Move content from Examples to Tasks. (#4166)

Moves the content found in examples/advanced-gateways/ to
tasks/traffic-management/edge-traffic and
the content found in examples/multicluster/ to tasks/multicluster/
Fixes all broken links caused by the move and adds aliases to the moved pages.
The changes are applied to both, English and Chinese, websites.

Signed-off-by: rcaballeromx <grca@google.com>

content/blog/2018/egress-mongo/index.md

@@ -179,7 +179,7 @@ $ export MONGODB_IP=$(host $MONGODB_HOST | grep " has address " | cut -d" " -f4)
 ### Control TCP egress traffic without a gateway
 
 In case you do not need to direct the traffic through an
-[egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case), for example if you do not have a
+[egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case), for example if you do not have a
 requirement that all the traffic that exists your mesh must exit through the gateway, follow the
 instructions in this section. Alternatively, if you do want to direct your traffic through an egress gateway, proceed to
 [Direct TCP egress traffic through an egress gateway](#direct-tcp-egress-traffic-through-an-egress-gateway).
@@ -233,11 +233,11 @@ instructions in this section. Alternatively, if you do want to direct your traff
 ### Direct TCP Egress traffic through an egress gateway
 
 In this section you handle the case when you need to direct the traffic through an
-[egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case). The sidecar proxy routes TCP
+[egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case). The sidecar proxy routes TCP
 connections from the MongoDB client to the egress gateway, by matching the IP of the MongoDB host (a CIDR block of
   length 32). The egress gateway forwards the traffic to the MongoDB host, by its hostname.
 
-1.  [Deploy Istio egress gateway](/docs/examples/advanced-gateways/egress-gateway/#deploy-istio-egress-gateway).
+1.  [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
 
 1.  If you did not perform the steps in [the previous section](#control-tcp-egress-traffic-without-a-gateway), perform them now.
 
@@ -491,7 +491,7 @@ your MongoDB egress traffic on the TCP level, as described in the previous secti
 
 ### Control TLS egress traffic without a gateway
 
-In case you [do not need an egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case), follow the
+In case you [do not need an egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case), follow the
 instructions in this section. If you want to direct your traffic through an egress gateway, proceed to
 [Direct TCP Egress traffic through an egress gateway](#direct-tcp-egress-traffic-through-an-egress-gateway).
 
@@ -525,13 +525,13 @@ $ kubectl delete serviceentry mongo
 ### Direct TLS Egress traffic through an egress gateway
 
 In this section you handle the case when you need to direct the traffic through an
-[egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case). The sidecar proxy routes TLS
+[egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case). The sidecar proxy routes TLS
 connections from the MongoDB client to the egress gateway, by matching the SNI of the MongoDB host.
 The egress gateway forwards the traffic to the MongoDB host. Note that the sidecar proxy rewrites the destination port
 to be 443. The egress gateway accepts the MongoDB traffic on the port 443, matches the MongoDB host by SNI, and rewrites
  the port again to be the port of the MongoDB server.
 
-1.  [Deploy Istio egress gateway](/docs/examples/advanced-gateways/egress-gateway/#deploy-istio-egress-gateway).
+1.  [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
 
 1.  Create a `ServiceEntry` for the MongoDB service:
 
@@ -745,7 +745,7 @@ You can pick a wildcarded domain according to your MongoDB host.
 
 To configure egress gateway traffic for a wildcarded domain, you will first need to deploy a custom egress
 gateway with
-[an additional SNI proxy](/docs/examples/advanced-gateways/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains).
+[an additional SNI proxy](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains).
 This is needed due to current limitations of Envoy, the proxy used by the standard Istio egress gateway.
 
 #### Prepare a new egress gateway with an SNI proxy

content/blog/2018/egress-monitoring-access-control/index.md

@@ -16,7 +16,7 @@ In this blog post, we show how to apply monitoring and access policies to HTTP e
 ## Use case
 
 Consider an organization that runs applications that process content from _cnn.com_. The applications are decomposed
-into microservices deployed in an Istio service mesh. The applications access pages of various topics from _cnn.com_: [edition.cnn.com/politics](https://edition.cnn.com/politics), [edition.cnn.com/sport](https://edition.cnn.com/sport) and  [edition.cnn.com/health](https://edition.cnn.com/health). The organization [configures Istio to allow access to edition.cnn.com](/docs/examples/advanced-gateways/egress-gateway-tls-origination/) and everything works fine. However, at some
+into microservices deployed in an Istio service mesh. The applications access pages of various topics from _cnn.com_: [edition.cnn.com/politics](https://edition.cnn.com/politics), [edition.cnn.com/sport](https://edition.cnn.com/sport) and  [edition.cnn.com/health](https://edition.cnn.com/health). The organization [configures Istio to allow access to edition.cnn.com](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) and everything works fine. However, at some
 point in time, the organization decides to banish politics. Practically, it means blocking access to
 [edition.cnn.com/politics](https://edition.cnn.com/politics) and allowing access to
 [edition.cnn.com/sport](https://edition.cnn.com/sport) and  [edition.cnn.com/health](https://edition.cnn.com/health)
@@ -34,9 +34,9 @@ will prevent any possibility for a malicious application to access the forbidden
 
 * The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external (outside the
   Kubernetes cluster) HTTP and HTTPS services can be accessed by applications inside the mesh.
-* The [Configure an Egress Gateway](/docs/examples/advanced-gateways/egress-gateway/) example describes how to configure
+* The [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/) example describes how to configure
   Istio to direct egress traffic through a dedicated gateway service called _egress gateway_.
-* The [Egress Gateway with TLS Origination](/docs/examples/advanced-gateways/egress-gateway-tls-origination/) example
+* The [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) example
   demonstrates how to allow applications to send HTTP requests to external servers that require HTTPS, while directing
   traffic through egress gateway.
 * The [Collecting Metrics](/docs/tasks/telemetry/metrics/collecting-metrics/) task describes how to configure metrics for services in a mesh.
@@ -52,14 +52,14 @@ applied exclusively to the egress traffic.
 
 ## Before you begin
 
-Follow the steps in the [Egress Gateway with TLS Origination](/docs/examples/advanced-gateways/egress-gateway-tls-origination/) example, **with mutual TLS authentication enabled**, without
-the [Cleanup](/docs/examples/advanced-gateways/egress-gateway-tls-origination//#cleanup) step.
+Follow the steps in the [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) example, **with mutual TLS authentication enabled**, without
+the [Cleanup](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination//#cleanup) step.
 After completing that example, you can access [edition.cnn.com/politics](https://edition.cnn.com/politics) from an in-mesh container with `curl` installed. This blog post assumes that the `SOURCE_POD` environment variable contains the source pod's name and that the container's name is `sleep`.
 
 ## Configure monitoring and access policies
 
 Since you want to accomplish your tasks in a _secure way_, you should direct egress traffic through
-_egress gateway_, as described in the [Egress Gateway with TLS Origination](/docs/examples/advanced-gateways/egress-gateway-tls-origination/)
+_egress gateway_, as described in the [Egress Gateway with TLS Origination](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)
 task. The _secure way_ here means that you want to prevent malicious applications from bypassing Istio monitoring and
 policy enforcement.
 
@@ -241,7 +241,7 @@ accessing _/health_ and _/sport_ URL paths only. Such a simple policy control ca
     either _/health_ or _/sport_. Also note that this condition is added to the `istio-egressgateway`
     section of the `VirtualService`, since the egress gateway is a hardened component in terms of security (see
     [egress gateway security considerations]
-    (/docs/examples/advanced-gateways/egress-gateway/#additional-security-considerations)). You don't want any tampering
+    (/docs/tasks/traffic-management/edge-traffic/egress-gateway/#additional-security-considerations)). You don't want any tampering
     with your policies.
 
 1.  Send the previous three HTTP requests to _cnn.com_:
@@ -296,7 +296,7 @@ Istio to use access policy information from such a system. You implement this in
 Cancel the access control by routing you used in this section and implement access control by Mixer policy checks
 in the next section.
 
