diff --git a/data/data/aws/main.tf b/data/data/aws/main.tf
index e5aefcd5fee..8718af4ced0 100644
--- a/data/data/aws/main.tf
+++ b/data/data/aws/main.tf
@@ -17,7 +17,7 @@ module "bootstrap" {
   cluster_name             = "${var.cluster_name}"
   iam_role                 = "${var.aws_master_iam_role_name}"
   ignition                 = "${var.ignition_bootstrap}"
-  subnet_id                = "${module.vpc.master_subnet_ids[0]}"
+  subnet_id                = "${module.vpc.public_subnet_ids[0]}"
   target_group_arns        = "${module.vpc.aws_lb_target_group_arns}"
   target_group_arns_length = "${module.vpc.aws_lb_target_group_arns_length}"
   vpc_id                   = "${module.vpc.vpc_id}"
@@ -46,7 +46,7 @@ module "masters" {
   root_volume_iops         = "${var.aws_master_root_volume_iops}"
   root_volume_size         = "${var.aws_master_root_volume_size}"
   root_volume_type         = "${var.aws_master_root_volume_type}"
-  subnet_ids               = "${module.vpc.master_subnet_ids}"
+  subnet_ids               = "${module.vpc.private_subnet_ids}"
   target_group_arns        = "${module.vpc.aws_lb_target_group_arns}"
   target_group_arns_length = "${module.vpc.aws_lb_target_group_arns_length}"
   ec2_ami                  = "${var.aws_ec2_ami_override}"
diff --git a/data/data/aws/master/main.tf b/data/data/aws/master/main.tf
index b1f1e22df31..ef9335271f8 100644
--- a/data/data/aws/master/main.tf
+++ b/data/data/aws/master/main.tf
@@ -85,8 +85,7 @@ resource "aws_instance" "master" {
   subnet_id            = "${element(var.subnet_ids, count.index)}"
   user_data            = "${var.user_data_ign}"
 
-  vpc_security_group_ids      = ["${var.master_sg_ids}"]
-  associate_public_ip_address = true
+  vpc_security_group_ids = ["${var.master_sg_ids}"]
 
   lifecycle {
     # Ignore changes in the AMI which force recreation of the resource. This
diff --git a/data/data/aws/vpc/common.tf b/data/data/aws/vpc/common.tf
index 1ec3504435c..f1585f2a1a7 100644
--- a/data/data/aws/vpc/common.tf
+++ b/data/data/aws/vpc/common.tf
@@ -17,10 +17,10 @@ locals {
   vpc_id = "${aws_vpc.new_vpc.id}"
 
   // When referencing the _ids arrays or data source arrays via count = , always use the *_count variable rather than taking the length of the list
-  worker_subnet_ids   = "${aws_subnet.worker_subnet.*.id}"
-  master_subnet_ids   = "${aws_subnet.master_subnet.*.id}"
-  worker_subnet_count = "${local.new_az_count}"
-  master_subnet_count = "${local.new_az_count}"
+  private_subnet_ids   = "${aws_subnet.private_subnet.*.id}"
+  public_subnet_ids    = "${aws_subnet.public_subnet.*.id}"
+  private_subnet_count = "${local.new_az_count}"
+  public_subnet_count  = "${local.new_az_count}"
 }
 
