gofogo
diff --git a/‎docs/sources/gateway.md‎
Lines changed: 6 additions & 11 deletions b/‎docs/sources/gateway.md‎
Lines changed: 6 additions & 11 deletions
diff --git a/‎docs/tutorials/aws-filters.md‎
Lines changed: 177 additions & 0 deletions b/‎docs/tutorials/aws-filters.md‎
Lines changed: 177 additions & 0 deletions
diff --git a/‎docs/tutorials/aws-load-balancer-controller.md‎
Lines changed: 20 additions & 13 deletions b/‎docs/tutorials/aws-load-balancer-controller.md‎
Lines changed: 20 additions & 13 deletions
@@ -83,19 +83,18 @@ The targets from each parent Gateway matching the \*Route are then combined and
 
 ## Dualstack Routes
 
-Gateway resources may be served from an external-loadbalancer which may support both IPv4 and "dualstack" (both IPv4 and IPv6) interfaces.
-External DNS Controller uses the `external-dns.alpha.kubernetes.io/dualstack` annotation to determine this. If this annotation is
-set to `true` then ExternalDNS will create two records (one A record
-and one AAAA record) for each hostname associated with the Route resource.
+Gateway resources may be served from an external-loadbalancer which may support
+both IPv4 and "dualstack" (both IPv4 and IPv6) interfaces. When using the AWS
+Route53 provider, External DNS Controller will always create both A and AAAA
+alias DNS records by default, regardless of whether the load balancer is dual
+stack or not.
 
-Example:
+## Example
 
 ```yaml
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  annotations:
-    external-dns.alpha.kubernetes.io/dualstack: "true"
   name: echo
 spec:
   hostnames:
@@ -112,7 +111,3 @@ spec:
             type: PathPrefix
             value: /echo
 ```
-
-The above HTTPRoute resource is backed by a dualstack Gateway.
-ExternalDNS will create both an A `echoserver.example.org` record and
-an AAAA record of the same name, that each are aliases for the same LB.
@@ -0,0 +1,177 @@
+# AWS Filters
+
+This document provides guidance on filtering AWS zones using various strategies and flags.
+
+## Strategies for Scoping Zones
+
+> Without specifying these flags, management applies to all zones.
+
+In order to manage specific zones,  there is a possibility to combine multiple options
+
+| Argument                   | Description                                                | Flow Control |
+|:---------------------------|:-----------------------------------------------------------|:------------:|
+| `--zone-id-filter`         | Specify multiple times if needed                           |      OR      |
+| `--domain-filter`          | By domain suffix - specify multiple times if needed        |      OR      |
+| `--regex-domain-filter`    | By domain suffix but as a regex - overrides domain-filter  |     AND      |
+| `--exclude-domains`        | To exclude a domain or subdomain                           |      OR      |
+| `--regex-domain-exclusion` | Subtracts its matches from `regex-domain-filter`'s matches |     AND      |
+| `--aws-zone-type`          | Only sync zones of this type `[public\|private]`           |      OR      |
+| `--aws-zone-tags`          | Only sync zones with this tag                              |     AND      |
+
+Minimum required configuration
+
+```sh
+args:
+    --provider=aws
+    --registry=txt
+    --source=service
+```
+
+### Filter by Zone Type
+
+> If this flag is not specified, management applies to both public and private zones.
+
+```sh
+args:
+    --aws-zone-type=private|public # choose between public or private
+    ...
+```
+
+### Filter by Domain
+
+> Specify multiple times if needed.
+
+```sh
+args:
+    --domain-filter=example.com
+    --domain-filter=.paradox.example.com
+    ...
+```
+
+Example `--domain-filter=example.com` will allow for zone `example.com` and any zones that end in `.example.com`, including `an.example.com`, i.e., the subdomains of example.com.
+
+When there are multiple domains, filter `--domain-filter=example.com` will match domains `example.com`, `ex.par.example.com`, `par.example.com`, `x.par.eu-west-1.example.com`.
+
+And if the filter is prepended with `.` e.g., `--domain-filter=.example.com` it will allow *only* zones that end in `.example.com`, i.e., the subdomains of example.com but not the `example.com` zone itself. Example result: `ex.par.eu-west-1.example.com`, `ex.par.example.com`, `par.example.com`.
+
+> Note: if you prepend the filter with ".", it will not attempt to match parent zones.
+
+### Filter by Zone ID
+
+> Specify multiple times if needed, the flow logic is OR
+
+```sh
+args:
+    --zone-id-filter=ABCDEF12345678
+    --zone-id-filter=XYZDEF12345888
+    ...
+```
+
+### Filter by Tag
+
+> Specify multiple times if needed, the flow logic is AND
+
+Keys only
+
+```sh
+args:
+    --aws-zone-tags=owner
+    --aws-zone-tags=vertical
+```
+
+Or specify keys with values
+
+```sh
+args:
+    --aws-zone-tags=owner=k8s
+    --aws-zone-tags=vertical=k8s
+```
+
+Can't specify multiple or separate values with commas: `key1=val1,key2=val2` at the moment.
+Filter only by value `--aws-zone-tags==tag-value` is not supported.
+
+```sh
+args:
+    --aws-zone-tags=team=k8s,vertical=platform # this is not supported
+    --aws-zone-tags==tag-value # this is not supported
+```
+
+## Filtering Workflows
+
+***Filtering Sequence***
+
+The diagram describes the sequence for filtering AWS zones.
+
+```mermaid
+flowchart TD
+    A["zones"] --> B{"Is zonesCache valid?"}
+    B -- Yes --> C["Return cached zones"]
+    B -- No --> D["Initialize zones map"]
+    D --> E["For each profile and client"]
+    E --> F["Create paginator"]
+    F --> G{"Has more pages?"}
+    G -- Yes --> H["Get next page"]
+    H --> I["For each zone in page"]
+    I --> J{"Match zoneIDFilter?"}
+    J -- No --> G
+    J -- Yes --> K{"Match zoneTypeFilter?"}
+    K -- No --> G
+    K -- Yes --> L{"Match domainFilter?"}
+    L -- No --> M{"zoneMatchParent?"}
+    M -- No --> G
+    M -- Yes --> N{"Match domainFilter parent?"}
+    N -- No --> G
+    N -- Yes --> O{"zoneTagFilter specified?"}
+    O -- Yes --> P["Add zone to zonesToValidate"]
+    O -- No --> Q["Add zone to zones map"]
+    P --> Q
+    Q --> G
+    G -- No --> R{"zonesToValidate not empty?"}
+    R -- Yes --> S["Get tags for zones"]
+    S --> T["For each zone and tags"]
+    T --> U{"Match zoneTagFilter?"}
+    U -- No --> V["Delete zone from zones map"]
+    U -- Yes --> W["Keep zone in zones map"]
+    V --> W
+    W --> R
+    R -- No --> X["Update zonesCache"]
+    X --> Y["Return zones"]
+```
+
+***Filtering Flow***
+
+The is a sequence diagram that describes the interaction between `external-dns`, `AWSProvider`, and `Route53Client`
+during the filtering process. Here is a high-level description:
+
+```mermaid
+sequenceDiagram
+    participant external-dns
+    participant AWSProvider
+    participant Route53Client
+
+    external-dns->>AWSProvider: zones
+    alt Cache is valid
+        AWSProvider-->>external-dns: return cached zones
+    else
+
+        AWSProvider->>Route53Client: ListHostedZonesPaginator
+        loop While paginator.HasMorePages
+            Route53Client->>AWSProvider: paginator.NextPage
+            alt ThrottlingException
+                AWSProvider->>external-dns: error
+            else
+                AWSProvider-->>external-dns: return error
+            end
+            AWSProvider->>AWSProvider: Filter zones
+            alt Tags need validation
+                AWSProvider->>Route53Client: ListTagsForResources
+                Route53Client->>AWSProvider: return tags
+                AWSProvider->>AWSProvider: Validate tags
+            end
+        end
+        alt Cache duration > 0
+            AWSProvider->>AWSProvider: Update cache
+        end
+        AWSProvider-->>external-dns: return zones
+    end
+```
@@ -101,11 +101,17 @@ spec:
 The above should result in the creation of an (ipv4) ALB in AWS which will forward
 traffic to the echoserver application.
 
