diff --git a/deploy/cloud-init.yml b/deploy/cloud-init.yml
index cd8397b..dacd485 100644
--- a/deploy/cloud-init.yml
+++ b/deploy/cloud-init.yml
@@ -62,12 +62,17 @@ runcmd:
 - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 - usermod -aG docker devbox
- # Firewall — allow SSH, mosh, and optionally HTTPS if running web-accessible services
- - ufw default deny incoming
- - ufw default allow outgoing
- - ufw allow ssh
- - ufw allow 60000:61000/udp
- - ufw --force enable
+ # Firewall — skip on OpenStack (use security groups instead)
+ - |
+ if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ >/dev/null 2>&1; then
+ echo "OpenStack detected — skipping ufw (use security groups instead)"
+ else
+ ufw default deny incoming
+ ufw default allow outgoing
+ ufw allow ssh
+ ufw allow 60000:61000/udp
+ ufw --force enable
+ fi
 # Disable IPv6 preference for Docker (avoids intermittent Docker Hub connectivity issues)
 - echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf
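Review bot: The OpenStack probe in the `if curl -s ...` condition counts any HTTP response as a match, because curl exits 0 on a 404 or 401 unless `-f` is given. Other clouds also answer on 169.254.169.254, so ufw would likely be skipped there too, leaving the instance with no host firewall. Use `if curl -sf --connect-timeout 2 --max-time 5 http://169.254.169.254/openstack/ >/dev/null 2>&1; then` so only a successful response selects the skip branch. Even on OpenStack the branch fails open: nothing verifies that a restrictive security group is attached, and Docker-published ports then depend on it entirely. Consider an explicit opt-out setting instead of auto-detection, or at least a comment naming the required security-group rules (SSH and 60000:61000/udp only).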