diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
index 9be4c5fe92..9bbfac60f3 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
@@ -13,7 +13,7 @@ test: yes
 This example does not work in Minikube.
 {{</warning>}}
 
-The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task shows how to configure
+The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task shows how to configure
 Istio to allow access to external HTTP and HTTPS services from applications inside the mesh.
 There, the external services are called directly from the client sidecar.
 This example also shows how to configure Istio to call external services, although this time
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
index 7545b297fe..19a39afd53 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
@@ -9,9 +9,9 @@ aliases:
   - /docs/examples/advanced-gateways/egress-tls-origination/
 ---
 
-The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external, i.e., outside of the
-service mesh, HTTP and HTTPS services can be accessed from applications inside the mesh. As described in that task,
-a [`ServiceEntry`](/docs/reference/config/networking/service-entry/) is used to configure Istio
+The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task demonstrates how external,
+i.e., outside of the service mesh, HTTP and HTTPS services can be accessed from applications inside the mesh. As described
+in that task, a [`ServiceEntry`](/docs/reference/config/networking/service-entry/) is used to configure Istio
 to access external services in a controlled way.
 This example shows how to configure Istio to perform {{< gloss >}}TLS origination{{< /gloss >}}
 for traffic to an external service. Istio will open HTTPS connections to the external service while the original
@@ -57,10 +57,10 @@ is that Istio can produce better telemetry and provide more routing control for
 ## Configuring access to an external service
 
 First start by configuring access to an external service, `edition.cnn.com`,
-using the same technique shown in the [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task.
+using the same technique shown in the [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task.
 This time, however, use a single `ServiceEntry` to enable both HTTP and HTTPS access to the service.
 
-1.  Create a `ServiceEntry` and `VirtualService` to enable access to `edition.cnn.com`:
+1.  Create a `ServiceEntry` to enable access to `edition.cnn.com`:
 
     {{< text syntax=bash snip_id=apply_simple >}}
     $ kubectl apply -f - <<EOF
@@ -79,25 +79,6 @@ This time, however, use a single `ServiceEntry` to enable both HTTP and HTTPS ac
         name: https-port
         protocol: HTTPS
       resolution: DNS
-    ---
-    apiVersion: networking.istio.io/v1alpha3
-    kind: VirtualService
-    metadata:
-      name: edition-cnn-com
-    spec:
-      hosts:
-      - edition.cnn.com
-      tls:
-      - match:
-        - port: 443
-          sniHosts:
-          - edition.cnn.com
-        route:
-        - destination:
-            host: edition.cnn.com
-            port:
-              number: 443
-          weight: 100
     EOF
     {{< /text >}}
 
@@ -133,27 +114,27 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
 
 ## TLS origination for egress traffic
 
-1.  Redefine your `VirtualService` from the previous section to rewrite the HTTP request port
-    and add a `DestinationRule` to perform TLS origination.
+1.  Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443
+    and add a `DestinationRule` to perform TLS origination:
 
     {{< text syntax=bash snip_id=apply_origination >}}
     $ kubectl apply -f - <<EOF
     apiVersion: networking.istio.io/v1alpha3
-    kind: VirtualService
+    kind: ServiceEntry
     metadata:
       name: edition-cnn-com
     spec:
       hosts:
       - edition.cnn.com
-      http:
-      - match:
-        - port: 80
-        route:
-        - destination:
-            host: edition.cnn.com
-            subset: tls-origination
-            port:
-              number: 443
+      ports:
+      - number: 80
+        name: http-port
+        protocol: HTTP
+        targetPort: 443
+      - number: 443
+        name: https-port
+        protocol: HTTPS
+      resolution: DNS
     ---
     apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
@@ -161,21 +142,17 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
       name: edition-cnn-com
     spec:
       host: edition.cnn.com
-      subsets:
-      - name: tls-origination
-        trafficPolicy:
-          loadBalancer:
-            simple: ROUND_ROBIN
-          portLevelSettings:
-          - port:
-              number: 443
-            tls:
-              mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
+      trafficPolicy:
+        portLevelSettings:
+        - port:
+            number: 80
+          tls:
+            mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
     EOF
     {{< /text >}}
 
-    As you can see, the `VirtualService` redirects HTTP requests on port 80 to port 443 where the corresponding
-    `DestinationRule` then performs the TLS origination.
+    The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry`
+    will then redirect the requests on port 80 to target port 443.
 
 1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section:
 
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
index 59ab735247..a5a264f9ed 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
@@ -49,25 +49,6 @@ spec:
     name: https-port
     protocol: HTTPS
   resolution: DNS
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: edition-cnn-com
-spec:
-  hosts:
-  - edition.cnn.com
-  tls:
-  - match:
-    - port: 443
-      sniHosts:
-      - edition.cnn.com
-    route:
-    - destination:
-        host: edition.cnn.com
-        port:
-          number: 443
-      weight: 100
 EOF
 }
 
@@ -88,21 +69,21 @@ ENDSNIP
 snip_apply_origination() {
 kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
+kind: ServiceEntry
 metadata:
   name: edition-cnn-com
 spec:
   hosts:
   - edition.cnn.com
-  http:
-  - match:
-    - port: 80
-    route:
-    - destination:
-        host: edition.cnn.com
-        subset: tls-origination
-        port:
-          number: 443
+  ports:
+  - number: 80
+    name: http-port
+    protocol: HTTP
+    targetPort: 443
+  - number: 443
+    name: https-port
+    protocol: HTTPS
+  resolution: DNS
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
@@ -110,16 +91,12 @@ metadata:
   name: edition-cnn-com
 spec:
   host: edition.cnn.com
-  subsets:
-  - name: tls-origination
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-      portLevelSettings:
-      - port:
-          number: 443
-        tls:
-          mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
+  trafficPolicy:
+    portLevelSettings:
+    - port:
+        number: 80
+      tls:
+        mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
 EOF
 }
 
diff --git a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md
index c6eecc55e7..e807c8b7f7 100644
--- a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md
@@ -9,7 +9,7 @@ owner: istio/wg-networking-maintainers
 test: yes
 ---
 
-The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task and
+The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task and
 the [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/) example
 describe how to configure egress traffic for specific hostnames, like `edition.cnn.com`.
 This example shows how to enable egress traffic for a set of hosts in a common domain, for