diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 581d58728ce18..40bbce7f0d5a2 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -58,7 +58,11 @@ type CreateClusterOptions struct {
 	AssociatePublicIP bool
 
 	// Channel is the location of the api.Channel to use for our defaults
-	Channel string
+	Channel string
+
+	//Subnet configuration
+	MastersPrivateSubnet bool
+	NodesPrivateSubnet bool
 }
 
 func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
@@ -111,6 +115,11 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 
 	cmd.Flags().StringVar(&options.Channel, "channel", api.DefaultChannel, "Channel for default versions and configuration to use")
 
+
+	cmd.Flags().BoolVar(&options.MastersPrivateSubnet, "masters-private-subnet", false, "Flag to control the masters' subnet visabilty. Default 'false' to use a public subnet")
+	cmd.Flags().BoolVar(&options.NodesPrivateSubnet, "nodes-private-subnet", false, "Flag to control the nodes' subnet visabilty. Default 'false' to use a public subnet")
+
+
 	return cmd
 }
 
diff --git a/docs/private-networking.md b/docs/private-networking.md
new file mode 100644
index 0000000000000..5ffb2965ccdcb
--- /dev/null
+++ b/docs/private-networking.md
@@ -0,0 +1,24 @@
+# Private Networking in AWS
+
+AWS offers a few different VPC subnet modes. Below are examples of different subnets that kops supports.
+
+Kops will default to **public** subnets. In order to override this behavior use the following flags to change subnet type for instance groups.
+
+##### Subnet modes
+
+### All Private
+
+All masters and minions running in a private subnet in a VPC
+
+```
+ kops create cluster ... --masters-private-subnet --nodes-private-subnet
+```
+
+### Private Masters, Public Nodes
+
+All masters running in a private subnet with all nodes in a public subnet in a VPC
+
+```
+ kops create cluster ... --masters-private-subnet
+```
+
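Review bot: The new group comment `//Subnet configuration` is missing the space after `//` that Go comments conventionally carry, and unlike the adjacent `Channel` field the two new exported fields have no per-field doc comment. I would replace the group comment with one per field in the same form as `// Channel is ...` above: `// MastersPrivateSubnet places the masters in a private subnet when true.` and `// NodesPrivateSubnet places the nodes in a private subnet when true.` (wording taken from the flag help text). Note also that `NodesPrivateSubnet bool` is not column-aligned with the field above it, which gofmt would change. The `type CreateClusterOptions struct {` line appears only in the hunk header, so the struct starts before this hunk.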
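Review bot: Nothing in this hunk reads `options.MastersPrivateSubnet` or `options.NodesPrivateSubnet` after the two new `BoolVar` lines bind them, so as far as this diff shows the flags are parsed and then ignored; the wiring into the cluster spec presumably lives in the run function outside this hunk and should be confirmed, because a network-isolation flag that silently does nothing is worse than no flag at all. The help strings misspell "visibility" (`visabilty`) and restate the default that cobra already prints; I would change them to `"Place the masters in a private subnet (default: public subnet)"` and `"Place the nodes in a private subnet (default: public subnet)"`. Since the same options struct already carries `AssociatePublicIP`, it is worth either rejecting or explicitly documenting the combination of a private subnet with a public IP, so that "private subnet" is not mistaken for a guarantee that the instances are unreachable from the Internet. `NewCmdCreateCluster` begins before this hunk.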