diff --git a/opensearch.tf b/opensearch.tf
index 42e9056..9c0bf64 100644
--- a/opensearch.tf
+++ b/opensearch.tf
@@ -1,8 +1,9 @@
 data "aws_availability_zones" "available" {}
 
 locals {
-  region = data.aws_region.current.name
-  name   = "es-${var.es_application_name}"
+  region             = data.aws_region.current.name
+  name               = "es-${var.es_application_name}"
+  ideal_subnet_count = var.es_instance_count > 2 ? min(length(module.network.private_subnet_ids), 3) : var.es_instance_count
 }
 
 resource "aws_iam_service_linked_role" "elasticsearch" {
@@ -58,7 +59,7 @@ module "opensearch" {
     instance_type            = coalesce(var.es_instance_type, var.es_dedicated_master_type)
 
     zone_awareness_config = {
-      availability_zone_count = length(module.network.private_subnet_ids) > 3 ? 3 : length(module.network.private_subnet_ids)
+      availability_zone_count = local.ideal_subnet_count
     }
 
     zone_awareness_enabled = true
@@ -101,7 +102,8 @@ module "opensearch" {
   }
 
   vpc_options = {
-    subnet_ids = length(module.network.private_subnet_ids) > 3 ? slice(module.network.private_subnet_ids, 0, 3) : module.network.private_subnet_ids
+    subnet_ids = slice(module.network.private_subnet_ids, 0, min(length(module.network.private_subnet_ids), local.ideal_subnet_count))
+
   }
 
   # Security Group rule example