diff --git a/mixer/adapter/model/v1beta1/infrastructure_backend.pb.go b/mixer/adapter/model/v1beta1/infrastructure_backend.pb.go
index 2ac30899c0..1e0dadb837 100644
--- a/mixer/adapter/model/v1beta1/infrastructure_backend.pb.go
+++ b/mixer/adapter/model/v1beta1/infrastructure_backend.pb.go
@@ -470,7 +470,7 @@ type InfrastructureBackendClient interface {
 	//
 	// Backend is allowed to return the same session id if given the same configuration block.
 	// This would happen when multiple instances of Mixer in a deployment all create sessions with the same configuration.
-	// Note that given individial instances of Mixer can call `CloseSession`, reusing `session_id` by the backend
+	// Note that given individual instances of Mixer can call `CloseSession`, reusing `session_id` by the backend
 	// assumes that the backend is doing reference counting.
 	//
 	// If the backend couldn't create a session for a specific handler configuration and
@@ -538,7 +538,7 @@ type InfrastructureBackendServer interface {
 	//
 	// Backend is allowed to return the same session id if given the same configuration block.
 	// This would happen when multiple instances of Mixer in a deployment all create sessions with the same configuration.
-	// Note that given individial instances of Mixer can call `CloseSession`, reusing `session_id` by the backend
+	// Note that given individual instances of Mixer can call `CloseSession`, reusing `session_id` by the backend
 	// assumes that the backend is doing reference counting.
 	//
 	// If the backend couldn't create a session for a specific handler configuration and
diff --git a/mixer/adapter/model/v1beta1/infrastructure_backend.proto b/mixer/adapter/model/v1beta1/infrastructure_backend.proto
index 0522d09c27..71839d26b9 100644
--- a/mixer/adapter/model/v1beta1/infrastructure_backend.proto
+++ b/mixer/adapter/model/v1beta1/infrastructure_backend.proto
@@ -31,7 +31,7 @@ import "google/rpc/status.proto";
 // out of process adapter.
 //
 // `InfrastructureBackend` allows Mixer and the backends to have a session based model. In a session based model, Mixer passes
-// the relevant configuration state to the backend only once and estabilshes a session using a session identifier.
+// the relevant configuration state to the backend only once and establishes a session using a session identifier.
 // All future communications between Mixer and the backend uses the session identifier which refers to the previously
 // passed in configuration data.
 //
@@ -59,7 +59,7 @@ service InfrastructureBackend {
     //
     // Backend is allowed to return the same session id if given the same configuration block.
     // This would happen when multiple instances of Mixer in a deployment all create sessions with the same configuration.
-    // Note that given individial instances of Mixer can call `CloseSession`, reusing `session_id` by the backend
+    // Note that given individual instances of Mixer can call `CloseSession`, reusing `session_id` by the backend
     // assumes that the backend is doing reference counting.
     //
     // If the backend couldn't create a session for a specific handler configuration and
diff --git a/mixer/adapter/model/v1beta1/istio.mixer.adapter.model.v1beta1.pb.html b/mixer/adapter/model/v1beta1/istio.mixer.adapter.model.v1beta1.pb.html
index d77945c0cc..8ab59eb324 100644
--- a/mixer/adapter/model/v1beta1/istio.mixer.adapter.model.v1beta1.pb.html
+++ b/mixer/adapter/model/v1beta1/istio.mixer.adapter.model.v1beta1.pb.html
@@ -15,7 +15,7 @@ <h3 id="InfrastructureBackend">InfrastructureBackend</h3>
 out of process adapter.</p>
 
 <p><code>InfrastructureBackend</code> allows Mixer and the backends to have a session based model. In a session based model, Mixer passes
-the relevant configuration state to the backend only once and estabilshes a session using a session identifier.
+the relevant configuration state to the backend only once and establishes a session using a session identifier.
 All future communications between Mixer and the backend uses the session identifier which refers to the previously
 passed in configuration data.</p>
 
