website: changes for 1.6.0 beta (#6083)

* website: link to 1.6.0 beta in downloads page * website: reorganize intention replication/ca federation * website: remove announcement bar * Update website/source/docs/connect/connect-internals.html.md Co-Authored-By: Paul Banks <banks@banksco.de> * website: update homepage and service mesh page Aligning messaging to current product. * website: fix link TODOs * Add Mesh Gateway to mesh page, update use case wording
2019-07-08 07:12:42 -07:00 · 2019-07-08 07:12:42 -07:00 · 40e58dfb2d
parent d770500730
commit 40e58dfb2d
14 changed files with 163 additions and 126 deletions
--- a/website/source/assets/images/consul-connect/mesh-gateway/gateway_1200.png
+++ b/website/source/assets/images/consul-connect/mesh-gateway/gateway_1200.png
--- a/website/source/assets/images/consul-connect/mesh-observability/metrics_1200.png
+++ b/website/source/assets/images/consul-connect/mesh-observability/metrics_1200.png
--- a/website/source/assets/images/consul-connect/mesh-observability/metrics_300.png
+++ b/website/source/assets/images/consul-connect/mesh-observability/metrics_300.png
--- a/website/source/assets/images/consul-connect/mesh-observability/metrics_976.png
+++ b/website/source/assets/images/consul-connect/mesh-observability/metrics_976.png
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@ -468,7 +468,7 @@ will exit with an error at startup.
  the Web UI resources for Consul. This will automatically enable the Web UI. The directory must be
  readable to the agent. Starting with Consul version 0.7.0 and later, the Web UI assets are included in the binary so this flag is no longer necessary; specifying only the `-ui` flag is enough to enable the Web UI. Specifying both the '-ui' and '-ui-dir' flags will result in an error.
-* <a name="_ui_content_path"></a><a href="#_ui_content_path">`-ui-content-path`</a> - This flag provides the option to change the path the Consul UI loads from and will be displayed in the browser. By default, the path is `/ui/`, for example `http://localhost:8500/ui/`. Only alphanumerics, `-`, and `_` are allowed in a custom path. `/v1/` is not allowed as it would overwrite the API endpoint. 
+* <a name="_ui_content_path"></a><a href="#_ui_content_path">`-ui-content-path`</a> - This flag provides the option to change the path the Consul UI loads from and will be displayed in the browser. By default, the path is `/ui/`, for example `http://localhost:8500/ui/`. Only alphanumerics, `-`, and `_` are allowed in a custom path. `/v1/` is not allowed as it would overwrite the API endpoint.
 ## <a name="configuration_files"></a>Configuration Files
@ -638,7 +638,7 @@ default will automatically work with some tooling.
        ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens)
        on each server. This token must have at least "read" permissions on ACL data but if ACL
        token replication is enabled then it must have "write" permissions. This also enables
-        Connect replication in Consul Enterprise, for which the token will require both operator
+        Connect replication, for which the token will require both operator
        "write" and intention "read" permissions for replicating CA and Intention data.
 * <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is
@ -811,7 +811,7 @@ default will automatically work with some tooling.
    * <a name="allow_tls"></a><a href="#allow_tls">`allow_tls`</a> (Defaults to `false`) This option enables `auto_encrypt` on the servers and allows them to automatically distribute certificates from the Connect CA to the clients. If enabled, the server can accept incoming connections from both the built-in CA and the Connect CA, as well as their certificates. Note, the server will only present the built-in CA and certificate, which the client can verify using the CA it received from `auto_encrypt` endpoint. If disabled, a client configured with `auto_encrypt.tls` will be unable to start.
-    * <a name="tls"></a><a href="#tls">`tls`</a> (Defaults to `false`) Allows the client to request the Connect CA and certificates from the servers, for encrypting RPC communication. The client will make the request to any servers listed in the `-join` or `-retry-join` option. This requires that every server to have `auto_encrypt.allow_tls` enabled. When both `auto_encrypt` options are used, it allows clients to receive certificates that are generated on the servers. If the `-server-port` is not the default one, it has to be provided to the client as well. Usually this is discovered through LAN gossip, but `auto_encrypt` provision happens before the information can be distributed through gossip. The most secure `auto_encrypt` setup is when the client is provided with the built-in CA, `verify_server_hostname` is turned on, and when an ACL token with `node.write` permissions is setup. It is also possible to use `auto_encrypt` with a CA and ACL, but without `verify_server_hostname`, or only with a ACL enabled, or only with CA and `verify_server_hostname`, or only with a CA, or finally without a CA and without ACL enabled. In any case, the communication to the `auto_encrypt` endpoint is always TLS encrypted. 
