[NET-4931] xdsv2, sidecarproxycontroller, l4 trafficpermissions: support L7 (#19185)

* xdsv2: support l7 by adding xfcc policy/headers, tweaking routes, and make a bunch of listeners l7 tests pass * sidecarproxycontroller: add l7 local app support * trafficpermissions: make l4 traffic permissions work on l7 workloads * rename route name field for consistency with l4 cluster name field * resolve conflicts and rebase * fix: ensure route name is used in l7 destination route name as well. previously it was only in the route names themselves, now the route name and l7 destination route name line up
2023-10-12 16:45:45 -07:00 · 2023-10-12 16:45:45 -07:00 · 95d9b2c7e4
parent e3cb4ec35e
commit 95d9b2c7e4
22 changed files with 1433 additions and 187 deletions
--- a/agent/xds/listeners_test.go
+++ b/agent/xds/listeners_test.go
@ -70,6 +70,7 @@ func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase {
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
 				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "splitter-with-resolver-redirect-multidc", enterprise, nil, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "connect-proxy-with-tcp-chain",
@ -91,6 +92,7 @@ func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase {
 					},
 				)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "connect-proxy-with-http2-chain",
@ -105,6 +107,7 @@ func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase {
 					},
 				)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "connect-proxy-with-grpc-chain",
@ -119,6 +122,7 @@ func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase {
 					},
 				)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "connect-proxy-with-chain-external-sni",
@ -132,6 +136,7 @@ func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase {
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
 				return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple-with-overrides", enterprise, nil, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "connect-proxy-with-tcp-chain-failover-through-remote-gateway",
@ -308,6 +313,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 					ns.Proxy.Config["protocol"] = "grpc"
 				}, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "listener-bind-address",
@ -365,6 +371,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 					ns.Proxy.Config["protocol"] = "http2"
 				}, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "listener-balance-inbound-connections",
@ -391,6 +398,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 					ns.Proxy.Config["protocol"] = "http"
 				}, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "http-public-listener-no-xfcc",
@ -412,6 +420,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 						},
 					})
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "http-listener-with-timeouts",
@ -423,6 +432,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 					ns.Proxy.Config["local_idle_timeout_ms"] = 3456
 				}, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "http-upstream",
@ -431,6 +441,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 					ns.Proxy.Upstreams[0].Config["protocol"] = "http"
 				}, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "custom-public-listener",
@ -558,6 +569,7 @@ func TestListenersFromSnapshot(t *testing.T) {
 					}
 				}, nil)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
 			name: "expose-paths-local-app-paths",
@ -1220,10 +1232,12 @@ func TestListenersFromSnapshot(t *testing.T) {
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
 				return proxycfg.TestConfigSnapshotTransparentProxyHTTPUpstream(t)
 			},
+			alsoRunTestForV2: true,
 		},
 		{
-			name:   "transparent-proxy-with-resolver-redirect-upstream",
-			create: proxycfg.TestConfigSnapshotTransparentProxyResolverRedirectUpstream,
+			name:             "transparent-proxy-with-resolver-redirect-upstream",
+			create:           proxycfg.TestConfigSnapshotTransparentProxyResolverRedirectUpstream,
+			alsoRunTestForV2: true,
 		},
 		{
 			name:             "transparent-proxy-catalog-destinations-only",
--- a/agent/xds/proxystateconverter/listeners.go
+++ b/agent/xds/proxystateconverter/listeners.go
@ -1009,7 +1009,8 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s
 			return nil, fmt.Errorf("l7 destination on inbound listener should not be empty")
 		}

-		// TODO(proxystate): L7 Intentions and JWT Auth will be added in the future.
+		// TODO(proxystate): L7 traffic permissions and JWT Auth will be added in the future. For now, just add an empty traffic permission.
+		l7Dest.TrafficPermissions = &pbproxystate.TrafficPermissions{}
 		//jwtFilter, jwtFilterErr := makeJWTAuthFilter(cfgSnap.JWTProviders, cfgSnap.ConnectProxy.Intentions)
 		//if jwtFilterErr != nil {
 		//	return nil, jwtFilterErr
@ -1036,7 +1037,12 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s

 		meshConfig := cfgSnap.MeshConfig()
 		includeXFCC := meshConfig == nil || meshConfig.HTTP == nil || !meshConfig.HTTP.SanitizeXForwardedClientCert
-		l7Dest.IncludeXfcc = includeXFCC
+		notGRPC := cfg.Protocol != "grpc"
+		if includeXFCC && notGRPC {
+			l7Dest.IncludeXfccPolicy = includeXFCC
+			l7Dest.XfccPolicy = pbproxystate.XFCCPolicy_XFCC_POLICY_APPEND_FORWARD
+			l7Dest.ParseXfccHeaders = true
+		}
 		l7Dest.Protocol = l7Protocols[cfg.Protocol]
 		if cfg.MaxInboundConnections > 0 {
 			l7Dest.MaxInboundConnections = uint64(cfg.MaxInboundConnections)
@ -1227,14 +1233,14 @@ func (s *Converter) makeExposedCheckListener(cfgSnap *proxycfg.ConfigSnapshot, c

 type routerOpts struct {
 	//accessLogs           *structs.AccessLogsConfig
-	routeName   string
-	clusterName string
-	filterName  string
-	protocol    string
-	useRDS      bool
-	statPrefix  string
-	//forwardClientDetails bool
-	//forwardClientPolicy  envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails
+	routeName            string
+	clusterName          string
+	filterName           string
+	protocol             string
+	useRDS               bool
+	statPrefix           string
+	forwardClientDetails bool
+	forwardClientPolicy  pbproxystate.XFCCPolicy
 	//tracing              *envoy_http_v3.HttpConnectionManager_Tracing
 }

@ -1246,14 +1252,14 @@ func (g *Converter) makeUpstreamRouter(opts routerOpts) (*pbproxystate.Router, e
 	router := &pbproxystate.Router{}

 	err := g.addRouterDestination(destinationOpts{
-		useRDS:     opts.useRDS,
-		protocol:   opts.protocol,
-		filterName: opts.filterName,
-		routeName:  opts.routeName,
-		cluster:    opts.clusterName,
-		statPrefix: opts.statPrefix,
-		//forwardClientDetails: opts.forwardClientDetails,
-		//forwardClientPolicy:  opts.forwardClientPolicy,
+		useRDS:               opts.useRDS,
+		protocol:             opts.protocol,
+		filterName:           opts.filterName,
+		routeName:            opts.routeName,
+		cluster:              opts.clusterName,
+		statPrefix:           opts.statPrefix,
+		forwardClientDetails: opts.forwardClientDetails,
+		forwardClientPolicy:  opts.forwardClientPolicy,
 		//tracing:              opts.tracing,
 		//accessLogs:           opts.accessLogs,
 		logger: g.Logger,
@ -1392,7 +1398,7 @@ type destinationOpts struct {

 	// HTTP listener filter options
 	forwardClientDetails bool
-	forwardClientPolicy  envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails
+	forwardClientPolicy  pbproxystate.XFCCPolicy
 	httpAuthzFilters     []*envoy_http_v3.HttpFilter
 	idleTimeoutMs        *int
 	requestTimeoutMs     *int
@ -1469,7 +1475,9 @@ func (g *Converter) makeL7Destination(opts destinationOpts) (*pbproxystate.L7Des
 	//}

 	// An L7 Destination's name will be the route name, so during xds generation the route can be looked up.
-	dest.Name = opts.routeName
+	dest.Route = &pbproxystate.L7DestinationRoute{
+		Name: opts.routeName,
+	}
 	dest.StatPrefix = makeStatPrefix(opts.statPrefix, opts.filterName)

 	// TODO(proxystate) tracing will be added at the top level proxystate and xds generation
@ -1557,18 +1565,11 @@ func (g *Converter) makeL7Destination(opts destinationOpts) (*pbproxystate.L7Des

 	dest.Protocol = l7Protocols[opts.protocol]

-	// TODO(proxystate) need to include xfcc policy in future L7 task
-	//// Note the default leads to setting HttpConnectionManager_SANITIZE
-	//if opts.forwardClientDetails {
-	//	cfg.ForwardClientCertDetails = opts.forwardClientPolicy
-	//	cfg.SetCurrentClientCertDetails = &envoy_http_v3.HttpConnectionManager_SetCurrentClientCertDetails{
-	//		Subject: &wrapperspb.BoolValue{Value: true},
-	//		Cert:    true,
-	//		Chain:   true,
-	//		Dns:     true,
-	//		Uri:     true,
-	//	}
-	//}
+	// Note the default leads to setting HttpConnectionManager_SANITIZE
+	if opts.forwardClientDetails {
+		dest.IncludeXfccPolicy = true
+		dest.XfccPolicy = opts.forwardClientPolicy
+	}