@@ -46,7 +46,7 @@ <h3 id="InfrastructureBackend">InfrastructureBackend</h3>
 
 <p>Backend is allowed to return the same session id if given the same configuration block.
 This would happen when multiple instances of Mixer in a deployment all create sessions with the same configuration.
-Note that given individial instances of Mixer can call <code>CloseSession</code>, reusing <code>session_id</code> by the backend
+Note that given individual instances of Mixer can call <code>CloseSession</code>, reusing <code>session_id</code> by the backend
 assumes that the backend is doing reference counting.</p>
 
 <p>If the backend couldn&rsquo;t create a session for a specific handler configuration and
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 37c3bcf532..3eeb4ff276 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -427,6 +427,12 @@ type Server_TLSOptions struct {
 	// Optional: If specified, only support the specified cipher list.
 	// Otherwise default to the default cipher list supported by Envoy.
 	CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites" json:"cipher_suites,omitempty"`
+	// Optional: If specified, the gateway controllers (with SDS enabled)
+	// use the specified name as the SDS secret config name to call the SDS
+	// server, to retrieve the key and certificates. Otherwise, the gateway
+	// controllers (with SDS enabled) use the first value in the hosts as
+	// the SDS secret config name to call the SDS server.
+	SdsName string `protobuf:"bytes,10,opt,name=sds_name,json=sdsName,proto3" json:"sds_name,omitempty"`
 }
 
 func (m *Server_TLSOptions) Reset()                    { *m = Server_TLSOptions{} }
@@ -497,6 +503,13 @@ func (m *Server_TLSOptions) GetCipherSuites() []string {
 	return nil
 }
 
+func (m *Server_TLSOptions) GetSdsName() string {
+	if m != nil {
+		return m.SdsName
+	}
+	return ""
+}
+
 // Port describes the properties of a specific port of a service.
 type Port struct {
 	// REQUIRED: A valid non-negative integer port number.
@@ -744,6 +757,12 @@ func (m *Server_TLSOptions) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], s)
 		}
 	}
+	if len(m.SdsName) > 0 {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.SdsName)))
+		i += copy(dAtA[i:], m.SdsName)
+	}
 	return i, nil
 }
 
@@ -878,6 +897,10 @@ func (m *Server_TLSOptions) Size() (n int) {
 			n += 1 + l + sovGateway(uint64(l))
 		}
 	}
+	l = len(m.SdsName)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
 	return n
 }
 
@@ -1564,6 +1587,35 @@ func (m *Server_TLSOptions) Unmarshal(dAtA []byte) error {
 			}
 			m.CipherSuites = append(m.CipherSuites, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SdsName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SdsName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGateway(dAtA[iNdEx:])
@@ -1820,47 +1872,48 @@ var (
 func init() { proto.RegisterFile("networking/v1alpha3/gateway.proto", fileDescriptorGateway) }
 