+    * <a name="tls"></a><a href="#tls">`tls`</a> (Defaults to `false`) Allows the client to request the Connect CA and certificates from the servers, for encrypting RPC communication. The client will make the request to any servers listed in the `-join` or `-retry-join` option. This requires that every server to have `auto_encrypt.allow_tls` enabled. When both `auto_encrypt` options are used, it allows clients to receive certificates that are generated on the servers. If the `-server-port` is not the default one, it has to be provided to the client as well. Usually this is discovered through LAN gossip, but `auto_encrypt` provision happens before the information can be distributed through gossip. The most secure `auto_encrypt` setup is when the client is provided with the built-in CA, `verify_server_hostname` is turned on, and when an ACL token with `node.write` permissions is setup. It is also possible to use `auto_encrypt` with a CA and ACL, but without `verify_server_hostname`, or only with a ACL enabled, or only with CA and `verify_server_hostname`, or only with a CA, or finally without a CA and without ACL enabled. In any case, the communication to the `auto_encrypt` endpoint is always TLS encrypted.
 * <a name="bootstrap"></a><a href="#bootstrap">`bootstrap`</a> Equivalent to the
  [`-bootstrap` command-line flag](#_bootstrap).
--- a/website/source/docs/connect/connect-internals.html.md
+++ b/website/source/docs/connect/connect-internals.html.md
@ -3,7 +3,7 @@ layout: "docs"
 page_title: "Connect - Architecture"
 sidebar_current: "docs-connect-internals"
 description: |-
-  This page details the internals of Consul Connect: mutual TLS, agent caching and performance, and multi-datacenter Enterprise functionality.
+  This page details the internals of Consul Connect: mutual TLS, agent caching and performance, intention and certificate authority replication.
 ---
 # How Connect Works
@ -87,16 +87,44 @@ agent may begin failing and eventually crash. Cache entries do have TTLs
 associated with them and will evict their entries if they're not used. Given
 a long period of inactivity (3 days by default), the cache will empty itself.
-## Multi-Datacenter
+## Connections Across Datacenters
-Using Connect for service-to-service communications across multiple datacenters
+Sidecar proxy's [upstream configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference)
-requires Consul Enterprise.
+may specify an alternative datacenter or a prepared query that can address services
 in multiple datacenters (such as the [geo failover](https://learn.hashicorp.com/consul/developer-discovery/geo-failover) pattern).
-With Open Source Consul, Connect may be enabled on multiple Consul datacenters,
+[Intentions](/docs/connect/intentions.html) verify connections between services by
-but only services within the same datacenter can establish Connect-based,
+source and destination name seamlessly across datacenters.
 Authenticated and Authorized connections. In this version, Certificate Authority
 configurations and intentions are both local to their respective datacenters;
 they are not replicated across datacenters.
-Full multi-datacenter support for Connect is available in
+Connections can be made via gateways to enable when communciating across
-[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).
+network topologies allowing connections between services in each datacenter
 without externally routable IPs at the service level.
 ## Intention Replication
 Intention replication happens automatically but requires the
 [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
 configuration to be set to specify a datacenter that is authoritative
 for intentions. In production setups with ACLs enabled, the
 [replication token](/docs/agent/options.html#acl_tokens_replication) must also
 be set in the secondary datacenter server's configuration.
 ## Certificate Authority Federation
 The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
 The primary datacenter generates a trust-domain UUID and obtains a root certificate
 from the configured CA provider which defaults to the built-in one.
 Secondary datacenters fetch the root CA public key and trust-domain ID from the
 primary and generate their own key and Certificate Signing Request (CSR) for an
 intermediate CA certificate. This CSR is signed by the root in the primary
 datacenter and the certificate is returned. The secondary datacenter can now use
 this intermediate to sign new Connect certificates in the secondary datacenter
 without WAN communication. CA keys are never replicated between datacenters.
