diff --git a/hack/api-reference/api.md b/hack/api-reference/api.md
index 4b210e9b9..29880c4f1 100644
--- a/hack/api-reference/api.md
+++ b/hack/api-reference/api.md
@@ -1373,7 +1373,7 @@ string
Worker is a CIDRs of a worker subnet (private) to create (used for the VMs).
-Deprecated - use workers instead.
+Deprecated: use workers instead.
|
@@ -1574,7 +1574,19 @@ string
- IP is the router ip.
+IP is the router ip.
+Deprecated: use ExternalFixedIPs instead.
+ |
+
+
+
+externalFixedIP
+
+[]string
+
+ |
+
+ ExternalFixedIPs is the list of the router’s assigned external fixed IPs.
|
diff --git a/pkg/apis/openstack/types_infrastructure.go b/pkg/apis/openstack/types_infrastructure.go
index 4e30a8e78..b8fe7327d 100644
--- a/pkg/apis/openstack/types_infrastructure.go
+++ b/pkg/apis/openstack/types_infrastructure.go
@@ -27,7 +27,7 @@ type Networks struct {
// Router indicates whether to use an existing router or create a new one.
Router *Router
// Worker is a CIDRs of a worker subnet (private) to create (used for the VMs).
- // Deprecated - use `workers` instead.
+ // Deprecated: use `workers` instead.
Worker string
// Workers is a CIDRs of a worker subnet (private) to create (used for the VMs).
Workers string
@@ -89,7 +89,10 @@ type RouterStatus struct {
// ID is the Router id.
ID string
// IP is the router ip.
+ // Deprecated: use ExternalFixedIPs instead.
IP string
+ // ExternalFixedIPs is the list of the router's assigned external fixed IPs.
+ ExternalFixedIPs []string
}
// FloatingPoolStatus contains information about the floating pool.
diff --git a/pkg/apis/openstack/v1alpha1/types_infrastructure.go b/pkg/apis/openstack/v1alpha1/types_infrastructure.go
index 0836e19ad..c13abab14 100644
--- a/pkg/apis/openstack/v1alpha1/types_infrastructure.go
+++ b/pkg/apis/openstack/v1alpha1/types_infrastructure.go
@@ -30,7 +30,7 @@ type Networks struct {
// +optional
Router *Router `json:"router,omitempty"`
// Worker is a CIDRs of a worker subnet (private) to create (used for the VMs).
- // Deprecated - use `workers` instead.
+ // Deprecated: use `workers` instead.
Worker string `json:"worker"`
// Workers is a CIDRs of a worker subnet (private) to create (used for the VMs).
Workers string `json:"workers"`
@@ -95,7 +95,10 @@ type RouterStatus struct {
// ID is the Router id.
ID string `json:"id"`
// IP is the router ip.
+ // Deprecated: use ExternalFixedIPs instead.
IP string `json:"ip"`
+ // ExternalFixedIPs is the list of the router's assigned external fixed IPs.
+ ExternalFixedIPs []string `json:"externalFixedIP"`
}
// FloatingPoolStatus contains information about the floating pool.
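Review bot: The JSON key on the added field is the singular `externalFixedIP`, while the Go field and the new deprecation comment on IP both say ExternalFixedIPs, and the tag has neither `omitempty` nor a `// +optional` marker. A serialized key is hard to rename once a release has written it into provider status, so the spelling is worth settling now, for example with the tag `json:"externalFixedIPs,omitempty"`. The api.md hunk documents the same singular key and would need regenerating. RouterStatus begins outside this hunk.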
diff --git a/pkg/apis/openstack/v1alpha1/zz_generated.conversion.go b/pkg/apis/openstack/v1alpha1/zz_generated.conversion.go
index 598907d10..28d15d9de 100644
--- a/pkg/apis/openstack/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/openstack/v1alpha1/zz_generated.conversion.go
@@ -946,6 +946,7 @@ func Convert_openstack_Router_To_v1alpha1_Router(in *openstack.Router, out *Rout
func autoConvert_v1alpha1_RouterStatus_To_openstack_RouterStatus(in *RouterStatus, out *openstack.RouterStatus, s conversion.Scope) error {
out.ID = in.ID
out.IP = in.IP
+ out.ExternalFixedIPs = *(*[]string)(unsafe.Pointer(&in.ExternalFixedIPs))
return nil
}
@@ -957,6 +958,7 @@ func Convert_v1alpha1_RouterStatus_To_openstack_RouterStatus(in *RouterStatus, o
func autoConvert_openstack_RouterStatus_To_v1alpha1_RouterStatus(in *openstack.RouterStatus, out *RouterStatus, s conversion.Scope) error {
out.ID = in.ID
out.IP = in.IP
+ out.ExternalFixedIPs = *(*[]string)(unsafe.Pointer(&in.ExternalFixedIPs))
return nil
}
diff --git a/pkg/apis/openstack/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/openstack/v1alpha1/zz_generated.deepcopy.go
index f238251ff..7377c392d 100644
--- a/pkg/apis/openstack/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/openstack/v1alpha1/zz_generated.deepcopy.go
@@ -562,7 +562,7 @@ func (in *MachineLabel) DeepCopy() *MachineLabel {
func (in *NetworkStatus) DeepCopyInto(out *NetworkStatus) {
*out = *in
out.FloatingPool = in.FloatingPool
- out.Router = in.Router
+ in.Router.DeepCopyInto(&out.Router)
if in.Subnets != nil {
in, out := &in.Subnets, &out.Subnets
*out = make([]Subnet, len(*in))
@@ -673,6 +673,11 @@ func (in *Router) DeepCopy() *Router {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RouterStatus) DeepCopyInto(out *RouterStatus) {
*out = *in
+ if in.ExternalFixedIPs != nil {
+ in, out := &in.ExternalFixedIPs, &out.ExternalFixedIPs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
return
}
diff --git a/pkg/apis/openstack/zz_generated.deepcopy.go b/pkg/apis/openstack/zz_generated.deepcopy.go
index c6eb27542..dd22d53bc 100644
--- a/pkg/apis/openstack/zz_generated.deepcopy.go
+++ b/pkg/apis/openstack/zz_generated.deepcopy.go
@@ -562,7 +562,7 @@ func (in *MachineLabel) DeepCopy() *MachineLabel {
func (in *NetworkStatus) DeepCopyInto(out *NetworkStatus) {
*out = *in
out.FloatingPool = in.FloatingPool
- out.Router = in.Router
+ in.Router.DeepCopyInto(&out.Router)
if in.Subnets != nil {
in, out := &in.Subnets, &out.Subnets
*out = make([]Subnet, len(*in))
@@ -673,6 +673,11 @@ func (in *Router) DeepCopy() *Router {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RouterStatus) DeepCopyInto(out *RouterStatus) {
*out = *in
+ if in.ExternalFixedIPs != nil {
+ in, out := &in.ExternalFixedIPs, &out.ExternalFixedIPs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
return
}
diff --git a/pkg/controller/infrastructure/add.go b/pkg/controller/infrastructure/add.go
index a921d7117..34b9c58af 100644
--- a/pkg/controller/infrastructure/add.go
+++ b/pkg/controller/infrastructure/add.go
@@ -40,7 +40,7 @@ type AddOptions struct {
// The opts.Reconciler is being set with a newly instantiated actuator.
func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, options AddOptions) error {
return infrastructure.Add(ctx, mgr, infrastructure.AddArgs{
- Actuator: NewActuator(mgr, options.DisableProjectedTokenMount),
+ Actuator: NewActuator(mgr, true),
ConfigValidator: NewConfigValidator(mgr, openstackclient.FactoryFactoryFunc(openstackclient.NewOpenstackClientFromCredentials), log.Log),
ControllerOptions: options.Controller,
Predicates: infrastructure.DefaultPredicates(ctx, mgr, options.IgnoreOperationAnnotation),
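Review bot: The changed line passes the literal `true` to NewActuator, so `options.DisableProjectedTokenMount` is no longer honoured and the caller's setting for projected token mounts is silently overridden. Nothing else in this commit touches that option, so this looks like a leftover from local testing. Unless the override is intended and documented, restore `Actuator: NewActuator(mgr, options.DisableProjectedTokenMount),`. AddToManagerWithOptions continues outside the hunk.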
diff --git a/pkg/controller/infrastructure/infraflow/access/networking_access.go b/pkg/controller/infrastructure/infraflow/access/networking_access.go
index d27b5f285..d668ac9f7 100644
--- a/pkg/controller/infrastructure/infraflow/access/networking_access.go
+++ b/pkg/controller/infrastructure/infraflow/access/networking_access.go
@@ -29,7 +29,7 @@ type NetworkingAccess interface {
CreateRouter(desired *Router) (*Router, error)
GetRouterByID(id string) (*Router, error)
GetRouterByName(name string) ([]*Router, error)
- UpdateRouter(desired, current *Router) (modified bool, err error)
+ UpdateRouter(desired, current *Router) (modified bool, router *Router, err error)
LookupFloatingPoolSubnetIDs(networkID, floatingPoolSubnetNameRegex string) ([]string, error)
AddRouterInterfaceAndWait(ctx context.Context, routerID, subnetID string) error
GetRouterInterfacePortID(routerID, subnetID string) (portID *string, err error)
@@ -172,7 +172,8 @@ func (a *networkingAccess) toRouter(raw *routers.Router) *Router {
}
// UpdateRouter updates the router if important fields have changed
-func (a *networkingAccess) UpdateRouter(desired, current *Router) (modified bool, err error) {
+func (a *networkingAccess) UpdateRouter(desired, current *Router) (modified bool, router *Router, err error) {
+ router = current
updateOpts := routers.UpdateOpts{}
if desired.Name != current.Name {
modified = true
@@ -188,9 +189,13 @@ func (a *networkingAccess) UpdateRouter(desired, current *Router) (modified bool
}
}
if modified {
- _, err = a.networking.UpdateRouter(current.ID, updateOpts)
+ updated, err := a.networking.UpdateRouter(current.ID, updateOpts)
+ if err != nil {
+ return false, nil, err
+ }
+ router = a.toRouter(updated)
}
- return
+ return modified, router, err
}
// AddRouterInterfaceAndWait adds router interface and waits up to
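Review bot: `updated, err := a.networking.UpdateRouter(...)` inside the `if modified` block declares a new `err` that shadows the named result, so the `err` in the final `return modified, router, err` can never be non-nil. The code behaves correctly because the failure is returned inside the block, but the last line reads as if it could carry an error. Writing `return modified, router, nil` makes the intent explicit. The doc comment above UpdateRouter (in the previous hunk) should also say that the returned router is `current` when nothing was modified and nil on error.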
diff --git a/pkg/controller/infrastructure/infraflow/context.go b/pkg/controller/infrastructure/infraflow/context.go
index 6433ccad1..433569c17 100644
--- a/pkg/controller/infrastructure/infraflow/context.go
+++ b/pkg/controller/infrastructure/infraflow/context.go
@@ -39,6 +39,8 @@ const (
IdentifierSecGroup = "SecurityGroup"
// IdentifierShareNetwork is the key for the share network id
IdentifierShareNetwork = "ShareNetwork"
+ // IdentifierEgressCIDRs is the key for the slice containing egress CIDRs strings.
+ IdentifierEgressCIDRs = "EgressCIDRs"
// NameFloatingNetwork is the key for the floating network name
NameFloatingNetwork = "FloatingNetworkName"
@@ -171,7 +173,11 @@ func (fctx *FlowContext) computeInfrastructureStatus() *openstackv1alpha1.Infras
status.Networks.Name = ptr.Deref(fctx.state.Get(NameNetwork), "")
status.Networks.Router.ID = ptr.Deref(fctx.state.Get(IdentifierRouter), "")
- status.Networks.Router.IP = ptr.Deref(fctx.state.Get(RouterIP), "")
+ status.Networks.Router.ExternalFixedIPs = fctx.state.GetObject(IdentifierEgressCIDRs).([]string)
+ // backwards compatibility change for the deprecated field
+ if len(status.Networks.Router.ExternalFixedIPs) > 0 {
+ status.Networks.Router.IP = status.Networks.Router.ExternalFixedIPs[0]
+ }
status.Node.KeyName = ptr.Deref(fctx.state.Get(NameKeyPair), "")
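Review bot: The unchecked assertion in `fctx.state.GetObject(IdentifierEgressCIDRs).([]string)` panics if no object is stored under that key or if it holds another type, which would crash the reconcile instead of producing an empty status field. Whether every path through the router tasks sets the key before this runs is not visible in the hunk, so the comma-ok form is the safer choice: `if ips, ok := fctx.state.GetObject(IdentifierEgressCIDRs).([]string); ok { status.Networks.Router.ExternalFixedIPs = ips }`. computeInfrastructureStatus starts and ends outside the hunk.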
diff --git a/pkg/controller/infrastructure/infraflow/reconcile.go b/pkg/controller/infrastructure/infraflow/reconcile.go
index 7c1648e59..19f7ad676 100644
--- a/pkg/controller/infrastructure/infraflow/reconcile.go
+++ b/pkg/controller/infrastructure/infraflow/reconcile.go
@@ -41,17 +41,23 @@ func (fctx *FlowContext) Reconcile(ctx context.Context) error {
return errors.Join(flow.Causes(err), fctx.persistState(ctx))
}
- status := fctx.computeInfrastructureStatus()
state := fctx.computeInfrastructureState()
+ status := fctx.computeInfrastructureStatus()
return infrainternal.PatchProviderStatusAndState(ctx, fctx.client, fctx.infra, status, state)
}
func (fctx *FlowContext) buildReconcileGraph() *flow.Graph {
g := flow.NewGraph("Openstack infrastructure reconciliation")
+ prehook := fctx.AddTask(g, "pre-reconcile hook", func(_ context.Context) error {
+ // delete unnecessary state object. RouterIP was replaced by IdentifierEgressCIDRs to handle cases where the router had multiple externalFixedIPs attached to it.
+ fctx.state.Delete(RouterIP)
+ return nil
+ })
+
ensureExternalNetwork := fctx.AddTask(g, "ensure external network",
fctx.ensureExternalNetwork,
- shared.Timeout(defaultTimeout))
+ shared.Timeout(defaultTimeout), shared.Dependencies(prehook))
ensureRouter := fctx.AddTask(g, "ensure router",
fctx.ensureRouter,
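Review bot: Nothing in the hunk explains why `computeInfrastructureState()` now runs before `computeInfrastructureStatus()` in Reconcile. If the order matters, a one-line comment above the two calls stating the dependency would keep a later cleanup from swapping them back. If it does not matter, the reorder is noise in this commit and could be dropped. buildReconcileGraph continues outside the hunk.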
@@ -59,7 +65,7 @@ func (fctx *FlowContext) buildReconcileGraph() *flow.Graph {
ensureNetwork := fctx.AddTask(g, "ensure network",
fctx.ensureNetwork,
- shared.Timeout(defaultTimeout))
+ shared.Timeout(defaultTimeout), shared.Dependencies(prehook))
ensureSubnet := fctx.AddTask(g, "ensure subnet",
fctx.ensureSubnet,
@@ -118,7 +124,6 @@ func (fctx *FlowContext) ensureConfiguredRouter(_ context.Context) error {
router, err := fctx.access.GetRouterByID(fctx.config.Networks.Router.ID)
if err != nil {
fctx.state.Set(IdentifierRouter, "")
- fctx.state.Set(RouterIP, "")
return err
}
if router == nil {
@@ -130,8 +135,8 @@ func (fctx *FlowContext) ensureConfiguredRouter(_ context.Context) error {
if len(router.ExternalFixedIPs) < 1 {
return fmt.Errorf("expected at least one external fixed ip")
}
- fctx.state.Set(RouterIP, router.ExternalFixedIPs[0].IPAddress)
- return nil
+
+ return fctx.ensureEgressCIDRs(router)
}
func (fctx *FlowContext) ensureNewRouter(ctx context.Context, externalNetworkID string) error {
@@ -150,10 +155,11 @@ func (fctx *FlowContext) ensureNewRouter(ctx context.Context, externalNetworkID
if len(current.ExternalFixedIPs) < 1 {
return fmt.Errorf("expected at least one external fixed ip")
}
+ if _, current, err = fctx.access.UpdateRouter(desired, current); err != nil {
+ return err
+ }
fctx.state.Set(IdentifierRouter, current.ID)
- fctx.state.Set(RouterIP, current.ExternalFixedIPs[0].IPAddress)
- _, err := fctx.access.UpdateRouter(desired, current)
- return err
+ return fctx.ensureEgressCIDRs(current)
}
floatingPoolSubnetName := fctx.findFloatingPoolSubnetName()
@@ -171,10 +177,9 @@ func (fctx *FlowContext) ensureNewRouter(ctx context.Context, externalNetworkID
if err != nil {
return err
}
- fctx.state.Set(IdentifierRouter, created.ID)
- fctx.state.Set(RouterIP, created.ExternalFixedIPs[0].IPAddress)
- return nil
+ fctx.state.Set(IdentifierRouter, created.ID)
+ return fctx.ensureEgressCIDRs(created)
}
func (fctx *FlowContext) findExistingRouter() (*access.Router, error) {
@@ -513,3 +518,12 @@ func (fctx *FlowContext) ensureShareNetwork(ctx context.Context) error {
fctx.state.Set(NameShareNetwork, created.Name)
return nil
}
+
+func (fctx *FlowContext) ensureEgressCIDRs(router *access.Router) error {
+ var result []string
+ for _, efip := range router.ExternalFixedIPs {
+ result = append(result, efip.IPAddress)
+ }
+ fctx.state.SetObject(IdentifierEgressCIDRs, result)
+ return nil
+}
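Review bot: ensureEgressCIDRs stores whatever the router carries, including an empty list, and always returns nil. The "expected at least one external fixed ip" check lives only in ensureConfiguredRouter and in the existing-router branch of ensureNewRouter, where it runs before UpdateRouter replaces `current`; the created-router path has no check at all. Moving the guard into the helper covers all three callers and gives the error return a purpose: `if len(router.ExternalFixedIPs) < 1 { return fmt.Errorf("expected at least one external fixed ip") }`. The function also needs a doc comment saying that it records the router's external fixed IP addresses under IdentifierEgressCIDRs; the stored values are plain IPs rather than CIDRs, which the key name hides.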
diff --git a/pkg/internal/infrastructure/infrastucture.go b/pkg/internal/infrastructure/infrastucture.go
index 7b50a6ce6..64d8de4da 100644
--- a/pkg/internal/infrastructure/infrastucture.go
+++ b/pkg/internal/infrastructure/infrastucture.go
@@ -24,6 +24,7 @@ import (
"github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack"
openstackv1alpha1 "github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack/v1alpha1"
openstackclient "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
+ "github.com/gardener/gardener-extension-provider-openstack/pkg/utils"
)
const (
@@ -158,9 +159,7 @@ func PatchProviderStatusAndState(
patch := client.MergeFrom(infra.DeepCopy())
if status != nil {
infra.Status.ProviderStatus = &runtime.RawExtension{Object: status}
- if status.Networks.Router.IP != "" {
- infra.Status.EgressCIDRs = []string{fmt.Sprintf("%s/32", status.Networks.Router.IP)}
- }
+ infra.Status.EgressCIDRs = utils.ComputeEgressCIDRs(status.Networks.Router.ExternalFixedIPs)
}
if state != nil {
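Review bot: `infra.Status.EgressCIDRs` is now assigned unconditionally, whereas the removed code left the existing value alone when no router IP was known. ComputeEgressCIDRs returns nil for an empty list or one with only unparseable entries, so a status without external fixed IPs now clears egress CIDRs that were already published. What consumes that field is not visible here, but if it feeds allow-lists an emptied value changes their behaviour. If clearing is not intended, keep the guard: `if cidrs := utils.ComputeEgressCIDRs(status.Networks.Router.ExternalFixedIPs); len(cidrs) > 0 { infra.Status.EgressCIDRs = cidrs }`. PatchProviderStatusAndState continues outside the hunk.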
diff --git a/pkg/internal/infrastructure/templates/main.tpl.tf b/pkg/internal/infrastructure/templates/main.tpl.tf
index 596a21ec1..9761bce6a 100644
--- a/pkg/internal/infrastructure/templates/main.tpl.tf
+++ b/pkg/internal/infrastructure/templates/main.tpl.tf
@@ -168,8 +168,8 @@ output "{{ .outputKeys.routerID }}" {
value = {{ .router.id }}
}
-output "{{ .outputKeys.routerIP }}" {
- value = {{ template "router-ip" $ }}
+output "{{ .outputKeys.routerIPs }}" {
+ value = {{ template "router-ips" $ }}
}
output "{{ .outputKeys.networkID }}" {
@@ -227,10 +227,10 @@ openstack_networking_network_v2.cluster.name
data.openstack_networking_network_v2.cluster.name
{{ end -}}
{{- end -}}
-{{- define "router-ip" -}}
+{{- define "router-ips" -}}
{{ if .create.router -}}
-openstack_networking_router_v2.router.external_fixed_ip[0].ip_address
+join(",", openstack_networking_router_v2.router.external_fixed_ip[*].ip_address)
{{ else -}}
-data.openstack_networking_router_v2.router.external_fixed_ip[0].ip_address
+join(",", data.openstack_networking_router_v2.router.external_fixed_ip[*].ip_address)
{{ end -}}
{{- end -}}
diff --git a/pkg/internal/infrastructure/terraform.go b/pkg/internal/infrastructure/terraform.go
index fb3aec8f7..c47a16191 100644
--- a/pkg/internal/infrastructure/terraform.go
+++ b/pkg/internal/infrastructure/terraform.go
@@ -9,6 +9,7 @@ import (
"context"
"fmt"
"strconv"
+ "strings"
"github.com/gardener/gardener/extensions/pkg/controller"
"github.com/gardener/gardener/extensions/pkg/terraformer"
@@ -27,8 +28,8 @@ const (
TerraformOutputKeySSHKeyName = "key_name"
// TerraformOutputKeyRouterID is the id the router between provider network and the worker subnet.
TerraformOutputKeyRouterID = "router_id"
- // TerraformOutputKeyRouterIP is the ip address of the router.
- TerraformOutputKeyRouterIP = "router_ip"
+ // TerraformOutputKeyRouterIPs is the ip addresses of the router.
+ TerraformOutputKeyRouterIPs = "router_ips"
// TerraformOutputKeyNetworkID is the private worker network.
TerraformOutputKeyNetworkID = "network_id"
// TerraformOutputKeyNetworkName is the private worker network name.
@@ -73,7 +74,7 @@ func ComputeTerraformerTemplateValues(
}
outputKeysConfig = map[string]interface{}{
"routerID": TerraformOutputKeyRouterID,
- "routerIP": TerraformOutputKeyRouterIP,
+ "routerIPs": TerraformOutputKeyRouterIPs,
"networkID": TerraformOutputKeyNetworkID,
"networkName": TerraformOutputKeyNetworkName,
"keyName": TerraformOutputKeySSHKeyName,
@@ -204,7 +205,7 @@ type TerraformState struct {
// RouterID is the id the router between provider network and the worker subnet.
RouterID string
// RouterIP is the ip address of the router.
- RouterIP string
+ RouterIPs string
// NetworkID is the private worker network.
NetworkID string
// NetworkName is the private worker network name.
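Review bot: The comment above the renamed field still reads "RouterIP is the ip address of the router.", which no longer matches the name or the content. The field is a single string carrying several addresses, so the comment should state the encoding, for example `// RouterIPs is the comma-separated list of the router's external fixed IP addresses.` TerraformState starts and ends outside the hunk.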
@@ -228,7 +229,7 @@ func ExtractTerraformState(ctx context.Context, tf terraformer.Terraformer, conf
outputKeys := []string{
TerraformOutputKeySSHKeyName,
TerraformOutputKeyRouterID,
- TerraformOutputKeyRouterIP,
+ TerraformOutputKeyRouterIPs,
TerraformOutputKeyNetworkID,
TerraformOutputKeyNetworkName,
TerraformOutputKeySubnetID,
@@ -249,7 +250,7 @@ func ExtractTerraformState(ctx context.Context, tf terraformer.Terraformer, conf
return &TerraformState{
SSHKeyName: vars[TerraformOutputKeySSHKeyName],
RouterID: vars[TerraformOutputKeyRouterID],
- RouterIP: vars[TerraformOutputKeyRouterIP],
+ RouterIPs: vars[TerraformOutputKeyRouterIPs],
NetworkID: vars[TerraformOutputKeyNetworkID],
NetworkName: vars[TerraformOutputKeyNetworkName],
SubnetID: vars[TerraformOutputKeySubnetID],
@@ -271,6 +272,11 @@ func StatusFromTerraformState(state *TerraformState) *apiv1alpha1.Infrastructure
Name: state.ShareNetworkName,
}
}
+ routerIPs := strings.Split(state.RouterIPs, ",")
+ var routerIP string
+ if len(routerIPs) > 0 {
+ routerIP = routerIPs[0]
+ }
return &apiv1alpha1.InfrastructureStatus{
TypeMeta: StatusTypeMeta,
Networks: apiv1alpha1.NetworkStatus{
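Review bot: `strings.Split(state.RouterIPs, ",")` returns a one-element slice containing the empty string when RouterIPs is empty, so the `len(routerIPs) > 0` check is always true and ExternalFixedIPs becomes `[""]` rather than empty. Guard the split with `if state.RouterIPs != ""` and leave both `routerIPs` and `routerIP` at their zero values otherwise. The test file only covers the three-address case; a case with an empty RouterIPs would pin this. StatusFromTerraformState continues outside the hunk.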
@@ -280,8 +286,9 @@ func StatusFromTerraformState(state *TerraformState) *apiv1alpha1.Infrastructure
ID: state.FloatingNetworkID,
},
Router: apiv1alpha1.RouterStatus{
- ID: state.RouterID,
- IP: state.RouterIP,
+ ID: state.RouterID,
+ IP: routerIP,
+ ExternalFixedIPs: routerIPs,
},
Subnets: []apiv1alpha1.Subnet{
{
diff --git a/pkg/internal/infrastructure/terraform_test.go b/pkg/internal/infrastructure/terraform_test.go
index 76aa62540..007abb724 100644
--- a/pkg/internal/infrastructure/terraform_test.go
+++ b/pkg/internal/infrastructure/terraform_test.go
@@ -126,7 +126,7 @@ var _ = Describe("Terraform", func() {
}
expectedOutputKeysValues = map[string]interface{}{
"routerID": TerraformOutputKeyRouterID,
- "routerIP": TerraformOutputKeyRouterIP,
+ "routerIPs": TerraformOutputKeyRouterIPs,
"networkID": TerraformOutputKeyNetworkID,
"networkName": TerraformOutputKeyNetworkName,
"keyName": TerraformOutputKeySSHKeyName,
@@ -249,7 +249,7 @@ var _ = Describe("Terraform", func() {
var (
SSHKeyName string
RouterID string
- RouterIP string
+ RouterIPs string
NetworkID string
SubnetID string
FloatingNetworkID string
@@ -263,7 +263,7 @@ var _ = Describe("Terraform", func() {
BeforeEach(func() {
SSHKeyName = "my-key"
RouterID = "111"
- RouterIP = "1.1.1.1"
+ RouterIPs = "1.1.1.1,2.2.2.2,3.3.3.3"
NetworkID = "222"
SubnetID = "333"
FloatingNetworkID = "444"
@@ -273,7 +273,7 @@ var _ = Describe("Terraform", func() {
state = TerraformState{
SSHKeyName: SSHKeyName,
RouterID: RouterID,
- RouterIP: RouterIP,
+ RouterIPs: RouterIPs,
NetworkID: NetworkID,
SubnetID: SubnetID,
FloatingNetworkID: FloatingNetworkID,
@@ -290,7 +290,12 @@ var _ = Describe("Terraform", func() {
ID: state.NetworkID,
Router: apiv1alpha1.RouterStatus{
ID: state.RouterID,
- IP: state.RouterIP,
+ IP: "1.1.1.1",
+ ExternalFixedIPs: []string{
+ "1.1.1.1",
+ "2.2.2.2",
+ "3.3.3.3",
+ },
},
FloatingPool: apiv1alpha1.FloatingPoolStatus{
ID: FloatingNetworkID,
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
index bffc66ba1..1c15551cd 100644
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -5,7 +5,10 @@
package utils
import (
+ "fmt"
"strings"
+
+ utilsnet "k8s.io/utils/net"
)
// IsEmptyString checks whether a string is empty
@@ -53,3 +56,17 @@ func SimpleMatch(pattern, text string) (bool, int) {
return false, 0
}
+
+// ComputeEgressCIDRs converts an IP to a CIDR depending on the IP family.
+func ComputeEgressCIDRs(ips []string) []string {
+ var result []string
+ for _, ip := range ips {
+ switch {
+ case utilsnet.IsIPv4String(ip):
+ result = append(result, fmt.Sprintf("%s/32", ip))
+ case utilsnet.IsIPv6String(ip):
+ result = append(result, fmt.Sprintf("%s/128", ip))
+ }
+ }
+ return result
+}
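Review bot: ComputeEgressCIDRs silently drops any entry that is neither an IPv4 nor an IPv6 string, because the `switch` has no default case, and the doc comment does not mention it. Callers therefore cannot tell a router without addresses from one whose addresses failed to parse, for instance an entry with surrounding whitespace. At minimum the comment should say so: `// ComputeEgressCIDRs converts each IP to a single-host CIDR (/32 for IPv4, /128 for IPv6); entries that are not valid IPs are skipped.` If skipped entries should be noticed, returning them or an error alongside the result would make that possible.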
diff --git a/test/integration/infrastructure/infrastructure_test.go b/test/integration/infrastructure/infrastructure_test.go
index 8098bd230..158c36911 100644
--- a/test/integration/infrastructure/infrastructure_test.go
+++ b/test/integration/infrastructure/infrastructure_test.go
@@ -51,6 +51,7 @@ import (
"github.com/gardener/gardener-extension-provider-openstack/pkg/controller/infrastructure"
"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
openstackclient "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
+ "github.com/gardener/gardener-extension-provider-openstack/pkg/utils"
)
const (
@@ -689,9 +690,17 @@ func verifyCreation(infraStatus extensionsv1alpha1.InfrastructureStatus, provide
Expect(router.Status).To(Equal("ACTIVE"))
infrastructureIdentifier.routerID = ptr.To(router.ID)
+ var externalFixedIPs []string
+ for _, ip := range router.GatewayInfo.ExternalFixedIPs {
+ if ip.IPAddress != "" {
+ externalFixedIPs = append(externalFixedIPs, ip.IPAddress)
+ }
+ }
+
// verify router ip in status
Expect(router.GatewayInfo.ExternalFixedIPs).NotTo(BeEmpty())
Expect(providerStatus.Networks.Router.IP).To(Equal(router.GatewayInfo.ExternalFixedIPs[0].IPAddress))
+ Expect(providerStatus.Networks.Router.ExternalFixedIPs).To(ContainElements(externalFixedIPs))
// network is created
net, err := networkClient.GetNetworkByID(providerStatus.Networks.ID)
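Review bot: `ContainElements` is a subset check, so the added assertion on `providerStatus.Networks.Router.ExternalFixedIPs` still passes when the status lists addresses the router does not have; `ConsistOf(externalFixedIPs)` would require an exact match. The same applies to the egress CIDR assertion in the next hunk, which additionally computes its expectation with `utils.ComputeEgressCIDRs`, the helper used in production. That assertion passes trivially if the helper returns nothing and cannot catch a bug in the helper itself. Building the expected CIDRs in the test from `externalFixedIPs`, with an explicit `NotTo(BeEmpty())`, would make the check independent. verifyCreation starts and ends outside these hunks.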
@@ -721,8 +730,7 @@ func verifyCreation(infraStatus extensionsv1alpha1.InfrastructureStatus, provide
infrastructureIdentifier.keyPair = ptr.To(keyPair.Name)
// verify egressCIDRs
- expectedCIDRDs := []string{providerStatus.Networks.Router.IP + "/32"}
- Expect(infraStatus.EgressCIDRs).To(Equal(expectedCIDRDs))
+ Expect(infraStatus.EgressCIDRs).To(ContainElements(utils.ComputeEgressCIDRs(providerStatus.Networks.Router.ExternalFixedIPs)))
return infrastructureIdentifier, providerStatus
}