diff --git a/docs/root/start/sandboxes/tls-sni.rst b/docs/root/start/sandboxes/tls-sni.rst index f9b0419773ff..fdd18d943102 100644 --- a/docs/root/start/sandboxes/tls-sni.rst +++ b/docs/root/start/sandboxes/tls-sni.rst @@ -14,7 +14,8 @@ TLS Server name indication (``SNI``) Parse ``json`` output from the upstream echo servers. This example demonstrates an Envoy proxy that listens on multiple domains -on the same ``IP`` address and provides separate ``TLS`` termination for each. +on the same ``IP`` address and either provides separate ``TLS`` termination +or proxies to an upstream ``TLS`` service for each. It also demonstrates Envoy acting as a client proxy connecting to upstream ``SNI`` services. @@ -26,7 +27,7 @@ Step 1: Create keypairs for each of the domain endpoints Change directory to ``examples/tls-sni`` in the Envoy repository. -The example creates three ``TLS`` endpoints and each will require their own +The example creates two Envoy ``TLS`` endpoints and they will require their own keypairs. Create self-signed certificates for these endpoints as follows: @@ -58,16 +59,6 @@ Create self-signed certificates for these endpoints as follows: writing new private key to 'certs/domain2.key.pem' ----- - $ openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \ - -subj "/C=US/ST=CA/O=MyExample, Inc./CN=domain3.example.com" \ - -keyout certs/domain3.key.pem \ - -out certs/domain3.crt.pem - Generating a RSA private key - .............+++++ - ...................+++++ - writing new private key to 'certs/domain3.key.pem' - ----- - .. warning:: ``SNI`` does *not* validate that the certificates presented are correct for the domain, or that they 
@@ -83,9 +74,10 @@ Step 2: Start the containers Build and start the containers. -This starts three upstream ``HTTP`` containers each listening on the internal Docker network on port ``80``. +This starts two upstream ``HTTP`` containers listening on the internal Docker network on port ``80``, and +an upstream ``HTTPS`` service listening on internal port ``443`` -In front of these is an Envoy proxy that listens on https://localhost:10000 and servers three ``SNI`` routed +In front of these is an Envoy proxy that listens on https://localhost:10000 and serves three ``SNI`` routed ``TLS`` domains: - ``domain1.example.com`` @@ -122,7 +114,7 @@ You can use curl to query the ``SNI``-routed ``HTTPS`` endpoints of the Envoy pr To do this you must explicitly tell curl to resolve the ``DNS`` for the endpoints correctly. -Each endpoint should proxy to the respective ``http-upstream`` service. +Each endpoint should proxy to the respective ``http-upstream`` or ``https-upstream`` service. .. code-block:: console @@ -139,14 +131,15 @@ Each endpoint should proxy to the respective ``http-upstream`` service. $ curl -sk --resolve domain3.example.com:10000:127.0.0.1 \ https://domain3.example.com:10000 \ | jq -r '.os.hostname' - http-upstream3 + https-upstream3 Step 3: Query the ``SNI`` endpoints via an Envoy proxy client ************************************************************* Next, query the Envoy proxy client using the routed paths. -These route via the ``SNI`` proxy endpoints to the respective ``http-upstream`` services. +These route via the ``SNI`` proxy endpoints to the respective ``http-upstream`` or +``https-upstream`` services. .. code-block:: console @@ -160,7 +153,7 @@ These route via the ``SNI`` proxy endpoints to the respective ``http-upstream`` $ curl -s http://localhost:20000/domain3 \ | jq '.os.hostname' - http-upstream3 + https-upstream3 .. seealso:: diff --git a/examples/tls-sni/Dockerfile b/examples/tls-sni/Dockerfile index 222cae922880..e7d9edb34d93 100644 
--- a/examples/tls-sni/Dockerfile +++ b/examples/tls-sni/Dockerfile @@ -6,4 +6,4 @@ RUN chmod go+r /etc/envoy.yaml \ && chmod go+x /certs \ && chmod go+r /certs/* -CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"] +CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml", "-l", "debug"] diff --git a/examples/tls-sni/docker-compose.yaml b/examples/tls-sni/docker-compose.yaml index b8065b30d9b9..0c5fbd4ac516 100644 --- a/examples/tls-sni/docker-compose.yaml +++ b/examples/tls-sni/docker-compose.yaml @@ -27,8 +27,8 @@ services: environment: - HTTPS_PORT=0 - http-upstream3: + https-upstream3: image: mendhak/http-https-echo - hostname: http-upstream3 + hostname: https-upstream3 environment: - HTTP_PORT=0 diff --git a/examples/tls-sni/envoy.yaml b/examples/tls-sni/envoy.yaml index b628a68a2c6d..cd6245e8209b 100644 --- a/examples/tls-sni/envoy.yaml +++ b/examples/tls-sni/envoy.yaml @@ -77,24 +77,11 @@ static_resources: server_names: - domain3.example.com filters: - - name: envoy.filters.network.http_connection_manager + - name: envoy.filters.network.tcp_proxy typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - codec_type: auto - stat_prefix: ingress_http - route_config: - name: local_route - virtual_hosts: - - name: app - domains: - - "*" - routes: - - match: - prefix: "/" - route: - cluster: proxy-domain3 - http_filters: - - name: envoy.filters.http.router + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: proxy-domain3 + stat_prefix: ingress_domain3 clusters: - name: proxy-domain1 @@ -136,5 +123,5 @@ static_resources: - endpoint: address: socket_address: - address: http-upstream3 + address: https-upstream3 port_value: 443 diff --git a/examples/tls-sni/verify.sh b/examples/tls-sni/verify.sh index 4251f62ec2ec..51451664e490 100755 --- a/examples/tls-sni/verify.sh +++ b/examples/tls-sni/verify.sh 
@@ -20,7 +20,7 @@ mkdir -p certs run_log "Create certificates for each of the services" create_self_signed_certs domain1 create_self_signed_certs domain2 -create_self_signed_certs domain3 +# create_self_signed_certs domain3 bring_up_example @@ -37,7 +37,7 @@ curl -sk --resolve domain2.example.com:10000:127.0.0.1 \ run_log "Query domain3 with curl and tls/sni" curl -sk --resolve domain3.example.com:10000:127.0.0.1 \ https://domain3.example.com:10000 \ - | jq '.os.hostname' | grep http-upstream3 + | jq '.os.hostname' | grep https-upstream3 run_log "Query domain1 via Envoy sni client" curl -s http://localhost:20000/domain1 \ @@ -49,4 +49,4 @@ curl -s http://localhost:20000/domain2 \ run_log "Query domain3 via Envoy sni client" curl -s http://localhost:20000/domain3 \ - | jq '.os.hostname' | grep http-upstream3 + | jq '.os.hostname' | grep https-upstream3
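Review bot: in the docs hunk at `@@ -26,7 +27,7 @@` (Step 1), "two Envoy ``TLS`` endpoints and they will require their own keypairs" reads awkwardly and leaves the reader wondering why the step title still says "each of the domain endpoints" while domain3 has vanished. Suggest "The example creates two Envoy ``TLS`` endpoints and each requires its own keypair; ``domain3.example.com`` needs none here, because its ``TLS`` is served by the upstream ``https-upstream3`` service rather than terminated by Envoy."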
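Review bot: in the docs hunk at `@@ -83,9 +74,10 @@` (Step 2), the added sentence ending "an upstream ``HTTPS`` service listening on internal port ``443``" has no terminating full stop, and "serves three ``SNI`` routed ``TLS`` domains" is now imprecise since domain3 is forwarded as raw ``TLS`` by ``tcp_proxy`` rather than terminated. Suggest "... on internal port ``443``." and "routes three ``SNI`` domains, terminating ``TLS`` for ``domain1`` and ``domain2`` and passing ``domain3`` through to the upstream ``HTTPS`` service." The same clarification would make the "Each endpoint should proxy to the respective ``http-upstream`` or ``https-upstream`` service" line at `@@ -122,7 +114,7 @@` self-explanatory.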
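Review bot: in the `examples/tls-sni/Dockerfile` hunk, splitting `"-c", "/etc/envoy.yaml"` into separate argv entries is a genuine fix (the old `"-c /etc/envoy.yaml"` passed flag and path as one token), but the appended `"-l", "debug"` looks like a debugging leftover: it is not mentioned anywhere in the docs hunks and makes the sandbox's output very noisy. Suggest dropping it, or, if it is meant to help readers watch the ``SNI`` filter-chain match and ``tcp_proxy`` passthrough, saying so in the Step 2 text so the change is deliberate.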
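Review bot: in the `examples/tls-sni/envoy.yaml` hunk at `@@ -77,24 +77,11 @@`, only the `filters:` block of the `domain3.example.com` filter chain is replaced; the chain's `transport_socket` is outside the visible context. If that filter chain still references `certs/domain3.crt.pem` / `certs/domain3.key.pem`, Envoy will fail at startup now that both the docs hunk and `verify.sh` stop generating those files (the Dockerfile's `chmod go+r /certs/*` will not save it). Please confirm the downstream ``TLS`` context was removed from this chain so that the client's ``TLS`` bytes are passed through untouched by ``tcp_proxy``, which is what the new docs text describes. A short comment above `- name: envoy.filters.network.tcp_proxy`, e.g. `# domain3: TLS passthrough, no termination here`, would make that intent obvious to readers of the config.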
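Review bot: in the `examples/tls-sni/envoy.yaml` hunk at `@@ -136,5 +123,5 @@`, only the endpoint address is renamed to `https-upstream3`; the rest of the `proxy-domain3` cluster is not shown. Before this change the chain was an HTTP connection manager forwarding to this cluster on `port_value: 443`, which implies the cluster carried an upstream ``TLS`` `transport_socket` to re-originate ``TLS``. With ``tcp_proxy`` the stream arriving from the client is already ``TLS``, so an upstream ``TLS`` transport socket on this cluster would wrap ``TLS`` inside ``TLS`` and the handshake to `https-upstream3:443` would fail. Please confirm it has been removed, and note in the docs that the certificate the `curl -k` client sees for ``domain3`` is whatever the `mendhak/http-https-echo` image presents, which is exactly the case the existing ``SNI`` warning in Step 1 is about.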
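Review bot: in the `examples/tls-sni/verify.sh` hunk at `@@ -20,7 +20,7 @@`, `# create_self_signed_certs domain3` leaves dead code behind; delete the line rather than commenting it out, and keep the `run_log "Create certificates for each of the services"` message accurate by changing it to "Create certificates for the Envoy-terminated domains" (or similar), since domain3 no longer gets one.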