From 5732d3b49bb23df9ff0746fe7c480afacef0ded2 Mon Sep 17 00:00:00 2001
From: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Date: Thu, 8 Jun 2023 09:43:05 -0700
Subject: [PATCH] Merge pull request #5734 from hashicorp/docs/envoy-ext-1.16

Docs/envoy ext 1.16
---
 .../configuration/ext-authz.mdx               | 726 ++++++++++++++++++
 .../configuration/property-override.mdx       | 273 +++++++
 .../envoy-extensions/configuration/wasm.mdx   | 484 ++++++++++++
 .../proxies/envoy-extensions/index.mdx        |  23 +-
 .../envoy-extensions/usage/ext-authz.mdx      | 147 ++++
 .../usage/property-override.mdx               | 203 +++++
 .../proxies/envoy-extensions/usage/wasm.mdx   | 191 +++++
 .../partials/envoy_ext_rule_matcher.mdx       |   9 +
 website/data/docs-nav-data.json               |  30 +-
 9 files changed, 2081 insertions(+), 5 deletions(-)
 create mode 100644 website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx
 create mode 100644 website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx
 create mode 100644 website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx
 create mode 100644 website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx
 create mode 100644 website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx
 create mode 100644 website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx
 create mode 100644 website/content/partials/envoy_ext_rule_matcher.mdx

diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx b/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx
new file mode 100644
index 000000000000..6b5d8cc272aa
--- /dev/null
+++ b/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx
@@ -0,0 +1,726 @@
+---
+layout: docs
+page_title: External authorization extension configuration reference
+description: Learn how to configure the ext-authz Envoy extension, which is a builtin Consul extension that configures Envoy proxies to request authorization from an external service.
+---
+
+# External authorization extension configuration reference
+
+This topic describes how to configure the external authorization Envoy extension, which configures Envoy proxies to request authorization from an external service. Refer to [Delegate authorization to an external service](/consul/docs/connect/proxies/envoy-extensions/usage/ext-authz) for usage information.
+
+## Configuration model
+
+The following list outlines the field hierarchy, data types, and requirements for the external authorization configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer to the following documentation for additional information:
+
+- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions)
+- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions)
+ - [Envoy External Authorization documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto)
+
+Click on a property name to view additional details, including default values.
+
+- [`Name`](#name): string | required | must be set to `builtin/ext-authz` 
+- [`Arguments`](#arguments): map | required
+   - [`ProxyType`](#arguments-proxytype): string | required | `connect-proxy`
+   - [`InsertOptions`](#arguments-insertoptions): map
+      - [`Location`](#arguments-insertoptions-location): string
+      - [FilterName](#arguments-insertoptions-filtername): string
+   - [`Config`](#arguments-config): map | required
+      - [`BootstrapMetadataLabelsKey`](#arguments-config-bootstrapmetadatalabelskey): string
+      - [`ClearRouteCache`](#arguments-config-grpcservice): boolean | `false` | HTTP only
+      - [`GrpcService`](#arguments-config-grpcservice): map
+        - [`Target`](#arguments-config-grpcservice-target): map | required
+           - [`Service`](#arguments-config-grpcservice-target-service): map
+              - [`Name`](#arguments-config-grpcservice-target-service): string
+              - [`Namespace`](#arguments-config-grpcservice-target-service): string | <EnterpriseAlert inline/>
+              - [`Partition`](#arguments-config-grpcservice-target-service): string | <EnterpriseAlert inline/>
+           - [`URI`](#arguments-config-grpcservice-target-uri): string   
+           - [`Timeout`](#arguments-config-grpcservice-target-uri): string | `1s`
+        - [`Authority`](#arguments-config-grpcservice-authority): string    
+        - [`InitialMetadata`](#arguments-config-grpcservice-initialmetadata): list
+           - [`Key`](#arguments-config-grpcservice-initialmetadata): string  
+           - [`Value`](#arguments-config-grpcservice-initialmetadata): string  
+      - [`HttpService`](#arguments-config-httpservice): map
+        - [`Target`](#arguments-config-httpservice-target): map | required
+           - [`Service`](#arguments-config-httpservice): string
+              - [`Name`](#arguments-config-httpservice-target-service): string
+              - [`Namespace`](#arguments-config-httpservice-target-service): string | <EnterpriseAlert inline/>
+              - [`Partition`](#arguments-config-httpservice-target-service): string | <EnterpriseAlert inline/>     
+           - [`URI`](#arguments-config-httpservice): string   
+           - [`Timeout`](#arguments-config-httpservice): string | `1s`   
+        - [`PathPrefix`](#arguments-config-httpservice-pathprefix): string    
+        - [`AuthorizationRequest`](#arguments-config-httpservice-authorizationrequest): map    
+           - [`AllowedHeaders`](#arguments-config-httpservice-authorizationrequest-allowedheaders): list
+              - [`Contains`](#arguments-config-httpservice-authorizationrequest-allowedheaders): string   
+              - [`Exact`](#arguments-config-httpservice-authorizationrequest-allowedheaders): string   
+              - [`IgnoreCase`](#arguments-config-httpservice-authorizationrequest-allowedheaders): boolean  
+              - [`Prefix`](#arguments-config-httpservice-authorizationrequest-allowedheaders): string   
+              - [`SafeRegex`](#arguments-config-httpservice-authorizationrequest-allowedheaders): string   
+           - [`HeadersToAdd`](#arguments-config-httpservice-authorizationrequest-headerstoadd): list
+              - [`Key`](#arguments-config-httpservice-authorizationrequest-headerstoadd): string  
+              - [`Value`](#arguments-config-httpservice-authorizationrequest-headerstoadd): string  
+        - [`AuthorizationResponse`](#arguments-config-httpservice-authorizationresponse): map
+           - [`AllowedUpstreamHeaders`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaders): list
+              - [`Contains`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaders): string   
+              - [`Exact`](#arguments-config-httpservice-authorizationresponse-allowedheaders): string   
+              - [`IgnoreCase`](#arguments-config-httpservice-authorizationresponse-allowedheaders): boolean  
+              - [`Prefix`](#arguments-config-httpservice-authorizationresponse-allowedheaders): string   
+              - [`SafeRegex`](#arguments-config-httpservice-authorizationresponse-allowedheaders): string   
+              - [`Suffix`](#arguments-config-httpservice-authorizationresponse-allowedheaders): string   
+           - [`AllowedUpstreamHeadersToAppend`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): list
+              - [`Contains`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): string   
+              - [`Exact`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): string   
+              - [`IgnoreCase`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): boolean  
+              - [`Prefix`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): string   
+              - [`SafeRegex`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): string   
+              - [`Suffix`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend): string   
+           - [`AllowedClientHeaders`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): list
+              - [`Contains`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): string   
+              - [`Exact`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): string   
+              - [`IgnoreCase`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): boolean  
+              - [`Prefix`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): string   
+              - [`SafeRegex`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): string   
+              - [`Suffix`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders): string   
+           - [`AllowedClientHeadersOnSuccess`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): list
+              - [`Contains`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): string   
+              - [`Exact`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): string   
+              - [`IgnoreCase`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): boolean  
+              - [`Prefix`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): string   
+              - [`SafeRegex`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): string   
+              - [`Suffix`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess): string   
+           - [`DynamicMetadataFromHeaders`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): list
+              - [`Contains`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): string   
+              - [`Exact`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): string   
+              - [`IgnoreCase`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): boolean  
+              - [`Prefix`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): string   
+              - [`SafeRegex`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): string   
+              - [`Suffix`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders): string   
+      - [`IncludePeerCertificate`](#arguments-config-includepeercertificate): boolean | `false`
+      - [`MetadataContextNamespaces`](#arguments-config-metadatacontextnamespaces): list of strings | HTTP only
+      - [`StatusOnError`](#arguments-config-statusonerror): number | `403` | HTTP only
+      - [`StatPrefix`](#arguments-config-statprefix): string | `response`
+      - [`WithRequestBody`](#arguments-config-withrequestbody): map | HTTP only
+         - [`MaxRequestBytes`](#arguments-config-withrequestbody-maxrequestbytes): number 
+         - [`AllowPartialMessage`](#arguments-config-withrequestbody-allowpartialmessage): boolean | `false`
+         - [`PackAsBytes`](#arguments-config-withrequestbody-packasbytes): boolean | `false`
+
+## Complete configuration
+
+When each field is defined, an `ext-authz` configuration has the following form:
+
+```hcl
+Name = "builtin/ext-authz" 
+Arguments = {
+   ProxyType = "connect-proxy"
+   InsertOptions = {
+      Location = "<location in the filter chain>" 
+      FilterName = "<filter relative to the location>"
+   }
+   Config = {
+      BootstrapMetadataLabelsKey = "<key from bootstrap metadata>"
+      ClearRouteCache = false // HTTP only
+      GrpcService = {
+         Target = {
+            Service = {
+               Name = "<upstream service to send gRPC authorization requests to>"
+               Namespace = "<namespace containing the upstream service>"
+               Partition = "<partition containing the upstream service>"
+            URI = "<URI of the upstream service>"   
+            Timeout = "1s"
+         Authority = "<authority header to send in the gRPC request>"     
+         InitialMetadata = [
+            "<Key>" : "<value>"  
+      HttpService = {
+         Target = {
+            Service = {
+               Name = "<upstream service to send gRPC authorization requests to>"
+               Namespace = "<namespace containing the upstream service>"
+               Partition = "<partition containing the upstream service>"
+            URI = "<URI of the upstream service>"   
+            Timeout = "1s"
+            }
+         }
+         PathPrefix = "/<authorization-request-header-prefix>/"    
+         AuthorizationRequest = {
+            AllowedHeaders = [
+               Contains = "<client request headers must contain this value>",   
+               Exact = "<client request headers can only be this value>",   
+               IgnoreCase = false,  
+               Prefix = "<client request headers must begin with this value>",   
+               SafeRegex = "<client request headers can match this regex pattern>"
+            ]   
+            HeadersToAdd = [ 
+               "<header key>" = "<header value>"
+            ]
+         }  
+         AuthorizationResponse = {
+            AllowedUpstreamHeaders = [
+               Contains = "<authorization response headers must contain this value>",   
+               Exact = "<authorization response headers can only be this value>",   
+               IgnoreCase = false,  
+               Prefix = "<authorization response headers must begin with this value>",   
+               SafeRegex = "<authorization response headers can match this regex pattern>"
+               Suffix = "<authorization response headers must end with this value>"
+            ]   
+            AllowedUpstreamHeadersToAppend = [
+               Contains = "<authorization response headers must contain this value>",   
+               Exact = "<authorization response headers can only be this value>",   
+               IgnoreCase = false,  
+               Prefix = "<authorization response headers must begin with this value>",   
+               SafeRegex = "<authorization response headers can match this regex pattern>"
+               Suffix = "<authorization response headers must end with this value>"   
+             ]   
+            AllowedClientHeaders = [
+               Contains = "<client response headers must contain this value>",   
+               Exact = "<client response headers can only be this value>",   
+               IgnoreCase = false,  
+               Prefix = "<client response headers must begin with this value>",   
+               SafeRegex = "<client response headers can match this regex pattern>"
+               Suffix = "<client response headers must end with the value>"
+            ]   
+            AllowedClientHeadersOnSuccess = [
+               Contains = "<client response headers must contain this value>",   
+               Exact = "<client response headers can only be this value>",   
+               IgnoreCase = false,  
+               Prefix = "<client response headers must begin with this value>",   
+               SafeRegex = "<client response headers can match this regex pattern>"
+               Suffix = "<client response headers must end with the value>"
+            DynamicMetadataFromHeaders = [
+               Contains = "<authorization response headers must contain this value>",   
+               Exact = "<authorization response headers can only be this value>",   
+               IgnoreCase = false,  
+               Prefix = "<authorization response headers must begin with this value>",   
+               SafeRegex = "<authorization response headers can match this regex pattern>"
+               Suffix = "<authorization response headers must end with the value>"
+            ]
+      IncludePeerCertificate = false
+      MetadataContextNamespaces = [ 
+         "<metadata namespace>"
+      ]
+      StatusOnError = 403 // HTTP only
+      StatPrefix = "response"
+      WithRequestBody = {   //HTTP only
+         MaxRequestBytes = <uint32 value specifying the max size of the message body>  
+         AllowPartialMessage = false
+         PackAsBytes = false
+```
+
+## Specification
+
+This section provides details about the fields you can configure for the external authorization extension.
