Install guide for ambient multi network (#16709)

* Install guide for ambient multi network Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Adopt Mitch's changes Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Fix helm cleanup Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Stash Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Address the rest of the feedback Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Change some of the tips Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Make gen Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Spellcheck Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Use latest for news link Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Add prev and next designations to frontmatter Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Fixup Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> * Put the breadcrumb on the right pages Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Signed-off-by: Keith Mattix II <keithmattix@microsoft.com> Co-authored-by: Keith Mattix II <keithmattix@microsoft.com>
2025-08-12 18:40:29 -04:00 · 2025-08-12 18:40:29 -04:00 · dd96a148ba
parent 9dca650cc3
commit dd96a148ba
17 changed files with 1665 additions and 39 deletions
--- a/.gitignore
+++ b/.gitignore
@ -41,3 +41,9 @@ archived_version

 # Local Netlify folder
 .netlify
+
+# Local artifacts when running tests
+artifacts
+
+# Certs generated during tests
+certs
--- a/content/en/docs/ambient/install/_index.md
+++ b/content/en/docs/ambient/install/_index.md
@ -8,6 +8,7 @@ aliases:
 owner: istio/wg-environment-maintainers
 test: n/a
 list_below: yes
+keywords: [kubernetes,ambient,install]
 ---

 {{< tip >}}
--- a/content/en/docs/ambient/install/multicluster/_index.md
+++ b/content/en/docs/ambient/install/multicluster/_index.md
@ -0,0 +1,72 @@
+---
+title: Install Multicluster
+description: Install an Istio mesh in ambient mode across multiple Kubernetes clusters.
+weight: 40
+keywords: [kubernetes,multicluster,ambient]
+simple_list: true
+content_above: true
+test: table-of-contents
+owner: istio/wg-environments-maintainers
+next: /docs/ambient/install/multicluster/before-you-begin
+---
+
+Follow this guide to install an Istio {{< gloss "ambient" >}}ambient service mesh{{< /gloss >}}
+that spans multiple {{< gloss "cluster" >}}clusters{{< /gloss >}}.
+
+## Current Status and Limitations
+
+{{< warning >}}
+**Ambient multicluster is currently in alpha status** and has significant limitations.
+This feature is under active development and should not be used in production environments.
+{{< /warning >}}
+
+Before proceeding with ambient multicluster installation, it's critical to understand
+the current state and limitations of this feature:
+
+### Supported Configurations
+
+Currently, ambient multicluster only supports:
+Before proceeding with an ambient multicluster installation, it is critical to understand
+the current state and limitations of this feature.
+
+### Critical Limitations
+
+#### Network Topology Restrictions
+
+**Multi-cluster single-network configurations are untested, and may be broken**
+  - Use caution when deploying ambient across clusters that share the same network
+  - Only multi-network configurations are supported
+
+#### Control Plane Limitations
+
+**Primary remote configuration is not currently supported**
+  - You can only have multiple primary clusters
+  - Configurations with one or more remote clusters will not work correctly
+
+#### Waypoint Requirements
+
+**Universal waypoint deployments are assumed across clusters**
+  - All clusters must have identically named waypoint deployments
+  - Waypoint configurations must be synchronized manually across clusters (e.g. using Flux, ArgoCD, or similar tools)
+  - Traffic routing relies on consistent waypoint naming conventions
+
+#### Service Visibility and Scoping
+
+**Service scope configurations are not read from across clusters**
+  - Only the local cluster's service scope configuration is used as the source of truth
+  - Remote cluster service scopes are not respected, which can lead to unexpected traffic behavior
+  - Cross-cluster service discovery may not respect intended service boundaries
+
+**If a service's waypoint is marked as global, that service will also be global**
+  - This can lead to unintended cross-cluster traffic if not managed carefully
+
+#### Gateway Limitations
+
+**Ambient east-west gateways currently only support meshed mTLS traffic**
+  - Cannot currently expose `istiod` across networks using ambient east-west gateways. You can still use a classic e/w gateway for this.
+
+{{< tip >}}
+As ambient multicluster matures, many of these limitations will be addressed.
+Check the [Istio release notes](https://istio.io/latest/news/) for updates on
+ambient multicluster capabilities.
+{{< /tip >}}
--- a/content/en/docs/ambient/install/multicluster/before-you-begin/index.md
+++ b/content/en/docs/ambient/install/multicluster/before-you-begin/index.md
@ -0,0 +1,87 @@
+---
+title: Before you begin
+description: Initial steps before installing Istio on multiple clusters.
+weight: 1
+keywords: [kubernetes,multicluster,ambient]
+test: n/a
+owner: istio/wg-environments-maintainers
+next: /docs/ambient/install/multicluster/multi-primary_multi-network
+prev: /docs/ambient/install/multicluster
+---
+
+{{< boilerplate alpha >}}
+
+Before you begin a multicluster installation, review the
+[deployment models guide](/docs/ops/deployment/deployment-models)
+which describes the foundational concepts used throughout this guide.
+
+In addition, review the requirements and perform the initial steps below.
+
+## Requirements
+
+### Cluster
+
+This guide requires that you have two Kubernetes clusters with support for LoadBalancer `Services` on any of the
+[supported Kubernetes versions:](/docs/releases/supported-releases#support-status-of-istio-releases) {{< supported_kubernetes_versions >}}.
+
+### API Server Access
+
+The API Server in each cluster must be accessible to the other clusters in the
+mesh. Many cloud providers make API Servers publicly accessible via network
+load balancers (NLB). The ambient east-west gateway cannot be used to expose
+the API server as it only supports double HBONE traffic. A non-ambient
+[east-west](https://en.wikipedia.org/wiki/East-west_traffic) gateway could be
+used to enable access to the API Server.
+
+## Environment Variables
+
+This guide will refer to two clusters: `cluster1` and `cluster2`. The following
+environment variables will be used throughout to simplify the instructions:
+
+Variable | Description
+-------- | -----------
+`CTX_CLUSTER1` | The context name in the default [Kubernetes configuration file](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) used for accessing the `cluster1` cluster.
+`CTX_CLUSTER2` | The context name in the default [Kubernetes configuration file](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) used for accessing the `cluster2` cluster.
+
+Set the two variables before proceeding:
+
+{{< text syntax=bash snip_id=none >}}
+$ export CTX_CLUSTER1=<your cluster1 context>
+$ export CTX_CLUSTER2=<your cluster2 context>
+{{< /text >}}
+
+## Configure Trust
+
+A multicluster service mesh deployment requires that you establish trust
+between all clusters in the mesh. Depending on the requirements for your
+system, there may be multiple options available for establishing trust.
+See [certificate management](/docs/tasks/security/cert-management/) for
+detailed descriptions and instructions for all available options.
+Depending on which option you choose, the installation instructions for
+Istio may change slightly.
+
+This guide will assume that you use a common root to generate intermediate
+certificates for each primary cluster.
+Follow the [instructions](/docs/tasks/security/cert-management/plugin-ca-cert/)
+to generate and push a CA certificate secret to both the `cluster1` and `cluster2`
+clusters.
+
+{{< tip >}}
+If you currently have a single cluster with a self-signed CA (as described
+in [Getting Started](/docs/setup/getting-started/)), you need to
+change the CA using one of the methods described in
+[certificate management](/docs/tasks/security/cert-management/). Changing the
+CA typically requires reinstalling Istio. The installation instructions
+below may have to be altered based on your choice of CA.
+{{< /tip >}}
+
+## Next steps
+
+You're now ready to install an Istio ambient mesh across multiple clusters.
+
+- [Install Multi-Primary on Different Networks](/docs/ambient/install/multicluster/multi-primary_multi-network)
+
+{{< tip >}}
+If you plan on installing Istio multi-cluster using Helm, follow the
+[Helm prerequisites](/docs/setup/install/helm/#prerequisites) in the Helm install guide first.
+{{< /tip >}}
--- a/content/en/docs/ambient/install/multicluster/common.sh
+++ b/content/en/docs/ambient/install/multicluster/common.sh
@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2034,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Initialize KUBECONFIG_FILES and KUBE_CONTEXTS
+_set_kube_vars
+
+source content/en/docs/ambient/install/multicluster/verify/snips.sh
+
+# set_single_network_vars initializes all variables for a single network config.
