From 2ec86c11f3c7138b099669bb270b0c5ffcdb6f83 Mon Sep 17 00:00:00 2001 From: Chengyuan Zhang Date: Thu, 27 Feb 2020 13:25:49 -0800 Subject: [PATCH] xds: update envoy proto and udpa proto (v1.28.v backport) (#6769) Update envoy proto to c0ab3a4374144728c1e193fc2d43951ed36ccdb7 and udpa proto to edbea6a78f6d1ba34edc69c53a396b1d88d59651. --- .../v2/ScopedRoutesDiscoveryServiceGrpc.java | 10 - .../v2/VirtualHostDiscoveryServiceGrpc.java | 40 +- .../main/java/io/grpc/xds/Bootstrapper.java | 1 + .../java/io/grpc/xds/BootstrapperTest.java | 5 + .../io/grpc/xds/EnvoyServerProtoDataTest.java | 1 + .../java/io/grpc/xds/XdsClientTestHelper.java | 1 + .../sds/CommonTlsContextTestsUtil.java | 1 + .../sds/SdsClientFileBasedMetadataTest.java | 1 + .../sds/trust/SdsX509TrustManagerTest.java | 11 + xds/third_party/envoy/import.sh | 16 +- .../proto/envoy/annotations/deprecation.proto | 22 + .../proto/envoy/annotations/resource.proto | 18 + .../main/proto/envoy/api/v2/auth/cert.proto | 104 +- .../src/main/proto/envoy/api/v2/cds.proto | 825 +-------- .../src/main/proto/envoy/api/v2/cluster.proto | 848 ++++++++++ .../api/v2/cluster/circuit_breaker.proto | 49 +- .../proto/envoy/api/v2/cluster/filter.proto | 14 +- .../api/v2/cluster/outlier_detection.proto | 15 +- .../proto/envoy/api/v2/core/address.proto | 16 +- .../main/proto/envoy/api/v2/core/base.proto | 103 +- .../envoy/api/v2/core/config_source.proto | 45 +- .../envoy/api/v2/core/grpc_service.proto | 70 +- .../envoy/api/v2/core/health_check.proto | 60 +- .../proto/envoy/api/v2/core/http_uri.proto | 10 +- .../proto/envoy/api/v2/core/protocol.proto | 90 +- .../main/proto/envoy/api/v2/discovery.proto | 16 +- .../src/main/proto/envoy/api/v2/eds.proto | 119 +- .../main/proto/envoy/api/v2/endpoint.proto | 117 ++ .../envoy/api/v2/endpoint/endpoint.proto | 123 +- .../api/v2/endpoint/endpoint_components.proto | 131 ++ .../envoy/api/v2/endpoint/load_report.proto | 38 +- .../src/main/proto/envoy/api/v2/lds.proto | 203 +-- .../main/proto/envoy/api/v2/listener.proto | 239 +++ .../envoy/api/v2/listener/listener.proto | 203 +-- .../api/v2/listener/listener_components.proto | 271 +++ .../api/v2/listener/udp_listener_config.proto | 18 +- .../src/main/proto/envoy/api/v2/rds.proto | 115 +- .../src/main/proto/envoy/api/v2/route.proto | 105 ++ .../main/proto/envoy/api/v2/route/route.proto | 1395 +-------------- .../envoy/api/v2/route/route_components.proto | 1495 +++++++++++++++++ .../proto/envoy/api/v2/scoped_route.proto | 107 ++ .../src/main/proto/envoy/api/v2/srds.proto | 123 +- .../filter/accesslog/v2/accesslog.proto | 30 +- .../v2/http_connection_manager.proto | 67 +- .../config/listener/v2/api_listener.proto | 12 +- .../envoy/service/discovery/v2/ads.proto | 6 +- .../envoy/service/discovery/v2/sds.proto | 40 +- .../envoy/service/load_stats/v2/lrs.proto | 16 +- .../src/main/proto/envoy/type/http.proto | 20 + .../main/proto/envoy/type/matcher/regex.proto | 10 +- .../proto/envoy/type/matcher/string.proto | 23 +- .../envoy/type/metadata/v2/metadata.proto | 97 ++ .../src/main/proto/envoy/type/percent.proto | 6 +- .../src/main/proto/envoy/type/range.proto | 12 +- .../proto/envoy/type/semantic_version.proto | 20 + .../envoy/type/tracing/v2/custom_tag.proto | 83 + xds/third_party/udpa/import.sh | 4 +- .../main/proto/udpa/annotations/migrate.proto | 49 + .../proto/udpa/annotations/sensitive.proto | 14 + 59 files changed, 4477 insertions(+), 3226 deletions(-) create mode 100644 xds/third_party/envoy/src/main/proto/envoy/annotations/deprecation.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/annotations/resource.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/type/http.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto create mode 100644 xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto create mode 100644 xds/third_party/udpa/src/main/proto/udpa/annotations/migrate.proto create mode 100644 xds/third_party/udpa/src/main/proto/udpa/annotations/sensitive.proto diff --git a/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java b/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java index c19809f816e..db849c6b984 100644 --- a/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java +++ b/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java @@ -17,8 +17,6 @@ /** * 
- * [#protodoc-title: HTTP scoped routing configuration]
- * * Routing :ref:`architecture overview <arch_overview_http_routing>`
  * The Scoped Routes Discovery Service (SRDS) API distributes
  * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
  * resources. Each ScopedRouteConfiguration resource represents a "routing
@@ -177,8 +175,6 @@ public ScopedRoutesDiscoveryServiceFutureStub newStub(io.grpc.Channel channel, i
 
   /**
    * 
-   * [#protodoc-title: HTTP scoped routing configuration]
-   * * Routing :ref:`architecture overview <arch_overview_http_routing>`
    * The Scoped Routes Discovery Service (SRDS) API distributes
    * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
    * resources. Each ScopedRouteConfiguration resource represents a "routing
@@ -240,8 +236,6 @@ public void fetchScopedRoutes(io.envoyproxy.envoy.api.v2.DiscoveryRequest reques
 
   /**
    * 
-   * [#protodoc-title: HTTP scoped routing configuration]
-   * * Routing :ref:`architecture overview <arch_overview_http_routing>`
    * The Scoped Routes Discovery Service (SRDS) API distributes
    * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
    * resources. Each ScopedRouteConfiguration resource represents a "routing
@@ -290,8 +284,6 @@ public void fetchScopedRoutes(io.envoyproxy.envoy.api.v2.DiscoveryRequest reques
 
   /**
    * 
-   * [#protodoc-title: HTTP scoped routing configuration]
-   * * Routing :ref:`architecture overview <arch_overview_http_routing>`
    * The Scoped Routes Discovery Service (SRDS) API distributes
    * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
    * resources. Each ScopedRouteConfiguration resource represents a "routing
@@ -323,8 +315,6 @@ public io.envoyproxy.envoy.api.v2.DiscoveryResponse fetchScopedRoutes(io.envoypr
 
   /**
    * 
-   * [#protodoc-title: HTTP scoped routing configuration]
-   * * Routing :ref:`architecture overview <arch_overview_http_routing>`
    * The Scoped Routes Discovery Service (SRDS) API distributes
    * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
    * resources. Each ScopedRouteConfiguration resource represents a "routing
diff --git a/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/VirtualHostDiscoveryServiceGrpc.java b/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/VirtualHostDiscoveryServiceGrpc.java
index dac821b715e..4b2272666f5 100644
--- a/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/VirtualHostDiscoveryServiceGrpc.java
+++ b/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/VirtualHostDiscoveryServiceGrpc.java
@@ -20,13 +20,13 @@
  * Virtual Host Discovery Service (VHDS) is used to dynamically update the list of virtual hosts for
  * a given RouteConfiguration. If VHDS is configured a virtual host list update will be triggered
  * during the processing of an HTTP request if a route for the request cannot be resolved. The
- * :ref:`resource_names_subscribe <envoy_api_msg_DeltaDiscoveryRequest.resource_names_subscribe>`
+ * :ref:`resource_names_subscribe <envoy_api_field_DeltaDiscoveryRequest.resource_names_subscribe>`
  * field contains a list of virtual host names or aliases to track. The contents of an alias would
  * be the contents of a *host* or *authority* header used to make an http request. An xDS server
  * will match an alias to a virtual host based on the content of :ref:`domains'
- * <envoy_api_msg_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field contains
- * a list of virtual host names that have been :ref:`unsubscribed <xds_protocol_unsubscribe>`
- * from the routing table associated with the RouteConfiguration.
+ * <envoy_api_field_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field
+ * contains a list of virtual host names that have been :ref:`unsubscribed
+ * <xds_protocol_unsubscribe>` from the routing table associated with the RouteConfiguration.
  * 

  */
 @javax.annotation.Generated(
@@ -119,13 +119,13 @@ public VirtualHostDiscoveryServiceFutureStub newStub(io.grpc.Channel channel, io
    * Virtual Host Discovery Service (VHDS) is used to dynamically update the list of virtual hosts for
    * a given RouteConfiguration. If VHDS is configured a virtual host list update will be triggered
    * during the processing of an HTTP request if a route for the request cannot be resolved. The
-   * :ref:`resource_names_subscribe <envoy_api_msg_DeltaDiscoveryRequest.resource_names_subscribe>`
+   * :ref:`resource_names_subscribe <envoy_api_field_DeltaDiscoveryRequest.resource_names_subscribe>`
    * field contains a list of virtual host names or aliases to track. The contents of an alias would
    * be the contents of a *host* or *authority* header used to make an http request. An xDS server
    * will match an alias to a virtual host based on the content of :ref:`domains'
-   * <envoy_api_msg_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field contains
-   * a list of virtual host names that have been :ref:`unsubscribed <xds_protocol_unsubscribe>`
-   * from the routing table associated with the RouteConfiguration.
+   * <envoy_api_field_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field
+   * contains a list of virtual host names that have been :ref:`unsubscribed
+   * <xds_protocol_unsubscribe>` from the routing table associated with the RouteConfiguration.
    * 

    */
   public static abstract class VirtualHostDiscoveryServiceImplBase implements io.grpc.BindableService {
@@ -155,13 +155,13 @@ public io.grpc.stub.StreamObserver
    */
   public static final class VirtualHostDiscoveryServiceStub extends io.grpc.stub.AbstractAsyncStub {
@@ -190,13 +190,13 @@ public io.grpc.stub.StreamObserver
    */
   public static final class VirtualHostDiscoveryServiceBlockingStub extends io.grpc.stub.AbstractBlockingStub {
@@ -217,13 +217,13 @@ protected VirtualHostDiscoveryServiceBlockingStub build(
    * Virtual Host Discovery Service (VHDS) is used to dynamically update the list of virtual hosts for
    * a given RouteConfiguration. If VHDS is configured a virtual host list update will be triggered
    * during the processing of an HTTP request if a route for the request cannot be resolved. The
-   * :ref:`resource_names_subscribe <envoy_api_msg_DeltaDiscoveryRequest.resource_names_subscribe>`
+   * :ref:`resource_names_subscribe <envoy_api_field_DeltaDiscoveryRequest.resource_names_subscribe>`
    * field contains a list of virtual host names or aliases to track. The contents of an alias would
    * be the contents of a *host* or *authority* header used to make an http request. An xDS server
    * will match an alias to a virtual host based on the content of :ref:`domains'
-   * <envoy_api_msg_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field contains
-   * a list of virtual host names that have been :ref:`unsubscribed <xds_protocol_unsubscribe>`
-   * from the routing table associated with the RouteConfiguration.
+   * <envoy_api_field_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field
+   * contains a list of virtual host names that have been :ref:`unsubscribed
+   * <xds_protocol_unsubscribe>` from the routing table associated with the RouteConfiguration.
    * 

    */
   public static final class VirtualHostDiscoveryServiceFutureStub extends io.grpc.stub.AbstractFutureStub {
diff --git a/xds/src/main/java/io/grpc/xds/Bootstrapper.java b/xds/src/main/java/io/grpc/xds/Bootstrapper.java
index 3b3c38cc150..02de61e5c72 100644
--- a/xds/src/main/java/io/grpc/xds/Bootstrapper.java
+++ b/xds/src/main/java/io/grpc/xds/Bootstrapper.java
@@ -74,6 +74,7 @@ public static Bootstrapper getInstance() {
   public abstract BootstrapInfo readBootstrap() throws IOException;
 
   @VisibleForTesting
+  @SuppressWarnings("deprecation")
   static BootstrapInfo parseConfig(String rawData) throws IOException {
     XdsLogger logger = XdsLogger.withPrefix(LOG_PREFIX);
     logger.log(XdsLogLevel.INFO, "Reading bootstrap information");
diff --git a/xds/src/test/java/io/grpc/xds/BootstrapperTest.java b/xds/src/test/java/io/grpc/xds/BootstrapperTest.java
index 87c46dcc32d..b1b227dcfae 100644
--- a/xds/src/test/java/io/grpc/xds/BootstrapperTest.java
+++ b/xds/src/test/java/io/grpc/xds/BootstrapperTest.java
@@ -41,6 +41,7 @@ public class BootstrapperTest {
   @Rule public ExpectedException thrown = ExpectedException.none();
 
   @Test
+  @SuppressWarnings("deprecation")
   public void parseBootstrap_validData_singleXdsServer() throws IOException {
     String rawData = "{\n"
         + "  \"node\": {\n"
@@ -96,6 +97,7 @@ public void parseBootstrap_validData_singleXdsServer() throws IOException {
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void parseBootstrap_validData_multipleXdsServers() throws IOException {
     String rawData = "{\n"
         + "  \"node\": {\n"
@@ -160,6 +162,7 @@ public void parseBootstrap_validData_multipleXdsServers() throws IOException {
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void parseBootstrap_IgnoreIrrelevantFields() throws IOException {
     String rawData = "{\n"
         + "  \"node\": {\n"
@@ -225,6 +228,7 @@ public void parseBootstrap_emptyData() throws IOException {
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void parseBootstrap_minimumRequiredFields() throws IOException {
     String rawData = "{\n"
         + "  \"xds_servers\": []\n"
@@ -241,6 +245,7 @@ public void parseBootstrap_minimumRequiredFields() throws IOException {
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void parseBootstrap_minimalUsableData() throws IOException {
     String rawData = "{\n"
         + "  \"xds_servers\": [\n"
diff --git a/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java b/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java
index a9e76474b2c..c132410001e 100644
--- a/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java
+++ b/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java
@@ -107,6 +107,7 @@ private static FilterChain createOutFilter() {
     return filterChain;
   }
 
+  @SuppressWarnings("deprecation")
   private static FilterChain createInFilter() {
     FilterChain filterChain =
         FilterChain.newBuilder()
diff --git a/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java b/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java
index 6ef308f0e3d..2090c3af339 100644
--- a/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java
+++ b/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java
@@ -125,6 +125,7 @@ static Cluster buildCluster(String clusterName, @Nullable String edsServiceName,
     return buildSecureCluster(clusterName, edsServiceName, enableLrs, null);
   }
 
+  @SuppressWarnings("deprecation")
   static Cluster buildSecureCluster(String clusterName, @Nullable String edsServiceName,
       boolean enableLrs, @Nullable UpstreamTlsContext upstreamTlsContext) {
     Cluster.Builder clusterBuilder = Cluster.newBuilder();
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java
index 0fc7511c2f7..fec1e8daf37 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java
@@ -77,6 +77,7 @@ static CommonTlsContext buildCommonTlsContextFromSdsConfigForTlsCertificate(
   }
 
   /** takes additional values and creates CombinedCertificateValidationContext as needed. */
+  @SuppressWarnings("deprecation")
   static CommonTlsContext buildCommonTlsContextWithAdditionalValues(
       String certName,
       String certTargetUri,
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java
index d67e37649b2..fda58feaaae 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java
@@ -68,6 +68,7 @@ public class SdsClientFileBasedMetadataTest {
   private SdsSecretConfig sdsSecretConfig;
   private File tempTokenFile;
 
+  @SuppressWarnings("deprecation")
   static ConfigSource buildConfigSourceWithCreds(
       String targetUri,
       String channelType,
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
index b0618bfd0fa..78cadd4453b 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
@@ -93,6 +93,7 @@ public void emptySanListContextTest() throws CertificateException, IOException {
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void missingPeerCerts() throws CertificateException, FileNotFoundException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
@@ -106,6 +107,7 @@ public void missingPeerCerts() throws CertificateException, FileNotFoundExceptio
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void emptyArrayPeerCerts() throws CertificateException, FileNotFoundException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
@@ -119,6 +121,7 @@ public void emptyArrayPeerCerts() throws CertificateException, FileNotFoundExcep
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void noSansInPeerCerts() throws CertificateException, IOException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
@@ -134,6 +137,7 @@ public void noSansInPeerCerts() throws CertificateException, IOException {
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void oneSanInPeerCertsVerifies() throws CertificateException, IOException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder()
@@ -146,6 +150,7 @@ public void oneSanInPeerCertsVerifies() throws CertificateException, IOException
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void oneSanInPeerCertsVerifiesMultipleVerifySans()
       throws CertificateException, IOException {
     CertificateValidationContext certContext =
@@ -160,6 +165,7 @@ public void oneSanInPeerCertsVerifiesMultipleVerifySans()
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void oneSanInPeerCertsNotFoundException()
       throws CertificateException, IOException {
     CertificateValidationContext certContext =
@@ -176,6 +182,7 @@ public void oneSanInPeerCertsNotFoundException()
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void wildcardSanInPeerCertsVerifiesMultipleVerifySans()
       throws CertificateException, IOException {
     CertificateValidationContext certContext =
@@ -190,6 +197,7 @@ public void wildcardSanInPeerCertsVerifiesMultipleVerifySans()
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void wildcardSanInPeerCertsVerifiesMultipleVerifySans1()
       throws CertificateException, IOException {
     CertificateValidationContext certContext =
@@ -204,6 +212,7 @@ public void wildcardSanInPeerCertsVerifiesMultipleVerifySans1()
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void wildcardSanInPeerCertsSubdomainMismatch()
       throws CertificateException, IOException {
     // 2. Asterisk (*) cannot match across domain name labels.
@@ -225,6 +234,7 @@ public void wildcardSanInPeerCertsSubdomainMismatch()
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder()
@@ -238,6 +248,7 @@ public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOExc
   }
 
   @Test
+  @SuppressWarnings("deprecation")
   public void oneIpAddressInPeerCertsMismatch() throws CertificateException, IOException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder()
diff --git a/xds/third_party/envoy/import.sh b/xds/third_party/envoy/import.sh
index 7a253716b0b..ccc50b3522c 100755
--- a/xds/third_party/envoy/import.sh
+++ b/xds/third_party/envoy/import.sh
@@ -18,14 +18,17 @@
 set -e
 BRANCH=master
 # import VERSION from one of the google internal CLs
-VERSION=f709434b37e9ff74666d5b854aa11fb2f1ec37f3
+VERSION=c0ab3a4374144728c1e193fc2d43951ed36ccdb7
 GIT_REPO="https://github.com/envoyproxy/envoy.git"
 GIT_BASE_DIR=envoy
 SOURCE_PROTO_BASE_DIR=envoy/api
 TARGET_PROTO_BASE_DIR=src/main/proto
 FILES=(
+envoy/annotations/deprecation.proto
+envoy/annotations/resource.proto
 envoy/api/v2/auth/cert.proto
 envoy/api/v2/cds.proto
+envoy/api/v2/cluster.proto
 envoy/api/v2/cluster/circuit_breaker.proto
 envoy/api/v2/cluster/filter.proto
 envoy/api/v2/cluster/outlier_detection.proto
@@ -38,13 +41,20 @@ envoy/api/v2/core/http_uri.proto
 envoy/api/v2/core/protocol.proto
 envoy/api/v2/discovery.proto
 envoy/api/v2/eds.proto
+envoy/api/v2/endpoint.proto
 envoy/api/v2/endpoint/endpoint.proto
+envoy/api/v2/endpoint/endpoint_components.proto
 envoy/api/v2/endpoint/load_report.proto
 envoy/api/v2/lds.proto
+envoy/api/v2/listener.proto
 envoy/api/v2/listener/listener.proto
+envoy/api/v2/listener/listener_components.proto
 envoy/api/v2/listener/udp_listener_config.proto
 envoy/api/v2/rds.proto
+envoy/api/v2/route.proto
 envoy/api/v2/route/route.proto
+envoy/api/v2/route/route_components.proto
+envoy/api/v2/scoped_route.proto
 envoy/api/v2/srds.proto
 envoy/config/filter/accesslog/v2/accesslog.proto
 envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@@ -52,10 +62,14 @@ envoy/config/listener/v2/api_listener.proto
 envoy/service/discovery/v2/ads.proto
 envoy/service/discovery/v2/sds.proto
 envoy/service/load_stats/v2/lrs.proto
+envoy/type/http.proto
 envoy/type/matcher/regex.proto
 envoy/type/matcher/string.proto
+envoy/type/metadata/v2/metadata.proto
 envoy/type/percent.proto
 envoy/type/range.proto
+envoy/type/semantic_version.proto
+envoy/type/tracing/v2/custom_tag.proto
 )
 
 # clone the envoy github repo in a tmp directory
diff --git a/xds/third_party/envoy/src/main/proto/envoy/annotations/deprecation.proto b/xds/third_party/envoy/src/main/proto/envoy/annotations/deprecation.proto
new file mode 100644
index 00000000000..7f9b64e32b0
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/annotations/deprecation.proto
@@ -0,0 +1,22 @@
+syntax = "proto3";
+
+package envoy.annotations;
+
+import "google/protobuf/descriptor.proto";
+
+// [#protodoc-title: Deprecation]
+// Allows tagging proto fields as fatal by default. One Envoy release after
+// deprecation, deprecated fields will be disallowed by default, a state which
+// is reversible with :ref:`runtime overrides `.
+
+// Magic number in this file derived from top 28bit of SHA256 digest of
+// "envoy.annotation.disallowed_by_default"
+extend google.protobuf.FieldOptions {
+  bool disallowed_by_default = 189503207;
+}
+
+// Magic number in this file derived from top 28bit of SHA256 digest of
+// "envoy.annotation.disallowed_by_default_enum"
+extend google.protobuf.EnumValueOptions {
+  bool disallowed_by_default_enum = 70100853;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/annotations/resource.proto b/xds/third_party/envoy/src/main/proto/envoy/annotations/resource.proto
new file mode 100644
index 00000000000..bd794c68dd7
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/annotations/resource.proto
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package envoy.annotations;
+
+import "google/protobuf/descriptor.proto";
+
+// [#protodoc-title: Resource]
+
+// Magic number in this file derived from top 28bit of SHA256 digest of "envoy.annotation.resource".
+extend google.protobuf.ServiceOptions {
+  ResourceAnnotation resource = 265073217;
+}
+
+message ResourceAnnotation {
+  // Annotation for xDS services that indicates the fully-qualified Protobuf type for the resource
+  // type.
+  string type = 1;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto
index ebf199a4743..52e5e29a839 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto
@@ -2,19 +2,26 @@ syntax = "proto3";
 
 package envoy.api.v2.auth;
 
-option java_outer_classname = "CertProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.auth";
-
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";
+import "envoy/type/matcher/string.proto";
 
 import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
+import "udpa/annotations/sensitive.proto";
+
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.auth";
+option java_outer_classname = "CertProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package =
+    "envoy.extensions.transport_sockets.tls.v3";
+
 // [#protodoc-title: Common TLS configuration]
 
 message TlsParameters {
@@ -35,7 +42,8 @@ message TlsParameters {
     TLSv1_3 = 4;
   }
 
-  // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
+  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
+  // servers.
   TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
 
   // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
@@ -110,18 +118,19 @@ message PrivateKeyProvider {
 
   // Private key method provider specific configuration.
   oneof config_type {
-    google.protobuf.Struct config = 2;
+    google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true];
 
-    google.protobuf.Any typed_config = 3;
+    google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
   }
 }
 
+// [#next-free-field: 7]
 message TlsCertificate {
   // The TLS certificate chain.
   core.DataSource certificate_chain = 1;
 
   // The TLS private key.
-  core.DataSource private_key = 2;
+  core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
 
   // BoringSSL private key method provider. This is an alternative to :ref:`private_key
   // ` field. This can't be
@@ -134,7 +143,7 @@ message TlsCertificate {
 
   // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
   // TLS private key is not password encrypted.
-  core.DataSource password = 3;
+  core.DataSource password = 3 [(udpa.annotations.sensitive) = true];
 
   // [#not-implemented-hide:]
   core.DataSource ocsp_staple = 4;
@@ -167,10 +176,23 @@ message TlsSessionTicketKeys {
   //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
   //   * Rotate session ticket keys at least daily, and preferably hourly
   //   * Always generate keys using a cryptographically-secure random data source
-  repeated core.DataSource keys = 1 [(validate.rules).repeated = {min_items: 1}];
+  repeated core.DataSource keys = 1
+      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 
+// [#next-free-field: 11]
 message CertificateValidationContext {
+  // Peer certificate verification mode.
+  enum TrustChainVerification {
+    // Perform default certificate verification (e.g., against CA / verification lists)
+    VERIFY_TRUST_CHAIN = 0;
+
+    // Connections where the certificate fails verification will be permitted.
+    // For HTTP connections, the result of certificate verification can be used in route matching. (
+    // see :ref:`validated ` ).
+    ACCEPT_UNTRUSTED = 1;
+  }
+
   // TLS certificate data containing certificate authority certificates to use in verifying
   // a presented peer certificate (e.g. server certificate for clusters or client certificate
   // for listeners). If not specified and a peer certificate is presented it will not be
@@ -181,8 +203,8 @@ message CertificateValidationContext {
   // `,
   // :ref:`verify_certificate_hash
   // `, or
-  // :ref:`verify_subject_alt_name
-  // `) is also
+  // :ref:`match_subject_alt_names
+  // `) is also
   // specified.
   //
   // It can optionally contain certificate revocation lists, in which case Envoy will verify
@@ -262,7 +284,27 @@ message CertificateValidationContext {
   //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   //   therefore this option must be used together with :ref:`trusted_ca
   //   `.
-  repeated string verify_subject_alt_name = 4;
+  repeated string verify_subject_alt_name = 4 [deprecated = true];
+
+  // An optional list of Subject Alternative name matchers. Envoy will verify that the
+  // Subject Alternative Name of the presented certificate matches one of the specified matches.
+  //
+  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
+  // configured with exact match type in the :ref:`string matcher `.
+  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
+  // it should be configured as shown below.
+  //
+  // .. code-block:: yaml
+  //
+  // match_subject_alt_names:
+  //   exact: "api.example.com"
+  //
+  // .. attention::
+  //
+  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
+  //   therefore this option must be used together with :ref:`trusted_ca
+  //   `.
+  repeated type.matcher.StringMatcher match_subject_alt_names = 9;
 
   // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
   google.protobuf.BoolValue require_ocsp_staple = 5;
@@ -279,9 +321,14 @@ message CertificateValidationContext {
 
   // If specified, Envoy will not reject expired certificates.
   bool allow_expired_certificate = 8;
+
+  // Certificate trust chain verification mode.
+  TrustChainVerification trust_chain_verification = 10
+      [(validate.rules).enum = {defined_only: true}];
 }
 
 // TLS context shared by both client and server TLS contexts.
+// [#next-free-field: 9]
 message CommonTlsContext {
   message CombinedCertificateValidationContext {
     // How to validate peer certificates.
@@ -342,6 +389,12 @@ message CommonTlsContext {
 
 message UpstreamTlsContext {
   // Common TLS context settings.
+  //
+  // .. attention::
+  //
+  //   Server certificate verification is not enabled by default. Configure
+  //   :ref:`trusted_ca` to enable
+  //   verification.
   CommonTlsContext common_tls_context = 1;
 
   // SNI string to use when creating TLS backend connections.
@@ -361,6 +414,7 @@ message UpstreamTlsContext {
   google.protobuf.UInt32Value max_session_keys = 4;
 }
 
+// [#next-free-field: 7]
 message DownstreamTlsContext {
   // Common TLS context settings.
   CommonTlsContext common_tls_context = 1;
@@ -377,21 +431,35 @@ message DownstreamTlsContext {
     // TLS session ticket key settings.
     TlsSessionTicketKeys session_ticket_keys = 4;
 
-    // [#not-implemented-hide:]
+    // Config for fetching TLS session ticket keys via SDS API.
     SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
   }
+
+  // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
+  // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
+  // `
+  // only seconds could be specified (fractional seconds are going to be ignored).
+  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
+    lt {seconds: 4294967296}
+    gte {}
+  }];
+}
+
+message GenericSecret {
+  // Secret of generic type and is available to filters.
+  core.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
 }
 
 message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
-  // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
-  // When only name is specified, then secret will be loaded from static
-  // resources.
+  // When both name and config are specified, then secret can be fetched and/or reloaded via
+  // SDS. When only name is specified, then secret will be loaded from static resources.
   string name = 1;
 
   core.ConfigSource sds_config = 2;
 }
 
+// [#next-free-field: 6]
 message Secret {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   string name = 1;
@@ -402,5 +470,7 @@ message Secret {
     TlsSessionTicketKeys session_ticket_keys = 3;
 
     CertificateValidationContext validation_context = 4;
+
+    GenericSecret generic_secret = 5;
   }
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto
index cbd0eea5de4..dcd5c3fd0fb 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto
@@ -2,36 +2,27 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-option java_outer_classname = "CdsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2";
-option java_generic_services = true;
-
-import "envoy/api/v2/auth/cert.proto";
-import "envoy/api/v2/cluster/circuit_breaker.proto";
-import "envoy/api/v2/cluster/filter.proto";
-import "envoy/api/v2/cluster/outlier_detection.proto";
-import "envoy/api/v2/core/address.proto";
-import "envoy/api/v2/core/base.proto";
-import "envoy/api/v2/core/config_source.proto";
-import "envoy/api/v2/core/health_check.proto";
-import "envoy/api/v2/core/protocol.proto";
 import "envoy/api/v2/discovery.proto";
-import "envoy/api/v2/eds.proto";
-import "envoy/type/percent.proto";
 
 import "google/api/annotations.proto";
-import "google/protobuf/any.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
 
-import "validate/validate.proto";
+import "envoy/annotations/resource.proto";
+import "udpa/annotations/migrate.proto";
 
-// [#protodoc-title: Clusters]
+import public "envoy/api/v2/cluster.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "CdsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.cluster.v3";
+
+// [#protodoc-title: CDS]
 
 // Return list of all clusters this proxy will load balance to.
 service ClusterDiscoveryService {
+  option (envoy.annotations.resource).type = "envoy.api.v2.Cluster";
+
   rpc StreamClusters(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
   }
 
