diff --git a/pkg/apis/kops/validation/aws.go b/pkg/apis/kops/validation/aws.go
index 078c8bfd3c..85d77ec7ca 100644
--- a/pkg/apis/kops/validation/aws.go
+++ b/pkg/apis/kops/validation/aws.go
@@ -40,6 +40,7 @@ func awsValidateCluster(c *kops.Cluster) field.ErrorList {
 allErrs = append(allErrs, awsValidateAdditionalSecurityGroups(field.NewPath("spec", "api", "loadBalancer", "additionalSecurityGroups"), c.Spec.API.LoadBalancer.AdditionalSecurityGroups)...)
 allErrs = append(allErrs, awsValidateSSLPolicy(field.NewPath("spec", "api", "loadBalancer", "sslPolicy"), c.Spec.API.LoadBalancer)...)
 allErrs = append(allErrs, awsValidateLoadBalancerSubnets(field.NewPath("spec", "api", "loadBalancer", "subnets"), c.Spec)...)
+ allErrs = append(allErrs, awsValidateTopologyDNS(field.NewPath("spec", "api", "loadBalancer", "type"), c)...)
 }
 }
 
@@ -273,6 +274,16 @@ func awsValidateMixedInstancesPolicy(path *field.Path, spec *kops.MixedInstances
 return errs
 }
 
+func awsValidateTopologyDNS(fieldPath *field.Path, c *kops.Cluster) field.ErrorList {
+ allErrs := field.ErrorList{}
+
+ if c.UsesNoneDNS() && c.Spec.API != nil && c.Spec.API.LoadBalancer != nil && c.Spec.API.LoadBalancer.Class != kops.LoadBalancerClassNetwork {
+ allErrs = append(allErrs, field.Forbidden(fieldPath, "topology.dns.type=none requires Network Load Balancer"))
+ }
+
+ return allErrs
+}
+
 func awsValidateSSLPolicy(fieldPath *field.Path, spec *kops.LoadBalancerAccessSpec) field.ErrorList {
 allErrs := field.ErrorList{}
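Review bot: The path passed to awsValidateTopologyDNS on the added line is `spec.api.loadBalancer.type`, but the check in that function (second hunk) compares `LoadBalancer.Class`, so the Forbidden error is reported against a field the user does not need to change. If the class is serialized as `class`, as the Go field name suggests, the call should read `awsValidateTopologyDNS(field.NewPath("spec", "api", "loadBalancer", "class"), c)`. The body of awsValidateCluster starts and ends outside this hunk, so the guards around this call are not visible here.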
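Review bot: awsValidateTopologyDNS is added without a doc comment, and its condition treats an unset `Class` the same as a non-network one, which a reader should be told. I would add `// awsValidateTopologyDNS forbids topology.dns.type=none unless the API load balancer class is Network; an empty class is rejected as well.` above the function. Whether `Class` is defaulted before this validation runs is not visible in the diff; if it is not, clusters that omit the field will hit this error, so the ordering should be confirmed. The error text could also name the field to set, for example `"topology.dns.type=none requires a Network Load Balancer (class: Network)"`.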