Merge pull request #280166 from nshankar13/nshankar/update-istio-docs-docs-bash

prmerger-automator[bot] · web-flow · commit 19323a2b56f6 · 2024-07-10T20:52:34.000Z
Docs updates for Istio add-on from docs bash.
diff --git a/articles/aks/istio-about.md b/articles/aks/istio-about.md
@@ -24,10 +24,10 @@ Service-to-service communication is what makes a distributed application possibl
 
 Istio is an open-source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio enables load balancing, service-to-service authentication, and monitoring – with few or no service code changes. Its powerful control plane brings vital features, including:
 
-* Secure service-to-service communication in a cluster with TLS encryption, strong identity-based authentication and authorization.
+* Secure service-to-service communication in a cluster with TLS (Transport Layer Security) encryption, strong identity-based authentication and authorization.
 * Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
 * Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
-* A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
+* A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas.
 * Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
 
 ## How is the add-on different from open-source Istio?
@@ -44,22 +44,31 @@ This service mesh add-on uses and builds on top of open-source Istio. The add-on
 
 ## Limitations
 
-Istio-based service mesh add-on for AKS has the following limitations:
+Istio-based service mesh add-on for AKS currently has the following limitations:
 * The add-on doesn't work on AKS clusters that are using [Open Service Mesh addon for AKS][open-service-mesh-about].
-* The add-on doesn't work on AKS clusters that have Istio installed on them already outside the add-on installation.
+* The add-on doesn't work on AKS clusters with self-managed installations of Istio.
 * The add-on doesn't support adding pods associated with virtual nodes to be added under the mesh.
+* The add-on doesn't yet support egress gateways for outbound traffic control.
+* The add-on doesn't yet support the sidecar-less Ambient mode. Microsoft is currently contributing to Ambient workstream under Istio open source. Product integration for Ambient mode is on the roadmap and is being continuously evaluated as the Ambient workstream evolves.
+* The add-on doesn't yet support multi-cluster deployments.
 * Istio doesn't support Windows Server containers.
-* Customization of mesh based on the following custom resources is blocked for now - `EnvoyFilter, ProxyConfig, WorkloadEntry, WorkloadGroup, Telemetry, IstioOperator, WasmPlugin`
-* Gateway API for Istio ingress gateway or managing mesh traffic (GAMMA) are currently not yet supported with Istio addon.
+* Customization of mesh through the following custom resources is blocked for now - `ProxyConfig, WorkloadEntry, WorkloadGroup, Telemetry, IstioOperator, WasmPlugin, EnvoyFilter`. 
+* For `EnvoyFilter`, the add-on only supports customization of Lua filters (`type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua`). Note that this EnvoyFilter is allowed but any issue arising from the Lua script itself is not supported (to learn more about our support policy and distinction between "allowed" and "supported" configurations, see [the following section][istio-meshconfig-support]). Other `EnvoyFilter` types are currently blocked. other `EnvoyFilter` types are currently blocked.
+* Gateway API for Istio ingress gateway or managing mesh traffic (GAMMA) are currently not yet supported with Istio addon. It's planned to allow customizations such as ingress static IP address configuration as part of the Gateway API implementation for the add-on in future.
 
 ## Next steps
 
 * [Deploy Istio-based service mesh add-on][istio-deploy-addon]
+* [Troubleshoot Istio-based service mesh add-on][istio-troubleshooting]
 
 [istio-overview]: https://istio.io/latest/
 [managed-prometheus-overview]: ../azure-monitor/essentials/prometheus-metrics-overview.md
 [managed-grafana-overview]: ../managed-grafana/overview.md
 [azure-cni-cilium]: azure-cni-powered-by-cilium.md
 [open-service-mesh-about]: open-service-mesh-about.md
+[istio-meshconfig]: ./istio-meshconfig.md
+[istio-ingress]: ./istio-deploy-ingress.md
+[istio-troubleshooting]: /troubleshoot/azure/azure-kubernetes/extensions/istio-add-on-general-troubleshooting
+[istio-meshconfig-support]: ./istio-meshconfig.md#allowed-supported-and-blocked-values
 
 [istio-deploy-addon]: istio-deploy-addon.md
diff --git a/articles/aks/istio-deploy-addon.md b/articles/aks/istio-deploy-addon.md
@@ -243,7 +243,6 @@ az group delete --name ${RESOURCE_GROUP} --yes --no-wait
 * [Deploy external or internal ingresses for Istio service mesh add-on][istio-deploy-ingress]
 * [Scale istiod and ingress gateway HPA][istio-scaling-guide]
 