 	// Like injectConnectFilters for L4, here we ensure that the first filter
 	// (other than the "envoy.grpc_http1_bridge" filter) in the http filter
--- a/agent/xds/rbac_test.go
+++ b/agent/xds/rbac_test.go
@ -1085,7 +1085,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {

 					tt.v2L4TrafficPermissions.DefaultAllow = tt.intentionDefaultAllow

-					filters, err := xdsv2.MakeL4RBAC(tt.v2L4TrafficPermissions)
+					filters, err := xdsv2.MakeRBACNetworkFilters(tt.v2L4TrafficPermissions)
 					require.NoError(t, err)

 					var gotJSON string
--- a/agent/xdsv2/listener_resources.go
+++ b/agent/xdsv2/listener_resources.go
@ -12,6 +12,7 @@ import (
 	envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_grpc_http1_bridge_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_http1_bridge/v3"
 	envoy_grpc_stats_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3"
+	envoy_http_header_to_meta_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/header_to_metadata/v3"
 	envoy_http_router_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
 	envoy_extensions_filters_listener_http_inspector_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3"
 	envoy_original_dst_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_dst/v3"
@ -336,7 +337,7 @@ func getAlpnProtocols(protocol pbproxystate.L7Protocol) []string {
 func makeL4Filters(l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
 	var envoyFilters []*envoy_listener_v3.Filter
 	if l4 != nil {
-		rbacFilters, err := MakeL4RBAC(l4.TrafficPermissions)
+		rbacFilters, err := MakeRBACNetworkFilters(l4.TrafficPermissions)
 		if err != nil {
 			return nil, err
 		}
@ -426,12 +427,16 @@ func (pr *ProxyResources) makeL7Filters(l7 *pbproxystate.L7Destination) ([]*envo
 			},
 		}

-		routeConfig, err := pr.makeEnvoyRoute(l7.Name)
+		if l7.Route == nil {
+			return nil, fmt.Errorf("route should not be nil")
+		}
+		routeConfig := pr.makeEnvoyRouteConfigFromProxystateRoute(l7.Route.Name, pr.proxyState.Routes[l7.Route.Name])
 		if err != nil {
 			return nil, err
 		}

 		if l7.StaticRoute {
+			routeConfig.ValidateClusters = nil
 			httpConnMgr.RouteSpecifier = &envoy_http_v3.HttpConnectionManager_RouteConfig{
 				RouteConfig: routeConfig,
 			}
@ -441,7 +446,7 @@ func (pr *ProxyResources) makeL7Filters(l7 *pbproxystate.L7Destination) ([]*envo

 			httpConnMgr.RouteSpecifier = &envoy_http_v3.HttpConnectionManager_Rds{
 				Rds: &envoy_http_v3.Rds{
-					RouteConfigName: l7.Name,
+					RouteConfigName: l7.Route.Name,
 					ConfigSource: &envoy_core_v3.ConfigSource{
 						ResourceApiVersion: envoy_core_v3.ApiVersion_V3,
 						ConfigSourceSpecifier: &envoy_core_v3.ConfigSource_Ads{
@ -452,11 +457,52 @@ func (pr *ProxyResources) makeL7Filters(l7 *pbproxystate.L7Destination) ([]*envo
 			}
 		}

+		if l7.IncludeXfccPolicy {
+			httpConnMgr.ForwardClientCertDetails = envoyXFCCPolicy[l7.XfccPolicy]
+			httpConnMgr.SetCurrentClientCertDetails = &envoy_http_v3.HttpConnectionManager_SetCurrentClientCertDetails{
+				Subject: &wrapperspb.BoolValue{Value: true},
+				Cert:    true,
+				Chain:   true,
+				Dns:     true,
+				Uri:     true,
+			}
+		}
+
 		// Add http2 protocol options
 		if l7.Protocol == pbproxystate.L7Protocol_L7_PROTOCOL_HTTP2 || l7.Protocol == pbproxystate.L7Protocol_L7_PROTOCOL_GRPC {
 			httpConnMgr.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{}
 		}

+		// Add http authorization filters. First are jwt auth filters (not yet implemented), then traffic permission filters (not yet implemented), then xfcc filters.
+		var httpAuthzFilters []*envoy_http_v3.HttpFilter
+
+		// Add traffic permission filters.
+		// Currently only adds the empty filter since L7 traffic permissions are not yet implemented.
+		if l7.TrafficPermissions != nil {
+			// For now, MakeRBACHTTPFilters only has L4 granularity traffic permissions in it.
+			l7TrafficPermsFilters, err := MakeRBACHTTPFilters(l7.TrafficPermissions)
+			if err != nil {
+				return nil, err
+			}
+			httpAuthzFilters = append(httpAuthzFilters, l7TrafficPermsFilters...)
+		}
+
+		if l7.ParseXfccHeaders {
+			parseXFCCFilter, err := parseXFCCToDynamicMetaHTTPFilter()
+			if err != nil {
+				return nil, err
+			}
+			httpAuthzFilters = append(httpAuthzFilters, parseXFCCFilter)
+		}
+
+		// Here we ensure that the first filter
+		// (other than the "envoy.grpc_http1_bridge" filter) in the http filter
+		// chain of a public listener is the authz filter to prevent unauthorized
+		// access and that every filter chain uses our TLS certs.
+		if len(httpAuthzFilters) > 0 {
+			httpConnMgr.HttpFilters = append(httpAuthzFilters, httpConnMgr.HttpFilters...)
+		}
+
 		// Add grpc envoy http filters.
 		if l7.Protocol == pbproxystate.L7Protocol_L7_PROTOCOL_GRPC {
 			grpcHttp1Bridge, err := makeEnvoyHTTPFilter(
@ -944,6 +990,14 @@ var envoyTLSVersions = map[pbproxystate.TLSVersion]envoy_tls_v3.TlsParameters_Tl
 	pbproxystate.TLSVersion_TLS_VERSION_1_3:  envoy_tls_v3.TlsParameters_TLSv1_3,
 }

+var envoyXFCCPolicy = map[pbproxystate.XFCCPolicy]envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails{
+	pbproxystate.XFCCPolicy_XFCC_POLICY_SANITIZE:            envoy_http_v3.HttpConnectionManager_SANITIZE,
+	pbproxystate.XFCCPolicy_XFCC_POLICY_FORWARD_ONLY:        envoy_http_v3.HttpConnectionManager_FORWARD_ONLY,
+	pbproxystate.XFCCPolicy_XFCC_POLICY_APPEND_FORWARD:      envoy_http_v3.HttpConnectionManager_APPEND_FORWARD,
+	pbproxystate.XFCCPolicy_XFCC_POLICY_SANITIZE_SET:        envoy_http_v3.HttpConnectionManager_SANITIZE_SET,
+	pbproxystate.XFCCPolicy_XFCC_POLICY_ALWAYS_FORWARD_ONLY: envoy_http_v3.HttpConnectionManager_ALWAYS_FORWARD_ONLY,
+}
+
 // Sort the trust domains so that the output is stable.
 // This benefits tests but also prevents Envoy from mistakenly thinking the listener
 // changed and needs to be drained only because this ordering is different.
@ -1002,3 +1056,91 @@ func sortPrefixRanges(prefixRanges []*pbproxystate.CidrRange) {
 		return prefixRanges[i].AddressPrefix < prefixRanges[j].AddressPrefix
 	})
 }
+
+const (
+	anyPath     = `[^/]+`
+	trustDomain = anyPath + "." + anyPath
+)
+
+// downstreamServiceIdentityMatcher needs to match XFCC headers in two cases:
+// 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability)
+// By=spiffe://950df996-caef-ddef-ec5f-8d18a153b7b2.consul/gateway/mesh/dc/alpha;
+// Hash=...;
+// Cert=...;
+// Chain=...;
+// Subject="";
+// URI=spiffe://c7e1d24a-eed8-10a3-286a-52bdb6b6a6fd.consul/ns/default/dc/primary/svc/s1,By=spiffe://950df996-caef-ddef-ec5f-8d18a153b7b2.consul/ns/default/dc/alpha/svc/s2;
+// Hash=...;
+// Cert=...;
+// Chain=...;
+// Subject="";
+// URI=spiffe://950df996-caef-ddef-ec5f-8d18a153b7b2.consul/gateway/mesh/dc/alpha
+//
+// 2. Requests directly to another service
+// By=spiffe://ae9dbea8-c1dd-7356-b211-c564f7917100.consul/ns/default/dc/primary/svc/s2;
+// Hash=396218588ebc1655d32a49b68cedd6b66b9de7b3d69d0c0451bc5818132377d0;
+// Cert=...;
+// Chain=...;
+// Subject="";
+// URI=spiffe://ae9dbea8-c1dd-7356-b211-c564f7917100.consul/ns/default/dc/primary/svc/s1
+//
+// In either case, the regex matches the downstream service's spiffe id because mesh gateways use a different spiffe id format.
+// Envoy requires us to include the trailing and leading .* to properly extract the properly submatch.
+const downstreamServiceIdentityMatcher = ".*URI=spiffe://(" + trustDomain +
+	")(?:/ap/(" + anyPath +
+	"))?/ns/(" + anyPath +
+	")/dc/(" + anyPath +
+	")/svc/([^/;,]+).*"
+
+func parseXFCCToDynamicMetaHTTPFilter() (*envoy_http_v3.HttpFilter, error) {
+	var rules []*envoy_http_header_to_meta_v3.Config_Rule
+
+	fields := []struct {
+		name string
+		sub  string
+	}{
+		{
+			name: "trust-domain",
+			sub:  `\1`,
+		},
+		{
+			name: "partition",
+			sub:  `\2`,
+		},
+		{
+			name: "namespace",
+			sub:  `\3`,
+		},
+		{
+			name: "datacenter",
+			sub:  `\4`,
+		},
+		{
+			name: "service",
+			sub:  `\5`,
+		},
+	}
+
+	for _, f := range fields {
+		rules = append(rules, &envoy_http_header_to_meta_v3.Config_Rule{
+			Header: "x-forwarded-client-cert",
+			OnHeaderPresent: &envoy_http_header_to_meta_v3.Config_KeyValuePair{
+				MetadataNamespace: "consul",
+				Key:               f.name,
+				RegexValueRewrite: &envoy_matcher_v3.RegexMatchAndSubstitute{
+					Pattern: &envoy_matcher_v3.RegexMatcher{
+						Regex: downstreamServiceIdentityMatcher,
+						EngineType: &envoy_matcher_v3.RegexMatcher_GoogleRe2{
+							GoogleRe2: &envoy_matcher_v3.RegexMatcher_GoogleRE2{},
+						},
+					},
+					Substitution: f.sub,
+				},
+			},
+		})
+	}
+
+	cfg := &envoy_http_header_to_meta_v3.Config{RequestRules: rules}
+
+	return makeEnvoyHTTPFilter("envoy.filters.http.header_to_metadata", cfg)
+}
--- a/agent/xdsv2/rbac_resources.go
+++ b/agent/xdsv2/rbac_resources.go
@ -9,6 +9,8 @@ import (
 	envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
 	envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+	envoy_http_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3"
+	envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_network_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
 	envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"