 The secondary maintains watches on the root CA certificate in the primary. If the
 CA root changes for any reason such as rotation or migration to a new CA, the
 secondary automatically generates new keys and has them signed by the primary
 datacenter's new root before initiating an automatic rotation of all issued
 certificates in use throughout the secondary datacenter. This makes CA root key
 rotation fully automatic and with zero downtime across multiple datacenters.
--- a/website/source/docs/connect/proxies/managed-deprecated.html.md
+++ b/website/source/docs/connect/proxies/managed-deprecated.html.md
@ -205,12 +205,6 @@ service.
 }
 ```
 -> **Note:** Connect does not currently support cross-datacenter
 service communication. Therefore, prepared queries with Connect should
 only be used to discover services within a single datacenter. See
 [Multi-Datacenter Connect](/docs/connect/index.html#multi-datacenter) for
 more information.
 For full details of the additional configurable options available when using the
 built-in proxy see the [built-in proxy configuration
 reference](/docs/connect/configuration.html#built-in-proxy-options).
--- a/website/source/docs/enterprise/connect-multi-datacenter/index.html.md
+++ b/website/source/docs/enterprise/connect-multi-datacenter/index.html.md
@ -1,53 +0,0 @@
 ---
 layout: "docs"
 page_title: "Consul Enterprise Multi-Datacenter Connect"
 sidebar_current: "docs-enterprise-connect-multi-datacenter"
 description: |-
  Consul Enterprise supports cross datacenter connections using Consul Connect.
 ---
 # Consul Connect Multi-Datacenter
 [Consul Enterprise](https://www.hashicorp.com/consul.html) enables service-to-service
 connections across multiple Consul datacenters. This includes replication of intentions
 and federation of Certificate Authority trust.
 Sidecar proxy's [upstream configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference)
 may specify an alternative datacenter or a prepared query that can address services
 in multiple datacenters (such as the [geo failover](https://learn.hashicorp.com/consul/developer-discovery/geo-failover) pattern).
 [Intentions](/docs/connect/intentions.html) verify connections between services by
 source and destination name seamlessly across datacenters. Support for constraining Intentions
 by source or destination datacenter is planned for the near future.
 It is assumed that workloads can communicate between datacenters via existing network
 routes and VPN tunnels, potentially using Consul's
 [`translate_wan_addrs`](/docs/agent/options.html#translate_wan_addrs) to ensure remote
 workloads discover an externally routable IP.
 # Replication
 Intention replication happens automatically but requires the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
 configuration to be set to specify a datacenter that is authoritative
 for intentions. In production setups with ACLs enabled, the [replication token](/docs/agent/options.html#acl_tokens_replication)
 must also be set in secondary datacenter server's configuration.
 # Certificate Authority Federation
 The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
 The primary datacenter generates a trust-domain UUID and obtains a root certificate
 from the configured CA provider which defaults to the built-in one.
 Secondary datacenters fetch the root CA public key and trust-domain ID from the primary and
 generate their own key and Certificate Signing Request (CSR) for an intermediate CA certificate.
 This CSR is signed by the root in the primary datacenter and the certificate is returned.
 The secondary datacenter can now use this intermediate to sign new Connect certificates
 in the secondary datacenter without WAN communication. CA keys are never replicated between
 datacenters.
 The secondary maintains watches on the root CA certificate in the primary. If the CA root
 changes for any reason such as rotation or migration to a new CA, the secondary automatically
 generates new keys and has them signed by the primary datacenter's new root before initiating
 an automatic rotation of all issued certificates in use throughout the secondary datacenter.
 This makes CA root key rotation fully automatic and with zero downtime across multiple data
 centers.
--- a/website/source/downloads.html.erb
+++ b/website/source/downloads.html.erb
@ -8,6 +8,13 @@ description: |-
 <h1>Download Consul</h1>
 <div class="alert alert-info" id="rc-1-4" role="alert">
  <p><strong>1.6.0 beta Available:</strong> Read more about the new features coming in 1.6.0 in the
  <a href="https://www.hashicorp.com/blog/hashicorp-consul-1-6">announcement post</a>. Binaries can be accessed on <a href="https://releases.hashicorp.com/consul/">releases.hashicorp.com</a>.