+function set_single_network_vars
+{
+  export KUBECONFIG_CLUSTER1="${KUBECONFIG_FILES[0]}"
+  export KUBECONFIG_CLUSTER2="${KUBECONFIG_FILES[1]}"
+  export CTX_CLUSTER1="${KUBE_CONTEXTS[0]}"
+  export CTX_CLUSTER2="${KUBE_CONTEXTS[1]}"
+}
+
+# set_multi_network_vars initializes all variables for a multi-network config.
+function set_multi_network_vars
+{
+  export KUBECONFIG_CLUSTER1="${KUBECONFIG_FILES[0]}"
+  export KUBECONFIG_CLUSTER2="${KUBECONFIG_FILES[2]}"
+  export CTX_CLUSTER1="${KUBE_CONTEXTS[0]}"
+  export CTX_CLUSTER2="${KUBE_CONTEXTS[2]}"
+}
+
+# configure_trust creates a hierarchy of
+function configure_trust
+{
+  # Keeps the certs under a separate directory.
+  mkdir -p certs
+  pushd certs || exit
+
+  # Create the root cert.
+  make -f ../tools/certs/Makefile.selfsigned.mk root-ca
+
+  # Create and deploy intermediate certs for cluster1 and cluster2.
+  make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts
+  make -f ../tools/certs/Makefile.selfsigned.mk cluster2-cacerts
+
+  # Create the istio-system namespace in each cluster so that we can create the secrets.
+  kubectl --context="$CTX_CLUSTER1" create namespace istio-system
+  kubectl --context="$CTX_CLUSTER2" create namespace istio-system
+
+  # Deploy secret to each cluster
+  kubectl --context="$CTX_CLUSTER1" create secret generic cacerts -n istio-system \
+      --from-file=cluster1/ca-cert.pem \
+      --from-file=cluster1/ca-key.pem \
+      --from-file=cluster1/root-cert.pem \
+      --from-file=cluster1/cert-chain.pem
+  kubectl --context="$CTX_CLUSTER2" create secret generic cacerts -n istio-system \
+      --from-file=cluster2/ca-cert.pem \
+      --from-file=cluster2/ca-key.pem \
+      --from-file=cluster2/root-cert.pem \
+      --from-file=cluster2/cert-chain.pem
+
+  popd || exit # Return to the previous directory.
+}
+
+# cleanup_istioctl removes all resources created by the tests with istioctl.
+function cleanup_istioctl
+{
+  # Remove temp files.
+  rm -f cluster1.yaml cluster2.yaml certs
+
+  # Cleanup both clusters concurrently
+  cleanup_cluster1_istioctl &
+  cleanup_cluster2_istioctl &
+  wait
+  snip_delete_crds
+}
+
+# cleanup_cluster1_istioctl removes the istio-system and sample namespaces on CLUSTER1 with istioctl.
+function cleanup_cluster1_istioctl
+{
+  echo y | istioctl uninstall --revision=default --context="${CTX_CLUSTER1}"
+  kubectl delete ns istio-system sample --context="${CTX_CLUSTER1}" --ignore-not-found
+}
+
+# cleanup_cluster2_istioctl removes the istio-system and sample namespaces on CLUSTER2 with istioctl.
+function cleanup_cluster2_istioctl
+{
+  echo y | istioctl uninstall --revision=default --context="${CTX_CLUSTER2}"
+  kubectl delete ns istio-system sample --context="${CTX_CLUSTER2}" --ignore-not-found
+}
+
+# verify_load_balancing verifies that traffic is load balanced properly
+# between CLUSTER1 and CLUSTER2.
+function verify_load_balancing
+{
+  # Verify istiod is synced
+  echo "Verifying istiod is synced to remote cluster."
+  _verify_like snip_verify_multicluster_1 "$snip_verify_multicluster_1_out"
+
+  # Deploy the HelloWorld service.
+  snip_deploy_the_helloworld_service_1
+  snip_deploy_the_helloworld_service_2
+  snip_deploy_the_helloworld_service_3
+
+  # Deploy HelloWorld v1 and v2
+  snip_deploy_helloworld_v1_1
+  snip_deploy_helloworld_v2_1
+
+  # Deploy curl
+  snip_deploy_curl_1
+
+  # Wait for all the deployments.
+  _wait_for_deployment sample helloworld-v1 "${CTX_CLUSTER1}"
+  _wait_for_deployment sample curl "${CTX_CLUSTER1}"
+  _wait_for_deployment sample helloworld-v2 "${CTX_CLUSTER2}"
+  _wait_for_deployment sample curl "${CTX_CLUSTER2}"
+
+  # Expose the helloworld service in both clusters.
+  echo "Exposing helloworld in cluster1"
+  kubectl --context="${CTX_CLUSTER1}" label svc helloworld -n sample istio.io/global="true"
+  echo "Exposing helloworld in cluster2"
+  kubectl --context="${CTX_CLUSTER2}" label svc helloworld -n sample istio.io/global="true"
+
+  # Verify everything is deployed as expected.
+  VERIFY_TIMEOUT=0 # Don't retry.
+  echo "Verifying helloworld v1 deployment"
+  _verify_like snip_deploy_helloworld_v1_2 "$snip_deploy_helloworld_v1_2_out"
+  echo "Verifying helloworld v2 deployment"
+  _verify_like snip_deploy_helloworld_v2_2 "$snip_deploy_helloworld_v2_2_out"
+  echo "Verifying curl deployment in ${CTX_CLUSTER1}"
+  _verify_like snip_deploy_curl_2 "$snip_deploy_curl_2_out"
+  echo "Verifying curl deployment in ${CTX_CLUSTER2}"
+  _verify_like snip_deploy_curl_3 "$snip_deploy_curl_3_out"
+  unset VERIFY_TIMEOUT # Restore default
+
+  local EXPECTED_RESPONSE_FROM_CLUSTER1="Hello version: v1, instance:"
+  local EXPECTED_RESPONSE_FROM_CLUSTER2="Hello version: v2, instance:"
+
+  # Verify we hit both clusters from CLUSTER1
+  echo "Verifying load balancing from ${CTX_CLUSTER1}"
+  _verify_contains snip_verifying_crosscluster_traffic_1 "$EXPECTED_RESPONSE_FROM_CLUSTER1"
+  _verify_contains snip_verifying_crosscluster_traffic_1 "$EXPECTED_RESPONSE_FROM_CLUSTER2"
+
+  # Verify we hit both clusters from CLUSTER2
+  echo "Verifying load balancing from ${CTX_CLUSTER2}"
+  _verify_contains snip_verifying_crosscluster_traffic_3 "$EXPECTED_RESPONSE_FROM_CLUSTER1"
+  _verify_contains snip_verifying_crosscluster_traffic_3 "$EXPECTED_RESPONSE_FROM_CLUSTER2"
+}
+
+# For Helm multi-cluster installation steps
+
+function create_istio_system_ns
+{
+  snip_create_istio_system_namespace_cluster_1
+  snip_create_istio_system_namespace_cluster_2
+}
+
+function setup_helm_repo
+{
+  snip_setup_helm_repo_cluster_1
+  snip_setup_helm_repo_cluster_2
+}
+
+snip_create_istio_system_namespace_cluster_1() {
+kubectl create namespace istio-system --context "${CTX_CLUSTER1}"
+}
+
+snip_create_istio_system_namespace_cluster_2() {
+kubectl create namespace istio-system --context "${CTX_CLUSTER2}"
+}
+
+snip_setup_helm_repo_cluster_1() {
+helm repo add istio https://istio-release.storage.googleapis.com/charts --kube-context "${CTX_CLUSTER1}"
+helm repo update --kube-context "${CTX_CLUSTER1}"
+}
+
+snip_setup_helm_repo_cluster_2() {
+helm repo add istio https://istio-release.storage.googleapis.com/charts --kube-context "${CTX_CLUSTER2}"
+helm repo update --kube-context "${CTX_CLUSTER2}"
+}
+
+snip_delete_sample_ns_cluster_1() {
+kubectl delete namespace sample --context "${CTX_CLUSTER1}"
+}
+
+snip_delete_sample_ns_cluster_2() {
+kubectl delete namespace sample --context "${CTX_CLUSTER2}"
+}
--- a/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/arch.svg
+++ b/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/arch.svg
--- a/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/helm_test.sh
+++ b/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/helm_test.sh
@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# @setup multicluster
+
+set -e
+set -u
+set -o pipefail
+
+source content/en/docs/ambient/install/multicluster/common.sh
+source "tests/util/gateway-api.sh"
+
+set_multi_network_vars
+setup_helm_repo
+
+function install_istio_on_cluster1_helm {
+    echo "Installing Gateway API CRDs on Primary cluster: ${CTX_CLUSTER1}"
+    install_gateway_api_crds "${CTX_CLUSTER1}"
+
