diff --git a/nodeup/pkg/model/networking/cilium.go b/nodeup/pkg/model/networking/cilium.go
index 8fff95705230c..364fb1d23b3d5 100644
--- a/nodeup/pkg/model/networking/cilium.go
+++ b/nodeup/pkg/model/networking/cilium.go
@@ -27,6 +27,7 @@ import (
 "k8s.io/kops/nodeup/pkg/model"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+ "k8s.io/kops/util/pkg/distributions"
 )
 
 // CiliumBuilder writes Cilium's assets
@@ -49,6 +50,10 @@ func (b *CiliumBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 return nil
 }
 
+ if b.Distribution == distributions.DistributionFlatcar && b.NodeupConfig.Networking.Cilium.IPAM == "eni" {
+ b.disableENIFlatcarDHCP(c)
+ }
+
 if err := b.buildBPFMount(c); err != nil {
 return fmt.Errorf("failed to create bpf mount unit: %w", err)
 }
@@ -192,3 +197,29 @@ func (b *CiliumBuilder) buildCiliumEtcdSecrets(c *fi.NodeupModelBuilderContext)
 return nil
 }
 }
+
+// Flatcar is known to manipulate network interfaces created and managed by Cilium
+// To avoid this, disable DHCP on the ENI interfaces and mark them as unmanaged
+// https://github.com/cilium/cilium/blob/04f033e39c15fcfdae664caef3b0cbc17f2cec0b/Documentation/operations/system_requirements.rst#flatcar-on-aws-eks-in-eni-mode
+func (b *CiliumBuilder) disableENIFlatcarDHCP(c *fi.NodeupModelBuilderContext) {
+ contents := `
+[Match]
+Name=eth[1-9]*
+
+[Network]
+DHCP=no
+
+[Link]
+Unmanaged=yes
+`
+
+ c.AddTask(&nodetasks.File{
+ Path: "/etc/systemd/network/01-no-dhcp.network",
+ Contents: fi.NewStringResource(contents),
+ Type: nodetasks.FileType_File,
+ OnChangeExecute: [][]string{
+ {"systemctl", "daemon-reload"},
+ {"systemctl", "restart", "systemd-networkd"},
+ },
+ })
+}
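Review bot: The new condition in `Build` compares `Cilium.IPAM` against the bare literal `"eni"`; a named constant for the IPAM mode (the API package may already define one) would keep this check tied to the value used elsewhere. The dereference of `b.NodeupConfig.Networking.Cilium` is only safe if the guard ending on the `return nil` context line just above rejects a nil Cilium config; that guard starts outside the hunk, so this is worth confirming. A short comment at the call site, for example `// Flatcar's networkd must not manage the ENIs Cilium attaches; see disableENIFlatcarDHCP.`, would explain why a distribution check lives in the Cilium builder. `Build` continues outside the hunk.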
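Review bot: `OnChangeExecute` in `disableENIFlatcarDHCP` runs `systemctl daemon-reload` and then restarts `systemd-networkd`, but a `.network` file is read by networkd rather than by the systemd manager, so the daemon-reload looks unnecessary, and a full restart touches every managed link including the primary interface. If the supported Flatcar releases ship a networkd that supports it, `{"networkctl", "reload"}` would probably apply the new file with less disruption; this is worth testing on a node that already has secondary ENIs attached. The task also relies on the `01-` prefix sorting ahead of any distribution-supplied `.network` file that matches the same interfaces, and on the default file mode; a comment stating the ordering assumption and an explicit `Mode` would make both visible. The doc comment would read better in Go form, opening with `// disableENIFlatcarDHCP writes a systemd-networkd unit that ...` and using full sentences.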