diff --git a/agent/xds/proxystateconverter/endpoints.go b/agent/xds/proxystateconverter/endpoints.go
index 2ed7164316..4e8f14d9cf 100644
--- a/agent/xds/proxystateconverter/endpoints.go
+++ b/agent/xds/proxystateconverter/endpoints.go
@@ -301,14 +301,17 @@ func (s *Converter) filterSubsetEndpoints(subset *structs.ServiceResolverSubset,
 
 // used in clusters.go
 func makeHostPortEndpoint(host string, port int) *pbproxystate.Endpoint {
-	return &pbproxystate.Endpoint{
-		Address: &pbproxystate.Endpoint_HostPort{
-			HostPort: &pbproxystate.HostPortAddress{
-				Host: host,
-				Port: uint32(port),
+	if port >= 0 && port <= 65535 {
+		return &pbproxystate.Endpoint{
+			Address: &pbproxystate.Endpoint_HostPort{
+				HostPort: &pbproxystate.HostPortAddress{
+					Host: host,
+					Port: uint32(port),
+				},
 			},
-		},
+		}
 	}
+	return nil
 }
 
 func makeUnixSocketEndpoint(path string) *pbproxystate.Endpoint {
diff --git a/agent/xds/proxystateconverter/listeners.go b/agent/xds/proxystateconverter/listeners.go
index 11e966223b..7b4faeade5 100644
--- a/agent/xds/proxystateconverter/listeners.go
+++ b/agent/xds/proxystateconverter/listeners.go
@@ -764,17 +764,20 @@ func makeListenerWithDefault(opts makeListenerOpts) *pbproxystate.Listener {
 	//	// Since access logging is non-essential for routing, warn and move on
 	//	opts.logger.Warn("error generating access log xds", err)
 	//}
-	return &pbproxystate.Listener{
-		Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port),
-		//AccessLog:        accessLog,
-		BindAddress: &pbproxystate.Listener_HostPort{
-			HostPort: &pbproxystate.HostPortAddress{
-				Host: opts.addr,
-				Port: uint32(opts.port),
+	if opts.port >= 0 && opts.port <= 65535 {
+		return &pbproxystate.Listener{
+			Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port),
+			//AccessLog:        accessLog,
+			BindAddress: &pbproxystate.Listener_HostPort{
+				HostPort: &pbproxystate.HostPortAddress{
+					Host: opts.addr,
+					Port: uint32(opts.port),
+				},
 			},
-		},
-		Direction: opts.direction,
+			Direction: opts.direction,
+		}
 	}
+	return nil
 }
 
 func makePipeListener(opts makeListenerOpts) *pbproxystate.Listener {