-1.  Replace the `VirtualService` for _edition.cnn.com_ with your previous version from the [Configure an Egress Gateway](/docs/examples/advanced-gateways/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway) example:
+1.  Replace the `VirtualService` for _edition.cnn.com_ with your previous version from the [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway) example:
 
     {{< text bash >}}
     $ cat <<EOF | kubectl apply -f -
@@ -592,8 +592,8 @@ demonstrated a simple policy that allowed certain URL paths only. We also showed
 
 ## Cleanup
 
-1.  Perform the instructions in [Cleanup](/docs/examples/advanced-gateways/egress-gateway//#cleanup) section of the
-[Configure an Egress Gateway](/docs/examples/advanced-gateways/egress-gateway//) example.
+1.  Perform the instructions in [Cleanup](/docs/tasks/traffic-management/edge-traffic/egress-gateway//#cleanup) section of the
+[Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway//) example.
 
 1.  Delete the logging and policy checks configuration:
 

content/blog/2019/multicluster-version-routing/index.md

@@ -329,7 +329,7 @@ EOF
 The address `127.255.0.3` of the service entry can be any arbitrary unallocated IP.
 Using an IP from the loopback range 127.0.0.0/8 is a good choice.
 Check out the
-[gateway-connected multicluster example](/docs/examples/multicluster/gateways/#configure-the-example-services)
+[gateway-connected multicluster example](/docs/tasks/multicluster/gateways/#configure-the-example-services)
 for more details.
 
 Note that the labels of the subsets in the destination rule map to the service entry

content/boilerplates/notes/1.1.md

@@ -30,7 +30,7 @@ concise list of things you should know before upgrading your deployment to Istio
 - **Improved Multicluster Integration**. Consolidated the 1.0 `istio-remote`
   chart previously used for
   [multicluster VPN](/docs/setup/kubernetes/install/multicluster/vpn/) and
-  [multicluster split horizon](/docs/examples/multicluster/split-horizon-eds/) remote cluster installation
+  [multicluster split horizon](/docs/tasks/multicluster/split-horizon-eds/) remote cluster installation
   into the Istio Helm chart simplifying the operational experience.
 
 ## Traffic management
@@ -72,7 +72,7 @@ concise list of things you should know before upgrading your deployment to Istio
   solution.
 
 - **Istio Ingress Deprecated**. Removed the previously deprecated Istio
-  ingress. Refer to the [Securing Kubernetes Ingress with Cert-Manager](/docs/examples/advanced-gateways/ingress-certmgr/)
+  ingress. Refer to the [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/)
   example for more details on how to use Kubernetes Ingress resources with
   [gateways](/docs/concepts/traffic-management/#gateways).
 

content/docs/concepts/multicluster-deployments/index.md

@@ -121,4 +121,4 @@ In this configuration, a request from a sidecar in one cluster to a service in
 the same cluster is forwarded to the local service IP as usual.
 If the destination workload is running in a different cluster,
 the remote cluster Gateway IP is used to connect to the service instead.
-Visit our [single control plane with gateways example](/docs/examples/multicluster/split-horizon-eds/) to experiment with this feature.
+Visit our [single control plane with gateways example](/docs/tasks/multicluster/split-horizon-eds/) to experiment with this feature.

content/docs/setup/kubernetes/install/multicluster/gateways/index.md

@@ -178,7 +178,7 @@ The host used in the service entry should be of the form `<name>.<namespace>.glo
 where name and namespace correspond to the service's name and namespace respectively.
 
 To confirm that your multicluster configuration is working, we suggest you proceed to our
-simple [multicluster using gateways](/docs/examples/multicluster/gateways/)
+simple [multicluster using gateways](/docs/tasks/multicluster/gateways/)
 example to test your setup.
 
 ## Uninstalling

content/docs/setup/kubernetes/upgrade/notice/index.md

@@ -14,10 +14,10 @@ For an overview of new features introduced with Istio 1.1, please refer to the [
 - We have increased the control plane and envoy sidecar’s required CPU and memory.  It is critical to ensure your cluster have enough resource before proceeding the update.
 - Istio’s CRDs have been placed into their own Helm chart `istio-init`.  This prevents loss of custom resource data, facilitates the upgrade process, and enables Istio to evolve beyond a Helm-based installation.  The [upgrade documentation](/docs/setup/kubernetes/upgrade/steps/) provides the proper procedures for upgrading from Istio 1.0.6 to Istio 1.1.  Please follow these instructions carefully when upgrading.  If `certmanager` is desired, use the `--set certmanager=true` flag when installing both `istio-init` and Istio charts with either `template` or `tiller` installation modes.
 - Many installation options have been added, removed, or changed. Refer to [Installation Options Changes](/docs/reference/config/installation-options-changes/) for a detailed summary of the changes.
-- The 1.0 `istio-remote` chart used for [multicluster VPN](/docs/setup/kubernetes/install/multicluster/vpn/) and [multicluster split horizon](/docs/examples/multicluster/split-horizon-eds/) remote cluster installation has been consolidated into the Istio chart.  To generate an equivalent `istio-remote` chart, use the `--set global.istioRemote=true` flag.
+- The 1.0 `istio-remote` chart used for [multicluster VPN](/docs/setup/kubernetes/install/multicluster/vpn/) and [multicluster split horizon](/docs/tasks/multicluster/split-horizon-eds/) remote cluster installation has been consolidated into the Istio chart.  To generate an equivalent `istio-remote` chart, use the `--set global.istioRemote=true` flag.
 - Addons are no longer exposed via separate load balancers.  Instead addons can now be optionally exposed via the Ingress Gateway.  To expose an addon via the Ingress Gateway, please follow the [Remotely Accessing Telemetry Addons](/docs/tasks/telemetry/gateways/) guide.
 - The built-in Istio Statsd collector has been removed. Istio retains the capability of integrating with your own Statsd collector, using the `--set global.envoyStatsd.enabled=true` flag.
-- The `ingress` series of options for configuring a Kubernetes Ingress have been removed.  Kubernetes Ingress is still functional and can be enabled using the `--set global.k8sIngress.enabled=true` flag.  Check out the [Securing Kubernetes Ingress with Cert-Manager](/docs/examples/advanced-gateways/ingress-certmgr/) for how to secure your Kubernetes ingress resources.
+- The `ingress` series of options for configuring a Kubernetes Ingress have been removed.  Kubernetes Ingress is still functional and can be enabled using the `--set global.k8sIngress.enabled=true` flag.  Check out the [Securing Kubernetes Ingress with Cert-Manager](/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/) for how to secure your Kubernetes ingress resources.
 
 ## Traffic Management
 

content/docs/tasks/multicluster/gateways/index.md

@@ -3,6 +3,8 @@ title: Gateway-Connected Clusters
 description: Configuring remote services in a gateway-connected multicluster mesh.
 weight: 20
 keywords: [kubernetes,multicluster]
+aliases:
+  - /docs/examples/multicluster/gateways/
 ---
 
 This example shows how to configure and call remote services in a multicluster mesh with a

content/docs/tasks/multicluster/gke/index.md

@@ -3,6 +3,8 @@ title: Google Kubernetes Engine
 description: Set up a multicluster mesh over two GKE clusters.
 weight: 65
 keywords: [kubernetes,multicluster]
+aliases:
+  - /docs/examples/multicluster/gke/
 ---
 
 This example shows how to configure a multicluster mesh with a

content/docs/tasks/multicluster/icp/index.md

@@ -3,6 +3,8 @@ title: IBM Cloud Private
 description: Example multicluster mesh over two IBM Cloud Private clusters.
 weight: 70
 keywords: [kubernetes,multicluster]
+aliases:
+    - /docs/examples/multicluster/icp/
 ---
 
 This example demonstrates how to setup network connectivity between two

content/docs/tasks/multicluster/iks-icp/index.md

@@ -3,6 +3,8 @@ title: IBM Cloud Kubernetes Service & IBM Cloud Private
 description: Multicluster mesh between IBM Cloud Kubernetes Service and IBM Cloud Private.
 weight: 75
 keywords: [kubernetes,multicluster,hybrid]
+aliases:
+  - /docs/examples/multicluster/iks-icp/
 ---
 
 This example shows how to set up VPN connectivity between
@@ -90,4 +92,4 @@ the local Istio control plane and Istio remote on IBM Cloud Private and IBM Clou
 
 This example uses IBM Cloud Private as the Istio local control plane and IBM Cloud Kubernetes Service as the Istio remote.
 
