diff --git a/.github/styles/config/vocabularies/Base/accept.txt b/.github/styles/config/vocabularies/Base/accept.txt index d2d0d9c14..ec18e6daf 100644 --- a/.github/styles/config/vocabularies/Base/accept.txt +++ b/.github/styles/config/vocabularies/Base/accept.txt @@ -100,6 +100,7 @@ MADR md minikube Maglev +MeshExternalService MeshGateway matchers Mockbin diff --git a/app/_src/networking/meshexternalservice.md b/app/_src/networking/meshexternalservice.md index 5f079188f..f62ce87be 100644 --- a/app/_src/networking/meshexternalservice.md +++ b/app/_src/networking/meshexternalservice.md 
@@ -12,12 +12,14 @@ The `MeshExternalService` resource allows you to declare external resources inst {% tip %} What is the difference between `MeshPassthrough` and `MeshExternalService`? -The main difference is that `MeshExternalService` is assigned a custom domain and can be targeted by policies. `MeshPassthrough`, on the other hand, does not alter the address of the original host and cannot be targeted by policies. +The main difference is that `MeshExternalService` assigns a custom domain and can be targeted by policies. +`MeshPassthrough` does not alter the address of the original host and cannot be targeted by policies. {% endtip %} {% warning %} -Currently `MeshExternalService` resource only supports targeting by [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) with [Zone Egress](/docs/{{ page.release }}/production/cp-deployment/zoneegress). -This limitation will be lifted in the next release. +Currently you can not configure granular [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for MeshExternalService. +You can only enable or disable whole traffic to MeshExternalService from Mesh by [Mesh resource configuration](/docs/{{ page.release }}/production/mesh/). +More on this in [Controlling MeshExternalService access from Mesh](/docs/{{ page.release }}/networking/meshexternalservice/#controlling-meshexternalservice-access-from-mesh) section. {% endwarning %} ## Configuration 
@@ -142,6 +144,34 @@ networking: port: 9901" ``` +### Controlling MeshExternalService access from Mesh + +At this moment you cannot configure [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for +MeshExternalService. But you can configure access to all external services on Mesh level. For example, you can disable +outgoing traffic to all MeshExternalServices: + +{% tabs usage useUrlFragment=false %} +{% tab usage Kubernetes %} +```yaml +apiVersion: kuma.io/v1alpha1 +kind: Mesh +metadata: + name: default +spec: + routing: + defaultForbidMeshExternalServiceAccess: true +``` +{% endtab %} +{% tab usage Universal %} +```yaml +type: Mesh +name: default +routing: + defaultForbidMeshExternalServiceAccess: true +``` +{% endtab %} +{% endtabs %} + ## Examples TCP examples use https://tcpbin.com/ service which is a TCP echo service, check out the website for more details.
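Review bot: in the `meshexternalservice.md` warning hunk, "you can not configure" should read "you cannot configure", and "enable or disable whole traffic to MeshExternalService from Mesh" is awkward; suggest "you can only allow or forbid all traffic from the mesh to MeshExternalServices". The same hunk changes "is assigned a custom domain" to "assigns a custom domain", which shifts the subject: the resource receives the domain rather than handing one out, so "is assigned a custom domain" or "gets a custom domain" is the more accurate wording.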
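Review bot: the new "Controlling MeshExternalService access from Mesh" section shows only the `defaultForbidMeshExternalServiceAccess: true` form and never states what happens when the field is omitted; since this is the sole access control available for MeshExternalService until granular MeshTrafficPermission lands, the section should spell out the default behaviour explicitly (whether every workload in the mesh can reach every MeshExternalService when the field is unset) so operators can judge whether they need to set it. Minor wording: "configure access to all external services on Mesh level" should be "at the Mesh level", and the first sentence's line break between "for" and "MeshExternalService" splits the link text awkwardly; keep the sentence on one line as the rest of the file does.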