 var fileDescriptorGateway = []byte{
-	// 657 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0xcb, 0x4e, 0xdb, 0x4c,
-	0x14, 0xc6, 0x49, 0xc8, 0xe5, 0x84, 0x10, 0x33, 0x42, 0xbf, 0xfc, 0xb3, 0xe0, 0x92, 0xaa, 0x2a,
-	0xad, 0x5a, 0x07, 0x92, 0x2e, 0x50, 0x91, 0x2a, 0xa5, 0x15, 0x22, 0x55, 0x03, 0x89, 0xec, 0x84,
-	0x45, 0x37, 0xd6, 0xc4, 0x19, 0xc8, 0x80, 0xe3, 0xb1, 0x66, 0x26, 0x81, 0x3c, 0x45, 0xdf, 0xa7,
-	0x4f, 0xd0, 0x65, 0xfb, 0x06, 0x15, 0x4f, 0x52, 0xcd, 0xd8, 0x21, 0xe9, 0x8d, 0x0a, 0x75, 0x77,
-	0xce, 0x77, 0xce, 0xf7, 0x9d, 0xdb, 0xd8, 0xb0, 0x13, 0x12, 0x79, 0xcd, 0xf8, 0x15, 0x0d, 0x2f,
-	0xaa, 0x93, 0x7d, 0x1c, 0x44, 0x43, 0x5c, 0xaf, 0x5e, 0x60, 0x49, 0xae, 0xf1, 0xd4, 0x8e, 0x38,
-	0x93, 0x0c, 0xfd, 0x4f, 0x85, 0xa4, 0xcc, 0x9e, 0x27, 0xda, 0xb3, 0xc4, 0xca, 0x57, 0x03, 0x72,
-	0xc7, 0x71, 0x32, 0x3a, 0x84, 0x9c, 0x20, 0x7c, 0x42, 0xb8, 0xb0, 0x8c, 0xed, 0xf4, 0x6e, 0xb1,
-	0xb6, 0x63, 0xff, 0x91, 0x68, 0xbb, 0x3a, 0xd3, 0x99, 0x31, 0x50, 0x0b, 0xf2, 0x82, 0x04, 0xc4,
-	0x97, 0x8c, 0x5b, 0x29, 0xcd, 0xde, 0xbb, 0x87, 0x9d, 0x94, 0xb4, 0xdd, 0x84, 0x72, 0x14, 0x4a,
-	0x3e, 0x75, 0xee, 0x14, 0x36, 0x0e, 0xa1, 0xf4, 0x43, 0x08, 0x99, 0x90, 0xbe, 0x22, 0x53, 0xcb,
-	0xd8, 0x36, 0x76, 0x0b, 0x8e, 0x32, 0xd1, 0x3a, 0x2c, 0x4f, 0x70, 0x30, 0x26, 0x56, 0x4a, 0x63,
-	0xb1, 0xf3, 0x2a, 0x75, 0x60, 0x54, 0x3e, 0xe6, 0x20, 0x1b, 0xb7, 0x87, 0xea, 0x90, 0x89, 0x18,
-	0x97, 0x9a, 0x57, 0xac, 0x6d, 0xdd, 0xd3, 0x51, 0x87, 0x71, 0xe9, 0xe8, 0x64, 0xa5, 0x3c, 0x64,
-	0x42, 0x0a, 0x3d, 0x47, 0xc1, 0x89, 0x1d, 0xf4, 0x1a, 0xd2, 0x32, 0x10, 0x56, 0x5a, 0x2b, 0x3d,
-	0xff, 0xeb, 0x66, 0xec, 0x6e, 0xcb, 0x6d, 0x47, 0x92, 0xb2, 0x50, 0x38, 0x8a, 0x88, 0x10, 0x64,
-	0xfa, 0x34, 0x1c, 0x58, 0x19, 0xdd, 0xae, 0xb6, 0xd1, 0x53, 0x30, 0x07, 0xe4, 0x1c, 0x8f, 0x03,
-	0xe9, 0x91, 0x70, 0x10, 0x31, 0x1a, 0x4a, 0x6b, 0x59, 0xc7, 0xcb, 0x09, 0x7e, 0x94, 0xc0, 0x1b,
-	0x9f, 0x96, 0x01, 0xe6, 0x92, 0xe8, 0x31, 0xac, 0x0e, 0xa5, 0x8c, 0x84, 0xc7, 0xc9, 0x80, 0x72,
-	0xe2, 0xc7, 0x23, 0xe6, 0x9d, 0x92, 0x46, 0x9d, 0x04, 0x44, 0x4d, 0xc8, 0x8c, 0xd8, 0x20, 0xde,
-	0xd1, 0x6a, 0xed, 0xe5, 0x43, 0xba, 0x56, 0xa6, 0xe2, 0x3a, 0x5a, 0x01, 0xbd, 0x00, 0x14, 0x9f,
-	0xda, 0xf3, 0x09, 0x97, 0xf4, 0x9c, 0xfa, 0x58, 0x12, 0xbd, 0x8d, 0x82, 0xb3, 0x16, 0x47, 0xde,