+### `Name`
+
+Specifies the name of the extension. Must be set to `builtin/ext-authz`.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: String value set to `builtin/ext-authz`.
+
+### `Arguments`
+
+Contains the global configuration for the extension.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: Map
+
+### `Arguments.ProxyType`
+
+Specifies the type of Envoy proxy that this extension applies to. The extension only applies to proxies that match this type and is ignored for all other proxy types. The only supported value is `connect-proxy`.
+
+#### Values
+
+- Default: `connect-proxy`
+- This field is required.
+- Data type: String
+
+### `Arguments.InsertOptions`
+
+Specifies options for defining the insertion point for the external authorization filter in the Envoy filter chain. By default, the external authorization filter is inserted as the first filter in the filter chain per the default setting for the [`Location`](#arguments-insertoptions-location) field. 
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+### `Arguments.InsertOptions.Location`
+
+Specifies the insertion point for the external authorization filter in the Envoy filter chain. You can specify one of the following string values:
+
+- `First`: Inserts the filter as the first filter in the filter chain, regardless of the filter specified in the `FilterName` field.
+- `BeforeLast`: Inserts the filter before the last filter in the chain, regardless of the filter specified in the `FilterName` field. This allows the filter to be inserted after all other filters and immediately before the terminal filter. 
+- `AfterFirstMatch`: Inserts the filter after the first filter in the chain that has a name matching the value of the `FilterName` field.
+- `AfterLastMatch`: Inserts the filter after the last filter in the chain that has a name matching the value of the `FilterName` field.
+- `BeforeFirstMatch`: Inserts the filter before the first filter in the chain that has a name matching the value of the `FilterName` field.
+- `BeforeLastMatch`: Inserts the filter before the last filter in the chain that has a name matching the value of the `FilterName` field. 
+
+#### Values
+
+- Default: `BeforeFirstMatch`
+- Data type: String
+
+### `Arguments.InsertOptions.FilterName`
+
+Specifies the name of an existing filter in the chain to match when inserting the external authorization filter. Specifying a filter name enables  you to configure an insertion point relative to the position of another filter in the chain.  
+
+#### Values
+
+- Default: `envoy.filters.network.tcp_proxy` for TCP services. `envoy.filters.http.router` for HTTP services.
+- Data type: String
+
+### `Arguments.Config`
+
+Contains the configuration settings for the extension.  
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: Map
+
+### `Arguments.Config.BootstrapMetadataLabelsKey`
+
+Specifies a key from the Envoy bootstrap metadata. Envoy adds labels associated with the key to the authorization request context. 
+
+#### Values
+
+- Default: None
+- Data type: String
+
+### `Arguments.Config.ClearRouteCache`
+
+Directs Envoy to clear the route cache so that the external authorization service correctly affects routing decisions. If set to `true`, the filter clears all cached routes. 
+
+Envoy also clears cached routes if the status returned from the authorization service is `200` for HTTP responses or `0` for gRPC responses. Envoy also clears cached routes if at least one authorization response header is added to the client request or is used for altering another client request header.
+
+#### Values
+
+- Default: `false`
+- Data type: Boolean
+
+
+### `Arguments.Config.GrpcService`
+
+Specifies the external authorization configuration for gRPC requests. Configure the `GrpcService` or the [`HttpService`](#arguments-config-httpservice) settings, but not both.
+
+#### Values
+
+- Default: None
+- Either the `GrpcService` or the `HttpService` configuration is required.
+- Data type: Map
+
+### `Arguments.Config.GrpcService.Target`
+
+Configuration for specifying the service to send gRPC authorization requests to. The `Target` field may contain the following fields:
+
+- [`Service`](#arguments-config-grpcservice-target-service) or [`Uri`](#arguments-config-grpcservice-target-uri)
+- [`Timeout`](#arguments-config-grpcservice-target-timeout)
+
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: Map
+
+### `Arguments{}.Config{}.GrpcService{}.Target{}.Service{}`
+
+Specifies the upstream external authorization service. Configure this field when authorization requests are sent to an upstream service within the service mesh. The service must be configured as an upstream of the service that the filter is applied to.
+
+Configure either the `Service` field or the [`Uri`](#arguments-config-grpcservice-target-uri) field, but not both. 
+ 
+#### Values
+
+- Default: None
+- This field or [`Uri`](#arguments-config-grpcservice-target-uri) is required.
+- Data type: Map
+
+The following table describes how to configure parameters for the `Service` field:
+
+| Parameter | Description | Data type | Default |
+| ---       | ---         | ---       | ---     |
+| `Name` | Specifies the name of the upstream service. | String | None |
+| `Namespace` | <EnterpriseAlert inline/> Specifies the Consul namespace that the upstream service belongs to. | String | `default` |
+| `Partition` | <EnterpriseAlert inline/> Specifies the Consul admin partition that the upstream service belongs to. | String | `default` |
+
+### `Arguments.Config.GrpcService.Target.Uri`
+
+Specifies the URI of the external authorization service. Configure this field when you must provide an explicit URI to the external authorization service, such as cases in which the authorization service is running on the same host or pod. If set, the value of this field must be either `localhost:<port>` or `127.0.0.1:<port>`
+
+Configure either the `Uri` field or the [`Service`](#arguments-config-grpcservice-target-service) field, but not both. 
+ 
+#### Values
+
+- Default: None
+- This field or [`Service`](#arguments-config-grpcservice-target-service) is required.
+- Data type: String
+
+### `Arguments.Config.GrpcService.Target.Timeout`
+
+Specifies the maximum duration that a response can take to arrive upon request.
+ 
+#### Values
+
+- Default: `1s`
+- Data type: String
+
+### `Arguments.Config.GrpcService.Authority`
+
+Specifies the authority header to send in the gRPC request. If this field is not set, the authority field is set to the cluster name. This field does not override the SNI that Envoy sends to the external authorization service.
+ 
+#### Values
+
+- Default: Cluster name
+- Data type: String
+
+### `Arguments.Config.GrpcService.InitialMetadata[]`
+
+Specifies additional metadata to include in streams initiated to the `GrpcService`. You can specify metadata for injecting additional ad-hoc authorization headers, for example, `x-foo-bar: baz-key`. For more information, including details on header value syntax, refer to the [Envoy documentation on custom request headers](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-custom-request-headers).
+ 
+#### Values
+
+- Default: None
+- Data type: List of one or more key-value pairs:
+
+   - KEY: String
+   - VALUE: String
+
+### `Arguments{}.Config{}.HttpService{}`
+
+Contains the configuration for raw HTTP communication between the filter and the external authorization service. Configure the `HttpService` or the [`GrpcService`](#arguments-config-grpcservice) settings, but not both.
+
+#### Values
+
+- Default: None
+- Either the `HttpService` or the `GrpcService` configuration is required.
+- Data type: Map
+
+### `Arguments{}.Config{}.HttpService{}.Target{}`
+
+Configuration for specifying the service to send HTTP authorization requests to. The `Target` field may contain the following fields:
+
+- [`Service`](#arguments-config-httpservice-target-service) or [`Uri`](#arguments-config-httpservice-target-uri)
+- [`Timeout`](#arguments-config-httpservice-target-timeout)
+
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: Map
+
+### `Arguments{}.Config{}.HttpService{}.Target{}.Service{}`
+
+Specifies the upstream external authorization service. Configure this field when HTTP authorization requests are sent to an upstream service within the service mesh. The service must be configured as an upstream of the service that the filter is applied to.
+
+Configure either the `Service` field or the [`Uri`](#arguments-config-httpservice-target-uri) field, but not both. 
+ 
+#### Values
+
+- Default: None
+- This field or [`Uri`](#arguments-config-httpservice-target-uri) is required.
