diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index a035e74a5c..1face7462e 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -266,12 +266,12 @@ <h2 id="CorsPolicy">CorsPolicy</h2>
 <section>
 <p>Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
 service. Refer to
-https://developer.mozilla.org/en-US/docs/Web/HTTP/Access<em>control</em>CORS
+<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS">https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS</a>
 for further details about cross origin resource sharing. For example,
 the following rule restricts cross origin requests to those originating
 from example.com domain using HTTP POST/GET, and sets the
-Access-Control-Allow-Credentials header to false. In addition, it only
-exposes X-Foo-bar header and sets an expiry period of 1 day.</p>
+<code>Access-Control-Allow-Credentials</code> header to false. In addition, it only
+exposes <code>X-Foo-bar</code> header and sets an expiry period of 1 day.</p>
 
 <pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
@@ -348,7 +348,7 @@ <h2 id="CorsPolicy">CorsPolicy</h2>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">google.protobuf.Duration</a></code></td>
 <td>
 <p>Specifies how long the results of a preflight request can be
-cached. Translates to the Access-Control-Max-Age header.</p>
+cached. Translates to the <code>Access-Control-Max-Age</code> header.</p>
 
 </td>
 </tr>
@@ -358,7 +358,7 @@ <h2 id="CorsPolicy">CorsPolicy</h2>
 <td>
 <p>Indicates whether the caller is allowed to send the actual request
 (not the preflight) using credentials. Translates to
-Access-Control-Allow-Credentials header.</p>
+<code>Access-Control-Allow-Credentials</code> header.</p>
 
 </td>
 </tr>
@@ -1694,8 +1694,8 @@ <h2 id="HTTPRetry">HTTPRetry</h2>
 <p>Specifies the conditions under which retry takes place.
 One or more policies can be specified using a ‘,’ delimited list.
 The supported policies can be found in
-&ldquo;https://www.envoyproxy.io/docs/envoy/latest/configuration/http<em>filters/router</em>filter#x-envoy-retry-on&rdquo;
-and &ldquo;https://www.envoyproxy.io/docs/envoy/latest/configuration/http<em>filters/router</em>filter#x-envoy-retry-grpc-on&rdquo;</p>
+<a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on">https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on</a>
+and <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on">https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on</a></p>
 
 </td>
 </tr>
@@ -3300,7 +3300,7 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
   - address: unix:///var/run/example/socket
 </code></pre>
 
-<p>For HTTP based services, it is possible to create a VirtualService
+<p>For HTTP-based services, it is possible to create a VirtualService
 backed by multiple DNS addressable endpoints. In such a scenario, the
 application can use the HTTP_PROXY environment variable to transparently
 reroute API calls for the VirtualService to a chosen backend. For
@@ -3333,10 +3333,10 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
       https: 7080
 </code></pre>
 
-<p>With HTTP_PROXY=http://localhost/, calls from the application to
-http://foo.bar.com will be load balanced across the three domains
-specified above. In other words, a call to http://foo.bar.com/baz would
-be translated to http://uk.foo.bar.com/baz.</p>
+<p>With <code>HTTP_PROXY=http://localhost/</code>, calls from the application to
+<code>http://foo.bar.com</code> will be load balanced across the three domains
+specified above. In other words, a call to <code>http://foo.bar.com/baz</code> would
+be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
 
 <table class="message-fields">
 <thead>
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 2642cde348..47f0813a73 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -324,7 +324,7 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 //   - address: unix:///var/run/example/socket
 // ```
 //
-// For HTTP based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a VirtualService
 // backed by multiple DNS addressable endpoints. In such a scenario, the
 // application can use the HTTP_PROXY environment variable to transparently
 // reroute API calls for the VirtualService to a chosen backend. For
@@ -358,10 +358,10 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 //       https: 7080
 // ```
 //
-// With HTTP_PROXY=http://localhost/, calls from the application to
-// http://foo.bar.com will be load balanced across the three domains
-// specified above. In other words, a call to http://foo.bar.com/baz would
-// be translated to http://uk.foo.bar.com/baz.
+// With `HTTP_PROXY=http://localhost/`, calls from the application to
+// `http://foo.bar.com` will be load balanced across the three domains
+// specified above. In other words, a call to `http://foo.bar.com/baz` would
+// be translated to `http://uk.foo.bar.com/baz`.
 //
 type ServiceEntry struct {
 	// REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index b4f16f8b34..7c200a59aa 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -246,7 +246,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //   - address: unix:///var/run/example/socket
 // ```
 //
-// For HTTP based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a VirtualService
 // backed by multiple DNS addressable endpoints. In such a scenario, the
 // application can use the HTTP_PROXY environment variable to transparently
 // reroute API calls for the VirtualService to a chosen backend. For
@@ -280,10 +280,10 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //       https: 7080
 // ```
 //
-// With HTTP_PROXY=http://localhost/, calls from the application to
-// http://foo.bar.com will be load balanced across the three domains
-// specified above. In other words, a call to http://foo.bar.com/baz would
-// be translated to http://uk.foo.bar.com/baz.
+// With `HTTP_PROXY=http://localhost/`, calls from the application to
+// `http://foo.bar.com` will be load balanced across the three domains
+// specified above. In other words, a call to `http://foo.bar.com/baz` would
+// be translated to `http://uk.foo.bar.com/baz`.
 //
 message ServiceEntry {
   // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
@@ -371,7 +371,7 @@ message ServiceEntry {
 