@@ -39,792 +30,12 @@ service ClusterDiscoveryService {
   }
 
   rpc FetchClusters(DiscoveryRequest) returns (DiscoveryResponse) {
-    option (google.api.http) = {
-      post: "/v2/discovery:clusters"
-      body: "*"
-    };
-  }
-}
-
-// Configuration for a single upstream cluster.
-// [#comment:next free field: 45]
-message Cluster {
-  // Refer to :ref:`service discovery type `
-  // for an explanation on each type.
-  enum DiscoveryType {
-    // Refer to the :ref:`static discovery type`
-    // for an explanation.
-    STATIC = 0;
-
-    // Refer to the :ref:`strict DNS discovery
-    // type`
-    // for an explanation.
-    STRICT_DNS = 1;
-
-    // Refer to the :ref:`logical DNS discovery
-    // type`
-    // for an explanation.
-    LOGICAL_DNS = 2;
-
-    // Refer to the :ref:`service discovery type`
-    // for an explanation.
-    EDS = 3;
-
-    // Refer to the :ref:`original destination discovery
-    // type`
-    // for an explanation.
-    ORIGINAL_DST = 4;
-  }
-
-  // Refer to :ref:`load balancer type ` architecture
-  // overview section for information on each type.
-  enum LbPolicy {
-    // Refer to the :ref:`round robin load balancing
-    // policy`
-    // for an explanation.
-    ROUND_ROBIN = 0;
-
-    // Refer to the :ref:`least request load balancing
-    // policy`
-    // for an explanation.
-    LEAST_REQUEST = 1;
-
-    // Refer to the :ref:`ring hash load balancing
-    // policy`
-    // for an explanation.
-    RING_HASH = 2;
-
-    // Refer to the :ref:`random load balancing
-    // policy`
-    // for an explanation.
-    RANDOM = 3;
-
-    // Refer to the :ref:`original destination load balancing
-    // policy`
-    // for an explanation.
-    //
-    // .. attention::
-    //
-    //   **This load balancing policy is deprecated**. Use CLUSTER_PROVIDED instead.
-    //
-    ORIGINAL_DST_LB = 4 [deprecated = true];
-
-    // Refer to the :ref:`Maglev load balancing policy`
-    // for an explanation.
-    MAGLEV = 5;
-
-    // This load balancer type must be specified if the configured cluster provides a cluster
-    // specific load balancer. Consult the configured cluster's documentation for whether to set
-    // this option or not.
-    CLUSTER_PROVIDED = 6;
-
-    // [#not-implemented-hide:] Use the new :ref:`load_balancing_policy
-    // ` field to determine the LB policy.
-    // [#next-major-version: In the v3 API, we should consider deprecating the lb_policy field
-    // and instead using the new load_balancing_policy field as the one and only mechanism for
-    // configuring this.]
-    LOAD_BALANCING_POLICY_CONFIG = 7;
-  }
-
-  // When V4_ONLY is selected, the DNS resolver will only perform a lookup for
-  // addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will
-  // only perform a lookup for addresses in the IPv6 family. If AUTO is
-  // specified, the DNS resolver will first perform a lookup for addresses in
-  // the IPv6 family and fallback to a lookup for addresses in the IPv4 family.
-  // For cluster types other than
-  // :ref:`STRICT_DNS` and
-  // :ref:`LOGICAL_DNS`,
-  // this setting is
-  // ignored.
-  enum DnsLookupFamily {
-    AUTO = 0;
-    V4_ONLY = 1;
-    V6_ONLY = 2;
-  }
-
-  enum ClusterProtocolSelection {
-    // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2).
-    // If :ref:`http2_protocol_options ` are
-    // present, HTTP2 will be used, otherwise HTTP1.1 will be used.
-    USE_CONFIGURED_PROTOCOL = 0;
-
-    // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection.
-    USE_DOWNSTREAM_PROTOCOL = 1;
-  }
-
-  // TransportSocketMatch specifies what transport socket config will be used
-  // when the match conditions are satisfied.
-  message TransportSocketMatch {
-    // The name of the match, used in stats generation.
-    string name = 1 [(validate.rules).string = {min_len: 1}];
-
-    // Optional endpoint metadata match criteria.
-    // The connection to the endpoint with metadata matching what is set in this field
-    // will use the transport socket configuration specified here.
-    // The endpoint's metadata entry in *envoy.transport_socket* is used to match
-    // against the values specified in this field.
-    google.protobuf.Struct match = 2;
-
-    // The configuration of the transport socket.
-    core.TransportSocket transport_socket = 3;
-  }
-
-  // Extended cluster type.
-  message CustomClusterType {
-    // The type of the cluster to instantiate. The name must match a supported cluster type.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-    // Cluster specific configuration which depends on the cluster being instantiated.
-    // See the supported cluster for further documentation.
-    google.protobuf.Any typed_config = 2;
-  }
-
-  // Only valid when discovery type is EDS.
-  message EdsClusterConfig {
-    // Configuration for the source of EDS updates for this Cluster.
-    core.ConfigSource eds_config = 1;
-
-    // Optional alternative to cluster name to present to EDS. This does not
-    // have the same restrictions as cluster name, i.e. it may be arbitrary
-    // length.
-    string service_name = 2;
-  }
-
-  // Optionally divide the endpoints in this cluster into subsets defined by
-  // endpoint metadata and selected by route and weighted cluster metadata.
-  message LbSubsetConfig {
-    // If NO_FALLBACK is selected, a result
-    // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected,
-    // any cluster endpoint may be returned (subject to policy, health checks,
-    // etc). If DEFAULT_SUBSET is selected, load balancing is performed over the
-    // endpoints matching the values from the default_subset field.
-    enum LbSubsetFallbackPolicy {
-      NO_FALLBACK = 0;
-      ANY_ENDPOINT = 1;
-      DEFAULT_SUBSET = 2;
-    }
-
-    // Specifications for subsets.
-    message LbSubsetSelector {
-      // Allows to override top level fallback policy per selector.
-      enum LbSubsetSelectorFallbackPolicy {
-        // If NOT_DEFINED top level config fallback policy is used instead.
-        NOT_DEFINED = 0;
-
-        // If NO_FALLBACK is selected, a result equivalent to no healthy hosts is reported.
-        NO_FALLBACK = 1;
-
-        // If ANY_ENDPOINT is selected, any cluster endpoint may be returned
-        // (subject to policy, health checks, etc).
-        ANY_ENDPOINT = 2;
-
-        // If DEFAULT_SUBSET is selected, load balancing is performed over the
-        // endpoints matching the values from the default_subset field.
-        DEFAULT_SUBSET = 3;
-      }
-
-      // List of keys to match with the weighted cluster metadata.
-      repeated string keys = 1;
-
-      // The behavior used when no endpoint subset matches the selected route's
-      // metadata.
-      LbSubsetSelectorFallbackPolicy fallback_policy = 2
-          [(validate.rules).enum = {defined_only: true}];
-    }
-
-    // The behavior used when no endpoint subset matches the selected route's
-    // metadata. The value defaults to
-    // :ref:`NO_FALLBACK`.
-    LbSubsetFallbackPolicy fallback_policy = 1 [(validate.rules).enum = {defined_only: true}];
-
-    // Specifies the default subset of endpoints used during fallback if
-    // fallback_policy is
-    // :ref:`DEFAULT_SUBSET`.
-    // Each field in default_subset is
-    // compared to the matching LbEndpoint.Metadata under the *envoy.lb*
-    // namespace. It is valid for no hosts to match, in which case the behavior
-    // is the same as a fallback_policy of
-    // :ref:`NO_FALLBACK`.
-    google.protobuf.Struct default_subset = 2;
-
-    // For each entry, LbEndpoint.Metadata's
-    // *envoy.lb* namespace is traversed and a subset is created for each unique
-    // combination of key and value. For example:
-    //
-    // .. code-block:: json
-    //
-    //   { "subset_selectors": [
-    //       { "keys": [ "version" ] },
-    //       { "keys": [ "stage", "hardware_type" ] }
-    //   ]}
-    //
-    // A subset is matched when the metadata from the selected route and
-    // weighted cluster contains the same keys and values as the subset's
-    // metadata. The same host may appear in multiple subsets.
-    repeated LbSubsetSelector subset_selectors = 3;
-
-    // If true, routing to subsets will take into account the localities and locality weights of the
-    // endpoints when making the routing decision.
-    //
-    // There are some potential pitfalls associated with enabling this feature, as the resulting
-    // traffic split after applying both a subset match and locality weights might be undesirable.
-    //
-    // Consider for example a situation in which you have 50/50 split across two localities X/Y
-    // which have 100 hosts each without subsetting. If the subset LB results in X having only 1
-    // host selected but Y having 100, then a lot more load is being dumped on the single host in X
-    // than originally anticipated in the load balancing assignment delivered via EDS.
-    bool locality_weight_aware = 4;
-
-    // When used with locality_weight_aware, scales the weight of each locality by the ratio
-    // of hosts in the subset vs hosts in the original subset. This aims to even out the load
-    // going to an individual locality if said locality is disproportionally affected by the
-    // subset predicate.
-    bool scale_locality_weight = 5;
-
-    // If true, when a fallback policy is configured and its corresponding subset fails to find
-    // a host this will cause any host to be selected instead.
-    //
-    // This is useful when using the default subset as the fallback policy, given the default
-    // subset might become empty. With this option enabled, if that happens the LB will attempt
-    // to select a host from the entire cluster.
-    bool panic_mode_any = 6;
-
-    // If true, metadata specified for a metadata key will be matched against the corresponding
-    // endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value
-    // and any of the elements in the list matches the criteria.
-    bool list_as_any = 7;
-  }
-
-  // Specific configuration for the LeastRequest load balancing policy.
-  message LeastRequestLbConfig {
-    // The number of random healthy hosts from which the host with the fewest active requests will
-    // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set.
-    google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}];
-  }
-
-  // Specific configuration for the :ref:`RingHash`
-  // load balancing policy.
-  message RingHashLbConfig {
-    // The hash function used to hash hosts onto the ketama ring.
-    enum HashFunction {
-      // Use `xxHash `_, this is the default hash function.
-      XX_HASH = 0;
-
-      // Use `MurmurHash2 `_, this is compatible with
-      // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled
-      // on Linux and not macOS.
-      MURMUR_HASH_2 = 1;
-    }
-
-    reserved 2;
-
-    // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each
-    // provided host) the better the request distribution will reflect the desired weights. Defaults
-    // to 1024 entries, and limited to 8M entries. See also
-    // :ref:`maximum_ring_size`.
-    google.protobuf.UInt64Value minimum_ring_size = 1 [(validate.rules).uint64 = {lte: 8388608}];
-
-    // The hash function used to hash hosts onto the ketama ring. The value defaults to
-    // :ref:`XX_HASH`.
-    HashFunction hash_function = 3 [(validate.rules).enum = {defined_only: true}];
-
-    // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered
-    // to further constrain resource use. See also
-    // :ref:`minimum_ring_size`.
-    google.protobuf.UInt64Value maximum_ring_size = 4 [(validate.rules).uint64 = {lte: 8388608}];
-  }
-
-  // Specific configuration for the
-  // :ref:`Original Destination `
-  // load balancing policy.
-  message OriginalDstLbConfig {
-    // When true, :ref:`x-envoy-original-dst-host
-    // ` can be used to override destination
-    // address.
-    //
-    // .. attention::
-    //
-    //   This header isn't sanitized by default, so enabling this feature allows HTTP clients to
-    //   route traffic to arbitrary hosts and/or ports, which may have serious security
-    //   consequences.
-    bool use_http_header = 1;
-  }
-
-  // Common configuration for all load balancer implementations.
-  message CommonLbConfig {
-    // Configuration for :ref:`zone aware routing
-    // `.
-    message ZoneAwareLbConfig {
-      // Configures percentage of requests that will be considered for zone aware routing
-      // if zone aware routing is configured. If not specified, the default is 100%.
-      // * :ref:`runtime values `.
-      // * :ref:`Zone aware routing support `.
-      type.Percent routing_enabled = 1;
-
-      // Configures minimum upstream cluster size required for zone aware routing
-      // If upstream cluster size is less than specified, zone aware routing is not performed
-      // even if zone aware routing is configured. If not specified, the default is 6.
-      // * :ref:`runtime values `.
-      // * :ref:`Zone aware routing support `.
-      google.protobuf.UInt64Value min_cluster_size = 2;
-
-      // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic
-      // mode`. Instead, the cluster will fail all
-      // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a
-      // failing service.
-      bool fail_traffic_on_panic = 3;
-    }
-
-    // Configuration for :ref:`locality weighted load balancing
-    // `
-    message LocalityWeightedLbConfig {
-    }
-
-    // Configures the :ref:`healthy panic threshold `.
-    // If not specified, the default is 50%.
-    // To disable panic mode, set to 0%.
-    //
-    // .. note::
-    //   The specified percent will be truncated to the nearest 1%.
-    type.Percent healthy_panic_threshold = 1;
-
-    oneof locality_config_specifier {
-      ZoneAwareLbConfig zone_aware_lb_config = 2;
-
-      LocalityWeightedLbConfig locality_weighted_lb_config = 3;
-    }
-
-    // If set, all health check/weight/metadata updates that happen within this duration will be
-    // merged and delivered in one shot when the duration expires. The start of the duration is when
-    // the first update happens. This is useful for big clusters, with potentially noisy deploys
-    // that might trigger excessive CPU usage due to a constant stream of healthcheck state changes
-    // or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new
-    // cluster). Please always keep in mind that the use of sandbox technologies may change this
-    // behavior.
-    //
-    // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge
-    // window to 0.
-    //
-    // Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is
-    // because merging those updates isn't currently safe. See
-    // https://github.com/envoyproxy/envoy/pull/3941.
-    google.protobuf.Duration update_merge_window = 4;
-
-    // If set to true, Envoy will not consider new hosts when computing load balancing weights until
-    // they have been health checked for the first time. This will have no effect unless
-    // active health checking is also configured.
-    //
-    // Ignoring a host means that for any load balancing calculations that adjust weights based
-    // on the ratio of eligible hosts and total hosts (priority spillover, locality weighting and
-    // panic mode) Envoy will exclude these hosts in the denominator.
-    //
-    // For example, with hosts in two priorities P0 and P1, where P0 looks like
-    // {healthy, unhealthy (new), unhealthy (new)}
-    // and where P1 looks like
-    // {healthy, healthy}
-    // all traffic will still hit P0, as 1 / (3 - 2) = 1.
-    //
-    // Enabling this will allow scaling up the number of hosts for a given cluster without entering
-    // panic mode or triggering priority spillover, assuming the hosts pass the first health check.
-    //
-    // If panic mode is triggered, new hosts are still eligible for traffic; they simply do not
-    // contribute to the calculation when deciding whether panic mode is enabled or not.
-    bool ignore_new_hosts_until_first_hc = 5;
-
-    // If set to `true`, the cluster manager will drain all existing
-    // connections to upstream hosts whenever hosts are added or removed from the cluster.
-    bool close_connections_on_host_set_change = 6;
-  }
-
-  message RefreshRate {
-    // Specifies the base interval between refreshes. This parameter is required and must be greater
-    // than zero and less than
-    // :ref:`max_interval `.
-    google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
-      required: true
-      gt {nanos: 1000000}
-    }];
-
-    // Specifies the maximum interval between refreshes. This parameter is optional, but must be
-    // greater than or equal to the
-    // :ref:`base_interval `  if set. The default
-    // is 10 times the :ref:`base_interval `.
-    google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {nanos: 1000000}}];
-  }
-
-  reserved 12, 15;
-
-  // Configuration to use different transport sockets for different endpoints.
-  // The entry of *envoy.transport_socket* in the
-  // :ref:`LbEndpoint.Metadata `
-  // is used to match against the transport sockets as they appear in the list. The first
-  // :ref:`match ` is used.
-  // For example, with the following match
-  //
-  // .. code-block:: yaml
-  //
-  //  transport_socket_matches:
-  //  - name: "enableMTLS"
-  //    match:
-  //      acceptMTLS: true
-  //    transport_socket:
-  //      name: tls
-  //      config: { ... } # tls socket configuration
-  //  - name: "defaultToPlaintext"
-  //    match: {}
-  //    transport_socket:
-  //      name: "rawbuffer"
-  //
-  // Connections to the endpoints whose metadata value under *envoy.transport_socket*
-  // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
-  //
-  // If a :ref:`socket match ` with empty match
-  // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
-  // socket match in case above.
-  //
-  // If an endpoint metadata's value under *envoy.transport_socket* does not match any
-  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
-  // *transport_socket* specified in this cluster.
-  //
-  // This field allows gradual and flexible transport socket configuration changes.
-  //
-  // The metadata of endpoints in EDS can indicate transport socket capabilities. For example,
-  // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true",
-  // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic
-  // has "acceptPlaintext": "true" metadata information.
-  //
-  // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
-  // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
-  // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
-  // *transport_socket_match* set, and still send plain text traffic to the same cluster.
-  //
-  // TODO(incfly): add a detailed architecture doc on intended usage.
-  // [#not-implemented-hide:]
-  repeated TransportSocketMatch transport_socket_matches = 43;
-
-  // Supplies the name of the cluster which must be unique across all clusters.
-  // The cluster name is used when emitting
-  // :ref:`statistics ` if :ref:`alt_stat_name
-  // ` is not provided.
-  // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // An optional alternative to the cluster name to be used while emitting stats.
-  // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be
-  // confused with :ref:`Router Filter Header
-  // `.
-  string alt_stat_name = 28;
-
-  oneof cluster_discovery_type {
-    // The :ref:`service discovery type `
-    // to use for resolving the cluster.
-    DiscoveryType type = 2 [(validate.rules).enum = {defined_only: true}];
-
-    // The custom cluster type.
-    CustomClusterType cluster_type = 38;
-  }
-
-  // Configuration to use for EDS updates for the Cluster.
-  EdsClusterConfig eds_cluster_config = 3;
-
-  // The timeout for new network connections to hosts in the cluster.
-  google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}];
-
-  // Soft limit on size of the cluster’s connections read and write buffers. If
-  // unspecified, an implementation defined default is applied (1MiB).
-  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
-
-  // The :ref:`load balancer type ` to use
-  // when picking a host in the cluster.
-  LbPolicy lb_policy = 6 [(validate.rules).enum = {defined_only: true}];
-
-  // If the service discovery type is
-  // :ref:`STATIC`,
-  // :ref:`STRICT_DNS`
-  // or :ref:`LOGICAL_DNS`,
-  // then hosts is required.
-  //
-  // .. attention::
-  //
-  //   **This field is deprecated**. Set the
-  //   :ref:`load_assignment` field instead.
-  //
-  repeated core.Address hosts = 7;
-
-  // Setting this is required for specifying members of
-  // :ref:`STATIC`,
-  // :ref:`STRICT_DNS`
-  // or :ref:`LOGICAL_DNS` clusters.
-  // This field supersedes :ref:`hosts` field.
-  // [#comment:TODO(dio): Deprecate the hosts field and add it to :ref:`deprecated log`
-  // once load_assignment is implemented.]
-  //
-  // .. attention::
-  //
-  //   Setting this allows non-EDS cluster types to contain embedded EDS equivalent
-  //   :ref:`endpoint assignments`.
-  //   Setting this overrides :ref:`hosts` values.
-  //
-  ClusterLoadAssignment load_assignment = 33;
-
-  // Optional :ref:`active health checking `
-  // configuration for the cluster. If no
-  // configuration is specified no health checking will be done and all cluster
-  // members will be considered healthy at all times.
-  repeated core.HealthCheck health_checks = 8;
-
-  // Optional maximum requests for a single upstream connection. This parameter
-  // is respected by both the HTTP/1.1 and HTTP/2 connection pool
-  // implementations. If not specified, there is no limit. Setting this
-  // parameter to 1 will effectively disable keep alive.
-  google.protobuf.UInt32Value max_requests_per_connection = 9;
-
-  // Optional :ref:`circuit breaking ` for the cluster.
-  cluster.CircuitBreakers circuit_breakers = 10;
-
-  // The TLS configuration for connections to the upstream cluster. If no TLS
-  // configuration is specified, TLS will not be used for new connections.
-  //
-  // .. attention::
-  //
-  //   Server certificate verification is not enabled by default. Configure
-  //   :ref:`trusted_ca` to enable
-  //   verification.
-  auth.UpstreamTlsContext tls_context = 11;
-
-  // Additional options when handling HTTP requests. These options will be applicable to both
-  // HTTP1 and HTTP2 requests.
-  core.HttpProtocolOptions common_http_protocol_options = 29;
-
-  // Additional options when handling HTTP1 requests.
-  core.Http1ProtocolOptions http_protocol_options = 13;
-
-  // Even if default HTTP2 protocol options are desired, this field must be
-  // set so that Envoy will assume that the upstream supports HTTP/2 when
-  // making new HTTP connection pool connections. Currently, Envoy only
-  // supports prior knowledge for upstream connections. Even if TLS is used
-  // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
-  // connections to happen over plain text.
-  core.Http2ProtocolOptions http2_protocol_options = 14;
-
-  // The extension_protocol_options field is used to provide extension-specific protocol options
-  // for upstream connections. The key should match the extension filter name, such as
-  // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
-  // specific options.
-  map extension_protocol_options = 35;
-
-  // The extension_protocol_options field is used to provide extension-specific protocol options
-  // for upstream connections. The key should match the extension filter name, such as
-  // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
-  // specific options.
-  map typed_extension_protocol_options = 36;
-
-  // If the DNS refresh rate is specified and the cluster type is either
-  // :ref:`STRICT_DNS`,
-  // or :ref:`LOGICAL_DNS`,
-  // this value is used as the cluster’s DNS refresh
-  // rate. If this setting is not specified, the value defaults to 5000ms. For
-  // cluster types other than
-  // :ref:`STRICT_DNS`
-  // and :ref:`LOGICAL_DNS`
-  // this setting is ignored.
-  google.protobuf.Duration dns_refresh_rate = 16 [(validate.rules).duration = {gt {}}];
-
-  // If the DNS failure refresh rate is specified and the cluster type is either
-  // :ref:`STRICT_DNS`,
-  // or :ref:`LOGICAL_DNS`,
-  // this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is
-  // not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types
-  // other than :ref:`STRICT_DNS` and
-  // :ref:`LOGICAL_DNS` this setting is
-  // ignored.
-  //
-  // Note: Currently, DNS failures and empty DNS responses are not treated differently and this
-  // configuration is applied in both situations.
-  RefreshRate dns_failure_refresh_rate = 44;
-
-  // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,
-  // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS
-  // resolution.
-  bool respect_dns_ttl = 39;
-
-  // The DNS IP address resolution policy. If this setting is not specified, the
-  // value defaults to
-  // :ref:`AUTO`.
-  DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}];
-
-  // If DNS resolvers are specified and the cluster type is either
-  // :ref:`STRICT_DNS`,
-  // or :ref:`LOGICAL_DNS`,
-  // this value is used to specify the cluster’s dns resolvers.
-  // If this setting is not specified, the value defaults to the default
-  // resolver, which uses /etc/resolv.conf for configuration. For cluster types
-  // other than
-  // :ref:`STRICT_DNS`
-  // and :ref:`LOGICAL_DNS`
-  // this setting is ignored.
-  repeated core.Address dns_resolvers = 18;
-
-  // If specified, outlier detection will be enabled for this upstream cluster.
-  // Each of the configuration values can be overridden via
-  // :ref:`runtime values `.
-  cluster.OutlierDetection outlier_detection = 19;
-
-  // The interval for removing stale hosts from a cluster type
-  // :ref:`ORIGINAL_DST`.
-  // Hosts are considered stale if they have not been used
-  // as upstream destinations during this interval. New hosts are added
-  // to original destination clusters on demand as new connections are
-  // redirected to Envoy, causing the number of hosts in the cluster to
-  // grow over time. Hosts that are not stale (they are actively used as
-  // destinations) are kept in the cluster, which allows connections to
-  // them remain open, saving the latency that would otherwise be spent
-  // on opening new connections. If this setting is not specified, the
-  // value defaults to 5000ms. For cluster types other than
-  // :ref:`ORIGINAL_DST`
-  // this setting is ignored.
-  google.protobuf.Duration cleanup_interval = 20 [(validate.rules).duration = {gt {}}];
-
-  // Optional configuration used to bind newly established upstream connections.
-  // This overrides any bind_config specified in the bootstrap proto.
-  // If the address and port are empty, no bind will be performed.
-  core.BindConfig upstream_bind_config = 21;
-
-  // Configuration for load balancing subsetting.
-  LbSubsetConfig lb_subset_config = 22;
-
-  // Optional configuration for the load balancing algorithm selected by
-  // LbPolicy. Currently only
-  // :ref:`RING_HASH` and
-  // :ref:`LEAST_REQUEST`
-  // has additional configuration options.
-  // Specifying ring_hash_lb_config or least_request_lb_config without setting the corresponding
-  // LbPolicy will generate an error at runtime.
-  oneof lb_config {
-    // Optional configuration for the Ring Hash load balancing policy.
-    RingHashLbConfig ring_hash_lb_config = 23;
-
-    // Optional configuration for the Original Destination load balancing policy.
-    OriginalDstLbConfig original_dst_lb_config = 34;
-
-    // Optional configuration for the LeastRequest load balancing policy.
-    LeastRequestLbConfig least_request_lb_config = 37;
-  }
-
-  // Common configuration for all load balancer implementations.
-  CommonLbConfig common_lb_config = 27;
-
-  // Optional custom transport socket implementation to use for upstream connections.
-  core.TransportSocket transport_socket = 24;
-
-  // The Metadata field can be used to provide additional information about the
-  // cluster. It can be used for stats, logging, and varying filter behavior.
-  // Fields should use reverse DNS notation to denote which entity within Envoy
-  // will need the information. For instance, if the metadata is intended for
-  // the Router filter, the filter name should be specified as *envoy.router*.
-  core.Metadata metadata = 25;
-
-  // Determines how Envoy selects the protocol used to speak to upstream hosts.
-  ClusterProtocolSelection protocol_selection = 26;
-
-  // Optional options for upstream connections.
-  UpstreamConnectionOptions upstream_connection_options = 30;
-
-  // If an upstream host becomes unhealthy (as determined by the configured health checks
-  // or outlier detection), immediately close all connections to the failed host.
-  //
-  // .. note::
-  //
-  //   This is currently only supported for connections created by tcp_proxy.
-  //
-  // .. note::
-  //
-  //   The current implementation of this feature closes all connections immediately when
-  //   the unhealthy status is detected. If there are a large number of connections open
-  //   to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of
-  //   time exclusively closing these connections, and not processing any other traffic.
-  bool close_connections_on_host_health_failure = 31;
-
-  // If this cluster uses EDS or STRICT_DNS to configure its hosts, immediately drain
-  // connections from any hosts that are removed from service discovery.
-  //
-  // This only affects behavior for hosts that are being actively health checked.
-  // If this flag is not set to true, Envoy will wait until the hosts fail active health
-  // checking before removing it from the cluster.
-  bool drain_connections_on_host_removal = 32;
-
-  // An (optional) network filter chain, listed in the order the filters should be applied.
-  // The chain will be applied to all outgoing connections that Envoy makes to the upstream
-  // servers of this cluster.
-  repeated cluster.Filter filters = 40;
-
-  // [#not-implemented-hide:] New mechanism for LB policy configuration. Used only if the
-  // :ref:`lb_policy` field has the value
-  // :ref:`LOAD_BALANCING_POLICY_CONFIG`.
-  LoadBalancingPolicy load_balancing_policy = 41;
-
-  // [#not-implemented-hide:]
-  // If present, tells the client where to send load reports via LRS. If not present, the
-  // client will fall back to a client-side default, which may be either (a) don't send any
-  // load reports or (b) send load reports for all clusters to a single default server
-  // (which may be configured in the bootstrap file).
-  //
-  // Note that if multiple clusters point to the same LRS server, the client may choose to
-  // create a separate stream for each cluster or it may choose to coalesce the data for
-  // multiple clusters onto a single stream. Either way, the client must make sure to send
-  // the data for any given cluster on no more than one stream.
-  //
-  // [#next-major-version: In the v3 API, we should consider restructuring this somehow,
-  // maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation
-  // from the LRS stream here.]
-  core.ConfigSource lrs_server = 42;
-}
-
-// [#not-implemented-hide:] Extensible load balancing policy configuration.
-//
-// Every LB policy defined via this mechanism will be identified via a unique name using reverse
-// DNS notation. If the policy needs configuration parameters, it must define a message for its
-// own configuration, which will be stored in the config field. The name of the policy will tell
-// clients which type of message they should expect to see in the config field.
-//
-// Note that there are cases where it is useful to be able to independently select LB policies
-// for choosing a locality and for choosing an endpoint within that locality. For example, a
-// given deployment may always use the same policy to choose the locality, but for choosing the
-// endpoint within the locality, some clusters may use weighted-round-robin, while others may
-// use some sort of session-based balancing.
-//
-// This can be accomplished via hierarchical LB policies, where the parent LB policy creates a
-// child LB policy for each locality. For each request, the parent chooses the locality and then
-// delegates to the child policy for that locality to choose the endpoint within the locality.
-//
-// To facilitate this, the config message for the top-level LB policy may include a field of
-// type LoadBalancingPolicy that specifies the child policy.
-message LoadBalancingPolicy {
-  message Policy {
-    // Required. The name of the LB policy.
-    string name = 1;
-
-    // Optional config for the LB policy.
-    // No more than one of these two fields may be populated.
-    google.protobuf.Struct config = 2;
-
-    google.protobuf.Any typed_config = 3;
+    option (google.api.http).post = "/v2/discovery:clusters";
+    option (google.api.http).body = "*";
   }
-
-  // Each client will iterate over the list in order and stop at the first policy that it
-  // supports. This provides a mechanism for starting to use new LB policies that are not yet
-  // supported by all clients.
-  repeated Policy policies = 1;
-}
-
-// An extensible structure containing the address Envoy should bind to when
-// establishing upstream connections.
-message UpstreamBindConfig {
-  // The address Envoy should bind to when establishing upstream connections.
-  core.Address source_address = 1;
 }
 
-message UpstreamConnectionOptions {
-  // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
-  core.TcpKeepalive tcp_keepalive = 1;
+// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
+// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file.
+message CdsDummy {
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto
new file mode 100644
index 00000000000..2d61ef3f22b
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto
@@ -0,0 +1,848 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "envoy/api/v2/auth/cert.proto";
+import "envoy/api/v2/cluster/circuit_breaker.proto";
+import "envoy/api/v2/cluster/filter.proto";
+import "envoy/api/v2/cluster/outlier_detection.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/config_source.proto";
+import "envoy/api/v2/core/health_check.proto";
+import "envoy/api/v2/core/protocol.proto";
+import "envoy/api/v2/endpoint.proto";
+import "envoy/type/percent.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "ClusterProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
+
+// [#protodoc-title: Cluster configuration]
+
+// Configuration for a single upstream cluster.
+// [#next-free-field: 48]
+message Cluster {
+  // Refer to :ref:`service discovery type `
+  // for an explanation on each type.
+  enum DiscoveryType {
+    // Refer to the :ref:`static discovery type`
+    // for an explanation.
+    STATIC = 0;
+
+    // Refer to the :ref:`strict DNS discovery
+    // type`
+    // for an explanation.
+    STRICT_DNS = 1;
+
+    // Refer to the :ref:`logical DNS discovery
+    // type`
+    // for an explanation.
+    LOGICAL_DNS = 2;
+
+    // Refer to the :ref:`service discovery type`
+    // for an explanation.
+    EDS = 3;
+
+    // Refer to the :ref:`original destination discovery
+    // type`
+    // for an explanation.
+    ORIGINAL_DST = 4;
+  }
+
+  // Refer to :ref:`load balancer type ` architecture
+  // overview section for information on each type.
+  enum LbPolicy {
+    // Refer to the :ref:`round robin load balancing
+    // policy`
+    // for an explanation.
+    ROUND_ROBIN = 0;
+
+    // Refer to the :ref:`least request load balancing
+    // policy`
+    // for an explanation.
+    LEAST_REQUEST = 1;
+
+    // Refer to the :ref:`ring hash load balancing
+    // policy`
+    // for an explanation.
+    RING_HASH = 2;
+
+    // Refer to the :ref:`random load balancing
+    // policy`
+    // for an explanation.
+    RANDOM = 3;
+
+    // Refer to the :ref:`original destination load balancing
+    // policy`
+    // for an explanation.
+    //
+    // .. attention::
+    //
+    //   **This load balancing policy is deprecated**. Use CLUSTER_PROVIDED instead.
+    //
+    ORIGINAL_DST_LB = 4 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
+
+    // Refer to the :ref:`Maglev load balancing policy`
+    // for an explanation.
+    MAGLEV = 5;
+
+    // This load balancer type must be specified if the configured cluster provides a cluster
+    // specific load balancer. Consult the configured cluster's documentation for whether to set
+    // this option or not.
+    CLUSTER_PROVIDED = 6;
+
+    // [#not-implemented-hide:] Use the new :ref:`load_balancing_policy
+    // ` field to determine the LB policy.
+    // [#next-major-version: In the v3 API, we should consider deprecating the lb_policy field
+    // and instead using the new load_balancing_policy field as the one and only mechanism for
+    // configuring this.]
+    LOAD_BALANCING_POLICY_CONFIG = 7;
+  }
+
+  // When V4_ONLY is selected, the DNS resolver will only perform a lookup for
+  // addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will
+  // only perform a lookup for addresses in the IPv6 family. If AUTO is
+  // specified, the DNS resolver will first perform a lookup for addresses in
+  // the IPv6 family and fallback to a lookup for addresses in the IPv4 family.
+  // For cluster types other than
+  // :ref:`STRICT_DNS` and
+  // :ref:`LOGICAL_DNS`,
+  // this setting is
+  // ignored.
+  enum DnsLookupFamily {
+    AUTO = 0;
+    V4_ONLY = 1;
+    V6_ONLY = 2;
+  }
+
+  enum ClusterProtocolSelection {
+    // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2).
+    // If :ref:`http2_protocol_options ` are
+    // present, HTTP2 will be used, otherwise HTTP1.1 will be used.
+    USE_CONFIGURED_PROTOCOL = 0;
+
+    // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection.
+    USE_DOWNSTREAM_PROTOCOL = 1;
+  }
+
+  // TransportSocketMatch specifies what transport socket config will be used
+  // when the match conditions are satisfied.
+  message TransportSocketMatch {
+    // The name of the match, used in stats generation.
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Optional endpoint metadata match criteria.
+    // The connection to the endpoint with metadata matching what is set in this field
+    // will use the transport socket configuration specified here.
+    // The endpoint's metadata entry in *envoy.transport_socket_match* is used to match
+    // against the values specified in this field.
+    google.protobuf.Struct match = 2;
+
+    // The configuration of the transport socket.
+    core.TransportSocket transport_socket = 3;
+  }
+
+  // Extended cluster type.
+  message CustomClusterType {
+    // The type of the cluster to instantiate. The name must match a supported cluster type.
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // Cluster specific configuration which depends on the cluster being instantiated.
+    // See the supported cluster for further documentation.
+    google.protobuf.Any typed_config = 2;
+  }
+
+  // Only valid when discovery type is EDS.
+  message EdsClusterConfig {
+    // Configuration for the source of EDS updates for this Cluster.
+    core.ConfigSource eds_config = 1;
+
+    // Optional alternative to cluster name to present to EDS. This does not
+    // have the same restrictions as cluster name, i.e. it may be arbitrary
+    // length.
+    string service_name = 2;
+  }
+
+  // Optionally divide the endpoints in this cluster into subsets defined by
+  // endpoint metadata and selected by route and weighted cluster metadata.
+  // [#next-free-field: 8]
+  message LbSubsetConfig {
+    // If NO_FALLBACK is selected, a result
+    // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected,
+    // any cluster endpoint may be returned (subject to policy, health checks,
+    // etc). If DEFAULT_SUBSET is selected, load balancing is performed over the
+    // endpoints matching the values from the default_subset field.
+    enum LbSubsetFallbackPolicy {
+      NO_FALLBACK = 0;
+      ANY_ENDPOINT = 1;
+      DEFAULT_SUBSET = 2;
+    }
+
+    // Specifications for subsets.
+    message LbSubsetSelector {
+      // Allows to override top level fallback policy per selector.
+      enum LbSubsetSelectorFallbackPolicy {
+        // If NOT_DEFINED top level config fallback policy is used instead.
+        NOT_DEFINED = 0;
+
+        // If NO_FALLBACK is selected, a result equivalent to no healthy hosts is reported.
+        NO_FALLBACK = 1;
+
+        // If ANY_ENDPOINT is selected, any cluster endpoint may be returned
+        // (subject to policy, health checks, etc).
+        ANY_ENDPOINT = 2;
+
+        // If DEFAULT_SUBSET is selected, load balancing is performed over the
+        // endpoints matching the values from the default_subset field.
+        DEFAULT_SUBSET = 3;
+
+        // If KEYS_SUBSET is selected, subset selector matching is performed again with metadata
+        // keys reduced to
+        // :ref:`fallback_keys_subset`.
+        // It allows for a fallback to a different, less specific selector if some of the keys of
+        // the selector are considered optional.
+        KEYS_SUBSET = 4;
+      }
+
+      // List of keys to match with the weighted cluster metadata.
+      repeated string keys = 1;
+
+      // The behavior used when no endpoint subset matches the selected route's
+      // metadata.
+      LbSubsetSelectorFallbackPolicy fallback_policy = 2
+          [(validate.rules).enum = {defined_only: true}];
+
+      // Subset of
+      // :ref:`keys` used by
+      // :ref:`KEYS_SUBSET`
+      // fallback policy.
+      // It has to be a non empty list if KEYS_SUBSET fallback policy is selected.
+      // For any other fallback policy the parameter is not used and should not be set.
+      // Only values also present in
+      // :ref:`keys` are allowed, but
+      // `fallback_keys_subset` cannot be equal to `keys`.
+      repeated string fallback_keys_subset = 3;
+    }
+
+    // The behavior used when no endpoint subset matches the selected route's
+    // metadata. The value defaults to
+    // :ref:`NO_FALLBACK`.
+    LbSubsetFallbackPolicy fallback_policy = 1 [(validate.rules).enum = {defined_only: true}];
+
+    // Specifies the default subset of endpoints used during fallback if
+    // fallback_policy is
+    // :ref:`DEFAULT_SUBSET`.
+    // Each field in default_subset is
+    // compared to the matching LbEndpoint.Metadata under the *envoy.lb*
+    // namespace. It is valid for no hosts to match, in which case the behavior
+    // is the same as a fallback_policy of
+    // :ref:`NO_FALLBACK`.
+    google.protobuf.Struct default_subset = 2;
+
+    // For each entry, LbEndpoint.Metadata's
+    // *envoy.lb* namespace is traversed and a subset is created for each unique
+    // combination of key and value. For example:
+    //
+    // .. code-block:: json
+    //
+    //   { "subset_selectors": [
+    //       { "keys": [ "version" ] },
+    //       { "keys": [ "stage", "hardware_type" ] }
+    //   ]}
+    //
+    // A subset is matched when the metadata from the selected route and
+    // weighted cluster contains the same keys and values as the subset's
+    // metadata. The same host may appear in multiple subsets.
+    repeated LbSubsetSelector subset_selectors = 3;
+
+    // If true, routing to subsets will take into account the localities and locality weights of the
+    // endpoints when making the routing decision.
+    //
+    // There are some potential pitfalls associated with enabling this feature, as the resulting
+    // traffic split after applying both a subset match and locality weights might be undesirable.
+    //
+    // Consider for example a situation in which you have 50/50 split across two localities X/Y
+    // which have 100 hosts each without subsetting. If the subset LB results in X having only 1
+    // host selected but Y having 100, then a lot more load is being dumped on the single host in X
+    // than originally anticipated in the load balancing assignment delivered via EDS.
+    bool locality_weight_aware = 4;
+
+    // When used with locality_weight_aware, scales the weight of each locality by the ratio
+    // of hosts in the subset vs hosts in the original subset. This aims to even out the load
+    // going to an individual locality if said locality is disproportionately affected by the
+    // subset predicate.
+    bool scale_locality_weight = 5;
+
+    // If true, when a fallback policy is configured and its corresponding subset fails to find
+    // a host this will cause any host to be selected instead.
+    //
+    // This is useful when using the default subset as the fallback policy, given the default
+    // subset might become empty. With this option enabled, if that happens the LB will attempt
+    // to select a host from the entire cluster.
+    bool panic_mode_any = 6;
+
+    // If true, metadata specified for a metadata key will be matched against the corresponding
+    // endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value
+    // and any of the elements in the list matches the criteria.
+    bool list_as_any = 7;
+  }
+
+  // Specific configuration for the LeastRequest load balancing policy.
+  message LeastRequestLbConfig {
+    // The number of random healthy hosts from which the host with the fewest active requests will
+    // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set.
+    google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}];
+  }
+
+  // Specific configuration for the :ref:`RingHash`
+  // load balancing policy.
+  message RingHashLbConfig {
+    // The hash function used to hash hosts onto the ketama ring.
+    enum HashFunction {
+      // Use `xxHash `_, this is the default hash function.
+      XX_HASH = 0;
+
+      // Use `MurmurHash2 `_, this is compatible with
+      // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled
+      // on Linux and not macOS.
+      MURMUR_HASH_2 = 1;
+    }
+
+    reserved 2;
+
+    // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each
+    // provided host) the better the request distribution will reflect the desired weights. Defaults
+    // to 1024 entries, and limited to 8M entries. See also
+    // :ref:`maximum_ring_size`.
+    google.protobuf.UInt64Value minimum_ring_size = 1 [(validate.rules).uint64 = {lte: 8388608}];
+
+    // The hash function used to hash hosts onto the ketama ring. The value defaults to
+    // :ref:`XX_HASH`.
+    HashFunction hash_function = 3 [(validate.rules).enum = {defined_only: true}];
+
+    // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered
+    // to further constrain resource use. See also
+    // :ref:`minimum_ring_size`.
+    google.protobuf.UInt64Value maximum_ring_size = 4 [(validate.rules).uint64 = {lte: 8388608}];
+  }
+
+  // Specific configuration for the
+  // :ref:`Original Destination `
+  // load balancing policy.
+  message OriginalDstLbConfig {
+    // When true, :ref:`x-envoy-original-dst-host
+    // ` can be used to override destination
+    // address.
+    //
+    // .. attention::
+    //
+    //   This header isn't sanitized by default, so enabling this feature allows HTTP clients to
+    //   route traffic to arbitrary hosts and/or ports, which may have serious security
+    //   consequences.
+    bool use_http_header = 1;
+  }
+
+  // Common configuration for all load balancer implementations.
+  // [#next-free-field: 7]
+  message CommonLbConfig {
+    // Configuration for :ref:`zone aware routing
+    // `.
+    message ZoneAwareLbConfig {
+      // Configures percentage of requests that will be considered for zone aware routing
+      // if zone aware routing is configured. If not specified, the default is 100%.
+      // * :ref:`runtime values `.
+      // * :ref:`Zone aware routing support `.
+      type.Percent routing_enabled = 1;
+
+      // Configures minimum upstream cluster size required for zone aware routing
+      // If upstream cluster size is less than specified, zone aware routing is not performed
+      // even if zone aware routing is configured. If not specified, the default is 6.
+      // * :ref:`runtime values `.
+      // * :ref:`Zone aware routing support `.
+      google.protobuf.UInt64Value min_cluster_size = 2;
+
+      // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic
+      // mode`. Instead, the cluster will fail all
+      // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a
+      // failing service.
+      bool fail_traffic_on_panic = 3;
+    }
+
+    // Configuration for :ref:`locality weighted load balancing
+    // `
+    message LocalityWeightedLbConfig {
+    }
+
+    // Configures the :ref:`healthy panic threshold `.
+    // If not specified, the default is 50%.
+    // To disable panic mode, set to 0%.
+    //
+    // .. note::
+    //   The specified percent will be truncated to the nearest 1%.
+    type.Percent healthy_panic_threshold = 1;
+
+    oneof locality_config_specifier {
+      ZoneAwareLbConfig zone_aware_lb_config = 2;
+
+      LocalityWeightedLbConfig locality_weighted_lb_config = 3;
+    }
+
+    // If set, all health check/weight/metadata updates that happen within this duration will be
+    // merged and delivered in one shot when the duration expires. The start of the duration is when
+    // the first update happens. This is useful for big clusters, with potentially noisy deploys
+    // that might trigger excessive CPU usage due to a constant stream of healthcheck state changes
+    // or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new
+    // cluster). Please always keep in mind that the use of sandbox technologies may change this
+    // behavior.
+    //
+    // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge
+    // window to 0.
+    //
+    // Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is
+    // because merging those updates isn't currently safe. See
+    // https://github.com/envoyproxy/envoy/pull/3941.
+    google.protobuf.Duration update_merge_window = 4;
+
+    // If set to true, Envoy will not consider new hosts when computing load balancing weights until
+    // they have been health checked for the first time. This will have no effect unless
+    // active health checking is also configured.
+    //
+    // Ignoring a host means that for any load balancing calculations that adjust weights based
+    // on the ratio of eligible hosts and total hosts (priority spillover, locality weighting and
+    // panic mode) Envoy will exclude these hosts in the denominator.
+    //
+    // For example, with hosts in two priorities P0 and P1, where P0 looks like
+    // {healthy, unhealthy (new), unhealthy (new)}
+    // and where P1 looks like
+    // {healthy, healthy}
+    // all traffic will still hit P0, as 1 / (3 - 2) = 1.
+    //
+    // Enabling this will allow scaling up the number of hosts for a given cluster without entering
+    // panic mode or triggering priority spillover, assuming the hosts pass the first health check.
+    //
+    // If panic mode is triggered, new hosts are still eligible for traffic; they simply do not
+    // contribute to the calculation when deciding whether panic mode is enabled or not.
+    bool ignore_new_hosts_until_first_hc = 5;
+
+    // If set to `true`, the cluster manager will drain all existing
+    // connections to upstream hosts whenever hosts are added or removed from the cluster.
+    bool close_connections_on_host_set_change = 6;
+  }
+
+  message RefreshRate {
+    // Specifies the base interval between refreshes. This parameter is required and must be greater
+    // than zero and less than
+    // :ref:`max_interval `.
+    google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
+      required: true
+      gt {nanos: 1000000}
+    }];
+
+    // Specifies the maximum interval between refreshes. This parameter is optional, but must be
+    // greater than or equal to the
+    // :ref:`base_interval `  if set. The default
+    // is 10 times the :ref:`base_interval `.
+    google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {nanos: 1000000}}];
+  }
+
+  reserved 12, 15;
+
+  // Configuration to use different transport sockets for different endpoints.
+  // The entry of *envoy.transport_socket* in the
+  // :ref:`LbEndpoint.Metadata `
+  // is used to match against the transport sockets as they appear in the list. The first
+  // :ref:`match ` is used.
+  // For example, with the following match
+  //
+  // .. code-block:: yaml
+  //
+  //  transport_socket_matches:
+  //  - name: "enableMTLS"
+  //    match:
+  //      acceptMTLS: true
+  //    transport_socket:
+  //      name: envoy.transport_sockets.tls
+  //      config: { ... } # tls socket configuration
+  //  - name: "defaultToPlaintext"
+  //    match: {}
+  //    transport_socket:
+  //      name: envoy.transport_sockets.raw_buffer
+  //
+  // Connections to the endpoints whose metadata value under *envoy.transport_socket*
+  // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
+  //
+  // If a :ref:`socket match ` with empty match
+  // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
+  // socket match in case above.
+  //
+  // If an endpoint metadata's value under *envoy.transport_socket* does not match any
+  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
+  // *transport_socket* specified in this cluster.
+  //
+  // This field allows gradual and flexible transport socket configuration changes.
+  //
+  // The metadata of endpoints in EDS can indicate transport socket capabilities. For example,
+  // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true",
+  // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic
+  // has "acceptPlaintext": "true" metadata information.
+  //
+  // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
+  // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
+  // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
+  // *transport_socket_match* set, and still send plain text traffic to the same cluster.
+  //
+  // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
+  repeated TransportSocketMatch transport_socket_matches = 43;
+
+  // Supplies the name of the cluster which must be unique across all clusters.
+  // The cluster name is used when emitting
+  // :ref:`statistics ` if :ref:`alt_stat_name
+  // ` is not provided.
+  // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
+  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // An optional alternative to the cluster name to be used while emitting stats.
+  // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be
+  // confused with :ref:`Router Filter Header
+  // `.
+  string alt_stat_name = 28;
+
+  oneof cluster_discovery_type {
+    // The :ref:`service discovery type `
+    // to use for resolving the cluster.
+    DiscoveryType type = 2 [(validate.rules).enum = {defined_only: true}];
+
+    // The custom cluster type.
+    CustomClusterType cluster_type = 38;
+  }
+
+  // Configuration to use for EDS updates for the Cluster.
+  EdsClusterConfig eds_cluster_config = 3;
+
+  // The timeout for new network connections to hosts in the cluster.
+  google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}];
+
+  // Soft limit on size of the cluster’s connections read and write buffers. If
+  // unspecified, an implementation defined default is applied (1MiB).
+  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+
+  // The :ref:`load balancer type ` to use
+  // when picking a host in the cluster.
+  LbPolicy lb_policy = 6 [(validate.rules).enum = {defined_only: true}];
+
+  // If the service discovery type is
+  // :ref:`STATIC`,
+  // :ref:`STRICT_DNS`
+  // or :ref:`LOGICAL_DNS`,
+  // then hosts is required.
+  //
+  // .. attention::
+  //
+  //   **This field is deprecated**. Set the
+  //   :ref:`load_assignment` field instead.
+  //
+  repeated core.Address hosts = 7 [deprecated = true];
+
+  // Setting this is required for specifying members of
+  // :ref:`STATIC`,
+  // :ref:`STRICT_DNS`
+  // or :ref:`LOGICAL_DNS` clusters.
+  // This field supersedes the *hosts* field in the v2 API.
+  //
+  // .. attention::
+  //
+  //   Setting this allows non-EDS cluster types to contain embedded EDS equivalent
+  //   :ref:`endpoint assignments`.
+  //
+  ClusterLoadAssignment load_assignment = 33;
+
+  // Optional :ref:`active health checking `
+  // configuration for the cluster. If no
+  // configuration is specified no health checking will be done and all cluster
+  // members will be considered healthy at all times.
+  repeated core.HealthCheck health_checks = 8;
+
+  // Optional maximum requests for a single upstream connection. This parameter
+  // is respected by both the HTTP/1.1 and HTTP/2 connection pool
+  // implementations. If not specified, there is no limit. Setting this
+  // parameter to 1 will effectively disable keep alive.
+  google.protobuf.UInt32Value max_requests_per_connection = 9;
+
+  // Optional :ref:`circuit breaking ` for the cluster.
+  cluster.CircuitBreakers circuit_breakers = 10;
+
+  // The TLS configuration for connections to the upstream cluster.
+  //
+  // .. attention::
+  //
+  //   **This field is deprecated**. Use `transport_socket` with name `tls` instead. If both are
+  //   set, `transport_socket` takes priority.
+  auth.UpstreamTlsContext tls_context = 11
+      [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+  // HTTP protocol options that are applied only to upstream HTTP connections.
+  // These options apply to all HTTP versions.
+  core.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46;
+
+  // Additional options when handling HTTP requests upstream. These options will be applicable to
+  // both HTTP1 and HTTP2 requests.
+  core.HttpProtocolOptions common_http_protocol_options = 29;
+
+  // Additional options when handling HTTP1 requests.
+  core.Http1ProtocolOptions http_protocol_options = 13;
+
+  // Even if default HTTP2 protocol options are desired, this field must be
+  // set so that Envoy will assume that the upstream supports HTTP/2 when
+  // making new HTTP connection pool connections. Currently, Envoy only
+  // supports prior knowledge for upstream connections. Even if TLS is used
+  // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
+  // connections to happen over plain text.
+  core.Http2ProtocolOptions http2_protocol_options = 14;
+
+  // The extension_protocol_options field is used to provide extension-specific protocol options
+  // for upstream connections. The key should match the extension filter name, such as
+  // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
+  // specific options.
+  map extension_protocol_options = 35
+      [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+  // The extension_protocol_options field is used to provide extension-specific protocol options
+  // for upstream connections. The key should match the extension filter name, such as
+  // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
+  // specific options.
+  map typed_extension_protocol_options = 36;
+
+  // If the DNS refresh rate is specified and the cluster type is either
+  // :ref:`STRICT_DNS`,
+  // or :ref:`LOGICAL_DNS`,
+  // this value is used as the cluster’s DNS refresh
+  // rate. The value configured must be at least 1ms. If this setting is not specified, the
+  // value defaults to 5000ms. For cluster types other than
+  // :ref:`STRICT_DNS`
+  // and :ref:`LOGICAL_DNS`
+  // this setting is ignored.
+  google.protobuf.Duration dns_refresh_rate = 16
+      [(validate.rules).duration = {gt {nanos: 1000000}}];
+
+  // If the DNS failure refresh rate is specified and the cluster type is either
+  // :ref:`STRICT_DNS`,
+  // or :ref:`LOGICAL_DNS`,
+  // this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is
+  // not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types
+  // other than :ref:`STRICT_DNS` and
+  // :ref:`LOGICAL_DNS` this setting is
+  // ignored.
+  //
+  // Note: Currently, DNS failures and empty DNS responses are not treated differently and this
+  // configuration is applied in both situations.
+  RefreshRate dns_failure_refresh_rate = 44;
+
+  // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,
+  // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS
+  // resolution.
+  bool respect_dns_ttl = 39;
+
+  // The DNS IP address resolution policy. If this setting is not specified, the
+  // value defaults to
+  // :ref:`AUTO`.
+  DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}];
+
+  // If DNS resolvers are specified and the cluster type is either
+  // :ref:`STRICT_DNS`,
+  // or :ref:`LOGICAL_DNS`,
+  // this value is used to specify the cluster’s dns resolvers.
+  // If this setting is not specified, the value defaults to the default
+  // resolver, which uses /etc/resolv.conf for configuration. For cluster types
+  // other than
+  // :ref:`STRICT_DNS`
+  // and :ref:`LOGICAL_DNS`
+  // this setting is ignored.
+  repeated core.Address dns_resolvers = 18;
+
+  // [#next-major-version: Reconcile DNS options in a single message.]
+  // Always use TCP queries instead of UDP queries for DNS lookups.
+  bool use_tcp_for_dns_lookups = 45;
+
+  // If specified, outlier detection will be enabled for this upstream cluster.
+  // Each of the configuration values can be overridden via
+  // :ref:`runtime values `.
+  cluster.OutlierDetection outlier_detection = 19;
+
+  // The interval for removing stale hosts from a cluster type
+  // :ref:`ORIGINAL_DST`.
+  // Hosts are considered stale if they have not been used
+  // as upstream destinations during this interval. New hosts are added
+  // to original destination clusters on demand as new connections are
+  // redirected to Envoy, causing the number of hosts in the cluster to
+  // grow over time. Hosts that are not stale (they are actively used as
+  // destinations) are kept in the cluster, which allows connections to
+  // them remain open, saving the latency that would otherwise be spent
+  // on opening new connections. If this setting is not specified, the
+  // value defaults to 5000ms. For cluster types other than
+  // :ref:`ORIGINAL_DST`
+  // this setting is ignored.
+  google.protobuf.Duration cleanup_interval = 20 [(validate.rules).duration = {gt {}}];
+
+  // Optional configuration used to bind newly established upstream connections.
+  // This overrides any bind_config specified in the bootstrap proto.
+  // If the address and port are empty, no bind will be performed.
+  core.BindConfig upstream_bind_config = 21;
+
+  // Configuration for load balancing subsetting.
+  LbSubsetConfig lb_subset_config = 22;
+
+  // Optional configuration for the load balancing algorithm selected by
+  // LbPolicy. Currently only
+  // :ref:`RING_HASH` and
+  // :ref:`LEAST_REQUEST`
+  // has additional configuration options.
+  // Specifying ring_hash_lb_config or least_request_lb_config without setting the corresponding
+  // LbPolicy will generate an error at runtime.
+  oneof lb_config {
+    // Optional configuration for the Ring Hash load balancing policy.
+    RingHashLbConfig ring_hash_lb_config = 23;
+
+    // Optional configuration for the Original Destination load balancing policy.
+    OriginalDstLbConfig original_dst_lb_config = 34;
+
+    // Optional configuration for the LeastRequest load balancing policy.
+    LeastRequestLbConfig least_request_lb_config = 37;
+  }
+
+  // Common configuration for all load balancer implementations.
+  CommonLbConfig common_lb_config = 27;
+
+  // Optional custom transport socket implementation to use for upstream connections.
+  // To setup TLS, set a transport socket with name `tls` and
+  // :ref:`UpstreamTlsContexts ` in the `typed_config`.
+  // If no transport socket configuration is specified, new connections
+  // will be set up with plaintext.
+  core.TransportSocket transport_socket = 24;
+
+  // The Metadata field can be used to provide additional information about the
+  // cluster. It can be used for stats, logging, and varying filter behavior.
+  // Fields should use reverse DNS notation to denote which entity within Envoy
+  // will need the information. For instance, if the metadata is intended for
+  // the Router filter, the filter name should be specified as *envoy.router*.
+  core.Metadata metadata = 25;
+
+  // Determines how Envoy selects the protocol used to speak to upstream hosts.
+  ClusterProtocolSelection protocol_selection = 26;
+
+  // Optional options for upstream connections.
+  UpstreamConnectionOptions upstream_connection_options = 30;
+
+  // If an upstream host becomes unhealthy (as determined by the configured health checks
+  // or outlier detection), immediately close all connections to the failed host.
+  //
+  // .. note::
+  //
+  //   This is currently only supported for connections created by tcp_proxy.
+  //
+  // .. note::
+  //
+  //   The current implementation of this feature closes all connections immediately when
+  //   the unhealthy status is detected. If there are a large number of connections open
+  //   to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of
+  //   time exclusively closing these connections, and not processing any other traffic.
+  bool close_connections_on_host_health_failure = 31;
+
+  // If set to true, Envoy will ignore the health value of a host when processing its removal
+  // from service discovery. This means that if active health checking is used, Envoy will *not*
+  // wait for the endpoint to go unhealthy before removing it.
+  bool drain_connections_on_host_removal = 32
+      [(udpa.annotations.field_migrate).rename = "ignore_health_on_host_removal"];
+
+  // An (optional) network filter chain, listed in the order the filters should be applied.
+  // The chain will be applied to all outgoing connections that Envoy makes to the upstream
+  // servers of this cluster.
+  repeated cluster.Filter filters = 40;
+
+  // [#not-implemented-hide:] New mechanism for LB policy configuration. Used only if the
+  // :ref:`lb_policy` field has the value
+  // :ref:`LOAD_BALANCING_POLICY_CONFIG`.
+  LoadBalancingPolicy load_balancing_policy = 41;
+
+  // [#not-implemented-hide:]
+  // If present, tells the client where to send load reports via LRS. If not present, the
+  // client will fall back to a client-side default, which may be either (a) don't send any
+  // load reports or (b) send load reports for all clusters to a single default server
+  // (which may be configured in the bootstrap file).
+  //
+  // Note that if multiple clusters point to the same LRS server, the client may choose to
+  // create a separate stream for each cluster or it may choose to coalesce the data for
+  // multiple clusters onto a single stream. Either way, the client must make sure to send
+  // the data for any given cluster on no more than one stream.
+  //
+  // [#next-major-version: In the v3 API, we should consider restructuring this somehow,
+  // maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation
+  // from the LRS stream here.]
+  core.ConfigSource lrs_server = 42;
+
+  // If track_timeout_budgets is true, the :ref:`timeout budget histograms
+  // ` will be published for each
+  // request. These show what percentage of a request's per try and global timeout was used. A value
+  // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value
+  // of 100 would indicate that the request took the entirety of the timeout given to it.
+  bool track_timeout_budgets = 47;
+}
+
+// [#not-implemented-hide:] Extensible load balancing policy configuration.
+//
+// Every LB policy defined via this mechanism will be identified via a unique name using reverse
+// DNS notation. If the policy needs configuration parameters, it must define a message for its
+// own configuration, which will be stored in the config field. The name of the policy will tell
+// clients which type of message they should expect to see in the config field.
+//
+// Note that there are cases where it is useful to be able to independently select LB policies
+// for choosing a locality and for choosing an endpoint within that locality. For example, a
+// given deployment may always use the same policy to choose the locality, but for choosing the
+// endpoint within the locality, some clusters may use weighted-round-robin, while others may
+// use some sort of session-based balancing.
+//
+// This can be accomplished via hierarchical LB policies, where the parent LB policy creates a
+// child LB policy for each locality. For each request, the parent chooses the locality and then
+// delegates to the child policy for that locality to choose the endpoint within the locality.
+//
+// To facilitate this, the config message for the top-level LB policy may include a field of
+// type LoadBalancingPolicy that specifies the child policy.
+message LoadBalancingPolicy {
+  message Policy {
+    // Required. The name of the LB policy.
+    string name = 1;
+
+    // Optional config for the LB policy.
+    // No more than one of these two fields may be populated.
+    google.protobuf.Struct config = 2 [deprecated = true];
+
+    google.protobuf.Any typed_config = 3;
+  }
+
+  // Each client will iterate over the list in order and stop at the first policy that it
+  // supports. This provides a mechanism for starting to use new LB policies that are not yet
+  // supported by all clients.
+  repeated Policy policies = 1;
+}
+
+// An extensible structure containing the address Envoy should bind to when
+// establishing upstream connections.
+message UpstreamBindConfig {
+  // The address Envoy should bind to when establishing upstream connections.
+  core.Address source_address = 1;
+}
+
+message UpstreamConnectionOptions {
+  // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
+  core.TcpKeepalive tcp_keepalive = 1;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto
index d2e0a328e49..893d1f1aa16 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto
@@ -2,15 +2,20 @@ syntax = "proto3";
 
