diff --git a/pkg/cluster/deploybaseresources.go b/pkg/cluster/deploybaseresources.go
index 625524f2618..643af7fa941 100644
--- a/pkg/cluster/deploybaseresources.go
+++ b/pkg/cluster/deploybaseresources.go
@@ -432,10 +432,27 @@ func (m *manager) setMasterSubnetPolicies(ctx context.Context) error {
 s.SubnetPropertiesFormat = &mgmtnetwork.SubnetPropertiesFormat{}
 }
+ // we need to track whether or not we need to send an update to the AzureRM API based on whether
+ // or not our private endpoint network policies or private link service network policies
+ // already match a desired condition of 'Disabled' or not.
+ var needsUpdate bool
+
 if m.doc.OpenShiftCluster.Properties.FeatureProfile.GatewayEnabled {
- s.SubnetPropertiesFormat.PrivateEndpointNetworkPolicies = to.StringPtr("Disabled")
+ if s.SubnetPropertiesFormat.PrivateEndpointNetworkPolicies == nil || *s.SubnetPropertiesFormat.PrivateEndpointNetworkPolicies != "Disabled" {
+ needsUpdate = true
+ s.SubnetPropertiesFormat.PrivateEndpointNetworkPolicies = to.StringPtr("Disabled")
+ }
+ }
+
+ if s.SubnetPropertiesFormat.PrivateLinkServiceNetworkPolicies == nil || *s.SubnetPropertiesFormat.PrivateLinkServiceNetworkPolicies != "Disabled" {
+ needsUpdate = true
+ s.SubnetPropertiesFormat.PrivateLinkServiceNetworkPolicies = to.StringPtr("Disabled")
+ }
+
+ // return if we do not need to update the subnet
+ if !needsUpdate {
+ return nil
 }
- s.SubnetPropertiesFormat.PrivateLinkServiceNetworkPolicies = to.StringPtr("Disabled")
 err = m.subnet.CreateOrUpdate(ctx, subnetId, s)
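Review bot: The early `return nil` under `if !needsUpdate` exits before `m.subnet.CreateOrUpdate`, and the rest of setMasterSubnetPolicies lies outside this hunk, so it is worth confirming that nothing after that call is expected to run when the subnet already matches. The nil-or-not-`"Disabled"` test is also written out twice, once per policy field; a small helper such as `func isDisabled(p *string) bool { return p != nil && *p == "Disabled" }` would let each branch start with `if !isDisabled(...)` and keep the two checks from drifting apart. The comparison is an exact string match, so a value returned with different casing would only cause the update to be sent as it was before this change, which is the safe direction.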