+    echo "Installing Istio on Primary cluster: ${CTX_CLUSTER1}"
+
+    snip_set_the_default_network_for_cluster1_1
+
+    _rewrite_helm_repo snip_configure_cluster1_as_a_primary_3
+    _rewrite_helm_repo snip_configure_cluster1_as_a_primary_4
+    _rewrite_helm_repo snip_install_cni_cluster1
+    _rewrite_helm_repo snip_install_ztunnel_cluster1
+
+    echo "Creating the east-west gateway"
+    snip_install_an_ambient_eastwest_gateway_in_cluster1_2
+    snip_install_an_ambient_eastwest_gateway_in_cluster1_3
+
+    echo "Waiting for the east-west gateway to have an external IP"
+    _verify_like snip_install_an_ambient_eastwest_gateway_in_cluster1_4 "$snip_install_an_ambient_eastwest_gateway_in_cluster1_4_out"
+}
+
+function install_istio_on_cluster2_helm {
+    echo "Installing Gateway API CRDs on Primary cluster: ${CTX_CLUSTER2}"
+    install_gateway_api_crds "${CTX_CLUSTER2}"
+
+    echo "Installing Istio on Primary cluster: ${CTX_CLUSTER2}"
+
+    snip_set_the_default_network_for_cluster2_1
+
+    _rewrite_helm_repo snip_configure_cluster2_as_a_primary_3
+    _rewrite_helm_repo snip_configure_cluster2_as_a_primary_4
+    _rewrite_helm_repo snip_install_cni_cluster2
+    _rewrite_helm_repo snip_install_ztunnel_cluster2
+
+    echo "Creating the east-west gateway"
+    snip_install_an_ambient_eastwest_gateway_in_cluster2_2
+    snip_install_an_ambient_eastwest_gateway_in_cluster2_3
+
+    echo "Waiting for the east-west gateway to have an external IP"
+    _verify_like snip_install_an_ambient_eastwest_gateway_in_cluster2_4 "$snip_install_an_ambient_eastwest_gateway_in_cluster2_4_out"
+}
+
+function install_istio_helm {
+  # Install Istio on the 2 clusters. Executing in
+  # parallel to reduce test time.
+  install_istio_on_cluster1_helm &
+  install_istio_on_cluster2_helm &
+  wait
+}
+
+function enable_endpoint_discovery {
+  snip_enable_endpoint_discovery_1
+  snip_enable_endpoint_discovery_2
+}
+
+
+time configure_trust
+time install_istio_helm
+time enable_endpoint_discovery
+time verify_load_balancing
+
+# @cleanup
+source content/en/docs/setup/install/multicluster/common.sh
+set_multi_network_vars
+
+function cleanup_cluster1_helm {
+  snip_cleanup_3
+  snip_cleanup_4
+  snip_delete_sample_ns_cluster_1
+}
+
+function cleanup_cluster2_helm {
+  snip_cleanup_5
+  snip_cleanup_6
+  snip_delete_sample_ns_cluster_2
+}
+
+function cleanup_helm {
+  cleanup_cluster1_helm
+  cleanup_cluster2_helm
+  snip_delete_crds
+  snip_delete_gateway_crds
+}
+
+time cleanup_helm
+
+# Everything should be removed once cleanup completes. Use a small
+# timeout for comparing cluster snapshots before/after the test.
+export VERIFY_TIMEOUT=20
--- a/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/index.md
+++ b/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/index.md
@ -0,0 +1,440 @@
+---
+title: Install ambient multi-primary on different networks
+description: Install an Istio ambient mesh across multiple primary clusters on different networks.
+weight: 30
+keywords: [kubernetes,multicluster,ambient]
+test: yes
+owner: istio/wg-environments-maintainers
+next: /docs/ambient/install/multicluster/verify
+prev: /docs/ambient/install/multicluster/before-you-begin
+---
+
+{{< boilerplate alpha >}}
+
+{{< tip >}}
+This guide requires installation of the Gateway API CRDs.
+{{< boilerplate gateway-api-install-crds >}}
+{{< /tip >}}
+
+Follow this guide to install the Istio control plane on both `cluster1` and
+`cluster2`, making each a {{< gloss >}}primary cluster{{< /gloss >}} (this is currently the only supported configuration in ambient mode). Cluster
+`cluster1` is on the `network1` network, while `cluster2` is on the
+`network2` network. This means there is no direct connectivity between pods
+across cluster boundaries.
+
+Before proceeding, be sure to complete the steps under
+[before you begin](/docs/ambient/install/multicluster/before-you-begin).
+
+{{< boilerplate multi-cluster-with-metallb >}}
+
+In this configuration, both `cluster1` and `cluster2` observe the API Servers
+in each cluster for endpoints.
+
+Service workloads across cluster boundaries communicate indirectly, via
+dedicated gateways for [east-west](https://en.wikipedia.org/wiki/East-west_traffic)
+traffic. The gateway in each cluster must be reachable from the other cluster.
+
+{{< image width="75%"
+    link="arch.svg"
+    caption="Multiple primary clusters on separate networks"
+    >}}
+
+## Set the default network for `cluster1`
+
+If the istio-system namespace is already created, we need to set the cluster's network there:
+
+{{< text bash >}}
+$ kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1
+{{< /text >}}
+
+## Configure `cluster1` as a primary
+
+Create the `istioctl` configuration for `cluster1`:
+
+{{< tabset category-name="multicluster-install-type-cluster-1" >}}
+
+{{< tab name="IstioOperator" category-value="iop" >}}
+
+Install Istio as primary in `cluster1` using istioctl and the `IstioOperator` API.
+
+{{< text bash >}}
+$ cat <<EOF > cluster1.yaml
+apiVersion: insall.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: ambient
+  components:
+    pilot:
+      k8s:
+        env:
+          - name: AMBIENT_ENABLE_MULTI_NETWORK
+            value: "true"
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster1
+      network: network1
+EOF
+{{< /text >}}
+
+Apply the configuration to `cluster1`:
+
+{{< text bash >}}
+$ istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml
+{{< /text >}}
+
+{{< /tab >}}
+{{< tab name="Helm" category-value="helm" >}}
+
+Install Istio as primary in `cluster1` using the following Helm commands:
+
+Install the `base` chart in `cluster1`:
+
+{{< text bash >}}
+$ helm install istio-base istio/base -n istio-system --kube-context "${CTX_CLUSTER1}"
+{{< /text >}}
+
+Then, install the `istiod` chart in `cluster1` with the following multi-cluster settings:
+
+{{< text bash >}}
+$ helm install istiod istio/istiod -n istio-system --kube-context "${CTX_CLUSTER1}" --set global.meshID=mesh1 --set global.multiCluster.clusterName=cluster1 --set global.network=network1 --set profile=ambient --set env.AMBIENT_ENABLE_MULTI_NETWORK="true"
+{{< /text >}}
+
+Next, install the CNI node agent in ambient mode:
+
+{{< text syntax=bash snip_id=install_cni_cluster1 >}}
+$ helm install istio-cni istio/cni -n istio-system --kube-context "${CTX_CLUSTER1}" --set profile=ambient
+{{< /text >}}
+
+Finally, install the ztunnel data plane:
+
+{{< text syntax=bash snip_id=install_ztunnel_cluster1 >}}
+$ helm install ztunnel istio/ztunnel -n istio-system --kube-context "${CTX_CLUSTER1}" --set multiCluster.clusterName=cluster1 --set global.network=network1
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+## Install an ambient east-west gateway in `cluster1`
+
+Install a gateway in `cluster1` that is dedicated to ambient
+[east-west](https://en.wikipedia.org/wiki/East-west_traffic) traffic. Be
+aware that, depending on your Kubernetes environment, this gateway may be
+deployed on the public Internet by default. Production systems may
+require additional access restrictions (e.g. via firewall rules) to prevent
+external attacks. Check with your cloud vendor to see what options are
+available.
