MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/find-help-open-support-ticket.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/find-help-open-support-ticket.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/ai-studio/how-to/configure-private-link.md
Lines changed: 3 additions & 2 deletions b/‎articles/ai-studio/how-to/configure-private-link.md
Lines changed: 3 additions & 2 deletions
diff --git a/‎articles/aks/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/aks/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/aks/istio-meshconfig.md
Lines changed: 161 additions & 0 deletions b/‎articles/aks/istio-meshconfig.md
Lines changed: 161 additions & 0 deletions
@@ -41,7 +41,7 @@ If you're unable to find answers by using self-help resources, you can open an o
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 
-1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
+1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra tenant from the **Directories + subscriptions** menu. Currently, you can't submit support cases directly from your Azure AD B2C tenant.
 
 1. In the Azure portal, search for and select **Microsoft Entra ID**.
 
 
@@ -22,9 +22,10 @@ We have two network isolation aspects. One is the network isolation to access an
 
 You get several Azure AI default resources in your resource group. You need to configure following network isolation configurations.
 
-- Disable public network access flag of Azure AI default resources such as Storage, Key Vault, Container Registry. Azure AI services and Azure AI Search should be public.
+- Disable public network access flag of Azure AI default resources such as Storage, Key Vault, Container Registry.
 - Establish private endpoint connection to Azure AI default resource. Note that you need to have blob and file PE for the default storage account.
 - [Managed identity configurations](#managed-identity-configuration) to allow Azure AI hub resources access your storage account if it's private.
+- Azure AI services and Azure AI Search should be public.
 
 
 ## Prerequisites
@@ -277,4 +278,4 @@ See [this documentation](../../machine-learning/how-to-custom-dns.md#find-the-ip
 - [Create a project](create-projects.md)
 - [Learn more about Azure AI Studio](../what-is-ai-studio.md)
 - [Learn more about Azure AI hub resources](../concepts/ai-resources.md)
-- [Troubleshoot secure connectivity to a project](troubleshoot-secure-connection-project.md)
+- [Troubleshoot secure connectivity to a project](troubleshoot-secure-connection-project.md)
@@ -266,6 +266,8 @@
                        href: istio-about.md
                      - name: Deploy Istio service mesh add-on
                        href: istio-deploy-addon.md
+                     - name: Configure Istio service mesh add-on
+                       href: istio-meshconfig.md
                      - name: Deploy external or internal Istio Ingress
                        href: istio-deploy-ingress.md
                      - name: Plug-in CA certificates for Istio
 
