SUBNET_V6 1)
+ fi
 fi
 if [[ "$IP_STACK" == "v4" || "$IP_STACK" == "v4v6" ]]; then
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
index aa6e1c6f8..31dbf2cc0 100644
--- a/ocp_install_env.sh
+++ b/ocp_install_env.sh
@@ -191,6 +191,15 @@ function setVIPs() {
 esac
 }
+function loadbalancer_type() {
+ if [ -n "$EXTERNAL_LOADBALANCER" ]; then
+cat <
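Review bot: In `backend ironic` the `w-0` and `w-1` lines use `inter 1s` while the master and bootstrap lines use `inter 30s`, which looks like a copy-paste slip; `server w-0 ${worker0}:6385 check check-ssl inter 30s fall 2 rise 3 verify none` (and the same for `w-1`) would match the rest. `backend mcs` and `backend ironic` also list the workers, and all three new backends list the bootstrap host; if those services only run on control-plane nodes (to be confirmed), the extra entries are checks that never pass and that `option log-health-checks` records at every state change. Every new server line carries `verify none`, so the TLS health checks accept any certificate, which is tolerable on a dev host but deserves a comment in the template. The heredoc begins outside the hunk.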
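Review bot: The new branches in `get_vips` move the ingress VIP from index 4 to index 1 without saying what index 1 is; a comment such as `# external LB: ingress points at the haproxy host (index 1 of the subnet, assumed to be the host address)` above the first added `if` would help once confirmed. The tests are written `[ -z "$EXTERNAL_LOADBALANCER" ]` while the surrounding lines use `[[ -n "${…}" ]]`; `[[ -z "${EXTERNAL_LOADBALANCER:-}" ]]` matches the file and tolerates an unset variable. The V4 and V6 blocks differ only in the suffix, so choosing the index once (`ingress_idx=4`, then `[[ -n "${EXTERNAL_LOADBALANCER:-}" ]] && ingress_idx=1`) would remove the duplication. `get_vips` starts before the hunk and continues after it.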