diff --git a/data/data/aws/vpc/master-elb.tf b/data/data/aws/vpc/master-elb.tf
index 178b488fdfb..5d26b5b05ec 100644
--- a/data/data/aws/vpc/master-elb.tf
+++ b/data/data/aws/vpc/master-elb.tf
@@ -67,7 +67,7 @@ resource "aws_lb_target_group" "api_external" {
 resource "aws_lb_target_group" "services" {
 name = "${var.cluster_name}-services"
 protocol = "TCP"
- port = 49500
+ port = 22623
 vpc_id = "${local.vpc_id}"
 target_type = "ip"
@@ -78,7 +78,7 @@ resource "aws_lb_target_group" "services" {
 healthy_threshold = 3
 unhealthy_threshold = 3
 interval = 10
- port = 49500
+ port = 22623
 protocol = "HTTPS"
 path = "/healthz"
 }
@@ -98,7 +98,7 @@ resource "aws_lb_listener" "api_internal_api" {
 resource "aws_lb_listener" "api_internal_services" {
 load_balancer_arn = "${aws_lb.api_internal.arn}"
 protocol = "TCP"
- port = "49500"
+ port = "22623"
 default_action {
 target_group_arn = "${aws_lb_target_group.services.arn}"
diff --git a/data/data/aws/vpc/sg-elb.tf b/data/data/aws/vpc/sg-elb.tf
index 6720327fe93..f208e1e72a1 100644
--- a/data/data/aws/vpc/sg-elb.tf
+++ b/data/data/aws/vpc/sg-elb.tf
@@ -32,8 +32,8 @@ resource "aws_security_group_rule" "mcs_ingress" {
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
- from_port = 49500
- to_port = 49500
+ from_port = 22623
+ to_port = 22623
 }
 resource "aws_security_group" "console" {
diff --git a/data/data/aws/vpc/sg-master.tf b/data/data/aws/vpc/sg-master.tf
index aec6b6cdced..a41ef610aa5 100644
--- a/data/data/aws/vpc/sg-master.tf
+++ b/data/data/aws/vpc/sg-master.tf
@@ -12,8 +12,8 @@ resource "aws_security_group_rule" "master_mcs" {
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
- from_port = 49500
- to_port = 49500
+ from_port = 22623
+ to_port = 22623
 }
 resource "aws_security_group_rule" "master_egress" {
diff --git a/data/data/openstack/service/main.tf b/data/data/openstack/service/main.tf
index 0c64a59d90a..7e723a0cd39 100644
--- a/data/data/openstack/service/main.tf
+++ b/data/data/openstack/service/main.tf
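Review bot: The `mcs_ingress` rule in data/data/aws/vpc/sg-elb.tf keeps `cidr_blocks = ["0.0.0.0/0"]` on the renumbered port, so 22623 is admitted from any address at the security-group level; the same holds for `master_mcs` in aws/vpc/sg-master.tf and for `api_mcs` in openstack/topology/sg-lb.tf (`remote_ip_prefix = "0.0.0.0/0"`). The README text touched by this same commit says this port serves Ignition startup configurations and should not be reachable outside the cluster, and the OpenStack `master_mcs` rule already scopes it with `remote_ip_prefix = "${var.cidr_block}"`. Narrowing the three open rules to the VPC or cluster CIDR in the same way would make the rules match the documented intent instead of relying only on the load balancer being internal. Each resource body starts above its hunk, so any other constraints on these rules are not visible here.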
@@ -64,7 +64,7 @@ data "ignition_file" "haproxy_watcher_script" { path = "/usr/local/bin/haproxy-watcher.sh" source { - source = "data:,%23%21%2Fbin%2Fbash%0A%0Aset%20-x%0A%0Aexport%20KUBECONFIG%3D%2Fopt%2Fopenshift%2Fauth%2Fkubeconfig%0ATEMPLATE%3D%22%7B%7Brange%20.items%7D%7D%7B%7B%5C%24name%3A%3D.metadata.name%7D%7D%7B%7Brange%20.status.conditions%7D%7D%7B%7Bif%20eq%20.type%20%5C%22Ready%5C%22%7D%7D%7B%7Bif%20eq%20.status%20%5C%22True%5C%22%20%7D%7D%7B%7B%5C%24name%7D%7D%7B%7Bend%7D%7D%7B%7Bend%7D%7D%7B%7Bend%7D%7D%20%7B%7Bend%7D%7D%22%0AMASTERS%3D%24%28oc%20get%20nodes%20-l%20node-role.kubernetes.io%2Fmaster%20-ogo-template%3D%22%24TEMPLATE%22%29%0AWORKERS%3D%24%28oc%20get%20nodes%20-l%20node-role.kubernetes.io%2Fworker%20-ogo-template%3D%22%24TEMPLATE%22%29%0A%0Aif%20%5B%5B%20%24MASTERS%20-eq%20%22%22%20%5D%5D%3B%0Athen%0A%20%20%20%20MASTER_LINES%3D%22%0A%20%20%20%20server%20${var.cluster_name}-bootstrap-49500%20${var.cluster_name}-bootstrap.${var.cluster_domain}%20check%20port%2049500%0A%20%20%20%20server%20${var.cluster_name}-bootstrap-6443%20${var.cluster_name}-bootstrap.${var.cluster_domain}%20check%20port%206443%22%0A%20%20%20%20MASTERS%3D%22${var.cluster_name}-master-0%20${var.cluster_name}-master-1%20${var.cluster_name}-master-2%22%0Afi%0A%0Afor%20master%20in%20%24MASTERS%3B%0Ado%0A%20%20%20%20MASTER_LINES%3D%22%24MASTER_LINES%0A%20%20%20%20server%20%24master%20%24master.${var.cluster_domain}%20check%20port%206443%22%0Adone%0A%0Afor%20worker%20in%20%24WORKERS%3B%0Ado%0A%20%20%20%20WORKER_LINES%3D%22%24WORKER_LINES%0A%20%20%20%20server%20%24worker%20%24worker.${var.cluster_domain}%20check%20port%20443%22%0Adone%0A%0Acat%20%3E%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.new%20%3C%3C%20EOF%0Alisten%20${var.cluster_name}-api-masters%0A%20%20%20%20bind%200.0.0.0%3A6443%0A%20%20%20%20bind%200.0.0.0%3A49500%0A%20%20%20%20mode%20tcp%0A%20%20%20%20balance%20roundrobin%24MASTER_LINES%0A%0Alisten%20${var.cluster_name}-api-workers%0A%20%20%20%20bind%200.0.0.0%3A80%0A%20%20%20%
20bind%200.0.0.0%3A443%0A%20%20%20%20mode%20tcp%0A%20%20%20%20balance%20roundrobin%24WORKER_LINES%0AEOF%0A%0A%0Amkdir%20-p%20%2Fetc%2Fhaproxy%0ACHANGED%3D%24%28diff%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.new%29%0A%0Aif%20%5B%5B%20%21%20-f%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%20%5D%5D%20%7C%7C%20%5B%5B%20%21%20%24CHANGED%20-eq%20%22%22%20%5D%5D%3B%0Athen%0A%20%20%20%20cp%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.backup%20%7C%7C%20true%0A%20%20%20%20cp%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.new%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%0A%20%20%20%20systemctl%20restart%20haproxy%0Afi%0A" + source = "data:,%23%21%2Fbin%2Fbash%0A%0Aset%20-x%0A%0Aexport%20KUBECONFIG%3D%2Fopt%2Fopenshift%2Fauth%2Fkubeconfig%0ATEMPLATE%3D%22%7B%7Brange%20.items%7D%7D%7B%7B%5C%24name%3A%3D.metadata.name%7D%7D%7B%7Brange%20.status.conditions%7D%7D%7B%7Bif%20eq%20.type%20%5C%22Ready%5C%22%7D%7D%7B%7Bif%20eq%20.status%20%5C%22True%5C%22%20%7D%7D%7B%7B%5C%24name%7D%7D%7B%7Bend%7D%7D%7B%7Bend%7D%7D%7B%7Bend%7D%7D%20%7B%7Bend%7D%7D%22%0AMASTERS%3D%24%28oc%20get%20nodes%20-l%20node-role.kubernetes.io%2Fmaster%20-ogo-template%3D%22%24TEMPLATE%22%29%0AWORKERS%3D%24%28oc%20get%20nodes%20-l%20node-role.kubernetes.io%2Fworker%20-ogo-template%3D%22%24TEMPLATE%22%29%0A%0Aif%20%5B%5B%20%24MASTERS%20-eq%20%22%22%20%5D%5D%3B%0Athen%0A%20%20%20%20MASTER_LINES%3D%22%0A%20%20%20%20server%20${var.cluster_name}-bootstrap-22623%20${var.cluster_name}-bootstrap.${var.cluster_domain}%20check%20port%2049500%0A%20%20%20%20server%20${var.cluster_name}-bootstrap-6443%20${var.cluster_name}-bootstrap.${var.cluster_domain}%20check%20port%206443%22%0A%20%20%20%20MASTERS%3D%22${var.cluster_name}-master-0%20${var.cluster_name}-master-1%20${var.cluster_name}-master-2%22%0Afi%0A%0Afor%20master%20in%20%24MASTERS%3B%0Ado%0A%20%20%20%20MASTER_LINES%3D%22%24MASTER_LINES%0A%20%20%20%20server%20%24master%20%24master.${var.cluster_domain}%20check%20port%206443%22%0Adone%0A%0Afor%20worker%20in%20%24WORKE
RS%3B%0Ado%0A%20%20%20%20WORKER_LINES%3D%22%24WORKER_LINES%0A%20%20%20%20server%20%24worker%20%24worker.${var.cluster_domain}%20check%20port%20443%22%0Adone%0A%0Acat%20%3E%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.new%20%3C%3C%20EOF%0Alisten%20${var.cluster_name}-api-masters%0A%20%20%20%20bind%200.0.0.0%3A6443%0A%20%20%20%20bind%200.0.0.0%3A49500%0A%20%20%20%20mode%20tcp%0A%20%20%20%20balance%20roundrobin%24MASTER_LINES%0A%0Alisten%20${var.cluster_name}-api-workers%0A%20%20%20%20bind%200.0.0.0%3A80%0A%20%20%20%20bind%200.0.0.0%3A443%0A%20%20%20%20mode%20tcp%0A%20%20%20%20balance%20roundrobin%24WORKER_LINES%0AEOF%0A%0A%0Amkdir%20-p%20%2Fetc%2Fhaproxy%0ACHANGED%3D%24%28diff%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.new%29%0A%0Aif%20%5B%5B%20%21%20-f%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%20%5D%5D%20%7C%7C%20%5B%5B%20%21%20%24CHANGED%20-eq%20%22%22%20%5D%5D%3B%0Athen%0A%20%20%20%20cp%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.backup%20%7C%7C%20true%0A%20%20%20%20cp%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg.new%20%2Fetc%2Fhaproxy%2Fhaproxy.cfg%0A%20%20%20%20systemctl%20restart%20haproxy%0Afi%0A"
 }
 }
diff --git a/data/data/openstack/topology/sg-lb.tf b/data/data/openstack/topology/sg-lb.tf
index 2cf47b70f8f..e24c5fdf954 100644
--- a/data/data/openstack/topology/sg-lb.tf
+++ b/data/data/openstack/topology/sg-lb.tf
@@ -7,8 +7,8 @@ resource "openstack_networking_secgroup_rule_v2" "api_mcs" {
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
- port_range_min = 49500
- port_range_max = 49500
+ port_range_min = 22623
+ port_range_max = 22623
 remote_ip_prefix = "0.0.0.0/0"
 security_group_id = "${openstack_networking_secgroup_v2.api.id}"
 }
diff --git a/data/data/openstack/topology/sg-master.tf b/data/data/openstack/topology/sg-master.tf
index c69af7cf0dc..a46a5d27cfb 100644
--- a/data/data/openstack/topology/sg-master.tf
+++ b/data/data/openstack/topology/sg-master.tf
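Review bot: The new `source` value for `haproxy_watcher_script` in data/data/openstack/service/main.tf is only partly migrated: the bootstrap server is renamed to `-bootstrap-22623`, but its health check is still `check%20port%2049500` and the `api-masters` listener still has `bind%200.0.0.0%3A49500`. As written, HAProxy would keep listening on and probing 49500 while the security-group rules in this commit open 22623, so machine-config requests through this load balancer would presumably fail. Both occurrences should become `check%20port%2022623` and `bind%200.0.0.0%3A22623`. Because the script is a hand-edited percent-encoded data URL, rendering it from a readable template would make the next port change reviewable.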
@@ -7,8 +7,8 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
- port_range_min = 49500
- port_range_max = 49500
+ port_range_min = 22623
+ port_range_max = 22623
 remote_ip_prefix = "${var.cidr_block}"
 security_group_id = "${openstack_networking_secgroup_v2.master.id}"
 }
diff --git a/docs/user/customization.md b/docs/user/customization.md
index 79a3fd38795..c6659757458 100644
--- a/docs/user/customization.md
+++ b/docs/user/customization.md
@@ -39,7 +39,7 @@ An example `worker.ign` is shown below. It has been modified to increase the HTT
 "version": "2.2.0",
 "config": {
 "append": [{
- "source": "https://test-cluster-api.example.com:49500/config/worker"
+ "source": "https://test-cluster-api.example.com:22623/config/worker"
 }]
 },
 "security": {
diff --git a/docs/user/openstack/README.md b/docs/user/openstack/README.md
index 9a04c58bd63..c614e333f52 100644
--- a/docs/user/openstack/README.md
+++ b/docs/user/openstack/README.md
@@ -158,7 +158,7 @@ intended for initial cluster deployment and not highly available, to an external load balancer. The load balancer must serve ports 6443, 443, and 80 to any users of
-the system. Port 49500 is for serving ignition startup configurations
+the system. Port 22623 is for serving ignition startup configurations
 to the OpenShift nodes and should not be reachable outside of the cluster. The first step is to add floating IPs to all the master nodes:
@@ -229,7 +229,7 @@ Another useful thing to check is that the ignition configurations are only available from within the deployment. The following command should only succeed from a node in the OpenShift cluster:
-* `curl https://:49500/config/master --insecure`
+* `curl https://:22623/config/master --insecure`
 Now that the DNS and load balancer has been moved, we can take down the existing api VM:
diff --git a/pkg/asset/ignition/machine/node.go b/pkg/asset/ignition/machine/node.go
index eb7b1f7911d..28f104b5359 100644
--- a/pkg/asset/ignition/machine/node.go
+++ b/pkg/asset/ignition/machine/node.go
@@ -21,7 +21,7 @@ func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, ro
 Source: func() *url.URL {
 return &url.URL{
 Scheme: "https",
- Host: fmt.Sprintf("%s-api.%s:49500", installConfig.ObjectMeta.Name, installConfig.BaseDomain),
+ Host: fmt.Sprintf("%s-api.%s:22623", installConfig.ObjectMeta.Name, installConfig.BaseDomain),
 Path: fmt.Sprintf("/config/%s", role),
 }
 }().String(),
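Review bot: The port in `fmt.Sprintf("%s-api.%s:22623", ...)` is a bare literal that has to stay in step with the Terraform security groups, the load-balancer listeners and the docs; the percent-encoded script in openstack/service/main.tf still carries 49500 on its new side, which shows how such copies drift. A named constant beside `pointerIgnitionConfig` would give the value one home in the Go code, e.g. `const machineConfigServerPort = 22623 // port the machine-config server is reached on; must match data/data/*`, with the host built as `fmt.Sprintf("%s-api.%s:%d", installConfig.ObjectMeta.Name, installConfig.BaseDomain, machineConfigServerPort)`. The function body starts and ends outside the hunk.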