+
+{{< tabset category-name="east-west-gateway-install-type-cluster-1" >}}
+
+{{< tab name="IstioOperator" category-value="iop" >}}
+
+{{< text bash >}}
+$ @samples/multicluster/gen-eastwest-gateway.sh@ \
+    --network network1 \
+    --ambient | \
+    kubectl --context="${CTX_CLUSTER1}" apply -f -
+{{< /text >}}
+
+{{< warning >}}
+If the control-plane was installed with a revision, add the `--revision rev` flag to the `gen-eastwest-gateway.sh` command.
+{{< /warning >}}
+
+{{< /tab >}}
+{{< tab name="Kubectl apply" category-value="helm" >}}
+
+Install the east-west gateway in `cluster1` using the following Gateway definition:
+
+{{< text bash >}}
+$ cat <<EOF > cluster1-ewgateway.yaml
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: istio-eastwestgateway
+  namespace: istio-system
+  labels:
+    topology.istio.io/network: "network1"
+spec:
+  gatewayClassName: istio-east-west
+  listeners:
+  - name: mesh
+    port: 15008
+    protocol: HBONE
+    tls:
+      mode: Terminate # represents double-HBONE
+      options:
+        gateway.istio.io/tls-terminate-mode: ISTIO_MUTUAL
+EOF
+{{< /text >}}
+
+{{< warning >}}
+If you are running a revisioned instance of istiod and you don't have a default revision or tag set, you may need to add the `istio.io/rev` label to this `Gateway` manifest.
+{{< /warning >}}
+
+Apply the configuration to `cluster1`:
+
+{{< text bash >}}
+$ kubectl apply --context="${CTX_CLUSTER1}" -f cluster1-ewgateway.yaml
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+Wait for the east-west gateway to be assigned an external IP address:
+
+{{< text bash >}}
+$ kubectl --context="${CTX_CLUSTER1}" get svc istio-eastwestgateway -n istio-system
+NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
+istio-eastwestgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s
+{{< /text >}}
+
+## Set the default network for `cluster2`
+
+If the istio-system namespace is already created, we need to set the cluster's network there:
+
+{{< text bash >}}
+$ kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \
+  kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2
+{{< /text >}}
+
+## Configure cluster2 as a primary
+
+Create the `istioctl` configuration for `cluster2`:
+
+{{< tabset category-name="multicluster-install-type-cluster-2" >}}
+
+{{< tab name="IstioOperator" category-value="iop" >}}
+
+Install Istio as primary in `cluster2` using istioctl and the `IstioOperator` API.
+
+{{< text bash >}}
+$ cat <<EOF > cluster2.yaml
+apiVersion: insall.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: ambient
+  components:
+    pilot:
+      k8s:
+        env:
+          - name: AMBIENT_ENABLE_MULTI_NETWORK
+            value: "true"
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster2
+      network: network2
+EOF
+{{< /text >}}
+
+Apply the configuration to `cluster2`:
+
+{{< text bash >}}
+$ istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml
+{{< /text >}}
+
+{{< /tab >}}
+{{< tab name="Helm" category-value="helm" >}}
+
+Install Istio as primary in `cluster2` using the following Helm commands:
+
+Install the `base` chart in `cluster2`:
+
+{{< text bash >}}
+$ helm install istio-base istio/base -n istio-system --kube-context "${CTX_CLUSTER2}"
+{{< /text >}}
+
+Then, install the `istiod` chart in `cluster2` with the following multi-cluster settings:
+
+{{< text bash >}}
+$ helm install istiod istio/istiod -n istio-system --kube-context "${CTX_CLUSTER2}" --set global.meshID=mesh1 --set global.multiCluster.clusterName=cluster2 --set global.network=network2 --set profile=ambient --set env.AMBIENT_ENABLE_MULTI_NETWORK="true"
+{{< /text >}}
+
+Next, install the CNI node agent in ambient mode:
+
+{{< text syntax=bash snip_id=install_cni_cluster2 >}}
+$ helm install istio-cni istio/cni -n istio-system --kube-context "${CTX_CLUSTER2}" --set profile=ambient
+{{< /text >}}
+
+Finally, install the ztunnel data plane:
+
+{{< text syntax=bash snip_id=install_ztunnel_cluster2 >}}
+$ helm install ztunnel istio/ztunnel -n istio-system --kube-context "${CTX_CLUSTER2}"  --set multiCluster.clusterName=cluster2 --set global.network=network2
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+## Install an ambient east-west gateway in `cluster2`
+
+As we did with `cluster1` above, install a gateway in `cluster2` that is dedicated
+to east-west traffic.
+
+{{< tabset category-name="east-west-gateway-install-type-cluster-2" >}}
+
+{{< tab name="IstioOperator" category-value="iop" >}}
+
+{{< text bash >}}
+$ @samples/multicluster/gen-eastwest-gateway.sh@ \
+    --network network2 \
+    --ambient | \
+    kubectl apply --context="${CTX_CLUSTER2}" -f -
+{{< /text >}}
+
+{{< /tab >}}
+{{< tab name="Kubectl apply" category-value="helm" >}}
+
+Install the east-west gateway in `cluster2` using the following Gateway definition:
+
+{{< text bash >}}
+$ cat <<EOF > cluster2-ewgateway.yaml
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: istio-eastwestgateway
+  namespace: istio-system
+  labels:
+    topology.istio.io/network: "network2"
+spec:
+  gatewayClassName: istio-east-west
+  listeners:
+  - name: mesh
+    port: 15008
+    protocol: HBONE
+    tls:
+      mode: Terminate # represents double-HBONE
+      options:
+        gateway.istio.io/tls-terminate-mode: ISTIO_MUTUAL
+EOF
+{{< /text >}}
+
+{{< warning >}}
+If you are running a revisioned instance of istiod and you don't have a default revision or tag set, you may need to add the `istio.io/rev` label to this `Gateway` manifest.
+{{< /warning >}}
+
+Apply the configuration to `cluster2`:
+
+{{< text bash >}}
+$ kubectl apply --context="${CTX_CLUSTER2}" -f cluster2-ewgateway.yaml
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+Wait for the east-west gateway to be assigned an external IP address:
+
+{{< text bash >}}
+$ kubectl --context="${CTX_CLUSTER2}" get svc istio-eastwestgateway -n istio-system
+NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
+istio-eastwestgateway   LoadBalancer   10.0.12.121   34.122.91.98   ...       51s
+{{< /text >}}
+
+## Enable Endpoint Discovery
+
+Install a remote secret in `cluster2` that provides access to `cluster1`’s API server.
+
+{{< text bash >}}
+$ istioctl create-remote-secret \
+  --context="${CTX_CLUSTER1}" \
+  --name=cluster1 | \
+  kubectl apply -f - --context="${CTX_CLUSTER2}"
+{{< /text >}}
+
+Install a remote secret in `cluster1` that provides access to `cluster2`’s API server.
+
+{{< text bash >}}
+$ istioctl create-remote-secret \
+  --context="${CTX_CLUSTER2}" \
+  --name=cluster2 | \
+  kubectl apply -f - --context="${CTX_CLUSTER1}"
+{{< /text >}}
+
+**Congratulations!** You successfully installed an Istio mesh across multiple
+primary clusters on different networks!
+
+## Next Steps
+
+You can now [verify the installation](/docs/ambient/install/multicluster/verify).
+
+## Cleanup
+
+Uninstall Istio from both `cluster1` and `cluster2` using the same mechanism you installed Istio with (istioctl or Helm).
