diff --git a/docs/calico.md b/docs/calico.md
index ab421166487b941008d298ebdb07a32191c9b5c8..74df6d7e2481f6fc957408f5fc3089aa52c54e77 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -71,3 +71,8 @@ you'll need to edit the inventory and add a and a hostvar `local_as` by node.
 ```
 node1 ansible_ssh_host=95.54.0.12 local_as=xxxxxx
 ```
+
+Cloud providers configuration
+=============================
+
+Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``ipip: true`` if the cloud provider was defined.
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 9c7d34c27e7031d3c51cf27ced87199d097a674f..901544ac21a07a2a25f3694329a9f062724b52fa 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -71,7 +71,7 @@
 
 - name: Fix ipv4 forward rule in GCE security policy
   lineinfile:
-    dest: /etc/sysctl.d/11-gce-network-security.conf
+    dest: /etc/sysctl.d/99-sysctl.conf
     regexp: '^net.ipv4.ip_forward='
     line: 'net.ipv4.ip_forward=1'
     state: present