diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
index 8b4ba3ac4e..7d72e15f91 100644
--- a/api/v1beta2/network_types.go
+++ b/api/v1beta2/network_types.go
@@ -102,9 +102,7 @@ type TargetGroupHealthCheck struct {
 // TargetGroupAttribute defines attribute key values for V2 Load Balancer Attributes.
 type TargetGroupAttribute string
 
-var (
-	TargetGroupAttributeEnablePreserveClientIP = "preserve_client_ip.enabled"
-)
+var TargetGroupAttributeEnablePreserveClientIP = "preserve_client_ip.enabled"
 
 // LoadBalancerAttribute defines a set of attributes for a V2 load balancer.
 type LoadBalancerAttribute string
@@ -480,6 +478,15 @@ func (s Subnets) FilterPrivate() (res Subnets) {
 	return
 }
 
+func (s Subnets) FilterPrimary() (res Subnets) {
+	for _, x := range s {
+		if x.Tags[NameAWSSubnetAssociation] != SecondarySubnetTagValue {
+			res = append(res, x)
+		}
+	}
+	return
+}
+
 // FilterPublic returns a slice containing all subnets marked as public.
 func (s Subnets) FilterPublic() (res Subnets) {
 	for _, x := range s {
diff --git a/pkg/cloud/scope/shared.go b/pkg/cloud/scope/shared.go
index 76e1ec91d8..f8b92ce4f6 100644
--- a/pkg/cloud/scope/shared.go
+++ b/pkg/cloud/scope/shared.go
@@ -117,6 +117,7 @@ func (p *defaultSubnetPlacementStrategy) getSubnetsForAZs(azs []string, controlP
 				subnets = subnets.FilterPublic()
 			case expinfrav1.AZSubnetTypePrivate:
 				subnets = subnets.FilterPrivate()
+				subnets = subnets.FilterPrimary()
 			}
 		}
 		if len(subnets) == 0 {