diff --git a/pkg/cloudprovider/providers/openstack/openstack.go b/pkg/cloudprovider/providers/openstack/openstack.go
index 7f4504a3896..a8fffac2c3e 100644
--- a/pkg/cloudprovider/providers/openstack/openstack.go
+++ b/pkg/cloudprovider/providers/openstack/openstack.go
@@ -685,6 +685,15 @@ func (lb *LoadBalancer) EnsureLoadBalancer(name, region string, loadBalancerIP n
 return nil, fmt.Errorf("unsupported load balancer affinity: %v", affinity)
 }
 
+ sourceRanges, err := cloudprovider.GetSourceRangeAnnotations(annotations)
+ if err != nil {
+ return nil, err
+ }
+
+ if !cloudprovider.IsAllowAll(sourceRanges) {
+ return nil, fmt.Errorf("Source range restrictions are not supported for openstack load balancers")
+ }
+
 glog.V(2).Infof("Checking if openstack load balancer already exists: %s", name)
 _, exists, err := lb.GetLoadBalancer(name, region)
 if err != nil {
diff --git a/pkg/cloudprovider/utils.go b/pkg/cloudprovider/utils.go
index 9ce35d2897b..30ff240196f 100644
--- a/pkg/cloudprovider/utils.go
+++ b/pkg/cloudprovider/utils.go
@@ -67,6 +67,11 @@ func (l IPNetSet) Equal(r IPNetSet) bool {
 return true
 }
 
+// Len returns the size of the set.
+func (s IPNetSet) Len() int {
+ return len(s)
+}
+
 // GetSourceRangeAnnotations verifies and parses the LBAnnotationAllowSourceRange annotation from a service,
 // extracting the source ranges to allow, and if not present returns a default (allow-all) value.
 func GetSourceRangeAnnotations(annotation map[string]string) (IPNetSet, error) {
@@ -82,3 +87,13 @@ func GetSourceRangeAnnotations(annotation map[string]string) (IPNetSet, error) {
 }
 return ipnets, nil
 }
+
+// IsAllowAll checks whether the IPNetSet contains the default allow-all policy
+func IsAllowAll(ipnets IPNetSet) bool {
+ for _, s := range ipnets.StringSlice() {
+ if s == "0.0.0.0/0" {
+ return true
+ }
+ }
+ return false
+}
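Review bot: The rejection added after the affinity check is a deliberate fail-closed decision and should carry a comment saying so, for example `// This provider cannot enforce source ranges; refuse rather than create a load balancer reachable from every source.`, so that a later change does not quietly downgrade it to a warning. The error string should start lowercase per Go convention and could name what was rejected: `fmt.Errorf("source range restrictions are not supported for openstack load balancers: %v", sourceRanges.StringSlice())`. EnsureLoadBalancer starts and ends outside this hunk, so it cannot be confirmed from here that `annotations` is in scope, or whether another entry point such as an update path needs the same guard.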
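Review bot: The new `Len` method names its receiver `s`, while `Equal` on the same type (visible in this hunk's header) uses `l`; Go convention is one receiver name per type, so `func (l IPNetSet) Len() int` would match. Nothing in the visible hunks of this commit calls `Len`, so it is worth confirming that it has a caller before adding it to the exported surface.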
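Review bot: `IsAllowAll` matches only the literal string `0.0.0.0/0`, so an empty set, an IPv6 `::/0` entry, or several ranges that together cover the whole address space all return false, and the doc comment does not say so. For the openstack caller in this commit that errs toward rejecting the service, which is the safe direction, but a future caller that uses the result to decide whether firewall rules are needed should know the match is exact and conservative. Suggested comment: `// IsAllowAll reports whether ipnets contains the literal 0.0.0.0/0 entry. An empty set, or any other way of expressing "all sources", returns false.` If the file already has a constant for the default range that GetSourceRangeAnnotations returns (not visible in this hunk), comparing against it would keep the two from drifting apart.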