Merge pull request #102721 from ripom/patch-2

Court72 · web-flow · commit 663c511b6830 · 2023-02-23T08:21:52.000-07:00
Update internal-lb.md
diff --git a/articles/aks/internal-lb.md b/articles/aks/internal-lb.md
@@ -230,9 +230,9 @@ internal-app   LoadBalancer   10.1.15.188   10.0.0.35     80:31669/TCP   1m
 
 > [!NOTE]
 > 
-> You may need to give the *Network Contributor* role to the resource group in which your Azure virtual network resources are deployed. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
+> You may need to assign a minimum of *Microsoft.Network/virtualNetworks/subnets/read* and *Microsoft.Network/virtualNetworks/subnets/join/action* permission to AKS MSI on the Azure Virtual Network resources. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
 
-## Specify a different subnet
+### Specify a different subnet
 
 Add the *azure-load-balancer-internal-subnet* annotation to your service to specify a subnet for your load balancer. The subnet specified must be in the same virtual network as your AKS cluster. When deployed, the load balancer *EXTERNAL-IP* address is part of the specified subnet.
 

Original file line number	Diff line number	Diff line change
`@@ -230,9 +230,9 @@ internal-app LoadBalancer 10.1.15.188 10.0.0.35 80:31669/TCP 1m`
`230`	`230`
`231`	`231`	`> [!NOTE]`
`232`	`232`	`>`
`233`		-> You may need to give the Network Contributor role to the resource group in which your Azure virtual network resources are deployed. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
	`233`	+> You may need to assign a minimum of Microsoft.Network/virtualNetworks/subnets/read and Microsoft.Network/virtualNetworks/subnets/join/action permission to AKS MSI on the Azure Virtual Network resources. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
`234`	`234`
`235`		`-## Specify a different subnet`
	`235`	`+### Specify a different subnet`
`236`	`236`
`237`	`237`	`Add the azure-load-balancer-internal-subnet annotation to your service to specify a subnet for your load balancer. The subnet specified must be in the same virtual network as your AKS cluster. When deployed, the load balancer EXTERNAL-IP address is part of the specified subnet.`
`238`	`238`