diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go index 16419fd32cbea..d953eb0d23427 100644 --- a/cmd/kops/create_cluster.go +++ b/cmd/kops/create_cluster.go @@ -327,7 +327,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command { cmd.RegisterFlagCompletionFunc("channel", completeChannel) // Network topology - cmd.Flags().StringVarP(&options.Topology, "topology", "t", options.Topology, "Network topology for the cluster: public or private") + cmd.Flags().StringVarP(&options.Topology, "topology", "t", options.Topology, "Network topology for the cluster: 'public' or 'private'. Defaults to 'public' for IPv4 clusters and 'private' for IPv6 clusters.") cmd.RegisterFlagCompletionFunc("topology", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { return []string{api.TopologyPublic, api.TopologyPrivate}, cobra.ShellCompDirectiveNoFileComp }) diff --git a/docs/cli/kops_create_cluster.md b/docs/cli/kops_create_cluster.md index d35258e140a55..0595157e12f0d 100644 --- a/docs/cli/kops_create_cluster.md +++ b/docs/cli/kops_create_cluster.md @@ -121,7 +121,7 @@ kops create cluster [CLUSTER] [flags] --ssh-public-key string SSH public key to use --subnets strings Shared subnets to use --target string Valid targets: direct, terraform, cloudformation. Set this flag to terraform if you want kOps to generate terraform (default "direct") - -t, --topology string Network topology for the cluster: public or private (default "public") + -t, --topology string Network topology for the cluster: 'public' or 'private'. Defaults to 'public' for IPv4 clusters and 'private' for IPv6 clusters. --unset strings Directly unset values in the spec --utility-subnets strings Shared utility subnets to use -y, --yes Specify --yes to immediately create the cluster diff --git a/docs/releases/1.26-NOTES.md b/docs/releases/1.26-NOTES.md index bcc7951b7fadc..27a81405aeadb 100644 --- a/docs/releases/1.26-NOTES.md 
+++ b/docs/releases/1.26-NOTES.md @@ -18,6 +18,8 @@ This is a document to gather the release notes prior to the release. * As of Kubernetes version 1.26 and with IRSA enabled, control plane nodes will now run with a max hop limit of 1 for the metadata service. This will prevent Pods without host networking from accessing the instance metadata service. +* New IPv6 clusters now default to using private topology. + # Breaking changes ## Other breaking changes diff --git a/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml b/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml index d0b0e03d88681..8b8c144d374cb 100644 --- a/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml @@ -5,7 +5,9 @@ metadata: name: ipv6.example.com spec: api: - dns: {} + loadBalancer: + class: Network + type: Public authorization: rbac: {} channel: stable @@ -45,16 +47,25 @@ spec: - 0.0.0.0/0 - ::/0 subnets: - - cidr: 172.20.32.0/19 - ipv6CIDR: /64#0 + - ipv6CIDR: /64#0 name: us-test-1a - type: Public + type: Private + zone: us-test-1a + - cidr: 172.20.32.0/19 + ipv6CIDR: /64#1 + name: dualstack-us-test-1a + type: DualStack + zone: us-test-1a + - cidr: 172.20.0.0/22 + ipv6CIDR: /64#2 + name: utility-us-test-1a + type: Utility zone: us-test-1a topology: dns: type: Public - masters: public - nodes: public + masters: private + nodes: private --- @@ -75,7 +86,7 @@ spec: minSize: 1 role: Master subnets: - - us-test-1a + - dualstack-us-test-1a --- diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go index ad876e5a6b5eb..14bb2c0756a02 100644 --- a/upup/pkg/fi/cloudup/new_cluster.go +++ b/upup/pkg/fi/cloudup/new_cluster.go 
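Review bot: The expected spec puts the API behind `loadBalancer:` with `type: Public`, and the next hunk's context still shows an access list ending in `0.0.0.0/0` and `::/0`, so under the new default an IPv6 cluster gets private masters and nodes but what looks like an internet-reachable API endpoint. The key that list belongs to sits above the hunk, so which access rule it is cannot be confirmed from here. The release note added in this commit only says that IPv6 clusters default to private topology, which a reader could take to cover the API as well. If the fixture reflects the intended behaviour, the note would be clearer as `* New IPv6 clusters now default to using private topology. The API load balancer is still public by default.`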
@@ -136,7 +136,7 @@ type NewClusterOptions struct { // Networking is the networking provider/node to use. Networking string - // Topology is the network topology to use. Defaults to "public". + // Topology is the network topology to use. Defaults to "public" for IPv4 clusters and "private" for IPv6 clusters. Topology string // DNSType is the DNS type to use; "public" or "private". Defaults to "public". DNSType string @@ -166,7 +166,6 @@ func (o *NewClusterOptions) InitDefaults() { o.Authorization = AuthorizationFlagRBAC o.AdminAccess = []string{"0.0.0.0/0", "::/0"} o.Networking = "cilium" - o.Topology = api.TopologyPublic o.InstanceManager = "cloudgroups" } @@ -1124,8 +1123,16 @@ func setupNetworking(opt *NewClusterOptions, cluster *api.Cluster) error { func setupTopology(opt *NewClusterOptions, cluster *api.Cluster, allZones sets.String) ([]*api.InstanceGroup, error) { var bastions []*api.InstanceGroup + if opt.Topology == "" { + if opt.IPv6 { + opt.Topology = kopsapi.TopologyPrivate + } else { + opt.Topology = kopsapi.TopologyPublic + } + } + switch opt.Topology { - case api.TopologyPublic, "": + case api.TopologyPublic: cluster.Spec.Topology = &api.TopologySpec{ ControlPlane: api.TopologyPublic, Nodes: api.TopologyPublic,
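Review bot: With `o.Topology = api.TopologyPublic` removed from InitDefaults, `opt.Topology` stays empty until setupTopology resolves it, so any code that compares the option against `api.TopologyPublic` or `api.TopologyPrivate` before that call now sees `""` for a default IPv4 cluster. Those readers are not visible in this diff, so it is worth grepping the command and the earlier setup steps for such comparisons. A one-line comment where the assignment used to be would record the intent, e.g. `// Topology is left empty here; setupTopology picks public (IPv4) or private (IPv6).` InitDefaults begins above the hunk.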
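Review bot: The new default block in setupTopology assigns `kopsapi.TopologyPrivate` and `kopsapi.TopologyPublic`, while every other reference in the same hunk uses the `api` alias (`case api.TopologyPublic:`, `&api.TopologySpec{`). The import block is not part of this diff, so if `kopsapi` is not imported in new_cluster.go this will not compile, and if both aliases exist the mix is still inconsistent. I would write `opt.Topology = api.TopologyPrivate` and `opt.Topology = api.TopologyPublic`. The block also writes the resolved value back into the caller's `opt`; if that is intentional, a short comment such as `// Resolve the default here so later steps see the effective topology.` would say so. The body of setupTopology continues past the end of the hunk.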