diff --git a/awsx/ec2/subnetDistributor.ts b/awsx/ec2/subnetDistributor.ts
index 031942df1..ea08e11d4 100644
--- a/awsx/ec2/subnetDistributor.ts
+++ b/awsx/ec2/subnetDistributor.ts
@@ -30,7 +30,7 @@ export interface SubnetSpec {
 export function getSubnetSpecs(
 vpcName: string,
- vpcCidr: string,
+ vpcCidr: pulumi.Input,
 azNames: string[],
 subnetInputs?: SubnetSpecInputs[],
 ): SubnetSpec[] {
@@ -42,7 +42,7 @@ export function getSubnetSpecs(
 }
 if (subnetInputs === undefined) {
- return generateDefaultSubnets(vpcName, vpcCidr, azNames, azBases);
+ return generateDefaultSubnets(vpcName, azNames, azBases);
 }
 const ipAddress = require("ip-address");
@@ -147,7 +147,6 @@ export function getSubnetSpecs(
 function generateDefaultSubnets(
 vpcName: string,
- vpcCidr: string,
 azNames: string[],
 azBases: string[],
 ): SubnetSpec[] {
@@ -178,7 +177,11 @@ function generateDefaultSubnets(
 return Array.prototype.concat(privateSubnets, publicSubnets);
 }
-function cidrSubnetV4(ipRange: string, newBits: number, netNum: number): string {
+function cidrSubnetV4(
+ ipRange: string | pulumi.Input,
+ newBits: number,
+ netNum: number,
+): string {
 const ipAddress = require("ip-address");
 const BigInteger = require("jsbn").BigInteger;
diff --git a/awsx/ec2/vpc.ts b/awsx/ec2/vpc.ts
index 368a60c9a..75450deda 100644
--- a/awsx/ec2/vpc.ts
+++ b/awsx/ec2/vpc.ts
@@ -77,12 +77,9 @@ export class Vpc extends schema.Vpc {
 const allocationIds = args.natGateways?.elasticIpAllocationIds ?? [];
 validateEips(natGatewayStrategy, allocationIds, availabilityZones);
- const cidrBlock = args.cidrBlock ?? "10.0.0.0/16";
-
- const subnetSpecs = getSubnetSpecs(name, cidrBlock, availabilityZones, args.subnetSpecs);
- validateSubnets(subnetSpecs, getOverlappingSubnets);
-
- validateNatGatewayStrategy(natGatewayStrategy, subnetSpecs);
+ if (args.cidrBlock && args.ipv4IpamPoolId) {
+ throw new Error("Only one of [cidrBlock] and [ipv4IpamPoolId] can be specified");
+ }
 const sharedTags = { Name: name, ...args.tags };
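Review bot: A `pulumi.Input` may be a Promise or an Output, neither of which can be parsed as a CIDR string at call time, yet `getSubnetSpecs` still returns `SubnetSpec[]` synchronously once `vpcCidr` is widened to that type in the @@ -30 hunk; the same applies to `cidrSubnetV4` in the @@ -177 hunk, whose return type stays `string`. Both bodies lie mostly outside the hunks, but if they hand the value straight to the `ip-address` parser, the computed subnet ranges (and any overlap check built on them) would be wrong or fail only at runtime. Either resolve the value before the arithmetic, e.g. `pulumi.output(vpcCidr).apply(cidr => getSubnetSpecs(vpcName, cidr, azNames, subnetInputs))` at the call site, or keep the parameters as `string`. `string | pulumi.Input` is also redundant, since an Input already admits the plain value.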
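Review bot: The `"10.0.0.0/16"` fallback is dropped in the vpc.ts @@ -77 hunk and nothing visible replaces it, so a Vpc constructed with neither `cidrBlock` nor `ipv4IpamPoolId` now reaches the provider without an address range; the new guard only rejects the case where both are set. Callers that relied on the default would presumably fail at deploy time instead of getting a predictable network. Consider keeping the default when no IPAM pool is given, `const cidrBlock = args.ipv4IpamPoolId ? undefined : args.cidrBlock ?? "10.0.0.0/16";`, and still passing `cidrBlock` to the VPC resource. The constructor begins and ends outside this hunk.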
@@ -90,13 +87,16 @@ export class Vpc extends schema.Vpc {
 name,
 {
 ...args,
- cidrBlock,
 tags: sharedTags,
 },
 { parent: this },
 );
 const vpcId = vpc.id;
+ const subnetSpecs = getSubnetSpecs(name, vpc.cidrBlock, availabilityZones, args.subnetSpecs);
+ validateSubnets(subnetSpecs, getOverlappingSubnets);
+
+ validateNatGatewayStrategy(natGatewayStrategy, subnetSpecs);
 // We unconditionally create the IGW (even if it's not needed because we
 // only have isolated subnets) because AWS does not charge for it, and
 // therefore there's no harm in adding it, whereas conditional resources
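Review bot: `validateSubnets` and `validateNatGatewayStrategy` now run after the VPC resource has been declared, so a rejected layout (overlapping subnets, a NAT strategy that does not fit) throws only once the VPC is already part of the deployment, where the old order failed before anything was registered. `vpc.cidrBlock` is also an Output rather than a string, so the subnet computation presumably cannot see the real range while the constructor runs. I would keep the checks ahead of the resource whenever `args.cidrBlock` is a plain string and defer to the output only for the IPAM case, inside `vpc.cidrBlock.apply(...)`. A comment above the moved lines would help as well: `// Subnet layout depends on the CIDR the VPC actually received (IPAM may allocate it).` The constructor continues past the end of the hunk.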