Reorganize traffic managment tasks (#4206)

* Reorganize traffic managment tasks

* broken links

* more broken links

* more broken links

* fix links

* fix todelete images

content/about/feature-stages/index.md

@@ -79,7 +79,7 @@ Below is our list of existing features and their current phases. This informatio
 | [OPA Checker](/docs/reference/config/policy-and-telemetry/adapters/opa/)    | Alpha
 | [Authorization (RBAC)](/docs/concepts/security/#authorization)   | Alpha
 | [TCP Authorization (RBAC)](/docs/tasks/security/authz-tcp) | Alpha
-| [Cert management on Ingress Gateway](/docs/tasks/traffic-management/secure-ingress/sds) | Alpha
+| [Cert management on Ingress Gateway](/docs/tasks/traffic-management/ingress/secure-ingress-sds) | Alpha
 | [Vault integration](/docs/tasks/security/vault-ca) | Alpha
 | [SDS Integration](/docs/tasks/security/auth-sds/) | Alpha
 

content/blog/2018/egress-https/index.md

@@ -42,7 +42,7 @@ Perform the steps in the
 [Confirm the app is running](/docs/examples/bookinfo/#confirm-the-app-is-accessible-from-outside-the-cluster),
 [Apply default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules)
 sections, and
-[change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/#change-to-the-blocking-by-default-policy).
+[change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
 
 ## Bookinfo with HTTPS access to a Google Books web service
 

content/blog/2018/egress-mongo/index.md

@@ -95,7 +95,7 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
 
 To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/kubernetes/install/kubernetes/#installation-steps). Then you deploy the
 [Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and
-[change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/#change-to-the-blocking-by-default-policy).
+[change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
 
 This application uses the `ratings` microservice to fetch book ratings, a number between 1 and 5. The ratings are
 displayed as stars for each review. There are several versions of the `ratings` microservice. You will deploy the
@@ -166,7 +166,7 @@ stable or known in advance.
 
 In the cases when the IP of the MongoDB host is not stable, the egress traffic can either be
 [controlled as TLS traffic](#egress-control-for-tls), or the traffic can be routed
-[directly](/docs/tasks/traffic-management/egress/#direct-access-to-external-services), bypassing the Istio sidecar
+[directly](/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services), bypassing the Istio sidecar
 proxies.
 
 Get the IP address of your MongoDB database instance. As an option, you can use the
@@ -179,7 +179,7 @@ $ export MONGODB_IP=$(host $MONGODB_HOST | grep " has address " | cut -d" " -f4)
 ### Control TCP egress traffic without a gateway
 
 In case you do not need to direct the traffic through an
-[egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case), for example if you do not have a
+[egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case), for example if you do not have a
 requirement that all the traffic that exists your mesh must exit through the gateway, follow the
 instructions in this section. Alternatively, if you do want to direct your traffic through an egress gateway, proceed to
 [Direct TCP egress traffic through an egress gateway](#direct-tcp-egress-traffic-through-an-egress-gateway).
@@ -233,11 +233,11 @@ instructions in this section. Alternatively, if you do want to direct your traff
 ### Direct TCP Egress traffic through an egress gateway
 
 In this section you handle the case when you need to direct the traffic through an
-[egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case). The sidecar proxy routes TCP
+[egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case). The sidecar proxy routes TCP
 connections from the MongoDB client to the egress gateway, by matching the IP of the MongoDB host (a CIDR block of
   length 32). The egress gateway forwards the traffic to the MongoDB host, by its hostname.
 
-1.  [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
+1.  [Deploy Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).
 
 1.  If you did not perform the steps in [the previous section](#control-tcp-egress-traffic-without-a-gateway), perform them now.
 
@@ -491,7 +491,7 @@ your MongoDB egress traffic on the TCP level, as described in the previous secti
 
 ### Control TLS egress traffic without a gateway
 
-In case you [do not need an egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case), follow the
+In case you [do not need an egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case), follow the
 instructions in this section. If you want to direct your traffic through an egress gateway, proceed to
 [Direct TCP Egress traffic through an egress gateway](#direct-tcp-egress-traffic-through-an-egress-gateway).
 
@@ -525,13 +525,13 @@ $ kubectl delete serviceentry mongo
 ### Direct TLS Egress traffic through an egress gateway
 
 In this section you handle the case when you need to direct the traffic through an
-[egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case). The sidecar proxy routes TLS
+[egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case). The sidecar proxy routes TLS
 connections from the MongoDB client to the egress gateway, by matching the SNI of the MongoDB host.
 The egress gateway forwards the traffic to the MongoDB host. Note that the sidecar proxy rewrites the destination port
 to be 443. The egress gateway accepts the MongoDB traffic on the port 443, matches the MongoDB host by SNI, and rewrites
  the port again to be the port of the MongoDB server.
 
-1.  [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
+1.  [Deploy Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).
 
 1.  Create a `ServiceEntry` for the MongoDB service:
 
@@ -745,7 +745,7 @@ You can pick a wildcarded domain according to your MongoDB host.
 
 To configure egress gateway traffic for a wildcarded domain, you will first need to deploy a custom egress
 gateway with
-[an additional SNI proxy](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains).
+[an additional SNI proxy](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains).
 This is needed due to current limitations of Envoy, the proxy used by the standard Istio egress gateway.
 
 #### Prepare a new egress gateway with an SNI proxy

content/blog/2018/egress-monitoring-access-control/index.md

@@ -16,7 +16,7 @@ In this blog post, we show how to apply monitoring and access policies to HTTP e
 ## Use case
 
 Consider an organization that runs applications that process content from _cnn.com_. The applications are decomposed
-into microservices deployed in an Istio service mesh. The applications access pages of various topics from _cnn.com_: [edition.cnn.com/politics](https://edition.cnn.com/politics), [edition.cnn.com/sport](https://edition.cnn.com/sport) and  [edition.cnn.com/health](https://edition.cnn.com/health). The organization [configures Istio to allow access to edition.cnn.com](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) and everything works fine. However, at some
+into microservices deployed in an Istio service mesh. The applications access pages of various topics from _cnn.com_: [edition.cnn.com/politics](https://edition.cnn.com/politics), [edition.cnn.com/sport](https://edition.cnn.com/sport) and  [edition.cnn.com/health](https://edition.cnn.com/health). The organization [configures Istio to allow access to edition.cnn.com](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/) and everything works fine. However, at some
 point in time, the organization decides to banish politics. Practically, it means blocking access to
 [edition.cnn.com/politics](https://edition.cnn.com/politics) and allowing access to
 [edition.cnn.com/sport](https://edition.cnn.com/sport) and  [edition.cnn.com/health](https://edition.cnn.com/health)
@@ -34,9 +34,9 @@ will prevent any possibility for a malicious application to access the forbidden
 
 * The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external (outside the
   Kubernetes cluster) HTTP and HTTPS services can be accessed by applications inside the mesh.
-* The [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/) example describes how to configure
+* The [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/) example describes how to configure
   Istio to direct egress traffic through a dedicated gateway service called _egress gateway_.
-* The [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) example
+* The [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/) example
   demonstrates how to allow applications to send HTTP requests to external servers that require HTTPS, while directing
   traffic through egress gateway.
 * The [Collecting Metrics](/docs/tasks/telemetry/metrics/collecting-metrics/) task describes how to configure metrics for services in a mesh.
@@ -52,14 +52,14 @@ applied exclusively to the egress traffic.
 