-	0xce, 0x03, 0x68, 0x0b, 0x8a, 0x11, 0xa7, 0x13, 0x2c, 0x89, 0xa7, 0xee, 0x16, 0x0f, 0x0d, 0x09,
-	0xf4, 0x9e, 0x4c, 0xd1, 0x13, 0x28, 0xfb, 0x78, 0x51, 0x4b, 0x24, 0x93, 0xaf, 0xfa, 0x78, 0x41,
-	0x48, 0xa0, 0x67, 0xb0, 0x26, 0xc6, 0xfd, 0x4b, 0xe2, 0x4b, 0x0f, 0x07, 0xd2, 0x0b, 0xf1, 0x88,
-	0x08, 0x2b, 0xab, 0x2f, 0x53, 0x4e, 0x02, 0x8d, 0x40, 0x9e, 0x2a, 0x18, 0x5d, 0xc2, 0xfa, 0x88,
-	0x86, 0x9e, 0x7e, 0xf5, 0x3e, 0x0b, 0x3c, 0xf5, 0x32, 0x29, 0x0b, 0xad, 0x9c, 0x1e, 0xff, 0xe0,
-	0xa1, 0xe3, 0x77, 0x12, 0x1d, 0x07, 0x8d, 0x68, 0x38, 0x73, 0xce, 0x62, 0x4d, 0x5d, 0x0b, 0xdf,
-	0xfc, 0x5a, 0x2b, 0xff, 0xcf, 0xb5, 0xf0, 0xcd, 0xcf, 0xb5, 0x1e, 0x41, 0xc9, 0xa7, 0xd1, 0x90,
-	0x70, 0x4f, 0x8c, 0xa9, 0x5a, 0x55, 0x41, 0xcf, 0xbf, 0x12, 0x83, 0xae, 0xc6, 0x2a, 0x4d, 0xc8,
-	0x25, 0x27, 0x43, 0x65, 0x28, 0x76, 0x1a, 0xae, 0xdb, 0x6d, 0x3a, 0xed, 0xde, 0x71, 0xd3, 0x5c,
-	0x42, 0x00, 0x59, 0xf7, 0xdd, 0x49, 0xa7, 0x75, 0x64, 0x1a, 0xca, 0x3e, 0xe9, 0x75, 0x7b, 0x8d,
-	0x96, 0x99, 0x42, 0xeb, 0x60, 0x36, 0x7a, 0xdd, 0xb6, 0xb7, 0x98, 0x9d, 0xae, 0xb4, 0xa1, 0xb8,
-	0xd0, 0x11, 0x5a, 0x81, 0x7c, 0xb7, 0xe5, 0x7a, 0x2a, 0xd1, 0x5c, 0x42, 0x45, 0x5d, 0xe6, 0x6c,
-	0xdf, 0xdb, 0x33, 0x8d, 0xb9, 0xb3, 0x6f, 0xa6, 0xe6, 0x4e, 0xcd, 0x4c, 0xcf, 0x9d, 0xba, 0x99,
-	0xa9, 0x9c, 0x42, 0x46, 0x7d, 0x5f, 0xe8, 0x3f, 0xc8, 0x86, 0xe3, 0x51, 0x9f, 0x70, 0xfd, 0x5a,
-	0x4b, 0x4e, 0xe2, 0xa1, 0x0d, 0xc8, 0xcf, 0xf6, 0x98, 0x7c, 0xce, 0x77, 0xbe, 0xfa, 0x6e, 0xd4,
-	0xcd, 0x93, 0xa7, 0xa6, 0xed, 0x37, 0xf6, 0xe7, 0xdb, 0x4d, 0xe3, 0xcb, 0xed, 0xa6, 0xf1, 0xed,
-	0x76, 0xd3, 0xf8, 0xb0, 0x1d, 0xaf, 0x9a, 0xb2, 0x2a, 0x8e, 0x68, 0xf5, 0x37, 0xbf, 0xc3, 0x7e,
-	0x56, 0xab, 0xd5, 0xbf, 0x07, 0x00, 0x00, 0xff, 0xff, 0x3a, 0x88, 0xe5, 0x6d, 0x2c, 0x05, 0x00,
+	// 673 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0x4d, 0x4f, 0xdb, 0x4c,
+	0x10, 0xc6, 0x49, 0xc8, 0xc7, 0x84, 0x10, 0xb3, 0x42, 0xaf, 0x0c, 0x07, 0x3e, 0xf2, 0xea, 0xd5,
+	0x4b, 0xab, 0xd6, 0x81, 0xa4, 0x07, 0x54, 0xa4, 0x4a, 0x69, 0x85, 0x48, 0xd5, 0x40, 0x22, 0x3b,
+	0xe1, 0xd0, 0x8b, 0xb5, 0x71, 0x16, 0xb2, 0xe0, 0x78, 0xad, 0xdd, 0x4d, 0x20, 0x7f, 0xa9, 0xbf,