-
 <!--- External Links --->
 [install-aks-cluster-istio-bicep]: https://github.com/Azure-Samples/aks-istio-addon-bicep
 [uninstall-istio-oss]: https://istio.io/latest/docs/setup/install/istioctl/#uninstall-istio
diff --git a/articles/aks/istio-deploy-ingress.md b/articles/aks/istio-deploy-ingress.md
@@ -17,7 +17,7 @@ This article shows you how to deploy external or internal ingresses for Istio se
 
 ## Prerequisites
 
-This guide assumes you followed the [documentation][istio-deploy-addon] to enable the Istio add-on on an AKS cluster, deploy a sample application and set environment variables.
+This guide assumes you followed the [documentation][istio-deploy-addon] to enable the Istio add-on on an AKS cluster, deploy a sample application, and set environment variables.
 
 ## Enable external ingress gateway
 
@@ -41,8 +41,7 @@ aks-istio-ingressgateway-external   LoadBalancer   10.0.10.249   <EXTERNAL_IP>
 ```
 
 > [!NOTE]
-> Customizations to IP address on internal and external gateways aren't supported yet. IP address customizations on the ingress are reverted back by the Istio add-on. 
-It's planned to allow these customizations in Gateway API Istio implementation as part of the Istio add-on in future.
+> Customizations to IP address on internal and external gateways aren't supported yet. IP address customizations on the ingress specifications are reverted back by the Istio add-on.It's planned to allow these customizations in the Gateway API implementation for the Istio add-on in future.
 
 Applications aren't accessible from outside the cluster by default after enabling the ingress gateway. To make an application accessible, map the sample deployment's ingress to the Istio ingress gateway using the following manifest:
 
@@ -129,7 +128,6 @@ Use `az aks mesh enable-ingress-gateway` to enable an internal Istio ingress on
 az aks mesh enable-ingress-gateway --resource-group $RESOURCE_GROUP --name $CLUSTER --ingress-gateway-type internal
 ```
 
-
 Use `kubectl get svc` to check the service mapped to the ingress gateway:
 
 ```bash
@@ -143,7 +141,7 @@ NAME                                TYPE           CLUSTER-IP    EXTERNAL-IP
 aks-istio-ingressgateway-internal   LoadBalancer   10.0.182.240  <IP>      15021:30764/TCP,80:32186/TCP,443:31713/TCP   87s
 ```
 
-Applications aren't mapped to the Istio ingress gateway after enabling the ingress gateway. Use the following manifest to map the sample deployment's ingress to the Istio ingress gateway:
+After enabling the ingress gateway, applications need to be exposed through the gateway and routing rules need to be configured accordingly. Use the following manifest to map the sample deployment's ingress to the Istio ingress gateway:
 
 ```bash
 kubectl apply -f - <<EOF
@@ -228,6 +226,12 @@ Confirm that the sample application's product page is accessible. The expected o
 
 ## Delete resources
 
+If you want to clean up the Istio external or internal ingress gateways, but leave the mesh enabled on the cluster, run the following command:
+
+```azure-cli-interactive
+az aks mesh disable-ingress-gateway --ingress-gateway-type <external/internal> --resource-group ${RESOURCE_GROUP}
+```
+
 If you want to clean up the Istio service mesh and the ingresses (leaving behind the cluster), run the following command:
 
 ```azurecli-interactive
@@ -242,9 +246,13 @@ az group delete --name ${RESOURCE_GROUP} --yes --no-wait
 
 ## Next steps
 
+> [!NOTE]
+> In case of any issues encountered with deploying the Istio ingress gateway or configuring ingress traffic routing, refer to [article on troubleshooting Istio add-on ingress gateways][istio-ingress-tsg]
+
 * [Secure ingress gateway for Istio service mesh add-on][istio-secure-gateway]
 * [Scale ingress gateway HPA][istio-scaling-guide]
 
 [istio-deploy-addon]: istio-deploy-addon.md
 [istio-secure-gateway]: istio-secure-gateway.md
 [istio-scaling-guide]: istio-scale.md#scaling
+[istio-ingress-tsg]: /troubleshoot/azure/azure-kubernetes/extensions/istio-add-on-ingress-gateway