+- Data type: Map
+
+The following table describes how to configure parameters for the `Service` field:
+
+| Parameter | Description | Data type | Default |
+| ---       | ---         | ---       | ---     |
+| `Name` | Specifies the name of the upstream service. | String | None |
+| `Namespace` | <EnterpriseAlert inline/> Specifies the Consul namespace that the upstream service belongs to. | String | `default` |
+| `Partition` | <EnterpriseAlert inline/> Specifies the Consul admin partition that the upstream service belongs to. | String | `default` |
+
+### `Arguments{}.Config{}.HttpService{}.Target{}.Uri`
+
+Specifies the URI of the external authorization service. Configure this field when you must provide an explicit URI to the external authorization service, such as cases in which the authorization service is running on the same host or pod. 
+
+Configure either the `Uri` field or the [`Service`](#arguments-config-httpservice-target-service) field, but not both. 
+ 
+#### Values
+
+- Default: None
+- This field or [`Service`](#arguments-config-httpservice-target-service) is required.
+- Data type: String
+
+### `Arguments{}.Config{}.HttpService{}.Target{}.Timeout`
+
+Specifies the maximum duration that a response can take to arrive upon request.
+ 
+#### Values
+
+- Default: `1s`
+- Data type: String
+
+### `Arguments{}.Config{}.HttpService{}.PathPrefix`
+
+Specifies a prefix for the value of the authorization request header `Path`. You must include the preceding forward slash (`/`).
+ 
+#### Values
+
+- Default: None
+- Data type: String
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationRequest{}`
+
+HTTP-only configuration that controls the HTTP authorization request metadata. The `AuthorizationRequest` field may contain the following parameters:
+
+- [`AllowHeaders`](#arguments-config-httpservice-authorizationrequest-allowheaders)
+- [`HeadersToAdd`](#arguments-config-httpservice-authorizationrequest-headerstoadd)
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationRequest{}.AllowHeaders[]`
+
+Specifies a set of rules for matching client request headers. The request to the external authorization service includes any client request headers that satisfy any of the rules. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#extensions-filters-http-ext-authz-v3-extauthz) for a detailed explanation.
+
+#### Values
+
+- Default: None
+- Data type: List of key-value pairs
+
+The following table describes the matching rules you can configure in the `AllowHeaders` field:
+
+@include 'envoy_ext_rule_matcher.mdx'
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationRequest{}.HeadersToAdd[]`
+
+Specifies a list of headers to include in the request to the authorization service. Note that Envoy overwrites client request headers with the same key.
+
+#### Values
+
+- Default: None
+- Data type: List of one or more key-value pairs:
+
+   - KEY: String
+   - VALUE: String
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationResponse{}`
+
+HTTP-only configuration that controls HTTP authorization response metadata. The `AuthorizationResponse` field may contain the following parameters:
+
+- [`AllowedUpstreamHeaders`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaders)
+- [`AllowedUpstreamHeadersToAppend`](#arguments-config-httpservice-authorizationresponse-allowedupstreamheaderstoappend)
+- [`AllowedClientHeaders`](#arguments-config-httpservice-authorizationresponse-allowedclientheaders)
+- [`AllowedClientHeadersOnSuccess`](#arguments-config-httpservice-authorizationresponse-allowedclientheadersonsuccess)
+- [`DynamicMetadataFromHeaders`](#arguments-config-httpservice-authorizationresponse-dynamicmetadatafromheaders)
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationResponse{}.AllowedUpstreamHeaders[]`
+
+Specifies a set of rules for matching authorization response headers. Envoy adds any headers from the external authorization service to the client response that satisfy the rules. Envoy overwrites existing headers.
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the matching rules you can configure in the `AllowedUpstreamHeaders` field:
+
+@include 'envoy_ext_rule_matcher.mdx'
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationResponse{}.AllowedUpstreamHeadersToAppend[]`
+
+Specifies a set of rules for matching authorization response headers. Envoy appends any headers from the external authorization service to the client response that satisfy the rules. Envoy appends existing headers.
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the matching rules you can configure in the `AllowedUpstreamHeadersToAppend` field:
+
+@include 'envoy_ext_rule_matcher.mdx'
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationResponse{}.AllowedClientHeaders[]`
+
+Specifies a set of rules for matching client response headers. Envoy adds any headers from the external authorization service to the client response that satisfy the rules. When the list is not set, Envoy includes all authorization response headers except `Authority (Host)`. When a header is included in this list, Envoy automatically adds the following headers: 
+
+- `Path`
+- `Status`
+- `Content-Length`
+- `WWWAuthenticate`
+- `Location`
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the matching rules you can configure in the `AllowedClientHeaders` field:
+
+@include 'envoy_ext_rule_matcher.mdx'
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationResponse{}.AllowedClientHeadersOnSuccess[]`
+
+Specifies a set of rules for matching client response headers. Envoy adds headers from the external authorization service to the client response when the headers satisfy the rules and the authorization is successful. If the headers match the rules but the authorization fails or is denied, the headers are not added. If this field is not set, Envoy does not add any additional headers to the client's response on success. 
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the matching rules you can configure in the `AllowedClientHeadersOnSuccess` field:
+
+@include 'envoy_ext_rule_matcher.mdx'
+
+### `Arguments{}.Config{}.HttpService{}.AuthorizationResponse{}.DynamicMetadataFromHeaders[]`
+
+Specifies a set of rules for matching authorization response headers. Envoy emits headers from the external authorization service as dynamic metadata that the next filter in the chain can consume. 
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the matching rules you can configure in the `DynamicMetadataFromHeaders` field:
+
+@include 'envoy_ext_rule_matcher.mdx'
+
+### `Arguments{}.Config{}.IncludePeerCertificate`
+
+If set to `true`, Envoy includes the peer X.509 certificate in the authorization request if the certificate is available.  
+
+#### Values
+
+- Default: `false`
+- Data type: Boolean
+
+### `Arguments{}.Config{}.MetadataContextNamespace[]`
+
+HTTP only field that specifies a list of metadata namespaces. The values of the namespaces  are included in the authorization request context.  The `consul` namespace is always included in addition to the namespaces you configure.
+
+#### Values
+
+- Default: `["consul"]`
+- Data type: List of string values
+
+### `Arguments{}.Config{}.StatusOnError`
+
+HTTP only field that specifies a return code status to respond with on error. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/v3/http_status.proto#enum-type-v3-statuscode) for additional information.
+
+#### Values
+
+- Default: `403`
+- Data type: Integer
+
+### `Arguments{}.Config{}.StatPrefix`
+
+Specifies a prefix to add when writing statistics.
+
+#### Values
+
+- Default: `response`
+- Data type: String
+
+### `Arguments{}.Config{}.WithRequestBody{}`
+
+HTTP only field that configures Envoy to buffer the client request body and send it with the authorization request. If unset, the request body is not sent with the authorization request.
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the parameters that you can include in the `WithRequestBody` field:
+
+| Parameter | Description | Data type | Default |
+| ---       | ---         | ---       | ---     |
+| `MaxRequestBytes` | Specifies the maximum size of the message body that the filter holds in memory. Envoy returns HTTP `403` and does not initiate the authorization process when the buffer reaches the number set in this field unless `AllowPartialMessage` is set to `true`. | uint32 | None |
+| `AllowPartialMessage` | If set to `true`, Envoy buffers the request body until the value of `MaxRequestBytes` is reached. The authorization request is dispatched with a partial body and no `413` HTTP error returns by the filter. | Boolean | `false` |
+| `PackAsBytes` | If set to `true`, Envoy sends the request body to the external authorization as raw bytes. Otherwise, Envoy sends the request body as a UTF-8 encoded string. | Boolean | `false` |
+
+## Examples
+
+The following examples demonstrate common configuration patterns for specific use cases.
+
+### Authorize gRPC requests to a URI
+
+In the following example, a service defaults configuration entry contains an `ext-authz` configuration. The configuration allows the `api` service to make gRPC authorization requests to a service at `localhost:9191`:
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+EnvoyExtensions = [
+  {
+    Name = "builtin/ext-authz"
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Config = {
+        GrpcService = {
+          Target = {
+            URI = "127.0.0.1:9191"
+          }
+        }
+      }
+    }
+  }
+]
+```
+  
+### Upstream authorization
+
+In the following example, a service defaults configuration entry contains an `ext-authz` configuration. The configuration allows the `api` service to make gRPC authorization requests to a service named `authz`:
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+EnvoyExtensions = [
+  {
+    Name = "builtin/ext-authz"
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Config = {
+        GrpcService = {
+          Target = {
+            Service = {
+              Name = "authz"
+            }
+          }
+        }
+      }
+    }
+  }
+]
+```
+
+### Authorization requests after service intentions for Consul Enterprise
+
+In the following example for Consul Enterprise, the `api` service is configured to make an HTTP authorization requests to a service named `authz` in the `foo` namespace and `bar` partition. Envoy also inserts the external authorization filter after the `envoy.filters.http.rbac` filter:
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+Protocol = "http"
+EnvoyExtensions = [
+  {
+    Name = "builtin/ext-authz"
+    Arguments = {
+      ProxyType = "connect-proxy"
+      InsertOptions = {
+        Location   = "AfterLastMatch"
+        FilterName = "envoy.filters.http.rbac"
+      }
+      Config = {
+        HttpService = {
+          Target = {
+            Service = {
+              Name      = "authz"
+              Namespace = "foo"
+              Partition = "bar"
+            }
+          }
+        }
+      }
+    }
+  }
+]
+```
diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx b/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx
new file mode 100644
index 000000000000..266a4045e958
--- /dev/null
+++ b/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx
@@ -0,0 +1,273 @@
+--- 
+layout: docs
+page_title: Property override configuration reference
+description: Learn how to configure the property-override plugin, which is a builtin Consul plugin that allows you to set and remove Envoy proxy properties.
+--- 
+
+# Property override configuration reference
+
+This topic describes how to configure the `property-override` extension so that you can set and remove individual properties on the Envoy resources Consul generates. Refer to [Configure Envoy proxy properties](/consul/docs/connect/proxies/envoy-extensions/usage/property-override) for usage information.