 ## Before you begin
 
-Follow the steps in the [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) example, **with mutual TLS authentication enabled**, without
-the [Cleanup](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination//#cleanup) step.
+Follow the steps in the [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/) example, **with mutual TLS authentication enabled**, without
+the [Cleanup](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination//#cleanup) step.
 After completing that example, you can access [edition.cnn.com/politics](https://edition.cnn.com/politics) from an in-mesh container with `curl` installed. This blog post assumes that the `SOURCE_POD` environment variable contains the source pod's name and that the container's name is `sleep`.
 
 ## Configure monitoring and access policies
 
 Since you want to accomplish your tasks in a _secure way_, you should direct egress traffic through
-_egress gateway_, as described in the [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)
+_egress gateway_, as described in the [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/)
 task. The _secure way_ here means that you want to prevent malicious applications from bypassing Istio monitoring and
 policy enforcement.
 
@@ -241,7 +241,7 @@ accessing _/health_ and _/sport_ URL paths only. Such a simple policy control ca
     either _/health_ or _/sport_. Also note that this condition is added to the `istio-egressgateway`
     section of the `VirtualService`, since the egress gateway is a hardened component in terms of security (see
     [egress gateway security considerations]
-    (/docs/tasks/traffic-management/edge-traffic/egress-gateway/#additional-security-considerations)). You don't want any tampering
+    (/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations)). You don't want any tampering
     with your policies.
 
 1.  Send the previous three HTTP requests to _cnn.com_:
@@ -296,7 +296,7 @@ Istio to use access policy information from such a system. You implement this in
 Cancel the access control by routing you used in this section and implement access control by Mixer policy checks
 in the next section.
 
-1.  Replace the `VirtualService` for _edition.cnn.com_ with your previous version from the [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway) example:
+1.  Replace the `VirtualService` for _edition.cnn.com_ with your previous version from the [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway) example:
 
     {{< text bash >}}
     $ cat <<EOF | kubectl apply -f -
@@ -592,8 +592,8 @@ demonstrated a simple policy that allowed certain URL paths only. We also showed
 
 ## Cleanup
 
-1.  Perform the instructions in [Cleanup](/docs/tasks/traffic-management/edge-traffic/egress-gateway//#cleanup) section of the
-[Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway//) example.
+1.  Perform the instructions in [Cleanup](/docs/tasks/traffic-management/egress/egress-gateway//#cleanup) section of the
+[Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway//) example.
 
 1.  Delete the logging and policy checks configuration:
 

content/blog/2018/egress-tcp/index.md

@@ -150,7 +150,7 @@ Now you are ready to deploy a version of the Bookinfo application that will use
 ### Initial setting of Bookinfo application
 
 To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/kubernetes/install/kubernetes/#installation-steps). Then you deploy the
-[Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/#change-to-the-blocking-by-default-policy).
+[Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
 
 This application uses the `ratings` microservice to fetch
  book ratings, a number between 1 and 5. The ratings are displayed as stars for each review. There are several versions
@@ -332,7 +332,7 @@ Also note that the IPs of an external service are not always static, for example
 be changed from time to time, for example due to infrastructure changes. In these cases, if the range of the possible
 IPs is known, you should specify the range by CIDR blocks. If the range of the possible IPs is not known, service
 entries for TCP cannot be used and
-[the external services must be called directly](/docs/tasks/traffic-management/egress/#direct-access-to-external-services),
+[the external services must be called directly](/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services),
 bypassing the sidecar proxies.
 
 ## Relation to mesh expansion

content/boilerplates/notes/1.1.md

@@ -72,7 +72,7 @@ concise list of things you should know before upgrading your deployment to Istio
   solution.
 
 - **Istio Ingress Deprecated**. Removed the previously deprecated Istio
-  ingress. Refer to the [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/)
+  ingress. Refer to the [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/ingress/ingress-certmgr/)
   example for more details on how to use Kubernetes Ingress resources with
   [gateways](/docs/concepts/traffic-management/#gateways).
 

content/docs/examples/bookinfo/index.md

@@ -156,7 +156,7 @@ is used for this purpose.
     bookinfo-gateway   32s
     {{< /text >}}
 
-1.  Follow [these instructions](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports) to set the `INGRESS_HOST` and `INGRESS_PORT` variables for accessing the gateway. Return here, when they are set.
+1.  Follow [these instructions](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) to set the `INGRESS_HOST` and `INGRESS_PORT` variables for accessing the gateway. Return here, when they are set.
 
 1.  Set `GATEWAY_URL`:
 

content/docs/examples/endpoints/index.md

@@ -26,7 +26,7 @@ To install Istio for GKE, follow our [Quick Start with Google Kubernetes Engine]
 ## HTTP Endpoints service
 
 1. Inject the service into the mesh using `--includeIPRanges` by following the
-[instructions](/docs/tasks/traffic-management/egress/#direct-access-to-external-services)
+[instructions](/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services)
 so that Egress is allowed to call external services directly.
 Otherwise, ESP won't be able to access Google cloud service control.
 
@@ -53,7 +53,7 @@ Otherwise, ESP won't be able to access Google cloud service control.
     EOF
     {{< /text >}}
 
-1.  Get the Ingress IP and port by following the [instructions](/docs/tasks/traffic-management/ingress#determining-the-ingress-ip-and-ports).
+1.  Get the Ingress IP and port by following the [instructions](/docs/tasks/traffic-management/ingress/ingress-control#determining-the-ingress-ip-and-ports).
 You can verify accessing the Endpoints service through Ingress:
 
     {{< text bash >}}
@@ -89,7 +89,7 @@ Adding `"--http_port=8081"` in the ESP deployment arguments and expose the HTTP
 1. After this, you will find access to `EXTERNAL_IP` no longer works because the Istio proxy only accept secure mesh connections.
 Accessing through Ingress works because Ingress does HTTP terminations.
 
