diff --git a/docs/configuration/cluster_manager/cluster.rst b/docs/configuration/cluster_manager/cluster.rst
index 68731dce5b8c..117959eb8b0e 100644
--- a/docs/configuration/cluster_manager/cluster.rst
+++ b/docs/configuration/cluster_manager/cluster.rst
@@ -41,6 +41,8 @@ connect_timeout_ms
   *(required, integer)* The timeout for new network connections to hosts in the cluster specified
   in milliseconds.
 
+.. _config_cluster_manager_cluster_per_connection_buffer_limit_bytes:
+
 per_connection_buffer_limit_bytes
   *(optional, integer)* Soft limit on size of the cluster's connections read and write buffers.
   If unspecified, an implementation defined default is applied (1MiB).
diff --git a/docs/configuration/cluster_manager/cluster_hc.rst b/docs/configuration/cluster_manager/cluster_hc.rst
index 6afc7fe27d74..4b9a1ec92c1d 100644
--- a/docs/configuration/cluster_manager/cluster_hc.rst
+++ b/docs/configuration/cluster_manager/cluster_hc.rst
@@ -81,6 +81,8 @@ service_name
   the health checked cluster. See the :ref:`architecture overview
   <arch_overview_health_checking_identity>` for more information.
 
+.. _config_cluster_manager_cluster_hc_tcp_health_checking:
+
 TCP health checking
 -------------------
 
diff --git a/docs/configuration/http_conn_man/runtime.rst b/docs/configuration/http_conn_man/runtime.rst
index 680af8a9b356..22fc453b3ad9 100644
--- a/docs/configuration/http_conn_man/runtime.rst
+++ b/docs/configuration/http_conn_man/runtime.rst
@@ -1,3 +1,5 @@
+.. _config_http_conn_man_runtime:
+
 Runtime
 =======
 
diff --git a/docs/configuration/listeners/listeners.rst b/docs/configuration/listeners/listeners.rst
index 3a789b8a90c6..3fa88e5c90f2 100644
--- a/docs/configuration/listeners/listeners.rst
+++ b/docs/configuration/listeners/listeners.rst
@@ -54,6 +54,8 @@ use_original_dst
   destination port. If there is no listener associated with the original destination port, the
   connection is handled by the listener that receives it. Default is false.
 
+.. _config_listeners_per_connection_buffer_limit_bytes:
+
 per_connection_buffer_limit_bytes
   *(optional, integer)* Soft limit on size of the listener's new connection read and write buffers.
   If unspecified, an implementation defined default is applied (1MiB).
diff --git a/docs/intro/version_history.rst b/docs/intro/version_history.rst
index 94ec270dc587..0c5b702de5ad 100644
--- a/docs/intro/version_history.rst
+++ b/docs/intro/version_history.rst
@@ -1,6 +1,77 @@
 Version history
 ---------------
 