+
+## Configuration model
+
+The following list outlines the field hierarchy, data types, and requirements for the `property-override` configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer the following documentation for additional information:
+
+- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions)
+- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions)
+
+Click on a property name to view additional details, including default values.
+  
+- [`ProxyType`](#proxytype): string | required 
+- [`Debug`](#debug): bool | `false` 
+- [`Patches`](#patches): list | required
+   - [`ResourceFilter`](#patches-resourcefilter): map         
+      - [`ResourceType`](patches-resourcefilter-resourcetype): string | required
+      - [`TrafficDirection`](patches-resourcefilter-trafficdirection): string | required
+      - [`Services`](patches-resourcefilter-services): list
+         - [`Name`](patches-resourcefilter-services-name): string
+         - [`Namespace`](patches-resourcefilter-services-namespace): string | `default` | <EnterpriseAlert inline/>
+         - [`Partition`](patches-resourcefilter-services-partition): string | `default` | <EnterpriseAlert inline/>
+   - [`Op`](#patches-op): string | required
+   - [`Path`](#patches-path): string | required
+   - [`Value`](#patches-value): map, number, boolean, or string
+
+## Complete configuration
+
+When each field is defined, a `property-override` configuration has the following form:
+
+
+```hcl
+ProxyType = "connect-proxy"
+Debug = false
+Patches = [
+  {
+    ResourceFilter = {
+      ResourceType = "<type of resource>"
+      TrafficDirection = "<inbound or outbound>"
+      Services = [
+        {
+          Name = "<name of service to filter for>", 
+          Namespace = "<Consul namespace containing the service>"
+          Partition = "<Consul partition containing the service>"
+        }
+      ]
+    Op = "<add or remove>",
+    Path = "<path/to/field>",
+    Value = "<values or map of field-values>"
+  }
+]
+```       
+
+## Specification
+
+This section provides details about the fields you can configure for the `property-override` extension.
+
+### `ProxyType`
+
+Specifies the type of Envoy proxy that the extension applies to. The only supported value is `connect-proxy`.
+
+#### Values
+
+- Default: `connect-proxy`
+- This field is required.
+- Data type: String 
+
+### `Debug`
+
+Enables full debug mode. When `Debug` is set to `true`, all possible fields for the given `ResourceType` and first unmatched segment of `Path` are returned on error. When set to `false`, the error message only includes the first ten possible fields. 
+
+#### Values
+
+- Default: `false`
+- Data type: Boolean
+
+### `Patches[]`
+
+Specifies a list of one or more JSON Patches that map to the Envoy proxy configurations you want to modify. Refer to [IETF RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902/) for information about the JSON Patch specification. 
+
+#### Values
+
+- Default: None
+- The `Patches` parameter is a list of configurations in JSON Patch format. Each patch can contain the following fields:
+   - [`ResourceFilter`](#patches-resourcefilter)
+   - [`Op`](#patches-op)
+   - [`Path`](#patches-path)
+   - [`Value`](#patches-value)
+
+
+### `Patches[].ResourceFilter{}`
+
+Specifies the filter for targeting specific Envoy resources. The `ResourceFilter` configuration is not part of the JSON Patch specification. 
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: Map
+
+The following table describes how to configure a `ResourceFilter`:
+
+| Parameter | Description | Type |
+| ---       | ---         | ---  |
+| `ProxyType` | Specifies the proxy type that the extension applies to. The only supported value is `connect-proxy`. | String |
+| `ResourceType` | Specifies the Envoy resource type that the extension applies to. You can specify one of the following values for each `ResourceFilter`: <ul><li>`cluster`</li><li>`cluster-load-assignment`</li><li>`route`</li><li>`listener`</li></ul> | String |
+| `TrafficDirection` | Specifies the type of traffic that the extension applies to relative to the current proxy. You can specify one of the following values for each `ResourceFilter`: <ul><li>`inbound`: Targets resources for the proxy's inbound traffic.</li> <li>`outbound`: Targets resources for the proxy's upstream services.</li></ul> | String |
+| `Services` | Specifies a list of services to target. Each member of the list has the following fields:<ul><li>`Name`: Specifies the service associated with the traffic.</li><li>`Namespace`: Specifies the Consul Enterprise namespace the service is in.</li><li>`Partition`: Specifies the Consul Enterprise admin partition the service is in.</li> </ul>If `TrafficDirection` is set to `outbound`, upstream services in this field correspond to local Envoy resources that Consul patches at runtime. <p>Do not configure the `Services` field if `TrafficDirection` is set to `inbound`.</p> If this field is not set, Envoy targets all applicable resources. When patching outbound listeners, the patch includes the outbound transparent proxy listener only if `Services` is unset and if the local service is in transparent proxy mode. | List of maps |
+
+### `Patches[].Op`
+
+Specifies the JSON Patch operation to perform when the `ResourceFilter` matches a local Envoy proxy configuration. You can specify one of the following values for each patch:
+
+- `add`: Replaces a property or message specified by [`Path`](#patches-path) with the given value. The JSON patch format does not merge objects. To emulate merges, you must configure discrete `add` operations for each changed field. Consul returns an error if the target field does not exist in the corresponding schema.
+- `remove`: Unsets the value of the field specified by [`Path`](#patches-path). If the field is not set, no changes are made. Consul returns an error if the target field does not exist in the corresponding schema.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type is one of the following string values:
+   - `add`
+   - `remove`
+
+### `Patches[].Path`
+
+Specifies where the extension performs the associated operation on the specified resource type. Refer to [`ResourceType`](#patches-resourcefilter) for information about specifying a resource type to target. Refer to [`Op`](#patches-op) for information about setting an operation to perform on the resources. 
+
+The `Path` field does not support addressing array elements or protobuf map field entries. Refer to [Constructing paths](/consul/docs/connect/proxies/envoy-extensions/usage/property-override#constructing-paths) for information about how to construct paths. 
+
+When setting fields, the extension sets any unset intermediate fields to their default values. A a single operation on a nested field can set multiple intermediate fields. Because Consul sets the intermediate fields to their default values, you may need to configure subsequent patches to satisfy Envoy or Consul validation. 
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: String
+
+### `Patches[].Value{}`
+
+Defines a value to set at the specified [path](#patches-path) if the [operation](#patches-op) is set to `add`.  You can specify either a scalar or enum value or define a map that contains string keys and values corresponding to scalar or enum child fields. Refer to the [example configurations](#examples) for additional guidance and to the [Envoy API documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/api) for additional information about Envoy proxy interfaces.
+
+If Envoy specifies a wrapper as the target field type, the extension automatically coerces simple values to the wrapped type when patching. For example, the value `32768` is allowed when targeting a cluster's `per_connection_buffer_limit_bytes`, which is a `UInt32Value` field. Refer to the [protobuf documentation](https://github.com/protocolbuffers/protobuf/blob/main/src/google/protobuf/wrappers.proto) for additional information about wrappers.
+#### Values
+
+- Default: None
+- This field is required if [`Op`](#patches-op) is set to `add`, otherwise you must omit the field.
+- This field takes one of the following data types:
+   - scalar
+   - enum
+   - map 
+
+## Examples
+
+The following examples demonstrate patterns that you may be able to model your configurations on.
+
+### Enable `enforcing_consecutive_5xx` outlier detection 
+
+In the following example, the `add` operation patches an outlier detection property into outbound cluster traffic. The `Path` specifies the `enforcing_consecutive_5xx` interface and sets a value of `1234`:
+
+```hcl
+Kind = "service-defaults"
+Name = "my-svc"
+Protocol = "http"
+EnvoyExtensions = [
+  {
+    Name = "builtin/property-override",
+    Arguments = {
+      ProxyType = "connect-proxy",
+      Patches = [
+        {
+          "ResourceFilter" = {
+            "ResourceType" = "cluster",
+            "TrafficDirection" = "outbound",
+            "Service" = {
+              "Name" = "other-svc"
+            },
+          },
+          "Op" = "add",
+          "Path" =  "/outlier_detection/enforcing_consecutive_5xx",
+          "Value" = 1234,
+        }
+      ]
+    }
+  }
+]
+```
+
+### Update multiple values in the default map
+
+In the following example, two `ResourceFilter` blocks target outbound traffic to the `db` service and add `/outlier_detection/enforcing_consecutive_5xx` and `/outlier_detection/failure_percentage_request_volume` properties:
+
+```hcl
+Kind = "service-defaults"
+Name = "my-svc"
+Protocol = "http"
+EnvoyExtensions = [
+  {
+    Name = "builtin/property-override",
+    Arguments = {
+      ProxyType = "connect-proxy",
+      Patches = [
+        {
+          ResourceFilter = {
+            ResourceType = "cluster",
+            TrafficDirection = "outbound",
+            Services = [{
+              Name = "other-svc"
+            }],
+          },
+          Op = "add",
+          Path =  "/outlier_detection/enforcing_consecutive_5xx",
+          Value = 1234,
+        },
+        {
+          ResourceFilter = {
+            ResourceType = "cluster",
+            TrafficDirection = "outbound",
+            Services = [{
+              Name = "other-svc"
+            }],
+          },
+          Op = "add",
+          Path =  "/outlier_detection/failure_percentage_request_volume",
+          Value = 2345,
+        }
+      ]
+    }
+  }
+]
+```
+
+### Set multiple values that replace the map
+
+In the following example, a `ResourceFilter` targets outbound traffic to the `db` service and replaces the map of properties located at `/outlier_detection` with `enforcing_consecutive_5xx` and `failure_percentage_request_volume` and properties:
+
+```hcl
+Kind = "service-defaults"
+Name = "my-svc"
+Protocol = "http"
+EnvoyExtensions = [
+  {
+    Name = "builtin/property-override",
+    Arguments = {
+      ProxyType = "connect-proxy",
+      Patches = [
+        {
+          ResourceFilter = {
+            ResourceType = "cluster",
+            TrafficDirection = "outbound",
+            Services = [{
+              Name = "other-svc"
+            }],
+          },
+          Op = "add",
+          Path =  "/outlier_detection",
+          Value = {
+            "enforcing_consecutive_5xx" = 1234,
+            "failure_percentage_request_volume" = 2345,
+          },
+        }
+      ]
+    }
+  }
+]
+```
diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx b/website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx
new file mode 100644
index 000000000000..ed1e2061a5d5
--- /dev/null
+++ b/website/content/docs/connect/proxies/envoy-extensions/configuration/wasm.mdx
@@ -0,0 +1,484 @@
+---
+layout: docs
+page_title: WebAssembly extension configuration reference 
+description: Learn how to configure the wasm Envoy extension, which is a builtin Consul extension that allows you to run WebAssembly plugins in Envoy proxies.