-1. To secure the access at Ingress, follow the [instructions](/docs/tasks/traffic-management/secure-ingress/).
+1. To secure the access at Ingress, follow the [instructions](/docs/tasks/traffic-management/ingress/secure-ingress-mount/).
 
 1.  You can verify accessing the Endpoints service through secure Ingress:
 

content/docs/setup/kubernetes/upgrade/notice/index.md

@@ -17,7 +17,7 @@ For an overview of new features introduced with Istio 1.1, please refer to the [
 - The 1.0 `istio-remote` chart used for [multicluster VPN](/docs/setup/kubernetes/install/multicluster/vpn/) and [multicluster split horizon](/docs/tasks/multicluster/split-horizon-eds/) remote cluster installation has been consolidated into the Istio chart.  To generate an equivalent `istio-remote` chart, use the `--set global.istioRemote=true` flag.
 - Addons are no longer exposed via separate load balancers.  Instead addons can now be optionally exposed via the Ingress Gateway.  To expose an addon via the Ingress Gateway, please follow the [Remotely Accessing Telemetry Addons](/docs/tasks/telemetry/gateways/) guide.
 - The built-in Istio Statsd collector has been removed. Istio retains the capability of integrating with your own Statsd collector, using the `--set global.envoyStatsd.enabled=true` flag.
-- The `ingress` series of options for configuring a Kubernetes Ingress have been removed.  Kubernetes Ingress is still functional and can be enabled using the `--set global.k8sIngress.enabled=true` flag.  Check out the [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/) for how to secure your Kubernetes ingress resources.
+- The `ingress` series of options for configuring a Kubernetes Ingress have been removed.  Kubernetes Ingress is still functional and can be enabled using the `--set global.k8sIngress.enabled=true` flag.  Check out the [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/ingress/ingress-certmgr/) for how to secure your Kubernetes ingress resources.
 
 ## Traffic Management
 

content/docs/tasks/multicluster/gateways/index.md

@@ -55,7 +55,7 @@ running in a second cluster.
     If `cluster2` is running in an environment that does not
     support external load balancers, you will need to use a nodePort to access the gateway.
     Instructions for obtaining the IP to use can be found in the
-    [Control Ingress Traffic](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
+    [Control Ingress Traffic](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)
     guide. You will also need to change the service entry endpoint port in the following step from 15443
     to its corresponding nodePort
     (i.e., `kubectl --context=$CTX_CLUSTER2 get svc -n istio-system istio-ingressgateway -o=jsonpath='{.spec.ports[?(@.port==15443)].nodePort}'`).

content/docs/tasks/multicluster/icp/index.md

@@ -224,7 +224,7 @@ The following example enables [automatic sidecar injection](/docs/setup/kubernet
     service address.  This would not be necessary if a multicluster DNS solution were additionally set up, e.g. as
     in a federated Kubernetes environment.
 
-1.  [Determine the ingress IP and ports](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
+1.  [Determine the ingress IP and ports](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)
     for `istio-ingressgateway`'s `INGRESS_HOST` and `INGRESS_PORT` variables for accessing the gateway.
 
     Access `http://<INGRESS_HOST>:<INGRESS_PORT>/productpage` repeatedly and each version of `reviews` should be equally load balanced,

content/docs/tasks/multicluster/split-horizon-eds/index.md

@@ -199,7 +199,7 @@ This will be used to access pilot on `cluster1` securely using the ingress gatew
         {{< /text >}}
 
     1.   Follow the instructions in
-        [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports),
+        [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports),
         to set the `INGRESS_HOST` and `SECURE_INGRESS_PORT` environment variables.
 
     1.  Restore the previous `kubectl` context:

content/docs/tasks/telemetry/gateways/index.md

@@ -21,7 +21,7 @@ A server certificate is required for secure access. Follow these steps to instal
 server certificates for a domain that you control.
 
 You may use self-signed certificates instead. Visit our
-[Securing Gateways with HTTPS Using Secret Discovery Service task](/docs/tasks/traffic-management/secure-ingress/sds/)
+[Securing Gateways with HTTPS Using Secret Discovery Service task](/docs/tasks/traffic-management/ingress/secure-ingress-sds/)
 for general information on using self-signed certificates to access in-cluster services.
 
 {{< warning >}}

content/docs/tasks/traffic-management/edge-traffic/_index.md

@@ -1,6 +0,0 @@
----
-title: Edge Traffic Management
-description: A variety of advanced examples for managing traffic at the edge (i.e., ingress and egress traffic) of an Istio service mesh.
-weight: 61
-keywords: [ingress,egress,gateway]
----

content/docs/tasks/traffic-management/egress/_index.md

@@ -0,0 +1,7 @@
+---
+title: Control Egress Traffic
+linktitle: Egress
+description: Managing egress traffic for an Istio service mesh.
+weight: 71
+keywords: [ingress,egress,gateway]
+---

content/docs/tasks/traffic-management/egress/egress-control/index.md

@@ -1,9 +1,10 @@
 ---
-title: Control Egress Traffic
+title: Accessing External Services
 description: Describes how to configure Istio to route traffic from services in the mesh to external services.
-weight: 40
+weight: 10
 aliases:
     - /docs/tasks/egress.html
+    - /docs/tasks/egress
 keywords: [traffic-management,egress]
 ---
 
@@ -66,7 +67,7 @@ service entries defined within the mesh.
 External hosts using the same port as any internal HTTP service
 fell back to a blocking-by-default behavior.
 Because some ports, such as port 80, have HTTP services inside Istio by default,
-prior to Istio 1.1.3 you couldn't call external services on any of those ports either.
+prior to Istio 1.1.4 you couldn't call external services on any of those ports either.
 {{< /warning >}}
 
 1. To see this approach in action you need to ensure that your Istio installation is configured
@@ -257,7 +258,7 @@ any other unintentional accesses.
     HTTPS all the HTTP-related information like method, URL path, response code, is encrypted so Istio cannot see and
     cannot monitor that information for HTTPS. If you need to monitor HTTP-related information in access to external
     HTTPS services, you may want to let your applications issue HTTP requests and
-    [configure Istio to perform TLS origination](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/).
+    [configure Istio to perform TLS origination](/docs/tasks/traffic-management/egress/egress-tls-origination/).
 
 ### Manage traffic to external services
 
@@ -490,9 +491,9 @@ A malicious application can bypass the Istio sidecar proxy and access any extern
 {{< /warning >}}
 
 To implement egress traffic control in a more secure way, you must
-[direct egress traffic through an egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/)
+[direct egress traffic through an egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/)
 and review the security concerns described in the
-[additional security considerations](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#additional-security-considerations)
+[additional security considerations](/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations)
 section.
 