-Deploy Bookinfo example across clusters by following [these instructions](/docs/examples/multicluster/icp/).
+Deploy Bookinfo example across clusters by following [these instructions](/docs/tasks/multicluster/icp/).

content/docs/tasks/multicluster/split-horizon-eds/index.md

@@ -3,6 +3,8 @@ title: Cluster-Aware Service Routing
 description: Leveraging Istio's Split-horizon EDS to create a multicluster mesh.
 weight: 85
 keywords: [kubernetes,multicluster]
+aliases:
+    - /docs/examples/multicluster/split-horizon-eds/
 ---
 
 This example shows how to configure a multicluster mesh with a

content/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/index.md

@@ -3,11 +3,13 @@ title: Egress Gateway with TLS Origination
 description: Describes how to configure an Egress Gateway to perform TLS origination to external services.
 weight: 40
 keywords: [traffic-management,egress]
+aliases:
+  - /docs/examples/advanced-gateways/egress-gateway-tls-origination/
 ---
 
-The [TLS Origination for Egress Traffic](/docs/examples/advanced-gateways/egress-tls-origination)
+The [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/)
 example shows how to configure Istio to perform {{< gloss >}}TLS origination{{< /gloss >}}
-for traffic to an external service. The [Configure an Egress Gateway](/docs/examples/advanced-gateways/egress-gateway)
+for traffic to an external service. The [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/)
 example shows how to configure Istio to direct egress traffic through a
 dedicated _egress gateway_ service. This example combines the previous two by
 describing how to configure an egress gateway to perform TLS origination for
@@ -41,12 +43,12 @@ traffic to external services.
     $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
     {{< /text >}}
 
-*   [Deploy Istio egress gateway](/docs/examples/advanced-gateways/egress-gateway/#deploy-istio-egress-gateway).
+*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
 
 ## Perform TLS origination with an egress gateway
 
 This section describes how to perform the same TLS origination as in the
-[TLS Origination for Egress Traffic](/docs/examples/advanced-gateways/egress-tls-origination/) example,
+[TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) example,
 only this time using an egress gateway. Note that in this case the TLS origination will
 be done by the egress gateway, as opposed to by the sidecar in the previous example.
 
@@ -245,7 +247,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
     ...
     {{< /text >}}
 
-    The output should be the same as in the [TLS Origination for Egress Traffic](/docs/examples/advanced-gateways/egress-tls-origination/)
+    The output should be the same as in the [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/)
     example, with TLS origination: without the _301 Moved Permanently_ message.
 
 1.  Check the log of the `istio-egressgateway` pod and you should see a line corresponding to our request.

content/docs/tasks/traffic-management/edge-traffic/egress-gateway/index.md

@@ -3,6 +3,8 @@ title: Configure an Egress Gateway
 description: Describes how to configure Istio to direct traffic to external services through a dedicated gateway.
 weight: 30
 keywords: [traffic-management,egress]
+aliases:
+  - /docs/examples/advanced-gateways/egress-gateway/
 ---
 
 {{<warning>}}
@@ -99,7 +101,7 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
     {{< /text >}}
 
     The output should be the same as in the
-    [TLS Origination for Egress Traffic](/docs/examples/advanced-gateways/egress-tls-origination/) example,
+    [TLS Origination for Egress Traffic](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) example,
     without TLS origination.
 
 1.  Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule for

content/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/index.md

@@ -3,6 +3,8 @@ title: TLS Origination for Egress Traffic
 description: Describes how to configure Istio to perform TLS origination for traffic to external services.
 keywords: [traffic-management,egress]
 weight: 20
+aliases:
+  - /docs/examples/advanced-gateways/egress-tls-origination/
 ---
 
 The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external, i.e., outside of the

content/docs/tasks/traffic-management/edge-traffic/egress_sni_monitoring_and_policies/index.md

@@ -3,19 +3,21 @@ title: SNI Monitoring and Policies for TLS Egress Traffic
 description: Describes how to configure SNI monitoring and apply policies on TLS egress traffic.
 keywords: [traffic-management,egress,telemetry,policies]
 weight: 51
+aliases:
+  - /docs/examples/advanced-gateways/egress_sni_monitoring_and_policies/
 ---
 
-The [Configure Egress Traffic using Wildcard Hosts](/docs/examples/advanced-gateways/wildcard-egress-hosts/) example
+The [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/) example
 describes how to enable TLS egress traffic for a set of hosts in a common domain, in that case `*.wikipedia.org`. This
 example extends that example to show how to configure SNI monitoring and apply policies on TLS egress traffic.
 
 {{< boilerplate before-you-begin-egress >}}
 
-*   [Deploy Istio egress gateway](/docs/examples/advanced-gateways/egress-gateway/#deploy-istio-egress-gateway).
+*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
 
 *  Configure traffic to `*.wikipedia.org` by following
-   [the steps](/docs/examples/advanced-gateways/wildcard-egress-hosts#wildcard-configuration-for-arbitrary-domains) in
-   [Configure Egress Traffic using Wildcard Hosts](/docs/examples/advanced-gateways/wildcard-egress-hosts/) example,
+   [the steps](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains) in
+   [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/) example,
    **with mutual TLS enabled**.
 
     {{< warning >}}
@@ -191,8 +193,8 @@ $ kubectl delete -f @samples/sleep/policy/sni-serviceaccount.yaml@
 ## Cleanup
 
 1.  Perform
-    [the cleanup steps](/docs/examples/advanced-gateways/wildcard-egress-hosts#cleanup-wildcard-configuration-for-arbitrary-domains)
-    from [Configure Egress Traffic using Wildcard Hosts](/docs/examples/advanced-gateways/wildcard-egress-hosts/)
+    [the cleanup steps](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#cleanup-wildcard-configuration-for-arbitrary-domains)
+    from [Configure Egress Traffic using Wildcard Hosts](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/)
     example.
 
 1.  Shutdown the [sleep]({{<github_tree>}}/samples/sleep) service:

content/docs/tasks/traffic-management/edge-traffic/http-proxy/index.md

@@ -3,8 +3,10 @@ title: Connect to an External HTTPS Proxy
 description: Describes how to configure Istio to let applications use an external HTTPS proxy.
 weight: 60
 keywords: [traffic-management,egress]
+aliases:
+  - /docs/examples/advanced-gateways/http-proxy/
 ---
-The [Configure an Egress Gateway](/docs/examples/advanced-gateways/egress-gateway/) example shows how to direct
+The [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/) example shows how to direct
 traffic to external services from your mesh via an Istio edge component called _Egress Gateway_. However, some
 cases require an external, legacy (non-Istio) HTTPS proxy to access external services. For example, your
 company may already have such a proxy in place and all the applications within the organization may be required to

content/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/index.md

@@ -3,6 +3,8 @@ title: Securing Kubernetes Ingress with Cert-Manager
 description: Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager.
 weight: 70
 keywords: [traffic-management,ingress,https,cert-manager,acme,sds]
+aliases:
+  - /docs/examples/advanced-gateways/ingress-certmgr/
 ---
 
 This example demonstrates the use of Istio as a secure Kubernetes Ingress controller with TLS certificates issued by [Let's Encrypt](https://letsencrypt.org/). While more powerful Istio concepts such as [gateway](/docs/reference/config/networking/v1alpha3/gateway) and [virtual service](/docs/reference/config/networking/v1alpha3/virtual-service) should be used for advanced traffic management, optional support of the Kubernetes Ingress is also available and can be used to simplify integration of legacy and third-party solutions into a service mesh and benefit from extensive telemetry and tracing capabilities that Istio provides.

content/docs/tasks/traffic-management/edge-traffic/ingress-sni-passthrough/index.md

@@ -3,6 +3,8 @@ title: Ingress Gateway without TLS Termination
 description: Describes how to configure SNI passthrough for an ingress gateway.
 weight: 10
 keywords: [traffic-management,ingress,https]
+aliases:
+  - /docs/examples/advanced-gateways/ingress-sni-passthrough/
 ---
 
 The [Securing Gateways with HTTPS](/docs/tasks/traffic-management/secure-ingress/) task describes how to configure HTTPS

content/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/index.md

@@ -3,10 +3,12 @@ title: Configure Egress Traffic using Wildcard Hosts
 description: Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately.
 keywords: [traffic-management,egress]
 weight: 50
+aliases:
+  - /docs/examples/advanced-gateways/wildcard-egress-hosts/
 ---
 
 The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task and
-the [Configure an Egress Gateway](/docs/examples/advanced-gateways/egress-gateway/) example
+the [Configure an Egress Gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/) example
 describe how to configure egress traffic for specific hostnames, like `edition.cnn.com`.
 This example shows how to enable egress traffic for a set of hosts in a common domain, for
 example `*.wikipedia.org`, instead of configuring each and every host separately.
@@ -21,7 +23,7 @@ without the need to specify every language's site separately.
 
