diff --git a/flake.lock b/flake.lock
index 8980415..6871a68 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1715316543,
- "narHash": "sha256-4XOPcWmyH77Gd+cvVr2Hp7PHAlNAesvsLtHHbqy8xfA=",
+ "lastModified": 1716977081,
+ "narHash": "sha256-pFe5jLeIPlKEln5n2h998d7cpzXFdbrBMRe3suz4K1o=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c669412a552f31c45adad47894e7fd6a8698e53f",
+ "rev": "ac82a513e55582291805d6f09d35b6d8b60637a1",
 "type": "github"
 },
 "original": {
diff --git a/main.tf b/main.tf
index 3eaf348..36b6aff 100644
--- a/main.tf
+++ b/main.tf
@@ -44,7 +44,7 @@ locals {
 # vpc
 vpc_name = var.vpc_name
- vpc_cidr = (var.vpc_cidr == "" ? "10.0.255.0/24" : var.vpc_cidr)
+ vpc_cidr = var.vpc_cidr
 # subnet
 subnets = var.subnets
@@ -122,7 +122,7 @@ module "network_load_balancer" {
 name = local.load_balancer_name
 vpc_id = module.vpc[0].id
 security_group_id = module.security_group[0].id
- subnet_ids = [for subnet in module.subnet : subnet.id]
+ subnets = { for s in keys(local.subnets) : s => { id = module.subnet[s].id, cidr = module.subnet[s].cidr } }
 access_info = local.load_balancer_access_cidrs
 }
@@ -138,5 +138,5 @@ module "domain" {
 use = local.domain_use_strategy
 cert_use_strategy = local.cert_use_strategy
 content = lower(local.domain)
- ip = module.network_load_balancer[0].public_ip
+ ips = module.network_load_balancer[0].public_ips
 }
diff --git a/modules/domain/main.tf b/modules/domain/main.tf
index e6e5aa1..3ce3a05 100644
--- a/modules/domain/main.tf
+++ b/modules/domain/main.tf
@@ -2,7 +2,7 @@ locals {
 use = var.use
 cert_use = var.cert_use_strategy
 content = lower(var.content)
- ip = var.ip
+ ips = var.ips
 content_parts = split(".", local.content)
 top_level_domain = join(".", [
@@ -48,7 +48,7 @@ resource "aws_route53_record" "new" {
 name = local.content
 type = "A"
 ttl = 30
- records = [local.ip]
+ records = local.ips
 }
 # cert generation
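Review bot: `vpc_cidr = var.vpc_cidr` drops the empty-string fallback without replacing the check, and the new root default in `variables.tf` (`"10.0.0.0/16"`) is a different network than the old fallback (`"10.0.255.0/24"`), so a deployment that never set `vpc_cidr` will plan a VPC CIDR change, which replaces the VPC and everything inside it. A caller that still passes `""` explicitly now forwards it straight to the VPC module instead of getting a default. Both cases are better caught by a `validation` block on `vpc_cidr` with `condition = can(cidrhost(var.vpc_cidr, 0))` and a sentence in the description saying the default moved from a /24 to a /16, so the failure surfaces at plan time with a clear message rather than as the AWS "invalid CIDR" error the description already warns about. The `locals` block starts and ends outside this hunk.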
diff --git a/modules/domain/variables.tf b/modules/domain/variables.tf
index f761a64..36f044d 100644
--- a/modules/domain/variables.tf
+++ b/modules/domain/variables.tf
@@ -30,11 +30,11 @@ variable "content" {
 EOT
 }
-variable "ip" {
- type = string
+variable "ips" {
+ type = list(string)
 description = <<-EOT
- The ip address to attach to the domain.
- When selecting a domain we won't generate any domain objects, we won't create a cert.
+ The ip addresses to attach to the domain.
+ When selecting a domain we won't generate any domain objects and we won't create a cert.
 EOT
- default = ""
+ default = []
 }
diff --git a/modules/network_load_balancer/main.tf b/modules/network_load_balancer/main.tf
index fe510e5..e4e074f 100644
--- a/modules/network_load_balancer/main.tf
+++ b/modules/network_load_balancer/main.tf
@@ -3,12 +3,12 @@ locals {
 name = var.name
 vpc_id = var.vpc_id
 security_group_id = var.security_group_id
- subnet_ids = var.subnet_ids
+ subnets = var.subnets
 access_info = (var.access_info == null ? {} : var.access_info)
 create = (local.use == "create" ? 1 : 0)
 select = (local.use == "select" ? 1 : 0)
- eip = (local.select == 1 ? data.aws_eip.selected[0] : aws_eip.created[0])
- public_ip = (local.select == 1 ? data.aws_eip.selected[0].public_ip : aws_eip.created[0].public_ip)
+ eips = (local.select == 1 ? data.aws_eip.selected : aws_eip.created)
+ public_ips = (local.select == 1 ? [for e in data.aws_eip.selected : e.public_ip if can(e.public_ip)] : [for e in aws_eip.created : e.public_ip if can(e.public_ip)])
 }
 data "aws_lb" "selected" {
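Review bot: `can(e.public_ip)` in the new `public_ips` local never filters anything: `can()` only reports evaluation errors, and reading a declared attribute of an EIP object succeeds even when its value is null, so both comprehensions reduce to a plain `[for e in … : e.public_ip]`. If the intent is to drop addresses that are not yet known or are empty, the condition has to test the value, e.g. `[for e in aws_eip.created : e.public_ip if e.public_ip != null && e.public_ip != ""]` on each branch. The `eips` conditional returns a data-source object map on one arm and a resource object map on the other; Terraform has to unify the two arm types and may reject objects with different attribute sets (the earlier `[0]` form had the same exposure), so a comment such as `# only .id is ever read from eips; both arms expose it` would record why this is expected to work. The `locals` block begins before the hunk.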
@@ -19,21 +19,25 @@ data "aws_lb" "selected" {
 }
 data "aws_eip" "selected" {
- count = local.select
+ for_each = (local.select == 1 ? local.subnets : {})
 filter {
- name = "description"
- values = ["ELB net/${data.aws_lb.selected[0].name}/*"]
+ name = "name"
+ values = [local.name]
 }
 }
 resource "aws_eip" "created" {
- count = local.create
- domain = "vpc"
+ for_each = (local.create == 1 ? local.subnets : {})
+ domain = "vpc"
+ associate_with_private_ip = cidrhost(each.value.cidr, -2) # map the eip to the last available ip of the private subnet
+ tags = {
+ Name = local.name
+ }
 }
 resource "aws_security_group" "load_balancer" {
 count = local.create
- name = "${local.name}-lb"
+ name = local.name
 description = "Security group for load balancer ${local.name}"
 vpc_id = local.vpc_id
 tags = {
@@ -52,16 +56,17 @@ resource "aws_security_group_rule" "external_ingress" {
 }
 resource "aws_lb" "new" {
- count = local.create
- name = local.name
- internal = false
- load_balancer_type = "network"
- security_groups = [local.security_group_id]
+ count = local.create
+ name = local.name
+ internal = false
+ load_balancer_type = "network"
+ security_groups = [local.security_group_id]
+ enable_cross_zone_load_balancing = true
 dynamic "subnet_mapping" {
- for_each = toset(local.subnet_ids)
+ for_each = local.subnets
 content {
- subnet_id = subnet_mapping.key
- allocation_id = local.eip.id
+ subnet_id = subnet_mapping.value.id
+ allocation_id = local.eips[subnet_mapping.key].id
 }
 }
 tags = {
diff --git a/modules/network_load_balancer/outputs.tf b/modules/network_load_balancer/outputs.tf
index ecc90ff..0044666 100644
--- a/modules/network_load_balancer/outputs.tf
+++ b/modules/network_load_balancer/outputs.tf
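Review bot: `name = "name"` in the `data "aws_eip" "selected"` filter is not a DescribeAddresses filter key (addresses are matched on `tag:Name`, `public-ip`, `allocation-id`, `private-ip-address` and similar), so the select path fails before anything is read; since the created EIPs are tagged `Name = local.name`, the filter should be `name = "tag:Name"`. Even with that fix every `for_each` instance issues the identical query, and `data "aws_eip"` errors when more than one address matches, so selecting with two or more subnets needs a per-subnet discriminator — tagging each created EIP with its subnet key and filtering on that tag is one way, shown below. `associate_with_private_ip` on `aws_eip.created` is, as far as I can tell, only applied by the provider together with `instance` or `network_interface`, neither of which is set, so the "last available ip" comment may promise more than the resource does and should be confirmed or reworded; `enable_cross_zone_load_balancing = true` also changes the NLB's traffic and billing behaviour and deserves a one-line comment. The `aws_lb.new` block continues past the end of the hunk.
```hcl
data "aws_eip" "selected" {
  for_each = (local.select == 1 ? local.subnets : {})
  filter {
    name   = "tag:Name"
    values = [local.name]
  }
  filter {
    name   = "tag:Subnet" # constructed tag key; must match the tag written on aws_eip.created
    values = [each.key]
  }
}
# … unchanged: aws_eip.created for_each / domain / associate_with_private_ip …
  tags = {
    Name   = local.name
    Subnet = each.key
  }
```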
@@ -7,12 +7,12 @@ output "dns_name" {
 output "load_balancer" {
 value = (local.select == 1 ? data.aws_lb.selected[0] : aws_lb.new[0])
 }
-output "public_ip" {
- value = local.public_ip
+output "public_ips" {
+ value = local.public_ips
 }
 output "listeners" {
 value = (local.create == 1 ? aws_lb_listener.created : {})
 }
 output "target_groups" {
 value = aws_lb_target_group.created
-}
\ No newline at end of file
+}
diff --git a/modules/network_load_balancer/variables.tf b/modules/network_load_balancer/variables.tf
index ab26ee9..5eb2ab8 100644
--- a/modules/network_load_balancer/variables.tf
+++ b/modules/network_load_balancer/variables.tf
@@ -30,12 +30,20 @@ variable "security_group_id" {
 EOT
 default = ""
 }
-variable "subnet_ids" {
- type = list(string)
+variable "subnets" {
+ type = map(object({
+ id = string
+ cidr = string
+ }))
 description = <<-EOT
- The subnet ids to attach to the Load Balancer.
+ Map of subnets to attach to the Load Balancer.
 EOT
- default = []
+ default = {
+ "dummy" = {
+ id = ""
+ cidr = ""
+ }
+ }
 }
 variable "access_info" {
 type = map(object({
diff --git a/variables.tf b/variables.tf
index 0340daf..56c5d6c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -32,7 +32,7 @@ variable "vpc_cidr" {
 If you attempt to generate a VPC that has no usable addresses you will get an "invalid CIDR" error from AWS.
 If you attempt to generate a subnet that uses one of the addresses reserved by AWS in the VPC's CIDR, you will get an "invalid CIDR" error from AWS.
 EOT
- default = ""
+ default = "10.0.0.0/16"
 }
 # subnet
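Review bot: The new default `{ "dummy" = { id = "", cidr = "" } }` for `subnets` is a live value rather than an absence: with `use = "create"` it yields an `aws_eip.created["dummy"]` whose `cidrhost("", -2)` fails with an unhelpful error and a `subnet_mapping` with an empty `subnet_id`, whereas the old `[]` default simply produced no mappings. Prefer `default = {}` (or drop the default to make the input required) and add a `validation` block checking `alltrue([for s in var.subnets : can(cidrhost(s.cidr, 0))])` so a malformed CIDR is rejected at plan time with a clear message. The description should also say that the map key becomes the `for_each` key for the EIPs and subnet mappings, so renaming a key recreates those resources.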