 package envoy.api.v2.cluster;
 
+import "envoy/api/v2/core/base.proto";
+import "envoy/type/percent.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.cluster";
 option java_outer_classname = "CircuitBreakerProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.cluster";
 option csharp_namespace = "Envoy.Api.V2.ClusterNS";
 option ruby_package = "Envoy.Api.V2.ClusterNS";
-
-import "envoy/api/v2/core/base.proto";
-
-import "google/protobuf/wrappers.proto";
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
 
 // [#protodoc-title: Circuit breakers]
 
@@ -19,12 +24,26 @@ import "google/protobuf/wrappers.proto";
 message CircuitBreakers {
   // A Thresholds defines CircuitBreaker settings for a
   // :ref:`RoutingPriority`.
+  // [#next-free-field: 9]
   message Thresholds {
+    message RetryBudget {
+      // Specifies the limit on concurrent retries as a percentage of the sum of active requests and
+      // active pending requests. For example, if there are 100 active requests and the
+      // budget_percent is set to 25, there may be 25 active retries.
+      //
+      // This parameter is optional. Defaults to 20%.
+      type.Percent budget_percent = 1;
+
+      // Specifies the minimum retry concurrency allowed for the retry budget. The limit on the
+      // number of active retries may never go below this number.
+      //
+      // This parameter is optional. Defaults to 3.
+      google.protobuf.UInt32Value min_retry_concurrency = 2;
+    }
+
     // The :ref:`RoutingPriority`
     // the specified CircuitBreaker settings apply to.
-    // [#comment:TODO(htuch): add (validate.rules).enum.defined_only = true once
-    // https://github.com/lyft/protoc-gen-validate/issues/42 is resolved.]
-    core.RoutingPriority priority = 1;
+    core.RoutingPriority priority = 1 [(validate.rules).enum = {defined_only: true}];
 
     // The maximum number of connections that Envoy will make to the upstream
     // cluster. If not specified, the default is 1024.
@@ -42,9 +61,23 @@ message CircuitBreakers {
     // upstream cluster. If not specified, the default is 3.
     google.protobuf.UInt32Value max_retries = 5;
 
+    // Specifies a limit on concurrent retries in relation to the number of active requests. This
+    // parameter is optional.
+    //
+    // .. note::
+    //
+    //    If this field is set, the retry budget will override any configured retry circuit
+    //    breaker.
+    RetryBudget retry_budget = 8;
+
     // If track_remaining is true, then stats will be published that expose
     // the number of resources remaining until the circuit breakers open. If
     // not specified, the default is false.
+    //
+    // .. note::
+    //
+    //    If a retry budget is used in lieu of the max_retries circuit breaker,
+    //    the remaining retry resources remaining will not be tracked.
     bool track_remaining = 6;
 
     // The maximum number of connection pools per cluster that Envoy will concurrently support at
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto
index b89b2a6b778..67f3c3ba5e0 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto
@@ -2,19 +2,21 @@ syntax = "proto3";
 
 package envoy.api.v2.cluster;
 
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.cluster";
 option java_outer_classname = "FilterProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.cluster";
 option csharp_namespace = "Envoy.Api.V2.ClusterNS";
 option ruby_package = "Envoy.Api.V2.ClusterNS";
-
-import "google/protobuf/any.proto";
-
-import "validate/validate.proto";
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
 
 // [#protodoc-title: Upstream filters]
-//
 // Upstream filters apply to the connections to the upstream cluster hosts.
+
 message Filter {
   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter `.
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto
index 4702bd0a6f1..0cc638ceb49 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto
@@ -2,21 +2,24 @@ syntax = "proto3";
 
 package envoy.api.v2.cluster;
 
-option java_outer_classname = "OutlierDetectionProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.cluster";
-option csharp_namespace = "Envoy.Api.V2.ClusterNS";
-option ruby_package = "Envoy.Api.V2.ClusterNS";
-
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.cluster";
+option java_outer_classname = "OutlierDetectionProto";
+option java_multiple_files = true;
+option csharp_namespace = "Envoy.Api.V2.ClusterNS";
+option ruby_package = "Envoy.Api.V2.ClusterNS";
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
+
 // [#protodoc-title: Outlier detection]
 
 // See the :ref:`architecture overview ` for
 // more information on outlier detection.
+// [#next-free-field: 21]
 message OutlierDetection {
   // The number of consecutive 5xx responses or local origin errors that are mapped
   // to 5xx error codes before a consecutive 5xx ejection
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto
index 89fd0adb1eb..d2e2b653900 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto
@@ -2,16 +2,18 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "AddressProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/wrappers.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "AddressProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: Network addresses]
 
 message Pipe {
@@ -20,13 +22,15 @@ message Pipe {
   // Paths starting with '@' will result in an error in environments other than
   // Linux.
   string path = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // The mode for the Pipe. Not applicable for abstract sockets.
+  uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];
 }
 
+// [#next-free-field: 7]
 message SocketAddress {
   enum Protocol {
     TCP = 0;
-
-    // [#not-implemented-hide:]
     UDP = 1;
   }
 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto
index eca00760575..67a97dd6e25 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto
@@ -2,19 +2,22 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "BaseProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "envoy/api/v2/core/http_uri.proto";
 import "envoy/type/percent.proto";
+import "envoy/type/semantic_version.proto";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "BaseProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: Common types]
 
 // Envoy supports :ref:`upstream priority routing
@@ -76,9 +79,49 @@ message Locality {
   string sub_zone = 3;
 }
 
+// BuildVersion combines SemVer version of extension with free-form build information
+// (i.e. 'alpha', 'private-build') as a set of strings.
+message BuildVersion {
+  // SemVer version of extension.
+  type.SemanticVersion version = 1;
+
+  // Free-form build information.
+  // Envoy defines several well known keys in the source/common/common/version.h file
+  google.protobuf.Struct metadata = 2;
+}
+
+// Version and identification for an Envoy extension.
+// [#next-free-field: 6]
+message Extension {
+  // This is the name of the Envoy filter as specified in the Envoy
+  // configuration, e.g. envoy.router, com.acme.widget.
+  string name = 1;
+
+  // Category of the extension.
+  // Extension category names use reverse DNS notation. For instance "envoy.filters.listener"
+  // for Envoy's built-in listener filters or "com.acme.filters.http" for HTTP filters from
+  // acme.com vendor.
+  // [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.]
+  string category = 2;
+
+  // [#not-implemented-hide:] Type descriptor of extension configuration proto.
+  // [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.]
+  // [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.]
+  string type_descriptor = 3;
+
+  // The version is a property of the extension and maintained independently
+  // of other extensions and the Envoy API.
+  // This field is not set when extension did not provide version information.
+  BuildVersion version = 4;
+
+  // Indicates that the extension is present but was disabled via dynamic configuration.
+  bool disabled = 5;
+}
+
 // Identifies a specific Envoy instance. The node identifier is presented to the
 // management server, which may use this identifier to distinguish per Envoy
 // configuration for serving.
+// [#next-free-field: 11]
 message Node {
   // An opaque node identifier for the Envoy node. This also provides the local
   // service node name. It should be set if any of the following features are
@@ -91,7 +134,8 @@ message Node {
   // Defines the local service cluster name where Envoy is running. Though
   // optional, it should be set if any of the following features are used:
   // :ref:`statsd `, :ref:`health check cluster
-  // verification `,
+  // verification
+  // `,
   // :ref:`runtime override directory `,
   // :ref:`user agent addition
   // `,
@@ -111,7 +155,31 @@ message Node {
   // This is motivated by informing a management server during canary which
   // version of Envoy is being tested in a heterogeneous fleet. This will be set
   // by Envoy in management server RPCs.
-  string build_version = 5;
+  // This field is deprecated in favor of the user_agent_name and user_agent_version values.
+  string build_version = 5 [deprecated = true];
+
+  // Free-form string that identifies the entity requesting config.
+  // E.g. "envoy" or "grpc"
+  string user_agent_name = 6;
+
+  oneof user_agent_version_type {
+    // Free-form string that identifies the version of the entity requesting config.
+    // E.g. "1.12.2" or "abcd1234", or "SpecialEnvoyBuild"
+    string user_agent_version = 7;
+
+    // Structured version of the entity requesting config.
+    BuildVersion user_agent_build_version = 8;
+  }
+
+  // List of extensions and their versions supported by the node.
+  repeated Extension extensions = 9;
+
+  // Client feature support list. These are well known features described
+  // in the Envoy API repository for a given major version of an API. Client features
+  // use reverse DNS naming scheme, for example `com.acme.feature`.
+  // See :ref:`the list of features ` that xDS client may
+  // support.
+  repeated string client_features = 10;
 }
 
 // Metadata provides additional inputs to filters based on matched listeners,
@@ -135,6 +203,7 @@ message Node {
 // * ``{"envoy.lb": {"canary":  }}`` This indicates the canary status of an
 //   endpoint and is also used during header processing
 //   (x-envoy-upstream-canary) and for stats purposes.
+// [#next-major-version: move to type/metadata/v2]
 message Metadata {
   // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
   // namespace is reserved for Envoy's built-in filters.
@@ -150,6 +219,17 @@ message RuntimeUInt32 {
   string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
 }
 
+// Runtime derived bool with a default when not specified.
+message RuntimeFeatureFlag {
+  // Default value if runtime value is not available.
+  google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}];
+
+  // Runtime key to get value for comparison. This value is used if defined. The boolean value must
+  // be represented via its
+  // `canonical JSON encoding `_.
+  string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
+}
+
 // Header name/value pair.
 message HeaderValue {
   // Header name.
@@ -228,7 +308,7 @@ message TransportSocket {
   // Implementation specific configuration which depends on the implementation being instantiated.
   // See the supported transport socket implementations for further documentation.
   oneof config_type {
-    google.protobuf.Struct config = 2;
+    google.protobuf.Struct config = 2 [deprecated = true];
 
     google.protobuf.Any typed_config = 3;
   }
@@ -236,6 +316,7 @@ message TransportSocket {
 
 // Generic socket option message. This would be used to set socket options that
 // might not exist in upstream kernels or precompiled Envoy binaries.
+// [#next-free-field: 7]
 message SocketOption {
   enum SocketState {
     // Socket options are applied after socket creation but before binding the socket to a port
@@ -275,6 +356,14 @@ message SocketOption {
 
 // Runtime derived FractionalPercent with defaults for when the numerator or denominator is not
 // specified via a runtime key.
+//
+// .. note::
+//
+//   Parsing of the runtime key's data is implemented such that it may be represented as a
+//   :ref:`FractionalPercent ` proto represented as JSON/YAML
+//   and may also be represented as an integer with the assumption that the value is an integral
+//   percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse
+//   as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED.
 message RuntimeFractionalPercent {
   // Default value if the runtime value's for the numerator/denominator keys are not available.
   type.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}];
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto
index 240d37b81ee..60949ca1c8e 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto
@@ -2,27 +2,47 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "ConfigSourceProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "envoy/api/v2/core/grpc_service.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "ConfigSourceProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: Configuration sources]
 
+// xDS API version. This is used to describe both resource and transport
+// protocol versions (in distinct configuration fields).
+enum ApiVersion {
+  // When not specified, we assume v2, to ease migration to Envoy's stable API
+  // versioning. If a client does not support v2 (e.g. due to deprecation), this
+  // is an invalid value.
+  AUTO = 0;
+
+  // Use xDS v2 API.
+  V2 = 1;
+
+  // Use xDS v3 API.
+  V3 = 2;
+}
+
 // API configuration source. This identifies the API type and cluster that Envoy
 // will use to fetch an xDS API.
+// [#next-free-field: 9]
 message ApiConfigSource {
   // APIs may be fetched via either REST or gRPC.
   enum ApiType {
     // Ideally this would be 'reserved 0' but one can't reserve the default
     // value. Instead we throw an exception if this is ever used.
-    UNSUPPORTED_REST_LEGACY = 0 [deprecated = true];
+    UNSUPPORTED_REST_LEGACY = 0
+        [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
 
     // REST-JSON v2 API. The `canonical JSON encoding
     // `_ for
@@ -37,12 +57,18 @@ message ApiConfigSource {
     // with every update, the xDS server only sends what has changed since the last update.
     //
     // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
-    // Do not use for other xDSes. TODO(fredlas) update/remove this warning when appropriate.
+    // Do not use for other xDSes.
+    // [#comment:TODO(fredlas) update/remove this warning when appropriate.]
     DELTA_GRPC = 3;
   }
 
+  // API type (gRPC, REST, delta gRPC)
   ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}];
 
+  // API version for xDS transport protocol. This describes the xDS gRPC/REST
+  // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire.
+  ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}];
+
   // Cluster names should be used only with REST. If > 1
   // cluster is defined, clusters will be cycled through if any kind of failure
   // occurs.
@@ -101,7 +127,7 @@ message RateLimitSettings {
 // ` etc. may either be sourced from the
 // filesystem or from an xDS API source. Filesystem configs are watched with
 // inotify for updates.
-// [#comment:next free field: 6]
+// [#next-free-field: 7]
 message ConfigSource {
   oneof config_source_specifier {
     option (validate.required) = true;
@@ -148,4 +174,9 @@ message ConfigSource {
   // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another
   // timeout applies). The default is 15s.
   google.protobuf.Duration initial_fetch_timeout = 4;
+
+  // API version for xDS resources. This implies the type URLs that the client
+  // will request for resources and the resource type that the client will in
+  // turn expect to be delivered.
+  ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}];
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto
index cbe6c8296e1..17f769b14e8 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto
@@ -2,10 +2,6 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "GrpcServiceProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/any.proto";
@@ -13,20 +9,30 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/struct.proto";
 
+import "udpa/annotations/sensitive.proto";
+
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "GrpcServiceProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: gRPC services]
 
 // gRPC service configuration. This is used by :ref:`ApiConfigSource
 // ` and filter configurations.
+// [#next-free-field: 6]
 message GrpcService {
   message EnvoyGrpc {
     // The name of the upstream gRPC cluster. SSL credentials will be supplied
-    // in the :ref:`Cluster ` :ref:`tls_context
-    // `.
+    // in the :ref:`Cluster ` :ref:`transport_socket
+    // `.
     string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
   }
 
+  // [#next-free-field: 7]
   message GoogleGrpc {
     // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.
     message SslCredentials {
@@ -34,7 +40,7 @@ message GrpcService {
       DataSource root_certs = 1;
 
       // PEM encoded client private key.
-      DataSource private_key = 2;
+      DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
 
       // PEM encoded client certificate chain.
       DataSource cert_chain = 3;
@@ -60,6 +66,7 @@ message GrpcService {
       }
     }
 
+    // [#next-free-field: 8]
     message CallCredentials {
       message ServiceAccountJWTAccessCredentials {
         string json_key = 1;
@@ -77,12 +84,54 @@ message GrpcService {
         string name = 1;
 
         oneof config_type {
-          google.protobuf.Struct config = 2;
+          google.protobuf.Struct config = 2 [deprecated = true];
 
           google.protobuf.Any typed_config = 3;
         }
       }
 
+      // Security token service configuration that allows Google gRPC to
+      // fetch security token from an OAuth 2.0 authorization server.
+      // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and
+      // https://github.com/grpc/grpc/pull/19587.
+      // [#next-free-field: 10]
+      message StsService {
+        // URI of the token exchange service that handles token exchange requests.
+        // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by
+        // https://github.com/envoyproxy/protoc-gen-validate/issues/303]
+        string token_exchange_service_uri = 1;
+
+        // Location of the target service or resource where the client
+        // intends to use the requested security token.
+        string resource = 2;
+
+        // Logical name of the target service where the client intends to
+        // use the requested security token.
+        string audience = 3;
+
+        // The desired scope of the requested security token in the
+        // context of the service or resource where the token will be used.
+        string scope = 4;
+
+        // Type of the requested security token.
+        string requested_token_type = 5;
+
+        // The path of subject token, a security token that represents the
+        // identity of the party on behalf of whom the request is being made.
+        string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}];
+
+        // Type of the subject token.
+        string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}];
+
+        // The path of actor token, a security token that represents the identity
+        // of the acting party. The acting party is authorized to use the
+        // requested security token and act on behalf of the subject.
+        string actor_token_path = 8;
+
+        // Type of the actor token.
+        string actor_token_type = 9;
+      }
+
       oneof credential_specifier {
         option (validate.required) = true;
 
@@ -110,6 +159,11 @@ message GrpcService {
         // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
         // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
         MetadataCredentialsFromPlugin from_plugin = 6;
+
+        // Custom security token service which implements OAuth 2.0 token exchange.
+        // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
+        // See https://github.com/grpc/grpc/pull/19587.
+        StsService sts_service = 7;
       }
     }
 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto
index 078a5a4beef..91aeb76b8b4 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto
@@ -2,11 +2,9 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "HealthCheckProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "envoy/api/v2/core/base.proto";
+import "envoy/type/http.proto";
+import "envoy/type/matcher/string.proto";
 import "envoy/type/range.proto";
 
 import "google/protobuf/any.proto";
@@ -14,8 +12,15 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "HealthCheckProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: Health check]
 // * Health checking :ref:`architecture overview `.
 // * If health checking is configured for a cluster, additional statistics are emitted. They are
@@ -47,6 +52,7 @@ enum HealthStatus {
   DEGRADED = 5;
 }
 
+// [#next-free-field: 22]
 message HealthCheck {
   // Describes the encoding of the payload bytes in the payload.
   message Payload {
@@ -61,7 +67,7 @@ message HealthCheck {
     }
   }
 
-  // [#comment:next free field: 10]
+  // [#next-free-field: 12]
   message HttpHealthCheck {
     // The value of the host header in the HTTP health check request. If
     // left empty (default value), the name of the cluster this health check is associated
@@ -81,7 +87,12 @@ message HealthCheck {
     // An optional service name parameter which is used to validate the identity of
     // the health checked cluster. See the :ref:`architecture overview
     // ` for more information.
-    string service_name = 5;
+    //
+    // .. attention::
+    //
+    //   This field has been deprecated in favor of `service_name_matcher` for better flexibility
+    //   over matching with service-cluster name.
+    string service_name = 5 [deprecated = true];
 
     // Specifies a list of HTTP headers that should be added to each request that is sent to the
     // health checked cluster. For more information, including details on header value syntax, see
@@ -95,12 +106,24 @@ message HealthCheck {
     repeated string request_headers_to_remove = 8;
 
     // If set, health checks will be made using http/2.
-    bool use_http2 = 7;
+    // Deprecated, use :ref:`codec_client_type
+    // ` instead.
+    bool use_http2 = 7 [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
 
     // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default
     // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open
-    // semantics of :ref:`Int64Range `.
+    // semantics of :ref:`Int64Range `. The start and end of each
+    // range are required. Only statuses in the range [100, 600) are allowed.
     repeated type.Int64Range expected_statuses = 9;
+
+    // Use specified application protocol for health checks.
+    type.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}];
+
+    // An optional service name parameter which is used to validate the identity of
+    // the health checked cluster using a :ref:`StringMatcher
+    // `. See the :ref:`architecture overview
+    // ` for more information.
+    type.matcher.StringMatcher service_name_matcher = 11;
   }
 
   message TcpHealthCheck {
@@ -147,12 +170,24 @@ message HealthCheck {
     // A custom health checker specific configuration which depends on the custom health checker
     // being instantiated. See :api:`envoy/config/health_checker` for reference.
     oneof config_type {
-      google.protobuf.Struct config = 2;
+      google.protobuf.Struct config = 2 [deprecated = true];
 
       google.protobuf.Any typed_config = 3;
     }
   }
 
+  // Health checks occur over the transport socket specified for the cluster. This implies that if a
+  // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS.
+  //
+  // This allows overriding the cluster TLS settings, just for health check connections.
+  message TlsOptions {
+    // Specifies the ALPN protocols for health check connections. This is useful if the
+    // corresponding upstream is using ALPN-based :ref:`FilterChainMatch
+    // ` along with different protocols for health checks
+    // versus data connections. If empty, no ALPN protocols will be set on health check connections.
+    repeated string alpn_protocols = 1;
+  }
+
   reserved 10;
 
   // The time to wait for a health check response. If the timeout is reached the
@@ -188,12 +223,12 @@ message HealthCheck {
   // The number of unhealthy health checks required before a host is marked
   // unhealthy. Note that for *http* health checking if a host responds with 503
   // this threshold is ignored and the host is considered unhealthy immediately.
-  google.protobuf.UInt32Value unhealthy_threshold = 4;
+  google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}];
 
   // The number of healthy health checks required before a host is marked
   // healthy. Note that during startup, only a single successful health check is
   // required to mark a host healthy.
-  google.protobuf.UInt32Value healthy_threshold = 5;
+  google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}];
 
   // [#not-implemented-hide:] Non-serving port for health checking.
   google.protobuf.UInt32Value alt_port = 6;
@@ -257,4 +292,7 @@ message HealthCheck {
   // initial health check failure event will be logged.
   // The default value is false.
   bool always_log_health_check_failures = 19;
+
+  // This allows overriding the cluster TLS settings, just for health check connections.
+  TlsOptions tls_options = 21;
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto
index 7e4b4dba43c..5f740695dd8 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto
@@ -2,14 +2,16 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "HttpUriProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "google/protobuf/duration.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "HttpUriProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: HTTP Service URI ]
 
 // Envoy external URI descriptor
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto
index c45bb7adf7d..53b6ae87467 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto
@@ -2,30 +2,83 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
-option java_outer_classname = "ProtocolProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.core";
-
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "ProtocolProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+
 // [#protodoc-title: Protocol options]
 
 // [#not-implemented-hide:]
 message TcpProtocolOptions {
 }
 
+message UpstreamHttpProtocolOptions {
+  // Set transport socket `SNI `_ for new
+  // upstream connections based on the downstream HTTP host/authority header, as seen by the
+  // :ref:`router filter `.
+  bool auto_sni = 1;
+
+  // Automatic validate upstream presented certificate for new upstream connections based on the
+  // downstream HTTP host/authority header, as seen by the
+  // :ref:`router filter `.
+  // This field is intended to set with `auto_sni` field.
+  bool auto_san_validation = 2;
+}
+
 message HttpProtocolOptions {
-  // The idle timeout for upstream connection pool connections. The idle timeout is defined as the
+  // The idle timeout for connections. The idle timeout is defined as the
   // period in which there are no active requests. If not set, there is no idle timeout. When the
-  // idle timeout is reached the connection will be closed. Note that request based timeouts mean
-  // that HTTP/2 PINGs will not keep the connection alive.
+  // idle timeout is reached the connection will be closed. If the connection is an HTTP/2
+  // downstream connection a drain sequence will occur prior to closing the connection, see
+  // :ref:`drain_timeout
+  // `.
+  // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive.
+  // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0.
+  //
+  // .. warning::
+  //   Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP
+  //   FIN packets, etc.
   google.protobuf.Duration idle_timeout = 1;
+
+  // The maximum duration of a connection. The duration is defined as a period since a connection
+  // was established. If not set, there is no max duration. When max_connection_duration is reached
+  // the connection will be closed. Drain sequence will occur prior to closing the connection if
+  // if's applicable. See :ref:`drain_timeout
+  // `.
+  // Note: not implemented for upstream connections.
+  google.protobuf.Duration max_connection_duration = 3;
+
+  // The maximum number of headers. If unconfigured, the default
+  // maximum number of request headers allowed is 100. Requests that exceed this limit will receive
+  // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2.
+  google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}];
 }
 
+// [#next-free-field: 6]
 message Http1ProtocolOptions {
+  message HeaderKeyFormat {
+    message ProperCaseWords {
+    }
+
+    oneof header_format {
+      option (validate.required) = true;
+
+      // Formats the header by proper casing words: the first character and any character following
+      // a special character will be capitalized if it's an alpha character. For example,
+      // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are".
+      // Note that while this results in most headers following conventional casing, certain headers
+      // are not covered. For example, the "TE" header will be formatted as "Te".
+      ProperCaseWords proper_case_words = 1;
+    }
+  }
+
   // Handle HTTP requests with absolute URLs in the requests. These requests
   // are generally sent by clients to forward/explicit proxies. This allows clients to configure
   // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the
@@ -42,9 +95,24 @@ message Http1ProtocolOptions {
   // Envoy does not otherwise support HTTP/1.0 without a Host header.
   // This is a no-op if *accept_http_10* is not true.
   string default_host_for_http_10 = 3;
+
+  // Describes how the keys for response headers should be formatted. By default, all header keys
+  // are lower cased.
+  HeaderKeyFormat header_key_format = 4;
+
+  // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers.
+  //
+  // .. attention::
+  //
+  //   Note that this only happens when Envoy is chunk encoding which occurs when:
+  //   - The request is HTTP/1.1.
+  //   - Is neither a HEAD only request nor a HTTP Upgrade.
+  //   - Not a response to a HEAD request.
+  //   - The content length header is not present.
+  bool enable_trailers = 5;
 }
 
-// [#comment:next free field: 13]
+// [#next-free-field: 13]
 message Http2ProtocolOptions {
   // `Maximum table size `_
   // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values
@@ -55,6 +123,10 @@ message Http2ProtocolOptions {
   // `Maximum concurrent streams `_
   // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1)
   // and defaults to 2147483647.
+  //
+  // For upstream connections, this also limits how many streams Envoy will initiate concurrently
+  // on a single connection. If the limit is reached, Envoy may queue requests or establish
+  // additional connections (as allowed per circuit breaker limits).
   google.protobuf.UInt32Value max_concurrent_streams = 2
       [(validate.rules).uint32 = {lte: 2147483647 gte: 1}];
 
@@ -142,7 +214,7 @@ message Http2ProtocolOptions {
   // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However,
   // when this option is enabled, only the offending stream is terminated.
   //
-  // See [RFC7540, sec. 8.1](https://tools.ietf.org/html/rfc7540#section-8.1) for details.
+  // See `RFC7540, sec. 8.1 `_ for details.
   bool stream_error_on_invalid_http_messaging = 12;
 }
 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto
index a8423f5f904..0794f82aa9d 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto
@@ -2,19 +2,23 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-option java_outer_classname = "DiscoveryProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2";
-
 import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/any.proto";
 import "google/rpc/status.proto";
 
+import "udpa/annotations/migrate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "DiscoveryProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.discovery.v3";
+
 // [#protodoc-title: Common discovery API components]
 
 // A DiscoveryRequest requests a set of versioned resources of the same type for
 // a given Envoy node on some API.
+// [#next-free-field: 7]
 message DiscoveryRequest {
   // The version_info provided in the request messages will be the version_info
   // received with the most recent successfully processed response or empty on
@@ -56,6 +60,7 @@ message DiscoveryRequest {
   google.rpc.Status error_detail = 6;
 }
 
+// [#next-free-field: 7]
 message DiscoveryResponse {
   // The version of the response data.
   string version_info = 1;
@@ -130,6 +135,7 @@ message DiscoveryResponse {
 // In particular, initial_resource_versions being sent at the "start" of every
 // gRPC stream actually entails a message for each type_url, each with its own
 // initial_resource_versions.
+// [#next-free-field: 8]
 message DeltaDiscoveryRequest {
   // The node making the request.
   core.Node node = 1;
@@ -186,6 +192,7 @@ message DeltaDiscoveryRequest {
   google.rpc.Status error_detail = 7;
 }
 
+// [#next-free-field: 7]
 message DeltaDiscoveryResponse {
   // The version of the response data (used for debugging).
   string system_version_info = 1;
@@ -213,7 +220,6 @@ message Resource {
   // The resource's name, to distinguish it from others of the same type of resource.
   string name = 3;
 
-  // [#not-implemented-hide:]
   // The aliases are a list of other names that this resource can go by.
   repeated string aliases = 4;
 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto
index 15518902977..0917940aee8 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto
@@ -2,25 +2,30 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-option java_outer_classname = "EdsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2";
-option java_generic_services = true;
-
 import "envoy/api/v2/discovery.proto";
-import "envoy/api/v2/endpoint/endpoint.proto";
-import "envoy/type/percent.proto";
 
 import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/resource.proto";
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+import public "envoy/api/v2/endpoint.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "EdsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.endpoint.v3";
+
 // [#protodoc-title: EDS]
 // Endpoint discovery :ref:`architecture overview `
 
 service EndpointDiscoveryService {
+  option (envoy.annotations.resource).type = "envoy.api.v2.ClusterLoadAssignment";
+
   // The resource_names field in DiscoveryRequest specifies a list of clusters
   // to subscribe to updates for.
   rpc StreamEndpoints(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
@@ -30,102 +35,12 @@ service EndpointDiscoveryService {
   }
 
   rpc FetchEndpoints(DiscoveryRequest) returns (DiscoveryResponse) {
-    option (google.api.http) = {
-      post: "/v2/discovery:endpoints"
-      body: "*"
-    };
+    option (google.api.http).post = "/v2/discovery:endpoints";
+    option (google.api.http).body = "*";
   }
 }
 