+
+{{< tabset category-name="multicluster-uninstall-type-cluster-1" >}}
+
+{{< tab name="IstioOperator" category-value="iop" >}}
+
+Uninstall Istio in `cluster1`:
+
+{{< text syntax=bash snip_id=none >}}
+$ istioctl uninstall --context="${CTX_CLUSTER1}" -y --purge
+$ kubectl delete ns istio-system --context="${CTX_CLUSTER1}"
+{{< /text >}}
+
+Uninstall Istio in `cluster2`:
+
+{{< text syntax=bash snip_id=none >}}
+$ istioctl uninstall --context="${CTX_CLUSTER2}" -y --purge
+$ kubectl delete ns istio-system --context="${CTX_CLUSTER2}"
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< tab name="Helm" category-value="helm" >}}
+
+Delete Istio Helm installation from `cluster1`:
+
+{{< text syntax=bash >}}
+$ helm delete ztunnel -n istio-system --kube-context "${CTX_CLUSTER1}"
+$ helm delete istio-cni -n istio-system --kube-context "${CTX_CLUSTER1}"
+$ helm delete istiod -n istio-system --kube-context "${CTX_CLUSTER1}"
+$ helm delete istio-base -n istio-system --kube-context "${CTX_CLUSTER1}"
+{{< /text >}}
+
+Delete the `istio-system` namespace from `cluster1`:
+
+{{< text syntax=bash >}}
+$ kubectl delete ns istio-system --context="${CTX_CLUSTER1}"
+{{< /text >}}
+
+Delete Istio Helm installation from `cluster2`:
+
+{{< text syntax=bash >}}
+$ helm delete ztunnel -n istio-system --kube-context "${CTX_CLUSTER2}"
+$ helm delete istio-cni -n istio-system --kube-context "${CTX_CLUSTER2}"
+$ helm delete istiod -n istio-system --kube-context "${CTX_CLUSTER2}"
+$ helm delete istio-base -n istio-system --kube-context "${CTX_CLUSTER2}"
+{{< /text >}}
+
+Delete the `istio-system` namespace from `cluster2`:
+
+{{< text syntax=bash >}}
+$ kubectl delete ns istio-system --context="${CTX_CLUSTER2}"
+{{< /text >}}
+
+(Optional) Delete CRDs installed by Istio:
+
+Deleting CRDs permanently removes any Istio resources you have created in your clusters.
+To delete Istio CRDs installed in your clusters:
+
+{{< text syntax=bash snip_id=delete_crds >}}
+$ kubectl get crd -oname --context "${CTX_CLUSTER1}" | grep --color=never 'istio.io' | xargs kubectl delete --context "${CTX_CLUSTER1}"
+$ kubectl get crd -oname --context "${CTX_CLUSTER2}" | grep --color=never 'istio.io' | xargs kubectl delete --context "${CTX_CLUSTER2}"
+{{< /text >}}
+
+And finally, clean up the Gateway API CRDs:
+
+{{< text syntax=bash snip_id=delete_gateway_crds >}}
+$ kubectl get crd -oname --context "${CTX_CLUSTER1}" | grep --color=never 'gateway.networking.k8s.io' | xargs kubectl delete --context "${CTX_CLUSTER1}"
+$ kubectl get crd -oname --context "${CTX_CLUSTER2}" | grep --color=never 'gateway.networking.k8s.io' | xargs kubectl delete --context "${CTX_CLUSTER2}"
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
--- a/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/snips.sh
+++ b/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/snips.sh
@ -0,0 +1,243 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/ambient/install/multicluster/multi-primary_multi-network/index.md
+####################################################################################################
+source "content/en/boilerplates/snips/gateway-api-install-crds.sh"
+
+snip_set_the_default_network_for_cluster1_1() {
+kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1
+}
+
+snip_configure_cluster1_as_a_primary_1() {
+cat <<EOF > cluster1.yaml
+apiVersion: insall.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: ambient
+  components:
+    pilot:
+      k8s:
+        env:
+          - name: AMBIENT_ENABLE_MULTI_NETWORK
+            value: "true"
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster1
+      network: network1
+EOF
+}
+
+snip_configure_cluster1_as_a_primary_2() {
+istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml
+}
+
+snip_configure_cluster1_as_a_primary_3() {
+helm install istio-base istio/base -n istio-system --kube-context "${CTX_CLUSTER1}"
+}
+
+snip_configure_cluster1_as_a_primary_4() {
+helm install istiod istio/istiod -n istio-system --kube-context "${CTX_CLUSTER1}" --set global.meshID=mesh1 --set global.multiCluster.clusterName=cluster1 --set global.network=network1 --set profile=ambient --set env.AMBIENT_ENABLE_MULTI_NETWORK="true"
+}
+
+snip_install_cni_cluster1() {
+helm install istio-cni istio/cni -n istio-system --kube-context "${CTX_CLUSTER1}" --set profile=ambient
+}
+
+snip_install_ztunnel_cluster1() {
+helm install ztunnel istio/ztunnel -n istio-system --kube-context "${CTX_CLUSTER1}" --set multiCluster.clusterName=cluster1 --set global.network=network1
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster1_1() {
+samples/multicluster/gen-eastwest-gateway.sh \
+    --network network1 \
+    --ambient | \
+    kubectl --context="${CTX_CLUSTER1}" apply -f -
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster1_2() {
+cat <<EOF > cluster1-ewgateway.yaml
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: istio-eastwestgateway
+  namespace: istio-system
+  labels:
+    topology.istio.io/network: "network1"
+spec:
+  gatewayClassName: istio-east-west
+  listeners:
+  - name: mesh
+    port: 15008
+    protocol: HBONE
+    tls:
+      mode: Terminate # represents double-HBONE
+      options:
+        gateway.istio.io/tls-terminate-mode: ISTIO_MUTUAL
+EOF
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster1_3() {
+kubectl apply --context="${CTX_CLUSTER1}" -f cluster1-ewgateway.yaml
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster1_4() {
+kubectl --context="${CTX_CLUSTER1}" get svc istio-eastwestgateway -n istio-system
+}
+
+! IFS=$'\n' read -r -d '' snip_install_an_ambient_eastwest_gateway_in_cluster1_4_out <<\ENDSNIP
+NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
+istio-eastwestgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s
+ENDSNIP
+
+snip_set_the_default_network_for_cluster2_1() {
+kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \
+  kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2
+}
+
+snip_configure_cluster2_as_a_primary_1() {
+cat <<EOF > cluster2.yaml
+apiVersion: insall.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: ambient
+  components:
+    pilot:
+      k8s:
+        env:
+          - name: AMBIENT_ENABLE_MULTI_NETWORK
+            value: "true"
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster2
+      network: network2
+EOF
+}
+
+snip_configure_cluster2_as_a_primary_2() {
+istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml
+}
+
+snip_configure_cluster2_as_a_primary_3() {
+helm install istio-base istio/base -n istio-system --kube-context "${CTX_CLUSTER2}"
+}
+
+snip_configure_cluster2_as_a_primary_4() {
+helm install istiod istio/istiod -n istio-system --kube-context "${CTX_CLUSTER2}" --set global.meshID=mesh1 --set global.multiCluster.clusterName=cluster2 --set global.network=network2 --set profile=ambient --set env.AMBIENT_ENABLE_MULTI_NETWORK="true"
+}
+
+snip_install_cni_cluster2() {
+helm install istio-cni istio/cni -n istio-system --kube-context "${CTX_CLUSTER2}" --set profile=ambient
+}
+
+snip_install_ztunnel_cluster2() {
+helm install ztunnel istio/ztunnel -n istio-system --kube-context "${CTX_CLUSTER2}"  --set multiCluster.clusterName=cluster2 --set global.network=network2
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster2_1() {
+samples/multicluster/gen-eastwest-gateway.sh \
+    --network network2 \
+    --ambient | \
+    kubectl apply --context="${CTX_CLUSTER2}" -f -
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster2_2() {
+cat <<EOF > cluster2-ewgateway.yaml
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: istio-eastwestgateway
+  namespace: istio-system
+  labels:
+    topology.istio.io/network: "network2"
+spec:
+  gatewayClassName: istio-east-west
+  listeners:
+  - name: mesh
+    port: 15008
+    protocol: HBONE
+    tls:
+      mode: Terminate # represents double-HBONE
+      options:
+        gateway.istio.io/tls-terminate-mode: ISTIO_MUTUAL
+EOF
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster2_3() {