 ## Cleanup

content/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md

@@ -1,5 +1,5 @@
 ---
-title: Egress Gateway with TLS Origination
+title: Egress Gateways with TLS Origination
 description: Describes how to configure an Egress Gateway to perform TLS origination to external services.
 weight: 40
 keywords: [traffic-management,egress]
@@ -7,9 +7,9 @@ aliases:
   - /docs/examples/advanced-gateways/egress-gateway-tls-origination/
 ---
 
-The [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/)
+The [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/egress/egress-tls-origination/)
 example shows how to configure Istio to perform {{< gloss >}}TLS origination{{< /gloss >}}
-for traffic to an external service. The [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/)
+for traffic to an external service. The [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/)
 example shows how to configure Istio to direct egress traffic through a
 dedicated _egress gateway_ service. This example combines the previous two by
 describing how to configure an egress gateway to perform TLS origination for
@@ -43,12 +43,12 @@ traffic to external services.
     $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
     {{< /text >}}
 
-*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
+*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).
 
 ## Perform TLS origination with an egress gateway
 
 This section describes how to perform the same TLS origination as in the
-[TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) example,
+[TLS Origination for Egress Traffic](/docs/tasks/traffic-management/egress/egress-tls-origination/) example,
 only this time using an egress gateway. Note that in this case the TLS origination will
 be done by the egress gateway, as opposed to by the sidecar in the previous example.
 
@@ -247,7 +247,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
     ...
     {{< /text >}}
 
-    The output should be the same as in the [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/)
+    The output should be the same as in the [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/egress/egress-tls-origination/)
     example, with TLS origination: without the _301 Moved Permanently_ message.
 
 1.  Check the log of the `istio-egressgateway` pod and you should see a line corresponding to our request.

content/docs/tasks/traffic-management/egress/egress-gateway/index.md

@@ -1,5 +1,6 @@
 ---
-title: Configure an Egress Gateway
+title: Configuring Egress Gateways
+linktitle: Egress Gateways
 description: Describes how to configure Istio to direct traffic to external services through a dedicated gateway.
 weight: 30
 keywords: [traffic-management,egress]
@@ -101,7 +102,7 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
     {{< /text >}}
 
     The output should be the same as in the
-    [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) example,
+    [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/egress/egress-tls-origination/) example,
     without TLS origination.
 
 1.  Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule for

content/docs/tasks/traffic-management/egress/egress-tls-origination/index.md

@@ -1,5 +1,6 @@
 ---
-title: TLS Origination for Egress Traffic
+title: Configuring Egress with TLS Origination
+linktitle: Egress TLS Origination
 description: Describes how to configure Istio to perform TLS origination for traffic to external services.
 keywords: [traffic-management,egress]
 weight: 20

content/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/index.md

@@ -1,5 +1,6 @@
 ---
 title: SNI Monitoring and Policies for TLS Egress Traffic
+linktitle: Monitoring and Policies for TLS Egress
 description: Describes how to configure SNI monitoring and apply policies on TLS egress traffic.
 keywords: [traffic-management,egress,telemetry,policies]
 weight: 51
@@ -7,17 +8,17 @@ aliases:
   - /docs/examples/advanced-gateways/egress_sni_monitoring_and_policies/
 ---
 
-The [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/) example
+The [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/) example
 describes how to enable TLS egress traffic for a set of hosts in a common domain, in that case `*.wikipedia.org`. This
 example extends that example to show how to configure SNI monitoring and apply policies on TLS egress traffic.
 
 {{< boilerplate before-you-begin-egress >}}
 
-*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
+*  [Deploy Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).
 
 *  Configure traffic to `*.wikipedia.org` by following
-   [the steps](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains) in
-   [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/) example,
+   [the steps](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains) in
+   [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/) example,
    **with mutual TLS enabled**.
 
     {{< warning >}}
@@ -193,8 +194,8 @@ $ kubectl delete -f @samples/sleep/policy/sni-serviceaccount.yaml@
 ## Cleanup
 
 1.  Perform
-    [the cleanup steps](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#cleanup-wildcard-configuration-for-arbitrary-domains)
-    from [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/)
+    [the cleanup steps](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#cleanup-wildcard-configuration-for-arbitrary-domains)
+    from [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/)
     example.
 
 1.  Shutdown the [sleep]({{<github_tree>}}/samples/sleep) service:

content/docs/tasks/traffic-management/egress/http-proxy/index.md

@@ -1,12 +1,12 @@
 ---
-title: Connect to an External HTTPS Proxy
+title: Using an External HTTPS Proxy
 description: Describes how to configure Istio to let applications use an external HTTPS proxy.
 weight: 60
 keywords: [traffic-management,egress]
 aliases:
   - /docs/examples/advanced-gateways/http-proxy/
 ---
-The [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/) example shows how to direct
+The [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/) example shows how to direct
 traffic to external services from your mesh via an Istio edge component called _Egress Gateway_. However, some
 cases require an external, legacy (non-Istio) HTTPS proxy to access external services. For example, your
 company may already have such a proxy in place and all the applications within the organization may be required to

content/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md

@@ -1,5 +1,6 @@
 ---
-title: Configure Egress Traffic using Wildcard Hosts
+title: Configuring Egress Traffic using Wildcard Hosts
+linktitle: Egress using Wildcard Hosts
 description: Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately.
 keywords: [traffic-management,egress]
 weight: 50
@@ -8,7 +9,7 @@ aliases:
 ---
 
 The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task and
-the [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/) example
+the [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/) example
 describe how to configure egress traffic for specific hostnames, like `edition.cnn.com`.
 This example shows how to enable egress traffic for a set of hosts in a common domain, for
 example `*.wikipedia.org`, instead of configuring each and every host separately.
@@ -23,7 +24,7 @@ without the need to specify every language's site separately.
 
 {{< boilerplate before-you-begin-egress >}}
 
-*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
+*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).
 