-// Each route from RDS will map to a single cluster or traffic split across
-// clusters using weights expressed in the RDS WeightedCluster.
-//
-// With EDS, each cluster is treated independently from a LB perspective, with
-// LB taking place between the Localities within a cluster and at a finer
-// granularity between the hosts within a locality. The percentage of traffic
-// for each endpoint is determined by both its load_balancing_weight, and the
-// load_balancing_weight of its locality. First, a locality will be selected,
-// then an endpoint within that locality will be chose based on its weight.
-message ClusterLoadAssignment {
-  // Load balancing policy settings.
-  message Policy {
-    message DropOverload {
-      // Identifier for the policy specifying the drop.
-      string category = 1 [(validate.rules).string = {min_bytes: 1}];
-
-      // Percentage of traffic that should be dropped for the category.
-      type.FractionalPercent drop_percentage = 2;
-    }
-
-    reserved 1;
-
-    // Action to trim the overall incoming traffic to protect the upstream
-    // hosts. This action allows protection in case the hosts are unable to
-    // recover from an outage, or unable to autoscale or unable to handle
-    // incoming traffic volume for any reason.
-    //
-    // At the client each category is applied one after the other to generate
-    // the 'actual' drop percentage on all outgoing traffic. For example:
-    //
-    // .. code-block:: json
-    //
-    //  { "drop_overloads": [
-    //      { "category": "throttle", "drop_percentage": 60 }
-    //      { "category": "lb", "drop_percentage": 50 }
-    //  ]}
-    //
-    // The actual drop percentages applied to the traffic at the clients will be
-    //    "throttle"_drop = 60%
-    //    "lb"_drop = 20%  // 50% of the remaining 'actual' load, which is 40%.
-    //    actual_outgoing_load = 20% // remaining after applying all categories.
-    repeated DropOverload drop_overloads = 2;
-
-    // Priority levels and localities are considered overprovisioned with this
-    // factor (in percentage). This means that we don't consider a priority
-    // level or locality unhealthy until the percentage of healthy hosts
-    // multiplied by the overprovisioning factor drops below 100.
-    // With the default value 140(1.4), Envoy doesn't consider a priority level
-    // or a locality unhealthy until their percentage of healthy hosts drops
-    // below 72%. For example:
-    //
-    // .. code-block:: json
-    //
-    //  { "overprovisioning_factor": 100 }
-    //
-    // Read more at :ref:`priority levels ` and
-    // :ref:`localities `.
-    google.protobuf.UInt32Value overprovisioning_factor = 3 [(validate.rules).uint32 = {gt: 0}];
-
-    // The max time until which the endpoints from this assignment can be used.
-    // If no new assignments are received before this time expires the endpoints
-    // are considered stale and should be marked unhealthy.
-    // Defaults to 0 which means endpoints never go stale.
-    google.protobuf.Duration endpoint_stale_after = 4 [(validate.rules).duration = {gt {}}];
-
-    // The flag to disable overprovisioning. If it is set to true,
-    // :ref:`overprovisioning factor
-    // ` will be ignored
-    // and Envoy will not perform graceful failover between priority levels or
-    // localities as endpoints become unhealthy. Otherwise Envoy will perform
-    // graceful failover as :ref:`overprovisioning factor
-    // ` suggests.
-    // [#next-major-version: Unify with overprovisioning config as a single message.]
-    // [#not-implemented-hide:]
-    bool disable_overprovisioning = 5;
-  }
-
-  // Name of the cluster. This will be the :ref:`service_name
-  // ` value if specified
-  // in the cluster :ref:`EdsClusterConfig
-  // `.
-  string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // List of endpoints to load balance to.
-  repeated endpoint.LocalityLbEndpoints endpoints = 2;
-
-  // Map of named endpoints that can be referenced in LocalityLbEndpoints.
-  map named_endpoints = 5;
-
-  // Load balancing policy settings.
-  Policy policy = 4;
+// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
+// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file.
+message EdsDummy {
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto
new file mode 100644
index 00000000000..d800c6d19e5
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto
@@ -0,0 +1,117 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "envoy/api/v2/endpoint/endpoint_components.proto";
+import "envoy/type/percent.proto";
+
+import "google/api/annotations.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "EndpointProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
+
+// [#protodoc-title: Endpoint configuration]
+// Endpoint discovery :ref:`architecture overview `
+
+// Each route from RDS will map to a single cluster or traffic split across
+// clusters using weights expressed in the RDS WeightedCluster.
+//
+// With EDS, each cluster is treated independently from a LB perspective, with
+// LB taking place between the Localities within a cluster and at a finer
+// granularity between the hosts within a locality. The percentage of traffic
+// for each endpoint is determined by both its load_balancing_weight, and the
+// load_balancing_weight of its locality. First, a locality will be selected,
+// then an endpoint within that locality will be chose based on its weight.
+// [#next-free-field: 6]
+message ClusterLoadAssignment {
+  // Load balancing policy settings.
+  // [#next-free-field: 6]
+  message Policy {
+    message DropOverload {
+      // Identifier for the policy specifying the drop.
+      string category = 1 [(validate.rules).string = {min_bytes: 1}];
+
+      // Percentage of traffic that should be dropped for the category.
+      type.FractionalPercent drop_percentage = 2;
+    }
+
+    reserved 1;
+
+    // Action to trim the overall incoming traffic to protect the upstream
+    // hosts. This action allows protection in case the hosts are unable to
+    // recover from an outage, or unable to autoscale or unable to handle
+    // incoming traffic volume for any reason.
+    //
+    // At the client each category is applied one after the other to generate
+    // the 'actual' drop percentage on all outgoing traffic. For example:
+    //
+    // .. code-block:: json
+    //
+    //  { "drop_overloads": [
+    //      { "category": "throttle", "drop_percentage": 60 }
+    //      { "category": "lb", "drop_percentage": 50 }
+    //  ]}
+    //
+    // The actual drop percentages applied to the traffic at the clients will be
+    //    "throttle"_drop = 60%
+    //    "lb"_drop = 20%  // 50% of the remaining 'actual' load, which is 40%.
+    //    actual_outgoing_load = 20% // remaining after applying all categories.
+    repeated DropOverload drop_overloads = 2;
+
+    // Priority levels and localities are considered overprovisioned with this
+    // factor (in percentage). This means that we don't consider a priority
+    // level or locality unhealthy until the percentage of healthy hosts
+    // multiplied by the overprovisioning factor drops below 100.
+    // With the default value 140(1.4), Envoy doesn't consider a priority level
+    // or a locality unhealthy until their percentage of healthy hosts drops
+    // below 72%. For example:
+    //
+    // .. code-block:: json
+    //
+    //  { "overprovisioning_factor": 100 }
+    //
+    // Read more at :ref:`priority levels ` and
+    // :ref:`localities `.
+    google.protobuf.UInt32Value overprovisioning_factor = 3 [(validate.rules).uint32 = {gt: 0}];
+
+    // The max time until which the endpoints from this assignment can be used.
+    // If no new assignments are received before this time expires the endpoints
+    // are considered stale and should be marked unhealthy.
+    // Defaults to 0 which means endpoints never go stale.
+    google.protobuf.Duration endpoint_stale_after = 4 [(validate.rules).duration = {gt {}}];
+
+    // The flag to disable overprovisioning. If it is set to true,
+    // :ref:`overprovisioning factor
+    // ` will be ignored
+    // and Envoy will not perform graceful failover between priority levels or
+    // localities as endpoints become unhealthy. Otherwise Envoy will perform
+    // graceful failover as :ref:`overprovisioning factor
+    // ` suggests.
+    // [#next-major-version: Unify with overprovisioning config as a single message.]
+    // [#not-implemented-hide:]
+    bool disable_overprovisioning = 5;
+  }
+
+  // Name of the cluster. This will be the :ref:`service_name
+  // ` value if specified
+  // in the cluster :ref:`EdsClusterConfig
+  // `.
+  string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // List of endpoints to load balance to.
+  repeated endpoint.LocalityLbEndpoints endpoints = 2;
+
+  // Map of named endpoints that can be referenced in LocalityLbEndpoints.
+  // [#not-implemented-hide:]
+  map named_endpoints = 5;
+
+  // Load balancing policy settings.
+  Policy policy = 4;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto
index 46875a173e8..247c9ae265a 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto
@@ -2,125 +2,8 @@ syntax = "proto3";
 
 package envoy.api.v2.endpoint;
 
+import public "envoy/api/v2/endpoint/endpoint_components.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
 option java_outer_classname = "EndpointProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
-
-import "envoy/api/v2/core/address.proto";
-import "envoy/api/v2/core/base.proto";
-import "envoy/api/v2/core/health_check.proto";
-
-import "google/protobuf/wrappers.proto";
-
-import "validate/validate.proto";
-
-// [#protodoc-title: Endpoints]
-
-// Upstream host identifier.
-message Endpoint {
-  // The optional health check configuration.
-  message HealthCheckConfig {
-    // Optional alternative health check port value.
-    //
-    // By default the health check address port of an upstream host is the same
-    // as the host's serving address port. This provides an alternative health
-    // check port. Setting this with a non-zero value allows an upstream host
-    // to have different health check address port.
-    uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
-  }
-
-  // The upstream host address.
-  //
-  // .. attention::
-  //
-  //   The form of host address depends on the given cluster type. For STATIC or EDS,
-  //   it is expected to be a direct IP address (or something resolvable by the
-  //   specified :ref:`resolver `
-  //   in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname,
-  //   and will be resolved via DNS.
-  core.Address address = 1;
-
-  // The optional health check configuration is used as configuration for the
-  // health checker to contact the health checked host.
-  //
-  // .. attention::
-  //
-  //   This takes into effect only for upstream clusters with
-  //   :ref:`active health checking ` enabled.
-  HealthCheckConfig health_check_config = 2;
-}
-
-// An Endpoint that Envoy can route traffic to.
-message LbEndpoint {
-  // Upstream host identifier or a named reference.
-  oneof host_identifier {
-    Endpoint endpoint = 1;
-
-    string endpoint_name = 5;
-  }
-
-  // Optional health status when known and supplied by EDS server.
-  core.HealthStatus health_status = 2;
-
-  // The endpoint metadata specifies values that may be used by the load
-  // balancer to select endpoints in a cluster for a given request. The filter
-  // name should be specified as *envoy.lb*. An example boolean key-value pair
-  // is *canary*, providing the optional canary status of the upstream host.
-  // This may be matched against in a route's
-  // :ref:`RouteAction ` metadata_match field
-  // to subset the endpoints considered in cluster load balancing.
-  core.Metadata metadata = 3;
-
-  // The optional load balancing weight of the upstream host; at least 1.
-  // Envoy uses the load balancing weight in some of the built in load
-  // balancers. The load balancing weight for an endpoint is divided by the sum
-  // of the weights of all endpoints in the endpoint's locality to produce a
-  // percentage of traffic for the endpoint. This percentage is then further
-  // weighted by the endpoint's locality's load balancing weight from
-  // LocalityLbEndpoints. If unspecified, each host is presumed to have equal
-  // weight in a locality.
-  google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
-}
-
-// A group of endpoints belonging to a Locality.
-// One can have multiple LocalityLbEndpoints for a locality, but this is
-// generally only done if the different groups need to have different load
-// balancing weights or different priorities.
-message LocalityLbEndpoints {
-  // Identifies location of where the upstream hosts run.
-  core.Locality locality = 1;
-
-  // The group of endpoints belonging to the locality specified.
-  repeated LbEndpoint lb_endpoints = 2;
-
-  // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
-  // balancing weight for a locality is divided by the sum of the weights of all
-  // localities  at the same priority level to produce the effective percentage
-  // of traffic for the locality.
-  //
-  // Locality weights are only considered when :ref:`locality weighted load
-  // balancing ` is
-  // configured. These weights are ignored otherwise. If no weights are
-  // specified when locality weighted load balancing is enabled, the locality is
-  // assigned no load.
-  google.protobuf.UInt32Value load_balancing_weight = 3 [(validate.rules).uint32 = {gte: 1}];
-
-  // Optional: the priority for this LocalityLbEndpoints. If unspecified this will
-  // default to the highest priority (0).
-  //
-  // Under usual circumstances, Envoy will only select endpoints for the highest
-  // priority (0). In the event all endpoints for a particular priority are
-  // unavailable/unhealthy, Envoy will fail over to selecting endpoints for the
-  // next highest priority group.
-  //
-  // Priorities should range from 0 (highest) to N (lowest) without skipping.
-  uint32 priority = 5 [(validate.rules).uint32 = {lte: 128}];
-
-  // Optional: Per locality proximity value which indicates how close this
-  // locality is from the source locality. This value only provides ordering
-  // information (lower the value, closer it is to the source locality).
-  // This will be consumed by load balancing schemes that need proximity order
-  // to determine where to route the requests.
-  // [#not-implemented-hide:]
-  google.protobuf.UInt32Value proximity = 6;
-}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto
new file mode 100644
index 00000000000..5d2fe527588
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto
@@ -0,0 +1,131 @@
+syntax = "proto3";
+
+package envoy.api.v2.endpoint;
+
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/health_check.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
+option java_outer_classname = "EndpointComponentsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
+
+// [#protodoc-title: Endpoints]
+
+// Upstream host identifier.
+message Endpoint {
+  // The optional health check configuration.
+  message HealthCheckConfig {
+    // Optional alternative health check port value.
+    //
+    // By default the health check address port of an upstream host is the same
+    // as the host's serving address port. This provides an alternative health
+    // check port. Setting this with a non-zero value allows an upstream host
+    // to have different health check address port.
+    uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
+  }
+
+  // The upstream host address.
+  //
+  // .. attention::
+  //
+  //   The form of host address depends on the given cluster type. For STATIC or EDS,
+  //   it is expected to be a direct IP address (or something resolvable by the
+  //   specified :ref:`resolver `
+  //   in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname,
+  //   and will be resolved via DNS.
+  core.Address address = 1;
+
+  // The optional health check configuration is used as configuration for the
+  // health checker to contact the health checked host.
+  //
+  // .. attention::
+  //
+  //   This takes into effect only for upstream clusters with
+  //   :ref:`active health checking ` enabled.
+  HealthCheckConfig health_check_config = 2;
+}
+
+// An Endpoint that Envoy can route traffic to.
+// [#next-free-field: 6]
+message LbEndpoint {
+  // Upstream host identifier or a named reference.
+  oneof host_identifier {
+    Endpoint endpoint = 1;
+
+    // [#not-implemented-hide:]
+    string endpoint_name = 5;
+  }
+
+  // Optional health status when known and supplied by EDS server.
+  core.HealthStatus health_status = 2;
+
+  // The endpoint metadata specifies values that may be used by the load
+  // balancer to select endpoints in a cluster for a given request. The filter
+  // name should be specified as *envoy.lb*. An example boolean key-value pair
+  // is *canary*, providing the optional canary status of the upstream host.
+  // This may be matched against in a route's
+  // :ref:`RouteAction ` metadata_match field
+  // to subset the endpoints considered in cluster load balancing.
+  core.Metadata metadata = 3;
+
+  // The optional load balancing weight of the upstream host; at least 1.
+  // Envoy uses the load balancing weight in some of the built in load
+  // balancers. The load balancing weight for an endpoint is divided by the sum
+  // of the weights of all endpoints in the endpoint's locality to produce a
+  // percentage of traffic for the endpoint. This percentage is then further
+  // weighted by the endpoint's locality's load balancing weight from
+  // LocalityLbEndpoints. If unspecified, each host is presumed to have equal
+  // weight in a locality.
+  google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
+}
+
+// A group of endpoints belonging to a Locality.
+// One can have multiple LocalityLbEndpoints for a locality, but this is
+// generally only done if the different groups need to have different load
+// balancing weights or different priorities.
+// [#next-free-field: 7]
+message LocalityLbEndpoints {
+  // Identifies location of where the upstream hosts run.
+  core.Locality locality = 1;
+
+  // The group of endpoints belonging to the locality specified.
+  repeated LbEndpoint lb_endpoints = 2;
+
+  // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
+  // balancing weight for a locality is divided by the sum of the weights of all
+  // localities  at the same priority level to produce the effective percentage
+  // of traffic for the locality.
+  //
+  // Locality weights are only considered when :ref:`locality weighted load
+  // balancing ` is
+  // configured. These weights are ignored otherwise. If no weights are
+  // specified when locality weighted load balancing is enabled, the locality is
+  // assigned no load.
+  google.protobuf.UInt32Value load_balancing_weight = 3 [(validate.rules).uint32 = {gte: 1}];
+
+  // Optional: the priority for this LocalityLbEndpoints. If unspecified this will
+  // default to the highest priority (0).
+  //
+  // Under usual circumstances, Envoy will only select endpoints for the highest
+  // priority (0). In the event all endpoints for a particular priority are
+  // unavailable/unhealthy, Envoy will fail over to selecting endpoints for the
+  // next highest priority group.
+  //
+  // Priorities should range from 0 (highest) to N (lowest) without skipping.
+  uint32 priority = 5 [(validate.rules).uint32 = {lte: 128}];
+
+  // Optional: Per locality proximity value which indicates how close this
+  // locality is from the source locality. This value only provides ordering
+  // information (lower the value, closer it is to the source locality).
+  // This will be consumed by load balancing schemes that need proximity order
+  // to determine where to route the requests.
+  // [#not-implemented-hide:]
+  google.protobuf.UInt32Value proximity = 6;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto
index b44313ba4ee..a80d5b77d92 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto
@@ -2,23 +2,26 @@ syntax = "proto3";
 
 package envoy.api.v2.endpoint;
 
-option java_outer_classname = "LoadReportProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
-
 import "envoy/api/v2/core/address.proto";
 import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
+option java_outer_classname = "LoadReportProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
+
 // These are stats Envoy reports to GLB every so often. Report frequency is
 // defined by
-// :ref:`LoadStatsResponse.load_reporting_interval`.
+// :ref:`LoadStatsResponse.load_reporting_interval`.
 // Stats per upstream region/zone and optionally per subzone.
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
+// [#next-free-field: 9]
 message UpstreamLocalityStats {
   // Name of zone, region and optionally endpoint group these metrics were
   // collected from. Zone and region names could be empty if unknown.
@@ -45,7 +48,7 @@ message UpstreamLocalityStats {
 
   // Endpoint granularity stats information for this locality. This information
   // is populated if the Server requests it by setting
-  // :ref:`LoadStatsResponse.report_endpoint_granularity`.
+  // :ref:`LoadStatsResponse.report_endpoint_granularity`.
   repeated UpstreamEndpointStats upstream_endpoint_stats = 7;
 
   // [#not-implemented-hide:] The priority of the endpoint group these metrics
@@ -53,6 +56,8 @@ message UpstreamLocalityStats {
   uint32 priority = 6;
 }
 
+// [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
+// [#next-free-field: 8]
 message UpstreamEndpointStats {
   // Upstream host address.
   core.Address address = 1;
@@ -105,12 +110,21 @@ message EndpointLoadMetricStats {
 }
 
 // Per cluster load stats. Envoy reports these stats a management server in a
-// :ref:`LoadStatsRequest`
+// :ref:`LoadStatsRequest`
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 // Next ID: 7
+// [#next-free-field: 7]
 message ClusterStats {
+  message DroppedRequests {
+    // Identifier for the policy specifying the drop.
+    string category = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // Total number of deliberately dropped requests for the category.
+    uint64 dropped_count = 2;
+  }
+
   // The name of the cluster.
-  string cluster_name = 1 [(validate.rules).string.min_bytes = 1];
+  string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
 
   // The eds_cluster_config service_name of the cluster.
   // It's possible that two clusters send the same service_name to EDS,
@@ -119,7 +133,7 @@ message ClusterStats {
 
   // Need at least one.
   repeated UpstreamLocalityStats upstream_locality_stats = 2
-      [(validate.rules).repeated .min_items = 1];
+      [(validate.rules).repeated = {min_items: 1}];
 
   // Cluster-level stats such as total_successful_requests may be computed by
   // summing upstream_locality_stats. In addition, below there are additional
@@ -129,12 +143,6 @@ message ClusterStats {
   // deliberately dropped by the drop_overload policy and circuit breaking.
   uint64 total_dropped_requests = 3;
 
-  message DroppedRequests {
-    // Identifier for the policy specifying the drop.
-    string category = 1 [(validate.rules).string.min_bytes = 1];
-    // Total number of deliberately dropped requests for the category.
-    uint64 dropped_count = 2;
-  }
   // Information about deliberately dropped requests for each category specified
   // in the DropOverload policy.
   repeated DroppedRequests dropped_requests = 5;
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto
index 0ea940f6c47..aa13453ebc6 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto
@@ -2,24 +2,24 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-option java_outer_classname = "LdsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2";
-option java_generic_services = true;
-
-import "envoy/api/v2/core/address.proto";
-import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/discovery.proto";
-import "envoy/api/v2/listener/listener.proto";
-import "envoy/api/v2/listener/udp_listener_config.proto";
-import "envoy/config/listener/v2/api_listener.proto";
 
 import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/resource.proto";
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+import public "envoy/api/v2/listener.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "LdsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.listener.v3";
+
 // [#protodoc-title: Listener]
 // Listener :ref:`configuration overview `
 
@@ -28,6 +28,8 @@ import "validate/validate.proto";
 // consist of a complete update of all listeners. Existing connections will be
 // allowed to drain from listeners that are no longer present.
 service ListenerDiscoveryService {
+  option (envoy.annotations.resource).type = "envoy.api.v2.Listener";
+
   rpc DeltaListeners(stream DeltaDiscoveryRequest) returns (stream DeltaDiscoveryResponse) {
   }
 
@@ -35,183 +37,12 @@ service ListenerDiscoveryService {
   }
 
   rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) {
-    option (google.api.http) = {
-      post: "/v2/discovery:listeners"
-      body: "*"
-    };
+    option (google.api.http).post = "/v2/discovery:listeners";
+    option (google.api.http).body = "*";
   }
 }
 
-// [#comment:next free field: 20]
-message Listener {
-  enum DrainType {
-    // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
-    // filter), listener removal/modification, and hot restart.
-    DEFAULT = 0;
-
-    // Drain in response to listener removal/modification and hot restart. This setting does not
-    // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress
-    // and egress listeners.
-    MODIFY_ONLY = 1;
-  }
-
-  // [#not-implemented-hide:]
-  message DeprecatedV1 {
-    // Whether the listener should bind to the port. A listener that doesn't
-    // bind can only receive connections redirected from other listeners that
-    // set use_original_dst parameter to true. Default is true.
-    //
-    // This is deprecated in v2, all Listeners will bind to their port. An
-    // additional filter chain must be created for every original destination
-    // port this listener may redirect to in v2, with the original port
-    // specified in the FilterChainMatch destination_port field.
-    //
-    // [#comment:TODO(PiotrSikora): Remove this once verified that we no longer need it.]
-    google.protobuf.BoolValue bind_to_port = 1;
-  }
-
-  reserved 14;
-
-  // The unique name by which this listener is known. If no name is provided,
-  // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
-  // updated or removed via :ref:`LDS ` a unique name must be provided.
-  string name = 1;
-
-  // The address that the listener should listen on. In general, the address must be unique, though
-  // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
-  // Linux as the actual port will be allocated by the OS.
-  core.Address address = 2 [(validate.rules).message = {required: true}];
-
-  // A list of filter chains to consider for this listener. The
-  // :ref:`FilterChain ` with the most specific
-  // :ref:`FilterChainMatch ` criteria is used on a
-  // connection.
-  //
-  // Example using SNI for filter chain selection can be found in the
-  // :ref:`FAQ entry `.
-  repeated listener.FilterChain filter_chains = 3;
-
-  // If a connection is redirected using *iptables*, the port on which the proxy
-  // receives it might be different from the original destination address. When this flag is set to
-  // true, the listener hands off redirected connections to the listener associated with the
-  // original destination address. If there is no listener associated with the original destination
-  // address, the connection is handled by the listener that receives it. Defaults to false.
-  //
-  // .. attention::
-  //
-  //   This field is deprecated. Use :ref:`an original_dst `
-  //   :ref:`listener filter ` instead.
-  //
-  //   Note that hand off to another listener is *NOT* performed without this flag. Once
-  //   :ref:`FilterChainMatch ` is implemented this flag
-  //   will be removed, as filter chain matching can be used to select a filter chain based on the
-  //   restored destination address.
-  google.protobuf.BoolValue use_original_dst = 4 [deprecated = true];
-
-  // Soft limit on size of the listener’s new connection read and write buffers.
-  // If unspecified, an implementation defined default is applied (1MiB).
-  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
-
-  // Listener metadata.
-  core.Metadata metadata = 6;
-
-  // [#not-implemented-hide:]
-  DeprecatedV1 deprecated_v1 = 7;
-
-  // The type of draining to perform at a listener-wide level.
-  DrainType drain_type = 8;
-
-  // Listener filters have the opportunity to manipulate and augment the connection metadata that
-  // is used in connection filter chain matching, for example. These filters are run before any in
-  // :ref:`filter_chains `. Order matters as the
-  // filters are processed sequentially right after a socket has been accepted by the listener, and
-  // before a connection is created.
-  // UDP Listener filters can be specified when the protocol in the listener socket address in
-  // :ref:`protocol ` is :ref:'UDP
-  // `.
-  // UDP listeners currently support a single filter.
-  repeated listener.ListenerFilter listener_filters = 9;
-
-  // The timeout to wait for all listener filters to complete operation. If the timeout is reached,
-  // the accepted socket is closed without a connection being created unless
-  // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the
-  // timeout. If not specified, a default timeout of 15s is used.
-  google.protobuf.Duration listener_filters_timeout = 15;
-
-  // Whether a connection should be created when listener filters timeout. Default is false.
-  //
-  // .. attention::
-  //
-  //   Some listener filters, such as :ref:`Proxy Protocol filter
-  //   `, should not be used with this option. It will cause
-  //   unexpected behavior when a connection is created.
-  bool continue_on_listener_filters_timeout = 17;
-
-  // Whether the listener should be set as a transparent socket.
-  // When this flag is set to true, connections can be redirected to the listener using an
-  // *iptables* *TPROXY* target, in which case the original source and destination addresses and
-  // ports are preserved on accepted connections. This flag should be used in combination with
-  // :ref:`an original_dst ` :ref:`listener filter
-  // ` to mark the connections' local addresses as
-  // "restored." This can be used to hand off each redirected connection to another listener
-  // associated with the connection's destination address. Direct connections to the socket without
-  // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are
-  // therefore treated as if they were redirected.
-  // When this flag is set to false, the listener's socket is explicitly reset as non-transparent.
-  // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability.
-  // When this flag is not set (default), the socket is not modified, i.e. the transparent option
-  // is neither set nor reset.
-  google.protobuf.BoolValue transparent = 10;
-
-  // Whether the listener should set the *IP_FREEBIND* socket option. When this
-  // flag is set to true, listeners can be bound to an IP address that is not
-  // configured on the system running Envoy. When this flag is set to false, the
-  // option *IP_FREEBIND* is disabled on the socket. When this flag is not set
-  // (default), the socket is not modified, i.e. the option is neither enabled
-  // nor disabled.
-  google.protobuf.BoolValue freebind = 11;
-
-  // Additional socket options that may not be present in Envoy source code or
-  // precompiled binaries.
-  repeated core.SocketOption socket_options = 13;
-
-  // Whether the listener should accept TCP Fast Open (TFO) connections.
-  // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on
-  // the socket, with a queue length of the specified size
-  // (see `details in RFC7413 `_).
-  // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket.
-  // When this flag is not set (default), the socket is not modified,
-  // i.e. the option is neither enabled nor disabled.
-  //
-  // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable
-  // TCP_FASTOPEN.
-  // See `ip-sysctl.txt `_.
-  //
-  // On macOS, only values of 0, 1, and unset are valid; other values may result in an error.
-  // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter.
-  google.protobuf.UInt32Value tcp_fast_open_queue_length = 12;
-
-  // Specifies the intended direction of the traffic relative to the local Envoy.
-  core.TrafficDirection traffic_direction = 16;
-
-  // If the protocol in the listener socket address in :ref:`protocol
-  // ` is :ref:'UDP
-  // `, this field specifies the actual udp listener to create,
-  // i.e. :ref:`udp_listener_name
-  // ` = "raw_udp_listener" for
-  // creating a packet-oriented UDP listener. If not present, treat it as "raw_udp_listener".
-  listener.UdpListenerConfig udp_listener_config = 18;
-
-  // [#not-implemented-hide:]
-  // Used to represent an API listener, which is used in non-proxy clients. The type of API
-  // exposed to the non-proxy application depends on the type of API listener.
-  // When this field is set, no other field except for :ref:`name`
-  // should be set.
-  // [#next-major-version: In the v3 API, instead of this messy approach where the socket
-  // listener fields are directly in the top-level Listener message and the API listener types
-  // are in the ApiListener message, the socket listener messages should be in their own message,
-  // and the top-level Listener should essentially be a oneof that selects between the
-  // socket listener and the various types of API listener. That way, a given Listener message
-  // can structurally only contain the fields of the relevant type.]
-  config.listener.v2.ApiListener api_listener = 19;
+// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
+// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file.
+message LdsDummy {
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto
new file mode 100644
index 00000000000..3fbb10070d0
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto
@@ -0,0 +1,239 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/listener/listener_components.proto";
+import "envoy/api/v2/listener/udp_listener_config.proto";
+import "envoy/config/listener/v2/api_listener.proto";
+
+import "google/api/annotations.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "ListenerProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
+
+// [#protodoc-title: Listener configuration]
+// Listener :ref:`configuration overview `
+
+// [#next-free-field: 22]
+message Listener {
+  enum DrainType {
+    // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
+    // filter), listener removal/modification, and hot restart.
+    DEFAULT = 0;
+
+    // Drain in response to listener removal/modification and hot restart. This setting does not
+    // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress
+    // and egress listeners.
+    MODIFY_ONLY = 1;
+  }
+
+  // [#not-implemented-hide:]
+  message DeprecatedV1 {
+    // Whether the listener should bind to the port. A listener that doesn't
+    // bind can only receive connections redirected from other listeners that
+    // set use_original_dst parameter to true. Default is true.
+    //
+    // This is deprecated in v2, all Listeners will bind to their port. An
+    // additional filter chain must be created for every original destination
+    // port this listener may redirect to in v2, with the original port
+    // specified in the FilterChainMatch destination_port field.
+    //
+    // [#comment:TODO(PiotrSikora): Remove this once verified that we no longer need it.]
+    google.protobuf.BoolValue bind_to_port = 1;
+  }
+
+  // Configuration for listener connection balancing.
+  message ConnectionBalanceConfig {
+    // A connection balancer implementation that does exact balancing. This means that a lock is
+    // held during balancing so that connection counts are nearly exactly balanced between worker
+    // threads. This is "nearly" exact in the sense that a connection might close in parallel thus
+    // making the counts incorrect, but this should be rectified on the next accept. This balancer
+    // sacrifices accept throughput for accuracy and should be used when there are a small number of
+    // connections that rarely cycle (e.g., service mesh gRPC egress).
+    message ExactBalance {
+    }
+
+    oneof balance_type {
+      option (validate.required) = true;
+
+      // If specified, the listener will use the exact connection balancer.
+      ExactBalance exact_balance = 1;
+    }
+  }
+
+  reserved 14;
+
+  // The unique name by which this listener is known. If no name is provided,
+  // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
+  // updated or removed via :ref:`LDS ` a unique name must be provided.
+  string name = 1;
+
+  // The address that the listener should listen on. In general, the address must be unique, though
+  // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
+  // Linux as the actual port will be allocated by the OS.
+  core.Address address = 2 [(validate.rules).message = {required: true}];
+
+  // A list of filter chains to consider for this listener. The
+  // :ref:`FilterChain ` with the most specific
+  // :ref:`FilterChainMatch ` criteria is used on a
+  // connection.
+  //
+  // Example using SNI for filter chain selection can be found in the
+  // :ref:`FAQ entry `.
+  repeated listener.FilterChain filter_chains = 3;
+
+  // If a connection is redirected using *iptables*, the port on which the proxy
+  // receives it might be different from the original destination address. When this flag is set to
+  // true, the listener hands off redirected connections to the listener associated with the
+  // original destination address. If there is no listener associated with the original destination
+  // address, the connection is handled by the listener that receives it. Defaults to false.
+  //
+  // .. attention::
+  //
+  //   This field is deprecated. Use :ref:`an original_dst `
+  //   :ref:`listener filter ` instead.
+  //
+  //   Note that hand off to another listener is *NOT* performed without this flag. Once
+  //   :ref:`FilterChainMatch ` is implemented this flag
+  //   will be removed, as filter chain matching can be used to select a filter chain based on the
+  //   restored destination address.
+  google.protobuf.BoolValue use_original_dst = 4 [deprecated = true];
+
+  // Soft limit on size of the listener’s new connection read and write buffers.
+  // If unspecified, an implementation defined default is applied (1MiB).
+  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+
+  // Listener metadata.
+  core.Metadata metadata = 6;
+
+  // [#not-implemented-hide:]
+  DeprecatedV1 deprecated_v1 = 7;
+
+  // The type of draining to perform at a listener-wide level.
+  DrainType drain_type = 8;
+
+  // Listener filters have the opportunity to manipulate and augment the connection metadata that
+  // is used in connection filter chain matching, for example. These filters are run before any in
+  // :ref:`filter_chains `. Order matters as the
+  // filters are processed sequentially right after a socket has been accepted by the listener, and
+  // before a connection is created.
+  // UDP Listener filters can be specified when the protocol in the listener socket address in
+  // :ref:`protocol ` is :ref:`UDP
+  // `.
+  // UDP listeners currently support a single filter.
+  repeated listener.ListenerFilter listener_filters = 9;
+
+  // The timeout to wait for all listener filters to complete operation. If the timeout is reached,
+  // the accepted socket is closed without a connection being created unless
+  // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the
+  // timeout. If not specified, a default timeout of 15s is used.
+  google.protobuf.Duration listener_filters_timeout = 15;
+
+  // Whether a connection should be created when listener filters timeout. Default is false.
+  //
+  // .. attention::
+  //
+  //   Some listener filters, such as :ref:`Proxy Protocol filter
+  //   `, should not be used with this option. It will cause
+  //   unexpected behavior when a connection is created.
+  bool continue_on_listener_filters_timeout = 17;
+
+  // Whether the listener should be set as a transparent socket.
+  // When this flag is set to true, connections can be redirected to the listener using an
+  // *iptables* *TPROXY* target, in which case the original source and destination addresses and
+  // ports are preserved on accepted connections. This flag should be used in combination with
+  // :ref:`an original_dst ` :ref:`listener filter
+  // ` to mark the connections' local addresses as
+  // "restored." This can be used to hand off each redirected connection to another listener
+  // associated with the connection's destination address. Direct connections to the socket without
+  // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are
+  // therefore treated as if they were redirected.
+  // When this flag is set to false, the listener's socket is explicitly reset as non-transparent.
+  // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability.
+  // When this flag is not set (default), the socket is not modified, i.e. the transparent option
+  // is neither set nor reset.
+  google.protobuf.BoolValue transparent = 10;
+
+  // Whether the listener should set the *IP_FREEBIND* socket option. When this
+  // flag is set to true, listeners can be bound to an IP address that is not
+  // configured on the system running Envoy. When this flag is set to false, the
+  // option *IP_FREEBIND* is disabled on the socket. When this flag is not set
+  // (default), the socket is not modified, i.e. the option is neither enabled
+  // nor disabled.
+  google.protobuf.BoolValue freebind = 11;
+
+  // Additional socket options that may not be present in Envoy source code or
+  // precompiled binaries.
+  repeated core.SocketOption socket_options = 13;
+
+  // Whether the listener should accept TCP Fast Open (TFO) connections.
+  // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on
+  // the socket, with a queue length of the specified size
+  // (see `details in RFC7413 `_).
+  // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket.
+  // When this flag is not set (default), the socket is not modified,
+  // i.e. the option is neither enabled nor disabled.
+  //
+  // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable
+  // TCP_FASTOPEN.
+  // See `ip-sysctl.txt `_.
+  //
+  // On macOS, only values of 0, 1, and unset are valid; other values may result in an error.
+  // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter.
+  google.protobuf.UInt32Value tcp_fast_open_queue_length = 12;
+
+  // Specifies the intended direction of the traffic relative to the local Envoy.
+  core.TrafficDirection traffic_direction = 16;
+
+  // If the protocol in the listener socket address in :ref:`protocol
+  // ` is :ref:`UDP
+  // `, this field specifies the actual udp
+  // listener to create, i.e. :ref:`udp_listener_name
+  // ` = "raw_udp_listener" for
+  // creating a packet-oriented UDP listener. If not present, treat it as "raw_udp_listener".
+  listener.UdpListenerConfig udp_listener_config = 18;
+
+  // Used to represent an API listener, which is used in non-proxy clients. The type of API
+  // exposed to the non-proxy application depends on the type of API listener.
+  // When this field is set, no other field except for :ref:`name`
+  // should be set.
+  //
+  // .. note::
+  //
+  //  Currently only one ApiListener can be installed; and it can only be done via bootstrap config,
+  //  not LDS.
+  //
+  // [#next-major-version: In the v3 API, instead of this messy approach where the socket
+  // listener fields are directly in the top-level Listener message and the API listener types
+  // are in the ApiListener message, the socket listener messages should be in their own message,
+  // and the top-level Listener should essentially be a oneof that selects between the
+  // socket listener and the various types of API listener. That way, a given Listener message
+  // can structurally only contain the fields of the relevant type.]
+  config.listener.v2.ApiListener api_listener = 19;
+
+  // The listener's connection balancer configuration, currently only applicable to TCP listeners.
+  // If no configuration is specified, Envoy will not attempt to balance active connections between
+  // worker threads.
+  ConnectionBalanceConfig connection_balance_config = 20;
+
+  // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and
+  // create one socket for each worker thread. This makes inbound connections
+  // distribute among worker threads roughly evenly in cases where there are a high number
+  // of connections. When this flag is set to false, all worker threads share one socket.
+  //
+  // Before Linux v4.19-rc1, new TCP connections may be rejected during hot restart
+  // (see `3rd paragraph in 'soreuseport' commit message
+  // `_).
+  // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket
+  // `_.
+  bool reuse_port = 21;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto
index 949075840dd..273b29cb5dd 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto
@@ -2,207 +2,10 @@ syntax = "proto3";
 
 package envoy.api.v2.listener;
 
