diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 5f902fec5..ce3268200 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -147,7 +147,13 @@ locals {
 {% if private_cluster %}
 cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
 cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
- cluster_endpoint_for_nodes = google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
+ cluster_endpoint_for_nodes = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (
+ var.private_endpoint_subnetwork != null ?
+ data.google_compute_subnetwork.private_endpoint_subnetwork[0].ip_cidr_range :
+ var.master_ipv4_cidr_block != null ?
+ google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block :
+ local.cluster_subnet_cidr
+ ) : local.cluster_subnet_cidr
 {% else %}
 cluster_endpoint = google_container_cluster.primary.endpoint
 cluster_endpoint_for_nodes = "${google_container_cluster.primary.endpoint}/32"
diff --git a/autogen/main/networks.tf.tmpl b/autogen/main/networks.tf.tmpl
index 2d526cdeb..c56ff4d6c 100644
--- a/autogen/main/networks.tf.tmpl
+++ b/autogen/main/networks.tf.tmpl
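Review bot: The innermost fallback of the new `cluster_endpoint_for_nodes` ternary substitutes `local.cluster_subnet_cidr`, the node subnet, for the control-plane range whenever neither `var.private_endpoint_subnetwork` nor `var.master_ipv4_cidr_block` is set. If this local is consumed as a firewall source range for control-plane-to-node traffic, as its name suggests, that fallback is both looser than the value it replaces (every address in the node subnet now matches, not just the control plane) and likely inaccurate for a PSC cluster whose endpoint subnet GKE allocates on its own. At minimum that branch deserves a comment, e.g. `# no explicit control-plane range available: approximating with the node subnet; review any firewall rule sourced from this local`, and a variable `validation` or a `precondition` requiring one of the two inputs when `enable_private_nodes` is true would stop the widening from happening silently. The `locals` block continues outside the hunk.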
@@ -24,3 +24,14 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
+{% if private_cluster %}
+data "google_compute_subnetwork" "private_endpoint_subnetwork" {
+ provider = google
+
+ count = var.private_endpoint_subnetwork != null ? 1 : 0
+ name = var.private_endpoint_subnetwork
+ region = local.region
+ project = local.network_project_id
+}
+{% endif %}
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
index 2fa6a0545..04b06a22e 100644
--- a/modules/beta-autopilot-private-cluster/main.tf
+++ b/modules/beta-autopilot-private-cluster/main.tf
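Review bot: The new `private_endpoint_subnetwork` data source resolves `var.private_endpoint_subnetwork` strictly as a bare name in `local.region` and `local.network_project_id`. If a caller passes a self-link or a subnet from another project or region — the form the cluster resource accepts, assuming the variable is forwarded to it unchanged — the lookup either fails at plan time or, when a same-named subnet happens to exist in the expected location, silently returns that subnet's `ip_cidr_range`, which then flows into `cluster_endpoint_for_nodes`. Either constrain the variable with a `validation` block such as `condition = !can(regex("/", var.private_endpoint_subnetwork))`, or branch on the form with `self_link = can(regex("/", var.private_endpoint_subnetwork)) ? var.private_endpoint_subnetwork : null` and set `name` only in the other case. A short comment on the data source stating which form is expected would help either way.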
@@ -76,9 +76,15 @@ locals {
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
 cluster_output_zones = local.cluster_output_regional_zones
 
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
- cluster_endpoint_for_nodes = google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
+ cluster_endpoint_for_nodes = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (
+ var.private_endpoint_subnetwork != null ?
+ data.google_compute_subnetwork.private_endpoint_subnetwork[0].ip_cidr_range :
+ var.master_ipv4_cidr_block != null ?
+ google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block :
+ local.cluster_subnet_cidr
+ ) : local.cluster_subnet_cidr
 
 cluster_output_master_auth = concat(google_container_cluster.primary[*].master_auth, [])
 cluster_output_master_version = google_container_cluster.primary.master_version
diff --git a/modules/beta-autopilot-private-cluster/networks.tf b/modules/beta-autopilot-private-cluster/networks.tf
index ace2ab003..5c5ffb301 100644
--- a/modules/beta-autopilot-private-cluster/networks.tf
+++ b/modules/beta-autopilot-private-cluster/networks.tf
@@ -24,3 +24,12 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
+data "google_compute_subnetwork" "private_endpoint_subnetwork" {
+ provider = google
+
+ count = var.private_endpoint_subnetwork != null ? 1 : 0
+ name = var.private_endpoint_subnetwork
+ region = local.region
+ project = local.network_project_id
+}
diff --git a/modules/beta-autopilot-public-cluster/networks.tf b/modules/beta-autopilot-public-cluster/networks.tf
index ace2ab003..374aa530a 100644
--- a/modules/beta-autopilot-public-cluster/networks.tf
+++ b/modules/beta-autopilot-public-cluster/networks.tf
@@ -24,3 +24,4 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 1ca1c19ad..7e82e41d1 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -122,9 +122,15 @@ locals {
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
 cluster_output_zones = local.cluster_output_regional_zones
 
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
- cluster_endpoint_for_nodes = google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
+ cluster_endpoint_for_nodes = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (
+ var.private_endpoint_subnetwork != null ?
+ data.google_compute_subnetwork.private_endpoint_subnetwork[0].ip_cidr_range :
+ var.master_ipv4_cidr_block != null ?
+ google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block :
+ local.cluster_subnet_cidr
+ ) : local.cluster_subnet_cidr
 
 cluster_output_master_auth = concat(google_container_cluster.primary[*].master_auth, [])
 cluster_output_master_version = google_container_cluster.primary.master_version
diff --git a/modules/beta-private-cluster-update-variant/networks.tf b/modules/beta-private-cluster-update-variant/networks.tf
index ace2ab003..5c5ffb301 100644
--- a/modules/beta-private-cluster-update-variant/networks.tf
+++ b/modules/beta-private-cluster-update-variant/networks.tf
@@ -24,3 +24,12 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
+data "google_compute_subnetwork" "private_endpoint_subnetwork" {
+ provider = google
+
+ count = var.private_endpoint_subnetwork != null ? 1 : 0
+ name = var.private_endpoint_subnetwork
+ region = local.region
+ project = local.network_project_id
+}
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 1ca1c19ad..7e82e41d1 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -122,9 +122,15 @@ locals {
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
 cluster_output_zones = local.cluster_output_regional_zones
 
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
- cluster_endpoint_for_nodes = google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
+ cluster_endpoint_for_nodes = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (
+ var.private_endpoint_subnetwork != null ?
+ data.google_compute_subnetwork.private_endpoint_subnetwork[0].ip_cidr_range :
+ var.master_ipv4_cidr_block != null ?
+ google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block :
+ local.cluster_subnet_cidr
+ ) : local.cluster_subnet_cidr
 
 cluster_output_master_auth = concat(google_container_cluster.primary[*].master_auth, [])
 cluster_output_master_version = google_container_cluster.primary.master_version
diff --git a/modules/beta-private-cluster/networks.tf b/modules/beta-private-cluster/networks.tf
index ace2ab003..5c5ffb301 100644
--- a/modules/beta-private-cluster/networks.tf
+++ b/modules/beta-private-cluster/networks.tf
@@ -24,3 +24,12 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
+data "google_compute_subnetwork" "private_endpoint_subnetwork" {
+ provider = google
+
+ count = var.private_endpoint_subnetwork != null ? 1 : 0
+ name = var.private_endpoint_subnetwork
+ region = local.region
+ project = local.network_project_id
+}
diff --git a/modules/beta-public-cluster-update-variant/networks.tf b/modules/beta-public-cluster-update-variant/networks.tf
index ace2ab003..374aa530a 100644
--- a/modules/beta-public-cluster-update-variant/networks.tf
+++ b/modules/beta-public-cluster-update-variant/networks.tf
@@ -24,3 +24,4 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
diff --git a/modules/beta-public-cluster/networks.tf b/modules/beta-public-cluster/networks.tf
index ace2ab003..374aa530a 100644
--- a/modules/beta-public-cluster/networks.tf
+++ b/modules/beta-public-cluster/networks.tf
@@ -24,3 +24,4 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index c928a1c96..b311f148c 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -110,9 +110,15 @@ locals {
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
 cluster_output_zones = local.cluster_output_regional_zones
 
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
- cluster_endpoint_for_nodes = google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
+ cluster_endpoint_for_nodes = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (
+ var.private_endpoint_subnetwork != null ?
+ data.google_compute_subnetwork.private_endpoint_subnetwork[0].ip_cidr_range :
+ var.master_ipv4_cidr_block != null ?
+ google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block :
+ local.cluster_subnet_cidr
+ ) : local.cluster_subnet_cidr
 
 cluster_output_master_auth = concat(google_container_cluster.primary[*].master_auth, [])
 cluster_output_master_version = google_container_cluster.primary.master_version
diff --git a/modules/private-cluster-update-variant/networks.tf b/modules/private-cluster-update-variant/networks.tf
index ace2ab003..5c5ffb301 100644
--- a/modules/private-cluster-update-variant/networks.tf
+++ b/modules/private-cluster-update-variant/networks.tf
@@ -24,3 +24,12 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
+data "google_compute_subnetwork" "private_endpoint_subnetwork" {
+ provider = google
+
+ count = var.private_endpoint_subnetwork != null ? 1 : 0
+ name = var.private_endpoint_subnetwork
+ region = local.region
+ project = local.network_project_id
+}
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index c928a1c96..b311f148c 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -110,9 +110,15 @@ locals {
 cluster_output_regional_zones = google_container_cluster.primary.node_locations
 cluster_output_zones = local.cluster_output_regional_zones
 
- cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
- cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
- cluster_endpoint_for_nodes = google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
+ cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+ cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
+ cluster_endpoint_for_nodes = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (
+ var.private_endpoint_subnetwork != null ?
+ data.google_compute_subnetwork.private_endpoint_subnetwork[0].ip_cidr_range :
+ var.master_ipv4_cidr_block != null ?
+ google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block :
+ local.cluster_subnet_cidr
+ ) : local.cluster_subnet_cidr
 
 cluster_output_master_auth = concat(google_container_cluster.primary[*].master_auth, [])
 cluster_output_master_version = google_container_cluster.primary.master_version
diff --git a/modules/private-cluster/networks.tf b/modules/private-cluster/networks.tf
index ace2ab003..5c5ffb301 100644
--- a/modules/private-cluster/networks.tf
+++ b/modules/private-cluster/networks.tf
@@ -24,3 +24,12 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+
+data "google_compute_subnetwork" "private_endpoint_subnetwork" {
+ provider = google
+
+ count = var.private_endpoint_subnetwork != null ? 1 : 0
+ name = var.private_endpoint_subnetwork
+ region = local.region
+ project = local.network_project_id
+}
diff --git a/networks.tf b/networks.tf
index ace2ab003..374aa530a 100644
--- a/networks.tf
+++ b/networks.tf
@@ -24,3 +24,4 @@ data "google_compute_subnetwork" "gke_subnetwork" {
 region = local.region
 project = local.network_project_id
 }
+