   // REQUIRED: Service discovery mode for the hosts. Care must be taken
   // when setting the resolution mode to NONE for a TCP port without
-  // accompanying IP addresses. In such cases, traffic to any IP on 
+  // accompanying IP addresses. In such cases, traffic to any IP on
   // said port will be allowed (i.e. 0.0.0.0:<port>).
   Resolution resolution = 5;
 
diff --git a/networking/v1alpha3/virtual_service.pb.go b/networking/v1alpha3/virtual_service.pb.go
index 0e2c10eb3c..f5ddde8588 100644
--- a/networking/v1alpha3/virtual_service.pb.go
+++ b/networking/v1alpha3/virtual_service.pb.go
@@ -1485,8 +1485,8 @@ type HTTPRetry struct {
 	// Specifies the conditions under which retry takes place.
 	// One or more policies can be specified using a ‘,’ delimited list.
 	// The supported policies can be found in
-	// "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on"
-	// and "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on"
+	// <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on>
+	// and <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on>
 	RetryOn string `protobuf:"bytes,3,opt,name=retry_on,json=retryOn,proto3" json:"retry_on,omitempty"`
 }
 
@@ -1518,12 +1518,12 @@ func (m *HTTPRetry) GetRetryOn() string {
 
 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
 // service. Refer to
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+// <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>
 // for further details about cross origin resource sharing. For example,
 // the following rule restricts cross origin requests to those originating
 // from example.com domain using HTTP POST/GET, and sets the
-// Access-Control-Allow-Credentials header to false. In addition, it only
-// exposes X-Foo-bar header and sets an expiry period of 1 day.
+// `Access-Control-Allow-Credentials` header to false. In addition, it only
+// exposes `X-Foo-bar` header and sets an expiry period of 1 day.
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -1565,11 +1565,11 @@ type CorsPolicy struct {
 	// access. Serialized into Access-Control-Expose-Headers header.
 	ExposeHeaders []string `protobuf:"bytes,4,rep,name=expose_headers,json=exposeHeaders" json:"expose_headers,omitempty"`
 	// Specifies how long the results of a preflight request can be
-	// cached. Translates to the Access-Control-Max-Age header.
+	// cached. Translates to the `Access-Control-Max-Age` header.
 	MaxAge *google_protobuf.Duration `protobuf:"bytes,5,opt,name=max_age,json=maxAge" json:"max_age,omitempty"`
 	// Indicates whether the caller is allowed to send the actual request
 	// (not the preflight) using credentials. Translates to
-	// Access-Control-Allow-Credentials header.
+	// `Access-Control-Allow-Credentials` header.
 	AllowCredentials *google_protobuf1.BoolValue `protobuf:"bytes,6,opt,name=allow_credentials,json=allowCredentials" json:"allow_credentials,omitempty"`
 }
 
diff --git a/networking/v1alpha3/virtual_service.proto b/networking/v1alpha3/virtual_service.proto
index 860c614246..9efd014cea 100644
--- a/networking/v1alpha3/virtual_service.proto
+++ b/networking/v1alpha3/virtual_service.proto
@@ -908,19 +908,19 @@ message HTTPRetry {
   // Specifies the conditions under which retry takes place.
   // One or more policies can be specified using a ‘,’ delimited list.
   // The supported policies can be found in
-  // "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on"
-  // and "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on"
+  // <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on>
+  // and <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on>
   string retry_on = 3;
 }
 
 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
 // service. Refer to
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+// <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>
 // for further details about cross origin resource sharing. For example,
 // the following rule restricts cross origin requests to those originating
 // from example.com domain using HTTP POST/GET, and sets the
-// Access-Control-Allow-Credentials header to false. In addition, it only
-// exposes X-Foo-bar header and sets an expiry period of 1 day.
+// `Access-Control-Allow-Credentials` header to false. In addition, it only
+// exposes `X-Foo-bar` header and sets an expiry period of 1 day.
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -966,12 +966,12 @@ message CorsPolicy {
   repeated string expose_headers = 4;
 
   // Specifies how long the results of a preflight request can be
-  // cached. Translates to the Access-Control-Max-Age header.
+  // cached. Translates to the `Access-Control-Max-Age` header.
   google.protobuf.Duration max_age = 5;
 
   // Indicates whether the caller is allowed to send the actual request
   // (not the preflight) using credentials. Translates to
-  // Access-Control-Allow-Credentials header.
+  // `Access-Control-Allow-Credentials` header.
   google.protobuf.BoolValue allow_credentials = 6;
 }