+---
+
+# WebAssembly extension configuration reference 
+
+This topic describes how to configure the `wasm` extension, which directs Consul to run WebAssembly (Wasm) plugins in Envoy proxies. Refer to [Run WebAssembly plug-ins in Envoy proxy](/consul/docs/connect/proxies/envoy-extensions/usage/wasm) for usage information.
+
+## Configuration model
+
+The following list outlines the field hierarchy, data types, and requirements for the `wasm` configuration. Place the configuration inside the `EnvoyExtension.Arguments` field in the proxy defaults or service defaults configuration entry. Refer the following documentation for additional information:
+
+- [`EnvoyExtensions` in proxy defaults](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions)
+- [`EnvoyExtensions` in service defaults](/consul/docs/connect/config-entries/service-defaults#envoyextensions)
+
+Click on a property name to view additional details, including default values.
+  
+- [`Protocol`](#protocol): string 
+- [`ListenerType`](#listenertype): string | required
+- [`ProxyType`](#proxytype): string | `connect-proxy`
+- [`PluginConfig`](#pluginconfig): map | required
+   - [`Name`](#pluginconfig-name): string
+   - [`RootID`](#pluginconfig-rootid): string | required
+   - [`VmConfig`](#pluginconfig-vmconfig): map
+      - [`VmID`](#pluginconfig-vmconfig-vmid): string 
+      - [`Runtime`](#pluginconfig-vmconfig): string | `v8`
+      - [`Code`](#pluginconfig-vmconfig-code): map
+         - [`Local`](#pluginconfig-vmconfig-code-local): map
+            - [`Filename`](#pluginconfig-vmconfig-code-local): string
+         - [`Remote`](#pluginconfig-vmconfig-code-remote): map
+            - [`HttpURI`](#pluginconfig-vmconfig-code-remote-httpuri): map
+               - [`Service`](#pluginconfig-vmconfig-code-remote-httpuri-service): map
+                  - [`Name`](#pluginconfig-vmconfig-code-remote-httpuri-service): string
+                  - [`Namespace`](#pluginconfig-vmconfig-code-remote-httpuri-service): string
+                  - [`Partition`](#pluginconfig-vmconfig-code-remote-httpuri-service): string
+               - [`URI`](#pluginconfig-vmconfig-code-remote-httpuri-uri): string
+               - [`Timeout`](#pluginconfig-vmconfig-code-remote-httpuri-timeout): string
+            - [`SHA256`](#pluginconfig-vmconfig-code-remote-sha256): string
+            - [`RetryPolicy`](#pluginconfig-vmconfig-code-remote-retrypolicy): map
+               - [`RetryBackOff`](#pluginconfig-vmconfig-code-remote-retrypolicy-retrybackoff): map
+                  - [`BaseInterval`](#pluginconfig-vmconfig-code-remote-retrypolicy-retrybackoff): string
+                  - [`MaxInterval`](#pluginconfig-vmconfig-code-remote-retrypolicy-retrybackoff): string
+               - [`NumRetries`](#pluginconfig-vmconfig-code-remote-retrypolicy-numretries): number | `-1`
+      - [`Configuration`](#pluginconfig-vmconfig-configuration): string
+      - [`EnvironmentVariables`](#pluginconfig-vmconfig-environmentvariables): map
+         - [`HostEnvKeys`](#pluginconfig-vmconfig-environmentvariables-hostenvkeys): list of strings
+         - [`KeyValues`](#pluginconfig-vmconfig-environmentvariables-keyvalues): map
+   - [`Configuration`](#pluginconfig-configuration): string
+   - [`CapabilityRestrictionConfiguration`](#pluginconfig-vmconfig-capabilityrestrictionconfiguration): map
+      - [`AllowedCapabilities`](#pluginconfig-vmconfig-capabilityrestrictionconfiguration): map of strings
+
+## Complete configuration
+
+When all parameters are set for the extension, the configuration has the following form:
+
+```hcl
+Protocol = "<tcp or http>" 
+ListenerType = "<inbound or outbound>"
+ProxyType = "connect-proxy"
+PluginConfig = {
+   Name = "<name for the filter>"
+   RootID = "<ID for the set of filters on a VM>"
+   VmConfig = {
+      VmID = "<ID of the VM>"
+      Runtime = "v8"
+      Code = {
+         Local = {      # Set either `Local` or `Remote', not both
+            Filename = "</path/to/plugin>"
+         }
+         Remote = {     # Set either `Local` or `Remote', not both
+            HttpURI =  {
+               Service = {
+                  Name = "<name of the upstream service>"
+                  Namespace = "<Consul namespace containing the usptream service>"
+                  Partition = "<Consul partition containing the upstream service>"
+               }
+               URI = "<URI of the plugin data>"
+               Timeout = "1s"
+            SHA256 = "<SHA256 for verifying the remote data>"
+            RetryPolicy = {
+                  RetryBackOff = {
+                     BaseInterval = "1s"
+                     MaxInterval = "10s" 
+                  }
+                  NumRetries = -1
+               }
+            }
+      Configuration = "<configuration passed to plugin on VM startup>"
+      EnvironmentVariables = {
+         HostEnvKeys = [ 
+            <"keys"> 
+         ]
+         KeyValues = {
+            [ 
+               <"key = value"> 
+            ]
+         }
+      }
+   Configuration = "<configuration passed to plugin on plugin startup>"
+   CapabilityRestrictionConfiguration = {
+      AllowedCapabilities = {
+         "fd_read"        = {}
+         "fd_seek"        = {}
+         "environ_get"    = {}
+         "clock_get_time" = {}
+      }
+   }
+}
+```
+
+## Specification
+
+This section provides details about the fields you can configure for the `wasm` extension.
+
+### `Protocol`
+
+Specifies the type of Wasm filter to apply. You can set either `tcp` or `http`. Set the `Protocol` to the protocol that the Wasm plugin implements when loaded by the filter. For Consul to apply the filter, the protocol must match the service’s protocol.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type is one of the following string values:
+  - `tcp`
+  - `http`
+
+### `ListenerType`
+
+Specifies the type of listener the extension applies to. The listener type is either `inbound` or `outbound`. If the listener type is set to `inbound`, Consul applies the extension so the Wasm plugin is run when other services in the mesh send messages to the service attached to the proxy. If the listener type is set to `outbound`, Consul applies the extension so the Wasm plugin is run when the attached proxy sends messages to other services in the mesh. 
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type is one of the following string values:
+  - `inbound`
+  - `outbound`
+
+### `ProxyType`
+
+Specifies the type of Envoy proxy that the extension applies to. The only supported value is `connect-proxy`.
+
+#### Values
+
+- Default: `connect-proxy`
+- This field is required.
+- Data type: String 
+
+### `PluginConfig{}`
+
+Map containing the following configuration parameters for your Wasm plugin:
+
+- [`Name`](#pluginconfig-name)
+- [`RootID`](#pluginconfig-rootid)
+- [`VmConfig`](#pluginconfig-vmconfig)
+- [`Configuration`](#pluginconfig-configuration)
+- [`CapabilitiesRestrictionConfiguration`](#pluginconfig-capabilitiesrestrictionconfiguration)
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: Map
+
+### `PluginConfig{}.Name`
+
+Specifies a unique name for a filter in a VM. Envoy uses the name to identify specific filters if multiple filters are processed on a VM with the same `VmID` and `RootID`. The name also appears in logs for debugging purposes.
+
+#### Values
+
+- Default: None
+- Data type: String
+
+### `PluginConfig{}.RootID`
+
+Specifies a unique ID for a set of filters in a VM that share a `RootContext` and `Contexts`, such as a Wasm `HttpFilter` and a Wasm `AccessLog`, if applicable. All filters with the same `RootID` and `VmID` share `Context`s.
+
+#### Values
+
+- Default: None
+- Data type: String
+
+### `PluginConfig{}.VmConfig{}`
+
+Map containing the following configuration parameters for the VM that runs your Wasm plugin:
+
+- [`VmID`](#pluginconfig-vmconfig-vmid)
+- [`Runtime`](#pluginconfig-vmconfig-runtime)
+- [`Code`](#pluginconfig-vmconfig-code)
+- [`Configuration`](#pluginconfig-vmconfig-configuration)
+- [`EnvironmentVariables`](#pluginconfig-vmconfig-environmentvariables)
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+### `PluginConfig{}.VmConfig{}.VmID`
+
+Specifies an ID that Envoy uses with a hash of the Wasm code to determine which VM runs the plugin. All plugins with the same `VmID` and `Code` use the same VM. If unspecified, all plugins with the same code run in the same VM.  Sharing a VM between plugins may have security implications, but can reduce memory utilization and can make data sharing easier.
+
+#### Values
+
+- Default: None
+- Data type: String
+
+### `PluginConfig{}.VmConfig{}.Runtime`
+
+Specifies the type of Wasm runtime. 
+#### Values
+
+- Default: `v8`
+- Data type is one of the following string values:
+  - `v8`
+  - `wastime`
+  - `wamr`
+  - `wavm`
+
+### `PluginConfig{}.VmConfig{}.Code{}`
+
+Map containing one of the following configuration parameters:
+
+- [`Local`](#pluginconfig-vmconfig-code-local)
+- [`Remote`](#pluginconfig-vmconfig-code-local)
+
+You can configure either `Local` or `Remote`, but not both. The `Code` block instructs Consul how to find the Wasm plugin code for Envoy to execute. 
+
+#### Values
+
+- Default: None
+- This field is  required.