 {{< boilerplate before-you-begin-egress >}}
 
-*   [Deploy Istio egress gateway](/docs/examples/advanced-gateways/egress-gateway/#deploy-istio-egress-gateway).
+*   [Deploy Istio egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway).
 
 ## Configure direct traffic to a wildcard host
 

content/docs/tasks/traffic-management/egress/index.md

@@ -257,7 +257,7 @@ any other unintentional accesses.
     HTTPS all the HTTP-related information like method, URL path, response code, is encrypted so Istio cannot see and
     cannot monitor that information for HTTPS. If you need to monitor HTTP-related information in access to external
     HTTPS services, you may want to let your applications issue HTTP requests and
-    [configure Istio to perform TLS origination](/docs/examples/advanced-gateways/egress-tls-origination/).
+    [configure Istio to perform TLS origination](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/).
 
 ### Manage traffic to external services
 
@@ -490,9 +490,9 @@ A malicious application can bypass the Istio sidecar proxy and access any extern
 {{< /warning >}}
 
 To implement egress traffic control in a more secure way, you must
-[direct egress traffic through an egress gateway](/docs/examples/advanced-gateways/egress-gateway)
+[direct egress traffic through an egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/)
 and review the security concerns described in the
-[additional security considerations](/docs/examples/advanced-gateways/egress-gateway#additional-security-considerations)
+[additional security considerations](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#additional-security-considerations)
 section.
 
 ## Cleanup

content_zh/blog/2018/egress-https/index.md

@@ -267,7 +267,7 @@ env:
 
     注意，前缀为 `http-` `ServiceEntr` 指定了端口为 `443`，其协议指定为 `HTTP`。
     请注意，您不需要使用端口 443 发送 TLS 发起的 HTTP 请求。
-    [出口流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/)
+    [出口流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/)
     显示了如何使用端口重写执行 TLS 发起。
 
 1.  访问应用程序的网页，并验证是否显示图书详细信息。

content_zh/blog/2018/egress-mongo/index.md

@@ -147,7 +147,7 @@ $ export MONGODB_IP=$(host $MONGODB_HOST | grep " has address " | cut -d" " -f4)
 
 ### 在没有 gateway 的情况下控制 TCP egress 流量
 
-如果您不用通过 [egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case) 定向流量，例如不要求所有流量都通过 gateway 流出网格时，请遵循以下部分的说明。或者，如果您确实希望通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP egress 流量*。
+如果您不用通过 [egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case) 定向流量，例如不要求所有流量都通过 gateway 流出网格时，请遵循以下部分的说明。或者，如果您确实希望通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP egress 流量*。
 
 1. 定义一个网格外 TCP service entry：
 
@@ -188,7 +188,7 @@ $ kubectl delete serviceentry mongo
 
 ### 通过 egress gateway 定向 TCP egress 流量
 
-在本节中，您将处理通过 [egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 IP 地址（一个 32 位长度的 CIDR 块），将 TCP 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 按照其 hostname，转发流量到 MongoDB 主机。
+在本节中，您将处理通过 [egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 IP 地址（一个 32 位长度的 CIDR 块），将 TCP 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 按照其 hostname，转发流量到 MongoDB 主机。
 
 1. 为 MongoDB 服务创建一个 `ServiceEntry`，这次使用 `resolution` `DNS`。指定 resolution 为 `DNS` 以指示 egress gateway 执行一次 DNS 查询来获取 MongoDB 主机的 IP 地址。请注意，egress gateway 并不知道 MongoDB 客户端（`ratings` service）使用的 MongoDB 主机地址，所以 egress gateway 的 IP 地址被当做目的 IP 地址。
 
@@ -430,7 +430,7 @@ $ openssl s_client -connect $MONGODB_HOST:$MONGODB_PORT -servername $MONGODB_HOS
 
 ### 无 gateway 情况下控制 TLS egress 流量
 
-如果您[不需要 egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case)，请遵循本小节中的说明。如果您需要通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP Egress 流量*。
+如果您[不需要 egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case)，请遵循本小节中的说明。如果您需要通过 egress gateway 定向流量，请继续阅读*通过 egress gateway 定向 TCP Egress 流量*。
 
 1. 为 MongoDB service 创建一个 `ServiceEntry` 和一个 `VirtualService`：
 
@@ -482,7 +482,7 @@ $ kubectl delete virtualservice mongo
 
 ### 通过 egress gateway 定向 TLS Egress 流量
 
-在本小节中，您将处理通过 [egress gateway](/docs/examples/advanced-gateways/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 SNI，将 TLS 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 再将流量转发到 MongoDB 主机。请注意，sidecar 代理会将目的端口重写为 443。Egress gateway 在 443 端口上接受 MongoDB 流量，按照 SNI 匹配 MongoDB 主机，并再次将端口重写为 MongoDB 服务器的端口。
+在本小节中，您将处理通过 [egress gateway](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 SNI，将 TLS 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 再将流量转发到 MongoDB 主机。请注意，sidecar 代理会将目的端口重写为 443。Egress gateway 在 443 端口上接受 MongoDB 流量，按照 SNI 匹配 MongoDB 主机，并再次将端口重写为 MongoDB 服务器的端口。
 
 1. 为 MongoDB service 创建一个 `ServiceEntry`:
 
@@ -680,7 +680,7 @@ $ kubectl delete destinationrule egressgateway-for-mongo
 
 有时，您希望将 egress 流量配置为来自同一域的多个主机名，例如到 `*.<your company domain>.com` 中的所有 MongoDB service。您不希望创建多个配置项，而是一个用于公司中所有 MongoDB service 的通用配置项。要想通过一个配置来控制到所有相同域中的外部服务的访问，您需要使用*通配符*主机。
 
-要为通配符域名配置 egress gateway 流量，您需要使用[一个额外的 SNI 代理](/docs/examples/advanced-gateways/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains)来部署一个自定义的 egress gateway。由于 Envoy（Istio egress gateway 使用的标准代理）目前的限制，这是必须的。
+要为通配符域名配置 egress gateway 流量，您需要使用[一个额外的 SNI 代理](/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains)来部署一个自定义的 egress gateway。由于 Envoy（Istio egress gateway 使用的标准代理）目前的限制，这是必须的。
 
 #### 准备一个使用 SNI 代理的新 egress gateway
 

content_zh/blog/2018/egress-monitoring-access-control/index.md

@@ -13,7 +13,7 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 ## 用例
 
-考虑一个运行处理 _cnn.com_ 内容的应用程序的组织。应用程序被解耦为部署在 Istio 服务网格中的微服务。应用程序访问 _cnn.com_ 的各种话题页面：[edition.cnn.com/politics](https://edition.cnn.com/politics)， [edition.cnn.com/sport](https://edition.cnn.com/sport) 和  [edition.cnn.com/health](https://edition.cnn.com/health)。该组织[配置了访问 edition.cnn.com 的权限](/docs/examples/advanced-gateways/egress-gateway-tls-origination/)，一切都正常运行。然而，在某一时刻，本组织决定移除政治话题。实际上，这意味着禁止访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) ，只允许访问 [edition.cnn.com/sport](https://edition.cnn.com/sport)和[edition.cnn.com/health](https://edition.cnn.com/health) 。该组织将根据具体情况，向个别应用程序和特定用户授予访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) 的权限。
+考虑一个运行处理 _cnn.com_ 内容的应用程序的组织。应用程序被解耦为部署在 Istio 服务网格中的微服务。应用程序访问 _cnn.com_ 的各种话题页面：[edition.cnn.com/politics](https://edition.cnn.com/politics)， [edition.cnn.com/sport](https://edition.cnn.com/sport) 和  [edition.cnn.com/health](https://edition.cnn.com/health)。该组织[配置了访问 edition.cnn.com 的权限](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)，一切都正常运行。然而，在某一时刻，本组织决定移除政治话题。实际上，这意味着禁止访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) ，只允许访问 [edition.cnn.com/sport](https://edition.cnn.com/sport)和[edition.cnn.com/health](https://edition.cnn.com/health) 。该组织将根据具体情况，向个别应用程序和特定用户授予访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) 的权限。
 
