diff --git a/pipelines/main/pipeline.yml b/pipelines/main/pipeline.yml
index 3181d2bd0..c41db3a5f 100644
--- a/pipelines/main/pipeline.yml
+++ b/pipelines/main/pipeline.yml
@@ -2711,7 +2711,7 @@ jobs:
 
 - name: integration-test-gke-rapid
 public: true # all logs are publicly visible
- serial: true
+ serial: true # since we need to choose a subnet, we can't run this in parallel
 plan:
 - in_parallel:
 - get: ci-build-image
@@ -2731,6 +2731,10 @@ jobs:
 image: k8s-app-deployer-image
 params:
 GKE_CHANNEL: rapid
+ SHARED_VPC_PROJECT: ((shared-vpc-project))
+ SHARED_VPC_NAME: ((shared-vpc-name))
+ SUBNET_REGION: ((subnet-region))
+ SUBNET_NAME: ((gke-subnet-name-1)) # globally unique to this job
 <<: *gke_account_params
 - task: pre-warm-cluster
 timeout: 10m
@@ -2778,7 +2782,7 @@ jobs:
 
 - name: integration-test-gke-stable
 public: true # all logs are publicly visible
- serial: true
+ serial: true # since we need to choose a subnet, we can't run this in parallel
 plan:
 - in_parallel:
 - get: ci-build-image
@@ -2798,6 +2802,10 @@ jobs:
 image: k8s-app-deployer-image
 params:
 GKE_CHANNEL: stable
+ SHARED_VPC_PROJECT: ((shared-vpc-project))
+ SHARED_VPC_NAME: ((shared-vpc-name))
+ SUBNET_REGION: ((subnet-region))
+ SUBNET_NAME: ((gke-subnet-name-2)) # globally unique to this job
 <<: *gke_account_params
 - task: pre-warm-cluster
 timeout: 10m
diff --git a/pipelines/pull-requests/pipeline.yml b/pipelines/pull-requests/pipeline.yml
index a0587783a..7e7b1e7de 100644
--- a/pipelines/pull-requests/pipeline.yml
+++ b/pipelines/pull-requests/pipeline.yml
@@ -1824,6 +1824,7 @@ jobs:
 on_error: { <<: *pr-status-on-error, params: { <<: *pr-status-on-error-params, context: integration-test-gke-rapid } }
 on_abort: { <<: *pr-status-on-abort, params: { <<: *pr-status-on-abort-params, context: integration-test-gke-rapid } }
 public: true # all logs are publicly visible
+ serial: true # since we need to choose a subnet, we can't run this in parallel anymore
 plan:
 - in_parallel:
 - get: pinniped-pr
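Review bot: The one-subnet-per-job rule that makes `SUBNET_NAME: ((gke-subnet-name-1))` safe is recorded only in the trailing `# globally unique to this job` comment and in `serial: true` on the same job, which is easy to lose when a fourth job is copied from this one; the same applies to the integration-test-gke-stable hunk below (`((gke-subnet-name-2))`) and the pull-requests pipeline hunk (`((gke-subnet-name-3))`). Because task.yml now declares SHARED_VPC_PROJECT, SHARED_VPC_NAME, SUBNET_REGION and SUBNET_NAME without values, any other job in these pipelines that still runs deploy-gke-cluster without these params would hand task.sh empty variables and a `projects//global/networks/` path; presumably these three jobs are the only callers, but that is worth confirming. A short comment beside the `gke_account_params` anchor (outside this hunk) listing which subnet var each serial job owns would keep the invariant visible in one place.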
@@ -1846,6 +1847,10 @@ jobs:
 image: k8s-app-deployer-image
 params:
 GKE_CHANNEL: rapid
+ SHARED_VPC_PROJECT: ((shared-vpc-project))
+ SHARED_VPC_NAME: ((shared-vpc-name))
+ SUBNET_REGION: ((subnet-region))
+ SUBNET_NAME: ((gke-subnet-name-3)) # globally unique to this job
 <<: *gke_account_params
 - task: pre-warm-cluster
 timeout: 10m
diff --git a/pipelines/shared-tasks/deploy-gke-cluster/task.sh b/pipelines/shared-tasks/deploy-gke-cluster/task.sh
index a11a7006b..afcfe5489 100755
--- a/pipelines/shared-tasks/deploy-gke-cluster/task.sh
+++ b/pipelines/shared-tasks/deploy-gke-cluster/task.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -54,7 +54,18 @@ gcloud container clusters create "$CLUSTER_NAME" \
 --preemptible \
 --issue-client-certificate \
 --no-enable-basic-auth \
- --enable-network-policy
+ --enable-network-policy \
+ --tags "gke-broadcom" \
+ --enable-master-authorized-networks \
+ --master-authorized-networks "10.0.0.0/8" \
+ --enable-private-nodes \
+ --enable-private-endpoint \
+ --enable-ip-alias \
+ --network "projects/${SHARED_VPC_PROJECT}/global/networks/${SHARED_VPC_NAME}" \
+ --subnetwork "projects/${SHARED_VPC_PROJECT}/regions/${SUBNET_REGION}/subnetworks/${SUBNET_NAME}" \
+ --cluster-secondary-range-name "services" \
+ --services-secondary-range-name "pods"
+ # TODO is this also needed? --default-max-pods-per-node "64"
 
 # Get the cluster details back, including the admin certificate:
 gcloud container clusters describe "$CLUSTER_NAME" --zone "$CLUSTER_ZONE" --format json \
diff --git a/pipelines/shared-tasks/deploy-gke-cluster/task.yml b/pipelines/shared-tasks/deploy-gke-cluster/task.yml
index 306934385..63dd39634 100644
--- a/pipelines/shared-tasks/deploy-gke-cluster/task.yml
+++ b/pipelines/shared-tasks/deploy-gke-cluster/task.yml
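Review bot: The two secondary-range flags in the cluster-create hunk look swapped: `--cluster-secondary-range-name` selects the range used for pod IPs and `--services-secondary-range-name` the range used for services, yet they are given "services" and "pods" respectively, so unless the shared subnet's secondary ranges were deliberately named the other way round the lines should read `--cluster-secondary-range-name "pods" \` and `--services-secondary-range-name "services"`. `--master-authorized-networks "10.0.0.0/8"` admits the entire 10/8, i.e. every tenant of the shared VPC and anything peered to it, to the private control-plane endpoint; narrowing it to the CI workers' own CIDR via a new task param (placeholder name `((ci-worker-cidr))`) keeps `--enable-private-endpoint` meaningful. Since task.yml declares the four new params with no value, `set -u` catches an unset variable but not an empty one, and the `--network`/`--subnetwork` paths would silently become `projects//global/networks/`; a `: "${SHARED_VPC_PROJECT:?}"` guard for each of the four, placed before the gcloud command (which begins above this hunk), fails fast instead. The `# TODO is this also needed? --default-max-pods-per-node "64"` line is better resolved or tracked in an issue than left in the script.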
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -14,5 +14,9 @@ params:
 GCP_SERVICE_ACCOUNT:
 GCP_JSON_KEY:
 GKE_CHANNEL:
+ SHARED_VPC_PROJECT:
+ SHARED_VPC_NAME:
+ SUBNET_REGION:
+ SUBNET_NAME:
 run:
 path: pinniped-ci/pipelines/shared-tasks/deploy-gke-cluster/task.sh
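Review bot: The four new params carry no comment, although task.sh builds the network and subnetwork paths from them and selects the subnet's secondary ranges by name, so a caller cannot tell from this file what a valid value looks like. A one-line comment on `SUBNET_NAME:` such as `# one subnet per serial job; its secondary ranges must carry the names task.sh selects` and one on `SHARED_VPC_PROJECT:` noting it is the host project of the shared VPC would spare the next caller a failed cluster create. The bare `key:` form matches `GCP_SERVICE_ACCOUNT:` and its siblings, so the style is consistent, but it is YAML null rather than an empty string and relies on every caller supplying all four.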