  </p>
 </div>
 <section class="downloads">
  <div class="description row">
    <div class="col-md-12">
--- a/website/source/index.html.erb
+++ b/website/source/index.html.erb
@ -1,8 +1,7 @@
 ---
 description: |-
-  Consul is a highly available and distributed service discovery and KV
+  Consul is a service networking solution to connect and secure services across
-  store designed with support for the modern data center to make distributed
+  any runtime platform and public or private cloud
  systems and configuration easy.
 ---
 <div class='consul-connect'>
@ -11,11 +10,8 @@ description: |-
      <div>
        <div>
          <div>
-            <a class='notification' href='/downloads.html'>
+            <h1>Easy Service Networking</h1>
-              <span>New</span> HashiCorp Consul 1.5 has been released! Download now <span><svg xmlns='http://www.w3.org/2000/svg' width='6' height='10' viewBox='0 0 6 10'><path fill='#650D34' d='M1.138.529a.666.666 0 1 0-.942.943L3.724 5 .195 8.53a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z'/></svg><span>
+            <p>Consul is a service networking solution to connect and secure services across any runtime platform and public or private cloud</p>
            </a>
            <h1>Service Mesh Made Easy</h1>
            <p>Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud</p>
            <a href='/downloads.html' class='g-btn download'>
              <svg xmlns='http://www.w3.org/2000/svg' width='20' height='22' viewBox='0 0 20 22'>
                <path d='M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z'/>
@ -77,7 +73,7 @@ description: |-
          infrastructure changes the approach to networking from host-based to
          service-based. Connectivity moves from the use of static IPs to
          dynamic service discovery, and security moves from static firewalls to
-          dynamic service segmentation.</p>
+          service identity.</p>
      </div>
      <div class='g-timeline'>
        <div>
@ -108,13 +104,15 @@ description: |-
    <div class='g-container'>
      <div class='intro'>
        <h2>Use Cases</h2>
        <p>Consul can be run as a platform to solve a range of use-cases
      in service networking.</p>
      </div>
      <div class='g-use-cases'>
        <div>
          <div>
            <img src='/assets/images/consul-connect/svgs/discovery-simple.svg' alt='Service Discovery'>
-            <h3>Service Discovery <span>for connectivity</h3>
+            <h3>Service Discovery</h3>
-            <p>Service Registry enables services to register and discover each other.</p>
+            <p>Use the service registry to address and discover services across multiple runtime platforms, cloud providers and regions.</p>
          </div>
          <div>
            <a href='/discovery.html' class='g-btn dark-outline'>Learn more</a>
@ -122,19 +120,19 @@ description: |-
        </div>
        <div>
          <div>
-            <img src='/assets/images/consul-connect/svgs/segmentation-simple.svg' alt='Service Segmentation'>
+            <img src='/assets/images/consul-connect/svgs/segmentation-simple.svg' alt='Service Mesh'>
-            <h3>Service Segmentation <span>for security</h3>
+            <h3>Service Mesh</h3>
-            <p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization.</p>
+          <p>Service discovery, identity-based authorization, and L7 traffic management abstracted from application code with proxies in the service mesh pattern.</p>
          </div>
          <div>
-            <a href='/segmentation.html' class='g-btn dark-outline'>Learn more</a>
+            <a href='/mesh.html' class='g-btn dark-outline'>Learn more</a>
          </div>
        </div>
        <div>
          <div>
            <img src='/assets/images/consul-connect/svgs/configuration-simple.svg' alt='Service Configuration'>
-            <h3>Service Configuration <span>for runtime configuration</h3>
+            <h3>Service Configuration</h3>
-            <p>Feature rich Key/Value store to easily configure services.</p>
+            <p>Utilize the distributed Key/Value store to dynamically configure services and manage complex availability requirements.</p>
          </div>
          <div>
            <a href='/configuration.html' class='g-btn dark-outline'>Learn more</a>
@ -212,11 +210,9 @@ description: |-
        <div>
          <div>
            <h3>Extend and Integrate</h3>
-            <ul>
+            <p>
-              <li>Provision clusters on any infrastructure.</li>
+              Provision clusters on any infrastructure, connect to services over TLS via proxy integrations, and Serve TLS certificates with pluggable Certificate Authorities.