 ## Configure direct traffic to a wildcard host
 

content/docs/tasks/traffic-management/ingress/_index.md

@@ -0,0 +1,6 @@
+---
+title: Control Ingress Traffic
+linktitle: Ingress
+description: Managing ingress traffic for an Istio service mesh.
+weight: 70
+---

content/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md

@@ -1,7 +1,7 @@
 ---
-title: Securing Kubernetes Ingress with Cert-Manager
+title: Kubernetes Ingress with Cert-Manager
 description: Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager.
-weight: 70
+weight: 40
 keywords: [traffic-management,ingress,https,cert-manager,acme,sds]
 aliases:
   - /docs/examples/advanced-gateways/ingress-certmgr/

content/docs/tasks/traffic-management/ingress/ingress-control/index.md

@@ -1,10 +1,12 @@
 ---
-title: Control Ingress Traffic
+title: Configuring Ingress Gateways
+linktitle: Ingress Gateways
 description: Describes how to configure Istio to expose a service outside of the service mesh.
-weight: 30
+weight: 10
 keywords: [traffic-management,ingress]
 aliases:
     - /docs/tasks/ingress.html
+    - /docs/tasks/ingress
 ---
 
 In a Kubernetes environment, the [Kubernetes Ingress Resource](https://kubernetes.io/docs/concepts/services-networking/ingress/)
@@ -291,7 +293,7 @@ they have valid values, according to the output of the following commands:
     {{< /text >}}
 
 1.  If you have an external load balancer and it does not work for you, try to access the gateway using the service's
-    [node port](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports-when-using-a-node-port).
+    [node port](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports-when-using-a-node-port).
 
 ## Cleanup
 

content/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md

@@ -1,13 +1,13 @@
 ---
 title: Ingress Gateway without TLS Termination
 description: Describes how to configure SNI passthrough for an ingress gateway.
-weight: 10
+weight: 30
 keywords: [traffic-management,ingress,https]
 aliases:
   - /docs/examples/advanced-gateways/ingress-sni-passthrough/
 ---
 
-The [Securing Gateways with HTTPS](/docs/tasks/traffic-management/secure-ingress/) task describes how to configure HTTPS
+The [Securing Gateways with HTTPS](/docs/tasks/traffic-management/ingress/secure-ingress-mount/) task describes how to configure HTTPS
 ingress access to an HTTP service. This example describes how to configure HTTPS ingress access to an HTTPS service,
 i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.
 
@@ -17,7 +17,7 @@ Then you configure a gateway to provide ingress access to the service via host `
 
 ## Generate client and server certificates and keys
 
-Generate the certificates and keys in the same way as in the [Securing Gateways with HTTPS](/docs/tasks/traffic-management/secure-ingress/mount/#generate-client-and-server-certificates-and-keys) task.
+Generate the certificates and keys in the same way as in the [Securing Gateways with HTTPS](/docs/tasks/traffic-management/ingress/secure-ingress-mount/#generate-client-and-server-certificates-and-keys) task.
 
 1.  Clone the <https://github.com/nicholasjackson/mtls-go-example> repository:
 
@@ -237,7 +237,7 @@ to hold the configuration of the NGINX server:
     {{< /text >}}
 
 1.  Follow the instructions in
-    [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
+    [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)
     to define the `SECURE_INGRESS_PORT` and `INGRESS_HOST` environment variables.
 
 1.  Access the NGINX service from outside the cluster. Note that the correct certificate is returned by the server and

content/docs/tasks/traffic-management/ingress/secure-ingress-mount/index.md

@@ -1,21 +1,25 @@
 ---
-title: Securing Gateways with HTTPS With a File Mount-Based Approach
-description: Expose a service outside of the service mesh over TLS or mTLS.
-weight: 31
+title: Securing HTTPS Gateways - File Mount Approach
+linktitle: Secure Gateways (File Mount)
+description: Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates.
+weight: 20
+aliases:
+    - /docs/tasks/traffic-management/secure-ingress/mount/
 keywords: [traffic-management,ingress,file-mount-credentials]
 ---
 
 The [Control Ingress Traffic task](/docs/tasks/traffic-management/ingress)
-describes how to configure an ingress gateway to expose the HTTP endpoint of a
-service to external traffic. This task shows how to do it but using
-HTTPS access to the service with either simple or mutual TLS. The private key,
-server certificate, and the root certificate required by mutual TLS are configured
+describes how to configure an ingress gateway to expose an HTTP
+service to external traffic. This task shows how to expose a secure HTTPS
+service using either simple or mutual TLS.
+
+The TLS required private key, server certificate, and root certificate, are configured
 using a file mount based approach.
 
 ## Before you begin
 
-1.  Perform the steps in the [Before you begin](/docs/tasks/traffic-management/ingress#before-you-begin)
-and [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress#determining-the-ingress-ip-and-ports)
+1.  Perform the steps in the [Before you begin](/docs/tasks/traffic-management/ingress/ingress-control#before-you-begin)
+and [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress/ingress-control#determining-the-ingress-ip-and-ports)
 sections of the [Control Ingress Traffic](/docs/tasks/traffic-management/ingress) task. After performing
 those steps you should have Istio and the [httpbin]({{< github_tree >}}/samples/httpbin) service deployed,
 and the environment variables `INGRESS_HOST` and `SECURE_INGRESS_PORT` set.
@@ -129,7 +133,7 @@ create a gateway definition that configures a server on port 443.
     EOF
     {{< /text >}}
 
-1.  Configure routes for traffic entering via the `Gateway`. Define the same `VirtualService` as in the [Control Ingress Traffic](/docs/tasks/traffic-management/ingress/#configuring-ingress-using-an-istio-gateway) task:
+1.  Configure routes for traffic entering via the `Gateway`. Define the same `VirtualService` as in the [Control Ingress Traffic](/docs/tasks/traffic-management/ingress/ingress-control/#configuring-ingress-using-an-istio-gateway) task:
 
     {{< text bash >}}
     $ kubectl apply -f - <<EOF
@@ -302,7 +306,7 @@ server with another secret, before you can use it to handle a second host.
 
 ### Generate client and server certificates and keys for `bookinfo.com`
 
-Perform the same steps as in [Generate client and server certificates and keys](/docs/tasks/traffic-management/secure-ingress/mount/#generate-client-and-server-certificates-and-keys),
+Perform the same steps as in [Generate client and server certificates and keys](/docs/tasks/traffic-management/ingress/secure-ingress-mount/#generate-client-and-server-certificates-and-keys),
 only this time for host `bookinfo.com` instead of `httpbin.example.com`.
 
 1.  Change directory to the cloned repository:

content/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md

@@ -1,22 +1,26 @@
 ---
-title: Securing Gateways with HTTPS Using Secret Discovery Service
-description: Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS, using secret discovery service.
-weight: 32
+title: Securing HTTPS Gateways - SDS Approach
+linktitle: Secure Gateways (SDS)
+description: Expose a service outside of the service mesh over TLS or mTLS using the secret discovery serivce (SDS).
+weight: 21
+aliases:
+    - /docs/tasks/traffic-management/ingress/secure-ingress-sds/
 keywords: [traffic-management,ingress,sds-credentials]
 ---
 
 The [Control Ingress Traffic task](/docs/tasks/traffic-management/ingress)
-describes how to configure an ingress gateway to expose an HTTP endpoint of a
-service to external traffic. This task shows how to do it but using
-HTTPS access to the service with either simple or mutual TLS. The private key,
-server certificate, and root certificate required in mutual TLS are
-configured using Secret Discovery Service (SDS).
+describes how to configure an ingress gateway to expose an HTTP
+service to external traffic. This task shows how to expose a secure HTTPS
+service using either simple or mutual TLS.
+
+The TLS required private key, server certificate, and root certificate, are configured
+using the Secret Discovery Service (SDS).
 
