diff --git a/content/en/docs/tasks/security/authorization/authz-tcp/index.md b/content/en/docs/tasks/security/authorization/authz-tcp/index.md
index ff3bd07641..597810a364 100644
--- a/content/en/docs/tasks/security/authorization/authz-tcp/index.md
+++ b/content/en/docs/tasks/security/authorization/authz-tcp/index.md
@@ -5,6 +5,7 @@ weight: 20
keywords: [security,access-control,rbac,tcp,authorization]
aliases:
- /docs/tasks/security/authz-tcp/
+test: true
---
This task shows you how to set up Istio authorization for TCP traffic in an Istio mesh.
@@ -35,13 +36,13 @@ Deploy the example namespace and workloads using the following command:
using the following command:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9000
connection succeeded
{{< /text >}}
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001
connection succeeded
{{< /text >}}
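Review bot: Quoting the substitution in the -35 hunk's `kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})"` means that if the `app=sleep` selector ever matches more than one pod (for example one still terminating after a re-apply), every name is passed as a single argument and kubectl rejects it as one non-existent pod, whereas `jsonpath='{.items[0].metadata.name}'` keeps the quoting and makes the step deterministic. The same expression recurs in the -52, -89, -97, -107, -139, -147, -179 and -187 hunks, so a fix belongs in all of them. The -52 hunk also quotes `jsonpath="{.status.podIP}"` while leaving `jsonpath={.items..metadata.name}` bare on the same line; quoting both the same way would be consistent with the rest of the change.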
@@ -52,8 +53,8 @@ defined in the Kubernetes service object of `tcp-echo`.
Get the pod IP address and send the request with the following command:
{{< text bash >}}
- $ TCP_ECHO_IP=$(kubectl get pod $(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name}) -n foo -o jsonpath={.status.podIP})
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}")
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9002
connection succeeded
{{< /text >}}
@@ -89,7 +90,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
1. Verify that requests to port 9000 are allowed using the following command:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9000
connection succeeded
{{< /text >}}
@@ -97,7 +98,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
1. Verify that requests to port 9001 are allowed using the following command:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001
connection succeeded
{{< /text >}}
@@ -107,7 +108,7 @@ policy which also applies to the pass through filter chain, even if the port is
explicitly in the `tcp-echo` Kubernetes service object. Run the following command and verify the output:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected
{{< /text >}}
@@ -139,7 +140,7 @@ The final result is that the request is rejected, because it does not match any
Run the following command and verify the output:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected
{{< /text >}}
@@ -147,7 +148,7 @@ Run the following command and verify the output:
ALLOW rules. Run the following command and verify the output:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected
{{< /text >}}
@@ -179,7 +180,7 @@ which causes Istio to ignore the entire rule. The final result is that only the
field is used by Istio and the requests are denied because they match with the `ports`:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
connection rejected
{{< /text >}}
@@ -187,7 +188,7 @@ field is used by Istio and the requests are denied because they match with the `
the `ports` in the DENY policy:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+ $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
hello port 9001
connection succeeded
{{< /text >}}
diff --git a/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh b/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
new file mode 100644
index 0000000000..3c7ccd667d
--- /dev/null
+++ b/content/en/docs/tasks/security/authorization/authz-tcp/snips.sh
@@ -0,0 +1,177 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+# docs/tasks/security/authorization/authz-tcp/index.md
+####################################################################################################
+
+snip_before_you_begin_1() {
+kubectl create ns foo
+kubectl apply -f <(istioctl kube-inject -f samples/tcp-echo/tcp-echo.yaml) -n foo
+kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
+}
+
+snip_before_you_begin_2() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+
+! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP
+hello port 9000
+connection succeeded
+ENDSNIP
+
+snip_before_you_begin_3() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
+}
+
+! 
read -r -d '' snip_before_you_begin_3_out <<\ENDSNIP +hello port 9001 +connection succeeded +ENDSNIP + +snip_before_you_begin_4() { +TCP_ECHO_IP=$(kubectl get pod "$(kubectl get pod -l app=tcp-echo -n foo -o jsonpath={.items..metadata.name})" -n foo -o jsonpath="{.status.podIP}") +kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c "echo \"port 9002\" | nc $TCP_ECHO_IP 9002" | grep "hello" && echo 'connection succeeded' || echo 'connection rejected' +} + +! read -r -d '' snip_before_you_begin_4_out <<\ENDSNIP +hello port 9002 +connection succeeded +ENDSNIP + +snip_configure_access_control_for_a_tcp_workload_1() { +kubectl apply -f - <&1) +_verify_same "$out" "$snip_before_you_begin_2_out" "snip_before_you_begin_2" + +out=$(snip_before_you_begin_3 2>&1) +_verify_same "$out" "$snip_before_you_begin_3_out" "snip_before_you_begin_3" + +out=$(snip_before_you_begin_4 2>&1) +_verify_same "$out" "$snip_before_you_begin_4_out" "snip_before_you_begin_4" + +snip_configure_access_control_for_a_tcp_workload_1 + +out=$(snip_configure_access_control_for_a_tcp_workload_2 2>&1) +_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_2_out" "snip_configure_access_control_for_a_tcp_workload_2" + +out=$(snip_configure_access_control_for_a_tcp_workload_3 2>&1) +_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_3_out" "snip_configure_access_control_for_a_tcp_workload_3" + +out=$(snip_configure_access_control_for_a_tcp_workload_4 2>&1) +_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_4_out" "snip_configure_access_control_for_a_tcp_workload_4" + +snip_configure_access_control_for_a_tcp_workload_5 + +out=$(snip_configure_access_control_for_a_tcp_workload_6 2>&1) +_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_6_out" "snip_configure_access_control_for_a_tcp_workload_6" + +out=$(snip_configure_access_control_for_a_tcp_workload_7 2>&1) 
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_7_out" "snip_configure_access_control_for_a_tcp_workload_7"
+
+snip_configure_access_control_for_a_tcp_workload_8
+
+out=$(snip_configure_access_control_for_a_tcp_workload_9 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_9_out" "snip_configure_access_control_for_a_tcp_workload_9"
+
+out=$(snip_configure_access_control_for_a_tcp_workload_10 2>&1)
+_verify_same "$out" "$snip_configure_access_control_for_a_tcp_workload_10_out" "snip_configure_access_control_for_a_tcp_workload_10"