+1.3.0
+=====
+
+* As of this release, we now have an official :repo:`breaking change policy
+  </CONTRIBUTING.md#breaking-change-policy>`. Note that there are numerous breaking configuration
+  changes in this release. They are not listed here. Future releases will adhere to the policy and
+  have clear documentation on deprecations and changes.
+* Bazel is now the canonical build system (replacing CMake). There have been a huge number of
+  changes to the development/build/test flow. See :repo:`/bazel/README.md` and
+  :repo:`/ci/README.md` for more information.
+* :ref:`Outlier detection <arch_overview_outlier_detection>` has been expanded to include success
+  rate variance, and all parameters are now configurable in both runtime and in the JSON
+  configuration.
+* TCP level :ref:`listener <config_listeners_per_connection_buffer_limit_bytes>` and
+  :ref:`cluster <config_cluster_manager_cluster_per_connection_buffer_limit_bytes>` connections now
+  have configurable receive buffer limits at which point connection level back pressure is applied.
+  Full end to end flow control will be available in a future release.
+* :ref:`Redis health checking <config_cluster_manager_cluster_hc>` has been added as an active
+  health check type. Full Redis support will be documented/supported in 1.4.0.
+* :ref:`TCP health checking <config_cluster_manager_cluster_hc_tcp_health_checking>` now supports a
+  "connect only" mode that only checks if the remote server can be connected to without
+  writing/reading any data.
+* `BoringSSL <https://boringssl.googlesource.com/boringssl>`_ is now the only supported TLS provider.
+  The default cipher suites and ECDH curves have been updated with more modern defaults for both
+  :ref:`listener <config_listener_ssl_context>` and
+  :ref:`cluster <config_cluster_manager_cluster_ssl>` connections.
+* The `header value match` :ref:`rate limit action
+  <config_http_conn_man_route_table_rate_limit_actions>` has been expanded to include an *expect
+  match* parameter.
+* Route level HTTP rate limit configurations now do not inherit the virtual host level
+  configurations by default. The :ref:`include_vh_rate_limits
+  <config_http_conn_man_route_table_route_include_vh>` to inherit the virtual host level options if
+  desired.
+* HTTP routes can now add request headers on a per route and per virtual host basis via the
+  :ref:`request_headers_to_add <config_http_conn_man_route_table_route_add_req_headers>` option.
+* The :ref:`example configurations <install_ref_configs>` have been refreshed to demonstrate the
+  latest features.
+* :ref:`per_try_timeout_ms <config_http_conn_man_route_table_route_retry>` can now be configured in
+  a route's retry policy in addition to via the :ref:`x-envoy-upstream-rq-per-try-timeout-ms
+  <config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms>` HTTP header.
+* :ref:`HTTP virtual host matching <config_http_conn_man_route_table_vhost>` now includes support
+  for prefix wildcard domains (e.g., `*.lyft.com`).
+* The default for tracing random sampling has been changed to 100% and is still configurable in
+  :ref:`runtime <config_http_conn_man_runtime>`.
+* :ref:`HTTP tracing configuration <config_http_conn_man_tracing>` has been extended to allow tags
+  to be populated from arbitrary HTTP headers.
+* The :ref:`HTTP rate limit filter <config_http_filters_rate_limit>` can now be applied to internal,
+  external, or all requests via the `request_type` option.
+* :ref:`Listener binding <config_listeners>` now requires specifying an `address` field. This can be
+  used to bind a listener to both a specific address as well as a port.
+* The :ref:`MongoDB filter <config_network_filters_mongo_proxy>` now emits a stat for queries that
+  do not have `$maxTimeMS` set.
+* The :ref:`MongoDB filter <config_network_filters_mongo_proxy>` now emits logs that are fully valid
+  JSON.
+* The CPU profiler output path is now :ref:`configurable <config_admin>`.
+* A :ref:`watchdog system <config_overview>` has been added that can kill the server if a deadlock
+  is detected.
+* A :ref:`route table checking tool <install_tools>` has been added that can be used to test route
+  tables before use.
+* We have added an :ref:`example repo <extending>` that shows how to compile/link a custom filter.
+* Added additional cluster wide information related to outlier detection to the :ref:`/clusters
+  admin endpoint <operations_admin_interface>`.
+* Multiple SANs can now be verified via the :ref:`verify_subject_alt_name
+  <config_listener_ssl_context>` setting. Additionally, URI type SANs can be verified.
+* HTTP filters can now be passed :ref:`opaque configuration
+  <config_http_conn_man_route_table_opaque_config>` specified on a per route basis.
+* By default Envoy now has a built in crash handler that will print a back trace. This behavior can
+  be disabled if desired via the ``--define=signal_trace=disabled`` Bazel option.
+* Zipkin has been added as a supported :ref:`tracing provider <arch_overview_tracing>`.
+* Numerous small changes and fixes not listed here.
+
 1.2.0
 =====