diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
index 17609c1e..8544ca44 100644
--- a/helm/cluster-aws/templates/_aws_cluster.tpl
+++ b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -35,13 +35,15 @@ spec:
 availabilityZoneUsageLimit: {{ .Values.network.availabilityZoneUsageLimit }}
 cidrBlock: {{ .Values.network.vpcCIDR }}
 subnets:
- {{- range $i, $subnet := .Values.network.subnets }}
- - cidrBlock: "{{ $subnet.cidrBlock }}"
+ {{- range $j, $subnet := .Values.network.subnets }}
+ {{- range $i, $cidr := $subnet.cidrBlocks }}
+ - cidrBlock: "{{ $cidr }}"
 availabilityZone: "{{ include "aws-region" $ }}{{ add 97 $i | printf "%c" }}"
- isPublic: {{ $subnet.isPublic }}
+ isPublic: {{ $subnet.isPublic | default false }}
 tags:
 {{- toYaml $subnet.tags | nindent 8 }}
 {{- end }}
+ {{- end }}
 sshKeyName: ssh-key
 region: {{ include "aws-region" . }}
 {{ end }}
diff --git a/helm/cluster-aws/templates/_validation.tpl b/helm/cluster-aws/templates/_validation.tpl
index 80348c58..17ce8cc5 100644
--- a/helm/cluster-aws/templates/_validation.tpl
+++ b/helm/cluster-aws/templates/_validation.tpl
@@ -9,4 +9,11 @@ Instead this is used to perform some validation checks on values that dont make
 {{- fail "`.Values.network.apiMode` cannot be 'public' if `.Values.network.vpcMode` is set to 'private'" }}
 {{ end }}
+{{- range $i, $subnet := .Values.network.subnets }}
+{{ if neq (len $subnet.cidrBlocks) .Values.network.availabilityZoneUsageLimit }}
+{{- fail "`cidrBlocks` must contain the same number of entries as specified by `.network.availabilityZoneUsageLimit`" }}
+{{ end }}
+{{- end }}
+
+
 {{- end -}}
diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
index 1090c78f..880c837b 100644
--- a/helm/cluster-aws/values.yaml
+++ b/helm/cluster-aws/values.yaml
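Review bot: In `_aws_cluster.tpl` the outer index `$j` of the new `range $j, $subnet := .Values.network.subnets` is never used, and nothing near the `availabilityZone` line says that the inner `$i` is what now selects the zone letter. I would write the outer loop as `{{- range $subnet := .Values.network.subnets }}` and put a template comment above the inner loop, for example `{{- /* position in cidrBlocks selects the AZ: 0 -> <region>a, 1 -> <region>b, ... */}}`. An entry that still uses the old singular `cidrBlock` key would presumably make the inner range iterate over nothing and emit no subnet for that group, so the only guard against a silently smaller network layout is the length check in `_validation.tpl`. The enclosing template starts outside the hunk.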
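Review bot: The guard added in `_validation.tpl` is unlikely to evaluate as written: I do not believe `neq` exists among the Go template built-ins or the Sprig functions Helm exposes (the comparison is `ne`), and inside `range` the dot is rebound to the current subnet, so `.Values.network.availabilityZoneUsageLimit` no longer reaches the chart values. Something like `{{- if ne (len $subnet.cidrBlocks) (int $.Values.network.availabilityZoneUsageLimit) }}` addresses both; the `int` cast is there because Helm commonly hands numeric values over as float64, which `ne` will not compare with the int returned by `len` (worth confirming with `helm template`). Since this check is the only thing bounding the AZ letter computed in `_aws_cluster.tpl`, a render test with a deliberately mismatched `cidrBlocks` length would show that it really fires. The enclosing define starts outside the hunk.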
@@ -49,54 +49,18 @@ network:
 # subnets defines all the subnets for a cluster.
 # There must be at least as many as the value of `availabilityZoneUsageLimit` and all subnets must be within the `vpcCIDR` range.
 subnets:
- - cidrBlock: 10.0.0.0/23
- availabilityZone: eu-west-1a
+ - cidrBlocks: ["10.0.0.0/23", "10.0.2.0/23", "10.0.4.0/23"]
 isPublic: true
 tags:
 subnet.giantswarm.io/role: load-balancers
- - cidrBlock: 10.0.2.0/23
- availabilityZone: eu-west-1b
- isPublic: true
- tags:
- subnet.giantswarm.io/role: load-balancers
- - cidrBlock: 10.0.4.0/23
- availabilityZone: eu-west-1c
- isPublic: true
- tags:
- subnet.giantswarm.io/role: load-balancers
-
- - cidrBlock: 10.0.6.0/23
- availabilityZone: eu-west-1a
+ - cidrBlocks: ["10.0.6.0/23", "10.0.8.0/23", "10.0.10.0/23"]
 isPublic: false
 tags:
 subnet.giantswarm.io/role: control-plane
- - cidrBlock: 10.0.8.0/23
- availabilityZone: eu-west-1b
- isPublic: false
- tags:
- subnet.giantswarm.io/role: control-plane
- - cidrBlock: 10.0.10.0/23
- availabilityZone: eu-west-1c
- isPublic: false
- tags:
- subnet.giantswarm.io/role: control-plane
-
- - cidrBlock: 10.0.64.0/18
- availabilityZone: eu-west-1a
- isPublic: false
- tags:
- subnet.giantswarm.io/role: workers
- - cidrBlock: 10.0.128.0/18
- availabilityZone: eu-west-1b
+ - cidrBlocks: ["10.0.64.0/18", "10.0.128.0/18", "10.0.192.0/18"]
 isPublic: false
 tags:
 subnet.giantswarm.io/role: workers
- - cidrBlock: 10.0.192.0/18
- availabilityZone: eu-west-1c
- isPublic: false
- tags:
- subnet.giantswarm.io/role: workers
-
 bastion:
 enabled: true
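Review bot: The comment above `subnets:` in `values.yaml` still describes the old one-entry-per-subnet layout ("at least as many as the value of `availabilityZoneUsageLimit`"), while the validation added in this commit requires each entry's `cidrBlocks` list to have the same number of CIDRs as that limit. I would reword it along the lines of `# Each entry is a subnet group; cidrBlocks must list exactly availabilityZoneUsageLimit CIDRs, one per AZ in order (a, b, c, ...), all within vpcCIDR.` It is also worth stating there that `isPublic` falls back to `false` when omitted, since that field decides whether a group is internet-facing, and that the per-subnet `availabilityZone` key is no longer read.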