+	0xa4, 0xc7, 0xf6, 0xd0, 0x7b, 0xc5, 0x2f, 0xa9, 0x76, 0xed, 0x90, 0xf4, 0x8b, 0x0a, 0xf5, 0x36,
+	0xf3, 0xcc, 0xcc, 0x33, 0x33, 0xcf, 0xac, 0x0d, 0xbb, 0x21, 0x91, 0x37, 0x8c, 0x5f, 0xd3, 0xf0,
+	0xb2, 0x3a, 0x39, 0xc0, 0x41, 0x34, 0xc4, 0xf5, 0xea, 0x25, 0x96, 0xe4, 0x06, 0x4f, 0xed, 0x88,
+	0x33, 0xc9, 0xd0, 0x06, 0x15, 0x92, 0x32, 0x7b, 0x9e, 0x68, 0xcf, 0x12, 0x2b, 0x9f, 0x0d, 0xc8,
+	0x9d, 0xc4, 0xc9, 0xe8, 0x08, 0x72, 0x82, 0xf0, 0x09, 0xe1, 0xc2, 0x32, 0x76, 0xd2, 0x7b, 0xc5,
+	0xda, 0xae, 0xfd, 0xdb, 0x42, 0xdb, 0xd5, 0x99, 0xce, 0xac, 0x02, 0xb5, 0x20, 0x2f, 0x48, 0x40,
+	0x7c, 0xc9, 0xb8, 0x95, 0xd2, 0xd5, 0xfb, 0x0f, 0x54, 0x27, 0x2d, 0x6d, 0x37, 0x29, 0x39, 0x0e,
+	0x25, 0x9f, 0x3a, 0xf7, 0x0c, 0x9b, 0x47, 0x50, 0xfa, 0x2e, 0x84, 0x4c, 0x48, 0x5f, 0x93, 0xa9,
+	0x65, 0xec, 0x18, 0x7b, 0x05, 0x47, 0x99, 0x68, 0x1d, 0x96, 0x27, 0x38, 0x18, 0x13, 0x2b, 0xa5,
+	0xb1, 0xd8, 0x79, 0x99, 0x3a, 0x34, 0x2a, 0x1f, 0x72, 0x90, 0x8d, 0xc7, 0x43, 0x75, 0xc8, 0x44,
+	0x8c, 0x4b, 0x5d, 0x57, 0xac, 0x6d, 0x3f, 0x30, 0x51, 0x87, 0x71, 0xe9, 0xe8, 0x64, 0xc5, 0x3c,
+	0x64, 0x42, 0x0a, 0xbd, 0x47, 0xc1, 0x89, 0x1d, 0xf4, 0x0a, 0xd2, 0x32, 0x10, 0x56, 0x5a, 0x33,
+	0x3d, 0xfb, 0xa3, 0x32, 0x76, 0xb7, 0xe5, 0xb6, 0x23, 0x49, 0x59, 0x28, 0x1c, 0x55, 0x88, 0x10,
+	0x64, 0xfa, 0x34, 0x1c, 0x58, 0x19, 0x3d, 0xae, 0xb6, 0xd1, 0x13, 0x30, 0x07, 0xe4, 0x02, 0x8f,
+	0x03, 0xe9, 0x91, 0x70, 0x10, 0x31, 0x1a, 0x4a, 0x6b, 0x59, 0xc7, 0xcb, 0x09, 0x7e, 0x9c, 0xc0,
+	0x9b, 0x5f, 0x96, 0x01, 0xe6, 0x94, 0xe8, 0x3f, 0x58, 0x1d, 0x4a, 0x19, 0x09, 0x8f, 0x93, 0x01,
+	0xe5, 0xc4, 0x8f, 0x57, 0xcc, 0x3b, 0x25, 0x8d, 0x3a, 0x09, 0x88, 0x9a, 0x90, 0x19, 0xb1, 0x41,
+	0xac, 0xd1, 0x6a, 0xed, 0xc5, 0x63, 0xa6, 0x56, 0xa6, 0xaa, 0x75, 0x34, 0x03, 0x7a, 0x0e, 0x28,
+	0x3e, 0xb5, 0xe7, 0x13, 0x2e, 0xe9, 0x05, 0xf5, 0xb1, 0x24, 0x5a, 0x8d, 0x82, 0xb3, 0x16, 0x47,
+	0xde, 0xcc, 0x03, 0x68, 0x1b, 0x8a, 0x11, 0xa7, 0x13, 0x2c, 0x89, 0xa7, 0xee, 0x16, 0x2f, 0x0d,
+	0x09, 0xf4, 0x8e, 0x4c, 0xd1, 0xff, 0x50, 0xf6, 0xf1, 0x22, 0x97, 0x48, 0x36, 0x5f, 0xf5, 0xf1,
+	0x02, 0x91, 0x40, 0x4f, 0x61, 0x4d, 0x8c, 0xfb, 0x57, 0xc4, 0x97, 0x1e, 0x0e, 0xa4, 0x17, 0xe2,
+	0x11, 0x11, 0x56, 0x56, 0x5f, 0xa6, 0x9c, 0x04, 0x1a, 0x81, 0x3c, 0x53, 0x30, 0xba, 0x82, 0xf5,