+- Data type is a map containing one of the following configurations:
+  - [`Local`](#pluginconfig-vmconfig-code-local)
+  - [`Remote`](#pluginconfig-vmconfig-code-local)
+
+### `PluginConfig{}.VmConfig{}.Code{}.Local{}`
+
+Instructs Envoy to load the plugin code from a local volume. Do not configure the `Local` parameter if the plugin code is on a remote server. 
+
+The `Local` field is a map that contains a `Filename` parameter. The `Filename` parameter takes a string value that specifies the path to the plugin on the local file system. 
+
+Local plug-ins are not supported in Kubernetes-orchestrated environments.
+
+#### Values
+
+- Default: None
+- Data type is a map containing the `Filename` parameter. The `Filename` parameter takes a string value that specifies the path to the plugin on the local file system.
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}`
+
+Instructs Envoy to load the plugin code from a remote server. Do not configure the `Remote` parameter if the plugin code is on the local VM. 
+
+The `Remote` field is a map containing the following parameters:
+
+- [`HttpURI`](#pluginconfig-vmconfig-code-remote-httpuri)
+- [`SHA256`](#pluginconfig-vmconfig-code-remote-sha256)
+- [`RetryPolicy`](#pluginconfig-vmconfig-code-remote-retrypolicy)
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.HttpURI{}`
+
+Specifies the configuration for fetching the remote data. The `HttpURI` field is a map containing the following parameters:
+
+- [`Service`](#pluginconfig-vmconfig-code-remote-httpuri-service)
+- [`URI`](#pluginconfig-vmconfig-code-remote-httpuri-uri)
+- [`Timeout`](#pluginconfig-vmconfig-code-remote-httpuri-uri)
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.HttpURI{}.Service`
+
+Specifies the upstream service to fetch the remote plugin from. 
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the fields you can specify in the `Service` map:
+
+| Parameter | Description | Data type | Default |
+| ---       | ---         | ---       | ---     |
+| `Name` | Specifies the name of the upstream service. | String | None |
+| `Namespace` | <EnterpriseAlert inline/> Specifies the Consul namespace that the upstream service belongs to. | String | `default` |
+| `Partition` | <EnterpriseAlert inline/> Specifies the Consul admin partition that the upstream service belongs to. | String | `default` |
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.HttpURI{}.URI`
+
+Specifies the URI Envoy uses to fetch the plugin file from the upstream. This field is required for Envoy to retrieve plugin code from a remote location. You must specify the fully-qualified domain name (FDQN) of the remote URI, which includes the protocol, host, and path.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: String value that specifies a FDQN
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.HttpURI{}.Timeout`
+
+Specifies the maximum duration that a response can take to complete the request for the plugin data. 
+
+#### Values
+
+- Default: `1s`
+- Data type: String
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.SHA256`
+
+Specifies the required SHA256 string for verifying the remote data.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: String
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.RetryPolicy{}`
+
+Defines a policy for retrying requests to the upstream service when fetching the plugin data. The `RetryPolicy` field is a map containing the following parameters:
+
+- [`RetryBackoff`](#pluginconfig-vmconfig-code-remote-retrypolicy)
+- [`NumRetries`](#pluginconfig-vmconfig-code-remote-numretries)
+
+#### Values
+
+- Default: None
+- Data type: Map
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.RetryPolicy{}.RetryBackOff{}`
+
+Specifies parameters that control retry backoff strategy. 
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the fields you can specify in the `RetryBackOff` map:
+
+| Parameter | Description | Data type | Default |
+| ---       | ---         | ---       | ---     |
+| `BaseInterval` | Specifies the base interval for determining the next backoff computation. Set a value greater than `0` and less than or equal to the `MaxInterval` value.  | String | `1s` |
+| `MaxInterval` | Specifies the maximum interval between retries. Set the value greater than or equal to the `BaseInterval` value. | String | `10s` |
+
+### `PluginConfig{}.VmConfig{}.Code{}.Remote{}.RetryPolicy{}.NumRetries`
+
+Specifies the number of times Envoy retries to fetch plugin data if the initial attempt is unsuccessful.
+
+#### Values
+
+- Default: `1`
+- Data type: Integer
+
+### `PluginConfig{}.VmConfig{}.Configuration`
+
+Specifies the configuration Envoy encodes as bytes and passes to the plugin during VM startup. Refer to [`proxy_on_vm_start` in the Proxy Wasm ABI documentation](https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT#proxy_on_vm_start) for additional information.
+
+#### Values
+
+- Default: None
+- This field is required.
+- Data type: String
+
+### `PluginConfig{}.VmConfig{}.EnvironmentVariables{}`
+
+Specifies environment variables for Enovy to inject into this VM so that they are available through WASI’s `environ_get` and `environ_get_sizes` system calls. 
+
+In most cases, WASI calls the functions implicitly in your language’s standard library. As a result, you do not need to call them directly. You can also access environment variables as you would on native platforms. 
+
+Envoy rejects the configuration if there’s conflict of key space.
+
+The `EnvironmentVariables` field is a map containing parameters for setting the keys and values.
+
+#### Values
+
+- Default: None
+- Data type: Map
+
+The following table describes the parameters contained in the `EnvironmentVariables` map:
+
+| Parameter | Description | Data type | Default |
+| ---       | ---         | ---       | ---     |
+| `HostEnvKeys` | Specifies a list of Envoy environment variable keys to expose to the VM. If a key exists in Envoy’s environment variables, then the key-value pair is injected. Envoy ignores `HostEnvKeys` that do not exist in its environment variables. | List | None |
+| `KeyValues` | Specifies a map of explicit key-value pairs to inject into the VM. | <nobr>Map of </nobr>string keys and values | None |
+
+### `PluginConfig{}.Configuration`
+
+Specifies the configuration Consul encodes as bytes and passes to the plugin during plugin startup. Refer to [`proxy_on_configure` in the Envoy documentation](https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT#proxy_on_configure) for additional information.
+
+#### Values
+
+- Default: None
+- Data type: String
+
+### `PluginConfig{}.CapabilityRestrictionConfiguration{}`
+
+Specifies a configuration for restricting the proxy-Wasm capabilities that are available to the module. 
+
+The `CapabilityRestrictionConfiguration` field is a map that contains a `AllowedCapabilities` parameter. The `AllowedCapabilities` parameter takes a map of string values that correspond to Envoy capability names. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-capabilityrestrictionconfig) for additional information.
+
+!> **Security warning**: Consul ignores the value that each capability maps to. You can leave the `AllowedCapabilities` empty to allow all capabilities, but doing so gives the configured plugin full unrestricted access to the runtime API provided by the Wasm VM. You must set this to a non-empty map if you want to restrict access to specific capabilities provided by the Wasm runtime API.  
+
+#### Values
+
+- Default: `""`
+- Data type is a map containing the `AllowedCapabilities` parameter. The `AllowedCapabilities` parameter takes a map of string values that correspond to Envoy capability names. Refer to the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-capabilityrestrictionconfig) for additional information. 
+
+## Examples
+
+The following examples demonstrate patterns that you may be able to model your configurations on.
+
+### Run a Wasm plugin from a local file
+
+In the following example, Consul figures the Envoy proxy for the `db` service with an inbound TCP Wasm filter that uses the plugin code from the local `/consul/extensions/sqli.wasm` file.
+
+```hcl
+
+Kind = "service-defaults"
+Name = "db"
+Protocol = "tcp"
+EnvoyExtensions = [
+  {
+    Name      = "builtin/wasm"
+    Required  = true
+    Arguments = {
+      Protocol = "tcp"
+      ListenerType = “inbound”
+      PluginConfig = {
+        VmConfig = {
+          Code = {
+            Local = {
+              Filename = "file:///consul/extensions/sqli.wasm"
+            }
+          }
+        }
+        Configuration = <<EOF
+{
+  "key": "value"
+}
+EOF
+      }
+    }
+  }
+]
+```
+
+### Run a Wasm plugin from a remote file
+
+In the following example, Consul configures the Envoy proxy for all HTTP services with an HTTP Wasm filter. The filter uses the plugin code from a remote `https://extension-server/waf.wasm` file. The Envoy proxy for each service fetches the remote file and verify the SHA256 checksum. The proxy times if Consul cannot fetch the remote plugin after three seconds. 
+
+```hcl
+Kind   = "proxy-defaults"
+Name   = "global"
+EnvoyExtensions = [
+  {
+    Name      = "builtin/wasm"
+    Arguments = {
+      Protocol = "http"
+      ListenerType = “inbound”
+      PluginConfig = {
+        VmConfig = {
+          Code = {
+            Remote = {
+              HttpURI = {
+                URI     = "https://extension-server/waf.wasm"
+                Timeout = "3s"
+              }
+              SHA256 = "ef57657e..."
+            }
+          }
+        }
+        Configuration = "..."
+      }
+    }
+  }
+]
+```
diff --git a/website/content/docs/connect/proxies/envoy-extensions/index.mdx b/website/content/docs/connect/proxies/envoy-extensions/index.mdx
index 86648f9a9717..eb8056ee659b 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/index.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/index.mdx
@@ -18,15 +18,30 @@ Instead of modifying Consul code, you can configure your services to use Envoy e
 
 ## Supported extensions
 
-Envoy extensions enable additional service mesh functionality in Consul by changing how the sidecar proxies behave. Extensions invoke custom code when traffic passes through an Envoy proxy. Consul supports the following extensions:
+Envoy extensions enable additional service mesh functionality in Consul by changing how the sidecar proxies behave. Extensions dynamically modify the configuration of Envoy proxies based on Consul configuration entries, enabling a wider set of use cases for the service mesh  traffic that passes through an Envoy proxy. Consul supports the following extensions:
 
+- External authorization
 - Lua
 - Lambda
+- Property override
+- WebAssembly (Wasm) 
 
-### Lua
+### External authorization
 
-The `lua` Envoy extension enables HTTP Lua filters in your Consul Envoy proxies. It allows you to run Lua scripts during Envoy requests and responses from Consul-generated Envoy resources. Refer to the [`lua`](/consul/docs/connect/proxies/envoy-extensions/usage/lua) documentation for more information.