 为了实现这一目标，组织的运维人员监控对外部服务的访问，并分析 Istio 日志，以验证没有向 [edition.cnn.com/politics](https://edition.cnn.com/politics) 发送未经授权的请求。他们还配置了 Istio 来防止自动访问 [edition.cnn.com/politics](https://edition.cnn.com/politics) 。
 
@@ -22,8 +22,8 @@ keywords: [egress,traffic-management,access-control,monitoring]
 ## 相关工作和示例
 
 * [Control Egress 流量](/zh/docs/tasks/traffic-management/egress/)任务演示了网格内的应用程序如何访问外部(Kubernetes 集群之外) HTTP 和 HTTPS 服务。
-* [配置 Egress 网关](/zh/docs/examples/advanced-gateways/egress-gateway/)示例描述了如何配置 Istio 来通过一个称为 _出口网关_ 的专用网关服务来引导出口流量。
-* [带 TLS 发起的 Egress 网关](/docs/examples/advanced-gateways/egress-gateway-tls-origination/) 示例演示了如何允许应用程序向需要 HTTPS 的外部服务器发送 HTTP 请求，同时通过 Egress Gateway 引导流量。
+* [配置 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/)示例描述了如何配置 Istio 来通过一个称为 _出口网关_ 的专用网关服务来引导出口流量。
+* [带 TLS 发起的 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/) 示例演示了如何允许应用程序向需要 HTTPS 的外部服务器发送 HTTP 请求，同时通过 Egress Gateway 引导流量。
 * [收集指标](/docs/tasks/telemetry/metrics/collecting-metrics/)任务描述如何为网格中的服务配置指标。
 * [Grafana 的可视化指标](/zh/docs/tasks/telemetry/metrics/using-istio-dashboard/)描述了用于监控网格流量的 Istio 仪表板。
 * [基本访问控制](/zh/docs/tasks/policy-enforcement/denial-and-list/)任务显示如何控制对网格内服务的访问。
@@ -33,11 +33,11 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 ## 开始之前
 
-按照[带 TLS 发起的 Egress 网关](/docs/examples/advanced-gateways/egress-gateway-tls-origination/)中的步骤，**启用了双向 TLS 身份验证**，而不需要[清除](/docs/examples/advanced-gateways/egress-gateway-tls-origination//#cleanup)步骤。完成该示例后，您可以从安装了 `curl` 的网格中容器访问 [edition.cnn.com/politics](https://edition.cnn.com/politics)。本文假设 `SOURCE_POD` 环境变量包含源 pod 的名称，容器的名称为 `sleep`。
+按照[带 TLS 发起的 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)中的步骤，**启用了双向 TLS 身份验证**，而不需要[清除](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination//#cleanup)步骤。完成该示例后，您可以从安装了 `curl` 的网格中容器访问 [edition.cnn.com/politics](https://edition.cnn.com/politics)。本文假设 `SOURCE_POD` 环境变量包含源 pod 的名称，容器的名称为 `sleep`。
 
 ## 配置监控和访问策略
 
-由于您希望以 _安全方式_ 完成您的任务，您应该通过 _egress 网关_ 引导流量，正如[带 TLS 发起的 Egress 网关](/docs/examples/advanced-gateways/egress-gateway-tls-origination/)任务中所描述的那样。这里的 _安全方式_ 意味着您希望防止恶意应用程序绕过 Istio 监控和策略强制。
+由于您希望以 _安全方式_ 完成您的任务，您应该通过 _egress 网关_ 引导流量，正如[带 TLS 发起的 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/)任务中所描述的那样。这里的 _安全方式_ 意味着您希望防止恶意应用程序绕过 Istio 监控和策略强制。
 
 根据我们的场景，组织执行了[开始之前](#开始之前)部分中的命令，启用 HTTP 流量到 _edition.cnn.com_ ，并将该流量配置为通过 egress 网关。egress 网关执行 TLS 发起到 _edition.cnn.com_ ，因此流量在网格中被加密。此时，组织已经准备好配置 Istio 来监控和应用 _edition.cnn.com_ 流量的访问策略。
 
@@ -195,7 +195,7 @@ keywords: [egress,traffic-management,access-control,monitoring]
     EOF
     {{< /text >}}
 
-    注意，您通过 `url` 添加添加了一个 `match`，该条件检查 URL 路径是 _/health_ 还是 _/sport_ 。还要注意，此条件已添加到 `VirtualService` 的 `istio-egressgateway` 部分，因为就安全性而言，egress 网关是一个经过加固的组件（请参阅 [egress 网关安全性注意事项](/zh/docs/examples/advanced-gateways/egress-gateway/#额外的安全考量)）。您一定不希望您的任何策略被篡改。
+    注意，您通过 `url` 添加添加了一个 `match`，该条件检查 URL 路径是 _/health_ 还是 _/sport_ 。还要注意，此条件已添加到 `VirtualService` 的 `istio-egressgateway` 部分，因为就安全性而言，egress 网关是一个经过加固的组件（请参阅 [egress 网关安全性注意事项](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/#额外的安全考量)）。您一定不希望您的任何策略被篡改。
 
 1.  发送之前的三个 HTTP 请求到 _cnn.com_ ：
 
@@ -232,7 +232,7 @@ keywords: [egress,traffic-management,access-control,monitoring]
 
 现在您移除在本节中使用的路由取消访问控制，在下一节将向您演示通过 Mixer 策略检查实现访问控制。
 
-1.  用之前[配置 Egress 网关](/docs/examples/advanced-gateways/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway)示例中的版本替换 _edition.cnn.com_ 的 `VirtualService`：
+1.  用之前[配置 Egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway)示例中的版本替换 _edition.cnn.com_ 的 `VirtualService`：
 
     {{< text bash >}}
     $ cat <<EOF | kubectl apply -f -
@@ -480,7 +480,7 @@ caption="HTTPS egress 流量通过 egress 网关"
 
 ## 清理
 
-1.  执行[配置 Egress 网关](/zh/docs/examples/advanced-gateways/egress-gateway//)示例的[清理](/zh/docs/examples/advanced-gateways/egress-gateway//#清理)部分中的说明。
+1.  执行[配置 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway//)示例的[清理](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway//#清理)部分中的说明。
 
 1.  删除日志和策略检查配置：
 

content_zh/blog/2019/multicluster-version-routing/index.md

@@ -301,7 +301,7 @@ spec:
 EOF
 {{< /text >}}
 
-`ServiceEntry` 的地址 `127.255.0.3` 可以是任意的未分配 IP。在 `127.0.0.0/8` 的范围里面进行选择是个不错的主意。阅读[通过网关进行连接的多集群](/zh/docs/examples/multicluster/gateways/#configure-the-example-services)一文，能够获得更多相关信息。
+`ServiceEntry` 的地址 `127.255.0.3` 可以是任意的未分配 IP。在 `127.0.0.0/8` 的范围里面进行选择是个不错的主意。阅读[通过网关进行连接的多集群](/zh/docs/tasks/multicluster/gateways/#configure-the-example-services)一文，能够获得更多相关信息。
 
 注意 `DestinationRule` 中的 `subset` 的标签，`cluster: cluster2` 对应的是 `cluster2` 网关。一旦流量到达目标集群，就会由本地目的 `DestinationRule` 来鉴别实际的 Pod 标签（`version: v1` 或者 `version: v2`）
 

content_zh/boilerplates/notes/1.1.md

@@ -38,7 +38,7 @@
 
 - **预配置安装方案**：加入了多个安装配置方案，其中提供了知名的、经过测试的模式，简化安装过程的定制工作。[配置方案](/zh/docs/setup/kubernetes/additional-setup/config-profiles/)为用户提供了更好的安装体验。
 