+	0x11, 0x0d, 0x3d, 0xfd, 0xea, 0x7d, 0x16, 0x78, 0xea, 0x65, 0x52, 0x16, 0x5a, 0x39, 0xbd, 0xfe,
+	0xe1, 0x63, 0xd7, 0xef, 0x24, 0x3c, 0x0e, 0x1a, 0xd1, 0x70, 0xe6, 0x9c, 0xc7, 0x9c, 0xba, 0x17,
+	0xbe, 0xfd, 0xb9, 0x57, 0xfe, 0xaf, 0x7b, 0xe1, 0xdb, 0x1f, 0x7b, 0xfd, 0x0b, 0x25, 0x9f, 0x46,
+	0x43, 0xc2, 0x3d, 0x31, 0xa6, 0x4a, 0xaa, 0x82, 0xde, 0x7f, 0x25, 0x06, 0x5d, 0x8d, 0xa1, 0x0d,
+	0xc8, 0x8b, 0x81, 0xd0, 0x02, 0x59, 0xa0, 0xa5, 0xcc, 0x89, 0x81, 0x50, 0xc2, 0x54, 0x9a, 0x90,
+	0x4b, 0xae, 0x89, 0xca, 0x50, 0xec, 0x34, 0x5c, 0xb7, 0xdb, 0x74, 0xda, 0xbd, 0x93, 0xa6, 0xb9,
+	0x84, 0x00, 0xb2, 0xee, 0xdb, 0xd3, 0x4e, 0xeb, 0xd8, 0x34, 0x94, 0x7d, 0xda, 0xeb, 0xf6, 0x1a,
+	0x2d, 0x33, 0x85, 0xd6, 0xc1, 0x6c, 0xf4, 0xba, 0x6d, 0x6f, 0x31, 0x3b, 0x5d, 0x69, 0x43, 0x71,
+	0x61, 0x58, 0xb4, 0x02, 0xf9, 0x6e, 0xcb, 0xf5, 0x54, 0xa2, 0xb9, 0x84, 0x8a, 0xba, 0xcd, 0xf9,
+	0x81, 0xb7, 0x6f, 0x1a, 0x73, 0xe7, 0xc0, 0x4c, 0xcd, 0x9d, 0x9a, 0x99, 0x9e, 0x3b, 0x75, 0x33,
+	0x53, 0x39, 0x83, 0x8c, 0xfa, 0xf4, 0xd0, 0x3f, 0x90, 0x0d, 0xc7, 0xa3, 0x3e, 0xe1, 0xfa, 0x21,
+	0x97, 0x9c, 0xc4, 0x43, 0x9b, 0x90, 0x9f, 0x49, 0x9c, 0x7c, 0xe9, 0xf7, 0xbe, 0xfa, 0xa4, 0xf4,
+	0xb6, 0xf1, 0x2b, 0xd4, 0xf6, 0x6b, 0xfb, 0xe3, 0xdd, 0x96, 0xf1, 0xe9, 0x6e, 0xcb, 0xf8, 0x7a,
+	0xb7, 0x65, 0xbc, 0xdf, 0x89, 0xaf, 0x40, 0x59, 0x15, 0x47, 0xb4, 0xfa, 0x8b, 0x3f, 0x65, 0x3f,
+	0xab, 0xd9, 0xea, 0xdf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x20, 0x65, 0xa6, 0x2f, 0x47, 0x05, 0x00,
 	0x00,
 }
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index 0cfb8bcefc..ad9f22791b 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -335,6 +335,13 @@ message Server {
     // Optional: If specified, only support the specified cipher list.
     // Otherwise default to the default cipher list supported by Envoy.
     repeated string cipher_suites = 9;
+
+    // Optional: If specified, the gateway controllers (with SDS enabled)
+    // use the specified name as the SDS secret config name to call the SDS
+    // server, to retrieve the key and certificates. Otherwise, the gateway
+    // controllers (with SDS enabled) use the first value in the hosts as
+    // the SDS secret config name to call the SDS server.
+    string sds_name = 10;
   }
 