+The `ext-authz` extension lets you configure external authorization filters for Envoy proxy so that you can route requests to external authorization systems. Refer to the [external authorization documentation](/consul/docs/connect/proxies/envoy-extensions/usage/ext-authz) for more information.
 
 ### Lambda
 
-The `lambda` Envoy extension enables services to make requests to AWS Lambda functions through the mesh as if they are a normal part of the Consul catalog. Refer to the [`lambda`](/consul/docs/connect/proxies/envoy-extensions/usage/lambda) documentation for more information.
+The `lambda` Envoy extension enables services to make requests to AWS Lambda functions through the mesh as if they are a normal part of the Consul catalog. Refer to the [Lambda extension documentation](/consul/docs/connect/proxies/envoy-extensions/usage/lambda) for more information.
+
+### Lua
+
+The `lua` Envoy extension enables HTTP Lua filters in your Consul Envoy proxies. It allows you to run Lua scripts during Envoy requests and responses from Consul-generated Envoy resources. Refer to the [Lua extension documentation](/consul/docs/connect/proxies/envoy-extensions/usage/lua) for more information.
+
+### Property override
+
+The `property-override` extension lets you set and unset individual properties pm the Envoy resources that Consul generates. Use the extension instead of [escape-hatch overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) to enable advanced Envoy configuration. Refer to the [property override documentation](/consul/docs/connect/proxies/envoy-extensions/usage/property-override) for more information.
+
+### WebAssembly
+
+The `wasm` extension enables you to configure TCP and HTTP filters that invoke custom WebAssembly (Wasm) plugins. Refer to the [WebAssembly extenstion documentation](/consul/docs/connect/proxies/envoy-extensions/usage/wasm) for more information.
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx
new file mode 100644
index 000000000000..f3cc5432846b
--- /dev/null
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx
@@ -0,0 +1,147 @@
+---
+layout: docs
+page_title: Delegate authorization to an external service
+description: Learn how to use the `ext-authz` Envoy extension to delegate data plane authorization requests to external systems. 
+---
+
+# Delegate authorization to an external service
+
+This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to external systems. 
+
+## Workflow
+
+Complete the following steps to use the external authorization extension:
+
+1. Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. 
+1. Apply the configuration entry.
+
+## Add the `EnvoyExtensions`
+
+Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
+
+- When you configure Envoy extensions on proxy defaults, they apply to every service.
+- When you configure Envoy extensions on service defaults, they apply to a specific service.
+
+Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may  override configurations in proxy defaults.
+
+The following example shows a service defaults configuration entry for the `api` service that directs the Envoy proxy to make gRPC authorization requests to the `authz` service:
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+<CodeBlockConfig filename="api-auth-service-defaults.hcl">
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+EnvoyExtensions = [
+  {
+    Name = "builtin/ext-authz"
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Config = {
+        GrpcService = {
+          Target = {
+            Service = {
+              Name = "authz"
+            }
+          }
+        }
+      }
+    }
+  }
+]
+```
+</CodeBlockConfig>
+</Tab>
+<Tab heading="HCL" group="hcl">
+<CodeBlockConfig filename="api-auth-service-defaults.json">
+
+```json
+"Kind": "service-defaults",
+"Name": "api",
+"EnvoyExtensions": [{
+  "Name": "builtin/ext-authz",
+  "Arguments": {
+    "ProxyType": "connect-proxy",
+    "Config": {
+      "GrpcService": {
+        "Target": {
+          "Service": {
+            "Name": "authz"
+            }
+          }
+        }
+      }
+    }
+  }
+]
+```
+
+</CodeBlockConfig>
+</Tab>
+<Tab heading="Kubernetes" group="yaml">
+<CodeBlockConfig filename="api-auth-service-defaults">
+
+```yaml
+kind: ServiceDefaults
+name: api
+envoyExtensions:
+  - name: builtin/ext-authz
+    arguments:
+      proxyType: connect-proxy
+      config:
+        grpcService:
+          target:
+            service:
+              name: authz
+```
+</CodeBlockConfig>
+</Tab>
+</Tabs>
+
+Refer to the [external authorization extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/ext-authz) for details on how to configure the extension. 
+
+Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. 
+
+!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
+
+### Unsupported Envoy configuration fields
+
+The following Envoy configurations are not supported:
+
+| Configuration | Workaround |
+| --- | --- |
+| `deny_at_disable` | Disable filter by removing it from the service’s configuration in the configuration entry. |
+| `failure_mode_allow` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults#envoyextensions) or [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions). |
+| `filter_enabled` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults#envoyextensions) or [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions). |
+| `filter_enabled_metadata` | Set the `EnvoyExtension.Required` field to `true` in the [service defaults configuration entry](/consul/docs/connect/config-entries/service-defaults#envoyextensions) or [proxy defaults configuration entry](/consul/docs/connect/config-entries/proxy-defaults#envoyextensions). |
+| `transport_api_version` | Consul only supports v3 of the transport API. As a result, there is no workaround for implement the behavior of this field. |
+
+## Apply the configuration entry
+
+If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry.
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+
+```shell-session
+$ consul config write api-auth-service-defaults.hcl
+```
+
+</Tab>
+<Tab heading="JSON" group="json">
+
+```shell-session
+$ consul config write api-auth-service-defaults.json
+
+```
+
+</Tab>
+<Tab heading="Kubernetes" group="kubernetes">
+
+```shell-session
+$ kubectl apply api-auth-service-defaults.yaml
+```
+
+</Tab>
+</Tabs>
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx
new file mode 100644
index 000000000000..505d57fa5869
--- /dev/null
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/property-override.mdx
@@ -0,0 +1,203 @@
+--- 
+layout: docs
+page_title: Configure Envoy proxy properties
+description: Learn how to use the property-override extension for Envoy proxies to set and remove individual properties for the Envoy resources Consul generates.
+---
+
+# Configure Envoy proxy properties
+
+This topic describes how to use the `property-override` extension to set and remove individual properties for the Envoy resources Consul generates. The extension uses the [protoreflect](https://pkg.go.dev/google.golang.org/protobuf/reflect/protoreflect), which enables Consul to dynamically manipulate messages.
+
+## Workflow
+
+- Complete the following steps to use the `property-override` extension:
+- Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. 
+- Apply the configuration entry.
+
+!> **Security warning**: The property override extension is an advanced feature capable of introducing unintended consequences or reducing cluster security if used incorrectly. Consul does not enforce TLS retention, intentions, or other security-critical components of the Envoy configuration. Additionally, Consul does not verify that the configuration does not contain errors that affect service traffic.
+
+## Add the `EnvoyExtensions`
+
+Add Envoy extension configurations to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
+
+- When you configure Envoy extensions on proxy defaults, they apply to every service.
+- When you configure Envoy extensions on service defaults, they apply to a specific service.
+
+Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may  override configurations in proxy defaults.
+
+In the following service defaults configuration entry example, Consul adds a new `/upstream_connection_options/tcp_keepalive/keepalive_probes-5` field to each of the proxy's cluster configuration for the outbound `db`service upstream. The configuration applies to all `connect-proxy` proxies with services configured to communicate over HTTP:
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+<CodeBlockConfig filename="property-override-extension-service-defaults.hcl">
+
+```hcl
+Kind = "service-defaults"
+Name = "global"
+Protocol  = "http"
+EnvoyExtensions = [ 
+  {
+    Name = "builtin/property-override"
+    Arguments = {
+      ProxyType = "connect-proxy",
+      Patches = [
+        {
+          ResourceFilter  = {
+	     ResourceType  = "cluster", 
+            TrafficDirection  = "outbound"
+            Services = [{
+               Name =  "other-svc"
+            }],
+          Op = "add"
+          Path = "/upstream_connection_options/tcp_keepalive/keepalive_probes",
+          Value = 5,
+        }
+      ]  
+   }
+]
+```
+</CodeBlockConfig>
+</Tab>
+
+<Tab heading="JSON" group="json">
+<CodeBlockConfig filename="property-override-extension-service-defaults.json">
+
+```json
+"kind": "service-defaults",
+"name": "global",
+"protocol": "http",
+"envoy_extensions": [{
+  "name": "builtin/property-override",
+  "arguments": {
+    "proxyType": "connect-proxy",
+    "patches": [{
+      "resourceFilter": {
+        "resourceType": "cluster", 
+        "trafficDirection": "outbound",
+        "services": [{ "name":  "other-svc" }],
+        "op": "add",
+        "path": "/upstream_connection_options/tcp_keepalive/keepalive_probes",
+        "value": 5
+       }
+    }]
+  }
+}]
+```
+</CodeBlockConfig>
+</Tab>
+<Tab heading="Kubernetes" group="kubernetes">
+<CodeBlockConfig filename="property-override-extension-proxy-defaults.yaml">
+
+```yaml
+apiversion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: global
+spec:
+  protocol: http
+  envoyExtensions:
+    name = "builtin/property-override"
+    arguments: 
+      proxyType: "connect-proxy",
+      patches: 
+      - resourceFilter: 
+          resourceType: "cluster" 
+          trafficDirection: "outbound"
+          services: 
+            - name:  "other-svc"
+        op: "add"
+        path: "/upstream_connection_options/tcp_keepalive/keepalive_probes",
+        value: 5
+```
+
+</CodeBlockConfig>
+</Tab>
+</Tabs>
+
+
+Refer to the [property override configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override) for details on how to configure the extension. 
+
+Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. 
+
+!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
+
+### Constructing paths
+
+To target the properties for an Envoy resource type, you must specify the path where the properties exist in the [`Path` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#patches-path) of the property override extension configuration. Set the `Path` field to an empty or partially invalid string when saving the configuration entry and Consul returns an error with a list of supported fields for the first unrecognized segment of the path. By default, Consul only returns the first ten fields, but you can set the [`Debug` field](/consul/docs/connect/proxies/envoy-extensions/configuration/property-override#debug) to `true`  to direct Consul to output all possible fields. 
