Can't close/open ports without external network

The following set of messages is polluting the machine-0.log making juju rotate it every ~3 hours:

2018-08-24 14:19:26 DEBUG juju.worker.dependency engine.go:504 "firewaller" manifold worker stopped: cannot respond to units changes for "machine-9": Can't close/open ports without external n
etwork
2018-08-24 14:19:26 ERROR juju.worker.dependency engine.go:551 "firewaller" manifold worker returned unexpected error: cannot respond to units changes for "machine-9": Can't close/open ports without external network
2018-08-24 14:19:26 DEBUG juju.worker.dependency engine.go:553 stack trace:
github.com/juju/juju/provider/vsphere/instance.go:89: Can't close/open ports without external network
github.com/juju/juju/worker/firewaller/firewaller.go:381: cannot respond to units changes for "machine-9"

This environment is effectively configured without an external network:

$ juju model-config -m nps-prod
Attribute From Value
agent-metadata-url default ""
agent-stream default released
agent-version model 2.3.7
apt-ftp-proxy default ""
apt-http-proxy default ""
apt-https-proxy default ""
apt-mirror default ""
apt-no-proxy default ""
automatically-retry-hooks default true
cloudinit-userdata default ""
container-image-metadata-url default ""
container-image-stream default released
container-inherit-properties default ""
container-networking-method model local
datastore model KubeDatastore01
default-series default xenial
development default false
disable-network-management default false
egress-subnets default ""
enable-os-refresh-update default true
enable-os-upgrade default true
external-network model ""
fan-config default ""
firewall-mode default instance
ftp-proxy default ""
http-proxy default ""
https-proxy default ""
ignore-machine-addresses default false
image-metadata-url default ""
image-stream default released
logforward-enabled default false
logging-config model <root>=DEBUG;unit=TRACE
max-action-results-age default 336h
max-action-results-size default 5G
max-status-history-age default 336h
max-status-history-size default 5G
net-bond-reconfigure-delay default 17
no-proxy default 127.0.0.1,localhost,::1
primary-network model kubeprod
provisioner-harvest-mode default destroyed
proxy-ssh default false
resource-tags model {}
ssl-hostname-verification default true
test-mode default false
transmit-vendor-metrics default true
update-status-hook-interval default 5m