@ -20,50 +22,114 @@ const (
 	baseL4PermissionKey = "consul-intentions-layer4"
 )

-func MakeL4RBAC(trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
-	var filters []*envoy_listener_v3.Filter
+// MakeL4RBAC returns the envoy deny and allow rules from the traffic permissions. After calling this function these
+// rules can be put into a network rbac filter or http rbac filter depending on the local app port protocol.
+func MakeL4RBAC(trafficPermissions *pbproxystate.TrafficPermissions) (deny *envoy_rbac_v3.RBAC, allow *envoy_rbac_v3.RBAC, err error) {
+	var denyRBAC *envoy_rbac_v3.RBAC
+	var allowRBAC *envoy_rbac_v3.RBAC

 	if trafficPermissions == nil {
-		return nil, nil
+		return nil, nil, nil
 	}

 	if len(trafficPermissions.DenyPermissions) > 0 {
-		denyRBAC := &envoy_rbac_v3.RBAC{
+		denyRBAC = &envoy_rbac_v3.RBAC{
 			Action:   envoy_rbac_v3.RBAC_DENY,
 			Policies: make(map[string]*envoy_rbac_v3.Policy),
 		}
 		denyRBAC.Policies = makeRBACPolicies(trafficPermissions.DenyPermissions)
-		filter, err := makeRBACFilter(denyRBAC)
-		if err != nil {
-			return nil, err
-		}
-		filters = append(filters, filter)
 	}

 	// Only include the allow RBAC when Consul is in default deny.
 	if !trafficPermissions.DefaultAllow {
-		allowRBAC := &envoy_rbac_v3.RBAC{
+		allowRBAC = &envoy_rbac_v3.RBAC{
 			Action:   envoy_rbac_v3.RBAC_ALLOW,
 			Policies: make(map[string]*envoy_rbac_v3.Policy),
 		}

 		allowRBAC.Policies = makeRBACPolicies(trafficPermissions.AllowPermissions)
-		filter, err := makeRBACFilter(allowRBAC)
+	}
+
+	return denyRBAC, allowRBAC, nil
+}
+
+// MakeRBACNetworkFilters calls MakeL4RBAC and wraps the result in envoy network filters meant for L4 protocols.
+func MakeRBACNetworkFilters(trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
+	var filters []*envoy_listener_v3.Filter
+
+	deny, allow, err := MakeL4RBAC(trafficPermissions)
+	if err != nil {
+		return nil, err
+	}
+
+	if deny != nil {
+		filter, err := makeRBACFilter(deny)
 		if err != nil {
 			return nil, err
 		}
 		filters = append(filters, filter)
 	}

+	if allow != nil {
+		filter, err := makeRBACFilter(allow)
+		if err != nil {
+			return nil, err
+		}
+		filters = append(filters, filter)
+
+	}
+
 	return filters, nil
 }

+// MakeRBACHTTPFilters calls MakeL4RBAC and wraps the result in envoy http filters meant for L7 protocols. Eventually
+// this will need to also accumulate any L7 traffic permissions when that is implemented.
+func MakeRBACHTTPFilters(trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_http_v3.HttpFilter, error) {
+	var httpFilters []*envoy_http_v3.HttpFilter
+
+	deny, allow, err := MakeL4RBAC(trafficPermissions)
+	if err != nil {
+		return nil, err
+	}
+
+	if deny != nil {
+		filter, err := makeRBACHTTPFilter(deny)
+		if err != nil {
+			return nil, err
+		}
+		httpFilters = append(httpFilters, filter)
+	}
+
+	if allow != nil {
+		filter, err := makeRBACHTTPFilter(allow)
+		if err != nil {
+			return nil, err
+		}
+		httpFilters = append(httpFilters, filter)
+
+	}
+
+	return httpFilters, nil
+}
+
+const (
+	envoyNetworkRBACFilterKey = "envoy.filters.network.rbac"
+	envoyHTTPRBACFilterKey    = "envoy.filters.http.rbac"
+)
+
 func makeRBACFilter(rbac *envoy_rbac_v3.RBAC) (*envoy_listener_v3.Filter, error) {
 	cfg := &envoy_network_rbac_v3.RBAC{
 		StatPrefix: "connect_authz",
 		Rules:      rbac,
 	}
-	return makeEnvoyFilter("envoy.filters.network.rbac", cfg)
+	return makeEnvoyFilter(envoyNetworkRBACFilterKey, cfg)
+}
+
+func makeRBACHTTPFilter(rbac *envoy_rbac_v3.RBAC) (*envoy_http_v3.HttpFilter, error) {
+	cfg := &envoy_http_rbac_v3.RBAC{
+		Rules: rbac,
+	}
+	return makeEnvoyHTTPFilter(envoyHTTPRBACFilterKey, cfg)
 }

 func makeRBACPolicies(l4Permissions []*pbproxystate.Permission) map[string]*envoy_rbac_v3.Policy {
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_multiport_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_multiport_test.go
@ -193,17 +193,17 @@ func TestBuildMultiportImplicitDestinations(t *testing.T) {
 		getDestinations func() []*intermediate.Destination
 	}{
 		// Most basic test that multiport configuration works
-		"destination/multiport-l4-single-implicit-destination-tproxy": {
+		"destination/multiport-l4-and-l7-single-implicit-destination-tproxy": {
 			getDestinations: func() []*intermediate.Destination { return apiAppDestinations },
 		},
 		// Test shows that with multiple workloads for a service exposing the same ports, the routers
 		// and clusters do not get duplicated.
-		"destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy": {
+		"destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy": {
 			getDestinations: func() []*intermediate.Destination { return mwDestinations },
 		},
 		// Test shows that with multiple workloads for a service exposing the same ports, the routers
 		// and clusters do not get duplicated.
-		"destination/multiport-l4-multiple-implicit-destinations-tproxy": {
+		"destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy": {
 			getDestinations: func() []*intermediate.Destination { return twoImplicitDestinations },
 		},
 	}
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/destinations.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destinations.go
@ -5,9 +5,10 @@ package builder

 import (
 	"fmt"
-	"github.com/hashicorp/consul/agent/xds/naming"
 	"time"

+	"github.com/hashicorp/consul/agent/xds/naming"
+
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/wrapperspb"

@ -245,7 +246,7 @@ func (b *Builder) buildDestination(
 			panic(fmt.Sprintf("it should not be possible to have a tcp protocol here: %v", effectiveProtocol))
 		}

-		rb := lb.addL7Router("", effectiveProtocol)
+		rb := lb.addL7Router(routeName, "", effectiveProtocol)
 		if destination.Explicit == nil {
 			rb.addIPAndPortMatch(destination.VirtualIPs, virtualPortNumber)
 		}
@ -425,14 +426,13 @@ func (b *ListenerBuilder) addL4RouterForSplit(
 	return b.NewRouterBuilder(router)
 }

-func (b *ListenerBuilder) addL7Router(statPrefix string, protocol pbcatalog.Protocol) *RouterBuilder {
+func (b *ListenerBuilder) addL7Router(routeName string, statPrefix string, protocol pbcatalog.Protocol) *RouterBuilder {
 	// For explicit destinations, we have no filter chain match, and filters
 	// are based on port protocol.
 	router := &pbproxystate.Router{}

