diff --git a/main.tf b/main.tf
index cd5d04d..7e83467 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,7 @@ module "app_aks" {
 location = azurerm_resource_group.default.location
 gateway = module.app_lb.gateway
+ public_subnet = module.networking.public_subnet
 cluster_subnet_id = module.networking.private_subnet.id
 tags = var.tags
diff --git a/modules/app_aks/main.tf b/modules/app_aks/main.tf
index e0b26e3..a618f81 100644
--- a/modules/app_aks/main.tf
+++ b/modules/app_aks/main.tf
@@ -56,3 +56,9 @@ resource "azurerm_role_assignment" "resource_group" {
 role_definition_name = "Reader"
 principal_id = local.ingress_gateway_principal_id
 }
+
+resource "azurerm_role_assignment" "gateway" {
+ scope = var.public_subnet.id
+ role_definition_name = "Contributor"
+ principal_id = local.ingress_gateway_principal_id
+}
diff --git a/modules/app_aks/variables.tf b/modules/app_aks/variables.tf
index d5338ed..316c93f 100644
--- a/modules/app_aks/variables.tf
+++ b/modules/app_aks/variables.tf
@@ -22,6 +22,10 @@ variable "gateway" {
 type = object({ id = string })
 }
+variable "public_subnet" {
+ type = object({ id = string })
+}
+
 variable "tags" {
 default = {}
 type = map(string)
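Review bot: The new `azurerm_role_assignment.gateway` in modules/app_aks/main.tf grants the built-in `Contributor` role on the public subnet, which allows every management operation on that subnet except role assignment and is likely more than the ingress identity needs. If the principal (presumably the ingress controller's identity, judging by `local.ingress_gateway_principal_id`) only has to join or read the subnet, a narrower role such as `role_definition_name = "Network Contributor"`, or a custom role limited to the subnet join action, would reduce what a compromised identity could change. The resource label `gateway` also does not match its scope, which is the subnet rather than the gateway; `public_subnet` would read more clearly. A one-line comment above the resource stating why the identity needs write access on this subnet would help the next reviewer judge whether the scope is still justified.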
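Review bot: `variable "public_subnet"` in modules/app_aks/variables.tf is added without a `description`, so nothing tells a caller that the module creates a role assignment scoped to whatever subnet id is passed in. I would add something like `description = "Subnet on which the ingress gateway identity is granted a role; only .id is read in this module."` so the privilege grant is visible at the module interface. The statement that only `.id` is read is based on the lines shown in this commit and should be confirmed against the rest of the module.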