Merge pull request #8455 from nshankar13/nshankar/istio-ingress-etp-customization

AB#4612: Update Istio add-on TSG for ingress gateway

Author: AmandaAZ

support/azure/azure-kubernetes/extensions/istio-add-on-general-troubleshooting.md

@@ -1,7 +1,7 @@
 ---
 title: General Istio service mesh add-on troubleshooting
 description: Learn how to do general troubleshooting of the Istio service mesh add-on for Azure Kubernetes Service (AKS).
-ms.date: 10/17/2024
+ms.date: 03/18/2025
 author: nshankar13
 ms.author: nshankar
 editor: v-jsitser
@@ -241,6 +241,10 @@ If your application pod starts before the Envoy sidecar starts, the application
 
 If your cluster uses an HTTP proxy for outbound internet access, you'll have to configure a Service Entry. For more information, see [HTTP proxy support in Azure Kubernetes Service](/azure/aks/http-proxy#istio-add-on-http-proxy-for-external-services).
 
+### Step 6: Enable Envoy access logging
+
+Enabling Envoy [access logging](https://istio.io/latest/docs/tasks/observability/logs/access-log/) helps identify and pinpoint issues in the gateways and sidecar proxies. For more information about logging and telemetry collection for the Istio add-on, see the documentation on [mesh configuration](/azure/aks/istio-meshconfig), [Telemetry API](/azure/aks/istio-telemetry), and [Istio metrics collection](/azure/aks/istio-metrics-managed-prometheus).
+
 ## Error messages
 
 The following table contains a list of possible error messages (for deploying the add-on, enabling ingress gateways, and performing upgrades), the reason why an error occurred, and recommendations for resolving the error.

support/azure/azure-kubernetes/extensions/istio-add-on-ingress-gateway.md

@@ -1,7 +1,7 @@
 ---
 title: Istio service mesh add-on ingress gateway troubleshooting
 description: Learn how to do ingress gateway troubleshooting on the Istio service mesh add-on for Azure Kubernetes Service (AKS).
-ms.date: 07/03/2024
+ms.date: 03/18/2025
 author: nshankar13
 ms.author: nshankar
 editor: v-jsitser
@@ -21,9 +21,6 @@ For the Istio-based service mesh add-on, we offer the following ingress gateway
 
 - An external ingress gateway that uses a publicly accessible IP address.
 
-> [!NOTE]
-> Microsoft doesn't support customizing the IP address for either the internal or external ingress gateways. Any IP customization changes to the Istio service mesh add-on will be reverted.
-
 The add-on deploys Istio ingress gateway pods and deployments per revision. If you're doing a [canary upgrade](./istio-add-on-minor-revision-upgrade.md) and have two control plane revisions installed in your cluster, then you might have to troubleshoot multiple ingress gateway pods across both revisions.
 
 ## Troubleshooting checklist
@@ -97,6 +94,13 @@ After you enable the Azure Key Vault secrets provider add-on, you have to grant
 
 After you create the `SecretProviderClass` resource, to ensure secrets sync from Azure Key Vault to the cluster, ensure the sample pod `secrets-store-sync-productpage` that references this resource is successfully deployed.
 
+### Step 6: Customize ingress gateway service settings
+
+The add-on also supports [customizing the Kubernetes service for the Istio ingress gateway](/azure/aks/istio-deploy-ingress#ingress-gateway-service-customizations) for certain annotations and the `.spec.externalTrafficPolicy` setting. In certain cases, changing `.spec.externalTrafficPolicy` to `Local` can assist with troubleshooting connectivity and networking issues, as it preserves the client source IP for the incoming request at the ingress gateway.
+
+> [!NOTE]
+> Changing `.spec.externalTrafficPolicy` to `Local` might cause imbalanced traffic spreading. Before applying this change, we recommend reading the Kubernetes documentation about [Preserving the client source IP](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) to understand the tradeoffs between the different `externalTrafficPolicy` settings.
+
 ## References
 
 - [Istio add-on ingress enablement and configuration](/azure/aks/istio-deploy-ingress)