-- **增强了多集群支持**：Istio 1.0 中使用 `istio-remote` 进行 [VPN 模式](/zh/docs/setup/kubernetes/install/multicluster/vpn/) 以及[水平拆分 eds 模式](/zh/docs/examples/multicluster/split-horizon-eds/)的多集群风方案，1.1 中进行了整合，简化了安装体验。
+- **增强了多集群支持**：Istio 1.0 中使用 `istio-remote` 进行 [VPN 模式](/zh/docs/setup/kubernetes/install/multicluster/vpn/) 以及[水平拆分 eds 模式](/zh/docs/tasks/multicluster/split-horizon-eds/)的多集群风方案，1.1 中进行了整合，简化了安装体验。
 
 ## 流量管理
 
@@ -54,7 +54,7 @@
 
 - **调整多集群路由**：简化多集群配置，丰富部署模式。现在可以使用自带的 Ingress 网关连接多个集群，不再需要 Pod 级别的 VPN；可以在每个集群都部署控制平面，达到高可用目的；能够创建跨越多个集群的全局命名空间。在高可用控制平面模式下，会缺省启用路由的区域感知功能。
 
-- **弃用 Istio Ingress**：移除了过期的 Istio Ingress。请参照[使用 cert-manager 加密 Kubernetes Ingress](/zh/docs/examples/advanced-gateways/ingress-certmgr/)一文，了解如何使用[网关](/zh/docs/concepts/traffic-management/#gateway)充当 Ingress 控制器。
+- **弃用 Istio Ingress**：移除了过期的 Istio Ingress。请参照[使用 cert-manager 加密 Kubernetes Ingress](/zh/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/)一文，了解如何使用[网关](/zh/docs/concepts/traffic-management/#gateway)充当 Ingress 控制器。
 
 - **性能和伸缩性的增强**：调整了 Istio 和 Envoy 的性能和弹性。参考[性能和伸缩性](/zh/docs/concepts/performance-and-scalability/)一文，了解更多相关信息。
 

content_zh/docs/concepts/multicluster-deployments/index.md

@@ -56,4 +56,4 @@ Istio 支持将一个应用程序的服务以多种拓扑分布，而不仅仅
     caption="Istio 网格使用单个控制平面和 Gateway 跨越多个 Kubernetes 集群到达远程 pod"
     >}}
 
-在此配置中，从一个集群中的 sidecar 到同一集群中的 service 的请求仍然被转发到本地 service IP。如果目标工作负载在其他集群中运行，远程集群网关 IP 会替代 service 用于连接。访问我们的[单一控制平面](/zh/docs/examples/multicluster/split-horizon-eds/)页面，并使用网关示例来试验此功能。
+在此配置中，从一个集群中的 sidecar 到同一集群中的 service 的请求仍然被转发到本地 service IP。如果目标工作负载在其他集群中运行，远程集群网关 IP 会替代 service 用于连接。访问我们的[单一控制平面](/zh/docs/tasks/multicluster/split-horizon-eds/)页面，并使用网关示例来试验此功能。

content_zh/docs/setup/kubernetes/install/multicluster/gateways/index.md

@@ -128,7 +128,7 @@ EOF
 
 如果一个集群中的服务需要访问远端集群中的服务，就需要创建一个 `ServiceEntry`。`ServiceEntry` 中的主机名应该是 `<name>.<namespace>.global` 的格式，其中的 `name` 和 `namespace` 需要根据服务名称和命名空间进行替换。
 
-为了检查多集群配置是否生效，可以参考示例[通过网关进行多集群连接](/zh/docs/examples/multicluster/gateways/)来进行测试。
+为了检查多集群配置是否生效，可以参考示例[通过网关进行多集群连接](/zh/docs/tasks/multicluster/gateways/)来进行测试。
 
 ## 清理
 

content_zh/docs/setup/kubernetes/upgrade/notice/index.md

@@ -13,10 +13,10 @@ weight: 5
 
 - 我们增加了控制平面和 Envoy Sidecar 所需的 CPU 和内存。在更新之前，确保群集有足够的资源。
 - Istio 的 CRD 已被放入他们自己的 Helm chart `istio-init` 中。这可以防止丢失自定义资源数据，促进升级过程，使 Istio 能够基于 Helm 的安装形式也可以升级。 [升级文档](/docs/setup/kubernetes/upgrade/steps/) 提供了从 Istio 1.0.6 升级到 Istio 1.1 的正确过程。升级时请仔细遵循这些说明。如果需要 `certmanager`，在使用 `template` 或 `tiller` 安装模式安装`istio-init` 和 Istio chart 时，请使用 `--set certmanager=true` 标志。
-- 用于[多集群 VPN](/zh/docs/setup/kubernetes/install/multicluster/vpn/) 的 1.0 `istio-remote` chart 和 [多集群水平分割](/zh/docs/examples/multicluster/split-horizon-eds/) 远程集群安装已合并到 Istio chart 中。要生成等效的 `istio-remote` chart，请使用 `--set global.istioRemote=true` 标志。
+- 用于[多集群 VPN](/zh/docs/setup/kubernetes/install/multicluster/vpn/) 的 1.0 `istio-remote` chart 和 [多集群水平分割](/zh/docs/tasks/multicluster/split-horizon-eds/) 远程集群安装已合并到 Istio chart 中。要生成等效的 `istio-remote` chart，请使用 `--set global.istioRemote=true` 标志。
 - 插件不再通过单独的负载均衡器暴露。现在可以选择通过 Ingress 网关公开插件。要通过 Ingress Gateway 公开插件，请按照[远程访问遥测插件](/docs/tasks/telemetry/gateways/)指南进行操作。
 - 内置的 Istio Statsd 收集器已被删除。 Istio 使用 `--set global.envoyStatsd.enabled=true` 标志保留与您自己的 Statsd 收集器集成的功能。
-- 用于配置 Kubernetes Ingress 的 `ingress` 系列选项已被删除。 Kubernetes Ingress 仍然可以使用 `--set global.k8sIngress.enabled=true` 标志启用。查看[使用 Cert-Manager 保护 Kubernetes Ingress](/docs/examples/advanced-gateways/ingress-certmgr/)，了解如何保护您的 Kubernetes 入口资源。
+- 用于配置 Kubernetes Ingress 的 `ingress` 系列选项已被删除。 Kubernetes Ingress 仍然可以使用 `--set global.k8sIngress.enabled=true` 标志启用。查看[使用 Cert-Manager 保护 Kubernetes Ingress](/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/)，了解如何保护您的 Kubernetes 入口资源。
 
 ## 流量管理
 

content_zh/docs/tasks/multicluster/gateways/index.md

@@ -3,6 +3,8 @@ title: 通过网关进行连接的多集群
 description: 在一个使用网关进行连接的多集群网格中配置远程服务。
 weight: 20
 keywords: [kubernetes,multicluster]
+aliases:
+  - /zh/docs/examples/multicluster/gateways/
 ---
 
 这个示例展示了如何在[多控制平面拓扑](/docs/concepts/multicluster-deployments/#multiple-control-plane-topology)的多集群网格中

content_zh/docs/tasks/multicluster/gke/index.md

@@ -3,6 +3,8 @@ title: Google Kubernetes Engine
 description: 基于 GKE 的 Istio 多集群安装。
 weight: 65
 keywords: [kubernetes,multicluster]
+aliases:
+  - /zh/docs/examples/multicluster/gke/
 ---
 
 本例中展示了如何在两个 [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) 集群的基础上，配置一个[单一控制平面](/zh/docs/concepts/multicluster-deployments#单一控制平面拓扑)的多集群网格。

content_zh/docs/tasks/multicluster/icp/index.md

@@ -3,6 +3,8 @@ title: IBM Cloud Private
 description: 多 IBM Cloud Private 集群安装 Istio 示例。
 weight: 70
 keywords: [kubernetes,multicluster]
+aliases:
+    - /zh/docs/examples/multicluster/icp/
 ---
 
