diff --git a/modules/installation-custom-aws-vpc.adoc b/modules/installation-custom-aws-vpc.adoc
index e01235f3c9e9..8e750e478add 100644
--- a/modules/installation-custom-aws-vpc.adoc
+++ b/modules/installation-custom-aws-vpc.adoc
@@ -12,6 +12,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :public:
 endif::[]
+ifeval::["{context}" == "installing-aws-private"]
+:private:
+endif::[]
 ifeval::["{context}" == "installing-aws-secret-region"]
 :aws-secret:
 endif::[]
@@ -203,11 +206,13 @@ machines.
 2+|You must provide a public VPC for the cluster to use. The VPC uses an
 endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3.
 
+ifndef::private[]
 |Public subnets
 |* `AWS::EC2::Subnet`
 * `AWS::EC2::SubnetNetworkAclAssociation`
 2+|Your VPC must have public subnets for between 1 and 3 availability zones
 and associate them with appropriate Ingress rules.
+endif::[]
 
 |Internet gateway
 |
@@ -302,6 +307,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :!public:
 endif::[]
+ifeval::["{context}" == "installing-aws-private"]
+:!private:
+endif::[]
 ifeval::["{context}" == "installing-aws-secret-region"]
 :!aws-secret:
 endif::[]