Merge pull request #272641 from greg-lindsay/appgw-issues

Add read permission statement and reword

Author: prmerger-automator[bot]

articles/application-gateway/configuration-infrastructure.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: greg-lindsay
 ms.service: application-gateway
 ms.topic: conceptual
-ms.date: 03/15/2024
+ms.date: 04/18/2024
 ms.author: greglin
 ---
 
@@ -68,11 +68,13 @@ The virtual network resource supports [DNS server](../virtual-network/manage-vir
 
 ### Virtual network permission
 
-The Application Gateway resource is deployed inside a virtual network, so we also perform a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations.
+The Application Gateway resource is deployed inside a virtual network, so checks are also performed to verify the permission on the virtual network resource. This validation is performed during both creation and management operations and also applies to the [managed identities for Application Gateway Ingress Controller](./tutorial-ingress-controller-add-on-new.md#deploy-an-aks-cluster-with-the-add-on-enabled).
 
-Check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify that the users (and service principals) that operate application gateways also have at least **Microsoft.Network/virtualNetworks/subnets/join/action** permission on the virtual network or subnet. This validation also applies to the [managed identities for Application Gateway Ingress Controller](./tutorial-ingress-controller-add-on-new.md#deploy-an-aks-cluster-with-the-add-on-enabled).
+Check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify that the users and service principals that operate application gateways have at least the following permissions on the virtual network or subnet:
+- **Microsoft.Network/virtualNetworks/subnets/join/action** 
+- **Microsoft.Network/virtualNetworks/subnets/read**
 
-You can use the built-in roles, such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which already support this permission. If a built-in role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md). Learn more about [managing subnet permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
+You can use the built-in roles, such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which already support these permissions. If a built-in role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md). Learn more about [managing subnet permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
 
 > [!NOTE]
 > You might have to allow sufficient time for [Azure Resource Manager cache refresh](../role-based-access-control/troubleshooting.md?tabs=bicep#symptom---role-assignment-changes-are-not-being-detected) after role assignment changes.