AthenZ · havetisyan · Jan 16, 2026 · Dec 24, 2025 · Dec 29, 2025 · Jan 12, 2026
diff --git a/ui/src/__tests__/components/constants/constants.test.js b/ui/src/__tests__/components/constants/constants.test.js
@@ -88,7 +88,7 @@ describe('StaticWorkloadType', () => {
                     );
                     break;
                 case 'SERVICE_SUBNET':
-                    let rfc1918CIDR = [
+                    let validServiceSubnetCIDRs = [
                         '10.0.0.0/8',
                         '10.1.2.0/24',
                         '172.16.0.0/12',
@@ -99,9 +99,10 @@ describe('StaticWorkloadType', () => {
                         '192.168.2.0/24',
                         '192.168.100.0/24',
                         '10.255.255.0/24',
+                        '100.64.0.0/10',
                     ];
 
-                    let nonRFC1918CIDR = [
+                    let invalidServiceSubnetCIDRs = [
                         '8.8.8.0/24',
                         '203.0.113.0/24',
                         '198.51.100.0/24',
@@ -112,10 +113,10 @@ describe('StaticWorkloadType', () => {
                         '169.254.0.0/16',
                         '198.18.0.0/15',
                     ];
-                    forEach(rfc1918CIDR, (cidr) => {
+                    forEach(validServiceSubnetCIDRs, (cidr) => {
                         expect(cidr).toMatch(new RegExp(type.pattern));
                     });
-                    forEach(nonRFC1918CIDR, (cidr) => {
+                    forEach(invalidServiceSubnetCIDRs, (cidr) => {
                         expect(cidr).not.toMatch(new RegExp(type.pattern));
                     });
                     break;

diff --git a/ui/src/components/constants/constants.js b/ui/src/components/constants/constants.js
@@ -117,7 +117,7 @@ export const DELETE_AUDIT_REFERENCE = 'deleted using Athenz UI';
 // CLOUD_NAT -> IP or CIDR (represents a public cloud NAT gateway)
 // EXTERNAL_APPLIANCE -> IP or CIDR (Appliance present outside of enterprise deployment locations. For SaaS / Third Party / Vendor use cases)
 // CLOUD_MANAGED -> FQDN (represents a cloud managed service or endpoint)
-// SERVICE_SUBNET -> IPV4 RFC1918 CIDR (represents subnet for a given service, would be almost always a RFC1918 CIDR)
+// SERVICE_SUBNET -> IPV4 Private/Loopback/Shared Address CIDR (represents subnet for a given service)
 // NOTE: all IP/CIDR values are for IPv4 only currently since adding IPv6 support would require a much longer regex, which is bad for maintainability
 export const StaticWorkloadType = [
     {
@@ -156,7 +156,7 @@ export const StaticWorkloadType = [
         name: 'Service Subnet',
         value: 'SERVICE_SUBNET',
         pattern:
-            '^(10(\\.(([0-9]?[0-9])|(1[0-9]?[0-9])|(2[0-4]?[0-9])|(25[0-5]))){3}/([8-9]|(1[0-9])|(2[0-9])|(3[0-1])))|(172\\.((1[6-9])|(2[0-9])|(3[0-1]))(\\.(([0-9]?[0-9])|(1[0-9]?[0-9])|(2[0-4]?[0-9])|(25[0-5]))){2}/((1[2-9])|(2[0-9])|(3[0-1])))|(192\\.168(\\.(([0-9]?[0-9])|(1[0-9]?[0-9])|(2[0-4]?[0-9])|(25[0-5]))){2}/((1[6-9])|(2[0-9])|(3[0-1])))|(127(\\.(([0-9]?[0-9])|(1[0-9]?[0-9])|(2[0-4]?[0-9])|(25[0-5]))){3}/([8-9]|(1[0-9])|(2[0-9])|(3[0-1])))$',
+            '^(10(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}/([8-9]|1[0-9]|2[0-9]|3[0-1]))|(172\\.((1[6-9])|2[0-9]|3[0-1])(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}/(1[2-9]|2[0-9]|3[0-1]))|(192\\.168(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}/(1[6-9]|2[0-9]|3[0-1]))|(127(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}/([8-9]|1[0-9]|2[0-9]|3[0-1]))|(100\\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}/(1[0-9]|2[0-9]|3[0-2]))$',
     },
 ];