+kubectl apply --context="${CTX_CLUSTER2}" -f cluster2-ewgateway.yaml
+}
+
+snip_install_an_ambient_eastwest_gateway_in_cluster2_4() {
+kubectl --context="${CTX_CLUSTER2}" get svc istio-eastwestgateway -n istio-system
+}
+
+! IFS=$'\n' read -r -d '' snip_install_an_ambient_eastwest_gateway_in_cluster2_4_out <<\ENDSNIP
+NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
+istio-eastwestgateway   LoadBalancer   10.0.12.121   34.122.91.98   ...       51s
+ENDSNIP
+
+snip_enable_endpoint_discovery_1() {
+istioctl create-remote-secret \
+  --context="${CTX_CLUSTER1}" \
+  --name=cluster1 | \
+  kubectl apply -f - --context="${CTX_CLUSTER2}"
+}
+
+snip_enable_endpoint_discovery_2() {
+istioctl create-remote-secret \
+  --context="${CTX_CLUSTER2}" \
+  --name=cluster2 | \
+  kubectl apply -f - --context="${CTX_CLUSTER1}"
+}
+
+snip_cleanup_3() {
+helm delete ztunnel -n istio-system --kube-context "${CTX_CLUSTER1}"
+helm delete istio-cni -n istio-system --kube-context "${CTX_CLUSTER1}"
+helm delete istiod -n istio-system --kube-context "${CTX_CLUSTER1}"
+helm delete istio-base -n istio-system --kube-context "${CTX_CLUSTER1}"
+}
+
+snip_cleanup_4() {
+kubectl delete ns istio-system --context="${CTX_CLUSTER1}"
+}
+
+snip_cleanup_5() {
+helm delete ztunnel -n istio-system --kube-context "${CTX_CLUSTER2}"
+helm delete istio-cni -n istio-system --kube-context "${CTX_CLUSTER2}"
+helm delete istiod -n istio-system --kube-context "${CTX_CLUSTER2}"
+helm delete istio-base -n istio-system --kube-context "${CTX_CLUSTER2}"
+}
+
+snip_cleanup_6() {
+kubectl delete ns istio-system --context="${CTX_CLUSTER2}"
+}
+
+snip_delete_crds() {
+kubectl get crd -oname --context "${CTX_CLUSTER1}" | grep --color=never 'istio.io' | xargs kubectl delete --context "${CTX_CLUSTER1}"
+kubectl get crd -oname --context "${CTX_CLUSTER2}" | grep --color=never 'istio.io' | xargs kubectl delete --context "${CTX_CLUSTER2}"
+}
+
+snip_delete_gateway_crds() {
+kubectl get crd -oname --context "${CTX_CLUSTER1}" | grep --color=never 'gateway.networking.k8s.io' | xargs kubectl delete --context "${CTX_CLUSTER1}"
+kubectl get crd -oname --context "${CTX_CLUSTER2}" | grep --color=never 'gateway.networking.k8s.io' | xargs kubectl delete --context "${CTX_CLUSTER2}"
+}
--- a/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/test.sh
+++ b/content/en/docs/ambient/install/multicluster/multi-primary_multi-network/test.sh
@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# @setup multicluster
+
+set -e
+set -u
+set -o pipefail
+
+source content/en/docs/ambient/install/multicluster/common.sh
+source "tests/util/gateway-api.sh"
+set_multi_network_vars
+
+function install_istio_on_cluster1_istioctl {
+    echo "Installing Gateway API CRDs on Primary cluster: ${CTX_CLUSTER1}"
+    install_gateway_api_crds "${CTX_CLUSTER1}"
+
+    echo "Installing Istio on Primary cluster: ${CTX_CLUSTER1}"
+
+    snip_set_the_default_network_for_cluster1_1
+
+    snip_configure_cluster1_as_a_primary_1
+    echo y | snip_configure_cluster1_as_a_primary_2
+
+    echo "Creating the east-west gateway"
+    snip_install_an_ambient_eastwest_gateway_in_cluster1_1
+
+    echo "Waiting for the east-west gateway to have an external IP"
+    _verify_like snip_install_an_ambient_eastwest_gateway_in_cluster1_4 "$snip_install_an_ambient_eastwest_gateway_in_cluster1_4_out"
+}
+
+function install_istio_on_cluster2_istioctl {
+    echo "Installing Gateway API CRDs on Primary cluster: ${CTX_CLUSTER2}"
+    install_gateway_api_crds "${CTX_CLUSTER2}"
+
+    echo "Installing Istio on Primary cluster: ${CTX_CLUSTER2}"
+
+    snip_set_the_default_network_for_cluster2_1
+
+    snip_configure_cluster2_as_a_primary_1
+    echo y | snip_configure_cluster2_as_a_primary_2
+
+    echo "Creating the east-west gateway"
+    snip_install_an_ambient_eastwest_gateway_in_cluster2_1
+
+    echo "Waiting for the east-west gateway to have an external IP"
+    _verify_like snip_install_an_ambient_eastwest_gateway_in_cluster2_4 "$snip_install_an_ambient_eastwest_gateway_in_cluster2_4_out"
+}
+
+function install_istio_istioctl {
+  # Install Istio on the 2 clusters. Executing in
+  # parallel to reduce test time.
+  install_istio_on_cluster1_istioctl &
+  install_istio_on_cluster2_istioctl &
+  wait
+}
+
+function enable_endpoint_discovery {
+  snip_enable_endpoint_discovery_1
+  snip_enable_endpoint_discovery_2
+}
+
+time configure_trust
+time install_istio_istioctl
+time enable_endpoint_discovery
+time verify_load_balancing
+
+# @cleanup
+source content/en/docs/ambient/install/multicluster/common.sh
+set_multi_network_vars
+time cleanup_istioctl
+time snip_delete_gateway_crds
+
+# Everything should be removed once cleanup completes. Use a small
+# timeout for comparing cluster snapshots before/after the test.
+export VERIFY_TIMEOUT=20
--- a/content/en/docs/ambient/install/multicluster/verify/index.md
+++ b/content/en/docs/ambient/install/multicluster/verify/index.md
@ -0,0 +1,220 @@
+---
+title: Verify the ambient installation
+description: Verify that Istio ambient mesh has been installed properly on multiple clusters.
+weight: 50
+keywords: [kubernetes,multicluster,ambient]
+test: yes
+owner: istio/wg-environments-maintainers
+prev: /docs/ambient/install/multicluster/multi-primary_multi-network
+---
+Follow this guide to verify that your ambient multicluster Istio installation is working
+properly.
+
+Before proceeding, be sure to complete the steps under
+[before you begin](/docs/ambient/install/multicluster/before-you-begin) as well as
+choosing and following one of the [multicluster installation guides](/docs/ambient/install/multicluster).
+
+In this guide, we will verify multicluster is functional, deploy the `HelloWorld`
+application `v1` to `cluster1` and `v2` to `cluster2`. Upon receiving a request,
+`HelloWorld` will include its version in its response when we call the `/hello` path.
+
+We will also deploy the `curl` container to both clusters. We will use these
+pods as the source of requests to the `HelloWorld` service,
+simulating in-mesh traffic. Finally, after generating traffic, we will observe
+which cluster received the requests.
+
+## Verify Multicluster
+
+To confirm that Istiod is now able to communicate with the Kubernetes control plane
+of the remote cluster.
+
+{{< text bash >}}
+$ istioctl remote-clusters --context="${CTX_CLUSTER1}"
+NAME         SECRET                                        STATUS      ISTIOD
+cluster1                                                   synced      istiod-7b74b769db-kb4kj
+cluster2     istio-system/istio-remote-secret-cluster2     synced      istiod-7b74b769db-kb4kj
+{{< /text >}}
+
+All clusters should indicate their status as `synced`. If a cluster is listed with
+a `STATUS` of `timeout` that means that Istiod in the primary cluster is unable to
+communicate with the remote cluster. See the Istiod logs for detailed error
+messages.
+
+Note: if you do see `timeout` issues and there is an intermediary host (such as the [Rancher auth proxy](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters/access-clusters/authorized-cluster-endpoint#two-authentication-methods-for-rke-clusters))
+sitting between Istiod in the primary cluster and the Kubernetes control plane in
+the remote cluster, you may need to update the `certificate-authority-data` field
+of the kubeconfig that `istioctl create-remote-secret` generates in order to
+match the certificate being used by the intermediate host.
+
+## Deploy the `HelloWorld` Service
+
+In order to make the `HelloWorld` service callable from any cluster, the DNS
+lookup must succeed in each cluster (see
+[deployment models](/docs/ops/deployment/deployment-models#dns-with-multiple-clusters)
+for details). We will address this by deploying the `HelloWorld` Service to
+each cluster in the mesh.
+
+{{< tip >}}
+Before proceeding, ensure that the istio-system namespaces in both clusters have the `istio.io/topology-network` set to the appropriate value (e.g., `network1` for `cluster1` and `network2` for `cluster2`).