   // Set of TLS related options that govern the server's behavior. Use
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index 12fa35db47..3076ae350c 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -3033,6 +3033,18 @@ <h2 id="Server-TLSOptions">Server.TLSOptions</h2>
 <p>Optional: If specified, only support the specified cipher list.
 Otherwise default to the default cipher list supported by Envoy.</p>
 
+</td>
+</tr>
+<tr id="Server-TLSOptions-sds_name">
+<td><code>sdsName</code></td>
+<td><code>string</code></td>
+<td>
+<p>Optional: If specified, the gateway controllers (with SDS enabled)
+use the specified name as the SDS secret config name to call the SDS
+server, to retrieve the key and certificates. Otherwise, the gateway
+controllers (with SDS enabled) use the first value in the hosts as
+the SDS secret config name to call the SDS server.</p>
+
 </td>
 </tr>
 </tbody>
diff --git a/proto.lock b/proto.lock
index 0f0232352c..8ec68701a8 100644
--- a/proto.lock
+++ b/proto.lock
@@ -3302,6 +3302,11 @@
                     "name": "cipher_suites",
                     "type": "string",
                     "is_repeated": true
+                  },
+                  {
+                    "id": 10,
+                    "name": "sds_name",
+                    "type": "string"
                   }
                 ]
               }
diff --git a/python/istio_api/networking/v1alpha3/gateway_pb2.py b/python/istio_api/networking/v1alpha3/gateway_pb2.py
index 991c4f8169..77c9a04a9d 100644
--- a/python/istio_api/networking/v1alpha3/gateway_pb2.py
+++ b/python/istio_api/networking/v1alpha3/gateway_pb2.py
@@ -19,7 +19,7 @@
   name='networking/v1alpha3/gateway.proto',
   package='istio.networking.v1alpha3',
   syntax='proto3',
-  serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xdb\x05\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\xaf\x04\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3')
+  serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xed\x05\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\xc1\x04\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x12\x10\n\x08sds_name\x18\n \x01(\t\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3')
 )
 
 
@@ -49,8 +49,8 @@
   ],
   containing_type=None,
   options=None,
-  serialized_start=824,
-  serialized_end=896,
+  serialized_start=842,
+  serialized_end=914,
 )
 _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSMODE)
 
@@ -83,8 +83,8 @@
   ],
   containing_type=None,
   options=None,
-  serialized_start=898,
-  serialized_end=977,
+  serialized_start=916,
+  serialized_end=995,
 )
 _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSPROTOCOL)
 
@@ -234,6 +234,13 @@
       message_type=None, enum_type=None, containing_type=None,
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='sds_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.sds_name', index=9,
+      number=10, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
   ],
   extensions=[
   ],
@@ -249,7 +256,7 @@
   oneofs=[
   ],
   serialized_start=418,
-  serialized_end=977,
+  serialized_end=995,
 )
 
 _SERVER = _descriptor.Descriptor(
@@ -307,7 +314,7 @@
   oneofs=[
   ],
   serialized_start=246,
-  serialized_end=977,
+  serialized_end=995,
 )
 
 
@@ -351,8 +358,8 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=979,
-  serialized_end=1033,
+  serialized_start=997,
+  serialized_end=1051,
 )
 
 _GATEWAY_SELECTORENTRY.containing_type = _GATEWAY