@@ -0,0 +1,161 @@
+---
+title: Configure Istio-based service mesh add-on for Azure Kubernetes Service (preview)
+description: Configure Istio-based service mesh add-on for Azure Kubernetes Service (preview)
+ms.topic: article
+ms.custom: devx-track-azurecli
+ms.date: 02/14/2024
+ms.author: shasb
+---
+
+# Configure Istio-based service mesh add-on for Azure Kubernetes Service (preview)
+
+Open-source Istio uses [MeshConfig][istio-meshconfig] to define mesh-wide settings for the Istio service mesh. Istio-based service mesh add-on for AKS builds on top of MeshConfig and classifies different properties as supported, allowed, and blocked.
+
+This article walks through how to configure Istio-based service mesh add-on for Azure Kubernetes Service and the support policy applicable for such configuration.
+
+[!INCLUDE [preview features callout](includes/preview/preview-callout.md)]
+
+## Prerequisites
+
+This guide assumes you followed the [documentation][istio-deploy-addon] to enable the Istio add-on on an AKS cluster.
+
+## Set up configuration on cluster
+
+1. Find out which revision of Istio is deployed on the cluster:
+
+    ```bash
+    az aks show -n $CLUSTER -g $RESOURCE_GROUP --query 'serviceMeshProfile'
+    ```
+
+    Output:
+
+    ```
+    {
+      "istio": {
+          "certificateAuthority": null,
+          "components": {
+          "egressGateways": null,
+          "ingressGateways": null
+          },
+          "revisions": [
+          "asm-1-18"
+          ]
+      },
+      "mode": "Istio"
+    }
+    ```
+
+2. Create a ConfigMap with the name `istio-shared-configmap-<asm-revision>` in the `aks-istio-system` namespace. For example, if your cluster is running asm-1-18 revision of mesh, then the ConfigMap needs to be named as `istio-shared-configmap-asm-1-18`. Mesh configuration has to be provided within the data section under mesh.
+
+    Example:
+
+    ```yaml
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: istio-shared-configmap-asm-1-18
+      namespace: aks-istio-system
+    data:
+      mesh: |-
+        accessLogFile: /dev/stdout
+        defaultConfig:
+          holdApplicationUntilProxyStarts: true
+    ```
+    The values under `defaultConfig` are mesh-wide settings applied for Envoy sidecar proxy.
+
+> [!CAUTION]
+> A default ConfigMap (for example, `istio-asm-1-18` for revision asm-1-18) is created in `aks-istio-system` namespace on the cluster when the Istio addon is enabled. However, this default ConfigMap gets reconciled by the managed Istio addon and thus users should NOT directly edit this ConfigMap. Instead users should create a revision specific Istio shared ConfigMap (for example `istio-shared-configmap-asm-1-18` for revision asm-1-18) in the aks-istio-system namespace, and then the Istio control plane will merge this with the default ConfigMap, with the default settings taking precedence.
+
+### Mesh configuration and upgrades
+
+When you're performing [canary upgrade for Istio](./istio-upgrade.md), you need create a separate ConfigMap for the new revision in the `aks-istio-system` namespace **before initiating the canary upgrade**. This way the configuration is available when the new revision's control plane is deployed on cluster. For example, if you're upgrading the mesh from asm-1-18 to asm-1-19, you need to copy changes over from `istio-shared-configmap-asm-1-18` to create a new ConfigMap called `istio-shared-configmap-asm-1-19` in the `aks-istio-system` namespace.
+
+After the upgrade is completed or rolled back, you can delete the ConfigMap of the revision that was removed from the cluster.
+
+## Allowed, supported, and blocked values
+
+Fields in `MeshConfig` are classified into three categories: 
+
+- **Blocked**: Disallowed fields are blocked via addon managed admission webhooks. API server immediately publishes the error message to the user that the field is disallowed.
+- **Supported**: Supported fields (for example, fields related to access logging) receive support from Azure support.
+- **Allowed**: These fields (such as proxyListenPort or proxyInboundListenPort) are allowed but they aren't covered by Azure support.
+
+Mesh configuration and the list of allowed/supported fields are revision specific to account for fields being added/removed across revisions. The full list of allowed fields and the supported/unsupported ones within the allowed list is provided in the below table. When new mesh revision is made available, any changes to allowed and supported classification of the fields is noted in this table.
+
+### MeshConfig
+
+| **Field** | **Supported** |
+|-----------|---------------|
+| proxyListenPort | false |
+| proxyInboundListenPort | false |
+| proxyHttpPort | false |
+| connectTimeout | false |
+| tcpKeepAlive | false |
+| defaultConfig | true |
+| outboundTrafficPolicy | true |
+| extensionProviders | true |
+| defaultProvideres | true |
+| accessLogFile | true |
+| accessLogFormat | true |
+| accessLogEncoding | true |
+| enableTracing | true |
+| enableEnvoyAccessLogService | true |
+| disableEnvoyListenerLog | true |
+| trustDomain | false |
+| trustDomainAliases | false |
+| caCertificates | false |
+| defaultServiceExportTo | false |
+| defaultVirtualServiceExportTo | false |
+| defaultDestinationRuleExportTo | false |
+| localityLbSetting | false |
+| dnsRefreshRate | false |
+| h2UpgradePolicy | false |
+| enablePrometheusMerge | true |
+| discoverySelectors | true |
+| pathNormalization | false |
+| defaultHttpRetryPolicy | false |
+| serviceSettings | false |
+| meshMTLS | false |
+| tlsDefaults | false |
+
+### ProxyConfig (meshConfig.defaultConfig)
+
+| **Field** | **Supported** |
+|-----------|---------------|
+| tracingServiceName | true |
+| drainDuration | true |
+| statsUdpAddress | false |
+| proxyAdminPort | false |
+| tracing | true |
+| concurrency | true |
+| envoyAccessLogService | true |
+| envoyMetricsService | true |
+| proxyMetadata | false |
+| statusPort | false |
+| extraStatTags | false |
+| proxyStatsMatcher | false |
+| terminationDrainDuration | true |
+| meshId | false |
+| holdApplicationUntilProxyStarts | true |
+| caCertificatesPem | false |
+| privateKeyProvider | false |
+
+Fields present in [open source MeshConfig reference documentation][istio-meshconfig] but not in the above table are blocked. For example, `configSources` is blocked.
+
+> [!CAUTION]
+> **Support scope of configurations:** Mesh configuration allows for extension providers such as self-managed instances of Zipkin or Apache Skywalking to be configured with the Istio addon. However, these extension providers are outside the support scope of the Istio addon. Any issues associated with extension tools are outside the support boundary of the Istio addon.
+
+## Common errors and troubleshooting tips
+
+- Ensure that the MeshConfig is indented with spaces instead of tabs. 
+- Ensure that you're only editing the revision specific shared ConfigMap (for example `istio-shared-configmap-asm-1-18`) and not trying to edit the default ConfigMap (for example `istio-asm-1-18`).
+- The ConfigMap must follow the name `istio-shared-configmap-<asm-revision>` and be in the `aks-istio-system` namespace. 
+- Ensure that all MeshConfig fields are spelled correctly. If they're unrecognized or if they aren't part of the allowed list, admission control denies such configurations.
+- When performing canary upgrades, [check your revision specific ConfigMaps](#mesh-configuration-and-upgrades) to ensure configurations exist for the revisions deployed on your cluster.
+- Certain `MeshConfig` options such as accessLogging may increase Envoy's resource consumption, and disabling some of these settings may mitigate Istio data plane resource utilization. It's also advisable to use the `discoverySelectors` field in the MeshConfig to help alleviate memory consumption for Istiod and Envoy.
+- If the `concurrency` field in the MeshConfig is misconfigured and set to zero, it causes Envoy to use up all CPU cores. Instead if this field is unset, number of worker threads to run is automatically determined based on CPU requests/limits. 
+- [Pod and sidecar race conditions][istio-sidecar-race-condition] in which the application starts before Envoy can be mitigated using the `holdApplicationUntilProxyStarts` field in the MeshConfig. 
+
+
+[istio-meshconfig]: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/
+[istio-sidecar-race-condition]: https://istio.io/latest/docs/ops/common-problems/injection/#pod-or-containers-start-with-network-issues-if-istio-proxy-is-not-ready