diff --git a/releasenotes/notes/fix-container-undercloud-validations-admin-host-only-against-local-subnet-5e98a220e01e6c19.yaml b/releasenotes/notes/fix-container-undercloud-validations-admin-host-only-against-local-subnet-5e98a220e01e6c19.yaml
new file mode 100644
index 000000000..ef4c535cf
--- /dev/null
+++ b/releasenotes/notes/fix-container-undercloud-validations-admin-host-only-against-local-subnet-5e98a220e01e6c19.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes a validation issue, validation would fail when multiple ctlplane
+    subnets were defined in ``undercloud.conf``.
+    `Bug: 1791088 <https://bugs.launchpad.net/tripleo/+bug/1791088>`_.
diff --git a/tripleoclient/v1/undercloud_preflight.py b/tripleoclient/v1/undercloud_preflight.py
index 88b38b619..0d0f17aa3 100644
--- a/tripleoclient/v1/undercloud_preflight.py
+++ b/tripleoclient/v1/undercloud_preflight.py
@@ -284,25 +284,25 @@ def _validate_in_cidr(subnet_props, subnet_name):
                 LOG.error(message)
                 raise FailedValidation(message)
 
+    validate_addr_in_cidr(subnet_props.gateway, 'gateway')
+    validate_addr_in_cidr(subnet_props.dhcp_start, 'dhcp_start')
+    validate_addr_in_cidr(subnet_props.dhcp_end, 'dhcp_end')
     if subnet_name == CONF.local_subnet:
         validate_addr_in_cidr(str(netaddr.IPNetwork(CONF.local_ip).ip),
                               'local_ip')
-    validate_addr_in_cidr(subnet_props.gateway, 'gateway')
-    # NOTE(bnemec): The ui needs to be externally accessible, which means in
-    # many cases we can't have the public vip on the provisioning network.
-    # In that case users are on their own to ensure they've picked valid
-    # values for the VIP hosts.
-    if ((CONF.undercloud_service_certificate or
-            CONF.generate_service_certificate) and
-            not CONF.enable_ui):
-        validate_addr_in_cidr(CONF['undercloud_public_host'],
-                              'undercloud_public_host',
-                              require_ip=False, log_only=True)
-        validate_addr_in_cidr(CONF['undercloud_admin_host'],
-                              'undercloud_admin_host',
-                              require_ip=False)
-    validate_addr_in_cidr(subnet_props.dhcp_start, 'dhcp_start')
-    validate_addr_in_cidr(subnet_props.dhcp_end, 'dhcp_end')
+        # NOTE(bnemec): The ui needs to be externally accessible, which means
+        # in many cases we can't have the public vip on the provisioning
+        # network. In that case users are on their own to ensure they've picked
+        # valid values for the VIP hosts.
+        if ((CONF.undercloud_service_certificate or
+             CONF.generate_service_certificate) and
+                not CONF.enable_ui):
+            validate_addr_in_cidr(CONF['undercloud_public_host'],
+                                  'undercloud_public_host',
+                                  require_ip=False, log_only=True)
+            validate_addr_in_cidr(CONF['undercloud_admin_host'],
+                                  'undercloud_admin_host',
+                                  require_ip=False)
 
 
 def _validate_dhcp_range(subnet_props):