diff --git a/docs/upstream-differences.md b/docs/upstream-differences.md
index 20b295917..ca45451c1 100644
--- a/docs/upstream-differences.md
+++ b/docs/upstream-differences.md
@@ -73,7 +73,8 @@ upstream OCP.
 * ARO API server internal LB remains on highest available master subnet IP, like
   in 4.2.
 
-* ARO never creates aro-bootstrap-pip for bootstrap VM.
+* ARO never creates aro-bootstrap-pip for bootstrap VM, or the corresponding NSG
+  rule.
 
 * ARO API server LB uses Azure outboundRule rather than port 27627 inbound rule.
 
diff --git a/pkg/install/0-installstorage.go b/pkg/install/0-installstorage.go
index 030685ac7..c17fec158 100644
--- a/pkg/install/0-installstorage.go
+++ b/pkg/install/0-installstorage.go
@@ -134,19 +134,6 @@ func (i *Installer) installStorage(ctx context.Context, installConfig *installco
 								},
 								Name: to.StringPtr("apiserver_in"),
 							},
-							{
-								SecurityRulePropertiesFormat: &mgmtnetwork.SecurityRulePropertiesFormat{
-									Protocol:                 mgmtnetwork.SecurityRuleProtocolTCP,
-									SourcePortRange:          to.StringPtr("*"),
-									DestinationPortRange:     to.StringPtr("22"),
-									SourceAddressPrefix:      to.StringPtr("*"),
-									DestinationAddressPrefix: to.StringPtr("*"),
-									Access:                   mgmtnetwork.SecurityRuleAccessAllow,
-									Priority:                 to.Int32Ptr(103),
-									Direction:                mgmtnetwork.SecurityRuleDirectionInbound,
-								},
-								Name: to.StringPtr("bootstrap_ssh_in"),
-							},
 						},
 					},
 					Name:     to.StringPtr("aro-controlplane-nsg"),