-	listenerName := b.listener.Name
-	if listenerName == "" {
-		panic("listenerName is required")
+	if routeName == "" {
+		panic("routeName is required")
 	}

 	if statPrefix == "" {
@ -445,7 +445,9 @@ func (b *ListenerBuilder) addL7Router(statPrefix string, protocol pbcatalog.Prot

 	router.Destination = &pbproxystate.Router_L7{
 		L7: &pbproxystate.L7Destination{
-			Name:        listenerName,
+			Route: &pbproxystate.L7DestinationRoute{
+				Name: routeName,
+			},
 			StatPrefix:  statPrefix,
 			StaticRoute: false,
 		},
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/expose_paths.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/expose_paths.go
@ -69,7 +69,9 @@ func (b *ListenerBuilder) addExposePathsRouter(exposePath *pbmesh.ExposePath) *L
 	}
 	routerDestination := &pbproxystate.Router_L7{
 		L7: &pbproxystate.L7Destination{
-			Name:        destinationName,
+			Route: &pbproxystate.L7DestinationRoute{
+				Name: destinationName,
+			},
 			StatPrefix:  destinationName,
 			StaticRoute: true,
 			Protocol:    l7Protocol,
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
@ -27,12 +27,16 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.Comput
 	foundInboundNonMeshPorts := false
 	for portName, port := range workload.Ports {
 		clusterName := fmt.Sprintf("%s:%s", xdscommon.LocalAppClusterName, portName)
+		routeName := fmt.Sprintf("%s:%s", lb.listener.Name, portName)

 		if port.Protocol != pbcatalog.Protocol_PROTOCOL_MESH {
 			foundInboundNonMeshPorts = true
-			lb.addInboundRouter(clusterName, port, portName, trafficPermissions[portName]).
+			lb.addInboundRouter(clusterName, routeName, port, portName, trafficPermissions[portName]).
 				addInboundTLS()

+			if isL7(port.Protocol) {
+				b.addLocalAppRoute(routeName, clusterName)
+			}
 			b.addLocalAppCluster(clusterName).
 				addLocalAppStaticEndpoints(clusterName, port.GetPort())
 		}
@ -263,7 +267,7 @@ func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload)
 	return b.NewListenerBuilder(listener)
 }

-func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.WorkloadPort, portName string, tp *pbproxystate.TrafficPermissions) *ListenerBuilder {
+func (l *ListenerBuilder) addInboundRouter(clusterName string, routeName string, port *pbcatalog.WorkloadPort, portName string, tp *pbproxystate.TrafficPermissions) *ListenerBuilder {
 	if l.listener == nil {
 		return l
 	}
@ -286,6 +290,25 @@ func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.W
 			},
 		}
 		l.listener.Routers = append(l.listener.Routers, r)
+	} else if isL7(port.Protocol) {
+		r := &pbproxystate.Router{
+			Destination: &pbproxystate.Router_L7{
+				L7: &pbproxystate.L7Destination{
+					StatPrefix:         l.listener.Name,
+					Protocol:           protocolMap[port.Protocol],
+					TrafficPermissions: tp,
+					StaticRoute:        true,
+					// Route name for l7 local app destinations differentiates between routes for each port.
+					Route: &pbproxystate.L7DestinationRoute{
+						Name: routeName,
+					},
+				},
+			},
+			Match: &pbproxystate.Match{
+				AlpnProtocols: []string{getAlpnProtocolFromPortName(portName)},
+			},
+		}
+		l.listener.Routers = append(l.listener.Routers, r)
 	}
 	return l
 }
@ -316,6 +339,40 @@ func getAlpnProtocolFromPortName(portName string) string {
 	return fmt.Sprintf("consul~%s", portName)
 }

