diff --git a/api/XDS_PROTOCOL.md b/api/XDS_PROTOCOL.md
index 75f7d8f54e0ce..2401c15c9309f 100644
--- a/api/XDS_PROTOCOL.md
+++ b/api/XDS_PROTOCOL.md
@@ -45,6 +45,7 @@ correspondence between an xDS API and a resource type. That is:
 
 * [LDS: `envoy.api.v2.Listener`](envoy/api/v2/lds.proto)
 * [RDS: `envoy.api.v2.RouteConfiguration`](envoy/api/v2/rds.proto)
+* [VHDS: `envoy.api.v2.Vhds`](envoy/api/v2/rds.proto)
 * [CDS: `envoy.api.v2.Cluster`](envoy/api/v2/cds.proto)
 * [EDS: `envoy.api.v2.ClusterLoadAssignment`](envoy/api/v2/eds.proto)
 * [SDS: `envoy.api.v2.Auth.Secret`](envoy/api/v2/auth/cert.proto)
@@ -245,7 +246,8 @@ In general, to avoid traffic drop, sequencing of updates should follow a
 * CDS updates (if any) must always be pushed first.
 * EDS updates (if any) must arrive after CDS updates for the respective clusters.
 * LDS updates must arrive after corresponding CDS/EDS updates.
-* RDS updates related to the newly added listeners must arrive in the end.
+* RDS updates related to the newly added listeners must arrive after CDS/EDS/LDS updates.
+* VHDS updates (if any) related to the newly added RouteConfigurations must arrive after RDS updates.
 * Stale CDS clusters and related EDS endpoints (ones no longer being
   referenced) can then be removed.
 
diff --git a/api/envoy/api/v2/BUILD b/api/envoy/api/v2/BUILD
index f0327f8df8f9d..66efb5d30ec5e 100644
--- a/api/envoy/api/v2/BUILD
+++ b/api/envoy/api/v2/BUILD
@@ -129,6 +129,7 @@ api_proto_library_internal(
     deps = [
         ":discovery",
         "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:config_source",
         "//envoy/api/v2/route",
     ],
 )
@@ -139,6 +140,7 @@ api_go_grpc_library(
     deps = [
         ":discovery_go_proto",
         "//envoy/api/v2/core:base_go_proto",
+        "//envoy/api/v2/core:config_source_go_proto",
         "//envoy/api/v2/route:route_go_proto",
     ],
 )
diff --git a/api/envoy/api/v2/rds.proto b/api/envoy/api/v2/rds.proto
index d75b68af6791f..5dd58d62d9dc2 100644
--- a/api/envoy/api/v2/rds.proto
+++ b/api/envoy/api/v2/rds.proto
@@ -9,6 +9,7 @@ option java_package = "io.envoyproxy.envoy.api.v2";
 option java_generic_services = true;
 
 import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/config_source.proto";
 import "envoy/api/v2/discovery.proto";
 import "envoy/api/v2/route/route.proto";
 
@@ -44,7 +45,23 @@ service RouteDiscoveryService {
   }
 }
 
-// [#comment:next free field: 9]
+// Virtual Host Discovery Service (VHDS) is used to dynamically update the list of virtual hosts for
+// a given RouteConfiguration. If VHDS is configured a virtual host list update will be triggerred
+// during the processing of an HTTP request if a route for the request cannot be resolved. The
+// :ref:`resource_names_subscribe <envoy_api_msg_DeltaDiscoveryRequest.resource_names_subscribe>`
+// field contains a list of virtual host names or aliases to track. The contents of an alias would
+// be the contents of a *host* or *authority* header used to make an http request. An xDS server
+// will match an alias to a virtual host based on the content of :ref:`domains'
+// <envoy_api_msg_route.VirtualHost.domains>` field. The *resource_names_unsubscribe* field contains
+// a list of virtual host names that have been `unsubscribed
+// <https://github.com/envoyproxy/envoy/blob/master/api/XDS_PROTOCOL.md#unsubscribing-from-resources>`_
+// from the routing table associated with the RouteConfiguration.
+service VirtualHostDiscoveryService {
+  rpc DeltaVirtualHosts(stream DeltaDiscoveryRequest) returns (stream DeltaDiscoveryResponse) {
+  }
+}
+
+// [#comment:next free field: 10]
 message RouteConfiguration {
   // The name of the route configuration. For example, it might match
   // :ref:`route_config_name
@@ -55,6 +72,15 @@ message RouteConfiguration {
   // An array of virtual hosts that make up the route table.
   repeated route.VirtualHost virtual_hosts = 2 [(gogoproto.nullable) = false];
 
+  // An array of virtual hosts will be dynamically loaded via the VHDS API.
+  // Both *virtual_hosts* and *vhds* fields will be used when present. *virtual_hosts* can be used
+  // for a base routing table or for infrequently changing virtual hosts. *vhds* is used for
+  // on-demand discovery of virtual hosts. The contents of these two fields will be merged to
+  // generate a routing table for a given RouteConfiguration, with *vhds* derived configuration
+  // taking precedence.
+  // [#not-implemented-hide:]
+  Vhds vhds = 9;
+
   // Optionally specifies a list of HTTP headers that the connection manager
   // will consider to be internal only. If they are found on external requests they will be cleaned
   // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
@@ -102,3 +128,10 @@ message RouteConfiguration {
   // using CDS with a static route table).
   google.protobuf.BoolValue validate_clusters = 7;
 }
+
+// [#not-implemented-hide:]
+message Vhds {
+  // Configuration source specifier for VHDS.
+  envoy.api.v2.core.ConfigSource config_source = 1
+      [(validate.rules).message.required = true, (gogoproto.nullable) = false];
+}
\ No newline at end of file
diff --git a/tools/spelling_dictionary.txt b/tools/spelling_dictionary.txt
index b94e12951480b..e4e858d3c43bd 100644
--- a/tools/spelling_dictionary.txt
+++ b/tools/spelling_dictionary.txt
@@ -254,6 +254,7 @@ UTF
 UUID
 UUIDs
 VH
+VHDS
 VLOG
 WKT
 WRR