+{{< /tip >}}
+
+To begin, create the `sample` namespace in each cluster:
+
+{{< text bash >}}
+$ kubectl create --context="${CTX_CLUSTER1}" namespace sample
+$ kubectl create --context="${CTX_CLUSTER2}" namespace sample
+{{< /text >}}
+
+Enroll the `sample` namespace in the mesh:
+
+{{< text bash >}}
+$ kubectl label --context="${CTX_CLUSTER1}" namespace sample \
+    istio.io/dataplane-mode=ambient
+$ kubectl label --context="${CTX_CLUSTER2}" namespace sample \
+    istio.io/dataplane-mode=ambient
+{{< /text >}}
+
+Create the `HelloWorld` service in both clusters:
+
+{{< text bash >}}
+$ kubectl apply --context="${CTX_CLUSTER1}" \
+    -f @samples/helloworld/helloworld.yaml@ \
+    -l service=helloworld -n sample
+$ kubectl apply --context="${CTX_CLUSTER2}" \
+    -f @samples/helloworld/helloworld.yaml@ \
+    -l service=helloworld -n sample
+{{< /text >}}
+
+## Deploy `HelloWorld` `V1`
+
+Deploy the `helloworld-v1` application to `cluster1`:
+
+{{< text bash >}}
+$ kubectl apply --context="${CTX_CLUSTER1}" \
+    -f @samples/helloworld/helloworld.yaml@ \
+    -l version=v1 -n sample
+{{< /text >}}
+
+Confirm the `helloworld-v1` pod status:
+
+{{< text bash >}}
+$ kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l app=helloworld
+NAME                            READY     STATUS    RESTARTS   AGE
+helloworld-v1-86f77cd7bd-cpxhv  1/1       Running   0          40s
+{{< /text >}}
+
+Wait until the status of `helloworld-v1` is `Running`.
+
+Now, mark the helloworld service in `cluster1` as global so that it can be accessed from other clusters in the mesh:
+
+{{< text bash >}}
+$ kubectl label --context="${CTX_CLUSTER1}" svc helloworld -n sample \
+    istio.io/global="true"
+{{< /text >}}
+
+## Deploy `HelloWorld` `V2`
+
+Deploy the `helloworld-v2` application to `cluster2`:
+
+{{< text bash >}}
+$ kubectl apply --context="${CTX_CLUSTER2}" \
+    -f @samples/helloworld/helloworld.yaml@ \
+    -l version=v2 -n sample
+{{< /text >}}
+
+Confirm the status the `helloworld-v2` pod status:
+
+{{< text bash >}}
+$ kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l app=helloworld
+NAME                            READY     STATUS    RESTARTS   AGE
+helloworld-v2-758dd55874-6x4t8  1/1       Running   0          40s
+{{< /text >}}
+
+Wait until the status of `helloworld-v2` is `Running`.
+
+Now, mark the helloworld service in `cluster2` as global so that it can be accessed from other clusters in the mesh:
+
+{{< text bash >}}
+$ kubectl label --context="${CTX_CLUSTER2}" svc helloworld -n sample \
+    istio.io/global="true"
+{{< /text >}}
+
+## Deploy `curl`
+
+Deploy the `curl` application to both clusters:
+
+{{< text bash >}}
+$ kubectl apply --context="${CTX_CLUSTER1}" \
+    -f @samples/curl/curl.yaml@ -n sample
+$ kubectl apply --context="${CTX_CLUSTER2}" \
+    -f @samples/curl/curl.yaml@ -n sample
+{{< /text >}}
+
+Confirm the status `curl` pod on `cluster1`:
+
+{{< text bash >}}
+$ kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l app=curl
+NAME                             READY   STATUS    RESTARTS   AGE
+curl-754684654f-n6bzf            1/1     Running   0          5s
+{{< /text >}}
+
+Wait until the status of the `curl` pod is `Running`.
+
+Confirm the status of the `curl` pod on `cluster2`:
+
+{{< text bash >}}
+$ kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l app=curl
+NAME                             READY   STATUS    RESTARTS   AGE
+curl-754684654f-dzl9j            1/1     Running   0          5s
+{{< /text >}}
+
+Wait until the status of the `curl` pod is `Running`.
+
+## Verifying Cross-Cluster Traffic
+
+To verify that cross-cluster load balancing works as expected, call the
+`HelloWorld` service several times using the `curl` pod. To ensure load
+balancing is working properly, call the `HelloWorld` service from all
+clusters in your deployment.
+
+Send one request from the `curl` pod on `cluster1` to the `HelloWorld` service:
+
+{{< text bash >}}
+$ kubectl exec --context="${CTX_CLUSTER1}" -n sample -c curl \
+    "$(kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l \
+    app=curl -o jsonpath='{.items[0].metadata.name}')" \
+    -- curl -sS helloworld.sample:5000/hello
+{{< /text >}}
+
+Repeat this request several times and verify that the `HelloWorld` version
+should change between `v1` and `v2`, signifying that endpoints in both
+clusters are being used:
+
+{{< text plain >}}
+Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8
+Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv
+...
+{{< /text >}}
+
+Now repeat this process from the `curl` pod on `cluster2`:
+
+{{< text bash >}}
+$ kubectl exec --context="${CTX_CLUSTER2}" -n sample -c curl \
+    "$(kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l \
+    app=curl -o jsonpath='{.items[0].metadata.name}')" \
+    -- curl -sS helloworld.sample:5000/hello
+{{< /text >}}
+
+Repeat this request several times and verify that the `HelloWorld` version
+should toggle between `v1` and `v2`:
+
+{{< text plain >}}
+Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8
+Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv
+...
+{{< /text >}}
+
+**Congratulations!** You successfully installed and verified Istio on multiple
+clusters!
+
+<!-- TODO: Link to guide for locality load balancing once we add waypoint instructions -->
--- a/content/en/docs/ambient/install/multicluster/verify/snips.sh
+++ b/content/en/docs/ambient/install/multicluster/verify/snips.sh
@ -0,0 +1,143 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/ambient/install/multicluster/verify/index.md
+####################################################################################################
+
+snip_verify_multicluster_1() {
+istioctl remote-clusters --context="${CTX_CLUSTER1}"
+}
+
+! IFS=$'\n' read -r -d '' snip_verify_multicluster_1_out <<\ENDSNIP
+NAME         SECRET                                        STATUS      ISTIOD
+cluster1                                                   synced      istiod-7b74b769db-kb4kj
+cluster2     istio-system/istio-remote-secret-cluster2     synced      istiod-7b74b769db-kb4kj
+ENDSNIP
+
+snip_deploy_the_helloworld_service_1() {
+kubectl create --context="${CTX_CLUSTER1}" namespace sample
+kubectl create --context="${CTX_CLUSTER2}" namespace sample
+}
+
+snip_deploy_the_helloworld_service_2() {
+kubectl label --context="${CTX_CLUSTER1}" namespace sample \
+    istio.io/dataplane-mode=ambient
+kubectl label --context="${CTX_CLUSTER2}" namespace sample \
+    istio.io/dataplane-mode=ambient
+}
+
+snip_deploy_the_helloworld_service_3() {
+kubectl apply --context="${CTX_CLUSTER1}" \
+    -f samples/helloworld/helloworld.yaml \
+    -l service=helloworld -n sample
+kubectl apply --context="${CTX_CLUSTER2}" \
+    -f samples/helloworld/helloworld.yaml \
+    -l service=helloworld -n sample
+}
+
+snip_deploy_helloworld_v1_1() {
+kubectl apply --context="${CTX_CLUSTER1}" \
+    -f samples/helloworld/helloworld.yaml \
+    -l version=v1 -n sample
+}
+
+snip_deploy_helloworld_v1_2() {
+kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l app=helloworld
+}
+
+! IFS=$'\n' read -r -d '' snip_deploy_helloworld_v1_2_out <<\ENDSNIP
+NAME                            READY     STATUS    RESTARTS   AGE
+helloworld-v1-86f77cd7bd-cpxhv  1/1       Running   0          40s
+ENDSNIP
+
+snip_deploy_helloworld_v1_3() {
+kubectl label --context="${CTX_CLUSTER1}" svc helloworld -n sample \
+    istio.io/global="true"
+}
+
+snip_deploy_helloworld_v2_1() {
+kubectl apply --context="${CTX_CLUSTER2}" \
+    -f samples/helloworld/helloworld.yaml \
+    -l version=v2 -n sample
+}
+
+snip_deploy_helloworld_v2_2() {
+kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l app=helloworld
+}
+
+! IFS=$'\n' read -r -d '' snip_deploy_helloworld_v2_2_out <<\ENDSNIP
+NAME                            READY     STATUS    RESTARTS   AGE
+helloworld-v2-758dd55874-6x4t8  1/1       Running   0          40s
+ENDSNIP
+
+snip_deploy_helloworld_v2_3() {
+kubectl label --context="${CTX_CLUSTER2}" svc helloworld -n sample \
+    istio.io/global="true"
+}
+
+snip_deploy_curl_1() {
+kubectl apply --context="${CTX_CLUSTER1}" \
+    -f samples/curl/curl.yaml -n sample
+kubectl apply --context="${CTX_CLUSTER2}" \
+    -f samples/curl/curl.yaml -n sample
+}
+
+snip_deploy_curl_2() {
+kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l app=curl
+}
+
+! IFS=$'\n' read -r -d '' snip_deploy_curl_2_out <<\ENDSNIP
+NAME                             READY   STATUS    RESTARTS   AGE
+curl-754684654f-n6bzf            1/1     Running   0          5s
+ENDSNIP
+
+snip_deploy_curl_3() {
+kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l app=curl
+}
+
+! IFS=$'\n' read -r -d '' snip_deploy_curl_3_out <<\ENDSNIP
+NAME                             READY   STATUS    RESTARTS   AGE
+curl-754684654f-dzl9j            1/1     Running   0          5s
+ENDSNIP
+
+snip_verifying_crosscluster_traffic_1() {
+kubectl exec --context="${CTX_CLUSTER1}" -n sample -c curl \
+    "$(kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l \
+    app=curl -o jsonpath='{.items[0].metadata.name}')" \
+    -- curl -sS helloworld.sample:5000/hello
+}
+
+! IFS=$'\n' read -r -d '' snip_verifying_crosscluster_traffic_2 <<\ENDSNIP
+Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8
+Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv
+...
