diff --git a/pkg/clients/eks/eks.go b/pkg/clients/eks/eks.go
index d354a69e27..9cc73af1c8 100644
--- a/pkg/clients/eks/eks.go
+++ b/pkg/clients/eks/eks.go
@@ -220,13 +220,12 @@ func GenerateUpdateClusterConfigInputForVPC(name string, p *v1beta1.ClusterParam
 		Name: pointer.ToOrNilIfZeroValue(name),
 	}
 
-	// NOTE(muvaf): SecurityGroupIds and SubnetIds cannot be updated. They are
-	// included in VpcConfigRequest probably because it is used in Create call
-	// as well.
 	u.ResourcesVpcConfig = &ekstypes.VpcConfigRequest{
 		EndpointPrivateAccess: p.ResourcesVpcConfig.EndpointPrivateAccess,
 		EndpointPublicAccess:  p.ResourcesVpcConfig.EndpointPublicAccess,
 		PublicAccessCidrs:     p.ResourcesVpcConfig.PublicAccessCidrs,
+		SubnetIds:             p.ResourcesVpcConfig.SubnetIDs,
+		SecurityGroupIds:      p.ResourcesVpcConfig.SecurityGroupIDs,
 	}
 	return u
 }
@@ -424,7 +423,7 @@ func IsUpToDate(p *v1beta1.ClusterParameters, cluster *ekstypes.Cluster) (bool,
 	res := cmp.Equal(&v1beta1.ClusterParameters{}, patch, cmpopts.EquateEmpty(),
 		cmpopts.IgnoreTypes(&xpv1.Reference{}, &xpv1.Selector{}, []xpv1.Reference{}),
 		cmpopts.IgnoreFields(v1beta1.ClusterParameters{}, "Region"),
-		cmpopts.IgnoreFields(v1beta1.VpcConfigRequest{}, "PublicAccessCidrs", "SubnetIDs", "SecurityGroupIDs"))
+		cmpopts.IgnoreFields(v1beta1.VpcConfigRequest{}, "PublicAccessCidrs"))
 	return res, nil
 }
 
diff --git a/pkg/clients/eks/eks_test.go b/pkg/clients/eks/eks_test.go
index b794d96821..9b046c3a33 100644
--- a/pkg/clients/eks/eks_test.go
+++ b/pkg/clients/eks/eks_test.go
@@ -353,6 +353,8 @@ func TestGenerateUpdateClusterConfigInputForVPC(t *testing.T) {
 						EndpointPrivateAccess: &trueVal,
 						EndpointPublicAccess:  &trueVal,
 						PublicAccessCidrs:     []string{"0.0.0.0/0"},
+						SubnetIDs:             []string{"subnet-1234567890abcdefg"},
+						SecurityGroupIDs:      []string{"sg-1234567890abcdefg"},
 					},
 					RoleArn: roleArn,
 					Tags:    map[string]string{"key": "val"},
@@ -365,6 +367,8 @@ func TestGenerateUpdateClusterConfigInputForVPC(t *testing.T) {
 					EndpointPrivateAccess: &trueVal,
 					EndpointPublicAccess:  &trueVal,
 					PublicAccessCidrs:     []string{"0.0.0.0/0"},
+					SubnetIds:             []string{"subnet-1234567890abcdefg"},
+					SecurityGroupIds:      []string{"sg-1234567890abcdefg"},
 				},
 			},
 		},