+import public "envoy/api/v2/listener/listener_components.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.listener";
 option java_outer_classname = "ListenerProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.listener";
 option csharp_namespace = "Envoy.Api.V2.ListenerNS";
 option ruby_package = "Envoy.Api.V2.ListenerNS";
-
-import "envoy/api/v2/auth/cert.proto";
-import "envoy/api/v2/core/address.proto";
-import "envoy/api/v2/core/base.proto";
-
-import "google/protobuf/any.proto";
-import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
-
-import "validate/validate.proto";
-
-// [#protodoc-title: Listener components]
-// Listener :ref:`configuration overview `
-
-message Filter {
-  reserved 3;
-
-  // The name of the filter to instantiate. The name must match a
-  // :ref:`supported filter `.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // Filter specific configuration which depends on the filter being
-  // instantiated. See the supported filters for further documentation.
-  oneof config_type {
-    google.protobuf.Struct config = 2;
-
-    google.protobuf.Any typed_config = 4;
-  }
-}
-
-// Specifies the match criteria for selecting a specific filter chain for a
-// listener.
-//
-// In order for a filter chain to be selected, *ALL* of its criteria must be
-// fulfilled by the incoming connection, properties of which are set by the
-// networking stack and/or listener filters.
-//
-// The following order applies:
-//
-// 1. Destination port.
-// 2. Destination IP address.
-// 3. Server name (e.g. SNI for TLS protocol),
-// 4. Transport protocol.
-// 5. Application protocols (e.g. ALPN for TLS protocol).
-// 6. Source type (e.g. any, local or external network).
-// 7. Source IP address.
-// 8. Source port.
-//
-// For criteria that allow ranges or wildcards, the most specific value in any
-// of the configured filter chains that matches the incoming connection is going
-// to be used (e.g. for SNI ``www.example.com`` the most specific match would be
-// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
-// chain without ``server_names`` requirements).
-//
-// [#comment: Implemented rules are kept in the preference order, with deprecated fields
-// listed at the end, because that's how we want to list them in the docs.
-//
-// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
-message FilterChainMatch {
-  enum ConnectionSourceType {
-    // Any connection source matches.
-    ANY = 0;
-
-    // Match a connection originating from the same host.
-    LOCAL = 1;
-
-    // Match a connection originating from a different host.
-    EXTERNAL = 2;
-  }
-
-  reserved 1;
-
-  // Optional destination port to consider when use_original_dst is set on the
-  // listener in determining a filter chain match.
-  google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}];
-
-  // If non-empty, an IP address and prefix length to match addresses when the
-  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
-  repeated core.CidrRange prefix_ranges = 3;
-
-  // If non-empty, an IP address and suffix length to match addresses when the
-  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
-  // [#not-implemented-hide:]
-  string address_suffix = 4;
-
-  // [#not-implemented-hide:]
-  google.protobuf.UInt32Value suffix_len = 5;
-
-  // Specifies the connection source IP match type. Can be any, local or external network.
-  ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];
-
-  // The criteria is satisfied if the source IP address of the downstream
-  // connection is contained in at least one of the specified subnets. If the
-  // parameter is not specified or the list is empty, the source IP address is
-  // ignored.
-  repeated core.CidrRange source_prefix_ranges = 6;
-
-  // The criteria is satisfied if the source port of the downstream connection
-  // is contained in at least one of the specified ports. If the parameter is
-  // not specified, the source port is ignored.
-  repeated uint32 source_ports = 7
-      [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}];
-
-  // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
-  // a filter chain match. Those values will be compared against the server names of a new
-  // connection, when detected by one of the listener filters.
-  //
-  // The server name will be matched against all wildcard domains, i.e. ``www.example.com``
-  // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
-  //
-  // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
-  //
-  // .. attention::
-  //
-  //   See the :ref:`FAQ entry ` on how to configure SNI for more
-  //   information.
-  repeated string server_names = 11;
-
-  // If non-empty, a transport protocol to consider when determining a filter chain match.
-  // This value will be compared against the transport protocol of a new connection, when
-  // it's detected by one of the listener filters.
-  //
-  // Suggested values include:
-  //
-  // * ``raw_buffer`` - default, used when no transport protocol is detected,
-  // * ``tls`` - set by :ref:`envoy.listener.tls_inspector `
-  //   when TLS protocol is detected.
-  string transport_protocol = 9;
-
-  // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
-  // determining a filter chain match. Those values will be compared against the application
-  // protocols of a new connection, when detected by one of the listener filters.
-  //
-  // Suggested values include:
-  //
-  // * ``http/1.1`` - set by :ref:`envoy.listener.tls_inspector
-  //   `,
-  // * ``h2`` - set by :ref:`envoy.listener.tls_inspector `
-  //
-  // .. attention::
-  //
-  //   Currently, only :ref:`TLS Inspector ` provides
-  //   application protocol detection based on the requested
-  //   `ALPN `_ values.
-  //
-  //   However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
-  //   and matching on values other than ``h2`` is going to lead to a lot of false negatives,
-  //   unless all connecting clients are known to use ALPN.
-  repeated string application_protocols = 10;
-}
-
-// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
-// various other parameters.
-message FilterChain {
-  // The criteria to use when matching a connection to this filter chain.
-  FilterChainMatch filter_chain_match = 1;
-
-  // The TLS context for this filter chain.
-  auth.DownstreamTlsContext tls_context = 2;
-
-  // A list of individual network filters that make up the filter chain for
-  // connections established with the listener. Order matters as the filters are
-  // processed sequentially as connection events happen. Note: If the filter
-  // list is empty, the connection will close by default.
-  repeated Filter filters = 3;
-
-  // Whether the listener should expect a PROXY protocol V1 header on new
-  // connections. If this option is enabled, the listener will assume that that
-  // remote address of the connection is the one specified in the header. Some
-  // load balancers including the AWS ELB support this option. If the option is
-  // absent or set to false, Envoy will use the physical peer address of the
-  // connection as the remote address.
-  google.protobuf.BoolValue use_proxy_proto = 4;
-
-  // [#not-implemented-hide:] filter chain metadata.
-  core.Metadata metadata = 5;
-
-  // See :ref:`base.TransportSocket` description.
-  core.TransportSocket transport_socket = 6;
-
-  // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
-  // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
-  // chain is to be dynamically updated or removed via FCDS a unique name must be provided.
-  string name = 7;
-}
-
-message ListenerFilter {
-  // The name of the filter to instantiate. The name must match a
-  // :ref:`supported filter `.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // Filter specific configuration which depends on the filter being instantiated.
-  // See the supported filters for further documentation.
-  oneof config_type {
-    google.protobuf.Struct config = 2;
-
-    google.protobuf.Any typed_config = 3;
-  }
-}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto
new file mode 100644
index 00000000000..d9c8cfbfcb9
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto
@@ -0,0 +1,271 @@
+syntax = "proto3";
+
+package envoy.api.v2.listener;
+
+import "envoy/api/v2/auth/cert.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/type/range.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.listener";
+option java_outer_classname = "ListenerComponentsProto";
+option java_multiple_files = true;
+option csharp_namespace = "Envoy.Api.V2.ListenerNS";
+option ruby_package = "Envoy.Api.V2.ListenerNS";
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
+
+// [#protodoc-title: Listener components]
+// Listener :ref:`configuration overview `
+
+message Filter {
+  reserved 3;
+
+  // The name of the filter to instantiate. The name must match a
+  // :ref:`supported filter `.
+  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // Filter specific configuration which depends on the filter being
+  // instantiated. See the supported filters for further documentation.
+  oneof config_type {
+    google.protobuf.Struct config = 2 [deprecated = true];
+
+    google.protobuf.Any typed_config = 4;
+  }
+}
+
+// Specifies the match criteria for selecting a specific filter chain for a
+// listener.
+//
+// In order for a filter chain to be selected, *ALL* of its criteria must be
+// fulfilled by the incoming connection, properties of which are set by the
+// networking stack and/or listener filters.
+//
+// The following order applies:
+//
+// 1. Destination port.
+// 2. Destination IP address.
+// 3. Server name (e.g. SNI for TLS protocol),
+// 4. Transport protocol.
+// 5. Application protocols (e.g. ALPN for TLS protocol).
+// 6. Source type (e.g. any, local or external network).
+// 7. Source IP address.
+// 8. Source port.
+//
+// For criteria that allow ranges or wildcards, the most specific value in any
+// of the configured filter chains that matches the incoming connection is going
+// to be used (e.g. for SNI ``www.example.com`` the most specific match would be
+// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
+// chain without ``server_names`` requirements).
+//
+// [#comment: Implemented rules are kept in the preference order, with deprecated fields
+// listed at the end, because that's how we want to list them in the docs.
+//
+// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
+// [#next-free-field: 13]
+message FilterChainMatch {
+  enum ConnectionSourceType {
+    // Any connection source matches.
+    ANY = 0;
+
+    // Match a connection originating from the same host.
+    LOCAL = 1 [(udpa.annotations.enum_value_migrate).rename = "SAME_IP_OR_LOOPBACK"];
+
+    // Match a connection originating from a different host.
+    EXTERNAL = 2;
+  }
+
+  reserved 1;
+
+  // Optional destination port to consider when use_original_dst is set on the
+  // listener in determining a filter chain match.
+  google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}];
+
+  // If non-empty, an IP address and prefix length to match addresses when the
+  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
+  repeated core.CidrRange prefix_ranges = 3;
+
+  // If non-empty, an IP address and suffix length to match addresses when the
+  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
+  // [#not-implemented-hide:]
+  string address_suffix = 4;
+
+  // [#not-implemented-hide:]
+  google.protobuf.UInt32Value suffix_len = 5;
+
+  // Specifies the connection source IP match type. Can be any, local or external network.
+  ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];
+
+  // The criteria is satisfied if the source IP address of the downstream
+  // connection is contained in at least one of the specified subnets. If the
+  // parameter is not specified or the list is empty, the source IP address is
+  // ignored.
+  repeated core.CidrRange source_prefix_ranges = 6;
+
+  // The criteria is satisfied if the source port of the downstream connection
+  // is contained in at least one of the specified ports. If the parameter is
+  // not specified, the source port is ignored.
+  repeated uint32 source_ports = 7
+      [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}];
+
+  // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
+  // a filter chain match. Those values will be compared against the server names of a new
+  // connection, when detected by one of the listener filters.
+  //
+  // The server name will be matched against all wildcard domains, i.e. ``www.example.com``
+  // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
+  //
+  // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
+  //
+  // .. attention::
+  //
+  //   See the :ref:`FAQ entry ` on how to configure SNI for more
+  //   information.
+  repeated string server_names = 11;
+
+  // If non-empty, a transport protocol to consider when determining a filter chain match.
+  // This value will be compared against the transport protocol of a new connection, when
+  // it's detected by one of the listener filters.
+  //
+  // Suggested values include:
+  //
+  // * ``raw_buffer`` - default, used when no transport protocol is detected,
+  // * ``tls`` - set by :ref:`envoy.listener.tls_inspector `
+  //   when TLS protocol is detected.
+  string transport_protocol = 9;
+
+  // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
+  // determining a filter chain match. Those values will be compared against the application
+  // protocols of a new connection, when detected by one of the listener filters.
+  //
+  // Suggested values include:
+  //
+  // * ``http/1.1`` - set by :ref:`envoy.listener.tls_inspector
+  //   `,
+  // * ``h2`` - set by :ref:`envoy.listener.tls_inspector `
+  //
+  // .. attention::
+  //
+  //   Currently, only :ref:`TLS Inspector ` provides
+  //   application protocol detection based on the requested
+  //   `ALPN `_ values.
+  //
+  //   However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
+  //   and matching on values other than ``h2`` is going to lead to a lot of false negatives,
+  //   unless all connecting clients are known to use ALPN.
+  repeated string application_protocols = 10;
+}
+
+// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
+// various other parameters.
+// [#next-free-field: 8]
+message FilterChain {
+  // The criteria to use when matching a connection to this filter chain.
+  FilterChainMatch filter_chain_match = 1;
+
+  // The TLS context for this filter chain.
+  //
+  // .. attention::
+  //
+  //   **This field is deprecated**. Use `transport_socket` with name `tls` instead. If both are
+  //   set, `transport_socket` takes priority.
+  auth.DownstreamTlsContext tls_context = 2 [deprecated = true];
+
+  // A list of individual network filters that make up the filter chain for
+  // connections established with the listener. Order matters as the filters are
+  // processed sequentially as connection events happen. Note: If the filter
+  // list is empty, the connection will close by default.
+  repeated Filter filters = 3;
+
+  // Whether the listener should expect a PROXY protocol V1 header on new
+  // connections. If this option is enabled, the listener will assume that that
+  // remote address of the connection is the one specified in the header. Some
+  // load balancers including the AWS ELB support this option. If the option is
+  // absent or set to false, Envoy will use the physical peer address of the
+  // connection as the remote address.
+  google.protobuf.BoolValue use_proxy_proto = 4;
+
+  // [#not-implemented-hide:] filter chain metadata.
+  core.Metadata metadata = 5;
+
+  // Optional custom transport socket implementation to use for downstream connections.
+  // To setup TLS, set a transport socket with name `tls` and
+  // :ref:`DownstreamTlsContext ` in the `typed_config`.
+  // If no transport socket configuration is specified, new connections
+  // will be set up with plaintext.
+  core.TransportSocket transport_socket = 6;
+
+  // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
+  // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
+  // chain is to be dynamically updated or removed via FCDS a unique name must be provided.
+  string name = 7;
+}
+
+// [#not-implemented-hide:]
+// Listener filter chain match configuration. This is a recursive structure which allows complex
+// nested match configurations to be built using various logical operators.
+// [#next-free-field: 6]
+message ListenerFilterChainMatchPredicate {
+  // A set of match configurations used for logical operations.
+  message MatchSet {
+    // The list of rules that make up the set.
+    repeated ListenerFilterChainMatchPredicate rules = 1
+        [(validate.rules).repeated = {min_items: 2}];
+  }
+
+  oneof rule {
+    option (validate.required) = true;
+
+    // A set that describes a logical OR. If any member of the set matches, the match configuration
+    // matches.
+    MatchSet or_match = 1;
+
+    // A set that describes a logical AND. If all members of the set match, the match configuration
+    // matches.
+    MatchSet and_match = 2;
+
+    // A negation match. The match configuration will match if the negated match condition matches.
+    ListenerFilterChainMatchPredicate not_match = 3;
+
+    // The match configuration will always match.
+    bool any_match = 4 [(validate.rules).bool = {const: true}];
+
+    // Match destination port. Particularly, the match evaluation must use the recovered local port if
+    // the owning listener filter is after :ref:`an original_dst listener filter `.
+    type.Int32Range destination_port_range = 5;
+  }
+}
+
+message ListenerFilter {
+  // The name of the filter to instantiate. The name must match a
+  // :ref:`supported filter `.
+  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // Filter specific configuration which depends on the filter being instantiated.
+  // See the supported filters for further documentation.
+  oneof config_type {
+    google.protobuf.Struct config = 2 [deprecated = true];
+
+    google.protobuf.Any typed_config = 3;
+  }
+
+  // [#not-implemented-hide:]
+  // Decide when to disable this listener filter on incoming traffic.
+  // Example:
+  // 0. always enable filter
+  //    don't set `filter_disabled`
+  // 1. disable when the destination port is 3306
+  //    rule.destination_port_range = Int32Range {start = 3306, end = 3307}
+  // 2. disable when the destination port is 3306 or 15000
+  //    rule.or_match = MatchSet.rules [
+  //       rule.destination_port_range = Int32Range {start = 3306, end = 3307},
+  //       rule.destination_port_range = Int32Range {start = 15000, end = 15001},
+  //    ]
+  ListenerFilterChainMatchPredicate filter_disabled = 4;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto
index 4b489b99884..31404b41d53 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto
@@ -2,16 +2,19 @@ syntax = "proto3";
 
 package envoy.api.v2.listener;
 
+import "google/protobuf/any.proto";
+import "google/protobuf/struct.proto";
+
+import "udpa/annotations/migrate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.listener";
 option java_outer_classname = "UdpListenerConfigProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.listener";
 option csharp_namespace = "Envoy.Api.V2.ListenerNS";
 option ruby_package = "Envoy.Api.V2.ListenerNS";
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
 
-import "google/protobuf/any.proto";
-import "google/protobuf/struct.proto";
-
-// [#protodoc-title: Udp Listener Config]
+// [#protodoc-title: UDP Listener Config]
 // Listener :ref:`configuration overview `
 
 message UdpListenerConfig {
@@ -23,8 +26,11 @@ message UdpListenerConfig {
   // Used to create a specific listener factory. To some factory, e.g.
   // "raw_udp_listener", config is not needed.
   oneof config_type {
-    google.protobuf.Struct config = 2;
+    google.protobuf.Struct config = 2 [deprecated = true];
 
     google.protobuf.Any typed_config = 3;
   }
 }
+
+message ActiveRawUdpListenerConfig {
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto
index 120c4bd4e32..f54308aafb5 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto
@@ -2,24 +2,24 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-option java_outer_classname = "RdsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2";
-option java_generic_services = true;
-
-import "envoy/api/v2/core/base.proto";
-import "envoy/api/v2/core/config_source.proto";
 import "envoy/api/v2/discovery.proto";
-import "envoy/api/v2/route/route.proto";
 
 import "google/api/annotations.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/resource.proto";
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
-// [#protodoc-title: HTTP route configuration]
-// * Routing :ref:`architecture overview `
-// * HTTP :ref:`router filter `
+import public "envoy/api/v2/route.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "RdsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3";
+
+// [#protodoc-title: RDS]
 
 // The resource_names field in DiscoveryRequest specifies a route configuration.
 // This allows an Envoy configuration with multiple HTTP listeners (and
@@ -27,6 +27,8 @@ import "validate/validate.proto";
 // configurations. Each listener will bind its HTTP connection manager filter to
 // a route table via this identifier.
 service RouteDiscoveryService {
+  option (envoy.annotations.resource).type = "envoy.api.v2.RouteConfiguration";
+
   rpc StreamRoutes(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
   }
 
@@ -34,98 +36,29 @@ service RouteDiscoveryService {
   }
 
   rpc FetchRoutes(DiscoveryRequest) returns (DiscoveryResponse) {
-    option (google.api.http) = {
-      post: "/v2/discovery:routes"
-      body: "*"
-    };
+    option (google.api.http).post = "/v2/discovery:routes";
+    option (google.api.http).body = "*";
   }
 }
 
 // Virtual Host Discovery Service (VHDS) is used to dynamically update the list of virtual hosts for
 // a given RouteConfiguration. If VHDS is configured a virtual host list update will be triggered
 // during the processing of an HTTP request if a route for the request cannot be resolved. The
-// :ref:`resource_names_subscribe `
+// :ref:`resource_names_subscribe `
 // field contains a list of virtual host names or aliases to track. The contents of an alias would
 // be the contents of a *host* or *authority* header used to make an http request. An xDS server
 // will match an alias to a virtual host based on the content of :ref:`domains'
-// ` field. The *resource_names_unsubscribe* field contains
-// a list of virtual host names that have been :ref:`unsubscribed `
-// from the routing table associated with the RouteConfiguration.
+// ` field. The *resource_names_unsubscribe* field
+// contains a list of virtual host names that have been :ref:`unsubscribed
+// ` from the routing table associated with the RouteConfiguration.
 service VirtualHostDiscoveryService {
+  option (envoy.annotations.resource).type = "envoy.api.v2.route.VirtualHost";
+
   rpc DeltaVirtualHosts(stream DeltaDiscoveryRequest) returns (stream DeltaDiscoveryResponse) {
   }
 }
 
-// [#comment:next free field: 10]
-message RouteConfiguration {
-  // The name of the route configuration. For example, it might match
-  // :ref:`route_config_name
-  // ` in
-  // :ref:`envoy_api_msg_config.filter.network.http_connection_manager.v2.Rds`.
-  string name = 1;
-
-  // An array of virtual hosts that make up the route table.
-  repeated route.VirtualHost virtual_hosts = 2;
-
-  // An array of virtual hosts will be dynamically loaded via the VHDS API.
-  // Both *virtual_hosts* and *vhds* fields will be used when present. *virtual_hosts* can be used
-  // for a base routing table or for infrequently changing virtual hosts. *vhds* is used for
-  // on-demand discovery of virtual hosts. The contents of these two fields will be merged to
-  // generate a routing table for a given RouteConfiguration, with *vhds* derived configuration
-  // taking precedence.
-  // [#not-implemented-hide:]
-  Vhds vhds = 9;
-
-  // Optionally specifies a list of HTTP headers that the connection manager
-  // will consider to be internal only. If they are found on external requests they will be cleaned
-  // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
-  // information.
-  repeated string internal_only_headers = 3;
-
-  // Specifies a list of HTTP headers that should be added to each response that
-  // the connection manager encodes. Headers specified at this level are applied
-  // after headers from any enclosed :ref:`envoy_api_msg_route.VirtualHost` or
-  // :ref:`envoy_api_msg_route.RouteAction`. For more information, including details on
-  // header value syntax, see the documentation on :ref:`custom request headers
-  // `.
-  repeated core.HeaderValueOption response_headers_to_add = 4
-      [(validate.rules).repeated = {max_items: 1000}];
-
-  // Specifies a list of HTTP headers that should be removed from each response
-  // that the connection manager encodes.
-  repeated string response_headers_to_remove = 5;
-
-  // Specifies a list of HTTP headers that should be added to each request
-  // routed by the HTTP connection manager. Headers specified at this level are
-  // applied after headers from any enclosed :ref:`envoy_api_msg_route.VirtualHost` or
-  // :ref:`envoy_api_msg_route.RouteAction`. For more information, including details on
-  // header value syntax, see the documentation on :ref:`custom request headers
-  // `.
-  repeated core.HeaderValueOption request_headers_to_add = 6
-      [(validate.rules).repeated = {max_items: 1000}];
-
-  // Specifies a list of HTTP headers that should be removed from each request
-  // routed by the HTTP connection manager.
-  repeated string request_headers_to_remove = 8;
-
-  // An optional boolean that specifies whether the clusters that the route
-  // table refers to will be validated by the cluster manager. If set to true
-  // and a route refers to a non-existent cluster, the route table will not
-  // load. If set to false and a route refers to a non-existent cluster, the
-  // route table will load and the router filter will return a 404 if the route
-  // is selected at runtime. This setting defaults to true if the route table
-  // is statically defined via the :ref:`route_config
-  // `
-  // option. This setting default to false if the route table is loaded dynamically via the
-  // :ref:`rds
-  // `
-  // option. Users may wish to override the default behavior in certain cases (for example when
-  // using CDS with a static route table).
-  google.protobuf.BoolValue validate_clusters = 7;
-}
-
-// [#not-implemented-hide:]
-message Vhds {
-  // Configuration source specifier for VHDS.
-  core.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
+// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file.
+message RdsDummy {
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto
new file mode 100644
index 00000000000..11ae686239d
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto
@@ -0,0 +1,105 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/config_source.proto";
+import "envoy/api/v2/route/route_components.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "RouteProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
+
+// [#protodoc-title: HTTP route configuration]
+// * Routing :ref:`architecture overview `
+// * HTTP :ref:`router filter `
+
+// [#next-free-field: 11]
+message RouteConfiguration {
+  // The name of the route configuration. For example, it might match
+  // :ref:`route_config_name
+  // ` in
+  // :ref:`envoy_api_msg_config.filter.network.http_connection_manager.v2.Rds`.
+  string name = 1;
+
+  // An array of virtual hosts that make up the route table.
+  repeated route.VirtualHost virtual_hosts = 2;
+
+  // An array of virtual hosts will be dynamically loaded via the VHDS API.
+  // Both *virtual_hosts* and *vhds* fields will be used when present. *virtual_hosts* can be used
+  // for a base routing table or for infrequently changing virtual hosts. *vhds* is used for
+  // on-demand discovery of virtual hosts. The contents of these two fields will be merged to
+  // generate a routing table for a given RouteConfiguration, with *vhds* derived configuration
+  // taking precedence.
+  Vhds vhds = 9;
+
+  // Optionally specifies a list of HTTP headers that the connection manager
+  // will consider to be internal only. If they are found on external requests they will be cleaned
+  // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
+  // information.
+  repeated string internal_only_headers = 3;
+
+  // Specifies a list of HTTP headers that should be added to each response that
+  // the connection manager encodes. Headers specified at this level are applied
+  // after headers from any enclosed :ref:`envoy_api_msg_route.VirtualHost` or
+  // :ref:`envoy_api_msg_route.RouteAction`. For more information, including details on
+  // header value syntax, see the documentation on :ref:`custom request headers
+  // `.
+  repeated core.HeaderValueOption response_headers_to_add = 4
+      [(validate.rules).repeated = {max_items: 1000}];
+
+  // Specifies a list of HTTP headers that should be removed from each response
+  // that the connection manager encodes.
+  repeated string response_headers_to_remove = 5;
+
+  // Specifies a list of HTTP headers that should be added to each request
+  // routed by the HTTP connection manager. Headers specified at this level are
+  // applied after headers from any enclosed :ref:`envoy_api_msg_route.VirtualHost` or
+  // :ref:`envoy_api_msg_route.RouteAction`. For more information, including details on
+  // header value syntax, see the documentation on :ref:`custom request headers
+  // `.
+  repeated core.HeaderValueOption request_headers_to_add = 6
+      [(validate.rules).repeated = {max_items: 1000}];
+
+  // Specifies a list of HTTP headers that should be removed from each request
+  // routed by the HTTP connection manager.
+  repeated string request_headers_to_remove = 8;
+
+  // By default, headers that should be added/removed are evaluated from most to least specific:
+  //
+  // * route level
+  // * virtual host level
+  // * connection manager level
+  //
+  // To allow setting overrides at the route or virtual host level, this order can be reversed
+  // by setting this option to true. Defaults to false.
+  //
+  // [#next-major-version: In the v3 API, this will default to true.]
+  bool most_specific_header_mutations_wins = 10;
+
+  // An optional boolean that specifies whether the clusters that the route
+  // table refers to will be validated by the cluster manager. If set to true
+  // and a route refers to a non-existent cluster, the route table will not
+  // load. If set to false and a route refers to a non-existent cluster, the
+  // route table will load and the router filter will return a 404 if the route
+  // is selected at runtime. This setting defaults to true if the route table
+  // is statically defined via the :ref:`route_config
+  // `
+  // option. This setting default to false if the route table is loaded dynamically via the
+  // :ref:`rds
+  // `
+  // option. Users may wish to override the default behavior in certain cases (for example when
+  // using CDS with a static route table).
+  google.protobuf.BoolValue validate_clusters = 7;
+}
+
+message Vhds {
+  // Configuration source specifier for VHDS.
+  core.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto
index c4fe54419b1..ec13e9e5c80 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto
@@ -2,1397 +2,8 @@ syntax = "proto3";
 
 package envoy.api.v2.route;
 