+func (b *Builder) addLocalAppRoute(routeName string, clusterName string) {
+	proxyRouteRule := &pbproxystate.RouteRule{
+		Match: &pbproxystate.RouteMatch{
+			PathMatch: &pbproxystate.PathMatch{
+				PathMatch: &pbproxystate.PathMatch_Prefix{
+					Prefix: "/",
+				},
+			},
+		},
+		Destination: &pbproxystate.RouteDestination{
+			Destination: &pbproxystate.RouteDestination_Cluster{
+				Cluster: &pbproxystate.DestinationCluster{
+					Name: clusterName,
+				},
+			},
+		},
+	}
+	// Each route name for the local app is listenerName:port since there is a route per port on the local app listener.
+	b.addRoute(routeName, &pbproxystate.Route{
+		VirtualHosts: []*pbproxystate.VirtualHost{{
+			Name:       routeName,
+			Domains:    []string{"*"},
+			RouteRules: []*pbproxystate.RouteRule{proxyRouteRule},
+		}},
+	})
+}
+
+func isL7(protocol pbcatalog.Protocol) bool {
+	if protocol == pbcatalog.Protocol_PROTOCOL_HTTP || protocol == pbcatalog.Protocol_PROTOCOL_HTTP2 || protocol == pbcatalog.Protocol_PROTOCOL_GRPC {
+		return true
+	}
+	return false
+}
+
 func (b *Builder) addLocalAppCluster(clusterName string) *Builder {
 	// Make cluster for this router destination.
 	b.proxyStateTemplate.ProxyState.Clusters[clusterName] = &pbproxystate.Cluster{
@ -383,3 +440,9 @@ func (l *ListenerBuilder) addInboundTLS() *ListenerBuilder {
 	}
 	return l
 }
+
+var protocolMap = map[pbcatalog.Protocol]pbproxystate.L7Protocol{
+	pbcatalog.Protocol_PROTOCOL_HTTP:  pbproxystate.L7Protocol_L7_PROTOCOL_HTTP,
+	pbcatalog.Protocol_PROTOCOL_HTTP2: pbproxystate.L7Protocol_L7_PROTOCOL_HTTP2,
+	pbcatalog.Protocol_PROTOCOL_GRPC:  pbproxystate.L7Protocol_L7_PROTOCOL_GRPC,
+}
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
@ -18,6 +18,62 @@ func TestBuildLocalApp_Multiport(t *testing.T) {
 	cases := map[string]struct {
 		workload *pbcatalog.Workload
 	}{
+		"source/multiport-l7-single-workload-address-without-ports": {
+			workload: &pbcatalog.Workload{
+				Addresses: []*pbcatalog.WorkloadAddress{
+					{
+						Host: "10.0.0.1",
+					},
+				},
+				Ports: map[string]*pbcatalog.WorkloadPort{
+					"admin-port": {Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP},
+					"api-port":   {Port: 9090, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP2},
+					"grpc-port":  {Port: 9091, Protocol: pbcatalog.Protocol_PROTOCOL_GRPC},
+					"mesh":       {Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
+				},
+			},
+		},
+		"source/multiport-l7-multiple-workload-addresses-without-ports": {
+			workload: &pbcatalog.Workload{
+				Addresses: []*pbcatalog.WorkloadAddress{
+					{
+						Host: "10.0.0.1",
+					},
+					{
+						Host: "10.0.0.2",
+					},
+				},
+				Ports: map[string]*pbcatalog.WorkloadPort{
+					"admin-port": {Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP},
+					"api-port":   {Port: 9090, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP2},
+					"grpc-port":  {Port: 9091, Protocol: pbcatalog.Protocol_PROTOCOL_GRPC},
+					"mesh":       {Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
+				},
+			},
+		},
+		"source/multiport-l7-multiple-workload-addresses-with-specific-ports": {
+			workload: &pbcatalog.Workload{
+				Addresses: []*pbcatalog.WorkloadAddress{
+					{
+						Host:  "10.0.0.1",
+						Ports: []string{"admin-port"},
+					},
+					{
+						Host:  "10.0.0.2",
+						Ports: []string{"api-port"},
+					},
+					{
+						Host:  "10.0.0.3",
+						Ports: []string{"mesh"},
+					},
+				},
+				Ports: map[string]*pbcatalog.WorkloadPort{
+					"admin-port": {Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP},
+					"api-port":   {Port: 9090, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP2},
+					"mesh":       {Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
+				},
+			},
+		},
 		"source/multiport-l4-single-workload-address-without-ports": {
 			workload: &pbcatalog.Workload{
 				Addresses: []*pbcatalog.WorkloadAddress{
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden
@ -225,7 +225,9 @@
        "routers": [
          {
            "l7": {
-              "name": "default/local/default/api-1:http:1.1.1.1:1234",
+              "route": {
+                "name": "default/local/default/api-1:http:1.1.1.1:1234"
+              },
              "statPrefix": "upstream."
            }
          }
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden
@ -247,7 +247,9 @@
          },
          {
            "l7": {
-              "name": "outbound_listener",
+              "route": {
+                "name": "default/local/default/api-app"
+              },
              "statPrefix": "upstream."
            },
            "match": {
@ -262,7 +264,9 @@
          },
          {
            "l7": {
-              "name": "outbound_listener",
+              "route": {
+                "name": "default/local/default/api-app2"
+              },
              "statPrefix": "upstream."
            },
            "match": {
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden
@ -145,7 +145,9 @@
          },
          {
            "l7": {
-              "name": "outbound_listener",
+              "route": {
+                "name": "default/local/default/api-app"
+              },
              "statPrefix": "upstream."
            },
            "match": {
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden
@ -145,7 +145,9 @@
          },
          {
            "l7": {
-              "name": "outbound_listener",
+              "route": {
+                "name": "default/local/default/api-app"
+              },
              "statPrefix": "upstream."
            },
            "match": {
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l7-expose-paths.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l7-expose-paths.golden
@ -113,7 +113,9 @@
        "routers": [
          {
            "l7": {
-              "name": "exposed_path_filter_health_1234",
+              "route": {
+                "name": "exposed_path_filter_health_1234"
+              },
              "statPrefix": "exposed_path_filter_health_1234",
              "staticRoute": true
            }
@ -130,8 +132,10 @@
        "routers": [
          {
            "l7": {
-              "name": "exposed_path_filter_GetHealth_1235",
              "protocol": "L7_PROTOCOL_HTTP2",
+              "route": {
+                "name": "exposed_path_filter_GetHealth_1235"
+              },
              "statPrefix": "exposed_path_filter_GetHealth_1235",
              "staticRoute": true
            }
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l7-multiple-workload-addresses-with-specific-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l7-multiple-workload-addresses-with-specific-ports.golden
@ -0,0 +1,181 @@
+{
+  "proxyState": {
+    "clusters": {
+      "local_app:admin-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:admin-port"
+      },
+      "local_app:api-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:api-port"
+      }
+    },
+    "endpoints": {
+      "local_app:admin-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 8080
+            }
+          }
+        ]
+      },
+      "local_app:api-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 9090
+            }
+          }
+        ]
+      }
+    },
+    "identity": {
+      "name": "test-identity",
+      "tenancy": {
+        "namespace": "default",
+        "partition": "default",
+        "peerName": "local"
+      },
+      "type": {
+        "group": "auth",
+        "groupVersion": "v2beta1",
+        "kind": "WorkloadIdentity"
+      }
+    },
+    "listeners": [
+      {
+        "capabilities": [
+          "CAPABILITY_L4_TLS_INSPECTION"
+        ],
+        "direction": "DIRECTION_INBOUND",
+        "hostPort": {
+          "host": "10.0.0.3",
+          "port": 20000
+        },
+        "name": "public_listener",
+        "routers": [
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "route": {
+                "name": "public_listener:admin-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~admin-port"
+              ]
+            }
+          },
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "protocol": "L7_PROTOCOL_HTTP2",
+              "route": {
+                "name": "public_listener:api-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~api-port"
+              ]
+            }
+          }
+        ]
+      }
+    ],
+    "routes": {
+      "public_listener:admin-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:admin-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:admin-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "public_listener:api-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:api-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:api-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      }
+    }
+  },
+  "requiredLeafCertificates": {
+    "test-identity": {
+      "name": "test-identity",
+      "namespace": "default",
+      "partition": "default"
+    }
+  },
+  "requiredTrustBundles": {
+    "local": {
+      "peer": "local"
+    }
+  }
+}
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l7-multiple-workload-addresses-without-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l7-multiple-workload-addresses-without-ports.golden
@ -0,0 +1,247 @@
+{
+  "proxyState": {
+    "clusters": {
+      "local_app:admin-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:admin-port"
+      },
+      "local_app:api-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:api-port"
+      },
+      "local_app:grpc-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:grpc-port"
+      }
+    },
+    "endpoints": {
+      "local_app:admin-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 8080
+            }
+          }
+        ]
+      },
+      "local_app:api-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 9090
+            }
+          }
+        ]
+      },
+      "local_app:grpc-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 9091
+            }
+          }
+        ]
+      }
+    },
+    "identity": {
+      "name": "test-identity",
+      "tenancy": {
+        "namespace": "default",
+        "partition": "default",
+        "peerName": "local"
+      },
+      "type": {
+        "group": "auth",
+        "groupVersion": "v2beta1",
+        "kind": "WorkloadIdentity"
+      }
+    },
+    "listeners": [
+      {
+        "capabilities": [
+          "CAPABILITY_L4_TLS_INSPECTION"
+        ],
+        "direction": "DIRECTION_INBOUND",
+        "hostPort": {
+          "host": "10.0.0.1",
+          "port": 20000
+        },
+        "name": "public_listener",
+        "routers": [
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "route": {
+                "name": "public_listener:admin-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~admin-port"
+              ]
+            }
+          },
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "protocol": "L7_PROTOCOL_HTTP2",
+              "route": {
+                "name": "public_listener:api-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~api-port"
+              ]
+            }
+          },
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "protocol": "L7_PROTOCOL_GRPC",
+              "route": {
+                "name": "public_listener:grpc-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~grpc-port"
+              ]
+            }
+          }
+        ]
+      }
+    ],
+    "routes": {
+      "public_listener:admin-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:admin-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:admin-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "public_listener:api-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:api-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:api-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "public_listener:grpc-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:grpc-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:grpc-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      }
+    }
+  },
+  "requiredLeafCertificates": {
+    "test-identity": {
+      "name": "test-identity",
+      "namespace": "default",
+      "partition": "default"
+    }
+  },
+  "requiredTrustBundles": {
+    "local": {
+      "peer": "local"
+    }
+  }
+}
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l7-single-workload-address-without-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l7-single-workload-address-without-ports.golden
@ -0,0 +1,247 @@
+{
+  "proxyState": {
+    "clusters": {
+      "local_app:admin-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:admin-port"
+      },
+      "local_app:api-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:api-port"
+      },
+      "local_app:grpc-port": {
+        "endpointGroup": {
+          "static": {}
+        },
+        "name": "local_app:grpc-port"
+      }
+    },
+    "endpoints": {
+      "local_app:admin-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 8080
+            }
+          }
+        ]
+      },
+      "local_app:api-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 9090
+            }
+          }
+        ]
+      },
+      "local_app:grpc-port": {
+        "endpoints": [
+          {
+            "hostPort": {
+              "host": "127.0.0.1",
+              "port": 9091
+            }
+          }
+        ]
+      }
+    },
+    "identity": {
+      "name": "test-identity",
+      "tenancy": {
+        "namespace": "default",
+        "partition": "default",
+        "peerName": "local"
+      },
+      "type": {
+        "group": "auth",
+        "groupVersion": "v2beta1",
+        "kind": "WorkloadIdentity"
+      }
+    },
+    "listeners": [
+      {
+        "capabilities": [
+          "CAPABILITY_L4_TLS_INSPECTION"
+        ],
+        "direction": "DIRECTION_INBOUND",
+        "hostPort": {
+          "host": "10.0.0.1",
+          "port": 20000
+        },
+        "name": "public_listener",
+        "routers": [
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "route": {
+                "name": "public_listener:admin-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~admin-port"
+              ]
+            }
+          },
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "protocol": "L7_PROTOCOL_HTTP2",
+              "route": {
+                "name": "public_listener:api-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~api-port"
+              ]
+            }
+          },
+          {
+            "inboundTls": {
+              "inboundMesh": {
+                "identityKey": "test-identity",
+                "validationContext": {
+                  "trustBundlePeerNameKeys": [
+                    "local"
+                  ]
+                }
+              }
+            },
+            "l7": {
+              "protocol": "L7_PROTOCOL_GRPC",
+              "route": {
+                "name": "public_listener:grpc-port"
+              },
+              "statPrefix": "public_listener",
+              "staticRoute": true,
+              "trafficPermissions": {}
+            },
+            "match": {
+              "alpnProtocols": [
+                "consul~grpc-port"
+              ]
+            }
+          }
+        ]
+      }
+    ],
+    "routes": {
+      "public_listener:admin-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:admin-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:admin-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "public_listener:api-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:api-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:api-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "public_listener:grpc-port": {
+        "virtualHosts": [
+          {
+            "domains": [
+              "*"
+            ],
+            "name": "public_listener:grpc-port",
+            "routeRules": [
+              {
+                "destination": {
+                  "cluster": {
+                    "name": "local_app:grpc-port"
+                  }
+                },
+                "match": {
+                  "pathMatch": {
+                    "prefix": "/"
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      }
+    }
+  },
+  "requiredLeafCertificates": {
+    "test-identity": {
+      "name": "test-identity",
+      "namespace": "default",
+      "partition": "default"
+    }
+  },
+  "requiredTrustBundles": {
+    "local": {
+      "peer": "local"
+    }
+  }
+}
--- a/internal/mesh/internal/controllers/sidecarproxy/controller_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/controller_test.go
@ -847,7 +847,8 @@ func requireImplicitDestinationsFound(t *testing.T, name string, tmplResource *p
 					// care here.
 					foundByName = true
 				case *pbproxystate.Router_L7:
-					routerName := x.L7.Name
+					require.NotNil(t, x.L7.Route)
+					routerName := x.L7.Route.Name
 					foundByName = strings.Contains(routerName, name)
 				default:
 					t.Fatalf("unexpected type of destination: %T", r.Destination)
--- a/proto-public/pbmesh/v2beta1/pbproxystate/listener.pb.binary.go
+++ b/proto-public/pbmesh/v2beta1/pbproxystate/listener.pb.binary.go
@ -57,6 +57,16 @@ func (msg *L4Destination) UnmarshalBinary(b []byte) error {
 	return proto.Unmarshal(b, msg)
 }