 # all data sources should be input variable-agnostic and used as canonical source for querying "state of resources" and building outputs
diff --git a/data/data/aws/vpc/master-elb.tf b/data/data/aws/vpc/master-elb.tf
index 178b488fdfb..b2bb5206ea4 100644
--- a/data/data/aws/vpc/master-elb.tf
+++ b/data/data/aws/vpc/master-elb.tf
@@ -1,7 +1,7 @@
 resource "aws_lb" "api_internal" {
   name                             = "${var.cluster_name}-int"
   load_balancer_type               = "network"
-  subnets                          = ["${local.master_subnet_ids}"]
+  subnets                          = ["${local.private_subnet_ids}"]
   internal                         = true
   enable_cross_zone_load_balancing = true
   idle_timeout                     = 3600
@@ -14,7 +14,7 @@ resource "aws_lb" "api_internal" {
 resource "aws_lb" "api_external" {
   name                             = "${var.cluster_name}-ext"
   load_balancer_type               = "network"
-  subnets                          = ["${local.master_subnet_ids}"]
+  subnets                          = ["${local.public_subnet_ids}"]
   internal                         = false
   enable_cross_zone_load_balancing = true
   idle_timeout                     = 3600
diff --git a/data/data/aws/vpc/outputs.tf b/data/data/aws/vpc/outputs.tf
index bfe922dfdbd..7cc8b48f7b0 100644
--- a/data/data/aws/vpc/outputs.tf
+++ b/data/data/aws/vpc/outputs.tf
@@ -2,8 +2,12 @@ output "vpc_id" {
   value = "${data.aws_vpc.cluster_vpc.id}"
 }
 
-output "master_subnet_ids" {
-  value = "${local.master_subnet_ids}"
+output "public_subnet_ids" {
+  value = "${local.public_subnet_ids}"
+}
+
+output "private_subnet_ids" {
+  value = "${local.private_subnet_ids}"
 }
 
 output "etcd_sg_id" {
diff --git a/data/data/aws/vpc/vpc-private.tf b/data/data/aws/vpc/vpc-private.tf
index 8e01733baa8..eb2eeec2aa4 100644
--- a/data/data/aws/vpc/vpc-private.tf
+++ b/data/data/aws/vpc/vpc-private.tf
@@ -15,23 +15,23 @@ resource "aws_route" "to_nat_gw" {
   depends_on             = ["aws_route_table.private_routes"]
 }
 
-resource "aws_subnet" "worker_subnet" {
+resource "aws_subnet" "private_subnet" {
   count = "${local.new_az_count}"
 
   vpc_id = "${data.aws_vpc.cluster_vpc.id}"
 
-  cidr_block = "${cidrsubnet(local.new_worker_cidr_range, 3, count.index)}"
+  cidr_block = "${cidrsubnet(local.new_private_cidr_range, 3, count.index)}"
 
   availability_zone = "${local.new_subnet_azs[count.index]}"
 
   tags = "${merge(map(
-      "Name", "${var.cluster_name}-worker-${local.new_subnet_azs[count.index]}",
+      "Name", "${var.cluster_name}-private-${local.new_subnet_azs[count.index]}",
       "kubernetes.io/role/internal-elb", "",
     ), var.tags)}"
 }
 
-resource "aws_route_table_association" "worker_routing" {
+resource "aws_route_table_association" "private_routing" {
   count          = "${local.new_az_count}"
   route_table_id = "${aws_route_table.private_routes.*.id[count.index]}"
-  subnet_id      = "${aws_subnet.worker_subnet.*.id[count.index]}"
+  subnet_id      = "${aws_subnet.private_subnet.*.id[count.index]}"
 }
diff --git a/data/data/aws/vpc/vpc-public.tf b/data/data/aws/vpc/vpc-public.tf
index 42c98777316..84de2aacdfa 100644
--- a/data/data/aws/vpc/vpc-public.tf
+++ b/data/data/aws/vpc/vpc-public.tf
@@ -25,23 +25,23 @@ resource "aws_route" "igw_route" {
   gateway_id             = "${aws_internet_gateway.igw.id}"
 }
 
-resource "aws_subnet" "master_subnet" {
+resource "aws_subnet" "public_subnet" {
   count  = "${local.new_az_count}"
   vpc_id = "${data.aws_vpc.cluster_vpc.id}"
 