+import public "envoy/api/v2/route/route_components.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.route";
 option java_outer_classname = "RouteProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2.route";
-
-import "envoy/api/v2/core/base.proto";
-import "envoy/type/matcher/regex.proto";
-import "envoy/type/matcher/string.proto";
-import "envoy/type/percent.proto";
-import "envoy/type/range.proto";
-
-import "google/protobuf/any.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
-
-import "validate/validate.proto";
-
-// [#protodoc-title: HTTP route]
-// * Routing :ref:`architecture overview `
-// * HTTP :ref:`router filter `
-
-// The top level element in the routing configuration is a virtual host. Each virtual host has
-// a logical name as well as a set of domains that get routed to it based on the incoming request's
-// host header. This allows a single listener to service multiple top level domain path trees. Once
-// a virtual host is selected based on the domain, the routes are processed in order to see which
-// upstream cluster to route to or whether to perform a redirect.
-// [#comment:next free field: 17]
-message VirtualHost {
-  enum TlsRequirementType {
-    // No TLS requirement for the virtual host.
-    NONE = 0;
-
-    // External requests must use TLS. If a request is external and it is not
-    // using TLS, a 301 redirect will be sent telling the client to use HTTPS.
-    EXTERNAL_ONLY = 1;
-
-    // All requests must use TLS. If a request is not using TLS, a 301 redirect
-    // will be sent telling the client to use HTTPS.
-    ALL = 2;
-  }
-
-  reserved 9;
-
-  // The logical name of the virtual host. This is used when emitting certain
-  // statistics but is not relevant for routing.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // A list of domains (host/authority header) that will be matched to this
-  // virtual host. Wildcard hosts are supported in the suffix or prefix form.
-  //
-  // Domain search order:
-  //  1. Exact domain names: ``www.foo.com``.
-  //  2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``.
-  //  3. Prefix domain wildcards: ``foo.*`` or ``foo-*``.
-  //  4. Special wildcard ``*`` matching any domain.
-  //
-  // .. note::
-  //
-  //   The wildcard will not match the empty string.
-  //   e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``.
-  //   The longest wildcards match first.
-  //   Only a single virtual host in the entire route configuration can match on ``*``. A domain
-  //   must be unique across all virtual hosts or the config will fail to load.
-  repeated string domains = 2 [(validate.rules).repeated = {min_items: 1}];
-
-  // The list of routes that will be matched, in order, for incoming requests.
-  // The first route that matches will be used.
-  repeated Route routes = 3;
-
-  // Specifies the type of TLS enforcement the virtual host expects. If this option is not
-  // specified, there is no TLS requirement for the virtual host.
-  TlsRequirementType require_tls = 4;
-
-  // A list of virtual clusters defined for this virtual host. Virtual clusters
-  // are used for additional statistics gathering.
-  repeated VirtualCluster virtual_clusters = 5;
-
-  // Specifies a set of rate limit configurations that will be applied to the
-  // virtual host.
-  repeated RateLimit rate_limits = 6;
-
-  // Specifies a list of HTTP headers that should be added to each request
-  // handled by this virtual host. Headers specified at this level are applied
-  // after headers from enclosed :ref:`envoy_api_msg_route.Route` and before headers from the
-  // enclosing :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
-  // details on header value syntax, see the documentation on :ref:`custom request headers
-  // `.
-  repeated core.HeaderValueOption request_headers_to_add = 7
-      [(validate.rules).repeated = {max_items: 1000}];
-
-  // Specifies a list of HTTP headers that should be removed from each request
-  // handled by this virtual host.
-  repeated string request_headers_to_remove = 13;
-
-  // Specifies a list of HTTP headers that should be added to each response
-  // handled by this virtual host. Headers specified at this level are applied
-  // after headers from enclosed :ref:`envoy_api_msg_route.Route` and before headers from the
-  // enclosing :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
-  // details on header value syntax, see the documentation on :ref:`custom request headers
-  // `.
-  repeated core.HeaderValueOption response_headers_to_add = 10
-      [(validate.rules).repeated = {max_items: 1000}];
-
-  // Specifies a list of HTTP headers that should be removed from each response
-  // handled by this virtual host.
-  repeated string response_headers_to_remove = 11;
-
-  // Indicates that the virtual host has a CORS policy.
-  CorsPolicy cors = 8;
-
-  // The per_filter_config field can be used to provide virtual host-specific
-  // configurations for filters. The key should match the filter name, such as
-  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
-  // specific; see the :ref:`HTTP filter documentation `
-  // for if and how it is utilized.
-  map per_filter_config = 12;
-
-  // The per_filter_config field can be used to provide virtual host-specific
-  // configurations for filters. The key should match the filter name, such as
-  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
-  // specific; see the :ref:`HTTP filter documentation `
-  // for if and how it is utilized.
-  map typed_per_filter_config = 15;
-
-  // Decides whether the :ref:`x-envoy-attempt-count
-  // ` header should be included
-  // in the upstream request. Setting this option will cause it to override any existing header
-  // value, so in the case of two Envoys on the request path with this option enabled, the upstream
-  // will see the attempt count as perceived by the second Envoy. Defaults to false.
-  // This header is unaffected by the
-  // :ref:`suppress_envoy_headers
-  // ` flag.
-  bool include_request_attempt_count = 14;
-
-  // Indicates the retry policy for all routes in this virtual host. Note that setting a
-  // route level entry will take precedence over this config and it'll be treated
-  // independently (e.g.: values are not inherited).
-  RetryPolicy retry_policy = 16;
-
-  // Indicates the hedge policy for all routes in this virtual host. Note that setting a
-  // route level entry will take precedence over this config and it'll be treated
-  // independently (e.g.: values are not inherited).
-  HedgePolicy hedge_policy = 17;
-}
-
-// A route is both a specification of how to match a request as well as an indication of what to do
-// next (e.g., redirect, forward, rewrite, etc.).
-//
-// .. attention::
-//
-//   Envoy supports routing on HTTP method via :ref:`header matching
-//   `.
-// [#comment:next free field: 15]
-message Route {
-  reserved 6;
-
-  // Name for the route.
-  string name = 14;
-
-  // Route matching parameters.
-  RouteMatch match = 1 [(validate.rules).message = {required: true}];
-
-  oneof action {
-    option (validate.required) = true;
-
-    // Route request to some upstream cluster.
-    RouteAction route = 2;
-
-    // Return a redirect.
-    RedirectAction redirect = 3;
-
-    // Return an arbitrary HTTP response directly, without proxying.
-    DirectResponseAction direct_response = 7;
-  }
-
-  // The Metadata field can be used to provide additional information
-  // about the route. It can be used for configuration, stats, and logging.
-  // The metadata should go under the filter namespace that will need it.
-  // For instance, if the metadata is intended for the Router filter,
-  // the filter name should be specified as *envoy.router*.
-  core.Metadata metadata = 4;
-
-  // Decorator for the matched route.
-  Decorator decorator = 5;
-
-  // The per_filter_config field can be used to provide route-specific
-  // configurations for filters. The key should match the filter name, such as
-  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
-  // specific; see the :ref:`HTTP filter documentation ` for
-  // if and how it is utilized.
-  map per_filter_config = 8;
-
-  // The per_filter_config field can be used to provide route-specific
-  // configurations for filters. The key should match the filter name, such as
-  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
-  // specific; see the :ref:`HTTP filter documentation ` for
-  // if and how it is utilized.
-  map typed_per_filter_config = 13;
-
-  // Specifies a set of headers that will be added to requests matching this
-  // route. Headers specified at this level are applied before headers from the
-  // enclosing :ref:`envoy_api_msg_route.VirtualHost` and
-  // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
-  // header value syntax, see the documentation on :ref:`custom request headers
-  // `.
-  repeated core.HeaderValueOption request_headers_to_add = 9
-      [(validate.rules).repeated = {max_items: 1000}];
-
-  // Specifies a list of HTTP headers that should be removed from each request
-  // matching this route.
-  repeated string request_headers_to_remove = 12;
-
-  // Specifies a set of headers that will be added to responses to requests
-  // matching this route. Headers specified at this level are applied before
-  // headers from the enclosing :ref:`envoy_api_msg_route.VirtualHost` and
-  // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
-  // details on header value syntax, see the documentation on
-  // :ref:`custom request headers `.
-  repeated core.HeaderValueOption response_headers_to_add = 10
-      [(validate.rules).repeated = {max_items: 1000}];
-
-  // Specifies a list of HTTP headers that should be removed from each response
-  // to requests matching this route.
-  repeated string response_headers_to_remove = 11;
-
-  // Presence of the object defines whether the connection manager's tracing configuration
-  // is overridden by this route specific instance.
-  Tracing tracing = 15;
-}
-
-// Compared to the :ref:`cluster ` field that specifies a
-// single upstream cluster as the target of a request, the :ref:`weighted_clusters
-// ` option allows for specification of
-// multiple upstream clusters along with weights that indicate the percentage of
-// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the
-// weights.
-// [#comment:next free field: 11]
-message WeightedCluster {
-  message ClusterWeight {
-    reserved 7;
-
-    // Name of the upstream cluster. The cluster must exist in the
-    // :ref:`cluster manager configuration `.
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-    // An integer between 0 and :ref:`total_weight
-    // `. When a request matches the route,
-    // the choice of an upstream cluster is determined by its weight. The sum of weights across all
-    // entries in the clusters array must add up to the total_weight, which defaults to 100.
-    google.protobuf.UInt32Value weight = 2;
-
-    // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in
-    // the upstream cluster with metadata matching what is set in this field will be considered for
-    // load balancing. Note that this will be merged with what's provided in :ref:
-    // `RouteAction.MetadataMatch `, with values
-    // here taking precedence. The filter name should be specified as *envoy.lb*.
-    core.Metadata metadata_match = 3;
-
-    // Specifies a list of headers to be added to requests when this cluster is selected
-    // through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
-    // Headers specified at this level are applied before headers from the enclosing
-    // :ref:`envoy_api_msg_route.Route`, :ref:`envoy_api_msg_route.VirtualHost`, and
-    // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
-    // header value syntax, see the documentation on :ref:`custom request headers
-    // `.
-    repeated core.HeaderValueOption request_headers_to_add = 4
-        [(validate.rules).repeated = {max_items: 1000}];
-
-    // Specifies a list of HTTP headers that should be removed from each request when
-    // this cluster is selected through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
-    repeated string request_headers_to_remove = 9;
-
-    // Specifies a list of headers to be added to responses when this cluster is selected
-    // through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
-    // Headers specified at this level are applied before headers from the enclosing
-    // :ref:`envoy_api_msg_route.Route`, :ref:`envoy_api_msg_route.VirtualHost`, and
-    // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
-    // header value syntax, see the documentation on :ref:`custom request headers
-    // `.
-    repeated core.HeaderValueOption response_headers_to_add = 5
-        [(validate.rules).repeated = {max_items: 1000}];
-
-    // Specifies a list of headers to be removed from responses when this cluster is selected
-    // through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
-    repeated string response_headers_to_remove = 6;
-
-    // The per_filter_config field can be used to provide weighted cluster-specific
-    // configurations for filters. The key should match the filter name, such as
-    // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
-    // specific; see the :ref:`HTTP filter documentation `
-    // for if and how it is utilized.
-    map per_filter_config = 8;
-
-    // The per_filter_config field can be used to provide weighted cluster-specific
-    // configurations for filters. The key should match the filter name, such as
-    // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
-    // specific; see the :ref:`HTTP filter documentation `
-    // for if and how it is utilized.
-    map typed_per_filter_config = 10;
-  }
-
-  // Specifies one or more upstream clusters associated with the route.
-  repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}];
-
-  // Specifies the total weight across all clusters. The sum of all cluster weights must equal this
-  // value, which must be greater than 0. Defaults to 100.
-  google.protobuf.UInt32Value total_weight = 3 [(validate.rules).uint32 = {gte: 1}];
-
-  // Specifies the runtime key prefix that should be used to construct the
-  // runtime keys associated with each cluster. When the *runtime_key_prefix* is
-  // specified, the router will look for weights associated with each upstream
-  // cluster under the key *runtime_key_prefix* + "." + *cluster[i].name* where
-  // *cluster[i]* denotes an entry in the clusters array field. If the runtime
-  // key for the cluster does not exist, the value specified in the
-  // configuration file will be used as the default weight. See the :ref:`runtime documentation
-  // ` for how key names map to the underlying implementation.
-  string runtime_key_prefix = 2;
-}
-
-message RouteMatch {
-  message GrpcRouteMatchOptions {
-  }
-
-  reserved 5;
-
-  oneof path_specifier {
-    option (validate.required) = true;
-
-    // If specified, the route is a prefix rule meaning that the prefix must
-    // match the beginning of the *:path* header.
-    string prefix = 1;
-
-    // If specified, the route is an exact path rule meaning that the path must
-    // exactly match the *:path* header once the query string is removed.
-    string path = 2;
-
-    // If specified, the route is a regular expression rule meaning that the
-    // regex must match the *:path* header once the query string is removed. The entire path
-    // (without the query string) must match the regex. The rule will not match if only a
-    // subsequence of the *:path* header matches the regex. The regex grammar is defined `here
-    // `_.
-    //
-    // Examples:
-    //
-    // * The regex ``/b[io]t`` matches the path */bit*
-    // * The regex ``/b[io]t`` matches the path */bot*
-    // * The regex ``/b[io]t`` does not match the path */bite*
-    // * The regex ``/b[io]t`` does not match the path */bit/bot*
-    //
-    // .. attention::
-    //   This field has been deprecated in favor of `safe_regex` as it is not safe for use with
-    //   untrusted input in all cases.
-    string regex = 3 [(validate.rules).string = {max_bytes: 1024}, deprecated = true];
-
-    // If specified, the route is a regular expression rule meaning that the
-    // regex must match the *:path* header once the query string is removed. The entire path
-    // (without the query string) must match the regex. The rule will not match if only a
-    // subsequence of the *:path* header matches the regex.
-    //
-    // [#next-major-version: In the v3 API we should redo how path specification works such
-    // that we utilize StringMatcher, and additionally have consistent options around whether we
-    // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive
-    // to deprecate the existing options. We should even consider whether we want to do away with
-    // path_specifier entirely and just rely on a set of header matchers which can already match
-    // on :path, etc. The issue with that is it is unclear how to generically deal with query string
-    // stripping. This needs more thought.]
-    type.matcher.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}];
-  }
-
-  // Indicates that prefix/path matching should be case insensitive. The default
-  // is true.
-  google.protobuf.BoolValue case_sensitive = 4;
-
-  // Indicates that the route should additionally match on a runtime key. Every time the route
-  // is considered for a match, it must also fall under the percentage of matches indicated by
-  // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the
-  // number is <= the value of the numerator N, or if the key is not present, the default
-  // value, the router continues to evaluate the remaining match criteria. A runtime_fraction
-  // route configuration can be used to roll out route changes in a gradual manner without full
-  // code/config deploys. Refer to the :ref:`traffic shifting
-  // ` docs for additional documentation.
-  //
-  // .. note::
-  //
-  //    Parsing this field is implemented such that the runtime key's data may be represented
-  //    as a FractionalPercent proto represented as JSON/YAML and may also be represented as an
-  //    integer with the assumption that the value is an integral percentage out of 100. For
-  //    instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent
-  //    whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics.
-  core.RuntimeFractionalPercent runtime_fraction = 9;
-
-  // Specifies a set of headers that the route should match on. The router will
-  // check the request’s headers against all the specified headers in the route
-  // config. A match will happen if all the headers in the route are present in
-  // the request with the same values (or based on presence if the value field
-  // is not in the config).
-  repeated HeaderMatcher headers = 6;
-
-  // Specifies a set of URL query parameters on which the route should
-  // match. The router will check the query string from the *path* header
-  // against all the specified query parameters. If the number of specified
-  // query parameters is nonzero, they all must match the *path* header's
-  // query string for a match to occur.
-  repeated QueryParameterMatcher query_parameters = 7;
-
-  // If specified, only gRPC requests will be matched. The router will check
-  // that the content-type header has a application/grpc or one of the various
-  // application/grpc+ values.
-  GrpcRouteMatchOptions grpc = 8;
-}
-
-// [#comment:next free field: 11]
-message CorsPolicy {
-  // Specifies the origins that will be allowed to do CORS requests.
-  //
-  // An origin is allowed if either allow_origin or allow_origin_regex match.
-  //
-  // .. attention::
-  //  This field has been deprecated in favor of `allow_origin_string_match`.
-  repeated string allow_origin = 1 [deprecated = true];
-
-  // Specifies regex patterns that match allowed origins.
-  //
-  // An origin is allowed if either allow_origin or allow_origin_regex match.
-  //
-  // .. attention::
-  //   This field has been deprecated in favor of `allow_origin_string_match` as it is not safe for
-  //   use with untrusted input in all cases.
-  repeated string allow_origin_regex = 8
-      [(validate.rules).repeated = {items {string {max_bytes: 1024}}}, deprecated = true];
-
-  // Specifies string patterns that match allowed origins. An origin is allowed if any of the
-  // string matchers match.
-  repeated type.matcher.StringMatcher allow_origin_string_match = 11;
-
-  // Specifies the content for the *access-control-allow-methods* header.
-  string allow_methods = 2;
-
-  // Specifies the content for the *access-control-allow-headers* header.
-  string allow_headers = 3;
-
-  // Specifies the content for the *access-control-expose-headers* header.
-  string expose_headers = 4;
-
-  // Specifies the content for the *access-control-max-age* header.
-  string max_age = 5;
-
-  // Specifies whether the resource allows credentials.
-  google.protobuf.BoolValue allow_credentials = 6;
-
-  oneof enabled_specifier {
-    // Specifies if CORS is enabled. Defaults to true. Only effective on route.
-    //
-    // .. attention::
-    //
-    //   **This field is deprecated**. Set the
-    //   :ref:`filter_enabled` field instead.
-    google.protobuf.BoolValue enabled = 7 [deprecated = true];
-
-    // Specifies if CORS is enabled.
-    //
-    // More information on how this can be controlled via runtime can be found
-    // :ref:`here `.
-    //
-    // .. note::
-    //
-    //   This field defaults to 100/:ref:`HUNDRED
-    //   `.
-    core.RuntimeFractionalPercent filter_enabled = 9;
-  }
-
-  // Specifies if CORS policies are evaluated and tracked when filter is off but
-  // does not enforce any policies.
-  //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here `.
-  //
-  // .. note::
-  //
-  //   This field defaults to 100/:ref:`HUNDRED
-  //   `.
-  core.RuntimeFractionalPercent shadow_enabled = 10;
-}
-
-// [#comment:next free field: 30]
-message RouteAction {
-  enum ClusterNotFoundResponseCode {
-    // HTTP status code - 503 Service Unavailable.
-    SERVICE_UNAVAILABLE = 0;
-
-    // HTTP status code - 404 Not Found.
-    NOT_FOUND = 1;
-  }
-
-  // Configures :ref:`internal redirect ` behavior.
-  enum InternalRedirectAction {
-    PASS_THROUGH_INTERNAL_REDIRECT = 0;
-    HANDLE_INTERNAL_REDIRECT = 1;
-  }
-
-  // The router is capable of shadowing traffic from one cluster to another. The current
-  // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to
-  // respond before returning the response from the primary cluster. All normal statistics are
-  // collected for the shadow cluster making this feature useful for testing.
-  //
-  // During shadowing, the host/authority header is altered such that *-shadow* is appended. This is
-  // useful for logging. For example, *cluster1* becomes *cluster1-shadow*.
-  message RequestMirrorPolicy {
-    // Specifies the cluster that requests will be mirrored to. The cluster must
-    // exist in the cluster manager configuration.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
-
-    // If not specified, all requests to the target cluster will be mirrored. If
-    // specified, Envoy will lookup the runtime key to get the % of requests to
-    // mirror. Valid values are from 0 to 10000, allowing for increments of
-    // 0.01% of requests to be mirrored. If the runtime key is specified in the
-    // configuration but not present in runtime, 0 is the default and thus 0% of
-    // requests will be mirrored.
-    //
-    // .. attention::
-    //
-    //   **This field is deprecated**. Set the
-    //   :ref:`runtime_fraction
-    //   ` field instead.
-    string runtime_key = 2 [deprecated = true];
-
-    // If both :ref:`runtime_key
-    // ` and this field are not
-    // specified, all requests to the target cluster will be mirrored.
-    //
-    // If specified, this field takes precedence over the `runtime_key` field and requests must also
-    // fall under the percentage of matches indicated by this field.
-    //
-    // For some fraction N/D, a random number in the range [0,D) is selected. If the
-    // number is <= the value of the numerator N, or if the key is not present, the default
-    // value, the request will be mirrored.
-    //
-    // .. note::
-    //
-    //   Parsing this field is implemented such that the runtime key's data may be represented
-    //   as a :ref:`FractionalPercent ` proto represented
-    //   as JSON/YAML and may also be represented as an integer with the assumption that the value
-    //   is an integral percentage out of 100. For instance, a runtime key lookup returning the
-    //   value "42" would parse as a `FractionalPercent` whose numerator is 42 and denominator is
-    //   HUNDRED. This is behaviour is different to that of the deprecated `runtime_key` field,
-    //   where the implicit denominator is 10000.
-    core.RuntimeFractionalPercent runtime_fraction = 3;
-  }
-
-  // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer
-  // `.
-  message HashPolicy {
-    message Header {
-      // The name of the request header that will be used to obtain the hash
-      // key. If the request header is not present, no hash will be produced.
-      string header_name = 1 [(validate.rules).string = {min_bytes: 1}];
-    }
-
-    // Envoy supports two types of cookie affinity:
-    //
-    // 1. Passive. Envoy takes a cookie that's present in the cookies header and
-    //    hashes on its value.
-    //
-    // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL)
-    //    on the first request from the client in its response to the client,
-    //    based on the endpoint the request gets sent to. The client then
-    //    presents this on the next and all subsequent requests. The hash of
-    //    this is sufficient to ensure these requests get sent to the same
-    //    endpoint. The cookie is generated by hashing the source and
-    //    destination ports and addresses so that multiple independent HTTP2
-    //    streams on the same connection will independently receive the same
-    //    cookie, even if they arrive at the Envoy simultaneously.
-    message Cookie {
-      // The name of the cookie that will be used to obtain the hash key. If the
-      // cookie is not present and ttl below is not set, no hash will be
-      // produced.
-      string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-      // If specified, a cookie with the TTL will be generated if the cookie is
-      // not present. If the TTL is present and zero, the generated cookie will
-      // be a session cookie.
-      google.protobuf.Duration ttl = 2;
-
-      // The name of the path for the cookie. If no path is specified here, no path
-      // will be set for the cookie.
-      string path = 3;
-    }
-
-    message ConnectionProperties {
-      // Hash on source IP address.
-      bool source_ip = 1;
-    }
-
-    oneof policy_specifier {
-      option (validate.required) = true;
-
-      // Header hash policy.
-      Header header = 1;
-
-      // Cookie hash policy.
-      Cookie cookie = 2;
-
-      // Connection properties hash policy.
-      ConnectionProperties connection_properties = 3;
-    }
-
-    // The flag that shortcircuits the hash computing. This field provides a
-    // 'fallback' style of configuration: "if a terminal policy doesn't work,
-    // fallback to rest of the policy list", it saves time when the terminal
-    // policy works.
-    //
-    // If true, and there is already a hash computed, ignore rest of the
-    // list of hash polices.
-    // For example, if the following hash methods are configured:
-    //
-    //  ========= ========
-    //  specifier terminal
-    //  ========= ========
-    //  Header A  true
-    //  Header B  false
-    //  Header C  false
-    //  ========= ========
-    //
-    // The generateHash process ends if policy "header A" generates a hash, as
-    // it's a terminal policy.
-    bool terminal = 4;
-  }
-
-  // Allows enabling and disabling upgrades on a per-route basis.
-  // This overrides any enabled/disabled upgrade filter chain specified in the
-  // HttpConnectionManager
-  // :ref:upgrade_configs`
-  // `
-  // but does not affect any custom filter chain specified there.
-  message UpgradeConfig {
-    // The case-insensitive name of this upgrade, e.g. "websocket".
-    // For each upgrade type present in upgrade_configs, requests with
-    // Upgrade: [upgrade_type] will be proxied upstream.
-    string upgrade_type = 1;
-
-    // Determines if upgrades are available on this route. Defaults to true.
-    google.protobuf.BoolValue enabled = 2;
-  }
-
-  reserved 12, 18, 19, 16, 22, 21;
-
-  oneof cluster_specifier {
-    option (validate.required) = true;
-
-    // Indicates the upstream cluster to which the request should be routed
-    // to.
-    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
-
-    // Envoy will determine the cluster to route to by reading the value of the
-    // HTTP header named by cluster_header from the request headers. If the
-    // header is not found or the referenced cluster does not exist, Envoy will
-    // return a 404 response.
-    //
-    // .. attention::
-    //
-    //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
-    //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
-    string cluster_header = 2 [(validate.rules).string = {min_bytes: 1}];
-
-    // Multiple upstream clusters can be specified for a given route. The
-    // request is routed to one of the upstream clusters based on weights
-    // assigned to each cluster. See
-    // :ref:`traffic splitting `
-    // for additional documentation.
-    WeightedCluster weighted_clusters = 3;
-  }
-
-  // The HTTP status code to use when configured cluster is not found.
-  // The default response code is 503 Service Unavailable.
-  ClusterNotFoundResponseCode cluster_not_found_response_code = 20
-      [(validate.rules).enum = {defined_only: true}];
-
-  // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints
-  // in the upstream cluster with metadata matching what's set in this field will be considered
-  // for load balancing. If using :ref:`weighted_clusters
-  // `, metadata will be merged, with values
-  // provided there taking precedence. The filter name should be specified as *envoy.lb*.
-  core.Metadata metadata_match = 4;
-
-  // Indicates that during forwarding, the matched prefix (or path) should be
-  // swapped with this value. This option allows application URLs to be rooted
-  // at a different path from those exposed at the reverse proxy layer. The router filter will
-  // place the original path before rewrite into the :ref:`x-envoy-original-path
-  // ` header.
-  //
-  // .. attention::
-  //
-  //   Pay careful attention to the use of trailing slashes in the
-  //   :ref:`route's match ` prefix value.
-  //   Stripping a prefix from a path requires multiple Routes to handle all cases. For example,
-  //   rewriting */prefix* to */* and */prefix/etc* to */etc* cannot be done in a single
-  //   :ref:`Route `, as shown by the below config entries:
-  //
-  //   .. code-block:: yaml
-  //
-  //     - match:
-  //         prefix: "/prefix/"
-  //       route:
-  //         prefix_rewrite: "/"
-  //     - match:
-  //         prefix: "/prefix"
-  //       route:
-  //         prefix_rewrite: "/"
-  //
-  //   Having above entries in the config, requests to */prefix* will be stripped to */*, while
-  //   requests to */prefix/etc* will be stripped to */etc*.
-  string prefix_rewrite = 5;
-
-  oneof host_rewrite_specifier {
-    // Indicates that during forwarding, the host header will be swapped with
-    // this value.
-    string host_rewrite = 6;
-
-    // Indicates that during forwarding, the host header will be swapped with
-    // the hostname of the upstream host chosen by the cluster manager. This
-    // option is applicable only when the destination cluster for a route is of
-    // type *strict_dns* or *logical_dns*. Setting this to true with other cluster
-    // types has no effect.
-    google.protobuf.BoolValue auto_host_rewrite = 7;
-
-    // Indicates that during forwarding, the host header will be swapped with the content of given
-    // downstream or :ref:`custom ` header.
-    // If header value is empty, host header is left intact.
-    //
-    // .. attention::
-    //
-    //   Pay attention to the potential security implications of using this option. Provided header
-    //   must come from trusted source.
-    string auto_host_rewrite_header = 29;
-  }
-
-  // Specifies the upstream timeout for the route. If not specified, the default is 15s. This
-  // spans between the point at which the entire downstream request (i.e. end-of-stream) has been
-  // processed and when the upstream response has been completely processed. A value of 0 will
-  // disable the route's timeout.
-  //
-  // .. note::
-  //
-  //   This timeout includes all retries. See also
-  //   :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`,
-  //   :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the
-  //   :ref:`retry overview `.
-  google.protobuf.Duration timeout = 8;
-
-  // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout,
-  // although the connection manager wide :ref:`stream_idle_timeout
-  // `
-  // will still apply. A value of 0 will completely disable the route's idle timeout, even if a
-  // connection manager stream idle timeout is configured.
-  //
-  // The idle timeout is distinct to :ref:`timeout
-  // `, which provides an upper bound
-  // on the upstream response time; :ref:`idle_timeout
-  // ` instead bounds the amount
-  // of time the request's stream may be idle.
-  //
-  // After header decoding, the idle timeout will apply on downstream and
-  // upstream request events. Each time an encode/decode event for headers or
-  // data is processed for the stream, the timer will be reset. If the timeout
-  // fires, the stream is terminated with a 408 Request Timeout error code if no
-  // upstream response header has been received, otherwise a stream reset
-  // occurs.
-  google.protobuf.Duration idle_timeout = 24;
-
-  // Indicates that the route has a retry policy. Note that if this is set,
-  // it'll take precedence over the virtual host level retry policy entirely
-  // (e.g.: policies are not merged, most internal one becomes the enforced policy).
-  RetryPolicy retry_policy = 9;
-
-  // Indicates that the route has a request mirroring policy.
-  RequestMirrorPolicy request_mirror_policy = 10;
-
-  // Optionally specifies the :ref:`routing priority `.
-  // [#comment:TODO(htuch): add (validate.rules).enum.defined_only = true once
-  // https://github.com/lyft/protoc-gen-validate/issues/42 is resolved.]
-  core.RoutingPriority priority = 11;
-
-  // Specifies a set of rate limit configurations that could be applied to the
-  // route.
-  repeated RateLimit rate_limits = 13;
-
-  // Specifies if the rate limit filter should include the virtual host rate
-  // limits. By default, if the route configured rate limits, the virtual host
-  // :ref:`rate_limits ` are not applied to the
-  // request.
-  google.protobuf.BoolValue include_vh_rate_limits = 14;
-
-  // Specifies a list of hash policies to use for ring hash load balancing. Each
-  // hash policy is evaluated individually and the combined result is used to
-  // route the request. The method of combination is deterministic such that
-  // identical lists of hash policies will produce the same hash. Since a hash
-  // policy examines specific parts of a request, it can fail to produce a hash
-  // (i.e. if the hashed header is not present). If (and only if) all configured
-  // hash policies fail to generate a hash, no hash will be produced for
-  // the route. In this case, the behavior is the same as if no hash policies
-  // were specified (i.e. the ring hash load balancer will choose a random
-  // backend). If a hash policy has the "terminal" attribute set to true, and
-  // there is already a hash generated, the hash is returned immediately,
-  // ignoring the rest of the hash policy list.
-  repeated HashPolicy hash_policy = 15;
-
-  // Indicates that the route has a CORS policy.
-  CorsPolicy cors = 17;
-
-  // If present, and the request is a gRPC request, use the
-  // `grpc-timeout header `_,
-  // or its default value (infinity) instead of
-  // :ref:`timeout `, but limit the applied timeout
-  // to the maximum value specified here. If configured as 0, the maximum allowed timeout for
-  // gRPC requests is infinity. If not configured at all, the `grpc-timeout` header is not used
-  // and gRPC requests time out like any other requests using
-  // :ref:`timeout ` or its default.
-  // This can be used to prevent unexpected upstream request timeouts due to potentially long
-  // time gaps between gRPC request and response in gRPC streaming mode.
-  google.protobuf.Duration max_grpc_timeout = 23;
-
-  // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting
-  // the provided duration from the header. This is useful in allowing Envoy to set its global
-  // timeout to be less than that of the deadline imposed by the calling client, which makes it more
-  // likely that Envoy will handle the timeout instead of having the call canceled by the client.
-  // The offset will only be applied if the provided grpc_timeout is greater than the offset. This
-  // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning
-  // infinity).
-  google.protobuf.Duration grpc_timeout_offset = 28;
-
-  repeated UpgradeConfig upgrade_configs = 25;
-
-  InternalRedirectAction internal_redirect_action = 26;
-
-  // Indicates that the route has a hedge policy. Note that if this is set,
-  // it'll take precedence over the virtual host level hedge policy entirely
-  // (e.g.: policies are not merged, most internal one becomes the enforced policy).
-  HedgePolicy hedge_policy = 27;
-}
-
-// HTTP retry :ref:`architecture overview `.
-// [#comment:next free field: 10]
-message RetryPolicy {
-  message RetryPriority {
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-    oneof config_type {
-      google.protobuf.Struct config = 2;
-
-      google.protobuf.Any typed_config = 3;
-    }
-  }
-
-  message RetryHostPredicate {
-    string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-    oneof config_type {
-      google.protobuf.Struct config = 2;
-
-      google.protobuf.Any typed_config = 3;
-    }
-  }
-
-  message RetryBackOff {
-    // Specifies the base interval between retries. This parameter is required and must be greater
-    // than zero. Values less than 1 ms are rounded up to 1 ms.
-    // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's
-    // back-off algorithm.
-    google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
-      required: true
-      gt {}
-    }];
-
-    // Specifies the maximum interval between retries. This parameter is optional, but must be
-    // greater than or equal to the `base_interval` if set. The default is 10 times the
-    // `base_interval`. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion
-    // of Envoy's back-off algorithm.
-    google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
-  }
-
-  // Specifies the conditions under which retry takes place. These are the same
-  // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and
-  // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`.
-  string retry_on = 1;
-
-  // Specifies the allowed number of retries. This parameter is optional and
-  // defaults to 1. These are the same conditions documented for
-  // :ref:`config_http_filters_router_x-envoy-max-retries`.
-  google.protobuf.UInt32Value num_retries = 2;
-
-  // Specifies a non-zero upstream timeout per retry attempt. This parameter is optional. The
-  // same conditions documented for
-  // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply.
-  //
-  // .. note::
-  //
-  //   If left unspecified, Envoy will use the global
-  //   :ref:`route timeout ` for the request.
-  //   Consequently, when using a :ref:`5xx ` based
-  //   retry policy, a request that times out will not be retried as the total timeout budget
-  //   would have been exhausted.
-  google.protobuf.Duration per_try_timeout = 3;
-
-  // Specifies an implementation of a RetryPriority which is used to determine the
-  // distribution of load across priorities used for retries. Refer to
-  // :ref:`retry plugin configuration ` for more details.
-  RetryPriority retry_priority = 4;
-
-  // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host
-  // for retries. If any of the predicates reject the host, host selection will be reattempted.
-  // Refer to :ref:`retry plugin configuration ` for more
-  // details.
-  repeated RetryHostPredicate retry_host_predicate = 5;
-
-  // The maximum number of times host selection will be reattempted before giving up, at which
-  // point the host that was last selected will be routed to. If unspecified, this will default to
-  // retrying once.
-  int64 host_selection_retry_max_attempts = 6;
-
-  // HTTP status codes that should trigger a retry in addition to those specified by retry_on.
-  repeated uint32 retriable_status_codes = 7;
-
-  // Specifies parameters that control retry back off. This parameter is optional, in which case the
-  // default base interval is 25 milliseconds or, if set, the current value of the
-  // `upstream.base_retry_backoff_ms` runtime parameter. The default maximum interval is 10 times
-  // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries`
-  // describes Envoy's back-off algorithm.
-  RetryBackOff retry_back_off = 8;
-
-  // HTTP response headers that trigger a retry if present in the response. A retry will be
-  // triggered if any of the header matches match the upstream response headers.
-  // The field is only consulted if 'retriable-headers' retry policy is active.
-  repeated HeaderMatcher retriable_headers = 9;
-
-  // HTTP headers which must be present in the request for retries to be attempted.
-  repeated HeaderMatcher retriable_request_headers = 10;
-}
-
-// HTTP request hedging :ref:`architecture overview `.
-message HedgePolicy {
-  // Specifies the number of initial requests that should be sent upstream.
-  // Must be at least 1.
-  // Defaults to 1.
-  // [#not-implemented-hide:]
-  google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}];
-
-  // Specifies a probability that an additional upstream request should be sent
-  // on top of what is specified by initial_requests.
-  // Defaults to 0.
-  // [#not-implemented-hide:]
-  type.FractionalPercent additional_request_chance = 2;
-
-  // Indicates that a hedged request should be sent when the per-try timeout
-  // is hit. This will only occur if the retry policy also indicates that a
-  // timed out request should be retried.
-  // Once a timed out request is retried due to per try timeout, the router
-  // filter will ensure that it is not retried again even if the returned
-  // response headers would otherwise be retried according the specified
-  // :ref:`RetryPolicy `.
-  // Defaults to false.
-  bool hedge_on_per_try_timeout = 3;
-}
-
-message RedirectAction {
-  enum RedirectResponseCode {
-    // Moved Permanently HTTP Status Code - 301.
-    MOVED_PERMANENTLY = 0;
-
-    // Found HTTP Status Code - 302.
-    FOUND = 1;
-
-    // See Other HTTP Status Code - 303.
-    SEE_OTHER = 2;
-
-    // Temporary Redirect HTTP Status Code - 307.
-    TEMPORARY_REDIRECT = 3;
-
-    // Permanent Redirect HTTP Status Code - 308.
-    PERMANENT_REDIRECT = 4;
-  }
-
-  // When the scheme redirection take place, the following rules apply:
-  //  1. If the source URI scheme is `http` and the port is explicitly
-  //     set to `:80`, the port will be removed after the redirection
-  //  2. If the source URI scheme is `https` and the port is explicitly
-  //     set to `:443`, the port will be removed after the redirection
-  oneof scheme_rewrite_specifier {
-    // The scheme portion of the URL will be swapped with "https".
-    bool https_redirect = 4;
-
-    // The scheme portion of the URL will be swapped with this value.
-    string scheme_redirect = 7;
-  }
-
-  // The host portion of the URL will be swapped with this value.
-  string host_redirect = 1;
-
-  // The port value of the URL will be swapped with this value.
-  uint32 port_redirect = 8;
-
-  oneof path_rewrite_specifier {
-    // The path portion of the URL will be swapped with this value.
-    string path_redirect = 2;
-
-    // Indicates that during redirection, the matched prefix (or path)
-    // should be swapped with this value. This option allows redirect URLs be dynamically created
-    // based on the request.
-    //
-    // .. attention::
-    //
-    //   Pay attention to the use of trailing slashes as mentioned in
-    //   :ref:`RouteAction's prefix_rewrite `.
-    string prefix_rewrite = 5;
-  }
-
-  // The HTTP status code to use in the redirect response. The default response
-  // code is MOVED_PERMANENTLY (301).
-  RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}];
-
-  // Indicates that during redirection, the query portion of the URL will
-  // be removed. Default value is false.
-  bool strip_query = 6;
-}
-
-message DirectResponseAction {
-  // Specifies the HTTP response status to be returned.
-  uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 100}];
-
-  // Specifies the content of the response body. If this setting is omitted,
-  // no body is included in the generated response.
-  //
-  // .. note::
-  //
-  //   Headers can be specified using *response_headers_to_add* in the enclosing
-  //   :ref:`envoy_api_msg_route.Route`, :ref:`envoy_api_msg_RouteConfiguration` or
-  //   :ref:`envoy_api_msg_route.VirtualHost`.
-  core.DataSource body = 2;
-}
-
-message Decorator {
-  // The operation name associated with the request matched to this route. If tracing is
-  // enabled, this information will be used as the span name reported for this request.
-  //
-  // .. note::
-  //
-  //   For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden
-  //   by the :ref:`x-envoy-decorator-operation
-  //   ` header.
-  string operation = 1 [(validate.rules).string = {min_bytes: 1}];
-}
-
-message Tracing {
-  // Target percentage of requests managed by this HTTP connection manager that will be force
-  // traced if the :ref:`x-client-trace-id `
-  // header is set. This field is a direct analog for the runtime variable
-  // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager
-  // `.
-  // Default: 100%
-  type.FractionalPercent client_sampling = 1;
-
-  // Target percentage of requests managed by this HTTP connection manager that will be randomly
-  // selected for trace generation, if not requested by the client or not forced. This field is
-  // a direct analog for the runtime variable 'tracing.random_sampling' in the
-  // :ref:`HTTP Connection Manager `.
-  // Default: 100%
-  type.FractionalPercent random_sampling = 2;
-
-  // Target percentage of requests managed by this HTTP connection manager that will be traced
-  // after all other sampling checks have been applied (client-directed, force tracing, random
-  // sampling). This field functions as an upper limit on the total configured sampling rate. For
-  // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1%
-  // of client requests with the appropriate headers to be force traced. This field is a direct
-  // analog for the runtime variable 'tracing.global_enabled' in the
-  // :ref:`HTTP Connection Manager `.
-  // Default: 100%
-  type.FractionalPercent overall_sampling = 3;
-}
-
-// A virtual cluster is a way of specifying a regex matching rule against
-// certain important endpoints such that statistics are generated explicitly for
-// the matched requests. The reason this is useful is that when doing
-// prefix/path matching Envoy does not always know what the application
-// considers to be an endpoint. Thus, it’s impossible for Envoy to generically
-// emit per endpoint statistics. However, often systems have highly critical
-// endpoints that they wish to get “perfect” statistics on. Virtual cluster
-// statistics are perfect in the sense that they are emitted on the downstream
-// side such that they include network level failures.
-//
-// Documentation for :ref:`virtual cluster statistics `.
-//
-// .. note::
-//
-//    Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for
-//    every application endpoint. This is both not easily maintainable and as well the matching and
-//    statistics output are not free.
-message VirtualCluster {
-  // Specifies a regex pattern to use for matching requests. The entire path of the request
-  // must match the regex. The regex grammar used is defined `here
-  // `_.
-  //
-  // Examples:
-  //
-  // * The regex ``/rides/\d+`` matches the path */rides/0*
-  // * The regex ``/rides/\d+`` matches the path */rides/123*
-  // * The regex ``/rides/\d+`` does not match the path */rides/123/456*
-  //
-  // .. attention::
-  //   This field has been deprecated in favor of `headers` as it is not safe for use with
-  //   untrusted input in all cases.
-  string pattern = 1 [(validate.rules).string = {max_bytes: 1024}, deprecated = true];
-
-  // Specifies a list of header matchers to use for matching requests. Each specified header must
-  // match. The pseudo-headers `:path` and `:method` can be used to match the request path and
-  // method, respectively.
-  repeated HeaderMatcher headers = 4;
-
-  // Specifies the name of the virtual cluster. The virtual cluster name as well
-  // as the virtual host name are used when emitting statistics. The statistics are emitted by the
-  // router filter and are documented :ref:`here `.
-  string name = 2 [(validate.rules).string = {min_bytes: 1}];
-
-  // Optionally specifies the HTTP method to match on. For example GET, PUT,
-  // etc.
-  //
-  // .. attention::
-  //   This field has been deprecated in favor of `headers`.
-  core.RequestMethod method = 3 [deprecated = true];
-}
-
-// Global rate limiting :ref:`architecture overview `.
-message RateLimit {
-  message Action {
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("source_cluster", "")
-    //
-    //  is derived from the :option:`--service-cluster` option.
-    message SourceCluster {
-    }
-
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("destination_cluster", "")
-    //
-    // Once a request matches against a route table rule, a routed cluster is determined by one of
-    // the following :ref:`route table configuration `
-    // settings:
-    //
-    // * :ref:`cluster ` indicates the upstream cluster
-    //   to route to.
-    // * :ref:`weighted_clusters `
-    //   chooses a cluster randomly from a set of clusters with attributed weight.
-    // * :ref:`cluster_header ` indicates which
-    //   header in the request contains the target cluster.
-    message DestinationCluster {
-    }
-
-    // The following descriptor entry is appended when a header contains a key that matches the
-    // *header_name*:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("", "")
-    message RequestHeaders {
-      // The header name to be queried from the request headers. The header’s
-      // value is used to populate the value of the descriptor entry for the
-      // descriptor_key.
-      string header_name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-      // The key to use in the descriptor entry.
-      string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
-    }
-
-    // The following descriptor entry is appended to the descriptor and is populated using the
-    // trusted address from :ref:`x-forwarded-for `:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("remote_address", "")
-    message RemoteAddress {
-    }
-
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("generic_key", "")
-    message GenericKey {
-      // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
-    }
-
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("header_match", "")
-    message HeaderValueMatch {
-      // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
-
-      // If set to true, the action will append a descriptor entry when the
-      // request matches the headers. If set to false, the action will append a
-      // descriptor entry when the request does not match the headers. The
-      // default value is true.
-      google.protobuf.BoolValue expect_match = 2;
-
-      // Specifies a set of headers that the rate limit action should match
-      // on. The action will check the request’s headers against all the
-      // specified headers in the config. A match will happen if all the
-      // headers in the config are present in the request with the same values
-      // (or based on presence if the value field is not in the config).
-      repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}];
-    }
-
-    oneof action_specifier {
-      option (validate.required) = true;
-
-      // Rate limit on source cluster.
-      SourceCluster source_cluster = 1;
-
-      // Rate limit on destination cluster.
-      DestinationCluster destination_cluster = 2;
-
-      // Rate limit on request headers.
-      RequestHeaders request_headers = 3;
-
-      // Rate limit on remote address.
-      RemoteAddress remote_address = 4;
-
-      // Rate limit on a generic key.
-      GenericKey generic_key = 5;
-
-      // Rate limit on the existence of request headers.
-      HeaderValueMatch header_value_match = 6;
-    }
-  }
-
-  // Refers to the stage set in the filter. The rate limit configuration only
-  // applies to filters with the same stage number. The default stage number is
-  // 0.
-  //
-  // .. note::
-  //
-  //   The filter supports a range of 0 - 10 inclusively for stage numbers.
-  google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}];
-
-  // The key to be set in runtime to disable this rate limit configuration.
-  string disable_key = 2;
-
-  // A list of actions that are to be applied for this rate limit configuration.
-  // Order matters as the actions are processed sequentially and the descriptor
-  // is composed by appending descriptor entries in that sequence. If an action
-  // cannot append a descriptor entry, no descriptor is generated for the
-  // configuration. See :ref:`composing actions
-  // ` for additional documentation.
-  repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}];
-}
-
-// .. attention::
-//
-//   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host*
-//   header. Thus, if attempting to match on *Host*, match on *:authority* instead.
-//
-// .. attention::
-//
-//   To route on HTTP method, use the special HTTP/2 *:method* header. This works for both
-//   HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g.,
-//
-//   .. code-block:: json
-//
-//     {
-//       "name": ":method",
-//       "exact_match": "POST"
-//     }
-//
-// .. attention::
-//   In the absence of any header match specifier, match will default to :ref:`present_match
-//   `. i.e, a request that has the :ref:`name
-//   ` header will match, regardless of the header's
-//   value.
-//
-//  [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.]
-message HeaderMatcher {
-  reserved 2, 3;
-
-  // Specifies the name of the header in the request.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // Specifies how the header match will be performed to route the request.
-  oneof header_match_specifier {
-    // If specified, header match will be performed based on the value of the header.
-    string exact_match = 4;
-
-    // If specified, this regex string is a regular expression rule which implies the entire request
-    // header value must match the regex. The rule will not match if only a subsequence of the
-    // request header value matches the regex. The regex grammar used in the value field is defined
-    // `here `_.
-    //
-    // Examples:
-    //
-    // * The regex ``\d{3}`` matches the value *123*
-    // * The regex ``\d{3}`` does not match the value *1234*
-    // * The regex ``\d{3}`` does not match the value *123.456*
-    //
-    // .. attention::
-    //   This field has been deprecated in favor of `safe_regex_match` as it is not safe for use
-    //   with untrusted input in all cases.
-    string regex_match = 5 [(validate.rules).string = {max_bytes: 1024}, deprecated = true];
-
-    // If specified, this regex string is a regular expression rule which implies the entire request
-    // header value must match the regex. The rule will not match if only a subsequence of the
-    // request header value matches the regex.
-    type.matcher.RegexMatcher safe_regex_match = 11;
-
-    // If specified, header match will be performed based on range.
-    // The rule will match if the request header value is within this range.
-    // The entire request header value must represent an integer in base 10 notation: consisting of
-    // an optional plus or minus sign followed by a sequence of digits. The rule will not match if
-    // the header value does not represent an integer. Match will fail for empty values, floating
-    // point numbers or if only a subsequence of the header value is an integer.
-    //
-    // Examples:
-    //
-    // * For range [-10,0), route will match for header value -1, but not for 0, "somestring", 10.9,
-    //   "-1somestring"
-    type.Int64Range range_match = 6;
-
-    // If specified, header match will be performed based on whether the header is in the
-    // request.
-    bool present_match = 7;
-
-    // If specified, header match will be performed based on the prefix of the header value.
-    // Note: empty prefix is not allowed, please use present_match instead.
-    //
-    // Examples:
-    //
-    // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*.
-    string prefix_match = 9 [(validate.rules).string = {min_bytes: 1}];
-
-    // If specified, header match will be performed based on the suffix of the header value.
-    // Note: empty suffix is not allowed, please use present_match instead.
-    //
-    // Examples:
-    //
-    // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*.
-    string suffix_match = 10 [(validate.rules).string = {min_bytes: 1}];
-  }
-
-  // If specified, the match result will be inverted before checking. Defaults to false.
-  //
-  // Examples:
-  //
-  // * The regex ``\d{3}`` does not match the value *1234*, so it will match when inverted.
-  // * The range [-10,0) will match the value -1, so it will not match when inverted.
-  bool invert_match = 8;
-}
-
-// Query parameter matching treats the query string of a request's :path header
-// as an ampersand-separated list of keys and/or key=value elements.
-message QueryParameterMatcher {
-  // Specifies the name of a key that must be present in the requested
-  // *path*'s query string.
-  string name = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 1024}];
-
-  // Specifies the value of the key. If the value is absent, a request
-  // that contains the key in its query string will match, whether the
-  // key appears with a value (e.g., "?debug=true") or not (e.g., "?debug")
-  //
-  // ..attention::
-  //   This field is deprecated. Use an `exact` match inside the `string_match` field.
-  string value = 3 [deprecated = true];
-
-  // Specifies whether the query parameter value is a regular expression.
-  // Defaults to false. The entire query parameter value (i.e., the part to
-  // the right of the equals sign in "key=value") must match the regex.
-  // E.g., the regex ``\d+$`` will match *123* but not *a123* or *123a*.
-  //
-  // ..attention::
-  //   This field is deprecated. Use a `safe_regex` match inside the `string_match` field.
-  google.protobuf.BoolValue regex = 4 [deprecated = true];
-
-  oneof query_parameter_match_specifier {
-    // Specifies whether a query parameter value should match against a string.
-    type.matcher.StringMatcher string_match = 5 [(validate.rules).message = {required: true}];
-
-    // Specifies whether a query parameter should be present.
-    bool present_match = 6;
-  }
-}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto
new file mode 100644
index 00000000000..f5e6bae79a3
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto
@@ -0,0 +1,1495 @@
+syntax = "proto3";
+
+package envoy.api.v2.route;
+
+import "envoy/api/v2/core/base.proto";
+import "envoy/type/matcher/regex.proto";
+import "envoy/type/matcher/string.proto";
+import "envoy/type/percent.proto";
+import "envoy/type/range.proto";
+import "envoy/type/tracing/v2/custom_tag.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.route";
+option java_outer_classname = "RouteComponentsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
+
+// [#protodoc-title: HTTP route components]
+// * Routing :ref:`architecture overview `
+// * HTTP :ref:`router filter `
+
+// The top level element in the routing configuration is a virtual host. Each virtual host has
+// a logical name as well as a set of domains that get routed to it based on the incoming request's
+// host header. This allows a single listener to service multiple top level domain path trees. Once
+// a virtual host is selected based on the domain, the routes are processed in order to see which
+// upstream cluster to route to or whether to perform a redirect.
+// [#next-free-field: 19]
+message VirtualHost {
+  enum TlsRequirementType {
+    // No TLS requirement for the virtual host.
+    NONE = 0;
+
+    // External requests must use TLS. If a request is external and it is not
+    // using TLS, a 301 redirect will be sent telling the client to use HTTPS.
+    EXTERNAL_ONLY = 1;
+
+    // All requests must use TLS. If a request is not using TLS, a 301 redirect
+    // will be sent telling the client to use HTTPS.
+    ALL = 2;
+  }
+
+  reserved 9;
+
+  // The logical name of the virtual host. This is used when emitting certain
+  // statistics but is not relevant for routing.
+  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // A list of domains (host/authority header) that will be matched to this
+  // virtual host. Wildcard hosts are supported in the suffix or prefix form.
+  //
+  // Domain search order:
+  //  1. Exact domain names: ``www.foo.com``.
+  //  2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``.
+  //  3. Prefix domain wildcards: ``foo.*`` or ``foo-*``.
+  //  4. Special wildcard ``*`` matching any domain.
+  //
+  // .. note::
+  //
+  //   The wildcard will not match the empty string.
+  //   e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``.
+  //   The longest wildcards match first.
+  //   Only a single virtual host in the entire route configuration can match on ``*``. A domain
+  //   must be unique across all virtual hosts or the config will fail to load.
+  repeated string domains = 2 [(validate.rules).repeated = {min_items: 1}];
+
+  // The list of routes that will be matched, in order, for incoming requests.
+  // The first route that matches will be used.
+  repeated Route routes = 3;
+
+  // Specifies the type of TLS enforcement the virtual host expects. If this option is not
+  // specified, there is no TLS requirement for the virtual host.
+  TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}];
+
+  // A list of virtual clusters defined for this virtual host. Virtual clusters
+  // are used for additional statistics gathering.
+  repeated VirtualCluster virtual_clusters = 5;
+
+  // Specifies a set of rate limit configurations that will be applied to the
+  // virtual host.
+  repeated RateLimit rate_limits = 6;
+
+  // Specifies a list of HTTP headers that should be added to each request
+  // handled by this virtual host. Headers specified at this level are applied
+  // after headers from enclosed :ref:`envoy_api_msg_route.Route` and before headers from the
+  // enclosing :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
+  // details on header value syntax, see the documentation on :ref:`custom request headers
+  // `.
+  repeated core.HeaderValueOption request_headers_to_add = 7
+      [(validate.rules).repeated = {max_items: 1000}];
+
