
Commit e54e348

Fix markdown syntax and merge upstream changes
- ssl-overview.md: Accept upstream V2 SKU improvements with proper table formatting
  - Updated V2 certificate behavior documentation
  - Added IMPORTANT callout about V2 default certificate behavior
  - Added TIP callout about SNI hole configuration
  - Fixed markdown table syntax (added trailing pipes)
- tls-policy.md: Fix table header formatting
  - Corrected pipe spacing in table header and separator
- migrate-from-agic-to-agc.md: Fix markdown linting issues
  - Removed extra space in table pipe
  - Made link text descriptive (replaced 'here' links)
1 parent d9361c8 commit e54e348

3 files changed

Lines changed: 15 additions & 10 deletions


articles/application-gateway/for-containers/migrate-from-agic-to-agc.md

Lines changed: 3 additions & 3 deletions
@@ -65,7 +65,7 @@ Here's a summarized list of AGIC annotations and whether Application Gateway for
6565
| [Private frontend](migrate-from-agic-to-agc.md#private-frontend) | appgw.ingress.kubernetes.io/use-private-ip | Not supported | Not supported |
6666
| [Web Application Firewall (WAF)](migrate-from-agic-to-agc.md#waf) | appgw.ingress.kubernetes.io/waf-policy-for-path | [Web Application Firewall (WAF)](web-application-firewall.md) | Not supported |
6767
| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-hostname | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |
68-
| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-port | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |
68+
| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-port | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |
6969
| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-path | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |
7070
| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-status-codes | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |
7171
| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-interval | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |
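Review bot: the removed and added line 68 render identically in this diff, so the whitespace-only fix in the health-probe-port row cannot be verified from what is shown; a reviewer has to take the commit message ("Removed extra space in table pipe") on trust. Consider stating which cell was affected, or pointing to the linter run that now passes, since no other row of this table was touched.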
@@ -254,7 +254,7 @@ Application Gateway for Containers allows customers to reference prebuild TLS po
254254

255255
#### Frontend TLS Policy in Gateway API
256256

257-
To use this feature, you must use Gateway API. More details on TLS Policy are found [here](tls-policy.md).
257+
To use this feature, you must use Gateway API. More details on TLS Policy are found in the [TLS Policy documentation](tls-policy.md).
258258

259259
>[!Note]
260260
>The Predefined policy names and cipher suites are different from Application Gateway Ingress Controller. Please refer to the [predefined TLS policy table](tls-policy.md#predefined-tls-policy).
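Review bot: the "here" link replacement is correct, but the same pass should fix two issues in the visible context: "prebuild TLS po…" in the section intro shown in the hunk header (line 254) should read "prebuilt", and the unchanged Note at line 260 has a stray capital in "The Predefined policy names" and opens its second sentence with "Please refer to", which this docs set normally phrases as "See the [predefined TLS policy table](tls-policy.md#predefined-tls-policy)."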
@@ -366,7 +366,7 @@ AGIC annotation
366366

367367
Application Gateway for Containers implementation
368368

369-
Request timeouts are nonconfigurable in Application Gateway for Containers. A list of default timeout values are documented [here](application-gateway-for-containers-components.md#request-timeouts).
369+
Request timeouts are nonconfigurable in Application Gateway for Containers. A list of default timeout values are documented in [default timeout values](application-gateway-for-containers-components.md#request-timeouts).
370370

371371
### Frontend port override
372372

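Review bot: the new line 369 has a subject-verb disagreement and a redundant link text: "A list of default timeout values are documented in [default timeout values]" should read "is documented", and the link text simply repeats the noun it describes. Suggest: "Request timeouts are nonconfigurable in Application Gateway for Containers. The default timeout values are documented in [Application Gateway for Containers components](application-gateway-for-containers-components.md#request-timeouts)." The link target itself is fine.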
articles/application-gateway/for-containers/tls-policy.md

Lines changed: 2 additions & 2 deletions
@@ -28,8 +28,8 @@ Application Gateway for Containers offers two predefined security policies. You
2828

2929
The following table shows the list of cipher suites and minimum protocol version support for each predefined policy. The ordering of the cipher suites determines the priority order during TLS negotiation. To know the exact ordering of the cipher suites for these predefined policies.
3030

31-
| Predefined policy names | 2023-06 | 2023-06-S |
32-
| ---------- | ---------- | ---------- |
31+
| Predefined policy names | 2023-06 | 2023-06-S |
32+
| --- | --- | --- |
3333
| **Minimum protocol version** | TLS 1.2 | TLS 1.2 |
3434
| **Enabled protocol versions** | TLS 1.2, TLS 1.3 | TLS 1.2, TLS 1.3 |
3535
| TLS_AES_256_GCM_SHA384 | ✓ | ✓ |
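Review bot: the separator change from `| ---------- |` to `| --- |` is cosmetic (both are valid GFM) and the header line at 31 is shown unchanged, so "Corrected pipe spacing in table header" in the commit message overstates what this hunk does. More important is the unchanged line 29, which ends in a sentence fragment: "To know the exact ordering of the cipher suites for these predefined policies." Either complete it or delete it, since the preceding sentence already says the table shows the priority ordering.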

articles/application-gateway/ssl-overview.md

Lines changed: 10 additions & 5 deletions
@@ -120,18 +120,23 @@ The following tables outline the differences in SNI between the v1 and v2 SKU in
120120

121121
### Frontend TLS connection (client to application gateway)
122122

123-
124123
| Scenario | v1 | v2 |
125124
| --- | --- | --- |
126125
| If the client specifies SNI header and all the multi-site listeners are enabled with "Require SNI" flag | Returns the appropriate certificate and if the site doesn't exist (according to the server_name), then the connection is reset. | Returns appropriate certificate if available, otherwise, returns the certificate of the first HTTPS listener according to the order specified by the request routing rules associated with the HTTPS listeners |
127126
| If the client doesn't specify a SNI header and if all the multi-site headers are enabled with "Require SNI" | Resets the connection | Returns the certificate of the first HTTPS listener according to the order specified by the request routing rules associated with the HTTPS listeners |
128-
| If the client doesn't specify SNI header and if there's a basic listener configured with a certificate | Returns the certificate configured in the basic listener to the client (default or fallback certificate) | Returns the certificate configured in the basic listener |
127+
| If the client doesn't specify SNI header and if there's a basic listener configured with a certificate | Returns the certificate configured in the basic listener to the client (default or fallback certificate) | Returns the certificate of the HTTPS listener with the highest priority routing rule. The basic listener certificate is **not** used as a fallback. |
129128

130-
> [!NOTE]
131-
> When the client does not specify an SNI header, it is recommended that the user add a basic listener and rule to present a default SSL/TLS certificate.
129+
> [!IMPORTANT]
130+
> **V2 SKU default certificate behavior:** When a client connects without an SNI header (for example, using an IP address), Application Gateway V2 does **not** fall back to a basic listener's certificate. Instead, it always returns the certificate from the HTTPS listener whose associated request routing rule has the **highest priority** (lowest priority number). This behavior differs from the V1 SKU, which returns the basic listener's certificate as a fallback.
132131
133132
> [!TIP]
134-
> The SNI flag can be configured with PowerShell or by using an ARM template. For more information, see [RequireServerNameIndication](/powershell/module/az.network/set-azapplicationgatewayhttplistener#-requireservernameindication) and [Quickstart: Direct web traffic with Azure Application Gateway - ARM template](quick-create-template.md#review-the-template).
133+
> **Controlling the default certificate with an SNI hole:** To prevent Application Gateway V2 from exposing a production site certificate when clients connect by IP address without SNI, you can configure an "SNI hole":
134+
>
135+
> 1. Create a **multi-site HTTPS listener** with a dummy hostname that doesn't match any real site (for example, `sni-hole.invalid`).
136+
> 2. Upload a **self-signed certificate** to this listener.
137+
> 3. Create a **request routing rule** associated with this listener and assign it the **highest priority** (lowest priority number) among all your rules.
138+
>
139+
> With this configuration, any connection without a matching SNI header receives the self-signed certificate instead of a valid site certificate. This prevents IP-only connections from obtaining information about your hosted sites.
135140
136141
### Backend TLS connection (application gateway to the backend server)
137142

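Review bot: replacing the old TIP at lines 133-134 drops the only pointer to how the "Require SNI" flag is actually configured (the `RequireServerNameIndication` PowerShell parameter and the ARM quickstart links); keep that as a separate TIP next to the new SNI-hole tip rather than deleting it. Three further points on the new text. First, casing: the hunk header and the table headers use "v1"/"v2" ("between the v1 and v2 SKU"), while the new callouts use "V2 SKU", "Application Gateway V2" and "V1 SKU"; pick one. Second, the new v2 cell at line 127 says "the certificate of the HTTPS listener with the highest priority routing rule" while the unchanged rows at 125-126 describe the same fallback as "the first HTTPS listener according to the order specified by the request routing rules"; align the wording so readers do not take them for two different behaviors. Third, the closing sentence of the TIP, "This prevents IP-only connections from obtaining information about your hosted sites", claims more than the configuration delivers: it stops the default certificate from naming a hosted site and nothing else; suggest "This prevents the default certificate from revealing the names of your hosted sites to clients that connect without SNI." Step 2 would also benefit from saying that the self-signed certificate's subject and SAN should carry only the dummy hostname, since the point of the exercise is that the certificate leaks nothing.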