 ## Before you begin
 
-1.  Perform the steps in the [Before you begin](/docs/tasks/traffic-management/ingress#before-you-begin)
-and [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress#determining-the-ingress-ip-and-ports)
-sections of the [Control Ingress Traffic](/docs/tasks/traffic-management/ingress) task. After performing
+1.  Perform the steps in the [Before you begin](/docs/tasks/traffic-management/ingress/ingress-control#before-you-begin)
+and [Determining the ingress IP and ports](/docs/tasks/traffic-management/ingress/ingress-control#determining-the-ingress-ip-and-ports)
+sections of the [Control Ingress Traffic](/docs/tasks/traffic-management/ingress/ingress-control) task. After performing
 those steps you should have Istio and the [httpbin]({{< github_tree >}}/samples/httpbin) service deployed,
 and the environment variables `INGRESS_HOST` and `SECURE_INGRESS_PORT` set.
 
@@ -32,7 +36,7 @@ and the environment variables `INGRESS_HOST` and `SECURE_INGRESS_PORT` set.
     a different implementation of `curl`, for example on a Linux machine.
 
 {{< tip >}}
-If you configured an ingress gateway using the [file mount-based approach](/docs/tasks/traffic-management/secure-ingress/mount),
+If you configured an ingress gateway using the [file mount-based approach](/docs/tasks/traffic-management/ingress/secure-ingress-mount),
 and you want to migrate your ingress gateway to use the SDS approach. There are no
 extra steps required.
 {{< /tip >}}

content/docs/tasks/traffic-management/request-routing/index.md

@@ -1,5 +1,6 @@
 ---
 title: Configuring Request Routing
+linktitle: Request Routing
 description: This task shows you how to configure dynamic request routing to multiple versions of a microservice.
 weight: 10
 aliases:

content/docs/tasks/traffic-management/request-timeouts/index.md

@@ -1,7 +1,8 @@
 ---
 title: Setting Request Timeouts
+linktitle: Request Timeouts
 description: This task shows you how to setup request timeouts in Envoy using Istio.
-weight: 28
+weight: 40
 aliases:
     - /docs/tasks/request-timeouts.html
 keywords: [traffic-management,timeouts]

content/docs/tasks/traffic-management/secure-ingress/_index.md

@@ -1,5 +0,0 @@
----
-title: Securing Ingress Gateway
-description: Secure ingress gateway controllers using various approaches.
-weight: 31
----

content/docs/tasks/traffic-management/tcp-traffic-shifting/index.md

@@ -1,7 +1,7 @@
 ---
 title: TCP Traffic Shifting
 description: Shows you how to migrate TCP traffic from an old to new version of a TCP service.
-weight: 26
+weight: 31
 keywords: [traffic-management,tcp-traffic-shifting]
 aliases:
     - /docs/tasks/traffic-management/tcp-version-migration.html

content/docs/tasks/traffic-management/traffic-shifting/index.md

@@ -1,7 +1,7 @@
 ---
 title: Traffic Shifting
 description: Shows you how to migrate traffic from an old to new version of a service.
-weight: 25
+weight: 30
 keywords: [traffic-management,traffic-shifting]
 aliases:
     - /docs/tasks/traffic-management/version-migration.html

content/faq/security/secure-ingress.md

@@ -4,5 +4,5 @@ weight: 130
 ---
 
 By following the instructions in the
-[Secure Ingress Traffic](/docs/tasks/traffic-management/secure-ingress) task,
+[Secure Ingress Traffic](/docs/tasks/traffic-management/ingress/secure-ingress-mount) task,
 Istio Ingress can be secured to only accept TLS traffic.

content_zh/blog/2018/egress-mongo/index.md

@@ -137,7 +137,7 @@ keywords: [traffic-management,egress,tcp,mongo]
 
 由于 [MongoDB 协议](https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/)运行在 TCP 之上，您可以像控制到[其余 TCP 服务](/blog/2018/egress-tcp/)的流量一样控制到 MongoDB 的 egress 流量。为了控制 TCP 流量，您必须指定一个 [CIDR](https://tools.ietf.org/html/rfc2317) 表示的 IP 块，该 IP 块包含 MongoDB 的地址。需要注意的是，有时候 MongoDB 主机的 IP 并不稳定或无法事先得知。
 
-在 MongoDB IP 不稳定的情况下，可以以 TLS 方式控制 egress 流量，或绕过 Istio sidecar [直接](/docs/tasks/traffic-management/egress/#direct-access-to-external-services)路由流量。
+在 MongoDB IP 不稳定的情况下，可以以 TLS 方式控制 egress 流量，或绕过 Istio sidecar [直接](/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services)路由流量。
 
 获取 MongoDB 数据库实例的 IP 地址。一种选择是使用 [host](https://linux.die.net/man/1/host) 命令。
 
@@ -147,7 +147,7 @@ $ export MONGODB_IP=$(host $MONGODB_HOST | grep " has address " | cut -d" " -f4)
 
 ### 在没有 gateway 的情况下控制 TCP egress 流量
 
-如果您不用通过 [egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case) 定向流量，例如不要求所有流量都通过 gateway 流出网格时，请遵循以下部分的说明。或者，如果您确实希望通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP egress 流量*。
+如果您不用通过 [egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case) 定向流量，例如不要求所有流量都通过 gateway 流出网格时，请遵循以下部分的说明。或者，如果您确实希望通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP egress 流量*。
 
 1. 定义一个网格外 TCP service entry：
 
@@ -188,7 +188,7 @@ $ kubectl delete serviceentry mongo
 
 ### 通过 egress gateway 定向 TCP egress 流量
 
-在本节中，您将处理通过 [egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 IP 地址（一个 32 位长度的 CIDR 块），将 TCP 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 按照其 hostname，转发流量到 MongoDB 主机。
+在本节中，您将处理通过 [egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 IP 地址（一个 32 位长度的 CIDR 块），将 TCP 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 按照其 hostname，转发流量到 MongoDB 主机。
 