+  // Specifies a list of HTTP headers that should be removed from each request
+  // handled by this virtual host.
+  repeated string request_headers_to_remove = 13;
+
+  // Specifies a list of HTTP headers that should be added to each response
+  // handled by this virtual host. Headers specified at this level are applied
+  // after headers from enclosed :ref:`envoy_api_msg_route.Route` and before headers from the
+  // enclosing :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
+  // details on header value syntax, see the documentation on :ref:`custom request headers
+  // `.
+  repeated core.HeaderValueOption response_headers_to_add = 10
+      [(validate.rules).repeated = {max_items: 1000}];
+
+  // Specifies a list of HTTP headers that should be removed from each response
+  // handled by this virtual host.
+  repeated string response_headers_to_remove = 11;
+
+  // Indicates that the virtual host has a CORS policy.
+  CorsPolicy cors = 8;
+
+  // The per_filter_config field can be used to provide virtual host-specific
+  // configurations for filters. The key should match the filter name, such as
+  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
+  // specific; see the :ref:`HTTP filter documentation `
+  // for if and how it is utilized.
+  map per_filter_config = 12 [deprecated = true];
+
+  // The per_filter_config field can be used to provide virtual host-specific
+  // configurations for filters. The key should match the filter name, such as
+  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
+  // specific; see the :ref:`HTTP filter documentation `
+  // for if and how it is utilized.
+  map typed_per_filter_config = 15;
+
+  // Decides whether the :ref:`x-envoy-attempt-count
+  // ` header should be included
+  // in the upstream request. Setting this option will cause it to override any existing header
+  // value, so in the case of two Envoys on the request path with this option enabled, the upstream
+  // will see the attempt count as perceived by the second Envoy. Defaults to false.
+  // This header is unaffected by the
+  // :ref:`suppress_envoy_headers
+  // ` flag.
+  bool include_request_attempt_count = 14;
+
+  // Indicates the retry policy for all routes in this virtual host. Note that setting a
+  // route level entry will take precedence over this config and it'll be treated
+  // independently (e.g.: values are not inherited).
+  RetryPolicy retry_policy = 16;
+
+  // Indicates the hedge policy for all routes in this virtual host. Note that setting a
+  // route level entry will take precedence over this config and it'll be treated
+  // independently (e.g.: values are not inherited).
+  HedgePolicy hedge_policy = 17;
+
+  // The maximum bytes which will be buffered for retries and shadowing.
+  // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum
+  // value of this and the listener per_connection_buffer_limit_bytes.
+  google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18;
+}
+
+// A filter-defined action type.
+message FilterAction {
+  google.protobuf.Any action = 1;
+}
+
+// A route is both a specification of how to match a request as well as an indication of what to do
+// next (e.g., redirect, forward, rewrite, etc.).
+//
+// .. attention::
+//
+//   Envoy supports routing on HTTP method via :ref:`header matching
+//   `.
+// [#next-free-field: 18]
+message Route {
+  reserved 6;
+
+  // Name for the route.
+  string name = 14;
+
+  // Route matching parameters.
+  RouteMatch match = 1 [(validate.rules).message = {required: true}];
+
+  oneof action {
+    option (validate.required) = true;
+
+    // Route request to some upstream cluster.
+    RouteAction route = 2;
+
+    // Return a redirect.
+    RedirectAction redirect = 3;
+
+    // Return an arbitrary HTTP response directly, without proxying.
+    DirectResponseAction direct_response = 7;
+
+    // [#not-implemented-hide:]
+    // If true, a filter will define the action (e.g., it could dynamically generate the
+    // RouteAction).
+    FilterAction filter_action = 17;
+  }
+
+  // The Metadata field can be used to provide additional information
+  // about the route. It can be used for configuration, stats, and logging.
+  // The metadata should go under the filter namespace that will need it.
+  // For instance, if the metadata is intended for the Router filter,
+  // the filter name should be specified as *envoy.router*.
+  core.Metadata metadata = 4;
+
+  // Decorator for the matched route.
+  Decorator decorator = 5;
+
+  // The per_filter_config field can be used to provide route-specific
+  // configurations for filters. The key should match the filter name, such as
+  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
+  // specific; see the :ref:`HTTP filter documentation ` for
+  // if and how it is utilized.
+  map per_filter_config = 8 [deprecated = true];
+
+  // The per_filter_config field can be used to provide route-specific
+  // configurations for filters. The key should match the filter name, such as
+  // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
+  // specific; see the :ref:`HTTP filter documentation ` for
+  // if and how it is utilized.
+  map typed_per_filter_config = 13;
+
+  // Specifies a set of headers that will be added to requests matching this
+  // route. Headers specified at this level are applied before headers from the
+  // enclosing :ref:`envoy_api_msg_route.VirtualHost` and
+  // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
+  // header value syntax, see the documentation on :ref:`custom request headers
+  // `.
+  repeated core.HeaderValueOption request_headers_to_add = 9
+      [(validate.rules).repeated = {max_items: 1000}];
+
+  // Specifies a list of HTTP headers that should be removed from each request
+  // matching this route.
+  repeated string request_headers_to_remove = 12;
+
+  // Specifies a set of headers that will be added to responses to requests
+  // matching this route. Headers specified at this level are applied before
+  // headers from the enclosing :ref:`envoy_api_msg_route.VirtualHost` and
+  // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
+  // details on header value syntax, see the documentation on
+  // :ref:`custom request headers `.
+  repeated core.HeaderValueOption response_headers_to_add = 10
+      [(validate.rules).repeated = {max_items: 1000}];
+
+  // Specifies a list of HTTP headers that should be removed from each response
+  // to requests matching this route.
+  repeated string response_headers_to_remove = 11;
+
+  // Presence of the object defines whether the connection manager's tracing configuration
+  // is overridden by this route specific instance.
+  Tracing tracing = 15;
+
+  // The maximum bytes which will be buffered for retries and shadowing.
+  // If set, the bytes actually buffered will be the minimum value of this and the
+  // listener per_connection_buffer_limit_bytes.
+  google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16;
+}
+
+// Compared to the :ref:`cluster ` field that specifies a
+// single upstream cluster as the target of a request, the :ref:`weighted_clusters
+// ` option allows for specification of
+// multiple upstream clusters along with weights that indicate the percentage of
+// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the
+// weights.
+message WeightedCluster {
+  // [#next-free-field: 11]
+  message ClusterWeight {
+    reserved 7;
+
+    // Name of the upstream cluster. The cluster must exist in the
+    // :ref:`cluster manager configuration `.
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // An integer between 0 and :ref:`total_weight
+    // `. When a request matches the route,
+    // the choice of an upstream cluster is determined by its weight. The sum of weights across all
+    // entries in the clusters array must add up to the total_weight, which defaults to 100.
+    google.protobuf.UInt32Value weight = 2;
+
+    // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in
+    // the upstream cluster with metadata matching what is set in this field will be considered for
+    // load balancing. Note that this will be merged with what's provided in
+    // :ref:`RouteAction.metadata_match `, with
+    // values here taking precedence. The filter name should be specified as *envoy.lb*.
+    core.Metadata metadata_match = 3;
+
+    // Specifies a list of headers to be added to requests when this cluster is selected
+    // through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
+    // Headers specified at this level are applied before headers from the enclosing
+    // :ref:`envoy_api_msg_route.Route`, :ref:`envoy_api_msg_route.VirtualHost`, and
+    // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
+    // header value syntax, see the documentation on :ref:`custom request headers
+    // `.
+    repeated core.HeaderValueOption request_headers_to_add = 4
+        [(validate.rules).repeated = {max_items: 1000}];
+
+    // Specifies a list of HTTP headers that should be removed from each request when
+    // this cluster is selected through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
+    repeated string request_headers_to_remove = 9;
+
+    // Specifies a list of headers to be added to responses when this cluster is selected
+    // through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
+    // Headers specified at this level are applied before headers from the enclosing
+    // :ref:`envoy_api_msg_route.Route`, :ref:`envoy_api_msg_route.VirtualHost`, and
+    // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
+    // header value syntax, see the documentation on :ref:`custom request headers
+    // `.
+    repeated core.HeaderValueOption response_headers_to_add = 5
+        [(validate.rules).repeated = {max_items: 1000}];
+
+    // Specifies a list of headers to be removed from responses when this cluster is selected
+    // through the enclosing :ref:`envoy_api_msg_route.RouteAction`.
+    repeated string response_headers_to_remove = 6;
+
+    // The per_filter_config field can be used to provide weighted cluster-specific
+    // configurations for filters. The key should match the filter name, such as
+    // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
+    // specific; see the :ref:`HTTP filter documentation `
+    // for if and how it is utilized.
+    map per_filter_config = 8 [deprecated = true];
+
+    // The per_filter_config field can be used to provide weighted cluster-specific
+    // configurations for filters. The key should match the filter name, such as
+    // *envoy.buffer* for the HTTP buffer filter. Use of this field is filter
+    // specific; see the :ref:`HTTP filter documentation `
+    // for if and how it is utilized.
+    map typed_per_filter_config = 10;
+  }
+
+  // Specifies one or more upstream clusters associated with the route.
+  repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}];
+
+  // Specifies the total weight across all clusters. The sum of all cluster weights must equal this
+  // value, which must be greater than 0. Defaults to 100.
+  google.protobuf.UInt32Value total_weight = 3 [(validate.rules).uint32 = {gte: 1}];
+
+  // Specifies the runtime key prefix that should be used to construct the
+  // runtime keys associated with each cluster. When the *runtime_key_prefix* is
+  // specified, the router will look for weights associated with each upstream
+  // cluster under the key *runtime_key_prefix* + "." + *cluster[i].name* where
+  // *cluster[i]* denotes an entry in the clusters array field. If the runtime
+  // key for the cluster does not exist, the value specified in the
+  // configuration file will be used as the default weight. See the :ref:`runtime documentation
+  // ` for how key names map to the underlying implementation.
+  string runtime_key_prefix = 2;
+}
+
+// [#next-free-field: 12]
+message RouteMatch {
+  message GrpcRouteMatchOptions {
+  }
+
+  message TlsContextMatchOptions {
+    // If specified, the route will match against whether or not a certificate is presented.
+    // If not specified, certificate presentation status (true or false) will not be considered when route matching.
+    google.protobuf.BoolValue presented = 1;
+
+    // If specified, the route will match against whether or not a certificate is validated.
+    // If not specified, certificate validation status (true or false) will not be considered when route matching.
+    google.protobuf.BoolValue validated = 2;
+  }
+
+  reserved 5;
+
+  oneof path_specifier {
+    option (validate.required) = true;
+
+    // If specified, the route is a prefix rule meaning that the prefix must
+    // match the beginning of the *:path* header.
+    string prefix = 1;
+
+    // If specified, the route is an exact path rule meaning that the path must
+    // exactly match the *:path* header once the query string is removed.
+    string path = 2;
+
+    // If specified, the route is a regular expression rule meaning that the
+    // regex must match the *:path* header once the query string is removed. The entire path
+    // (without the query string) must match the regex. The rule will not match if only a
+    // subsequence of the *:path* header matches the regex. The regex grammar is defined `here
+    // `_.
+    //
+    // Examples:
+    //
+    // * The regex ``/b[io]t`` matches the path */bit*
+    // * The regex ``/b[io]t`` matches the path */bot*
+    // * The regex ``/b[io]t`` does not match the path */bite*
+    // * The regex ``/b[io]t`` does not match the path */bit/bot*
+    //
+    // .. attention::
+    //   This field has been deprecated in favor of `safe_regex` as it is not safe for use with
+    //   untrusted input in all cases.
+    string regex = 3 [
+      deprecated = true,
+      (validate.rules).string = {max_bytes: 1024},
+      (envoy.annotations.disallowed_by_default) = true
+    ];
+
+    // If specified, the route is a regular expression rule meaning that the
+    // regex must match the *:path* header once the query string is removed. The entire path
+    // (without the query string) must match the regex. The rule will not match if only a
+    // subsequence of the *:path* header matches the regex.
+    //
+    // [#next-major-version: In the v3 API we should redo how path specification works such
+    // that we utilize StringMatcher, and additionally have consistent options around whether we
+    // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive
+    // to deprecate the existing options. We should even consider whether we want to do away with
+    // path_specifier entirely and just rely on a set of header matchers which can already match
+    // on :path, etc. The issue with that is it is unclear how to generically deal with query string
+    // stripping. This needs more thought.]
+    type.matcher.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}];
+  }
+
+  // Indicates that prefix/path matching should be case insensitive. The default
+  // is true.
+  google.protobuf.BoolValue case_sensitive = 4;
+
+  // Indicates that the route should additionally match on a runtime key. Every time the route
+  // is considered for a match, it must also fall under the percentage of matches indicated by
+  // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the
+  // number is <= the value of the numerator N, or if the key is not present, the default
+  // value, the router continues to evaluate the remaining match criteria. A runtime_fraction
+  // route configuration can be used to roll out route changes in a gradual manner without full
+  // code/config deploys. Refer to the :ref:`traffic shifting
+  // ` docs for additional documentation.
+  //
+  // .. note::
+  //
+  //    Parsing this field is implemented such that the runtime key's data may be represented
+  //    as a FractionalPercent proto represented as JSON/YAML and may also be represented as an
+  //    integer with the assumption that the value is an integral percentage out of 100. For
+  //    instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent
+  //    whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics.
+  core.RuntimeFractionalPercent runtime_fraction = 9;
+
+  // Specifies a set of headers that the route should match on. The router will
+  // check the request’s headers against all the specified headers in the route
+  // config. A match will happen if all the headers in the route are present in
+  // the request with the same values (or based on presence if the value field
+  // is not in the config).
+  repeated HeaderMatcher headers = 6;
+
+  // Specifies a set of URL query parameters on which the route should
+  // match. The router will check the query string from the *path* header
+  // against all the specified query parameters. If the number of specified
+  // query parameters is nonzero, they all must match the *path* header's
+  // query string for a match to occur.
+  repeated QueryParameterMatcher query_parameters = 7;
+
+  // If specified, only gRPC requests will be matched. The router will check
+  // that the content-type header has a application/grpc or one of the various
+  // application/grpc+ values.
+  GrpcRouteMatchOptions grpc = 8;
+
+  // If specified, the client tls context will be matched against the defined
+  // match options.
+  //
+  // [#next-major-version: unify with RBAC]
+  TlsContextMatchOptions tls_context = 11;
+}
+
+// [#next-free-field: 12]
+message CorsPolicy {
+  // Specifies the origins that will be allowed to do CORS requests.
+  //
+  // An origin is allowed if either allow_origin or allow_origin_regex match.
+  //
+  // .. attention::
+  //  This field has been deprecated in favor of `allow_origin_string_match`.
+  repeated string allow_origin = 1
+      [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+  // Specifies regex patterns that match allowed origins.
+  //
+  // An origin is allowed if either allow_origin or allow_origin_regex match.
+  //
+  // .. attention::
+  //   This field has been deprecated in favor of `allow_origin_string_match` as it is not safe for
+  //   use with untrusted input in all cases.
+  repeated string allow_origin_regex = 8
+      [deprecated = true, (validate.rules).repeated = {items {string {max_bytes: 1024}}}];
+
+  // Specifies string patterns that match allowed origins. An origin is allowed if any of the
+  // string matchers match.
+  repeated type.matcher.StringMatcher allow_origin_string_match = 11;
+
+  // Specifies the content for the *access-control-allow-methods* header.
+  string allow_methods = 2;
+
+  // Specifies the content for the *access-control-allow-headers* header.
+  string allow_headers = 3;
+
+  // Specifies the content for the *access-control-expose-headers* header.
+  string expose_headers = 4;
+
+  // Specifies the content for the *access-control-max-age* header.
+  string max_age = 5;
+
+  // Specifies whether the resource allows credentials.
+  google.protobuf.BoolValue allow_credentials = 6;
+
+  oneof enabled_specifier {
+    // Specifies if the CORS filter is enabled. Defaults to true. Only effective on route.
+    //
+    // .. attention::
+    //
+    //   **This field is deprecated**. Set the
+    //   :ref:`filter_enabled` field instead.
+    google.protobuf.BoolValue enabled = 7
+        [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+    // Specifies the % of requests for which the CORS filter is enabled.
+    //
+    // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS
+    // filter will be enabled for 100% of the requests.
+    //
+    // If :ref:`runtime_key ` is
+    // specified, Envoy will lookup the runtime key to get the percentage of requests to filter.
+    core.RuntimeFractionalPercent filter_enabled = 9;
+  }
+
+  // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not
+  // enforced.
+  //
+  // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those
+  // fields have to explicitly disable the filter in order for this setting to take effect.
+  //
+  // If :ref:`runtime_key ` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
+  // and track the request's *Origin* to determine if it's valid but will not enforce any policies.
+  core.RuntimeFractionalPercent shadow_enabled = 10;
+}
+
+// [#next-free-field: 32]
+message RouteAction {
+  enum ClusterNotFoundResponseCode {
+    // HTTP status code - 503 Service Unavailable.
+    SERVICE_UNAVAILABLE = 0;
+
+    // HTTP status code - 404 Not Found.
+    NOT_FOUND = 1;
+  }
+
+  // Configures :ref:`internal redirect ` behavior.
+  enum InternalRedirectAction {
+    PASS_THROUGH_INTERNAL_REDIRECT = 0;
+    HANDLE_INTERNAL_REDIRECT = 1;
+  }
+
+  // The router is capable of shadowing traffic from one cluster to another. The current
+  // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to
+  // respond before returning the response from the primary cluster. All normal statistics are
+  // collected for the shadow cluster making this feature useful for testing.
+  //
+  // During shadowing, the host/authority header is altered such that *-shadow* is appended. This is
+  // useful for logging. For example, *cluster1* becomes *cluster1-shadow*.
+  //
+  // .. note::
+  //
+  //   Shadowing will not be triggered if the primary cluster does not exist.
+  message RequestMirrorPolicy {
+    // Specifies the cluster that requests will be mirrored to. The cluster must
+    // exist in the cluster manager configuration.
+    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // If not specified, all requests to the target cluster will be mirrored. If
+    // specified, Envoy will lookup the runtime key to get the % of requests to
+    // mirror. Valid values are from 0 to 10000, allowing for increments of
+    // 0.01% of requests to be mirrored. If the runtime key is specified in the
+    // configuration but not present in runtime, 0 is the default and thus 0% of
+    // requests will be mirrored.
+    //
+    // .. attention::
+    //
+    //   **This field is deprecated**. Set the
+    //   :ref:`runtime_fraction
+    //   `
+    //   field instead. Mirroring occurs if both this and
+    //   `
+    //   are not set.
+    string runtime_key = 2 [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+    // If not specified, all requests to the target cluster will be mirrored.
+    //
+    // If specified, this field takes precedence over the `runtime_key` field and requests must also
+    // fall under the percentage of matches indicated by this field.
+    //
+    // For some fraction N/D, a random number in the range [0,D) is selected. If the
+    // number is <= the value of the numerator N, or if the key is not present, the default
+    // value, the request will be mirrored.
+    core.RuntimeFractionalPercent runtime_fraction = 3;
+  }
+
+  // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer
+  // `.
+  // [#next-free-field: 6]
+  message HashPolicy {
+    message Header {
+      // The name of the request header that will be used to obtain the hash
+      // key. If the request header is not present, no hash will be produced.
+      string header_name = 1 [(validate.rules).string = {min_bytes: 1}];
+    }
+
+    // Envoy supports two types of cookie affinity:
+    //
+    // 1. Passive. Envoy takes a cookie that's present in the cookies header and
+    //    hashes on its value.
+    //
+    // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL)
+    //    on the first request from the client in its response to the client,
+    //    based on the endpoint the request gets sent to. The client then
+    //    presents this on the next and all subsequent requests. The hash of
+    //    this is sufficient to ensure these requests get sent to the same
+    //    endpoint. The cookie is generated by hashing the source and
+    //    destination ports and addresses so that multiple independent HTTP2
+    //    streams on the same connection will independently receive the same
+    //    cookie, even if they arrive at the Envoy simultaneously.
+    message Cookie {
+      // The name of the cookie that will be used to obtain the hash key. If the
+      // cookie is not present and ttl below is not set, no hash will be
+      // produced.
+      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+      // If specified, a cookie with the TTL will be generated if the cookie is
+      // not present. If the TTL is present and zero, the generated cookie will
+      // be a session cookie.
+      google.protobuf.Duration ttl = 2;
+
+      // The name of the path for the cookie. If no path is specified here, no path
+      // will be set for the cookie.
+      string path = 3;
+    }
+
+    message ConnectionProperties {
+      // Hash on source IP address.
+      bool source_ip = 1;
+    }
+
+    message QueryParameter {
+      // The name of the URL query parameter that will be used to obtain the hash
+      // key. If the parameter is not present, no hash will be produced. Query
+      // parameter names are case-sensitive.
+      string name = 1 [(validate.rules).string = {min_bytes: 1}];
+    }
+
+    oneof policy_specifier {
+      option (validate.required) = true;
+
+      // Header hash policy.
+      Header header = 1;
+
+      // Cookie hash policy.
+      Cookie cookie = 2;
+
+      // Connection properties hash policy.
+      ConnectionProperties connection_properties = 3;
+
+      // Query parameter hash policy.
+      QueryParameter query_parameter = 5;
+    }
+
+    // The flag that short-circuits the hash computing. This field provides a
+    // 'fallback' style of configuration: "if a terminal policy doesn't work,
+    // fallback to rest of the policy list", it saves time when the terminal
+    // policy works.
+    //
+    // If true, and there is already a hash computed, ignore rest of the
+    // list of hash polices.
+    // For example, if the following hash methods are configured:
+    //
+    //  ========= ========
+    //  specifier terminal
+    //  ========= ========
+    //  Header A  true
+    //  Header B  false
+    //  Header C  false
+    //  ========= ========
+    //
+    // The generateHash process ends if policy "header A" generates a hash, as
+    // it's a terminal policy.
+    bool terminal = 4;
+  }
+
+  // Allows enabling and disabling upgrades on a per-route basis.
+  // This overrides any enabled/disabled upgrade filter chain specified in the
+  // HttpConnectionManager
+  // :ref:`upgrade_configs
+  // `
+  // but does not affect any custom filter chain specified there.
+  message UpgradeConfig {
+    // The case-insensitive name of this upgrade, e.g. "websocket".
+    // For each upgrade type present in upgrade_configs, requests with
+    // Upgrade: [upgrade_type] will be proxied upstream.
+    string upgrade_type = 1;
+
+    // Determines if upgrades are available on this route. Defaults to true.
+    google.protobuf.BoolValue enabled = 2;
+  }
+
+  reserved 12, 18, 19, 16, 22, 21;
+
+  oneof cluster_specifier {
+    option (validate.required) = true;
+
+    // Indicates the upstream cluster to which the request should be routed
+    // to.
+    string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // Envoy will determine the cluster to route to by reading the value of the
+    // HTTP header named by cluster_header from the request headers. If the
+    // header is not found or the referenced cluster does not exist, Envoy will
+    // return a 404 response.
+    //
+    // .. attention::
+    //
+    //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
+    //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
+    string cluster_header = 2 [(validate.rules).string = {min_bytes: 1}];
+
+    // Multiple upstream clusters can be specified for a given route. The
+    // request is routed to one of the upstream clusters based on weights
+    // assigned to each cluster. See
+    // :ref:`traffic splitting `
+    // for additional documentation.
+    WeightedCluster weighted_clusters = 3;
+  }
+
+  // The HTTP status code to use when configured cluster is not found.
+  // The default response code is 503 Service Unavailable.
+  ClusterNotFoundResponseCode cluster_not_found_response_code = 20
+      [(validate.rules).enum = {defined_only: true}];
+
+  // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints
+  // in the upstream cluster with metadata matching what's set in this field will be considered
+  // for load balancing. If using :ref:`weighted_clusters
+  // `, metadata will be merged, with values
+  // provided there taking precedence. The filter name should be specified as *envoy.lb*.
+  core.Metadata metadata_match = 4;
+
+  // Indicates that during forwarding, the matched prefix (or path) should be
+  // swapped with this value. This option allows application URLs to be rooted
+  // at a different path from those exposed at the reverse proxy layer. The router filter will
+  // place the original path before rewrite into the :ref:`x-envoy-original-path
+  // ` header.
+  //
+  // .. attention::
+  //
+  //   Pay careful attention to the use of trailing slashes in the
+  //   :ref:`route's match ` prefix value.
+  //   Stripping a prefix from a path requires multiple Routes to handle all cases. For example,
+  //   rewriting */prefix* to */* and */prefix/etc* to */etc* cannot be done in a single
+  //   :ref:`Route `, as shown by the below config entries:
+  //
+  //   .. code-block:: yaml
+  //
+  //     - match:
+  //         prefix: "/prefix/"
+  //       route:
+  //         prefix_rewrite: "/"
+  //     - match:
+  //         prefix: "/prefix"
+  //       route:
+  //         prefix_rewrite: "/"
+  //
+  //   Having above entries in the config, requests to */prefix* will be stripped to */*, while
+  //   requests to */prefix/etc* will be stripped to */etc*.
+  string prefix_rewrite = 5;
+
+  oneof host_rewrite_specifier {
+    // Indicates that during forwarding, the host header will be swapped with
+    // this value.
+    string host_rewrite = 6 [(udpa.annotations.field_migrate).rename = "host_rewrite_literal"];
+
+    // Indicates that during forwarding, the host header will be swapped with
+    // the hostname of the upstream host chosen by the cluster manager. This
+    // option is applicable only when the destination cluster for a route is of
+    // type *strict_dns* or *logical_dns*. Setting this to true with other cluster
+    // types has no effect.
+    google.protobuf.BoolValue auto_host_rewrite = 7;
+
+    // Indicates that during forwarding, the host header will be swapped with the content of given
+    // downstream or :ref:`custom ` header.
+    // If header value is empty, host header is left intact.
+    //
+    // .. attention::
+    //
+    //   Pay attention to the potential security implications of using this option. Provided header
+    //   must come from trusted source.
+    string auto_host_rewrite_header = 29
+        [(udpa.annotations.field_migrate).rename = "host_rewrite_header"];
+  }
+
+  // Specifies the upstream timeout for the route. If not specified, the default is 15s. This
+  // spans between the point at which the entire downstream request (i.e. end-of-stream) has been
+  // processed and when the upstream response has been completely processed. A value of 0 will
+  // disable the route's timeout.
+  //
+  // .. note::
+  //
+  //   This timeout includes all retries. See also
+  //   :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`,
+  //   :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the
+  //   :ref:`retry overview `.
+  google.protobuf.Duration timeout = 8;
+
+  // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout,
+  // although the connection manager wide :ref:`stream_idle_timeout
+  // `
+  // will still apply. A value of 0 will completely disable the route's idle timeout, even if a
+  // connection manager stream idle timeout is configured.
+  //
+  // The idle timeout is distinct to :ref:`timeout
+  // `, which provides an upper bound
+  // on the upstream response time; :ref:`idle_timeout
+  // ` instead bounds the amount
+  // of time the request's stream may be idle.
+  //
+  // After header decoding, the idle timeout will apply on downstream and
+  // upstream request events. Each time an encode/decode event for headers or
+  // data is processed for the stream, the timer will be reset. If the timeout
+  // fires, the stream is terminated with a 408 Request Timeout error code if no
+  // upstream response header has been received, otherwise a stream reset
+  // occurs.
+  google.protobuf.Duration idle_timeout = 24;
+
+  // Indicates that the route has a retry policy. Note that if this is set,
+  // it'll take precedence over the virtual host level retry policy entirely
+  // (e.g.: policies are not merged, most internal one becomes the enforced policy).
+  RetryPolicy retry_policy = 9;
+
+  // Indicates that the route has a request mirroring policy.
+  //
+  // .. attention::
+  //   This field has been deprecated in favor of `request_mirror_policies` which supports one or
+  //   more mirroring policies.
+  RequestMirrorPolicy request_mirror_policy = 10 [deprecated = true];
+
+  // Indicates that the route has request mirroring policies.
+  repeated RequestMirrorPolicy request_mirror_policies = 30;
+
+  // Optionally specifies the :ref:`routing priority `.
+  core.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}];
+
+  // Specifies a set of rate limit configurations that could be applied to the
+  // route.
+  repeated RateLimit rate_limits = 13;
+
+  // Specifies if the rate limit filter should include the virtual host rate
+  // limits. By default, if the route configured rate limits, the virtual host
+  // :ref:`rate_limits ` are not applied to the
+  // request.
+  google.protobuf.BoolValue include_vh_rate_limits = 14;
+
+  // Specifies a list of hash policies to use for ring hash load balancing. Each
+  // hash policy is evaluated individually and the combined result is used to
+  // route the request. The method of combination is deterministic such that
+  // identical lists of hash policies will produce the same hash. Since a hash
+  // policy examines specific parts of a request, it can fail to produce a hash
+  // (i.e. if the hashed header is not present). If (and only if) all configured
+  // hash policies fail to generate a hash, no hash will be produced for
+  // the route. In this case, the behavior is the same as if no hash policies
+  // were specified (i.e. the ring hash load balancer will choose a random
+  // backend). If a hash policy has the "terminal" attribute set to true, and
+  // there is already a hash generated, the hash is returned immediately,
+  // ignoring the rest of the hash policy list.
+  repeated HashPolicy hash_policy = 15;
+
+  // Indicates that the route has a CORS policy.
+  CorsPolicy cors = 17;
+
+  // If present, and the request is a gRPC request, use the
+  // `grpc-timeout header `_,
+  // or its default value (infinity) instead of
+  // :ref:`timeout `, but limit the applied timeout
+  // to the maximum value specified here. If configured as 0, the maximum allowed timeout for
+  // gRPC requests is infinity. If not configured at all, the `grpc-timeout` header is not used
+  // and gRPC requests time out like any other requests using
+  // :ref:`timeout ` or its default.
+  // This can be used to prevent unexpected upstream request timeouts due to potentially long
+  // time gaps between gRPC request and response in gRPC streaming mode.
+  google.protobuf.Duration max_grpc_timeout = 23;
+
+  // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting
+  // the provided duration from the header. This is useful in allowing Envoy to set its global
+  // timeout to be less than that of the deadline imposed by the calling client, which makes it more
+  // likely that Envoy will handle the timeout instead of having the call canceled by the client.
+  // The offset will only be applied if the provided grpc_timeout is greater than the offset. This
+  // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning
+  // infinity).
+  google.protobuf.Duration grpc_timeout_offset = 28;
+
+  repeated UpgradeConfig upgrade_configs = 25;
+
+  InternalRedirectAction internal_redirect_action = 26;
+
+  // An internal redirect is handled, iff the number of previous internal redirects that a
+  // downstream request has encountered is lower than this value, and
+  // :ref:`internal_redirect_action `
+  // is set to :ref:`HANDLE_INTERNAL_REDIRECT
+  // `
+  // In the case where a downstream request is bounced among multiple routes by internal redirect,
+  // the first route that hits this threshold, or has
+  // :ref:`internal_redirect_action `
+  // set to
+  // :ref:`PASS_THROUGH_INTERNAL_REDIRECT
+  // `
+  // will pass the redirect back to downstream.
+  //
+  // If not specified, at most one redirect will be followed.
+  google.protobuf.UInt32Value max_internal_redirects = 31;
+
+  // Indicates that the route has a hedge policy. Note that if this is set,
+  // it'll take precedence over the virtual host level hedge policy entirely
+  // (e.g.: policies are not merged, most internal one becomes the enforced policy).
+  HedgePolicy hedge_policy = 27;
+}
+
+// HTTP retry :ref:`architecture overview `.
+// [#next-free-field: 11]
+message RetryPolicy {
+  message RetryPriority {
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    oneof config_type {
+      google.protobuf.Struct config = 2 [deprecated = true];
+
+      google.protobuf.Any typed_config = 3;
+    }
+  }
+
+  message RetryHostPredicate {
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    oneof config_type {
+      google.protobuf.Struct config = 2 [deprecated = true];
+
+      google.protobuf.Any typed_config = 3;
+    }
+  }
+
+  message RetryBackOff {
+    // Specifies the base interval between retries. This parameter is required and must be greater
+    // than zero. Values less than 1 ms are rounded up to 1 ms.
+    // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's
+    // back-off algorithm.
+    google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
+      required: true
+      gt {}
+    }];
+
+    // Specifies the maximum interval between retries. This parameter is optional, but must be
+    // greater than or equal to the `base_interval` if set. The default is 10 times the
+    // `base_interval`. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion
+    // of Envoy's back-off algorithm.
+    google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
+  }
+
+  // Specifies the conditions under which retry takes place. These are the same
+  // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and
+  // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`.
+  string retry_on = 1;
+
+  // Specifies the allowed number of retries. This parameter is optional and
+  // defaults to 1. These are the same conditions documented for
+  // :ref:`config_http_filters_router_x-envoy-max-retries`.
+  google.protobuf.UInt32Value num_retries = 2;
+
+  // Specifies a non-zero upstream timeout per retry attempt. This parameter is optional. The
+  // same conditions documented for
+  // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply.
+  //
+  // .. note::
+  //
+  //   If left unspecified, Envoy will use the global
+  //   :ref:`route timeout ` for the request.
+  //   Consequently, when using a :ref:`5xx ` based
+  //   retry policy, a request that times out will not be retried as the total timeout budget
+  //   would have been exhausted.
+  google.protobuf.Duration per_try_timeout = 3;
+
+  // Specifies an implementation of a RetryPriority which is used to determine the
+  // distribution of load across priorities used for retries. Refer to
+  // :ref:`retry plugin configuration ` for more details.
+  RetryPriority retry_priority = 4;
+
+  // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host
+  // for retries. If any of the predicates reject the host, host selection will be reattempted.
+  // Refer to :ref:`retry plugin configuration ` for more
+  // details.
+  repeated RetryHostPredicate retry_host_predicate = 5;
+
+  // The maximum number of times host selection will be reattempted before giving up, at which
+  // point the host that was last selected will be routed to. If unspecified, this will default to
+  // retrying once.
+  int64 host_selection_retry_max_attempts = 6;
+
+  // HTTP status codes that should trigger a retry in addition to those specified by retry_on.
+  repeated uint32 retriable_status_codes = 7;
+
+  // Specifies parameters that control retry back off. This parameter is optional, in which case the
+  // default base interval is 25 milliseconds or, if set, the current value of the
+  // `upstream.base_retry_backoff_ms` runtime parameter. The default maximum interval is 10 times
+  // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries`
+  // describes Envoy's back-off algorithm.
+  RetryBackOff retry_back_off = 8;
+
+  // HTTP response headers that trigger a retry if present in the response. A retry will be
+  // triggered if any of the header matches match the upstream response headers.
+  // The field is only consulted if 'retriable-headers' retry policy is active.
+  repeated HeaderMatcher retriable_headers = 9;
+
+  // HTTP headers which must be present in the request for retries to be attempted.
+  repeated HeaderMatcher retriable_request_headers = 10;
+}
+
+// HTTP request hedging :ref:`architecture overview `.
+message HedgePolicy {
+  // Specifies the number of initial requests that should be sent upstream.
+  // Must be at least 1.
+  // Defaults to 1.
+  // [#not-implemented-hide:]
+  google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}];
+
+  // Specifies a probability that an additional upstream request should be sent
+  // on top of what is specified by initial_requests.
+  // Defaults to 0.
+  // [#not-implemented-hide:]
+  type.FractionalPercent additional_request_chance = 2;
+
+  // Indicates that a hedged request should be sent when the per-try timeout
+  // is hit. This will only occur if the retry policy also indicates that a
+  // timed out request should be retried.
+  // Once a timed out request is retried due to per try timeout, the router
+  // filter will ensure that it is not retried again even if the returned
+  // response headers would otherwise be retried according the specified
+  // :ref:`RetryPolicy `.
+  // Defaults to false.
+  bool hedge_on_per_try_timeout = 3;
+}
+
+// [#next-free-field: 9]
+message RedirectAction {
+  enum RedirectResponseCode {
+    // Moved Permanently HTTP Status Code - 301.
+    MOVED_PERMANENTLY = 0;
+
+    // Found HTTP Status Code - 302.
+    FOUND = 1;
+
+    // See Other HTTP Status Code - 303.
+    SEE_OTHER = 2;
+
+    // Temporary Redirect HTTP Status Code - 307.
+    TEMPORARY_REDIRECT = 3;
+
+    // Permanent Redirect HTTP Status Code - 308.
+    PERMANENT_REDIRECT = 4;
+  }
+
+  // When the scheme redirection take place, the following rules apply:
+  //  1. If the source URI scheme is `http` and the port is explicitly
+  //     set to `:80`, the port will be removed after the redirection
+  //  2. If the source URI scheme is `https` and the port is explicitly
+  //     set to `:443`, the port will be removed after the redirection
+  oneof scheme_rewrite_specifier {
+    // The scheme portion of the URL will be swapped with "https".
+    bool https_redirect = 4;
+
+    // The scheme portion of the URL will be swapped with this value.
+    string scheme_redirect = 7;
+  }
+
+  // The host portion of the URL will be swapped with this value.
+  string host_redirect = 1;
+
+  // The port value of the URL will be swapped with this value.
+  uint32 port_redirect = 8;
+
+  oneof path_rewrite_specifier {
+    // The path portion of the URL will be swapped with this value.
+    string path_redirect = 2;
+
+    // Indicates that during redirection, the matched prefix (or path)
+    // should be swapped with this value. This option allows redirect URLs be dynamically created
+    // based on the request.
+    //
+    // .. attention::
+    //
+    //   Pay attention to the use of trailing slashes as mentioned in
+    //   :ref:`RouteAction's prefix_rewrite `.
+    string prefix_rewrite = 5;
+  }
+
+  // The HTTP status code to use in the redirect response. The default response
+  // code is MOVED_PERMANENTLY (301).
+  RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}];
+
+  // Indicates that during redirection, the query portion of the URL will
+  // be removed. Default value is false.
+  bool strip_query = 6;
+}
+
+message DirectResponseAction {
+  // Specifies the HTTP response status to be returned.
+  uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 100}];
+
+  // Specifies the content of the response body. If this setting is omitted,
+  // no body is included in the generated response.
+  //
+  // .. note::
+  //
+  //   Headers can be specified using *response_headers_to_add* in the enclosing
+  //   :ref:`envoy_api_msg_route.Route`, :ref:`envoy_api_msg_RouteConfiguration` or
+  //   :ref:`envoy_api_msg_route.VirtualHost`.
+  core.DataSource body = 2;
+}
+
+message Decorator {
+  // The operation name associated with the request matched to this route. If tracing is
+  // enabled, this information will be used as the span name reported for this request.
+  //
+  // .. note::
+  //
+  //   For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden
+  //   by the :ref:`x-envoy-decorator-operation
+  //   ` header.
+  string operation = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // Whether the decorated details should be propagated to the other party. The default is true.
+  google.protobuf.BoolValue propagate = 2;
+}
+
+message Tracing {
+  // Target percentage of requests managed by this HTTP connection manager that will be force
+  // traced if the :ref:`x-client-trace-id `
+  // header is set. This field is a direct analog for the runtime variable
+  // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager
+  // `.
+  // Default: 100%
+  type.FractionalPercent client_sampling = 1;
+
+  // Target percentage of requests managed by this HTTP connection manager that will be randomly
+  // selected for trace generation, if not requested by the client or not forced. This field is
+  // a direct analog for the runtime variable 'tracing.random_sampling' in the
+  // :ref:`HTTP Connection Manager `.
+  // Default: 100%
+  type.FractionalPercent random_sampling = 2;
+
+  // Target percentage of requests managed by this HTTP connection manager that will be traced
+  // after all other sampling checks have been applied (client-directed, force tracing, random
+  // sampling). This field functions as an upper limit on the total configured sampling rate. For
+  // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1%
+  // of client requests with the appropriate headers to be force traced. This field is a direct
+  // analog for the runtime variable 'tracing.global_enabled' in the
+  // :ref:`HTTP Connection Manager `.
+  // Default: 100%
+  type.FractionalPercent overall_sampling = 3;
+
+  // A list of custom tags with unique tag name to create tags for the active span.
+  // It will take effect after merging with the :ref:`corresponding configuration
+  // `
+  // configured in the HTTP connection manager. If two tags with the same name are configured
+  // each in the HTTP connection manager and the route level, the one configured here takes
+  // priority.
+  repeated type.tracing.v2.CustomTag custom_tags = 4;
+}
+
+// A virtual cluster is a way of specifying a regex matching rule against
+// certain important endpoints such that statistics are generated explicitly for
+// the matched requests. The reason this is useful is that when doing
+// prefix/path matching Envoy does not always know what the application
+// considers to be an endpoint. Thus, it’s impossible for Envoy to generically
+// emit per endpoint statistics. However, often systems have highly critical
+// endpoints that they wish to get “perfect” statistics on. Virtual cluster
+// statistics are perfect in the sense that they are emitted on the downstream
+// side such that they include network level failures.
+//
+// Documentation for :ref:`virtual cluster statistics `.
+//
+// .. note::
+//
+//    Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for
+//    every application endpoint. This is both not easily maintainable and as well the matching and
+//    statistics output are not free.
+message VirtualCluster {
+  // Specifies a regex pattern to use for matching requests. The entire path of the request
+  // must match the regex. The regex grammar used is defined `here
+  // `_.
+  //
+  // Examples:
+  //
+  // * The regex ``/rides/\d+`` matches the path */rides/0*
+  // * The regex ``/rides/\d+`` matches the path */rides/123*
+  // * The regex ``/rides/\d+`` does not match the path */rides/123/456*
+  //
+  // .. attention::
+  //   This field has been deprecated in favor of `headers` as it is not safe for use with
+  //   untrusted input in all cases.
+  string pattern = 1 [
+    deprecated = true,
+    (validate.rules).string = {max_bytes: 1024},
+    (envoy.annotations.disallowed_by_default) = true
+  ];
+
+  // Specifies a list of header matchers to use for matching requests. Each specified header must
+  // match. The pseudo-headers `:path` and `:method` can be used to match the request path and
+  // method, respectively.
+  repeated HeaderMatcher headers = 4;
+
+  // Specifies the name of the virtual cluster. The virtual cluster name as well
+  // as the virtual host name are used when emitting statistics. The statistics are emitted by the
+  // router filter and are documented :ref:`here `.
+  string name = 2 [(validate.rules).string = {min_bytes: 1}];
+
+  // Optionally specifies the HTTP method to match on. For example GET, PUT,
+  // etc.
+  //
+  // .. attention::
+  //   This field has been deprecated in favor of `headers`.
+  core.RequestMethod method = 3
+      [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+}
+
+// Global rate limiting :ref:`architecture overview `.
+message RateLimit {
+  // [#next-free-field: 7]
+  message Action {
+    // The following descriptor entry is appended to the descriptor:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("source_cluster", "")
+    //
+    //  is derived from the :option:`--service-cluster` option.
+    message SourceCluster {
+    }
+
+    // The following descriptor entry is appended to the descriptor:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("destination_cluster", "")
+    //
+    // Once a request matches against a route table rule, a routed cluster is determined by one of
+    // the following :ref:`route table configuration `
+    // settings:
+    //
+    // * :ref:`cluster ` indicates the upstream cluster
+    //   to route to.
+    // * :ref:`weighted_clusters `
+    //   chooses a cluster randomly from a set of clusters with attributed weight.
+    // * :ref:`cluster_header ` indicates which
+    //   header in the request contains the target cluster.
+    message DestinationCluster {
+    }
+
+    // The following descriptor entry is appended when a header contains a key that matches the
+    // *header_name*:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("", "")
+    message RequestHeaders {
+      // The header name to be queried from the request headers. The header’s
+      // value is used to populate the value of the descriptor entry for the
+      // descriptor_key.
+      string header_name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+      // The key to use in the descriptor entry.
+      string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
+    }
+
+    // The following descriptor entry is appended to the descriptor and is populated using the
+    // trusted address from :ref:`x-forwarded-for `:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("remote_address", "")
+    message RemoteAddress {
+    }
+
+    // The following descriptor entry is appended to the descriptor:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("generic_key", "")
+    message GenericKey {
+      // The value to use in the descriptor entry.
+      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
+    }
+
+    // The following descriptor entry is appended to the descriptor:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("header_match", "")
+    message HeaderValueMatch {
+      // The value to use in the descriptor entry.
+      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
+
+      // If set to true, the action will append a descriptor entry when the
+      // request matches the headers. If set to false, the action will append a
+      // descriptor entry when the request does not match the headers. The
+      // default value is true.
+      google.protobuf.BoolValue expect_match = 2;
+
+      // Specifies a set of headers that the rate limit action should match
+      // on. The action will check the request’s headers against all the
+      // specified headers in the config. A match will happen if all the
+      // headers in the config are present in the request with the same values
+      // (or based on presence if the value field is not in the config).
+      repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}];
+    }
+
+    oneof action_specifier {
+      option (validate.required) = true;
+
+      // Rate limit on source cluster.
+      SourceCluster source_cluster = 1;
+
+      // Rate limit on destination cluster.
+      DestinationCluster destination_cluster = 2;
+
+      // Rate limit on request headers.
+      RequestHeaders request_headers = 3;
+
+      // Rate limit on remote address.
+      RemoteAddress remote_address = 4;
+
+      // Rate limit on a generic key.
+      GenericKey generic_key = 5;
+
+      // Rate limit on the existence of request headers.
+      HeaderValueMatch header_value_match = 6;
+    }
+  }
+
+  // Refers to the stage set in the filter. The rate limit configuration only
+  // applies to filters with the same stage number. The default stage number is
+  // 0.
+  //
+  // .. note::
+  //
+  //   The filter supports a range of 0 - 10 inclusively for stage numbers.
+  google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}];
+
+  // The key to be set in runtime to disable this rate limit configuration.
+  string disable_key = 2;
+
+  // A list of actions that are to be applied for this rate limit configuration.
+  // Order matters as the actions are processed sequentially and the descriptor
+  // is composed by appending descriptor entries in that sequence. If an action
+  // cannot append a descriptor entry, no descriptor is generated for the
+  // configuration. See :ref:`composing actions
+  // ` for additional documentation.
+  repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}];
+}
+
+// .. attention::
+//
+//   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host*
+//   header. Thus, if attempting to match on *Host*, match on *:authority* instead.
+//
+// .. attention::
+//
+//   To route on HTTP method, use the special HTTP/2 *:method* header. This works for both
+//   HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g.,
+//
+//   .. code-block:: json
+//
+//     {
+//       "name": ":method",
+//       "exact_match": "POST"
+//     }
+//
+// .. attention::
+//   In the absence of any header match specifier, match will default to :ref:`present_match
+//   `. i.e, a request that has the :ref:`name
+//   ` header will match, regardless of the header's
+//   value.
+//
+//  [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.]
+// [#next-free-field: 12]
+message HeaderMatcher {
+  reserved 2, 3;
+
+  // Specifies the name of the header in the request.
+  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // Specifies how the header match will be performed to route the request.
+  oneof header_match_specifier {
+    // If specified, header match will be performed based on the value of the header.
+    string exact_match = 4;
+
+    // If specified, this regex string is a regular expression rule which implies the entire request
+    // header value must match the regex. The rule will not match if only a subsequence of the
+    // request header value matches the regex. The regex grammar used in the value field is defined
+    // `here `_.
+    //
+    // Examples:
+    //
+    // * The regex ``\d{3}`` matches the value *123*
+    // * The regex ``\d{3}`` does not match the value *1234*
+    // * The regex ``\d{3}`` does not match the value *123.456*
+    //
+    // .. attention::
+    //   This field has been deprecated in favor of `safe_regex_match` as it is not safe for use
+    //   with untrusted input in all cases.
+    string regex_match = 5 [
+      deprecated = true,
+      (validate.rules).string = {max_bytes: 1024},
+      (envoy.annotations.disallowed_by_default) = true
+    ];
+
+    // If specified, this regex string is a regular expression rule which implies the entire request
+    // header value must match the regex. The rule will not match if only a subsequence of the
+    // request header value matches the regex.
+    type.matcher.RegexMatcher safe_regex_match = 11;
+
+    // If specified, header match will be performed based on range.
+    // The rule will match if the request header value is within this range.
+    // The entire request header value must represent an integer in base 10 notation: consisting of
+    // an optional plus or minus sign followed by a sequence of digits. The rule will not match if
+    // the header value does not represent an integer. Match will fail for empty values, floating
+    // point numbers or if only a subsequence of the header value is an integer.
+    //
+    // Examples:
+    //
+    // * For range [-10,0), route will match for header value -1, but not for 0, "somestring", 10.9,
+    //   "-1somestring"
+    type.Int64Range range_match = 6;
+
+    // If specified, header match will be performed based on whether the header is in the
+    // request.
+    bool present_match = 7;
+
+    // If specified, header match will be performed based on the prefix of the header value.
+    // Note: empty prefix is not allowed, please use present_match instead.
+    //
+    // Examples:
+    //
+    // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*.
+    string prefix_match = 9 [(validate.rules).string = {min_bytes: 1}];
+
+    // If specified, header match will be performed based on the suffix of the header value.
+    // Note: empty suffix is not allowed, please use present_match instead.
+    //
+    // Examples:
+    //
+    // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*.
+    string suffix_match = 10 [(validate.rules).string = {min_bytes: 1}];
+  }
+
+  // If specified, the match result will be inverted before checking. Defaults to false.
+  //
+  // Examples:
+  //
+  // * The regex ``\d{3}`` does not match the value *1234*, so it will match when inverted.
+  // * The range [-10,0) will match the value -1, so it will not match when inverted.
+  bool invert_match = 8;
+}
+
+// Query parameter matching treats the query string of a request's :path header
+// as an ampersand-separated list of keys and/or key=value elements.
+// [#next-free-field: 7]
+message QueryParameterMatcher {
+  // Specifies the name of a key that must be present in the requested
+  // *path*'s query string.
+  string name = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 1024}];
+
+  // Specifies the value of the key. If the value is absent, a request
+  // that contains the key in its query string will match, whether the
+  // key appears with a value (e.g., "?debug=true") or not (e.g., "?debug")
+  //
+  // ..attention::
+  //   This field is deprecated. Use an `exact` match inside the `string_match` field.
+  string value = 3 [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+  // Specifies whether the query parameter value is a regular expression.
+  // Defaults to false. The entire query parameter value (i.e., the part to
+  // the right of the equals sign in "key=value") must match the regex.
+  // E.g., the regex ``\d+$`` will match *123* but not *a123* or *123a*.
+  //
+  // ..attention::
+  //   This field is deprecated. Use a `safe_regex` match inside the `string_match` field.
+  google.protobuf.BoolValue regex = 4
+      [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
+
+  oneof query_parameter_match_specifier {
+    // Specifies whether a query parameter value should match against a string.
+    type.matcher.StringMatcher string_match = 5 [(validate.rules).message = {required: true}];
+
+    // Specifies whether a query parameter should be present.
+    bool present_match = 6;
+  }
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto
new file mode 100644
index 00000000000..43f81cf9202
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto
@@ -0,0 +1,107 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "ScopedRouteProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
+
+// [#protodoc-title: HTTP scoped routing configuration]
+// * Routing :ref:`architecture overview `
+
+// Specifies a routing scope, which associates a
+// :ref:`Key` to a
+// :ref:`envoy_api_msg_RouteConfiguration` (identified by its resource name).
+//
+// The HTTP connection manager builds up a table consisting of these Key to
+// RouteConfiguration mappings, and looks up the RouteConfiguration to use per
+// request according to the algorithm specified in the
+// :ref:`scope_key_builder`
+// assigned to the HttpConnectionManager.
+//
+// For example, with the following configurations (in YAML):
+//
+// HttpConnectionManager config:
+//
+// .. code::
+//
+//   ...
+//   scoped_routes:
+//     name: foo-scoped-routes
+//     scope_key_builder:
+//       fragments:
+//         - header_value_extractor:
+//             name: X-Route-Selector
+//             element_separator: ,
+//             element:
+//               separator: =
+//               key: vip
+//
+// ScopedRouteConfiguration resources (specified statically via
+// :ref:`scoped_route_configurations_list`
+// or obtained dynamically via SRDS):
+//
+// .. code::
+//
+//  (1)
+//   name: route-scope1
+//   route_configuration_name: route-config1
+//   key:
+//      fragments:
+//        - string_key: 172.10.10.20
+//
+//  (2)
+//   name: route-scope2
+//   route_configuration_name: route-config2
+//   key:
+//     fragments:
+//       - string_key: 172.20.20.30
+//
+// A request from a client such as:
+//
+// .. code::
+//
+//     GET / HTTP/1.1
+//     Host: foo.com
+//     X-Route-Selector: vip=172.10.10.20
+//
+// would result in the routing table defined by the `route-config1`
+// RouteConfiguration being assigned to the HTTP request/stream.
+//
+message ScopedRouteConfiguration {
+  // Specifies a key which is matched against the output of the
+  // :ref:`scope_key_builder`
+  // specified in the HttpConnectionManager. The matching is done per HTTP
+  // request and is dependent on the order of the fragments contained in the
+  // Key.
+  message Key {
+    message Fragment {
+      oneof type {
+        option (validate.required) = true;
+
+        // A string to match against.
+        string string_key = 1;
+      }
+    }
+
+    // The ordered set of fragments to match against. The order must match the
+    // fragments in the corresponding
+    // :ref:`scope_key_builder`.
+    repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}];
+  }
+
+  // The name assigned to the routing scope.
+  string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // The resource name to use for a :ref:`envoy_api_msg_DiscoveryRequest` to an
+  // RDS server to fetch the :ref:`envoy_api_msg_RouteConfiguration` associated
+  // with this scope.
+  string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}];
+
+  // The key to match against.
+  Key key = 3 [(validate.rules).message = {required: true}];
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
index 224ae070774..f874307d7e1 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
@@ -2,20 +2,24 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-option java_outer_classname = "SrdsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.api.v2";
-option java_generic_services = true;
-
 import "envoy/api/v2/discovery.proto";
 
