diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 11bda25cde..57e00ebfda 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -33,6 +33,7 @@ type CreateClusterCmd struct {
 NetworkCIDR string
 DNSZone string
 AdminAccess string
+ AssociatePublicIP bool
 }
 
 var createCluster CreateClusterCmd
@@ -80,6 +81,8 @@ func init() {
 cmd.Flags().StringVar(&createCluster.DNSZone, "dns-zone", "", "DNS hosted zone to use (defaults to last two components of cluster name)")
 cmd.Flags().StringVar(&createCluster.OutDir, "out", "", "Path to write any local output")
 cmd.Flags().StringVar(&createCluster.AdminAccess, "admin-access", "", "Restrict access to admin endpoints (SSH, HTTPS) to this CIDR. If not set, access will not be restricted by IP.")
+
+ cmd.Flags().BoolVar(&createCluster.AssociatePublicIP, "no-associate-public-ip", true, "Specify --no-associate-public-ip to disable association of public IP for master ASG and nodes.")
 }
 
 func (c *CreateClusterCmd) Run(args []string) error {
@@ -354,6 +357,9 @@ func (c *CreateClusterCmd) Run(args []string) error {
 fmt.Println("Previewing changes that will be made:\n")
 }
 
+ glog.V(1).Info("Associate Public IP: %v", c.AssociatePublicIP)
+ fullCluster.Spec.AssociatePublicIP = &c.AssociatePublicIP
+
 applyCmd := &cloudup.ApplyClusterCmd{
 Cluster: fullCluster,
 InstanceGroups: fullInstanceGroups,
diff --git a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
index 642e5cebcd..2c1d68b17f 100644
--- a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
+++ b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
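Review bot: Passing `--no-associate-public-ip` as the help text instructs does not disable anything, because the flag in the second hunk is bound directly to `AssociatePublicIP` with a default of `true` and a bare boolean flag sets its target to true. The value only becomes false if the user writes `--no-associate-public-ip=false`, so an operator who believes the master ASG and nodes are launched without public addresses still gets them. Either name the flag positively, `cmd.Flags().BoolVar(&createCluster.AssociatePublicIP, "associate-public-ip", true, "Specify --associate-public-ip=false to disable association of public IP for master ASG and nodes.")`, or bind a separate bool that defaults to false and invert it in Run. init() begins above the hunk.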
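Review bot: `glog.V(1).Info` does not interpret format verbs, so the added log line in the third hunk prints a literal `%v` next to the value; it should be `glog.V(1).Infof("Associate Public IP: %v", c.AssociatePublicIP)`. The following assignment stores `&c.AssociatePublicIP` unconditionally, so the spec is overwritten with the flag value on every run, including its default of `true` when the user never passed the flag. If `fullCluster` can carry a value loaded from an existing spec (not visible here), assign only when the flag was given explicitly or the spec field is nil. Run starts and ends outside the hunk.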
@@ -8,7 +8,7 @@ launchConfiguration/{{ $m.Name }}.masters.{{ ClusterName }}:
 iamInstanceProfile: iamInstanceProfile/masters.{{ ClusterName }}
 imageId: {{ $m.Spec.Image }}
 instanceType: {{ $m.Spec.MachineType }}
- associatePublicIP: true
+ associatePublicIP: {{ AssociatePublicIP }}
 userData: resources/nodeup.sh _kubernetes_master
 rootVolumeSize: {{ or $m.Spec.RootVolumeSize "20" }}
 rootVolumeType: {{ or $m.Spec.RootVolumeType "gp2" }}
diff --git a/upup/models/cloudup/_aws/nodes.yaml b/upup/models/cloudup/_aws/nodes.yaml
index ae3ab88754..885173972f 100644
--- a/upup/models/cloudup/_aws/nodes.yaml
+++ b/upup/models/cloudup/_aws/nodes.yaml
@@ -52,7 +52,7 @@ launchConfiguration/{{ $nodeset.Name }}.{{ ClusterName }}:
 iamInstanceProfile: iamInstanceProfile/nodes.{{ ClusterName }}
 imageId: {{ $nodeset.Spec.Image }}
 instanceType: {{ $nodeset.Spec.MachineType }}
- associatePublicIP: true
+ associatePublicIP: {{ AssociatePublicIP }}
 userData: resources/nodeup.sh _kubernetes_pool
 rootVolumeSize: {{ or $nodeset.Spec.RootVolumeSize "20" }}
 rootVolumeType: {{ or $nodeset.Spec.RootVolumeType "gp2" }}
diff --git a/upup/pkg/api/cluster.go b/upup/pkg/api/cluster.go
index 010f5d1567..d65ad425c1 100644
--- a/upup/pkg/api/cluster.go
+++ b/upup/pkg/api/cluster.go
@@ -103,6 +103,8 @@ type ClusterSpec struct {
 // * enable debugging handlers on the master, so kubectl logs works
 IsolateMasters *bool `json:"isolateMasters,omitempty"`
 
+ AssociatePublicIP *bool `json:"associatePublicIp,omitempty"`
+
 //NetworkProvider string `json:",omitempty"`
 //
 //HairpinMode string `json:",omitempty"`
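Review bot: `{{ AssociatePublicIP }}` is rendered into `associatePublicIP:` with no fallback, and the template function it calls is not part of this diff, so its output when `ClusterSpec.AssociatePublicIP` is nil cannot be checked here. The spec field is a `*bool` with `omitempty`, so a spec that was not populated by `create cluster` would presumably leave it unset. The function should return an explicit boolean in that case, and the chosen default should be documented, since it decides whether masters and nodes receive internet-routable addresses. The same applies to the identical change in `upup/models/cloudup/_aws/nodes.yaml`. The launchConfiguration block continues below the hunk.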
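Review bot: `AssociatePublicIP` is added to `ClusterSpec` in `upup/pkg/api/cluster.go` without a comment, while the neighbouring `IsolateMasters` field appears to carry one. Add something like `// AssociatePublicIP is true if instances should be launched with a public IP; nil means the default applies.` above the field; the nil behaviour is inferred and should be confirmed against the template function. The JSON key `associatePublicIp` also differs in casing from the field name and from the `associatePublicIP` key used in the launch-configuration templates, which is worth settling before the key is persisted in stored specs. ClusterSpec starts and ends outside the hunk.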