diff --git a/pkg/cloud/openstack/clients/machineservice.go b/pkg/cloud/openstack/clients/machineservice.go
index ef19ff39ea..2fe1c50ce5 100644
--- a/pkg/cloud/openstack/clients/machineservice.go
+++ b/pkg/cloud/openstack/clients/machineservice.go
@@ -314,7 +314,35 @@ func isDuplicate(list []string, name string) bool {
 	return false
 }
 
-func GetSecurityGroups(is *InstanceService, sg_param []openstackconfigv1.SecurityGroupParam) ([]string, error) {
+func GetSecurityGroups(is *InstanceService, sg_param []openstackconfigv1.SecurityGroupParam, cluster *clusterv1.Cluster, machine *clusterv1.Machine) ([]string, error) {
+	clusterName := fmt.Sprintf("%s/%s", cluster.Namespace, cluster.Name)
+	secGroupService, err := NewSecGroupService(is.networkClient)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create security group service: %v", err)
+	}
+
+	clusterStatus, err := openstackconfigv1.ClusterStatusFromProviderStatus(cluster.Status.ProviderStatus)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load cluster provider status: %v", err)
+	}
+
+	clusterSpec, err := openstackconfigv1.ClusterSpecFromProviderSpec(cluster.Spec.ProviderSpec)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load cluster provider spec: %v", err)
+	}
+
+	err = secGroupService.Reconcile(clusterName, *clusterSpec, clusterStatus)
+	if err != nil {
+		return nil, fmt.Errorf("failed to reconcile security groups: %v", err)
+	}
+
+	if clusterSpec.ManagedSecurityGroups {
+		if util.IsControlPlaneMachine(machine) {
+			return []string{clusterStatus.ControlPlaneSecurityGroup.ID, clusterStatus.GlobalSecurityGroup.ID}, nil
+		}
+		return []string{clusterStatus.GlobalSecurityGroup.ID}, nil
+	}
+
 	var sgIDs []string
 	for _, sg := range sg_param {
 		listOpts := groups.ListOpts(sg.Filter)
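Review bot: When `clusterSpec.ManagedSecurityGroups` is set, the early return at the end of the new block drops `sg_param` entirely, so any security groups a user configured on the machine's provider spec are silently ignored, and nothing in the hunk logs or documents that; the function also now mutates cloud state (`secGroupService.Reconcile`) on every call despite its `Get` name. I would add a doc comment above the signature, e.g. `// GetSecurityGroups reconciles the cluster's managed security groups and returns the IDs to attach to machine.` followed by `// When clusterSpec.ManagedSecurityGroups is set, sg_param is ignored and only the managed group IDs are returned.`, and either log the discarded sg_param or merge it. `cluster` and `machine` are dereferenced without a nil guard, unlike the `config == nil` check InstanceCreate already has. If `ControlPlaneSecurityGroup` and `GlobalSecurityGroup` are pointer fields (not visible here), a Reconcile that returns nil without populating them would panic at the two `.ID` reads, and the reconciled `clusterStatus` is not written back to the cluster object in this hunk, so whether later calls see the same IDs depends on Reconcile's own lookup behaviour — worth confirming. The function's body continues past the end of the hunk.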
@@ -340,7 +368,7 @@ func GetSecurityGroups(is *InstanceService, sg_param []openstackconfigv1.Securit
 	return sgIDs, nil
 }
 
-func (is *InstanceService) InstanceCreate(clusterName string, name string, config *openstackconfigv1.OpenstackProviderSpec, cmd string, keyName string) (instance *Instance, err error) {
+func (is *InstanceService) InstanceCreate(cluster *clusterv1.Cluster, machine *clusterv1.Machine, config *openstackconfigv1.OpenstackProviderSpec, cmd string, keyName string) (instance *Instance, err error) {
 	if config == nil {
 		return nil, fmt.Errorf("create Options need be specified to create instace")
 	}
@@ -355,10 +383,10 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, confi
 	}
 	clusterTags := []string{
 		"cluster-api-provider-openstack",
-		clusterName,
+		fmt.Sprintf("%s/%s", cluster.Namespace, cluster.Name),
 	}
 	// Get security groups
-	securityGroups, err := GetSecurityGroups(is, config.SecurityGroups)
+	securityGroups, err := GetSecurityGroups(is, config.SecurityGroups, cluster, machine)
 	if err != nil {
 		return nil, err
 	}
@@ -406,7 +434,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, confi
 		return nil, fmt.Errorf("No network was found or provided. Please check your machine configuration and try again")
 	}
 	allPages, err := ports.List(is.networkClient, ports.ListOpts{
-		Name: name,
+		Name: machine.Name,
 		NetworkID: net.networkID,
 	}).AllPages()
 	if err != nil {
@@ -419,7 +447,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, confi
 	var port ports.Port
 	if len(portList) == 0 {
 		// create server port
-		port, err = CreatePort(is, machine.Name, net, &securityGroups)
+		port, err = CreatePort(is, machine.Name, net, &securityGroups)
 		if err != nil {
 			return nil, fmt.Errorf("Failed to create port err: %v", err)
 		}
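Review bot: The new `InstanceCreate` signature takes `cluster` and `machine` pointers and the body dereferences both (`cluster.Namespace`, `machine.Name` in the later hunks) while only `config` is nil-checked; the guard on the first lines of the body should cover all three, e.g. `if config == nil || cluster == nil || machine == nil {` with `return nil, fmt.Errorf("cluster, machine and create options must be specified to create an instance")`. The `"%s/%s"` namespace/name formatting in the `clusterTags` hunk is now duplicated with the same expression inside `GetSecurityGroups`, so the two tag and reconcile keys can drift apart on a later edit; a small helper such as `clusterKey(cluster)` used by both would keep them in lock-step. `InstanceCreate`'s body runs past the end of these hunks.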
@@ -438,7 +466,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, confi
 
 	if config.Trunk == true {
 		allPages, err := trunks.List(is.networkClient, trunks.ListOpts{
-			Name: name,
+			Name: machine.Name,
 			PortID: port.ID,
 		}).AllPages()
 		if err != nil {
@@ -452,7 +480,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, confi
 		if len(trunkList) == 0 {
 			// create trunk with the previous port as parent
 			trunkCreateOpts := trunks.CreateOpts{
-				Name: name,
+				Name: machine.Name,
 				PortID: port.ID,
 			}
 			newTrunk, err := trunks.Create(is.networkClient, trunkCreateOpts).Extract()
@@ -473,7 +501,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, confi
 	}
 
 	serverCreateOpts := servers.CreateOpts{
-		Name: name,
+		Name: machine.Name,
 		ImageName: config.Image,
 		FlavorName: config.Flavor,
 		AvailabilityZone: config.AvailabilityZone,
diff --git a/pkg/cloud/openstack/machine/actuator.go b/pkg/cloud/openstack/machine/actuator.go
index 1a5edb07de..068879166c 100644
--- a/pkg/cloud/openstack/machine/actuator.go
+++ b/pkg/cloud/openstack/machine/actuator.go
@@ -145,7 +145,7 @@ func (oc *OpenstackClient) Create(ctx context.Context, cluster *clusterv1.Cluste
 		userDataRendered = string(userData)
 	}
 
-	instance, err = machineService.InstanceCreate(fmt.Sprintf("%s/%s", cluster.ObjectMeta.Namespace, cluster.Name), machine.Name, providerSpec, userDataRendered, providerSpec.KeyName)
+	instance, err = machineService.InstanceCreate(cluster, machine, providerSpec, userDataRendered, providerSpec.KeyName)
 	if err != nil {
 		return oc.handleMachineError(machine, apierrors.CreateMachine(
 			"error creating Openstack instance: %v", err))