-  cidr_block = "${cidrsubnet(local.new_master_cidr_range, 3, count.index)}"
+  cidr_block = "${cidrsubnet(local.new_public_cidr_range, 3, count.index)}"
 
   availability_zone = "${local.new_subnet_azs[count.index]}"
 
   tags = "${merge(map(
-      "Name", "${var.cluster_name}-master-${local.new_subnet_azs[count.index]}",
+      "Name", "${var.cluster_name}-public-${local.new_subnet_azs[count.index]}",
     ), var.tags)}"
 }
 
 resource "aws_route_table_association" "route_net" {
   count          = "${local.new_az_count}"
   route_table_id = "${aws_route_table.default.id}"
-  subnet_id      = "${aws_subnet.master_subnet.*.id[count.index]}"
+  subnet_id      = "${aws_subnet.public_subnet.*.id[count.index]}"
 }
 
 resource "aws_eip" "nat_eip" {
@@ -59,7 +59,7 @@ resource "aws_eip" "nat_eip" {
 resource "aws_nat_gateway" "nat_gw" {
   count         = "${local.new_az_count}"
   allocation_id = "${aws_eip.nat_eip.*.id[count.index]}"
-  subnet_id     = "${aws_subnet.master_subnet.*.id[count.index]}"
+  subnet_id     = "${aws_subnet.public_subnet.*.id[count.index]}"
 
   tags = "${var.tags}"
 }
diff --git a/data/data/aws/vpc/vpc.tf b/data/data/aws/vpc/vpc.tf
index ee493e15d61..4a44b92e75d 100644
--- a/data/data/aws/vpc/vpc.tf
+++ b/data/data/aws/vpc/vpc.tf
@@ -1,6 +1,6 @@
 locals {
-  new_worker_cidr_range = "${cidrsubnet(data.aws_vpc.cluster_vpc.cidr_block,1,1)}"
-  new_master_cidr_range = "${cidrsubnet(data.aws_vpc.cluster_vpc.cidr_block,1,0)}"
+  new_private_cidr_range = "${cidrsubnet(data.aws_vpc.cluster_vpc.cidr_block,1,1)}"
+  new_public_cidr_range  = "${cidrsubnet(data.aws_vpc.cluster_vpc.cidr_block,1,0)}"
 }
 
 resource "aws_vpc" "new_vpc" {
diff --git a/docs/user/troubleshooting.md b/docs/user/troubleshooting.md
index ba934bce8b1..158ea3af441 100644
--- a/docs/user/troubleshooting.md
+++ b/docs/user/troubleshooting.md
@@ -55,6 +55,11 @@ If no pods are shown, etcd will need to be [investigated](#etcd-is-not-running).
 
 ### Unable to SSH into Master Nodes
 
+For added security, SSH isn't available from the Internet by default. There are several options for enabling this functionality:
+
+- Create a bastion host that is accessible from the Internet and has access to the cluster. If the bootstrap machine hasn't been automatically destroyed yet, it can double as a temporary bastion host since it is given a public IP address.
+- Configure network peering or a VPN to allow remote access to the private network.
+
 In order to SSH into the master nodes as user `core`, it is necessary to include an administrator's SSH key during the installation.
 The selected key, if any, will be added to the `core` user's `~/.ssh/authorized_keys` via [Ignition](https://github.com/coreos/ignition) and is not configured via platform-specific approaches like [AWS key pairs][aws-key-pairs].
 See [here][machine-config-daemon-ssh-keys] for information about managing SSH keys via the machine-config daemon.
diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
index 916fd59ae09..d738dd3fe76 100644
--- a/pkg/asset/machines/aws/machines.go
+++ b/pkg/asset/machines/aws/machines.go
@@ -98,7 +98,7 @@ func provider(clusterID, clusterName string, platform *aws.Platform, mpool *aws.
 		Subnet: awsprovider.AWSResourceReference{
 			Filters: []awsprovider.Filter{{
 				Name:   "tag:Name",
-				Values: []string{fmt.Sprintf("%s-%s-%s", clusterName, role, az)},
+				Values: []string{fmt.Sprintf("%s-private-%s", clusterName, az)},
 			}},
 		},
 		Placement: awsprovider.Placement{Region: platform.Region, AvailabilityZone: az},