+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *L7DestinationRoute) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *L7DestinationRoute) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
 // MarshalBinary implements encoding.BinaryMarshaler
 func (msg *L7Destination) MarshalBinary() ([]byte, error) {
 	return proto.Marshal(msg)
--- a/proto-public/pbmesh/v2beta1/pbproxystate/listener.pb.go
+++ b/proto-public/pbmesh/v2beta1/pbproxystate/listener.pb.go
@ -172,6 +172,71 @@ func (Capability) EnumDescriptor() ([]byte, []int) {
 	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{2}
 }

+type XFCCPolicy int32
+
+const (
+	// buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
+	// Do not send the XFCC header to the next hop. This is the default value.
+	XFCCPolicy_XFCC_POLICY_SANITIZE XFCCPolicy = 0
+	// When the client connection is mTLS (Mutual TLS), forward the XFCC header
+	// in the request.
+	XFCCPolicy_XFCC_POLICY_FORWARD_ONLY XFCCPolicy = 1
+	// When the client connection is mTLS, append the client certificate
+	// information to the request’s XFCC header and forward it.
+	XFCCPolicy_XFCC_POLICY_APPEND_FORWARD XFCCPolicy = 2
+	// When the client connection is mTLS, reset the XFCC header with the client
+	// certificate information and send it to the next hop.
+	XFCCPolicy_XFCC_POLICY_SANITIZE_SET XFCCPolicy = 3
+	// Always forward the XFCC header in the request, regardless of whether the
+	// client connection is mTLS.
+	XFCCPolicy_XFCC_POLICY_ALWAYS_FORWARD_ONLY XFCCPolicy = 4
+)
+
+// Enum value maps for XFCCPolicy.
+var (
+	XFCCPolicy_name = map[int32]string{
+		0: "XFCC_POLICY_SANITIZE",
+		1: "XFCC_POLICY_FORWARD_ONLY",
+		2: "XFCC_POLICY_APPEND_FORWARD",
+		3: "XFCC_POLICY_SANITIZE_SET",
+		4: "XFCC_POLICY_ALWAYS_FORWARD_ONLY",
+	}
+	XFCCPolicy_value = map[string]int32{
+		"XFCC_POLICY_SANITIZE":            0,
+		"XFCC_POLICY_FORWARD_ONLY":        1,
+		"XFCC_POLICY_APPEND_FORWARD":      2,
+		"XFCC_POLICY_SANITIZE_SET":        3,
+		"XFCC_POLICY_ALWAYS_FORWARD_ONLY": 4,
+	}
+)
+
+func (x XFCCPolicy) Enum() *XFCCPolicy {
+	p := new(XFCCPolicy)
+	*p = x
+	return p
+}
+
+func (x XFCCPolicy) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (XFCCPolicy) Descriptor() protoreflect.EnumDescriptor {
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes[3].Descriptor()
+}
+
+func (XFCCPolicy) Type() protoreflect.EnumType {
+	return &file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes[3]
+}
+
+func (x XFCCPolicy) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use XFCCPolicy.Descriptor instead.
+func (XFCCPolicy) EnumDescriptor() ([]byte, []int) {
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{3}
+}
+
 type L7Protocol int32

 const (
@ -206,11 +271,11 @@ func (x L7Protocol) String() string {
 }

 func (L7Protocol) Descriptor() protoreflect.EnumDescriptor {
-	return file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes[3].Descriptor()
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes[4].Descriptor()
 }

 func (L7Protocol) Type() protoreflect.EnumType {
-	return &file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes[3]
+	return &file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes[4]
 }

 func (x L7Protocol) Number() protoreflect.EnumNumber {
@ -219,7 +284,7 @@ func (x L7Protocol) Number() protoreflect.EnumNumber {

 // Deprecated: Use L7Protocol.Descriptor instead.
 func (L7Protocol) EnumDescriptor() ([]byte, []int) {
-	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{3}
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{4}
 }

 type Listener struct {
@ -740,32 +805,84 @@ func (*L4Destination_Cluster) isL4Destination_Destination() {}

 func (*L4Destination_WeightedClusters) isL4Destination_Destination() {}

-type L7Destination struct {
+type L7DestinationRoute struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

 	// name is a key in the top level routes map. This specifies which route to go to in this L7 destination.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+}
+
+func (x *L7DestinationRoute) Reset() {
+	*x = L7DestinationRoute{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *L7DestinationRoute) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*L7DestinationRoute) ProtoMessage() {}
+
+func (x *L7DestinationRoute) ProtoReflect() protoreflect.Message {
+	mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use L7DestinationRoute.ProtoReflect.Descriptor instead.
+func (*L7DestinationRoute) Descriptor() ([]byte, []int) {
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *L7DestinationRoute) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+type L7Destination struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// route specifies which route to go to in this L7 destination.
+	Route *L7DestinationRoute `protobuf:"bytes,1,opt,name=route,proto3" json:"route,omitempty"`
 	// stat_prefix is for compatibility with v1 xds configuration, so it is generated in exactly the same way.
 	StatPrefix string `protobuf:"bytes,2,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
 	// protocol for the destination.
 	Protocol L7Protocol `protobuf:"varint,3,opt,name=protocol,proto3,enum=hashicorp.consul.mesh.v2beta1.pbproxystate.L7Protocol" json:"protocol,omitempty"`
 	// traffic_permissions is a list of intentions for this destination.
 	TrafficPermissions *TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"`
-	// include_xfcc specifies whether to add xfcc header.
-	IncludeXfcc bool `protobuf:"varint,5,opt,name=include_xfcc,json=includeXfcc,proto3" json:"include_xfcc,omitempty"`
+	// include_xfcc specifies whether to add an xfcc policy for handling xfcc headers.
+	IncludeXfccPolicy bool `protobuf:"varint,5,opt,name=include_xfcc_policy,json=includeXfccPolicy,proto3" json:"include_xfcc_policy,omitempty"`
+	// xfcc_policy determines how to handle xfcc headers.
+	XfccPolicy XFCCPolicy `protobuf:"varint,6,opt,name=xfcc_policy,json=xfccPolicy,proto3,enum=hashicorp.consul.mesh.v2beta1.pbproxystate.XFCCPolicy" json:"xfcc_policy,omitempty"`
+	// parse_xfcc_headers determines whether to add filters to parse xfcc headers on incoming connections.
+	ParseXfccHeaders bool `protobuf:"varint,7,opt,name=parse_xfcc_headers,json=parseXfccHeaders,proto3" json:"parse_xfcc_headers,omitempty"`
 	// static_route specifies whether this is a static route that is inlined in the listener filter. This is required to
 	// match existing xds config.
-	StaticRoute bool `protobuf:"varint,6,opt,name=static_route,json=staticRoute,proto3" json:"static_route,omitempty"`
+	StaticRoute bool `protobuf:"varint,8,opt,name=static_route,json=staticRoute,proto3" json:"static_route,omitempty"`
 	// max_inbound_connections specifies how many connections this destination can accept.
-	MaxInboundConnections uint64 `protobuf:"varint,7,opt,name=max_inbound_connections,json=maxInboundConnections,proto3" json:"max_inbound_connections,omitempty"`
+	MaxInboundConnections uint64 `protobuf:"varint,9,opt,name=max_inbound_connections,json=maxInboundConnections,proto3" json:"max_inbound_connections,omitempty"`
 }

 func (x *L7Destination) Reset() {
 	*x = L7Destination{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[5]
+		mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[6]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@ -778,7 +895,7 @@ func (x *L7Destination) String() string {
 func (*L7Destination) ProtoMessage() {}

 func (x *L7Destination) ProtoReflect() protoreflect.Message {
-	mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[5]
+	mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[6]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@ -791,14 +908,14 @@ func (x *L7Destination) ProtoReflect() protoreflect.Message {

 // Deprecated: Use L7Destination.ProtoReflect.Descriptor instead.
 func (*L7Destination) Descriptor() ([]byte, []int) {
-	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{5}
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{6}
 }

-func (x *L7Destination) GetName() string {
+func (x *L7Destination) GetRoute() *L7DestinationRoute {
 	if x != nil {
-		return x.Name
+		return x.Route
 	}
-	return ""
+	return nil
 }

 func (x *L7Destination) GetStatPrefix() string {
@ -822,9 +939,23 @@ func (x *L7Destination) GetTrafficPermissions() *TrafficPermissions {
 	return nil
 }

-func (x *L7Destination) GetIncludeXfcc() bool {
+func (x *L7Destination) GetIncludeXfccPolicy() bool {
 	if x != nil {
-		return x.IncludeXfcc
+		return x.IncludeXfccPolicy
+	}
+	return false
+}
+
+func (x *L7Destination) GetXfccPolicy() XFCCPolicy {
+	if x != nil {
+		return x.XfccPolicy
+	}
+	return XFCCPolicy_XFCC_POLICY_SANITIZE
+}
+
+func (x *L7Destination) GetParseXfccHeaders() bool {
+	if x != nil {
+		return x.ParseXfccHeaders
 	}
 	return false
 }
@ -855,7 +986,7 @@ type SNIDestination struct {
 func (x *SNIDestination) Reset() {
 	*x = SNIDestination{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[6]
+		mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@ -868,7 +999,7 @@ func (x *SNIDestination) String() string {
 func (*SNIDestination) ProtoMessage() {}

 func (x *SNIDestination) ProtoReflect() protoreflect.Message {
-	mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[6]
+	mi := &file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@ -881,7 +1012,7 @@ func (x *SNIDestination) ProtoReflect() protoreflect.Message {

