diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index f2d90a396a..3e6d413712 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -32,7 +32,7 @@ nova_services:
         listen_port: "{{ nova_metadata_listen_port }}"
         tls_backend: "{{ nova_enable_tls_backend }}"
       nova_metadata_external:
-        enabled: "{{ enable_nova }}"
+        enabled: "{{ nova_enable_external_metadata }}"
         mode: "http"
         external: true
         port: "{{ nova_metadata_port }}"
@@ -189,6 +189,8 @@ nova_safety_upgrade: "no"
 nova_services_require_policy_json:
   - nova-api
 
+nova_enable_external_metadata: "no"
+
 ####################
 # Keystone
 ####################
diff --git a/releasenotes/notes/disable-nova-external-metadata-09ba131cf9258be9.yaml b/releasenotes/notes/disable-nova-external-metadata-09ba131cf9258be9.yaml
new file mode 100644
index 0000000000..375e6ee2d0
--- /dev/null
+++ b/releasenotes/notes/disable-nova-external-metadata-09ba131cf9258be9.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Introduce ``nova_enable_external_metadata`` that defaults to ``no`` to
+    control if external facing metadata haproxy frontend should be configured.
+upgrade:
+  - |
+    External Nova metadata service is now disabled by default. It can be
+    enabled by setting ``nova_enable_external_metadata`` to ``yes``.