Update internal-lb.md

I have rephrased the note related to the permission for the private network and changed the structure for the section Specify a different subnet that should be a paragraph of the precedent.

Author: ripom

articles/aks/internal-lb.md

@@ -202,9 +202,9 @@ internal-app   LoadBalancer   10.1.15.188   10.0.0.35     80:31669/TCP   1m
 
 > [!NOTE]
 > 
-> You may need to give the *Network Contributor* role to the resource group in which your Azure virtual network resources are deployed. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
+> You may need to assign a minimum of *Microsoft.Network/virtualNetworks/subnets/read* and *Microsoft.Network/virtualNetworks/subnets/join/action* permission to AKS MSI on the Azure Virtual Network resources. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
 
-## Specify a different subnet
+### Specify a different subnet
 
 Add the *azure-load-balancer-internal-subnet* annotation to your service to specify a subnet for your load balancer. The subnet specified must be in the same virtual network as your AKS cluster. When deployed, the load balancer *EXTERNAL-IP* address is part of the specified subnet.
 
@@ -223,9 +223,6 @@ spec:
   selector:
     app: internal-app
 ```
-> [!NOTE]
-> 
-> You may need to assign the *Microsoft.Network/virtualNetworks/subnets/read* and *Microsoft.Network/virtualNetworks/subnets/join/action* permission to the AKS cluster MSI on the VNet.
 
 ## Delete the load balancer