 // Deprecated: Use SNIDestination.ProtoReflect.Descriptor instead.
 func (*SNIDestination) Descriptor() ([]byte, []int) {
-	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{6}
+	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP(), []int{7}
 }

 func (x *SNIDestination) GetStatPrefix() string {
@ -1047,30 +1178,46 @@ var file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDesc = []byte{
 	0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01,
 	0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f,
 	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0d, 0x0a, 0x0b, 0x64, 0x65, 0x73,
-	0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x87, 0x03, 0x0a, 0x0d, 0x4c, 0x37, 0x44,
-	0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61,
-	0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f,
-	0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12,
-	0x52, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f,
-	0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61,
-	0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c,
-	0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x12, 0x6f, 0x0a, 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70,
-	0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x3e, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e,
-	0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31,
-	0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x54, 0x72,
+	0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x28, 0x0a, 0x12, 0x4c, 0x37, 0x44, 0x65,
+	0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x12,
+	0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
+	0x6d, 0x65, 0x22, 0xdd, 0x04, 0x0a, 0x0d, 0x4c, 0x37, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x12, 0x54, 0x0a, 0x05, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
+	0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65,
+	0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
+	0x2e, 0x4c, 0x37, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x52, 0x05, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74,
+	0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x52, 0x0a, 0x08, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x36, 0x2e,
+	0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c,
+	0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62,
+	0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x50, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12,
+	0x6f, 0x0a, 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69,
+	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x68,
+	0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e,
+	0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70,
+	0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69,
+	0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72,
 	0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73,
-	0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f,
-	0x78, 0x66, 0x63, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x69, 0x6e, 0x63, 0x6c,
-	0x75, 0x64, 0x65, 0x58, 0x66, 0x63, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69,
-	0x63, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73,
+	0x12, 0x2e, 0x0a, 0x13, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x66, 0x63, 0x63,
+	0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x69,
+	0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x58, 0x66, 0x63, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+	0x12, 0x57, 0x0a, 0x0b, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
+	0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32,
+	0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61,
+	0x74, 0x65, 0x2e, 0x58, 0x46, 0x43, 0x43, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0a, 0x78,
+	0x66, 0x63, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x70, 0x61, 0x72,
+	0x73, 0x65, 0x5f, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18,
+	0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x70, 0x61, 0x72, 0x73, 0x65, 0x58, 0x66, 0x63, 0x63,
+	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69,
+	0x63, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73,
 	0x74, 0x61, 0x74, 0x69, 0x63, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61,
 	0x78, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78,
+	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78,
 	0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
 	0x6e, 0x73, 0x22, 0x31, 0x0a, 0x0e, 0x53, 0x4e, 0x49, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61,
 	0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65,
@ -1093,34 +1240,44 @@ var file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDesc = []byte{
 	0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f,
 	0x4e, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54,
 	0x59, 0x5f, 0x4c, 0x34, 0x5f, 0x54, 0x4c, 0x53, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54,
-	0x49, 0x4f, 0x4e, 0x10, 0x02, 0x2a, 0x4f, 0x0a, 0x0a, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43,
-	0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4c, 0x37, 0x5f,
-	0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x01,
-	0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f,
-	0x47, 0x52, 0x50, 0x43, 0x10, 0x02, 0x42, 0xd3, 0x02, 0x0a, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x68,
-	0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e,
-	0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70,
-	0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x42, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65,
-	0x6e, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x44, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
-	0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75,
-	0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65,
-	0x74, 0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
-	0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69,
-	0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68,
-	0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
-	0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
-	0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32,
-	0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61,
-	0x74, 0x65, 0xe2, 0x02, 0x36, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43,
-	0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c,
-	0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2e, 0x48, 0x61,
-	0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a,
-	0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3a, 0x3a,
-	0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
+	0x49, 0x4f, 0x4e, 0x10, 0x02, 0x2a, 0xa7, 0x01, 0x0a, 0x0a, 0x58, 0x46, 0x43, 0x43, 0x50, 0x6f,
+	0x6c, 0x69, 0x63, 0x79, 0x12, 0x18, 0x0a, 0x14, 0x58, 0x46, 0x43, 0x43, 0x5f, 0x50, 0x4f, 0x4c,
+	0x49, 0x43, 0x59, 0x5f, 0x53, 0x41, 0x4e, 0x49, 0x54, 0x49, 0x5a, 0x45, 0x10, 0x00, 0x12, 0x1c,
+	0x0a, 0x18, 0x58, 0x46, 0x43, 0x43, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x5f, 0x46, 0x4f,
+	0x52, 0x57, 0x41, 0x52, 0x44, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a,
+	0x58, 0x46, 0x43, 0x43, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x5f, 0x41, 0x50, 0x50, 0x45,
+	0x4e, 0x44, 0x5f, 0x46, 0x4f, 0x52, 0x57, 0x41, 0x52, 0x44, 0x10, 0x02, 0x12, 0x1c, 0x0a, 0x18,
+	0x58, 0x46, 0x43, 0x43, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x5f, 0x53, 0x41, 0x4e, 0x49,
+	0x54, 0x49, 0x5a, 0x45, 0x5f, 0x53, 0x45, 0x54, 0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x58, 0x46,
+	0x43, 0x43, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x5f, 0x41, 0x4c, 0x57, 0x41, 0x59, 0x53,
+	0x5f, 0x46, 0x4f, 0x52, 0x57, 0x41, 0x52, 0x44, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x2a,
+	0x4f, 0x0a, 0x0a, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a,
+	0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54,
+	0x50, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43,
+	0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37,
+	0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x47, 0x52, 0x50, 0x43, 0x10, 0x02,
+	0x42, 0xd3, 0x02, 0x0a, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
+	0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76,
+	0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74,
+	0x61, 0x74, 0x65, 0x42, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x50, 0x72, 0x6f,
+	0x74, 0x6f, 0x50, 0x01, 0x5a, 0x44, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75,
+	0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70,
+	0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x70, 0x62,
+	0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d,
+	0x56, 0x50, 0xaa, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43,
+	0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74,
+	0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xca,
+	0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73,
+	0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c,
+	0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, 0x02, 0x36, 0x48,
+	0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c,
+	0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70,
+	0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74,
+	0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
+	0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a,
+	0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3a, 0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@ -1135,55 +1292,59 @@ func file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescGZIP() []byte {
 	return file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDescData
 }

