diff --git a/pkg/types/clusterconfig/cluster_config.go b/pkg/types/clusterconfig/cluster_config.go
index 2b47c55887..f303a63ca4 100644
--- a/pkg/types/clusterconfig/cluster_config.go
+++ b/pkg/types/clusterconfig/cluster_config.go
@@ -86,6 +86,9 @@ var (
 _maxIOPSToVolumeSizeRatioForGP3 = int64(500)
 _minIOPSToThroughputRatioForGP3 = int64(4)
 
+ _minSubnetMask = 16
+ _maxSubnetMask = 24
+
 // This regex is stricter than the actual S3 rules
 _strictS3BucketRegex = regexp.MustCompile(`^([a-z0-9])+(-[a-z0-9]+)*$`)
 )
@@ -1467,11 +1470,18 @@ func (ng *NodeGroup) FillEmptySpotFields(region string) {
 }
 
 func validateCIDR(cidr string) (string, error) {
- _, _, err := net.ParseCIDR(cidr)
+ _, network, err := net.ParseCIDR(cidr)
 if err != nil {
 return "", errors.WithStack(err)
 }
 
+ if network != nil {
+ maskSize, _ := network.Mask.Size()
+ if maskSize < _minSubnetMask || maskSize > _maxSubnetMask {
+ return "", ErrorSubnetMaskOutOfRange(maskSize, _minSubnetMask, _maxSubnetMask)
+ }
+ }
+
 return cidr, nil
 }
 
diff --git a/pkg/types/clusterconfig/errors.go b/pkg/types/clusterconfig/errors.go
index 5aee00df2b..769f746417 100644
--- a/pkg/types/clusterconfig/errors.go
+++ b/pkg/types/clusterconfig/errors.go
@@ -60,6 +60,7 @@ const (
 ErrUnsupportedAvailabilityZone = "clusterconfig.unsupported_availability_zone"
 ErrNotEnoughValidDefaultAvailibilityZones = "clusterconfig.not_enough_valid_default_availability_zones"
 ErrNoNATGatewayWithSubnets = "clusterconfig.no_nat_gateway_with_subnets"
+ ErrSubnetMaskOutOfRange = "clusterconfig.subnet_mask_out_of_range"
 ErrConfigCannotBeChangedOnConfigure = "clusterconfig.config_cannot_be_changed_on_configure"
 ErrNodeGroupCanOnlyBeScaled = "clusterconfig.node_group_can_only_be_scaled"
 ErrSpecifyOneOrNone = "clusterconfig.specify_one_or_none"
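Review bot: `_minSubnetMask` and `_maxSubnetMask` carry no comment, and the names read backwards to the sizes they imply: the minimum prefix length (/16) is the largest network the check allows. A one-line comment such as `// inclusive bounds on the CIDR prefix length accepted by validateCIDR (/16 is the largest network, /24 the smallest)` would keep a later edit from swapping or misreading them. Since the values never change, declaring them in a `const` block rather than in this `var (` block would also rule out accidental reassignment.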
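Review bot: The new range check in validateCIDR looks only at the prefix length, so an IPv6 CIDR with a /16 to /24 prefix still passes: `net.ParseCIDR` accepts both address families, and the second return value of `network.Mask.Size()` (the total bit count) is discarded. If this field is meant to hold an IPv4 range, keep that value and reject anything that is not 32 bits wide, e.g. `maskSize, bits := network.Mask.Size()` followed by `if bits != 32 { ... }` returning its own error. The `if network != nil` guard is redundant, because ParseCIDR returns a non-nil network whenever err is nil. The function also returns the caller's string unchanged, so an input with host bits set is accepted as written; returning `network.String()` would normalise it, if callers expect the canonical form.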
@@ -309,6 +310,13 @@ func ErrorNoNATGatewayWithSubnets() error {
 })
 }
 
+func ErrorSubnetMaskOutOfRange(requestedMaskSize, minMaskSize, maxMaskSize int) error {
+ return errors.WithStack(&errors.Error{
+ Kind: ErrSubnetMaskOutOfRange,
+ Message: fmt.Sprintf("invalid network size /%d; the network size must be between /%d and /%d", requestedMaskSize, minMaskSize, maxMaskSize),
+ })
+}
+
 func ErrorConfigCannotBeChangedOnConfigure() error {
 return errors.WithStack(&errors.Error{
 Kind: ErrConfigCannotBeChangedOnConfigure,