 1. 为 MongoDB 服务创建一个 `ServiceEntry`，这次使用 `resolution` `DNS`。指定 resolution 为 `DNS` 以指示 egress gateway 执行一次 DNS 查询来获取 MongoDB 主机的 IP 地址。请注意，egress gateway 并不知道 MongoDB 客户端（`ratings` service）使用的 MongoDB 主机地址，所以 egress gateway 的 IP 地址被当做目的 IP 地址。
 
@@ -430,7 +430,7 @@ $ openssl s_client -connect $MONGODB_HOST:$MONGODB_PORT -servername $MONGODB_HOS
 
 ### 无 gateway 情况下控制 TLS egress 流量
 
-如果您[不需要 egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case)，请遵循本小节中的说明。如果您需要通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP Egress 流量*。
+如果您[不需要 egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case)，请遵循本小节中的说明。如果您需要通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP Egress 流量*。
 
 1. 为 MongoDB service 创建一个 `ServiceEntry` 和一个 `VirtualService`：
 
@@ -482,7 +482,7 @@ $ kubectl delete virtualservice mongo
 
 ### 通过 egress gateway 定向 TLS Egress 流量
 
-在本小节中，您将处理通过 [egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 SNI，将 TLS 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 再将流量转发到 MongoDB 主机。请注意，sidecar 代理会将目的端口重写为 443。Egress gateway 在 443 端口上接受 MongoDB 流量，按照 SNI 匹配 MongoDB 主机，并再次将端口重写为 MongoDB 服务器的端口。
+在本小节中，您将处理通过 [egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 SNI，将 TLS 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 再将流量转发到 MongoDB 主机。请注意，sidecar 代理会将目的端口重写为 443。Egress gateway 在 443 端口上接受 MongoDB 流量，按照 SNI 匹配 MongoDB 主机，并再次将端口重写为 MongoDB 服务器的端口。
 
 1. 为 MongoDB service 创建一个 `ServiceEntry`:
 
@@ -680,7 +680,7 @@ $ kubectl delete destinationrule egressgateway-for-mongo
 
 有时，您希望将 egress 流量配置为来自同一域的多个主机名，例如到 `*.<your company domain>.com` 中的所有 MongoDB service。您不希望创建多个配置项，而是一个用于公司中所有 MongoDB service 的通用配置项。要想通过一个配置来控制到所有相同域中的外部服务的访问，您需要使用*通配符*主机。
 
-要为通配符域名配置 egress gateway 流量，您需要使用[一个额外的 SNI 代理](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains)来部署一个自定义的 egress gateway。由于 Envoy（Istio egress gateway 使用的标准代理）目前的限制，这是必须的。
+要为通配符域名配置 egress gateway 流量，您需要使用[一个额外的 SNI 代理](/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains)来部署一个自定义的 egress gateway。由于 Envoy（Istio egress gateway 使用的标准代理）目前的限制，这是必须的。
 
 #### 准备一个使用 SNI 代理的新 egress gateway
 

content_zh/blog/2018/egress-monitoring-access-control/index.md

@@ -13,7 +13,7 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 ## 用例
 
-考虑一个运行处理 _cnn.com_ 内容的应用程序的组织。应用程序被解耦为部署在 Istio 服务网格中的微服务。应用程序访问 _cnn.com_ 的各种话题页面：[edition.cnn.com/politics](https://edition.cnn.com/politics)， [edition.cnn.com/sport](https://edition.cnn.com/sport) 和  [edition.cnn.com/health](https://edition.cnn.com/health)。该组织[配置了访问 edition.cnn.com 的权限](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)，一切都正常运行。然而，在某一时刻，本组织决定移除政治话题。实际上，这意味着禁止访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) ，只允许访问 [edition.cnn.com/sport](https://edition.cnn.com/sport)和[edition.cnn.com/health](https://edition.cnn.com/health) 。该组织将根据具体情况，向个别应用程序和特定用户授予访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) 的权限。
+考虑一个运行处理 _cnn.com_ 内容的应用程序的组织。应用程序被解耦为部署在 Istio 服务网格中的微服务。应用程序访问 _cnn.com_ 的各种话题页面：[edition.cnn.com/politics](https://edition.cnn.com/politics)， [edition.cnn.com/sport](https://edition.cnn.com/sport) 和  [edition.cnn.com/health](https://edition.cnn.com/health)。该组织[配置了访问 edition.cnn.com 的权限](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)，一切都正常运行。然而，在某一时刻，本组织决定移除政治话题。实际上，这意味着禁止访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) ，只允许访问 [edition.cnn.com/sport](https://edition.cnn.com/sport)和[edition.cnn.com/health](https://edition.cnn.com/health) 。该组织将根据具体情况，向个别应用程序和特定用户授予访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) 的权限。
 
 为了实现这一目标，组织的运维人员监控对外部服务的访问，并分析 Istio 日志，以验证没有向 [edition.cnn.com/politics](https://edition.cnn.com/politics) 发送未经授权的请求。他们还配置了 Istio 来防止自动访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) 。
 
@@ -23,7 +23,7 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 * [Control Egress 流量](/zh/docs/tasks/traffic-management/egress/)任务演示了网格内的应用程序如何访问外部(Kubernetes 集群之外) HTTP 和 HTTPS 服务。
 * [配置 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/)示例描述了如何配置 Istio 来通过一个称为 _出口网关_ 的专用网关服务来引导出口流量。
-* [带 TLS 发起的 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) 示例演示了如何允许应用程序向需要 HTTPS 的外部服务器发送 HTTP 请求，同时通过 Egress Gateway 引导流量。
+* [带 TLS 发起的 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) 示例演示了如何允许应用程序向需要 HTTPS 的外部服务器发送 HTTP 请求，同时通过 Egress Gateway 引导流量。
 * [收集指标](/docs/tasks/telemetry/metrics/collecting-metrics/)任务描述如何为网格中的服务配置指标。
 * [Grafana 的可视化指标](/zh/docs/tasks/telemetry/metrics/using-istio-dashboard/)描述了用于监控网格流量的 Istio 仪表板。
 * [基本访问控制](/zh/docs/tasks/policy-enforcement/denial-and-list/)任务显示如何控制对网格内服务的访问。
@@ -33,11 +33,11 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 ## 开始之前
 
-按照[带 TLS 发起的 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)中的步骤，**启用了双向 TLS 身份验证**，而不需要[清除](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination//#cleanup)步骤。完成该示例后，您可以从安装了 `curl` 的网格中容器访问 [edition.cnn.com/politics](https://edition.cnn.com/politics)。本文假设 `SOURCE_POD` 环境变量包含源 pod 的名称，容器的名称为 `sleep`。
+按照[带 TLS 发起的 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)中的步骤，**启用了双向 TLS 身份验证**，而不需要[清除](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination//#cleanup)步骤。完成该示例后，您可以从安装了 `curl` 的网格中容器访问 [edition.cnn.com/politics](https://edition.cnn.com/politics)。本文假设 `SOURCE_POD` 环境变量包含源 pod 的名称，容器的名称为 `sleep`。
 