-If the `source=ingress` argument is specified, then ExternalDNS will create DNS
-records based on the hosts specified in ingress objects. The above example would
-result in two alias records being created, `echoserver.mycluster.example.org` and
-`echoserver.example.org`, which both alias the ALB that is associated with the
-Ingress object.
+If the `--source=ingress` argument is specified, then ExternalDNS will create
+DNS records based on the hosts specified in ingress objects. The above example
+would result in two alias records (A and AAAA) being created for each of the
+domains: `echoserver.mycluster.example.org` and `echoserver.example.org`. All
+four records alias the ALB that is associated with the Ingress object. As the
+ALB is IPv4 only, the AAAA alias records have no effect.
+
+If you would like ExternalDNS to not create AAAA records at all, you can add the
+following command line parameter: `--exclude-record-types=AAAA`. Please be
+aware, this will disable AAAA record creation even for dualstack enabled load
+balancers.
 
 Note that the above example makes use of the YAML anchor feature to avoid having
 to repeat the http section for multiple hosts that use the exact same paths. If
@@ -138,15 +144,17 @@ In the above example we create a default path that works for any hostname, and
 make use of the `external-dns.alpha.kubernetes.io/hostname` annotation to create
 multiple aliases for the resulting ALB.
 
-## Dualstack ALBs
+## Dualstack Load Balancers
 
-AWS [supports][4] both IPv4 and "dualstack" (both IPv4 and IPv6) interfaces for ALBs.
-The AWS Load Balancer Controller uses the `alb.ingress.kubernetes.io/ip-address-type`
-annotation (which defaults to `ipv4`) to determine this. If this annotation is
-set to `dualstack` then ExternalDNS will create two alias records (one A record
-and one AAAA record) for each hostname associated with the Ingress object.
+AWS [supports both IPv4 and "dualstack" (both IPv4 and IPv6) interfaces for ALBs][4]
+and [NLBs][5]. The AWS Load Balancer Controller uses the `alb.ingress.kubernetes.io/ip-address-type`
+annotation (which defaults to `ipv4`) to determine this. ExternalDNS creates
+both A and AAAA alias DNS records by default, regardless of this annotation.
+It's possible to create only A records with the following command line
+parameter: `--exclude-record-types=AAAA`
 
 [4]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#ip-address-type
+[5]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#ip-address-type
 
 Example:
 
@@ -174,5 +182,4 @@ spec:
 ```
 
 The above Ingress object will result in the creation of an ALB with a dualstack
-interface. ExternalDNS will create both an A `echoserver.example.org` record and
-an AAAA record of the same name, that each are aliases for the same ALB.
+interface.