 此示例演示了如何在[基于 VPN 的多集群安装指导](/zh/docs/setup/kubernetes/install/multicluster/vpn/) 的帮助下使用 Istio 的多集群功能连接两个

content_zh/docs/tasks/multicluster/iks-icp/index.md

@@ -1,8 +1,10 @@
 ---
-title: IBM Cloud Kubernetes Service & IBM Cloud Private 
+title: IBM Cloud Kubernetes Service & IBM Cloud Private
 description: IBM Cloud Kubernetes Service 和 IBM Cloud Private 之间的多集群示例。
 weight: 75
 keywords: [kubernetes,multicluster,hybrid]
+aliases:
+  - /zh/docs/examples/multicluster/iks-icp/
 ---
 
 本文示例演示了如何使用 Istio 多集群功能，借助 [基于 VPN 的多集群设置](/zh/docs/setup/kubernetes/install/multicluster/vpn/)将 [IBM Cloud Private](https://www.ibm.com/cloud/private) 和 [IBM Cloud Kubernetes Service](https://console.bluemix.net/docs/containers/container_index.html) 两个集群连接起来。
@@ -85,4 +87,4 @@ IBM Cloud Private 和 IBM Cloud Kubernetes Service 上的本地 Istio 控制平
 
 此示例使用 IBM Cloud Private 作为 Istio 本地控制平面，使用 IBM Cloud Kubernetes Service 作为 Istio 远程控制平面。
 
-按照[IBM Cloud Private](/zh/docs/examples/multicluster/icp/)在集群中部署 Bookinfo 示例
+按照[IBM Cloud Private](/zh/docs/tasks/multicluster/icp/)在集群中部署 Bookinfo 示例

content_zh/docs/tasks/multicluster/split-horizon-eds/index.md

@@ -3,6 +3,8 @@ title: 集群感知的服务路由
 description: 利用 Istio 的水平分割 EDS 来创建多集群网格。
 weight: 85
 keywords: [kubernetes,multicluster]
+aliases:
+  - /zh/docs/examples/multicluster/split-horizon-eds/
 ---
 
 这个示例展示了如何使用[单一控制平面拓扑](/zh/docs/concepts/multicluster-deployments/#单一控制平面拓扑)配置一个多集群网格，并使用 Istio 的`水平分割 EDS（Endpoints Discovery Service，端点发现服务）`特性（在 Istio 1.1 中引入），通过 ingress gateway 将服务请求路由到其他集群。水平分割 EDS 使 Istio 可以基于请求来源的位置，将其路由到不同的 endpoint。

content_zh/docs/tasks/traffic-management/edge-traffic/egress-gateway-tls-origination/index.md

@@ -3,9 +3,11 @@ title: Egress 网关的 TLS 发起过程
 description: 描述了配置 Egress 网关来发起对外部服务进行 TLS 通信的过程。
 weight: 40
 keywords: [traffic-management,egress]
+aliases:
+  - /zh/docs/examples/advanced-gateways/egress-gateway-tls-origination/
 ---
 
-[Egress 流量 TLS 示例](/zh/docs/examples/advanced-gateways/egress-tls-origination)中展示了如何配置 Istio 来[发起 TLS](/zh/docs/reference/glossary/)，用于和外部进行通信。[配置 Egress 网关](/zh/docs/examples/advanced-gateways/egress-gateway)示例中展示了如何使用独立的 **egress 网关服务**来对 Egress 流量进行转发。这个例子中结合了前面的两个，描述了如何配置 Egress 网关，来发起对外的 TLS 访问。
+[Egress 流量 TLS 示例](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/)中展示了如何配置 Istio 来[发起 TLS](/zh/docs/reference/glossary/)，用于和外部进行通信。[配置 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/)示例中展示了如何使用独立的 **egress 网关服务**来对 Egress 流量进行转发。这个例子中结合了前面的两个，描述了如何配置 Egress 网关，来发起对外的 TLS 访问。
 
 ## 开始之前 {#before-you-begin}
 
@@ -35,11 +37,11 @@ keywords: [traffic-management,egress]
     $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
     {{< /text >}}
 
-* [部署 Istio egress 网关](/docs/examples/advanced-gateways/egress-gateway/#deploy-istio-egress-gateway)
+* [部署 Istio egress 网关](/docs/tasks/traffic-management/edge-traffic/egress-gateway/#deploy-istio-egress-gateway)
 
 ## 使用 Egress 网关发起 TLS
 
-本节描述了如何执行和[在 Egress 流量中发起 TLS](/docs/examples/advanced-gateways/egress-tls-origination/) 示例中一样的过程，只不过这次使用的是 Egress 网关，而不是 Sidecar。
+本节描述了如何执行和[在 Egress 流量中发起 TLS](/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 示例中一样的过程，只不过这次使用的是 Egress 网关，而不是 Sidecar。
 
 1. 为 `edition.cnn.com` 定义一个 `ServiceEntry`：
 
@@ -229,7 +231,7 @@ keywords: [traffic-management,egress]
     ...
     {{< /text >}}
 
-    输出内容应该和[出口流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/) 一文中的描述一致，消除了 `301 Moved Permanently` 消息。
+    输出内容应该和[出口流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 一文中的描述一致，消除了 `301 Moved Permanently` 消息。
 
 1. 检查 `istio-egressgateway` Pod 的日志，会看到跟我们请求相关的内容。
     如果 Istio 部署在 `istio-system` 命名空间，输出日志的命令是：

content_zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/index.md

@@ -1,15 +1,17 @@
 ---
-title: 配置 Egress gateway 
+title: 配置 Egress gateway
 description: 描述如何通过专用网关服务将流量定向到外部服务来配置 Istio。
 weight: 43
 keywords: [traffic-management,egress]
+aliases:
+  - /zh/docs/examples/advanced-gateways/egress-gateway/
 ---
 
 [控制 Egress 流量](/zh/docs/tasks/traffic-management/egress/)任务演示了如何从网格内的应用程序访问外部（Kubernetes 集群外部）HTTP 和 HTTPS 服务。这里提醒一下：默认情况下，启用 Istio 的应用程序无法访问集群外的 URL。要启用此类访问，必须定义外部服务的 [`ServiceEntry`](/zh/docs/reference/config/istio.networking.v1alpha3/#serviceentry)，或者配置[直接访问外部服务](/zh/docs/tasks/traffic-management/egress/#直接调用外部服务)。
 
-[Egress 流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/) 任务演示了如何允许应用程序将 HTTP 请求发送到需要 HTTPS 的外部服务器。
+[Egress 流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 任务演示了如何允许应用程序将 HTTP 请求发送到需要 HTTPS 的外部服务器。
 
-此任务描述了通过名为 `Egress Gateway`  的专用服务如何配置 Istio 引导出口流量。我们实现了与 [Egress 流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/) 任务中描述的相同功能，唯一的区别就是，这里会使用 Egress gateway 来完成这一任务。
+此任务描述了通过名为 `Egress Gateway`  的专用服务如何配置 Istio 引导出口流量。我们实现了与 [Egress 流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 任务中描述的相同功能，唯一的区别就是，这里会使用 Egress gateway 来完成这一任务。
 
 ## 用例
 
@@ -87,7 +89,7 @@ Istio 0.8 引入了 [Ingress 和 Egress gateway](/zh/docs/reference/config/istio
     ...
     {{< /text >}}
 
-    输出应与 [Egress 流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/) 任务中的输出相同，不带 TLS。
+    输出应与 [Egress 流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 任务中的输出相同，不带 TLS。
 
 1. 为 `edition.cnn.com` 端口 80 创建 Egress gateway。除此之外还要创建一个 `DestinationRule` 和 `VirtualService` 来引导流量通过 Egress gateway 与外部服务通信。
 
@@ -249,7 +251,7 @@ $ kubectl delete destinationrule egressgateway-for-cnn
 
 ## 用 Egress gateway 发起 TLS 连接
 
-接下来尝试使用 Egress Gateway 发起 TLS 连接，效果类似于 [出口流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/) 任务，具体区别是，在这种情况下，TLS 功能是由 Egress gateway 服务器完成的，而不是前一任务中的 Sidecar。
+接下来尝试使用 Egress Gateway 发起 TLS 连接，效果类似于 [出口流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 任务，具体区别是，在这种情况下，TLS 功能是由 Egress gateway 服务器完成的，而不是前一任务中的 Sidecar。
 