-              <li>Connect to services over TLS via proxy integrations.</li>
+            </p>
              <li>Serve TLS certificates with pluggable Certificate Authorities.</li>
            </ul>
          </div>
        </div>
        <div>
--- a/website/source/layouts/docs.erb
+++ b/website/source/layouts/docs.erb
@ -604,10 +604,7 @@
          <li<%= sidebar_current("docs-enterprise-federation") %>>
            <a href="/docs/enterprise/federation/index.html">Advanced Federation</a>
          </li>
-          <li<%= sidebar_current("docs-enterprise-connect-multi-datacenter") %>>
+         <li<%= sidebar_current("docs-enterprise-network-segments") %>>
            <a href="/docs/enterprise/connect-multi-datacenter/index.html">Connect Multi-Datacenter</a>
          </li>
          <li<%= sidebar_current("docs-enterprise-network-segments") %>>
            <a href="/docs/enterprise/network-segments/index.html">Network Segments</a>
          </li>
          <li<%= sidebar_current("docs-enterprise-sentinel") %>>
--- a/website/source/layouts/layout.erb
+++ b/website/source/layouts/layout.erb
@ -72,7 +72,7 @@
                  <li><span>Use Cases<svg width="9" height="5" xmlns="http://www.w3.org/2000/svg"><path d="M8.811 1.067a.612.612 0 0 0 0-.884.655.655 0 0 0-.908 0L4.5 3.491 1.097.183a.655.655 0 0 0-.909 0 .615.615 0 0 0 0 .884l3.857 3.75a.655.655 0 0 0 .91 0l3.856-3.75z" fill="#252937" fill-rule="evenodd"/></svg></span>
                    <ul class="dropdown">
                      <li><a href="/discovery.html">Service Discovery</a></li>
-                      <li><a href="/segmentation.html">Service Segmentation</a></li>
+                      <li><a href="/mesh.html">Service Mesh</a></li>
                      <li><a href="/configuration.html">Service Configuration</a></li>
                    </ul>
                  </li>
--- a/website/source/segmentation.html.erb
+++ b/website/source/segmentation.html.erb
@ -1,16 +1,14 @@
 ---
 description: |-
-  Consul is a highly available and distributed service discovery and KV
+  Consul is a service networking solution to connect and secure services across
-  store designed with support for the modern data center to make distributed
+  any runtime platform and public or private cloud
  systems and configuration easy.
 ---
 <div class='consul-connect'>
  <section class='g-hero'>
-    <span>New Feature</span>
+    <h1>Service Mesh made easy</h1>
-    <h1>Service segmentation made easy</h1>
+    <p>Service discovery, identity-based authorization, and L7 traffic management abstracted from application code with proxies in the service mesh pattern</p>
    <p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization</p>
    <div>
      <a href="/downloads.html" class="g-btn download">
        <svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
@ -34,7 +32,7 @@ description: |-
          </span>
          <span class='dot'></span>
          <h3>The Challenge</h3>
-          <span class='sub-heading'>Securing service-to-service communication with firewalls doesn’t scale in dynamic settings.</span>
+          <span class='sub-heading'>Network appliances, like load balancers or firewalls with manual processes, don't scale in dynamic settings to support modern applications.</span>
          <div id='segmentation-challenge-animation' class='g-animation-block'>
            <%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>
          </div>
@ -43,20 +41,21 @@ description: |-
            machines and machines are frequently created and destroyed, this
            perimeter-based approach is difficult to scale as it results in
            complex network topologies and a sprawl of short-lived
-            firewall rules.</p>
+            firewall rules and proxy configuration.</p>
        </div>
        <div>
          <span class='dot'></span>
          <h3>The Solution</h3>
-          <span class='sub-heading'>Service segmentation for dynamic service authorization.</span>
+          <span class='sub-heading'>Service mesh as an automated and distributed approach to networking and security that can operate across platforms and private and public cloud</span>
          <div id='segmentation-solution-animation' class='g-animation-block'>
            <%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>
          </div>
-          <p>Service segmentation is a new approach to secure the service itself
+          <p>Service mesh is a new approach to secure the service itself
-            rather than relying on the network. Consul uses service policies to
+            rather than relying on the network. Consul uses centrally
-            codify which services are allowed to communicate. These policies
+            managed service policies and configuration to enable
-            scale across datacenters and large fleets without IP-based rules or
+            dynamic routing and security based on sevice identity.
