diff --git a/content/en/docs/tasks/security/authentication/authn-policy/index.md b/content/en/docs/tasks/security/authentication/authn-policy/index.md index cb2b2dd1ab..26b89dcc6f 100644 --- a/content/en/docs/tasks/security/authentication/authn-policy/index.md +++ b/content/en/docs/tasks/security/authentication/authn-policy/index.md @@ -158,7 +158,7 @@ You see requests still succeed, except for those from the client that doesn't ha ### Cleanup part 1 -Remove global authentication policy and destination rules added in the session: +Remove global authentication policy added in the session: {{< text bash >}} $ kubectl delete peerauthentication -n istio-system default @@ -201,9 +201,7 @@ sleep.legacy to httpbin.legacy: 200 ### Enable mutual TLS per workload -To set a peer authentication policy for a specific workload, you must configure the `selector` section and specify the labels that match the desired workload. However, Istio cannot aggregate workload-level policies for outbound mutual TLS traffic to a service. Configure a destination rule to manage that behavior. - -For example, the following peer authentication policy and destination rule enable strict mutual TLS for the `httpbin.bar` workload: +To set a peer authentication policy for a specific workload, you must configure the `selector` section and specify the labels that match the desired workload. For example, the following peer authentication policy enables strict mutual TLS for the `httpbin.bar` workload: {{< text bash >}} $ cat <}} -And a destination rule: - -{{< text bash >}} -$ cat <}} - Again, run the probing command. As expected, request from `sleep.legacy` to `httpbin.bar` starts failing with the same reasons. {{< text bash >}} 
@@ -281,28 +263,7 @@ spec: EOF {{< /text >}} -As before, you also need a destination rule: - -{{< text bash >}} -$ cat <}} - -1. The port value in the peer authentication policy is the container's port. The value the destination rule is the service's port. +1. The port value in the peer authentication policy is the container's port. 1. You can only use `portLevelMtls` if the port is bound to a service. Istio ignores it otherwise. {{< text bash >}} @@ -341,22 +302,6 @@ spec: EOF {{< /text >}} -and destination rule: - -{{< text bash >}} -$ cat <}} - Re-running the request from `sleep.legacy`, you should see a success return code again (200), confirming service-specific policy overrides the namespace-wide policy. {{< text bash >}} @@ -366,13 +311,11 @@ $ kubectl exec "$(kubectl get pod -l app=sleep -n legacy -o jsonpath={.items..me ### Cleanup part 2 -Remove policies and destination rules created in the above steps: +Remove policies created in the above steps: {{< text bash >}} $ kubectl delete peerauthentication default overwrite-example -n foo $ kubectl delete peerauthentication httpbin -n bar -$ kubectl delete destinationrules overwrite-example -n foo -$ kubectl delete destinationrules httpbin -n bar {{< /text >}} ## End-user authentication diff --git a/content/en/docs/tasks/security/authentication/authn-policy/snips.sh b/content/en/docs/tasks/security/authentication/authn-policy/snips.sh index 4d7beca160..bc2fe1f8f5 100644 --- a/content/en/docs/tasks/security/authentication/authn-policy/snips.sh +++ b/content/en/docs/tasks/security/authentication/authn-policy/snips.sh @@ -174,24 +174,10 @@ EOF } snip_enable_mutual_tls_per_workload_2() { -cat <
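Review bot: in the `### Cleanup part 1` hunk of index.md, the new sentence "Remove global authentication policy added in the session:" drops the articles along with the destination rules; suggest "Remove the global authentication policy added in this session:". The command that follows, `kubectl delete peerauthentication -n istio-system default`, matches the reduced wording, so nothing else in the hunk needs to change.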
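Review bot: in the `### Enable mutual TLS per workload` hunk of index.md, the removed sentence ("Istio cannot aggregate workload-level policies for outbound mutual TLS traffic to a service. Configure a destination rule to manage that behavior.") is not replaced by anything that tells the reader why a destination rule is no longer needed. Someone who ran the earlier revision of this task may still have the `httpbin` DestinationRule with an explicit TLS mode applied in `bar`, and the new text gives no hint whether to keep or delete it. Suggest one sentence before "For example, the following peer authentication policy enables strict mutual TLS for the `httpbin.bar` workload:" that states the reason the rule is no longer required and tells readers to delete any DestinationRule left over from a previous run.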
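Review bot: in the `@@ -281,28 +263,7 @@` hunk of index.md, shortening the list item to "The port value in the peer authentication policy is the container's port." removes the contrast with the service port that was the whole point of the item, so a reader no longer sees what mistake it is warning against. Suggest keeping the contrast explicitly: "The `port` value in the peer authentication policy is the container's port, not the service's port." The next item, "You can only use `portLevelMtls` if the port is bound to a service. Istio ignores it otherwise.", still reads correctly on its own.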
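Review bot: in the `### Cleanup part 2` hunk of index.md, the two `kubectl delete destinationrules` lines are dropped, which is consistent with the rest of the patch, but the heading sentence should read "Remove the policies created in the above steps:". Since earlier revisions of this task had readers create `overwrite-example` and `httpbin` destination rules, consider a short note that any such rule still present from a previous run should be deleted as well, so the cluster is not left with a stale TLS setting after the cleanup.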
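Review bot: in the snips.sh hunk, emptying `snip_enable_mutual_tls_per_workload_2()` removes a numbered snippet from the middle of that section, so the functions generated after it in the same section shift their numbering; any test script that calls these snippet functions by name needs to be updated in the same change or the doc test will break. Only the start of this hunk is visible here, so the rest of the removal should be checked against the regenerated file rather than assumed.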