diff --git a/README.md b/README.md
index 5447c0c7..6e0de174 100644
--- a/README.md
+++ b/README.md
@@ -378,6 +378,7 @@ No modules.
 | <a name="input_scale_down_mode"></a> [scale\_down\_mode](#input\_scale\_down\_mode) | (Optional) Specifies the autoscaling behaviour of the Kubernetes Cluster. If not specified, it defaults to `Delete`. Possible values include `Delete` and `Deallocate`. Changing this forces a new resource to be created. | `string` | `"Delete"` | no |
 | <a name="input_secret_rotation_enabled"></a> [secret\_rotation\_enabled](#input\_secret\_rotation\_enabled) | Is secret rotation enabled? This variable is only used when `key_vault_secrets_provider_enabled` is `true` and defaults to `false` | `bool` | `false` | no |
 | <a name="input_secret_rotation_interval"></a> [secret\_rotation\_interval](#input\_secret\_rotation\_interval) | The interval to poll for secret rotation. This attribute is only set when `secret_rotation` is `true` and defaults to `2m` | `string` | `"2m"` | no |
+| <a name="input_service_mesh_profile"></a> [service\_mesh\_profile](#input\_service\_mesh\_profile) | `mode` - (Required) The mode of the service mesh. Possible value is `Istio`.<br>`internal_ingress_gateway_enabled` - (Optional) Is Istio Internal Ingress Gateway enabled? Defaults to `true`.<br>`external_ingress_gateway_enabled` - (Optional) Is Istio External Ingress Gateway enabled? Defaults to `true`. | <pre>object({<br>    mode                             = string<br>    internal_ingress_gateway_enabled = optional(bool, true)<br>    external_ingress_gateway_enabled = optional(bool, true)<br>  })</pre> | `null` | no |
 | <a name="input_sku_tier"></a> [sku\_tier](#input\_sku\_tier) | The SKU Tier that should be used for this Kubernetes Cluster. Possible values are `Free` and `Standard` | `string` | `"Free"` | no |
 | <a name="input_snapshot_id"></a> [snapshot\_id](#input\_snapshot\_id) | (Optional) The ID of the Snapshot which should be used to create this default Node Pool. `temporary_name_for_rotation` must be specified when changing this property. | `string` | `null` | no |
 | <a name="input_storage_profile_blob_driver_enabled"></a> [storage\_profile\_blob\_driver\_enabled](#input\_storage\_profile\_blob\_driver\_enabled) | (Optional) Is the Blob CSI driver enabled? Defaults to `false` | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index d9d4b8da..c7f0ad69 100644
--- a/main.tf
+++ b/main.tf
@@ -454,6 +454,14 @@ resource "azurerm_kubernetes_cluster" "main" {
       msi_auth_for_monitoring_enabled = var.msi_auth_for_monitoring_enabled
     }
   }
+  dynamic "service_mesh_profile" {
+    for_each = var.service_mesh_profile == null ? [] : ["service_mesh_profile"]
+    content {
+      mode                             = var.service_mesh_profile.mode
+      external_ingress_gateway_enabled = var.service_mesh_profile.external_ingress_gateway_enabled
+      internal_ingress_gateway_enabled = var.service_mesh_profile.internal_ingress_gateway_enabled
+    }
+  }
   dynamic "service_principal" {
     for_each = var.client_id != "" && var.client_secret != "" ? ["service_principal"] : []
 
diff --git a/variables.tf b/variables.tf
index 0f76ab26..6b6babfa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1159,6 +1159,20 @@ variable "secret_rotation_interval" {
   nullable    = false
 }
 
+variable "service_mesh_profile" {
+  type = object({
+    mode                             = string
+    internal_ingress_gateway_enabled = optional(bool, true)
+    external_ingress_gateway_enabled = optional(bool, true)
+  })
+  default     = null
+  description = <<-EOT
+    `mode` - (Required) The mode of the service mesh. Possible value is `Istio`.
+    `internal_ingress_gateway_enabled` - (Optional) Is Istio Internal Ingress Gateway enabled? Defaults to `true`.
+    `external_ingress_gateway_enabled` - (Optional) Is Istio External Ingress Gateway enabled? Defaults to `true`.
+  EOT
+}
+
 variable "sku_tier" {
   type        = string
   default     = "Free"