diff --git a/pkg/model/awsmodel/network.go b/pkg/model/awsmodel/network.go
index bba4bd205b..f6fad3ae85 100644
--- a/pkg/model/awsmodel/network.go
+++ b/pkg/model/awsmodel/network.go
@@ -18,6 +18,7 @@ package awsmodel
 
 import (
 	"fmt"
+	"net"
 	"strings"
 
 	aws "k8s.io/cloud-provider-aws/pkg/providers/v1"
@@ -294,6 +295,19 @@ func (b *NetworkModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 
 		if subnetSpec.CIDR != "" {
 			subnet.CIDR = fi.PtrTo(subnetSpec.CIDR)
+			for _, cidr := range b.Cluster.Spec.Networking.AdditionalNetworkCIDRs {
+				_, additionalCIDR, err := net.ParseCIDR(cidr)
+				if err != nil {
+					return err
+				}
+				subnetIP, _, err := net.ParseCIDR(subnetSpec.CIDR)
+				if err != nil {
+					return err
+				}
+				if additionalCIDR.Contains(subnetIP) {
+					subnet.VPCCIDRBlock = &awstasks.VPCCIDRBlock{Name: fi.PtrTo(cidr)}
+				}
+			}
 		}
 
 		if subnetSpec.IPv6CIDR != "" {
diff --git a/upup/pkg/fi/cloudup/awstasks/subnet.go b/upup/pkg/fi/cloudup/awstasks/subnet.go
index 84568bb407..fd9654a683 100644
--- a/upup/pkg/fi/cloudup/awstasks/subnet.go
+++ b/upup/pkg/fi/cloudup/awstasks/subnet.go
@@ -44,6 +44,7 @@ type Subnet struct {
 
 	ID                          *string
 	VPC                         *VPC
+	VPCCIDRBlock                *VPCCIDRBlock
 	AmazonIPv6CIDR              *VPCAmazonIPv6CIDRBlock
 	AvailabilityZone            *string
 	CIDR                        *string
@@ -135,6 +136,7 @@ func (e *Subnet) Find(c *fi.CloudupContext) (*Subnet, error) {
 	actual.ShortName = e.ShortName // Not materialized in AWS
 	actual.Name = e.Name           // Name is part of Tags
 	// Task dependencies
+	actual.VPCCIDRBlock = e.VPCCIDRBlock
 	actual.AmazonIPv6CIDR = e.AmazonIPv6CIDR
 
 	return actual, nil