 ## 配置监控和访问策略
 
-由于您希望以 _安全方式_ 完成您的任务，您应该通过 _egress 网关_ 引导流量，正如[带 TLS 发起的 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)任务中所描述的那样。这里的 _安全方式_ 意味着您希望防止恶意应用程序绕过 Istio 监控和策略强制。
+由于您希望以 _安全方式_ 完成您的任务，您应该通过 _egress 网关_ 引导流量，正如[带 TLS 发起的 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)任务中所描述的那样。这里的 _安全方式_ 意味着您希望防止恶意应用程序绕过 Istio 监控和策略强制。
 
 根据我们的场景，组织执行了[开始之前](#开始之前)部分中的命令，启用 HTTP 流量到 _edition.cnn.com_ ，并将该流量配置为通过 egress 网关。egress 网关执行 TLS 发起到 _edition.cnn.com_ ，因此流量在网格中被加密。此时，组织已经准备好配置 Istio 来监控和应用 _edition.cnn.com_ 流量的访问策略。
 
@@ -232,7 +232,7 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 现在您移除在本节中使用的路由取消访问控制，在下一节将向您演示通过 Mixer 策略检查实现访问控制。
 
-1.  用之前[配置 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway)示例中的版本替换 _edition.cnn.com_ 的 `VirtualService`：
+1.  用之前[配置 Egress 网关](/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway)示例中的版本替换 _edition.cnn.com_ 的 `VirtualService`：
 
     {{< text bash >}}
     $ cat <<EOF | kubectl apply -f -

content_zh/docs/concepts/performance-and-scalability/index.md

@@ -80,14 +80,14 @@ Acmeair 由以下微服务组成：
 下图展示了在 Kubernetes/Istio 环境中应用程序的不同 pod/容器：
 
 {{< image ratio="80%"
-    link="https://ibmcloud-perf.istio.io/regpatrol/istio_regpatrol_readme_files/image004.png"
+    link="https://ibmcloud-perf.istio.io/regpatrol/istio_regpatrol_readme_files/todelete/image004.png"
     alt="Acmeair 微服务概览"
     >}}
 
 下表展示了回归测试期间由脚本驱动的事务以及请求的近似分布：
 
 {{< image ratio="20%"
-    link="https://ibmcloud-perf.istio.io/regpatrol/istio_regpatrol_readme_files/image006.png"
+    link="https://ibmcloud-perf.istio.io/regpatrol/istio_regpatrol_readme_files/todelete/image006.png"
     alt="Acmeair 请求类型和分布"
     >}}
 

content_zh/docs/setup/kubernetes/upgrade/notice/index.md

@@ -16,7 +16,7 @@ weight: 5
 - 用于[多集群 VPN](/zh/docs/setup/kubernetes/install/multicluster/vpn/) 的 1.0 `istio-remote` chart 和 [多集群水平分割](/zh/docs/tasks/multicluster/split-horizon-eds/) 远程集群安装已合并到 Istio chart 中。要生成等效的 `istio-remote` chart，请使用 `--set global.istioRemote=true` 标志。
 - 插件不再通过单独的负载均衡器暴露。现在可以选择通过 Ingress 网关公开插件。要通过 Ingress Gateway 公开插件，请按照[远程访问遥测插件](/docs/tasks/telemetry/gateways/)指南进行操作。
 - 内置的 Istio Statsd 收集器已被删除。 Istio 使用 `--set global.envoyStatsd.enabled=true` 标志保留与您自己的 Statsd 收集器集成的功能。
-- 用于配置 Kubernetes Ingress 的 `ingress` 系列选项已被删除。 Kubernetes Ingress 仍然可以使用 `--set global.k8sIngress.enabled=true` 标志启用。查看[使用 Cert-Manager 保护 Kubernetes Ingress](/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/)，了解如何保护您的 Kubernetes 入口资源。
+- 用于配置 Kubernetes Ingress 的 `ingress` 系列选项已被删除。 Kubernetes Ingress 仍然可以使用 `--set global.k8sIngress.enabled=true` 标志启用。查看[使用 Cert-Manager 保护 Kubernetes Ingress](/zh/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/)，了解如何保护您的 Kubernetes 入口资源。
 
 ## 流量管理
 

content_zh/docs/tasks/multicluster/split-horizon-eds/index.md

@@ -179,7 +179,7 @@ aliases:
         $ kubectl config use-context $CTX_CLUSTER2
         {{< /text >}}
 
-    1. 根据[确定入口 IP 和端口](/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)的命令，设置 `INGRESS_HOST` 和 `SECURE_INGRESS_PORT` 环境变量。
+    1. 根据[确定入口 IP 和端口](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)的命令，设置 `INGRESS_HOST` 和 `SECURE_INGRESS_PORT` 环境变量。
 
     1. 恢复  `kubectl` 之前的上下文：
 

content_zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/index.md

@@ -37,11 +37,11 @@ aliases:
     $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
     {{< /text >}}
 
-* [部署 Istio egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway)
+* [部署 Istio egress 网关](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway)
 
 ## 使用 Egress 网关发起 TLS
 
-本节描述了如何执行和[在 Egress 流量中发起 TLS](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 示例中一样的过程，只不过这次使用的是 Egress 网关，而不是 Sidecar。
+本节描述了如何执行和[在 Egress 流量中发起 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 示例中一样的过程，只不过这次使用的是 Egress 网关，而不是 Sidecar。
 
 1. 为 `edition.cnn.com` 定义一个 `ServiceEntry`：
 

content_zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/index.md

@@ -236,7 +236,7 @@ egress gateway 使用它作为代理。Envoy 将流量路由到预定义的主
 
 具有 SNI 代理的 egress gateway 和 Istio 体系结构的相关部分如下图所示：
 
-{{< image width="80%" link="./EgressGatewayWithSNIProxy.svg" caption="具有 SNI proxy 的 Egress Gateway" >}}
+{{< image width="80%" link="/docs/tasks/traffic-management/egress/wildcard-egress-hosts/EgressGatewayWithSNIProxy.svg" caption="具有 SNI proxy 的 Egress Gateway" >}}
 
 以下部分介绍如何使用 SNI 代理重新部署 egress gateway，然后配置 Istio 通过 gateway 将 HTTPS 流量路由到任意通配符域名。