kubernetes-sigs
diff --git a/‎pkg/cloud/services/network/subnets.go‎
Lines changed: 69 additions & 1 deletion b/‎pkg/cloud/services/network/subnets.go‎
Lines changed: 69 additions & 1 deletion
@@ -176,6 +176,60 @@ func (s *Service) reconcileSubnets() error {
 		return errors.Wrapf(err, "expected the zone attributes to be populated to subnet")
 	}
 
+	// Auto-assign IPv6 CIDRs to subnets (new subnets not yet created) with isIPv6=true but no IPv6CidrBlock.
+	// This only applies to managed VPCs with IPv6 enabled.
+	if !unmanagedVPC && s.scope.VPC().IsIPv6Enabled() {
+		// Collect subnets needing IPv6 assignment and track already-used IPv6 CIDRs.
+		var subnetsRequiringIPv6Assignment []*infrav1.SubnetSpec
+		usedIPv6CIDRs := make(map[string]bool)
+
+		for i := range subnets {
+			subnet := &subnets[i]
+			if subnet.IPv6CidrBlock != "" {
+				usedIPv6CIDRs[subnet.IPv6CidrBlock] = true
+			}
+			// Only assign to subnets that don't exist yet (no ResourceID) and have isIPv6 but no IPv6CidrBlock.
+			// This includes both dual-stack subnets and IPv6-only subnets.
+			if subnet.ResourceID == "" && subnet.IsIPv6 && subnet.IPv6CidrBlock == "" {
+				subnetsRequiringIPv6Assignment = append(subnetsRequiringIPv6Assignment, subnet)
+			}
+		}
+
+		if len(subnetsRequiringIPv6Assignment) > 0 {
+			// Calculate total number of subnets needed including already assigned ones.
+			totalSubnetsNeeded := len(usedIPv6CIDRs) + len(subnetsRequiringIPv6Assignment)
+
+			// Generate IPv6 subnet CIDRs from the VPC's IPv6 block.
+			ipv6SubnetCIDRs, err := cidr.SplitIntoSubnetsIPv6(s.scope.VPC().IPv6.CidrBlock, totalSubnetsNeeded)
+			if err != nil {
+				return fmt.Errorf("failed splitting IPv6 VPC CIDR %q into subnets: %w", s.scope.VPC().IPv6.CidrBlock, err)
+			}
+
+			// Assign available IPv6 CIDRs to subnets that need them.
+			assignedCount := 0
+			for _, subnetCIDR := range ipv6SubnetCIDRs {
+				if assignedCount >= len(subnetsRequiringIPv6Assignment) {
+					break
+				}
+
+				cidrBlock := subnetCIDR.String()
+				if !usedIPv6CIDRs[cidrBlock] {
+					subnet := subnetsRequiringIPv6Assignment[assignedCount]
+					subnet.IPv6CidrBlock = cidrBlock
+					usedIPv6CIDRs[cidrBlock] = true
+
+					s.scope.Info("Auto-assigned IPv6 CIDR to subnet", "subnet-id", subnet.ID, "ipv6-cidr-block", cidrBlock)
+					assignedCount++
+				}
+			}
+
+			// Verify all subnets were assigned.
+			if assignedCount < len(subnetsRequiringIPv6Assignment) {
+				return fmt.Errorf("failed to assign IPv6 CIDRs to all subnets: assigned %d out of %d", assignedCount, len(subnetsRequiringIPv6Assignment))
+			}
+		}
+	}
+
 	// When the VPC is managed by CAPA, we need to create the subnets.
 	if !unmanagedVPC {
 		// Check that we need at least 1 public subnet after we have updated the metadata
@@ -498,7 +552,6 @@ func (s *Service) createSubnet(sn *infrav1.SubnetSpec) (*infrav1.SubnetSpec, err
 	// Build the subnet creation request.
 	input := &ec2.CreateSubnetInput{
 		VpcId:            aws.String(s.scope.VPC().ID),
-		CidrBlock:        aws.String(sn.CidrBlock),
 		AvailabilityZone: aws.String(sn.AvailabilityZone),
 		TagSpecifications: []types.TagSpecification{
 			tags.BuildParamsToTagSpecification(
@@ -507,8 +560,23 @@ func (s *Service) createSubnet(sn *infrav1.SubnetSpec) (*infrav1.SubnetSpec, err
 			),
 		},
 	}
+	// Set IPv4 CIDR if provided (dual-stack or IPv4-only subnet).
+	if sn.CidrBlock != "" {
+		input.CidrBlock = aws.String(sn.CidrBlock)
+	}
+	// Set IPv6 CIDR if this is an IPv6 subnet (dual-stack or IPv6-only).
 	if sn.IsIPv6 {
+		if sn.IPv6CidrBlock == "" {
+			err := fmt.Errorf("IPv6 CIDR block is required when isIpv6 is set to true")
+			record.Warnf(s.scope.InfraCluster(), "FailedCreateSubnet", "Failed to create managed subnet: %v", err)
+			return nil, err
+		}
+
 		input.Ipv6CidrBlock = aws.String(sn.IPv6CidrBlock)
+		// For IPv6-only subnets, we need to specify Ipv6Native.
+		if sn.CidrBlock == "" {
+			input.Ipv6Native = aws.Bool(true)
+		}
 	}
 	out, err := s.EC2Client.CreateSubnet(context.TODO(), input)
 	if err != nil {