-            networking middleware.</p>
+            These policies scale across datacenters and large fleets
            without IP-based rules or networking middleware.</p>
        </div>
      </div>
    </div>
@ -67,27 +66,60 @@ description: |-
      <div class='intro'>
        <h2>Features</h2>
      </div>
      <div class='g-text-asset reverse'>
        <div>
          <div>
            <h3>Layer 7 Traffic Management</h3>
            <p>Service-to-service communication policy at Layer 7 can be managed centrally, enabling advanced traffic management patterns such as service failover, path-based routing, and traffic shifting that can be applied across public and private clouds, platforms, and networks.</p>
            <p>
              <a class="learn-more" href='/docs/agent/config_entries.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
            </p>
          </div>
        </div>
        <div class='code-sample'>
            <div>
              <span></span>
              <div class='code'><code>
 Kind = <code class="keyword">"service-splitter"</code>
 Name = <code class="keyword">"billing-api"</code>
 Splits = [
    {
        Weight        = 10
        ServiceSubset = <code class="keyword">"v2"</code>
    },
    {
        Weight        = 90
        ServiceSubset = <code class="keyword">"v1"</code>
    },
 ]</code>
            </div>
          </div>
        </div>
    </div>
  </div>
  </section>
  <section class='g-section border-top'>
    <div class='g-container'>
      <div class='g-text-asset large'>
        <div>
          <div>
-            <h3>Service Access Graph </h3>
+            <h3>Layer 7 Observability</h3>
-            <p>Define and enforce service to service communication with a simple Intentions configuration. Service based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.</p>
+            <p>Centrally managed service observability at Layer 7 including detailed metrics on all service-to-service communication such as connections, bytes transferred, retries, timeouts, open circuits, and request rates, response codes.</p>
            <p>
-              <a class="learn-more" href='/docs/connect/intentions.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
+              <a class="learn-more" href='/docs/agent/config_entries.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
            </p>
          </div>
        </div>
        <div>
          <picture>
-            <source type="image/webp" srcset="
+              <source type="image/png" srcset="
-              /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.webp 230w,
+              /assets/images/consul-connect/mesh-observability/metrics_300.png 300w,
-              /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.webp 844w,
+              /assets/images/consul-connect/mesh-observability/metrics_976.png 976w,
-              /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.webp 1290w" />
+              /assets/images/consul-connect/mesh-observability/metrics_1200.png 1200w" />
-             <source type="image/jpg" srcset="
+              <img src='/assets/images/consul-connect/mesh-observability/metrics_1200.png' alt='Metrics dashboard'>
-              /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.jpg 230w,
+            </source>
              /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.jpg 844w,
              /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg 1290w" />
              <img src='/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg' alt='Service Access Graph'>
          </picture>
        </div>
      </div>
@ -191,6 +223,28 @@ Secure Sockets Layer
    </div>
  </section>
  <section class='g-section border-top'>
    <div class='g-container'>
      <div class='g-text-asset'>
        <div>
          <div>
            <h3>Mesh Gateway</h3>
            <p>Connect between different cloud regions, VPCs and between overlay and underlay networks without complex network tunnels and NAT. Mesh Gateways solve routing at TLS layer while preserving end-to-end encryption and limiting attack surface area at the edge of each network.</p>
            <p>
              <a class="learn-more" href='https://learn.hashicorp.com/consul'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
            </p>
          </div>
        </div>
        <div>
          <picture>
              <img src='/assets/images/consul-connect/mesh-gateway/gateway_1200.png' style='width:600px' alt='Mesh gateway diagram'>
          </picture>
        </div>
      </div>
    </div>
  </section>
  <section class='g-section g-cta-section'>
    <div>
      <h2>Ready to get started?</h2>
--- a/website/source/redirects.txt
+++ b/website/source/redirects.txt
@ -49,6 +49,8 @@
 /docs/guides/bootstrapping.html            /docs/install/bootstrapping.html
 /docs/guides/sentinel.html                 /docs/agent/sentinel.html
 /docs/connect/proxies/sidecar-service.html /docs/connect/registration/sidecar-service.html
 /docs/enterprise/connect-multi-datacenter/index.html /docs/enterprise/index.html
 /segmentation.html /mesh.html
 # CLI renames
 /docs/commands/acl/acl-bootstrap.html       /docs/commands/acl/bootstrap.html