+ENDSNIP
+
+snip_verifying_crosscluster_traffic_3() {
+kubectl exec --context="${CTX_CLUSTER2}" -n sample -c curl \
+    "$(kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l \
+    app=curl -o jsonpath='{.items[0].metadata.name}')" \
+    -- curl -sS helloworld.sample:5000/hello
+}
+
+! IFS=$'\n' read -r -d '' snip_verifying_crosscluster_traffic_4 <<\ENDSNIP
+Hello version: v2, instance: helloworld-v2-758dd55874-6x4t8
+Hello version: v1, instance: helloworld-v1-86f77cd7bd-cpxhv
+...
+ENDSNIP
--- a/go.mod
+++ b/go.mod
@ -17,7 +17,7 @@ require (

 require (
 	cel.dev/expr v0.24.0 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
@ -61,7 +61,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@ -153,15 +153,15 @@ require (
 	github.com/yl2chen/cidranger v1.0.2 // indirect
 	github.com/zeebo/errs v1.4.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/prometheus v0.57.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
@ -173,7 +173,7 @@ require (
 	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
 	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/term v0.33.0 // indirect
@ -181,9 +181,9 @@ require (
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.34.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 // indirect
+	google.golang.org/grpc v1.74.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@ -191,7 +191,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	helm.sh/helm/v3 v3.18.4 // indirect
-	istio.io/api v1.27.0-beta.0.0.20250731082105-36763529c462 // indirect
+	istio.io/api v1.27.0-rc.0 // indirect
 	istio.io/client-go v1.27.0-beta.0.0.20250731082605-b098a6e566f4 // indirect
 	k8s.io/api v0.33.2 // indirect
 	k8s.io/apiextensions-apiserver v0.33.2 // indirect
--- a/go.sum
+++ b/go.sum
@ -1,8 +1,8 @@
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
-cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
+cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
@ -128,8 +128,8 @@ github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDq
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
-github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
@ -382,8 +382,8 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
@ -392,14 +392,14 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qH
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
 go.opentelemetry.io/otel/exporters/prometheus v0.57.0 h1:AHh/lAP1BHrY5gBwk8ncc25FXWm/gmmY3BX258z5nuk=
 go.opentelemetry.io/otel/exporters/prometheus v0.57.0/go.mod h1:QpFWz1QxqevfjwzYdbMb4Y1NnlJvqSGwyuU0B4iuc9c=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
 go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@ -446,8 +446,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
@ -499,17 +499,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 h1:iOye66xuaAK0WnkPuhQPUFy8eJcmwUXqGGP3om6IxX8=
+google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79/go.mod h1:HKJDgKsFUnv5VAGeQjz8kxcgDP0HoE0iZNp0OdZNlhE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 h1:1ZwqphdOdWYXsUHgMpU/101nCtf/kSp9hOrcvFsnl10=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/grpc v1.74.0 h1:sxRSkyLxlceWQiqDofxDot3d4u7DyoHPc7SBXMj8gGY=
+google.golang.org/grpc v1.74.0/go.mod h1:NZUaK8dAMUfzhK6uxZ+9511LtOrk73UGWOFoNvz7z+s=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -536,8 +536,8 @@ helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ=
 helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.27.0-beta.0.0.20250731082105-36763529c462 h1:rmeRAAxlNrCj96Zlaf8r6YqU5kcU8Y7/96i29KPDHaY=
-istio.io/api v1.27.0-beta.0.0.20250731082105-36763529c462/go.mod h1:DTVGH6CLXj5W8FF9JUD3Tis78iRgT1WeuAnxfTz21Wg=
+istio.io/api v1.27.0-rc.0 h1:XGgmuCj2eW3jPjvi6Q5sE+Gu/cp8IOLFYKuhVBDQZb8=
+istio.io/api v1.27.0-rc.0/go.mod h1:DTVGH6CLXj5W8FF9JUD3Tis78iRgT1WeuAnxfTz21Wg=
 istio.io/client-go v1.27.0-beta.0.0.20250731082605-b098a6e566f4 h1:mwO5Wx0H+xbEsyGHYRdWG8fjRw9Cr0EExleNW7SXQhM=
 istio.io/client-go v1.27.0-beta.0.0.20250731082605-b098a6e566f4/go.mod h1:oUPY27HFv9fW32NtjxlgrRaa0dPIN6jYj/xGcjorLA0=
 istio.io/istio v0.0.0-20250809000025-fd9608b4a51f h1:MvH1qexWTQPL5nynYrxFPiXygksGj8Y+zcqg7Tt1jhg=
--- a/pkg/test/istioio/builder.go
+++ b/pkg/test/istioio/builder.go
@ -46,6 +46,13 @@ func (b *Builder) Defer(steps ...Step) *Builder {
 	return b
 }

+func (b *Builder) DeferIf(condition bool, steps ...Step) *Builder {
+	if condition {
+		b.Defer(steps...)
+	}
+	return b
+}
+
 // Build a run function for the test
 func (b *Builder) Build() func(ctx framework.TestContext) {
 	return func(ctx framework.TestContext) {
--- a/pkg/test/istioio/framework.go
+++ b/pkg/test/istioio/framework.go
@ -215,6 +215,7 @@ func NewTestDocsFunc(config string) func(framework.TestContext) {
 				KubeConfig: kubeConfig,
 			}

+			noCleanup := ctx.Settings().NoCleanup
 			ctx.NewSubTest(path).
 				Run(NewBuilder().
 					Add(beforeSnapshotter).
@ -224,13 +225,13 @@ func NewTestDocsFunc(config string) func(framework.TestContext) {
 							Value:    testCase.testScript,
 						},
 					}).
-					Defer(Script{
+					DeferIf(!noCleanup, Script{
 						Input: Inline{
 							FileName: cleanupScriptName,
 							Value:    testCase.cleanupScript,
 						},
 					}).
-					Defer(SnapshotValidator{
+					DeferIf(!noCleanup, SnapshotValidator{
 						Before: beforeSnapshotter,
 						After:  afterSnapshotter,
 					}).
--- a/scripts/lint_site.sh
+++ b/scripts/lint_site.sh
@ -95,7 +95,7 @@ check_content() {
        FAILED=1
    fi

-    if grep -nrP --include "*.md" -e "\(https://istio.io/(?!v[0-9]\.[0-9]/|archive/)" .; then
+    if grep -nrP --include "*.md" -e "\(https://istio.io/(?!v[0-9]\.[0-9]/|archive|latest\/news)" .; then
        error "Ensure markdown content uses relative references to istio.io"
        FAILED=1
    fi