+
+In the following example, Consul outputs the top-level fields available for the Envoy cluster resource:
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+EnvoyExtensions = [
+  {
+    Name = "builtin/property-override"
+    Arguments = {
+      ProxyType = "connect-proxy"
+      Patches = [
+        {
+          ResourceFilter = {
+            ResourceType = "cluster"
+            TrafficDirection = "outbound"
+          }
+          Op = "add"
+          Path =  ""
+          Value =  5
+         }
+      ]
+    }
+  }
+]
+```
+
+After applying the configuration entry, Consul prints a message that includes the possible fields for the resource:
+
+```shell-session
+$ consul config write api.hcl
+non-empty, non-root Path is required. available cluster fields:
+/outlier_detection
+/outlier_detection/enforcing_consecutive_5xx
+/outlier_detection/failure_percentage_request_volume
+/round_robin_lb_config
+/round_robin_lb_config/slow_start_config
+```
+
+You can use the output to help you construct the appropriate value for the `Path` field. For example:
+
+```shell-session
+$ consul config write api.hcl | grep round_robin
+/round_robin_lb_config
+```
+
+
+
+
+## Apply the configuration entry
+
+If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry.
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+
+```shell-session
+$ consul config write property-override-extension-service-defaults.hcl
+```
+
+</Tab>
+<Tab heading="JSON" group="json">
+
+```shell-session
+$ consul config write property-override-extension-service-defaults.json
+
+```
+
+</Tab>
+<Tab heading="Kubernetes" group="kubernetes">
+
+```shell-session
+$ kubectl apply property-override-extension-service-defaults.yaml
+```
+
+</Tab>
+</Tabs>
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx
new file mode 100644
index 000000000000..e384d7545810
--- /dev/null
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx
@@ -0,0 +1,191 @@
+--- 
+layout: docs
+page_title: Run WebAssembly plug-ins in Envoy proxy
+description: Learn how to use the Consul wasm extension for Envoy, which directs Consul to run your WebAssembly (Wasm) plugins for Envoy proxies in your service mesh.
+---
+
+
+# Run WebAssembly plug-ins in Envoy proxy     
+
+This topic describes how to use the `wasm` extension, which directs Consul to run your WebAssembly (Wasm) plug-ins for Envoy proxies. 
+
+## Workflow
+
+You can create Wasm plugins for Envoy and integrate them using the `wasm` extension. Wasm is a binary instruction format for stack-based virtual machines that has the potential to run anywhere after it has been compiled. Wasm plug-ins run as filters in a service mesh application's sidecar proxy.
+
+The following steps describe the process of integrating Wasm plugins:
+
+- Create your Wasm plugin. You must ensure that your plugin functions as expected. Refer to the [WebAssembly website](https://webassembly.org/) for information and links to documentation.
+- Configure an `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry. 
+- Apply the configuration entry.
+
+## Add the `EnvoyExtensions`
+
+Add Envoy extension configuration to a proxy defaults or service defaults configuration entry. Place the extension configuration in an `EnvoyExtensions` block in the configuration entry.
+
+- When you configure Envoy extensions on proxy defaults, they apply to every service.
+- When you configure Envoy extensions on service defaults, they apply to a specific service.
+
+Consul applies Envoy extensions configured in proxy defaults before it applies extensions in service defaults. As a result, the Envoy extension configuration in service defaults may override configurations in proxy defaults.
+
+In the following example, the extension uses an upstream service named `file-server` to serve a Wasm-based web application firewall (WAF). 
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+<CodeBlockConfig filename="wasm-extension-serve-waf.hcl">
+
+```hcl
+Kind = "service-defaults"
+Name = "api"
+Protocol = "http"
+EnvoyExtensions = [
+  {
+    Name = "builtin/wasm"
+    Arguments = {
+      Protocol = "http"
+      ListenerType = "inbound"
+      PluginConfig = {
+        VmConfig = {
+          Code = {
+            Remote = {
+              HttpURI = {
+                Service = {
+                  Name = "file-server"
+                }
+                URI = "https://file-server/waf.wasm"
+              }
+              SHA256  = "c9ef17f48dcf0738b912111646de6d30575718ce16c0cbde3e38b21bb1771807"
+            }
+          }
+        }
+      Configuration =  <<EOF
+{
+  "rules": [
+    "Include @demo-conf",
+    "Include @crs-setup-demo-conf",
+    "SecDebugLogLevel 9",
+    "SecRuleEngine On",
+    "Include @owasp_crs/*.conf"
+  ]
+}
+EOF
+      }
+    }
+  }
+]
+```
+</CodeBlockConfig>
+</Tab>
+<Tab heading="JSON" group="json">
+<CodeBlockConfig filename="wasm-extension-serve-waf.json">
+
+```json
+{
+	"kind": "service-defaults",
+	"name": "api",
+	"protocol": "http",
+	"envoyExtensions": [{
+		"name": "builtin/wasm",
+		"arguments": {
+			"protocol": "http",
+			"listenerType": "inbound",
+			"pluginConfig": {
+				"VmConfig": {
+					"Code": {
+						"Remote": {
+							"HttpURI": {
+								"Service": {
+									"Name": "file-server"
+								},
+								"URI": "https://file-server/waf.wasm"
+							}
+						}
+					}
+				},
+				"Configuration": {
+					"rules": [
+						"Include @demo-conf",
+						"Include @crs-setup-demo-conf",
+						"SecDebugLogLevel 9",
+						"SecRuleEngine On",
+						"Include @owasp_crs/*.conf"
+					]
+				}
+
+			}
+		}
+	}]
+}
+```
+
+
+</CodeBlockConfig>
+</Tab>
+<Tab heading="YAML" group="yaml">
+<CodeBlockConfig filename="wasm-extension-serve-waf.yaml">
+
+```yaml
+kind: service-defaults
+name: api
+protocol: http
+envoyExtensions:
+  - name: builtin/wasm
+    required: true
+    arguments:
+      protocol: http
+      listenerType: inbound
+      pluginConfig:
+        VmConfig:
+          Code:
+            Remote:
+              HttpURI:
+                Service:
+                  Name: file-server
+                  URI: https://file-server/waf.wasm
+         Configuration:
+           rules:
+           - Include @demo-conf
+           - Include @crs-setup-demo-conf
+           - SecDebugLogLevel 9
+           - SecRuleEngine On
+           - Include @owasp_crs/*.conf
+```
+
+</CodeBlockConfig>
+</Tab>
+</Tabs>
+
+
+Refer to the [Wasm extension configuration reference](/consul/docs/connect/proxies/envoy-extensions/configuration/wasm) for details on how to configure the extension. 
+
+Refer to the [proxy defaults configuration entry reference](/consul/docs/connect/config-entries/proxy-defaults) and [service defaults configuration entry reference](/consul/docs/connect/config-entries/service-defaults) for details on how to define the configuration entries. 
+
+!> **Warning:** Adding Envoy extensions default proxy configurations may have unintended consequences. We recommend configuring `EnvoyExtensions` in service defaults configuration entries in most cases.
+
+## Apply the configuration entry
+
+If your network is deployed to virtual machines, use the `consul config write` command and specify the proxy defaults or service defaults configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command. The following example applies the extension in a proxy defaults configuration entry.
+
+<Tabs>
+<Tab heading="HCL" group="hcl">
+
+```shell-session
+$ consul config write wasm-extension-serve-waf.hcl
+```
+
+</Tab>
+<Tab heading="JSON" group="json">
+
+```shell-session
+$ consul config write wasm-extension-serve-waf.json
+```
+
+</Tab>
+<Tab heading="Kubernetes" group="kubernetes">
+
+```shell-session
+$ kubectl apply wasm-extension-serve-waf.yaml
+```
+
+</Tab>
+</Tabs>
diff --git a/website/content/partials/envoy_ext_rule_matcher.mdx b/website/content/partials/envoy_ext_rule_matcher.mdx
new file mode 100644
index 000000000000..1d97c34e4b8d
--- /dev/null
+++ b/website/content/partials/envoy_ext_rule_matcher.mdx
@@ -0,0 +1,9 @@
+<!-- Potentially adapt to all conf refs that use this matching scheme-->
+| Rule | Description | Data type | Default |
+| ---  | ---         | ---       | ---     |
+| `Contains` | Specifies a string that the input string must contain. | String | N/A |
+| `Exact` | Specifies a string that the input string must match exactly. | String | N/A |
+| `IgnoreCase` | Directs Envoy to ignore capitalization. If set to `true`, the other matching rules in the configuration are not case sensitive. This rule does not affect `SafeRegex`. | Boolean | `false` |
+| `Prefix` | Specifies a string that the input string must begin with. | String | N/A |
+| `SafeRegex` | Specifies a regular expression for matching the input string programmatically. Envoy supports [Google's RE2 regex engine](https://github.com/google/re2/wiki/Syntax). | String | N/A |
+| `Suffix` | Specifies a string that the input string must end with. | String | N/A |
\ No newline at end of file
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index 82444026a097..edd16a4eb86f 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -503,6 +503,10 @@
               {
                 "title": "Usage",
                 "routes": [
+                  {
+                    "title": "Delegate authorization to external services",
+                    "path": "connect/proxies/envoy-extensions/usage/ext-authz"
+                  },                  
                   {
                     "title": "Run Lua scripts in Envoy proxies",
                     "path": "connect/proxies/envoy-extensions/usage/lua"
@@ -510,8 +514,32 @@
                   {
                     "title": "Invoke Lambda functions in Envoy proxies",
                     "path": "connect/proxies/envoy-extensions/usage/lambda"
+                  },
+                  {
+                    "title": "Configure Envoy proxy properties",
+                    "path": "connect/proxies/envoy-extensions/usage/property-override"
+                  },
+                  {
+                    "title": "Run WebAssembly plug-ins in Envoy proxies",
+                    "path": "connect/proxies/envoy-extensions/usage/wasm"
+                  }                ]
+              },
+              {
+                "title": "Configuration",
+                "routes": [
+                  {
+                    "title": "External authorization",
+                    "path": "connect/proxies/envoy-extensions/configuration/ext-authz"
+                  },                  
+                  {
+                    "title": "Property override",
+                    "path": "connect/proxies/envoy-extensions/configuration/property-override"
+                  },                  
+                  {
+                    "title": "WebAssembly",
+                    "path": "connect/proxies/envoy-extensions/configuration/wasm"
                   }
-                ]
+                ]              
               }
             ]
           },