-var file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-var file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_pbmesh_v2beta1_pbproxystate_listener_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+var file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
 var file_pbmesh_v2beta1_pbproxystate_listener_proto_goTypes = []interface{}{
 	(Direction)(0),                 // 0: hashicorp.consul.mesh.v2beta1.pbproxystate.Direction
 	(BalanceConnections)(0),        // 1: hashicorp.consul.mesh.v2beta1.pbproxystate.BalanceConnections
 	(Capability)(0),                // 2: hashicorp.consul.mesh.v2beta1.pbproxystate.Capability
-	(L7Protocol)(0),                // 3: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Protocol
-	(*Listener)(nil),               // 4: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener
-	(*Router)(nil),                 // 5: hashicorp.consul.mesh.v2beta1.pbproxystate.Router
-	(*Match)(nil),                  // 6: hashicorp.consul.mesh.v2beta1.pbproxystate.Match
-	(*CidrRange)(nil),              // 7: hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange
-	(*L4Destination)(nil),          // 8: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination
-	(*L7Destination)(nil),          // 9: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination
-	(*SNIDestination)(nil),         // 10: hashicorp.consul.mesh.v2beta1.pbproxystate.SNIDestination
-	(*HostPortAddress)(nil),        // 11: hashicorp.consul.mesh.v2beta1.pbproxystate.HostPortAddress
-	(*UnixSocketAddress)(nil),      // 12: hashicorp.consul.mesh.v2beta1.pbproxystate.UnixSocketAddress
-	(*TransportSocket)(nil),        // 13: hashicorp.consul.mesh.v2beta1.pbproxystate.TransportSocket
-	(*wrapperspb.UInt32Value)(nil), // 14: google.protobuf.UInt32Value
-	(*DestinationCluster)(nil),     // 15: hashicorp.consul.mesh.v2beta1.pbproxystate.DestinationCluster
-	(*L4WeightedClusterGroup)(nil), // 16: hashicorp.consul.mesh.v2beta1.pbproxystate.L4WeightedClusterGroup
-	(*TrafficPermissions)(nil),     // 17: hashicorp.consul.mesh.v2beta1.pbproxystate.TrafficPermissions
+	(XFCCPolicy)(0),                // 3: hashicorp.consul.mesh.v2beta1.pbproxystate.XFCCPolicy
+	(L7Protocol)(0),                // 4: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Protocol
+	(*Listener)(nil),               // 5: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener
+	(*Router)(nil),                 // 6: hashicorp.consul.mesh.v2beta1.pbproxystate.Router
+	(*Match)(nil),                  // 7: hashicorp.consul.mesh.v2beta1.pbproxystate.Match
+	(*CidrRange)(nil),              // 8: hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange
+	(*L4Destination)(nil),          // 9: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination
+	(*L7DestinationRoute)(nil),     // 10: hashicorp.consul.mesh.v2beta1.pbproxystate.L7DestinationRoute
+	(*L7Destination)(nil),          // 11: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination
+	(*SNIDestination)(nil),         // 12: hashicorp.consul.mesh.v2beta1.pbproxystate.SNIDestination
+	(*HostPortAddress)(nil),        // 13: hashicorp.consul.mesh.v2beta1.pbproxystate.HostPortAddress
+	(*UnixSocketAddress)(nil),      // 14: hashicorp.consul.mesh.v2beta1.pbproxystate.UnixSocketAddress
+	(*TransportSocket)(nil),        // 15: hashicorp.consul.mesh.v2beta1.pbproxystate.TransportSocket
+	(*wrapperspb.UInt32Value)(nil), // 16: google.protobuf.UInt32Value
+	(*DestinationCluster)(nil),     // 17: hashicorp.consul.mesh.v2beta1.pbproxystate.DestinationCluster
+	(*L4WeightedClusterGroup)(nil), // 18: hashicorp.consul.mesh.v2beta1.pbproxystate.L4WeightedClusterGroup
+	(*TrafficPermissions)(nil),     // 19: hashicorp.consul.mesh.v2beta1.pbproxystate.TrafficPermissions
 }
 var file_pbmesh_v2beta1_pbproxystate_listener_proto_depIdxs = []int32{
 	0,  // 0: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.direction:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Direction
-	11, // 1: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.host_port:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.HostPortAddress
-	12, // 2: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.unix_socket:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.UnixSocketAddress
-	5,  // 3: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.routers:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Router
-	5,  // 4: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.default_router:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Router
+	13, // 1: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.host_port:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.HostPortAddress
+	14, // 2: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.unix_socket:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.UnixSocketAddress
+	6,  // 3: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.routers:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Router
+	6,  // 4: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.default_router:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Router
 	2,  // 5: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.capabilities:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Capability
 	1,  // 6: hashicorp.consul.mesh.v2beta1.pbproxystate.Listener.balance_connections:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.BalanceConnections
-	6,  // 7: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.match:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Match
-	8,  // 8: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.l4:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination
-	9,  // 9: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.l7:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination
-	10, // 10: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.sni:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.SNIDestination
-	13, // 11: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.inbound_tls:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.TransportSocket
-	14, // 12: hashicorp.consul.mesh.v2beta1.pbproxystate.Match.destination_port:type_name -> google.protobuf.UInt32Value
-	7,  // 13: hashicorp.consul.mesh.v2beta1.pbproxystate.Match.prefix_ranges:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange
-	7,  // 14: hashicorp.consul.mesh.v2beta1.pbproxystate.Match.source_prefix_ranges:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange
-	14, // 15: hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange.prefix_len:type_name -> google.protobuf.UInt32Value
-	15, // 16: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination.cluster:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.DestinationCluster
-	16, // 17: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination.weighted_clusters:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L4WeightedClusterGroup
-	17, // 18: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.TrafficPermissions
-	3,  // 19: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination.protocol:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L7Protocol
-	17, // 20: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.TrafficPermissions
-	21, // [21:21] is the sub-list for method output_type
-	21, // [21:21] is the sub-list for method input_type
-	21, // [21:21] is the sub-list for extension type_name
-	21, // [21:21] is the sub-list for extension extendee
-	0,  // [0:21] is the sub-list for field type_name
+	7,  // 7: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.match:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.Match
+	9,  // 8: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.l4:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination
+	11, // 9: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.l7:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination
+	12, // 10: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.sni:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.SNIDestination
+	15, // 11: hashicorp.consul.mesh.v2beta1.pbproxystate.Router.inbound_tls:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.TransportSocket
+	16, // 12: hashicorp.consul.mesh.v2beta1.pbproxystate.Match.destination_port:type_name -> google.protobuf.UInt32Value
+	8,  // 13: hashicorp.consul.mesh.v2beta1.pbproxystate.Match.prefix_ranges:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange
+	8,  // 14: hashicorp.consul.mesh.v2beta1.pbproxystate.Match.source_prefix_ranges:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange
+	16, // 15: hashicorp.consul.mesh.v2beta1.pbproxystate.CidrRange.prefix_len:type_name -> google.protobuf.UInt32Value
+	17, // 16: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination.cluster:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.DestinationCluster
+	18, // 17: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination.weighted_clusters:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L4WeightedClusterGroup
+	19, // 18: hashicorp.consul.mesh.v2beta1.pbproxystate.L4Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.TrafficPermissions
+	10, // 19: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination.route:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L7DestinationRoute
+	4,  // 20: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination.protocol:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.L7Protocol
+	19, // 21: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.TrafficPermissions
+	3,  // 22: hashicorp.consul.mesh.v2beta1.pbproxystate.L7Destination.xfcc_policy:type_name -> hashicorp.consul.mesh.v2beta1.pbproxystate.XFCCPolicy
+	23, // [23:23] is the sub-list for method output_type
+	23, // [23:23] is the sub-list for method input_type
+	23, // [23:23] is the sub-list for extension type_name
+	23, // [23:23] is the sub-list for extension extendee
+	0,  // [0:23] is the sub-list for field type_name
 }

 func init() { file_pbmesh_v2beta1_pbproxystate_listener_proto_init() }
@ -1257,7 +1418,7 @@ func file_pbmesh_v2beta1_pbproxystate_listener_proto_init() {
 			}
 		}
 		file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*L7Destination); i {
+			switch v := v.(*L7DestinationRoute); i {
 			case 0:
 				return &v.state
 			case 1:
@ -1269,6 +1430,18 @@ func file_pbmesh_v2beta1_pbproxystate_listener_proto_init() {
 			}
 		}
 		file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*L7Destination); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pbmesh_v2beta1_pbproxystate_listener_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SNIDestination); i {
 			case 0:
 				return &v.state
@ -1299,8 +1472,8 @@ func file_pbmesh_v2beta1_pbproxystate_listener_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_pbmesh_v2beta1_pbproxystate_listener_proto_rawDesc,
-			NumEnums:      4,
-			NumMessages:   7,
+			NumEnums:      5,
+			NumMessages:   8,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/proto-public/pbmesh/v2beta1/pbproxystate/listener.proto
+++ b/proto-public/pbmesh/v2beta1/pbproxystate/listener.proto
@ -102,22 +102,49 @@ message L4Destination {
  uint64 max_inbound_connections = 5;
 }

-message L7Destination {
+message L7DestinationRoute {
  // name is a key in the top level routes map. This specifies which route to go to in this L7 destination.
  string name = 1;
+}
+
+message L7Destination {
+  // route specifies which route to go to in this L7 destination.
+  L7DestinationRoute route = 1;
  // stat_prefix is for compatibility with v1 xds configuration, so it is generated in exactly the same way.
  string stat_prefix = 2;
  // protocol for the destination.
  L7Protocol protocol = 3;
  // traffic_permissions is a list of intentions for this destination.
  TrafficPermissions traffic_permissions = 4;
-  // include_xfcc specifies whether to add xfcc header.
-  bool include_xfcc = 5;
+  // include_xfcc specifies whether to add an xfcc policy for handling xfcc headers.
+  bool include_xfcc_policy = 5;
+  // xfcc_policy determines how to handle xfcc headers.
+  XFCCPolicy xfcc_policy = 6;
+  // parse_xfcc_headers determines whether to add filters to parse xfcc headers on incoming connections.
+  bool parse_xfcc_headers = 7;
  // static_route specifies whether this is a static route that is inlined in the listener filter. This is required to
  // match existing xds config.
-  bool static_route = 6;
+  bool static_route = 8;
  // max_inbound_connections specifies how many connections this destination can accept.
-  uint64 max_inbound_connections = 7;
+  uint64 max_inbound_connections = 9;
+}
+
+enum XFCCPolicy {
+  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
+  // Do not send the XFCC header to the next hop. This is the default value.
+  XFCC_POLICY_SANITIZE = 0;
+  // When the client connection is mTLS (Mutual TLS), forward the XFCC header
+  // in the request.
+  XFCC_POLICY_FORWARD_ONLY = 1;
+  // When the client connection is mTLS, append the client certificate
+  // information to the request’s XFCC header and forward it.
+  XFCC_POLICY_APPEND_FORWARD = 2;
+  // When the client connection is mTLS, reset the XFCC header with the client
+  // certificate information and send it to the next hop.
+  XFCC_POLICY_SANITIZE_SET = 3;
+  // Always forward the XFCC header in the request, regardless of whether the
+  // client connection is mTLS.
+  XFCC_POLICY_ALWAYS_FORWARD_ONLY = 4;
 }

 enum L7Protocol {