diff --git a/pkg/controller/subnet.go b/pkg/controller/subnet.go
index b3834939995..0eeec3e147a 100644
--- a/pkg/controller/subnet.go
+++ b/pkg/controller/subnet.go
@@ -156,8 +156,9 @@ func (c *Controller) formatSubnet(subnet *kubeovnv1.Subnet) (*kubeovnv1.Subnet,
 		changed = true
 	}
 
-	if subnet.Spec.Vpc == "" {
-		if isOvnSubnet(subnet) {
+	if subnet.Spec.Vpc == "" && isOvnSubnet(subnet) {
+		// for better security, if not set, vlan subnet vpc should be empty
+		if subnet.Spec.Vlan == "" {
 			subnet.Spec.Vpc = c.config.ClusterRouter
 			changed = true
 		}