diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md index 99abeb4f997d..b7c4f62f0f42 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md @@ -114,10 +114,9 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina ## TLS origination for egress traffic -1. Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443 - and add a `DestinationRule` to perform TLS origination: +1. Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443: - {{< text syntax=bash snip_id=apply_origination >}} + {{< text syntax=bash snip_id=apply_origination_serviceentry >}} $ kubectl apply -f - <}} + +1. Add a policy to perform TLS origination: + + {{< tabset category-name="tls-origination" >}} + + {{< tab name="Istio API" category-value="istio-api" >}} + + {{< text syntax=bash snip_id=apply_origination_destinationrule >}} + $ kubectl apply -f - <}} + + {{< tab name="Gateway API" category-value="gateway-api" >}} + + {{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}} + $ kubectl apply -f - <}} + + The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry` + will then redirect the requests on port 80 to target port 443. + + {{< /tab >}} + + {{< /tabset >}} + 1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section: {{< text syntax=bash snip_id=curl_origination_http >}} 
@@ -198,11 +236,28 @@ topics and articles but does not prevent attackers from learning that `edition.c Remove the Istio configuration items you created: +{{< tabset category-name="cleanup-tls-origination" >}} + +{{< tab name="Istio API" category-value="istio-api" >}} + {{< text bash >}} $ kubectl delete serviceentry edition-cnn-com $ kubectl delete destinationrule edition-cnn-com {{< /text >}} +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl delete serviceentry edition-cnn-com +$ kubectl delete backendtlspolicy edition-cnn-com +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + ## Mutual TLS origination for egress traffic This section describes how to configure a sidecar to perform TLS origination for an external service, this time using a diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh index 26a8a1967c61..31d5cad19364 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh @@ -66,7 +66,7 @@ HTTP/2 200 ... ENDSNIP -snip_apply_origination() { +snip_apply_origination_serviceentry() { kubectl apply -f - <
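Review bot: In the first index.md hunk, the sentence explaining that TLS is originated on the `http` port and that the `ServiceEntry` then redirects port 80 to target port 443 sits only inside the Gateway API tab. A reader on the Istio API tab gets the `DestinationRule` snippet with no equivalent explanation. Either add a matching sentence to the Istio API tab or move a resource-neutral version below `{{< /tabset >}}`. The sentence also does not say what the originated connection verifies about the server, which is worth one clause given that this task is about protecting the egress hop.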
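Review bot: In the cleanup hunk of index.md, the tabset uses `category-name="cleanup-tls-origination"` while the step that creates the policy uses `category-name="tls-origination"`, although both offer the same two `category-value` choices. If tab selection is remembered per category name, a reader who picked Gateway API when applying may be shown the Istio API tab at cleanup, run `kubectl delete destinationrule edition-cnn-com` against a resource that was never created, and leave the `BackendTLSPolicy` in place. Using one category name for both tabsets would keep the choice consistent. The `kubectl delete serviceentry edition-cnn-com` line is identical in both tabs and could sit outside the tabset, so that only the policy deletion differs.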
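Review bot: In the snips.sh hunk, renaming `snip_apply_origination()` to `snip_apply_origination_serviceentry()` removes the old function name, and the visible part of the patch does not touch any caller. Check that every script still calling `snip_apply_origination` is updated in the same change. The updated test should call the ServiceEntry snippet and then the snippet for `apply_origination_destinationrule`, so that TLS origination is still exercised rather than only the port redirect. The new `apply_origination_backendtlspolicy` path deserves the same coverage. The two new cleanup blocks use `{{< text bash >}}` without a `snip_id`, so the Gateway API cleanup has no named snippet for a test to call.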