 1. 为 `edition.cnn.com` 定义 `ServiceEntry`：
 
@@ -427,7 +429,7 @@ $ kubectl delete destinationrule egressgateway-for-cnn
     ...
     {{< /text >}}
 
-    输出应与 [出口流量的 TLS](/zh/docs/examples/advanced-gateways/egress-tls-origination/) 任务中的输出相同：没有 `301 Moved Permanently` 信息。
+    输出应与 [出口流量的 TLS](/zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/) 任务中的输出相同：没有 `301 Moved Permanently` 信息。
 
 1. 检查 `istio-egressgateway` pod 的日志，并查看与我们的请求相对应的行。如果 Istio 部署在 `istio-system` 命名空间中，则打印日志的命令是：
 

content_zh/docs/tasks/traffic-management/edge-traffic/egress-tls-origination/index.md

@@ -2,6 +2,8 @@
 title: 出口流量的 TLS
 description: 此任务描述 Istio 如何配置出口流量的 TLS。
 weight: 42
+aliases:
+  - /zh/docs/examples/advanced-gateways/egress-tls-origination/
 ---
 
 [控制出口流量](/zh/docs/tasks/traffic-management/egress/)任务演示了如何从网格内部的应用程序访问 Kubernetes 集群外部的 HTTP 和 HTTPS 服务, 如该主题中所述，默认情况下，启用了 Istio 的应用程序无法访问集群外的 URL, 要启用外部访问，必须定义外部服务的[`ServiceEntry`](/zh/docs/reference/config/istio.networking.v1alpha3/#serviceentry)，或者[直接访问外部服务](/zh/docs/tasks/traffic-management/egress/#直接调用外部服务)。

content_zh/docs/tasks/traffic-management/edge-traffic/egress_sni_monitoring_and_policies/index.md

@@ -3,15 +3,17 @@ title: Egress TLS 流量中的 SNI 监控及策略
 description: 如何为 Egress TLS 流量配置 SNI 监控并应用策略。
 keywords: [traffic-management,egress,telemetry,policies]
 weight: 51
+aliases:
+  - /zh/docs/examples/advanced-gateways/egress_sni_monitoring_and_policies/
 ---
 
-在[使用通配符主机配置 Egress 流量](/zh/docs/examples/advanced-gateways/wildcard-egress-hosts/)示例中描述了为 `*.wikipedia.org` 这样的域名启用 Egress 流量 TLS 支持的方法。本示例中将演示的是如何为 Egress TLS 流量配置 SNI 监控并应用策略。
+在[使用通配符主机配置 Egress 流量](/zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/)示例中描述了为 `*.wikipedia.org` 这样的域名启用 Egress 流量 TLS 支持的方法。本示例中将演示的是如何为 Egress TLS 流量配置 SNI 监控并应用策略。
 
 {{< boilerplate before-you-begin-egress >}}
 
-* [在 Istio 中部署 Egress 网关](/zh/docs/examples/advanced-gateways/egress-gateway/#定义-egress-gateway-并引导-http-流量通过这一网关)
+* [在 Istio 中部署 Egress 网关](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/#定义-egress-gateway-并引导-http-流量通过这一网关)
 
-* 根据[使用通配符主机配置 Egress 流量](/zh/docs/examples/advanced-gateways/wildcard-egress-hosts/)示例中的[步骤](/zh/docs/examples/advanced-gateways/wildcard-egress-hosts/#任意域名的通配符配置) 为流向 `*.wikipedia.org` 的流量进行配置，启用 TLS 支持。
+* 根据[使用通配符主机配置 Egress 流量](/zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/)示例中的[步骤](/zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#任意域名的通配符配置) 为流向 `*.wikipedia.org` 的流量进行配置，启用 TLS 支持。
 
 ## SNI 监控和访问策略
 
@@ -336,6 +338,6 @@ $ kubectl delete listchecker us-wikipedia-checker canada-wikipedia-checker -n is
 
 ## 清理
 
-1. 执行 [使用通配符主机配置 Egress 流量](/zh/docs/examples/advanced-gateways/wildcard-egress-hosts/)例子中的[清理任意域名的通配符配置](/zh/docs/examples/advanced-gateways/wildcard-egress-hosts/#清理任意域名的通配符配置)步骤。
+1. 执行 [使用通配符主机配置 Egress 流量](/zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/)例子中的[清理任意域名的通配符配置](/zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/#清理任意域名的通配符配置)步骤。
 
-1. 停止 [sleep]({{<github_tree>}}/samples/sleep) 服务：
+1. 停止 [sleep]({{<github_tree>}}/samples/sleep) 服务：

content_zh/docs/tasks/traffic-management/edge-traffic/http-proxy/index.md

@@ -3,6 +3,8 @@ title: 连接到外部 HTTPS 代理
 description: 描述如何配置 Istio 以允许应用程序使用外部 HTTPS 代理。
 weight: 60
 keywords: [traffic-management,egress]
+aliases:
+  - /zh/docs/examples/advanced-gateways/http-proxy/
 ---
 [配置 Egress Gateway]（/docs/examples/advanced gateways/egress-gateway/）示例显示如何通过名为 Egress Gateway 的 Istio 组件将流量从网格引导到外部服务。但是，有些情况下需要一个外部的传统（非ISTIO）HTTPS 代理来访问外部服务。例如，您的公司可能已经有了这样的代理，并且可能需要所有应用程序通过代理来引导其流量。
 

content_zh/docs/tasks/traffic-management/edge-traffic/ingress-certmgr/index.md

@@ -3,6 +3,8 @@ title: 使用 cert-manager 加密 Kubernetes Ingress
 description: 展示使用 cert-Manager 为 Kubernetes Ingress 获取 Let's Encrypt TLS 证书的过程。
 weight: 70
 keywords: [traffic-management,ingress,https,cert-manager,acme,sds]
+aliases:
+  - /zh/docs/examples/advanced-gateways/ingress-certmgr/
 ---
 
 这个例子演示了在 Istio 中使用 [Let's Encrypt](https://letsencrypt.org/) 获取 TLS 证书为 Kubernetes Ingress controller 提供安全加固的过程。虽然 Istio 提供了更强大的功能，例如 [Gateway](/docs/reference/config/networking/v1alpha3/gateway) 和 [Virtual service](/docs/reference/config/networking/v1alpha3/virtual-service)，它们可以用于更加高级的流量管理功能，而可选的 Kubernetes Ingress 控制器支持则可以简单的把传统应用和第三方解决方案集成到服务网格之中，并由此获得 Istio 提供的遥测和跟踪能力。

content_zh/docs/tasks/traffic-management/edge-traffic/ingress-sni-passthrough/index.md

@@ -3,6 +3,8 @@ title: 没有 TLS 的 Ingress gateway
 description: 介绍如何为入口网关配置 SNI 直通。
 weight: 10
 keywords: [traffic-management,ingress,https]
+aliases:
+  - /zh/docs/examples/advanced-gateways/ingress-sni-passthrough
 ---
 
 [使用 HTTPS 保护网关](/zh/docs/tasks/traffic-management/secure-ingress/)任务描述了如何配置 HTTPS

content_zh/docs/tasks/traffic-management/edge-traffic/wildcard-egress-hosts/index.md

@@ -3,9 +3,11 @@ title: 使用通配符主机配置 Egress 流量
 description: 介绍如何为公共域中的一组主机启用 Egress 流量，而不是单独配置每个主机。
 keywords: [traffic-management,egress]
 weight: 50
+aliases:
+  - /zh/docs/examples/advanced-gateways/wildcard-egress-hosts/
 ---
 
-[控制 Egress 流量](/zh/docs/tasks/traffic-management/egress/)任务和[配置 Egress Gateway](/zh/docs/examples/advanced-gateways/egress-gateway/) 示例讲述了如何为类似 `edition.cnn.com` 的特定主机名配置
+[控制 Egress 流量](/zh/docs/tasks/traffic-management/egress/)任务和[配置 Egress Gateway](/zh/docs/tasks/traffic-management/edge-traffic/egress-gateway/) 示例讲述了如何为类似 `edition.cnn.com` 的特定主机名配置
 egress 流量。此示例演示了如何为一组处于公共域（如 `*.wikipedia.org`）的主机启用 egress 流量，而非单独配置每个主机。
 
 ## 背景