diff --git a/content/en/boilerplates/gateway-api-experimental.md b/content/en/boilerplates/gateway-api-experimental.md deleted file mode 100644 index 6856491ca9..0000000000 --- a/content/en/boilerplates/gateway-api-experimental.md +++ /dev/null @@ -1,18 +0,0 @@ ---- ---- -{{< tip >}} -{{< boilerplate gateway-api-future >}} -{{< boilerplate gateway-api-choose >}} -{{< /tip >}} - -{{< warning >}} -The following Gateway API instructions include features that are both -[experimental](https://gateway-api.sigs.k8s.io/geps/overview/#status) -and Istio specific. Before using the Gateway API instructions, make sure to -install the **experimental version** of the Gateway API CRDs: - -{{< text syntax=bash snip_id=install_experimental_crds >}} -$ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl apply -f - -{{< /text >}} - -{{< /warning >}} diff --git a/content/en/boilerplates/gateway-api-gamma-support.md b/content/en/boilerplates/gateway-api-gamma-support.md index 298fecf4a5..a545dcac52 100644 --- a/content/en/boilerplates/gateway-api-gamma-support.md +++ b/content/en/boilerplates/gateway-api-gamma-support.md @@ -6,11 +6,10 @@ {{< /tip >}} {{< warning >}} -Note that this document uses the Gateway API to configure internal mesh (east-west) traffic, -i.e., not just ingress (north-south) traffic. -Configuring internal mesh traffic is an -[experimental feature](https://gateway-api.sigs.k8s.io/geps/overview/#status) -of the Gateway API, currently under development. +This document configures internal mesh (east-west) traffic +that requires Gateway API features that are either +[experimental](https://gateway-api.sigs.k8s.io/geps/overview/#status) +or Istio specific. Before using the Gateway API instructions, make sure to: 1) Install the **experimental version** of the Gateway API CRDs: 
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-control/index.md b/content/en/docs/tasks/traffic-management/egress/egress-control/index.md index f6492b2d16..b8a4ed1bc4 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-control/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-control/index.md @@ -257,7 +257,7 @@ Similar to inter-cluster requests, routing rules can also be configured for external services that are accessed using `ServiceEntry` configurations. In this example, you set a timeout rule on calls to the `httpbin.org` service. -{{< boilerplate gateway-api-experimental >}} +{{< boilerplate gateway-api-gamma-support >}} 1) From inside the pod being used as the test source, make a _curl_ request to the `/delay` endpoint of the httpbin.org external service: diff --git a/content/en/docs/tasks/traffic-management/egress/egress-control/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-control/snips.sh index f213ba1636..4f152aff22 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-control/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-control/snips.sh @@ -19,7 +19,7 @@ # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: # docs/tasks/traffic-management/egress/egress-control/index.md #################################################################################################### -source "content/en/boilerplates/snips/gateway-api-experimental.sh" +source "content/en/boilerplates/snips/gateway-api-gamma-support.sh" snip_before_you_begin_1() { kubectl apply -f samples/sleep/sleep.yaml diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway/gtwapi_test.sh b/content/en/docs/tasks/traffic-management/egress/egress-gateway/gtwapi_test.sh new file mode 100644 index 0000000000..ea31aad479 --- /dev/null +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/gtwapi_test.sh 
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC2154 + +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +source "tests/util/gateway-api.sh" +install_gateway_api_crds + +# @setup profile=none +istioctl install --set profile=minimal --set values.pilot.env.PILOT_ENABLE_ALPHA_GATEWAY_API=true --set meshConfig.accessLogFile=/dev/stdout -y +_wait_for_deployment istio-system istiod + +source "content/en/docs/tasks/traffic-management/egress/egress-gateway/test.sh" + +# @cleanup +snip_cleanup_http_gateway_2 +snip_cleanup_https_gateway_2 +snip_cleanup_network_policies_2 +snip_cleanup_1 + +istioctl uninstall --purge -y +kubectl delete ns istio-system +remove_gateway_api_crds diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md index a0c68a1159..eba2cd1732 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md 
@@ -37,20 +37,56 @@ on them cannot access the Internet. Defining an egress gateway, directing all th allocating public IPs to the egress gateway nodes allows the application nodes to access external services in a controlled way. -{{< boilerplate before-you-begin-egress >}} +{{< boilerplate gateway-api-gamma-support >}} + +## Before you begin + +* Setup Istio by following the instructions in the [Installation guide](/docs/setup/). + + {{< tip >}} + The egress gateway and access logging will be enabled if you install the `demo` + [configuration profile](/docs/setup/additional-setup/config-profiles/). + {{< /tip >}} + +* Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample app to use as a test source for sending requests. + + {{< text bash >}} + $ kubectl apply -f @samples/sleep/sleep.yaml@ + {{< /text >}} + + {{< tip >}} + You can use any pod with `curl` installed as a test source. + {{< /tip >}} + +* Set the `SOURCE_POD` environment variable to the name of your source pod: + + {{< text bash >}} + $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) + {{< /text >}} + + {{< warning >}} + The instructions in this task create a destination rule for the egress gateway in the `default` namespace + and assume that the client, `SOURCE_POD`, is also running in the `default` namespace. + If not, the destination rule will not be found on the + [destination rule lookup path](/docs/ops/best-practices/traffic-management/#cross-namespace-configuration) + and the client requests will fail. + {{< /warning >}} * [Enable Envoy’s access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging) + if not already enabled. For example, using `istioctl`: -{{< warning >}} -The instructions in this task create a destination rule for the egress gateway in the `default` namespace -and assume that the client, `SOURCE_POD`, is also running in the `default` namespace. 
-If not, the destination rule will not be found on the -[destination rule lookup path](/docs/ops/best-practices/traffic-management/#cross-namespace-configuration) -and the client requests will fail. -{{< /warning >}} + {{< text bask >}} + $ istioctl install --set meshConfig.accessLogFile=/dev/stdout + {{< /text >}} ## Deploy Istio egress gateway +{{< tip >}} +Egress gateways are [deployed automatically](/docs/tasks/traffic-management/ingress/gateway-api/#deployment-methods) +when using Gateway API to configure them. You can skip this section if you are using the `Gateway API` instructions +in the following sections. +{{< /tip >}} + 1. Check if the Istio egress gateway is deployed: {{< text bash >}} 
@@ -135,80 +171,161 @@ First create a `ServiceEntry` to allow direct traffic to an external service. 1. Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule for traffic directed to the egress gateway. - {{< tip >}} - To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`. - The `subset` field in the `DestinationRule` should be reused for the additional hosts. - {{< /tip >}} +{{< tabset category-name="config-api" >}} - {{< text bash >}} - $ kubectl apply -f - <}} +{{< tab name="Istio APIs" category-value="istio-apis" >}} -1. Define a `VirtualService` to direct traffic from the sidecars to the egress gateway and from the egress gateway +{{< tip >}} +To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`. +The `subset` field in the `DestinationRule` should be reused for the additional hosts. +{{< /tip >}} + +{{< text bash >}} +$ kubectl apply -f - <}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl apply -f - <}} + +{{< /tab >}} + +{{< /tabset >}} + +4) Configure route rules to direct traffic from the sidecars to the egress gateway and from the egress gateway to the external service: - {{< text bash >}} - $ kubectl apply -f - <}} +{{< tabset category-name="config-api" >}} -1. Resend the HTTP request to [http://edition.cnn.com/politics](https://edition.cnn.com/politics). +{{< tab name="Istio APIs" category-value="istio-apis" >}} + +{{< text bash >}} +$ kubectl apply -f - <}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl apply -f - <}} + +{{< /tab >}} + +{{< /tabset >}} + +5) Resend the HTTP request to [http://edition.cnn.com/politics](https://edition.cnn.com/politics). 
{{< text bash >}} $ kubectl exec "$SOURCE_POD" -c sleep -- curl -sSL -o /dev/null -D - http://edition.cnn.com/politics 
@@ -225,37 +342,81 @@ First create a `ServiceEntry` to allow direct traffic to an external service. The output should be the same as in the step 2. -1. Check the log of the `istio-egressgateway` pod for a line corresponding to our request. - If Istio is deployed in the `istio-system` namespace, the command to print the log is: +6) Check the log of the egress gateway pod for a line corresponding to our request. - {{< text bash >}} - $ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail - {{< /text >}} +{{< tabset category-name="config-api" >}} - You should see a line similar to the following: +{{< tab name="Istio APIs" category-value="istio-apis" >}} - {{< text plain >}} - [2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com - - {{< /text >}} +If Istio is deployed in the `istio-system` namespace, the command to print the log is: - Note that you only redirected the traffic from port 80 to the egress gateway. The HTTPS traffic to port 443 - went directly to _edition.cnn.com_. 
+{{< text bash >}} +$ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail +{{< /text >}} + +You should see a line similar to the following: + +{{< text plain >}} +[2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com - +{{< /text >}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +Access the log corresponding to the egress gateway using the Istio-generated pod label: + +{{< text bash >}} +$ kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail +{{< /text >}} + +You should see a line similar to the following: + +{{< text plain >}} +[2024-01-09T15:35:47.283Z] "GET /politics HTTP/1.1" 301 - via_upstream - "-" 0 0 2 2 "172.30.239.55" "curl/7.87.0-DEV" "6c01d65f-a157-97cd-8782-320a40026901" "edition.cnn.com" "151.101.195.5:80" outbound|80||edition.cnn.com 172.30.239.16:55636 172.30.239.16:80 172.30.239.55:59224 - default.forward-cnn-from-egress-gateway.0 +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + +Note that you only redirected the HTTP traffic from port 80 through the egress gateway. +The HTTPS traffic to port 443 went directly to _edition.cnn.com_. 
### Cleanup HTTP gateway Remove the previous definitions before proceeding to the next step: +{{< tabset category-name="config-api" >}} + +{{< tab name="Istio APIs" category-value="istio-apis" >}} + {{< text bash >}} -$ kubectl delete gateway istio-egressgateway $ kubectl delete serviceentry cnn +$ kubectl delete gateway istio-egressgateway $ kubectl delete virtualservice direct-cnn-through-egress-gateway $ kubectl delete destinationrule egressgateway-for-cnn {{< /text >}} +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl delete serviceentry cnn +$ kubectl delete gtw cnn-egress-gateway +$ kubectl delete httproute direct-cnn-to-egress-gateway +$ kubectl delete httproute forward-cnn-from-egress-gateway +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + ## Egress gateway for HTTPS traffic In this section you direct HTTPS traffic (TLS originated by the application) through an egress gateway. -You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntry`, an egress `Gateway` and a `VirtualService`. +You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntry` and egress `Gateway`. 1. Define a `ServiceEntry` for `edition.cnn.com`: 
@@ -289,78 +450,145 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr 1. Create an egress `Gateway` for _edition.cnn.com_, a destination rule and a virtual service to direct the traffic through the egress gateway and from the egress gateway to the external service. - {{< tip >}} - To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`. - The `subset` field in the `DestinationRule` should be reused for the additional hosts. - {{< /tip >}} +{{< tabset category-name="config-api" >}} - {{< text bash >}} - $ kubectl apply -f - <}} + +{{< tip >}} +To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`. +The `subset` field in the `DestinationRule` should be reused for the additional hosts. +{{< /tip >}} + +{{< text bash >}} +$ kubectl apply -f - <}} + port: 443 + sniHosts: + - edition.cnn.com + route: + - destination: + host: edition.cnn.com + port: + number: 443 + weight: 100 +EOF +{{< /text >}} -1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl apply -f - <}} + +{{< /tab >}} + +{{< /tabset >}} + +4) Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). The output should be the same as before. {{< text bash >}} 
@@ -371,21 +599,50 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr ... {{< /text >}} -1. Check the log of the egress gateway's proxy. If Istio is deployed in the `istio-system` namespace, the command to - print the log is: +5) Check the log of the egress gateway's proxy. - {{< text bash >}} - $ kubectl logs -l istio=egressgateway -n istio-system - {{< /text >}} +{{< tabset category-name="config-api" >}} - You should see a line similar to the following: +{{< tab name="Istio APIs" category-value="istio-apis" >}} - {{< text plain >}} - [2019-01-02T11:46:46.981Z] "- - -" 0 - 627 1879689 44 - "-" "-" "-" "-" "151.101.129.67:443" outbound|443||edition.cnn.com 172.30.109.80:41122 172.30.109.80:443 172.30.109.112:59970 edition.cnn.com - {{< /text >}} +If Istio is deployed in the `istio-system` namespace, the command to print the log is: + +{{< text bash >}} +$ kubectl logs -l istio=egressgateway -n istio-system +{{< /text >}} + +You should see a line similar to the following: + +{{< text plain >}} +[2019-01-02T11:46:46.981Z] "- - -" 0 - 627 1879689 44 - "-" "-" "-" "-" "151.101.129.67:443" outbound|443||edition.cnn.com 172.30.109.80:41122 172.30.109.80:443 172.30.109.112:59970 edition.cnn.com +{{< /text >}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +Access the log corresponding to the egress gateway using the Istio-generated pod label: + +{{< text bash >}} +$ kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail +{{< /text >}} + +You should see a line similar to the following: + +{{< text plain >}} +[2024-01-11T21:09:42.835Z] "- - -" 0 - - - "-" 839 2504306 231 - "-" "-" "-" "-" "151.101.195.5:443" outbound|443||edition.cnn.com 172.30.239.8:34470 172.30.239.8:443 172.30.239.15:43956 edition.cnn.com - +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} ### Cleanup HTTPS gateway +{{< tabset category-name="config-api" >}} + +{{< tab name="Istio APIs" category-value="istio-apis" 
>}} + {{< text bash >}} $ kubectl delete serviceentry cnn $ kubectl delete gateway istio-egressgateway @@ -393,6 +650,21 @@ $ kubectl delete virtualservice direct-cnn-through-egress-gateway $ kubectl delete destinationrule egressgateway-for-cnn {{< /text >}} +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl delete serviceentry cnn +$ kubectl delete gtw cnn-egress-gateway +$ kubectl delete tlsroute direct-cnn-to-egress-gateway +$ kubectl delete tlsroute forward-cnn-from-egress-gateway +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + ## Additional security considerations Note that defining an egress `Gateway` in Istio does not in itself provides any special treatment for the nodes @@ -422,22 +694,22 @@ bypassing of the egress gateway. To test the network policy, you create a namesp the [sleep]({{< github_tree >}}/samples/sleep) sample to it, and then attempt to send requests to a gateway-secured external service. -1. Follow the steps in the +1) Follow the steps in the [Egress gateway for HTTPS traffic](#egress-gateway-for-https-traffic) section. -1. Create the `test-egress` namespace: +2) Create the `test-egress` namespace: {{< text bash >}} $ kubectl create namespace test-egress {{< /text >}} -1. Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample to the `test-egress` namespace. +3) Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample to the `test-egress` namespace. {{< text bash >}} $ kubectl apply -n test-egress -f @samples/sleep/sleep.yaml@ {{< /text >}} -1. Check that the deployed pod has a single container with no Istio sidecar attached: +4) Check that the deployed pod has a single container with no Istio sidecar attached: {{< text bash >}} $ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress 
@@ -445,7 +717,7 @@ external service. sleep-776b7bcdcd-z7mc4 1/1 Running 0 18m {{< /text >}} -1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics) from the `sleep` pod in +5) Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics) from the `sleep` pod in the `test-egress` namespace. The request will succeed since you did not define any restrictive policies yet. {{< text bash >}} 
@@ -453,46 +725,38 @@ external service. 200 {{< /text >}} -1. Label the namespaces where the Istio components (the control plane and the gateways) run. - If you deployed the Istio components to `istio-system`, the command is: +6) Label the namespaces where the Istio control plane and egress gateway are running. + If you deployed Istio in the `istio-system` namespace, the command is: - {{< text bash >}} - $ kubectl label namespace istio-system istio=system - {{< /text >}} +{{< tabset category-name="config-api" >}} -1. Label the `kube-system` namespace. +{{< tab name="Istio APIs" category-value="istio-apis" >}} + +{{< text bash >}} +$ kubectl label namespace istio-system istio=system +{{< /text >}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl label namespace istio-system istio=system +$ kubectl label namespace default gateway=true +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + +7) Label the `kube-system` namespace. {{< text bash >}} $ kubectl label ns kube-system kube-system=true {{< /text >}} -1. Define a `NetworkPolicy` to limit the egress traffic from the `test-egress` namespace to traffic destined to - `istio-system`, and to the `kube-system` DNS service (port 53): - - {{< text bash >}} - $ cat <}} +8) Define a `NetworkPolicy` to limit the egress traffic from the `test-egress` namespace to traffic destined to + the control plane, gateway, and to the `kube-system` DNS service (port 53). {{< warning >}} [Network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) 
@@ -501,10 +765,76 @@ external service. step. {{< /warning >}} -1. Resend the previous HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it +{{< tabset category-name="config-api" >}} + +{{< tab name="Istio APIs" category-value="istio-apis" >}} + +{{< text bash >}} +$ cat <}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ cat <}} + +{{< /tab >}} + +{{< /tabset >}} + +9) Resend the previous HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should fail since the traffic is blocked by the network policy. Note that the `sleep` pod cannot bypass - `istio-egressgateway`. The only way it can access `edition.cnn.com` is by using an Istio sidecar proxy and by - directing the traffic to `istio-egressgateway`. This setting demonstrates that even if some malicious pod manages to + the egress gateway. The only way it can access `edition.cnn.com` is by using an Istio sidecar proxy and by + directing the traffic to the egress gateway. This setting demonstrates that even if some malicious pod manages to bypass its sidecar proxy, it will not be able to access external sites and will be blocked by the network policy. {{< text bash >}} 
@@ -522,76 +852,140 @@ external service. connect to 151.101.65.67 port 443 failed: Connection timed out {{< /text >}} -1. Now inject an Istio sidecar proxy into the `sleep` pod in the `test-egress` namespace by first enabling +10) Now inject an Istio sidecar proxy into the `sleep` pod in the `test-egress` namespace by first enabling automatic sidecar proxy injection in the `test-egress` namespace: {{< text bash >}} $ kubectl label namespace test-egress istio-injection=enabled {{< /text >}} -1. Then redeploy the `sleep` deployment: +11) Then redeploy the `sleep` deployment: {{< text bash >}} $ kubectl delete deployment sleep -n test-egress $ kubectl apply -f @samples/sleep/sleep.yaml@ -n test-egress {{< /text >}} -1. Check that the deployed pod has two containers, including the Istio sidecar proxy (`istio-proxy`): +12) Check that the deployed pod has two containers, including the Istio sidecar proxy (`istio-proxy`): - {{< text bash >}} - $ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}' - sleep istio-proxy - {{< /text >}} +{{< tabset category-name="config-api" >}} -1. Create a similar destination rule as used for the `sleep` pod in the `default` namespace, to direct the `test-egress` namespace traffic through the egress gateway: +{{< tab name="Istio APIs" category-value="istio-apis" >}} - {{< text bash >}} - $ kubectl apply -n test-egress -f - <}} +{{< text bash >}} +$ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}' +sleep istio-proxy +{{< /text >}} -1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should succeed - since the traffic flows to `istio-egressgateway` in the `istio-system` namespace, which is allowed by the - Network Policy you defined. 
`istio-egressgateway` forwards the traffic to `edition.cnn.com`. +Before proceeding, you'll need to create a similar destination rule as the one used for the `sleep` pod in the `default` namespace, +to direct the `test-egress` namespace traffic through the egress gateway: + +{{< text bash >}} +$ kubectl apply -n test-egress -f - <}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}' +sleep istio-proxy +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + +13) Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should succeed + since the traffic flows to the egress gateway is allowed by the + Network Policy you defined. The gateway then forwards the traffic to `edition.cnn.com`. {{< text bash >}} $ kubectl exec "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -c sleep -- curl -sS -o /dev/null -w "%{http_code}\n" https://edition.cnn.com/politics 200 {{< /text >}} -1. Check the log of the egress gateway's proxy. If Istio is deployed in the `istio-system` namespace, the command to - print the log is: +14) Check the log of the egress gateway's proxy. 
- {{< text bash >}} - $ kubectl logs -l istio=egressgateway -n istio-system - {{< /text >}} +{{< tabset category-name="config-api" >}} - You should see a line similar to the following: +{{< tab name="Istio APIs" category-value="istio-apis" >}} - {{< text plain >}} - [2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com - - {{< /text >}} +If Istio is deployed in the `istio-system` namespace, the command to print the log is: + +{{< text bash >}} +$ kubectl logs -l istio=egressgateway -n istio-system +{{< /text >}} + +You should see a line similar to the following: + +{{< text plain >}} +[2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com - +{{< /text >}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +Access the log corresponding to the egress gateway using the Istio-generated pod label: + +{{< text bash >}} +$ kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail +{{< /text >}} + +You should see a line similar to the following: + +{{< text plain >}} +[2024-01-12T19:54:01.821Z] "- - -" 0 - - - "-" 839 2504837 46 - "-" "-" "-" "-" "151.101.67.5:443" outbound|443||edition.cnn.com 172.30.239.60:49850 172.30.239.60:443 172.30.239.21:36512 edition.cnn.com - +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} ### Cleanup network policies 1. 
Delete the resources created in this section: - {{< text bash >}} - $ kubectl delete -f @samples/sleep/sleep.yaml@ -n test-egress - $ kubectl delete destinationrule egressgateway-for-cnn -n test-egress - $ kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress - $ kubectl label namespace kube-system kube-system- - $ kubectl label namespace istio-system istio- - $ kubectl delete namespace test-egress - {{< /text >}} +{{< tabset category-name="config-api" >}} + +{{< tab name="Istio APIs" category-value="istio-apis" >}} + +{{< text bash >}} +$ kubectl delete -f @samples/sleep/sleep.yaml@ -n test-egress +$ kubectl delete destinationrule egressgateway-for-cnn -n test-egress +$ kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress +$ kubectl label namespace kube-system kube-system- +$ kubectl label namespace istio-system istio- +$ kubectl delete namespace test-egress +{{< /text >}} + +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl delete -f @samples/sleep/sleep.yaml@ -n test-egress +$ kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress +$ kubectl label namespace kube-system kube-system- +$ kubectl label namespace istio-system istio- +$ kubectl label namespace default gateway- +$ kubectl delete namespace test-egress +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} 1. Follow the steps in the [Cleanup HTTPS gateway](#cleanup-https-gateway) section. diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-gateway/snips.sh index 810e8b0758..90e275760c 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/snips.sh 
@@ -19,7 +19,19 @@ # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: # docs/tasks/traffic-management/egress/egress-gateway/index.md #################################################################################################### -source "content/en/boilerplates/snips/before-you-begin-egress.sh" +source "content/en/boilerplates/snips/gateway-api-gamma-support.sh" + +snip_before_you_begin_1() { +kubectl apply -f samples/sleep/sleep.yaml +} + +snip_before_you_begin_2() { +export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) +} + +! read -r -d '' snip_before_you_begin_3 <<\ENDSNIP +$ istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set meshConfig.accessLogFile=/dev/stdout +ENDSNIP snip_deploy_istio_egress_gateway_1() { kubectl get pod -l istio=egressgateway -n istio-system @@ -99,6 +111,27 @@ EOF snip_egress_gateway_for_http_traffic_4() { kubectl apply -f - <
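Review bot: the new boilerplate wording in gateway-api-gamma-support.md ("This document configures internal mesh (east-west) traffic that requires Gateway API features...") no longer fits once the same boilerplate is included from the egress-control and egress-gateway tasks in this patch, where the traffic being configured leaves the mesh rather than staying east-west. Suggest generalizing the sentence to something like "This document uses Gateway API features that are either experimental or Istio specific." so the warning reads correctly on every page that includes it.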
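Review bot: deleting content/en/boilerplates/gateway-api-experimental.md removes a shared include, but this diff only updates the egress-control page and its snips.sh (`source "content/en/boilerplates/snips/gateway-api-gamma-support.sh"`). Before merging, grep the tree for `boilerplate gateway-api-experimental` and `snips/gateway-api-experimental.sh` to confirm no other page or generated snips file still references the deleted boilerplate, otherwise the site build and test scripts will fail on the missing file.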
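Review bot: in gtwapi_test.sh the cleanup block only calls the Gateway API variants (`snip_cleanup_http_gateway_2`, `snip_cleanup_https_gateway_2`, `snip_cleanup_network_policies_2`) and the install uses `--set profile=minimal`, so no `istio-egressgateway` deployment exists in this run. Make sure the shared test.sh guards the Istio-API-only steps (the DestinationRule and VirtualService snips, the `istio=egressgateway` log checks and the `snip_cleanup_*_1` functions) behind the config-API selection, since they would fail against a minimal profile where the egress gateway is only created by the `Gateway` resource.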
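Review bot: the new "Before you begin" section in egress-gateway/index.md has a syntax-tag typo, `{{< text bask >}}` should be `{{< text bash >}}`; as written the snippet generator does not treat the block as a bash snippet (see the `read -r -d ''` form of `snip_before_you_begin_3` in snips.sh) so the `istioctl install --set meshConfig.accessLogFile=/dev/stdout` step is never exercised by the tests. Minor wording in the same hunk: "Setup Istio by following..." should be "Set up Istio by following...".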
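Review bot: in the HTTP section (hunk @@ -135,80) the list markers switch from `1.` for the unchanged steps 1 to 3 to `4)` and `5)` for the steps after the tabset, while the later network-policy section (hunk @@ -422,22) was renumbered consistently to `1)`, `2)`, `3)`... Suggest renumbering steps 1 to 3 of the HTTP and HTTPS sections to the `N)` form as well so each section uses one marker style and the numbering survives the tabset break reliably.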
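Review bot: the Gateway API log commands added in the HTTP, HTTPS and network-policy sections (`kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail`) carry no `-n` flag, unlike the Istio API variants which pass `-n istio-system`. They only work while the current kubectl context namespace is `default`, where the `Gateway` resource (and therefore the auto-deployed gateway pod) lives; either add `-n default` or state that assumption next to the command, mirroring the existing warning that `SOURCE_POD` is expected in `default`.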
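Review bot: in the network-policy section (hunks @@ -453,46 and @@ -501,10) the step-6 text above the tabset still reads "If you deployed Istio in the `istio-system` namespace, the command is:", but the Gateway API tab additionally runs `kubectl label namespace default gateway=true`. The text should explain that the Gateway-API-managed egress gateway runs in `default` (the namespace of the `Gateway`), and the Gateway API `NetworkPolicy` should ideally pair the `gateway=true` namespaceSelector with a podSelector on `istio.io/gateway-name: cnn-egress-gateway`; selecting the whole `default` namespace allows the unprivileged `test-egress` pod to reach every pod in `default`, a much wider allow-list than the `istio-system` selector in the Istio APIs tab. The policy YAML bodies are truncated in this diff view, so please verify the selectors in the full file. The policy name `allow-egress-to-istio-system-and-kube-dns` also no longer describes the Gateway API variant.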
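Review bot: grammar in step 13 of hunk @@ -522,76: "since the traffic flows to the egress gateway is allowed by the Network Policy you defined" should read "since the traffic flow to the egress gateway is allowed by the Network Policy you defined". In the same hunk, step 12 is titled "Check that the deployed pod has two containers" but the Istio APIs tab also creates the `egressgateway-for-cnn` `DestinationRule` ("Before proceeding, you'll need to create a similar destination rule..."); consider keeping that as its own numbered step inside the tab, or widening the step title, so the required configuration is not hidden under a verification step.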
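Review bot: in "Cleanup network policies" the trailing item "1. Follow the steps in the [Cleanup HTTPS gateway](#cleanup-https-gateway) section." keeps the `1.` marker after the new tabset, so it will render as a second list starting at 1 right after the "1. Delete the resources created in this section" item; use `1)` and `2)` here as the other sections in this patch do.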
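Review bot: the generated snips.sh is out of sync with the markdown it is generated from. `snip_before_you_begin_3` records `istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set meshConfig.accessLogFile=/dev/stdout` while index.md shows `istioctl install --set meshConfig.accessLogFile=/dev/stdout`, and the snippet is emitted as a `! read -r -d ''` heredoc rather than a function because of the `bask` tag. Since the file header says it is auto-generated and must not be edited by hand, fix the markdown and regenerate snips.sh so the committed file matches.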