 import "google/api/annotations.proto";
 
-import "validate/validate.proto";
+import "envoy/annotations/resource.proto";
+import "udpa/annotations/migrate.proto";
 
-// [#protodoc-title: HTTP scoped routing configuration]
+import public "envoy/api/v2/scoped_route.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_outer_classname = "SrdsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3";
+
+// [#protodoc-title: SRDS]
 // * Routing :ref:`architecture overview `
-//
+
 // The Scoped Routes Discovery Service (SRDS) API distributes
 // :ref:`ScopedRouteConfiguration`
 // resources. Each ScopedRouteConfiguration resource represents a "routing
@@ -24,6 +28,8 @@ import "validate/validate.proto";
 // :ref:`RouteConfiguration` message) to each
 // HTTP request.
 service ScopedRoutesDiscoveryService {
+  option (envoy.annotations.resource).type = "envoy.api.v2.ScopedRouteConfiguration";
+
   rpc StreamScopedRoutes(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
   }
 
@@ -31,103 +37,12 @@ service ScopedRoutesDiscoveryService {
   }
 
   rpc FetchScopedRoutes(DiscoveryRequest) returns (DiscoveryResponse) {
-    option (google.api.http) = {
-      post: "/v2/discovery:scoped-routes"
-      body: "*"
-    };
+    option (google.api.http).post = "/v2/discovery:scoped-routes";
+    option (google.api.http).body = "*";
   }
 }
 
-// Specifies a routing scope, which associates a
-// :ref:`Key` to a
-// :ref:`envoy_api_msg_RouteConfiguration` (identified by its resource name).
-//
-// The HTTP connection manager builds up a table consisting of these Key to
-// RouteConfiguration mappings, and looks up the RouteConfiguration to use per
-// request according to the algorithm specified in the
-// :ref:`scope_key_builder`
-// assigned to the HttpConnectionManager.
-//
-// For example, with the following configurations (in YAML):
-//
-// HttpConnectionManager config:
-//
-// .. code::
-//
-//   ...
-//   scoped_routes:
-//     name: foo-scoped-routes
-//     scope_key_builder:
-//       fragments:
-//         - header_value_extractor:
-//             name: X-Route-Selector
-//             element_separator: ,
-//             element:
-//               separator: =
-//               key: vip
-//
-// ScopedRouteConfiguration resources (specified statically via
-// :ref:`scoped_route_configurations_list`
-// or obtained dynamically via SRDS):
-//
-// .. code::
-//
-//  (1)
-//   name: route-scope1
-//   route_configuration_name: route-config1
-//   key:
-//      fragments:
-//        - string_key: 172.10.10.20
-//
-//  (2)
-//   name: route-scope2
-//   route_configuration_name: route-config2
-//   key:
-//     fragments:
-//       - string_key: 172.20.20.30
-//
-// A request from a client such as:
-//
-// .. code::
-//
-//     GET / HTTP/1.1
-//     Host: foo.com
-//     X-Route-Selector: vip=172.10.10.20
-//
-// would result in the routing table defined by the `route-config1`
-// RouteConfiguration being assigned to the HTTP request/stream.
-//
-// [#comment:next free field: 4]
-message ScopedRouteConfiguration {
-  // Specifies a key which is matched against the output of the
-  // :ref:`scope_key_builder`
-  // specified in the HttpConnectionManager. The matching is done per HTTP
-  // request and is dependent on the order of the fragments contained in the
-  // Key.
-  message Key {
-    message Fragment {
-      oneof type {
-        option (validate.required) = true;
-
-        // A string to match against.
-        string string_key = 1;
-      }
-    }
-
-    // The ordered set of fragments to match against. The order must match the
-    // fragments in the corresponding
-    // :ref:`scope_key_builder`.
-    repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}];
-  }
-
-  // The name assigned to the routing scope.
-  string name = 1 [(validate.rules).string = {min_bytes: 1}];
-
-  // The resource name to use for a :ref:`envoy_api_msg_DiscoveryRequest` to an
-  // RDS server to fetch the :ref:`envoy_api_msg_RouteConfiguration` associated
-  // with this scope.
-  string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}];
-
-  // The key to match against.
-  Key key = 3 [(validate.rules).message = {required: true}];
+// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
+// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file.
+message SrdsDummy {
 }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
index 8810e050e95..8a525dee910 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
@@ -2,28 +2,30 @@ syntax = "proto3";
 
 package envoy.config.filter.accesslog.v2;
 
-option java_outer_classname = "AccesslogProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.config.filter.accesslog.v2";
-
 import "envoy/api/v2/core/base.proto";
-import "envoy/api/v2/route/route.proto";
+import "envoy/api/v2/route/route_components.proto";
 import "envoy/type/percent.proto";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.config.filter.accesslog.v2";
+option java_outer_classname = "AccesslogProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.accesslog.v3";
+
 // [#protodoc-title: Common access log types]
 
 message AccessLog {
   // The name of the access log implementation to instantiate. The name must
   // match a statically registered access log. Current built-in loggers include:
   //
-  // #. "envoy.file_access_log"
-  // #. "envoy.http_grpc_access_log"
-  // #. "envoy.tcp_grpc_access_log"
+  // #. "envoy.access_loggers.file"
+  // #. "envoy.access_loggers.http_grpc"
+  // #. "envoy.access_loggers.tcp_grpc"
   string name = 1;
 
   // Filter which is used to determine if the access log needs to be written.
@@ -32,19 +34,20 @@ message AccessLog {
   // Custom configuration that depends on the access log being instantiated. Built-in
   // configurations include:
   //
-  // #. "envoy.file_access_log": :ref:`FileAccessLog
+  // #. "envoy.access_loggers.file": :ref:`FileAccessLog
   //    `
-  // #. "envoy.http_grpc_access_log": :ref:`HttpGrpcAccessLogConfig
+  // #. "envoy.access_loggers.http_grpc": :ref:`HttpGrpcAccessLogConfig
   //    `
-  // #. "envoy.tcp_grpc_access_log": :ref:`TcpGrpcAccessLogConfig
+  // #. "envoy.access_loggers.tcp_grpc": :ref:`TcpGrpcAccessLogConfig
   //    `
   oneof config_type {
-    google.protobuf.Struct config = 3;
+    google.protobuf.Struct config = 3 [deprecated = true];
 
     google.protobuf.Any typed_config = 4;
   }
 }
 
+// [#next-free-field: 12]
 message AccessLogFilter {
   oneof filter_specifier {
     option (validate.required) = true;
@@ -199,6 +202,7 @@ message ResponseFlagFilter {
         in: "URX"
         in: "SI"
         in: "IH"
+        in: "DPE"
       }
     }
   }];
@@ -243,7 +247,7 @@ message ExtensionFilter {
 
   // Custom configuration that depends on the filter being instantiated.
   oneof config_type {
-    google.protobuf.Struct config = 2;
+    google.protobuf.Struct config = 2 [deprecated = true];
 
     google.protobuf.Any typed_config = 3;
   }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
index efdfb4be939..13dc6ffaec1 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@@ -2,28 +2,34 @@ syntax = "proto3";
 
 package envoy.config.filter.network.http_connection_manager.v2;
 
-option java_outer_classname = "HttpConnectionManagerProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2";
-
 import "envoy/api/v2/core/config_source.proto";
 import "envoy/api/v2/core/protocol.proto";
-import "envoy/api/v2/rds.proto";
-import "envoy/api/v2/srds.proto";
+import "envoy/api/v2/route.proto";
+import "envoy/api/v2/scoped_route.proto";
 import "envoy/config/filter/accesslog/v2/accesslog.proto";
 import "envoy/type/percent.proto";
+import "envoy/type/tracing/v2/custom_tag.proto";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2";
+option java_outer_classname = "HttpConnectionManagerProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package =
+    "envoy.extensions.filters.network.http_connection_manager.v3";
+
 // [#protodoc-title: HTTP connection manager]
 // HTTP connection manager :ref:`configuration overview `.
+// [#extension: envoy.filters.network.http_connection_manager]
 
-// [#comment:next free field: 35]
+// [#next-free-field: 36]
 message HttpConnectionManager {
   enum CodecType {
     // For every new connection, the connection manager will determine which
@@ -40,6 +46,11 @@ message HttpConnectionManager {
     // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN.
     // Prior knowledge is allowed).
     HTTP2 = 2;
+
+    // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with
+    // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient
+    // to distinguish HTTP1 and HTTP2 traffic.
+    HTTP3 = 3;
   }
 
   enum ServerHeaderTransformation {
@@ -78,6 +89,7 @@ message HttpConnectionManager {
     ALWAYS_FORWARD_ONLY = 4;
   }
 
+  // [#next-free-field: 9]
   message Tracing {
     enum OperationName {
       // The HTTP listener is used for ingress/incoming requests.
@@ -93,13 +105,20 @@ message HttpConnectionManager {
     //
     // .. attention::
     //  This field has been deprecated in favor of `traffic_direction`.
-    OperationName operation_name = 1
-        [(validate.rules).enum = {defined_only: true}, deprecated = true];
+    OperationName operation_name = 1 [
+      deprecated = true,
+      (validate.rules).enum = {defined_only: true},
+      (envoy.annotations.disallowed_by_default) = true
+    ];
 
     // A list of header names used to create tags for the active span. The header name is used to
     // populate the tag name, and the header value is used to populate the tag value. The tag is
     // created if the specified header name is present in the request's headers.
-    repeated string request_headers_for_tags = 2;
+    //
+    // .. attention::
+    //  This field has been deprecated in favor of :ref:`custom_tags
+    //  `.
+    repeated string request_headers_for_tags = 2 [deprecated = true];
 
     // Target percentage of requests managed by this HTTP connection manager that will be force
     // traced if the :ref:`x-client-trace-id `
@@ -134,6 +153,9 @@ message HttpConnectionManager {
     // truncate lengthy request paths to meet the needs of a tracing backend.
     // Default: 256
     google.protobuf.UInt32Value max_path_tag_length = 7;
+
+    // A list of custom tags with unique tag name to create tags for the active span.
+    repeated type.tracing.v2.CustomTag custom_tags = 8;
   }
 
   message InternalAddressConfig {
@@ -141,7 +163,7 @@ message HttpConnectionManager {
     bool unix_sockets = 1;
   }
 
-  // [#comment:next free field: 7]
+  // [#next-free-field: 7]
   message SetCurrentClientCertDetails {
     reserved 2;
 
@@ -239,6 +261,10 @@ message HttpConnectionManager {
   // `.
   Tracing tracing = 7;
 
+  // Additional settings for HTTP requests handled by the connection manager. These will be
+  // applicable to both HTTP1 and HTTP2 requests.
+  api.v2.core.HttpProtocolOptions common_http_protocol_options = 35;
+
   // Additional HTTP/1 settings that are passed to the HTTP/1 codec.
   api.v2.core.Http1ProtocolOptions http_protocol_options = 8;
 
@@ -267,10 +293,12 @@ message HttpConnectionManager {
   // idle timeout is defined as the period in which there are no active
   // requests. If not set, there is no idle timeout. When the idle timeout is
   // reached the connection will be closed. If the connection is an HTTP/2
-  // connection a drain sequence will occur prior to closing the connection. See
-  // :ref:`drain_timeout
-  // `.
-  google.protobuf.Duration idle_timeout = 11;
+  // connection a drain sequence will occur prior to closing the connection.
+  // This field is deprecated. Use :ref:`idle_timeout
+  // `
+  // instead.
+  google.protobuf.Duration idle_timeout = 11
+      [deprecated = true, (envoy.annotations.disallowed_by_default) = true];
 
   // The stream idle timeout for connections managed by the connection manager.
   // If not specified, this defaults to 5 minutes. The default value was selected
@@ -340,7 +368,7 @@ message HttpConnectionManager {
   // .. NOTE::
   //    To be useful in avoiding the race condition described above, this timeout must be set
   //    to *at least* +<100ms to account for
-  //    a reasonsable "worst" case processing time for a full iteration of Envoy's event loop>.
+  //    a reasonable "worst" case processing time for a full iteration of Envoy's event loop>.
   //
   // .. WARNING::
   //    A value of 0 will completely disable delayed close processing. When disabled, the downstream
@@ -475,6 +503,7 @@ message ScopedRouteConfigurationsList {
       [(validate.rules).repeated = {min_items: 1}];
 }
 
+// [#next-free-field: 6]
 message ScopedRoutes {
   // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These
   // keys are matched against a set of :ref:`Key`
@@ -547,7 +576,9 @@ message ScopedRoutes {
       }
     }
 
-    // The final scope key consists of the ordered union of these fragments.
+    // The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the
+    // fragments of a :ref:`ScopedRouteConfiguration`.
+    // A missing fragment during comparison will make the key invalid, i.e., the computed key doesn't match any key.
     repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}];
   }
 
@@ -597,7 +628,7 @@ message HttpFilter {
   // Filter specific configuration which depends on the filter being instantiated. See the supported
   // filters for further documentation.
   oneof config_type {
-    google.protobuf.Struct config = 2;
+    google.protobuf.Struct config = 2 [deprecated = true];
 
     google.protobuf.Any typed_config = 4;
   }
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto
index 0c2253596e4..3f974cad9e6 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto
@@ -2,19 +2,23 @@ syntax = "proto3";
 
 package envoy.config.listener.v2;
 
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/migrate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.listener.v2";
 option java_outer_classname = "ApiListenerProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.config.listener.v2";
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
 
-import "google/protobuf/any.proto";
+// [#protodoc-title: API listener]
 
-// [#not-implemented-hide:]
 // Describes a type of API listener, which is used in non-proxy clients. The type of API
 // exposed to the non-proxy application depends on the type of API listener.
 message ApiListener {
   // The type in this field determines the type of API listener. At present, the following
   // types are supported:
-  //   envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager (HTTP)
+  // envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager (HTTP)
   // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the
   // specific config message for each type of API listener. We could not do this in v2 because
   // it would have caused circular dependencies for go protos: lds.proto depends on this file,
diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto
index 63b129069ed..01759e5f1b3 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto
@@ -2,12 +2,14 @@ syntax = "proto3";
 
 package envoy.service.discovery.v2;
 
+import "envoy/api/v2/discovery.proto";
+
+option java_package = "io.envoyproxy.envoy.service.discovery.v2";
 option java_outer_classname = "AdsProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.service.discovery.v2";
 option java_generic_services = true;
 
-import "envoy/api/v2/discovery.proto";
+// [#protodoc-title: Aggregated Discovery Service (ADS)]
 
 // [#not-implemented-hide:] Discovery services for endpoints, clusters, routes,
 // and listeners are retained in the package `envoy.api.v2` for backwards
diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto
index 7e9ae261a36..6a131ad413b 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto
@@ -2,32 +2,38 @@ syntax = "proto3";
 
 package envoy.service.discovery.v2;
 
-option java_outer_classname = "SdsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.service.discovery.v2";
-
 import "envoy/api/v2/discovery.proto";
 
 import "google/api/annotations.proto";
 
-// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
-// services: https://github.com/google/protobuf/issues/4221
-message SdsDummy {
-}
+import "envoy/annotations/resource.proto";
+import "udpa/annotations/migrate.proto";
+
+option java_package = "io.envoyproxy.envoy.service.discovery.v2";
+option java_outer_classname = "SdsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.service.secret.v3";
+
+// [#protodoc-title: Secret Discovery Service (SDS)]
 
 service SecretDiscoveryService {
-  rpc DeltaSecrets(stream envoy.api.v2.DeltaDiscoveryRequest)
-      returns (stream envoy.api.v2.DeltaDiscoveryResponse) {
+  option (envoy.annotations.resource).type = "envoy.api.v2.auth.Secret";
+
+  rpc DeltaSecrets(stream api.v2.DeltaDiscoveryRequest)
+      returns (stream api.v2.DeltaDiscoveryResponse) {
   }
 
-  rpc StreamSecrets(stream envoy.api.v2.DiscoveryRequest)
-      returns (stream envoy.api.v2.DiscoveryResponse) {
+  rpc StreamSecrets(stream api.v2.DiscoveryRequest) returns (stream api.v2.DiscoveryResponse) {
   }
 
-  rpc FetchSecrets(envoy.api.v2.DiscoveryRequest) returns (envoy.api.v2.DiscoveryResponse) {
-    option (google.api.http) = {
-      post: "/v2/discovery:secrets"
-      body: "*"
-    };
+  rpc FetchSecrets(api.v2.DiscoveryRequest) returns (api.v2.DiscoveryResponse) {
+    option (google.api.http).post = "/v2/discovery:secrets";
+    option (google.api.http).body = "*";
   }
 }
+
+// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
+// services: https://github.com/google/protobuf/issues/4221
+message SdsDummy {
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto b/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto
index d7029db0b5e..a82d703de8c 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto
@@ -2,11 +2,6 @@ syntax = "proto3";
 
 package envoy.service.load_stats.v2;
 
-option java_outer_classname = "LrsProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.service.load_stats.v2";
-option java_generic_services = true;
-
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/endpoint/load_report.proto";
 
@@ -14,6 +9,11 @@ import "google/protobuf/duration.proto";
 
 import "validate/validate.proto";
 
+option java_package = "io.envoyproxy.envoy.service.load_stats.v2";
+option java_outer_classname = "LrsProto";
+option java_multiple_files = true;
+option java_generic_services = true;
+
 // [#protodoc-title: Load reporting service]
 
 service LoadReportingService {
@@ -53,10 +53,10 @@ service LoadReportingService {
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 message LoadStatsRequest {
   // Node identifier for Envoy instance.
-  envoy.api.v2.core.Node node = 1;
+  api.v2.core.Node node = 1;
 
   // A list of load stats to report.
-  repeated envoy.api.v2.endpoint.ClusterStats cluster_stats = 2;
+  repeated api.v2.endpoint.ClusterStats cluster_stats = 2;
 }
 
 // The management server sends envoy a LoadStatsResponse with all clusters it
@@ -64,7 +64,7 @@ message LoadStatsRequest {
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 message LoadStatsResponse {
   // Clusters to report stats for.
-  repeated string clusters = 1 [(validate.rules).repeated .min_items = 1];
+  repeated string clusters = 1 [(validate.rules).repeated = {min_items: 1}];
 
   // The minimum interval of time to collect stats over. This is only a minimum for two reasons:
   // 1. There may be some delay from when the timer fires until stats sampling occurs.
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/http.proto b/xds/third_party/envoy/src/main/proto/envoy/type/http.proto
new file mode 100644
index 00000000000..12160c6354a
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/http.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package envoy.type;
+
+option java_package = "io.envoyproxy.envoy.type";
+option java_outer_classname = "HttpProto";
+option java_multiple_files = true;
+
+// [#protodoc-title: HTTP]
+
+enum CodecClientType {
+  HTTP1 = 0;
+
+  HTTP2 = 1;
+
+  // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with
+  // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient
+  // to distinguish HTTP1 and HTTP2 traffic.
+  HTTP3 = 2;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto
index 98819364d9e..2dd5bbe047c 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto
@@ -2,15 +2,15 @@ syntax = "proto3";
 
 package envoy.type.matcher;
 
-option java_outer_classname = "RegexProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.type.matcher";
-
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
 
-// [#protodoc-title: RegexMatcher]
+option java_package = "io.envoyproxy.envoy.type.matcher";
+option java_outer_classname = "RegexProto";
+option java_multiple_files = true;
+
+// [#protodoc-title: Regex matcher]
 
 // A regex matcher designed for safety when used with untrusted input.
 message RegexMatcher {
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto
index f926af343fd..2cbfc247649 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto
@@ -2,17 +2,19 @@ syntax = "proto3";
 
 package envoy.type.matcher;
 
-option java_outer_classname = "StringProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.type.matcher";
-
 import "envoy/type/matcher/regex.proto";
 
+import "envoy/annotations/deprecation.proto";
 import "validate/validate.proto";
 
-// [#protodoc-title: StringMatcher]
+option java_package = "io.envoyproxy.envoy.type.matcher";
+option java_outer_classname = "StringProto";
+option java_multiple_files = true;
+
+// [#protodoc-title: String matcher]
 
 // Specifies the way to match a string.
+// [#next-free-field: 7]
 message StringMatcher {
   oneof match_pattern {
     option (validate.required) = true;
@@ -53,11 +55,20 @@ message StringMatcher {
     // .. attention::
     //   This field has been deprecated in favor of `safe_regex` as it is not safe for use with
     //   untrusted input in all cases.
-    string regex = 4 [(validate.rules).string = {max_bytes: 1024}, deprecated = true];
+    string regex = 4 [
+      deprecated = true,
+      (validate.rules).string = {max_bytes: 1024},
+      (envoy.annotations.disallowed_by_default) = true
+    ];
 
     // The input string must match the regular expression specified here.
     RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}];
   }
+
+  // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no
+  // effect for the safe_regex match.
+  // For example, the matcher *data* will match both input string *Data* and *data* if set to true.
+  bool ignore_case = 6;
 }
 
 // Specifies a list of ways to match a string.
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto
new file mode 100644
index 00000000000..67653519ba9
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto
@@ -0,0 +1,97 @@
+syntax = "proto3";
+
+package envoy.type.metadata.v2;
+
+import "udpa/annotations/migrate.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.metadata.v2";
+option java_outer_classname = "MetadataProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.type.metadata.v3";
+
+// [#protodoc-title: Metadata]
+
+// MetadataKey provides a general interface using `key` and `path` to retrieve value from
+// :ref:`Metadata `.
+//
+// For example, for the following Metadata:
+//
+// .. code-block:: yaml
+//
+//    filter_metadata:
+//      envoy.xxx:
+//        prop:
+//          foo: bar
+//          xyz:
+//            hello: envoy
+//
+// The following MetadataKey will retrieve a string value "bar" from the Metadata.
+//
+// .. code-block:: yaml
+//
+//    key: envoy.xxx
+//    path:
+//    - key: prop
+//    - key: foo
+//
+message MetadataKey {
+  // Specifies the segment in a path to retrieve value from Metadata.
+  // Currently it is only supported to specify the key, i.e. field name, as one segment of a path.
+  message PathSegment {
+    oneof segment {
+      option (validate.required) = true;
+
+      // If specified, use the key to retrieve the value in a Struct.
+      string key = 1 [(validate.rules).string = {min_bytes: 1}];
+    }
+  }
+
+  // The key name of Metadata to retrieve the Struct from the metadata.
+  // Typically, it represents a builtin subsystem or custom extension.
+  string key = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // The path to retrieve the Value from the Struct. It can be a prefix or a full path,
+  // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example,
+  // which depends on the particular scenario.
+  //
+  // Note: Due to that only the key type segment is supported, the path can not specify a list
+  // unless the list is the last segment.
+  repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];
+}
+
+// Describes what kind of metadata.
+message MetadataKind {
+  // Represents dynamic metadata associated with the request.
+  message Request {
+  }
+
+  // Represents metadata from :ref:`the route`.
+  message Route {
+  }
+
+  // Represents metadata from :ref:`the upstream cluster`.
+  message Cluster {
+  }
+
+  // Represents metadata from :ref:`the upstream
+  // host`.
+  message Host {
+  }
+
+  oneof kind {
+    option (validate.required) = true;
+
+    // Request kind of metadata.
+    Request request = 1;
+
+    // Route kind of metadata.
+    Route route = 2;
+
+    // Cluster kind of metadata.
+    Cluster cluster = 3;
+
+    // Host kind of metadata.
+    Host host = 4;
+  }
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto b/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto
index 6d0868fd0ed..3420342dee2 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto
@@ -2,11 +2,11 @@ syntax = "proto3";
 
 package envoy.type;
 
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type";
 option java_outer_classname = "PercentProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.type";
-
-import "validate/validate.proto";
 
 // [#protodoc-title: Percent]
 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/range.proto b/xds/third_party/envoy/src/main/proto/envoy/type/range.proto
index f31cf32f07c..e550ca19bfc 100644
--- a/xds/third_party/envoy/src/main/proto/envoy/type/range.proto
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/range.proto
@@ -2,9 +2,9 @@ syntax = "proto3";
 
 package envoy.type;
 
+option java_package = "io.envoyproxy.envoy.type";
 option java_outer_classname = "RangeProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.type";
 
 // [#protodoc-title: Range]
 
@@ -18,6 +18,16 @@ message Int64Range {
   int64 end = 2;
 }
 
+// Specifies the int32 start and end of the range using half-open interval semantics [start,
+// end).
+message Int32Range {
+  // start of the range (inclusive)
+  int32 start = 1;
+
+  // end of the range (exclusive)
+  int32 end = 2;
+}
+
 // Specifies the double start and end of the range using half-open interval semantics [start,
 // end).
 message DoubleRange {
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto b/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto
new file mode 100644
index 00000000000..a7dbf7ebd6e
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package envoy.type;
+
+option java_package = "io.envoyproxy.envoy.type";
+option java_outer_classname = "SemanticVersionProto";
+option java_multiple_files = true;
+
+// [#protodoc-title: Semantic Version]
+
+// Envoy uses SemVer (https://semver.org/). Major/minor versions indicate
+// expected behaviors and APIs, the patch version field is used only
+// for security fixes and can be generally ignored.
+message SemanticVersion {
+  uint32 major_number = 1;
+
+  uint32 minor_number = 2;
+
+  uint32 patch = 3;
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto
new file mode 100644
index 00000000000..683a5c53677
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto
@@ -0,0 +1,83 @@
+syntax = "proto3";
+
+package envoy.type.tracing.v2;
+
+import "envoy/type/metadata/v2/metadata.proto";
+
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.tracing.v2";
+option java_outer_classname = "CustomTagProto";
+option java_multiple_files = true;
+
+// [#protodoc-title: Custom Tag]
+
+// Describes custom tags for the active span.
+// [#next-free-field: 6]
+message CustomTag {
+  // Literal type custom tag with static value for the tag value.
+  message Literal {
+    // Static literal value to populate the tag value.
+    string value = 1 [(validate.rules).string = {min_bytes: 1}];
+  }
+
+  // Environment type custom tag with environment name and default value.
+  message Environment {
+    // Environment variable name to obtain the value to populate the tag value.
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // When the environment variable is not found,
+    // the tag value will be populated with this default value if specified,
+    // otherwise no tag will be populated.
+    string default_value = 2;
+  }
+
+  // Header type custom tag with header name and default value.
+  message Header {
+    // Header name to obtain the value to populate the tag value.
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // When the header does not exist,
+    // the tag value will be populated with this default value if specified,
+    // otherwise no tag will be populated.
+    string default_value = 2;
+  }
+
+  // Metadata type custom tag using
+  // :ref:`MetadataKey ` to retrieve the protobuf value
+  // from :ref:`Metadata `, and populate the tag value with
+  // `the canonical JSON `_
+  // representation of it.
+  message Metadata {
+    // Specify what kind of metadata to obtain tag value from.
+    metadata.v2.MetadataKind kind = 1;
+
+    // Metadata key to define the path to retrieve the tag value.
+    metadata.v2.MetadataKey metadata_key = 2;
+
+    // When no valid metadata is found,
+    // the tag value would be populated with this default value if specified,
+    // otherwise no tag would be populated.
+    string default_value = 3;
+  }
+
+  // Used to populate the tag name.
+  string tag = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // Used to specify what kind of custom tag.
+  oneof type {
+    option (validate.required) = true;
+
+    // A literal custom tag.
+    Literal literal = 2;
+
+    // An environment custom tag.
+    Environment environment = 3;
+
+    // A request header custom tag.
+    Header request_header = 4;
+
+    // A custom tag to obtain tag value from the metadata.
+    Metadata metadata = 5;
+  }
+}
diff --git a/xds/third_party/udpa/import.sh b/xds/third_party/udpa/import.sh
index 0cd18d3dbf1..68d577ebc2d 100755
--- a/xds/third_party/udpa/import.sh
+++ b/xds/third_party/udpa/import.sh
@@ -18,12 +18,14 @@
 set -e
 BRANCH=master
 # import VERSION from one of the google internal CLs
-VERSION=94324803a497c8f76dbc78df393ef629d3a9f3c3
+VERSION=edbea6a78f6d1ba34edc69c53a396b1d88d59651
 GIT_REPO="https://github.com/cncf/udpa.git"
 GIT_BASE_DIR=udpa
 SOURCE_PROTO_BASE_DIR=udpa
 TARGET_PROTO_BASE_DIR=src/main/proto
 FILES=(
+udpa/annotations/migrate.proto
+udpa/annotations/sensitive.proto
 udpa/data/orca/v1/orca_load_report.proto
 udpa/service/orca/v1/orca.proto
 )
diff --git a/xds/third_party/udpa/src/main/proto/udpa/annotations/migrate.proto b/xds/third_party/udpa/src/main/proto/udpa/annotations/migrate.proto
new file mode 100644
index 00000000000..1c42a6404dc
--- /dev/null
+++ b/xds/third_party/udpa/src/main/proto/udpa/annotations/migrate.proto
@@ -0,0 +1,49 @@
+syntax = "proto3";
+
+package udpa.annotations;
+
+import "google/protobuf/descriptor.proto";
+
+// Magic number in this file derived from top 28bit of SHA256 digest of
+// "udpa.annotation.migrate".
+
+extend google.protobuf.MessageOptions {
+  MigrateAnnotation message_migrate = 171962766;
+}
+
+extend google.protobuf.FieldOptions {
+  FieldMigrateAnnotation field_migrate = 171962766;
+}
+
+extend google.protobuf.EnumOptions {
+  MigrateAnnotation enum_migrate = 171962766;
+}
+
+extend google.protobuf.EnumValueOptions {
+  MigrateAnnotation enum_value_migrate = 171962766;
+}
+
+extend google.protobuf.FileOptions {
+  FileMigrateAnnotation file_migrate = 171962766;
+}
+
+message MigrateAnnotation {
+  // Rename the message/enum/enum value in next version.
+  string rename = 1;
+}
+
+message FieldMigrateAnnotation {
+  // Rename the field in next version.
+  string rename = 1;
+
+  // Add the field to a named oneof in next version. If this already exists, the
+  // field will join its siblings under the oneof, otherwise a new oneof will be
+  // created with the given name.
+  string oneof_promotion = 2;
+}
+
+message FileMigrateAnnotation {
+  // Move all types in the file to another package, this implies changing proto
+  // file path.
+  string move_to_package = 2;
+}
diff --git a/xds/third_party/udpa/src/main/proto/udpa/annotations/sensitive.proto b/xds/third_party/udpa/src/main/proto/udpa/annotations/sensitive.proto
new file mode 100644
index 00000000000..8dc921f24b5
--- /dev/null
+++ b/xds/third_party/udpa/src/main/proto/udpa/annotations/sensitive.proto
@@ -0,0 +1,14 @@
+syntax = "proto3";
+
+package udpa.annotations;
+
+import "google/protobuf/descriptor.proto";
+
+extend google.protobuf.FieldOptions {
+  // Magic number is the 28 most significant bits in the sha256sum of "udpa.annotations.sensitive".
+  // When set to true, `sensitive` indicates that this field contains sensitive data, such as
+  // personally identifiable information, passwords, or private keys, and should be redacted for
+  // display by tools aware of this annotation. Note that that this has no effect on standard
+  // Protobuf functions such as `TextFormat::PrintToString`.
+  bool sensitive = 76569463;
+}