diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
index 689aa56c89..1fd3b5f94a 100644
--- a/pkg/model/awsmodel/api_loadbalancer.go
+++ b/pkg/model/awsmodel/api_loadbalancer.go
@@ -183,9 +183,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 Type: fi.String("network"),
 IpAddressType: fi.String("ipv4"),
 }
- // DualStack can only be used for public NLB
- // https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-with-ipv6
- if b.UseIPv6ForAPI() && lbSpec.Type == kops.LoadBalancerTypePublic {
+ if b.UseIPv6ForAPI() {
 nlb.IpAddressType = fi.String("dualstack")
 }
 
diff --git a/upup/pkg/fi/cloudup/awstasks/network_load_balancer.go b/upup/pkg/fi/cloudup/awstasks/network_load_balancer.go
index 554b774472..714751c530 100644
--- a/upup/pkg/fi/cloudup/awstasks/network_load_balancer.go
+++ b/upup/pkg/fi/cloudup/awstasks/network_load_balancer.go
@@ -402,6 +402,11 @@ func (e *NetworkLoadBalancer) Find(c *fi.Context) (*NetworkLoadBalancer, error)
 e.LoadBalancerName = actual.LoadBalancerName
 }
 
+ // An existing internal NLB can't be updated to dualstack.
+ if fi.StringValue(actual.Scheme) == elbv2.LoadBalancerSchemeEnumInternal && fi.StringValue(actual.IpAddressType) == elbv2.IpAddressTypeIpv4 {
+ e.IpAddressType = actual.IpAddressType
+ }
+
 // We allow for the LoadBalancerName to be wrong:
 // 1. We don't want to force a rename of the NLB, because that is a destructive operation
 if fi.StringValue(e.LoadBalancerName) != fi.StringValue(actual.LoadBalancerName) {
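Review bot: The new `if b.UseIPv6ForAPI() {` branch carries no comment, and the removed one held the only rationale for when the API NLB is dualstack, so the widened scope is now undocumented. With the `lbSpec.Type` check gone, an internal API load balancer also gets IPv6 addresses, which changes how the Kubernetes API endpoint can be reached. I would add a comment such as `// Public and internal NLBs are both created as dualstack; API access rules must cover IPv6 as well as IPv4.` The access rules themselves are built outside this hunk, so it is worth confirming they have IPv6 equivalents for the internal case. Build's body starts and ends outside the hunk.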
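Review bot: The added block in Find overwrites the desired `e.IpAddressType` with the actual value whenever the existing NLB is internal and ipv4, and it does so silently. An operator who enables IPv6 for the API on such a cluster will see no pending change and no message, while the load balancer stays IPv4-only. I would log the divergence inside the `if`, for example `klog.Warningf("internal NLB %q remains ipv4; it must be recreated to become dualstack", fi.StringValue(actual.LoadBalancerName))`, assuming klog is already imported in this file. The comment could also say that the desired value is being pinned to the actual one so the task does not attempt an update it cannot perform. Find's body starts and ends outside the hunk.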