diff --git a/BUILD b/BUILD
index 02dbeaef..d4c2a4f5 100644
--- a/BUILD
+++ b/BUILD
@@ -175,6 +175,7 @@ proto_library(
         "//envoy/extensions/filters/http/fault/v3:pkg",
         "//envoy/extensions/filters/http/file_system_buffer/v3:pkg",
         "//envoy/extensions/filters/http/gcp_authn/v3:pkg",
+        "//envoy/extensions/filters/http/geoip/v3:pkg",
         "//envoy/extensions/filters/http/grpc_http1_bridge/v3:pkg",
         "//envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3:pkg",
         "//envoy/extensions/filters/http/grpc_json_transcoder/v3:pkg",
diff --git a/envoy/extensions/filters/http/geoip/v3/BUILD b/envoy/extensions/filters/http/geoip/v3/BUILD
new file mode 100644
index 00000000..e9b556d6
--- /dev/null
+++ b/envoy/extensions/filters/http/geoip/v3/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+    ],
+)
diff --git a/envoy/extensions/filters/http/geoip/v3/geoip.proto b/envoy/extensions/filters/http/geoip/v3/geoip.proto
new file mode 100644
index 00000000..a0135633
--- /dev/null
+++ b/envoy/extensions/filters/http/geoip/v3/geoip.proto
@@ -0,0 +1,90 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.geoip.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.geoip.v3";
+option java_outer_classname = "GeoipProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/geoip/v3;geoipv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Geoip]
+// Geoip :ref:`configuration overview <config_http_filters_geoip>`.
+// [#extension: envoy.filters.http.geoip]
+
+message Geoip {
+  // The set of geolocation headers to add to request. If any of the configured headers is present
+  // in the incoming request, it will be overridden by Geoip filter.
+  // [#next-free-field: 10]
+  message GeolocationHeadersToAdd {
+    // If set, the header will be used to populate the country ISO code associated with the IP address.
+    string country = 1
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the header will be used to populate the city associated with the IP address.
+    string city = 2
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the header will be used to populate the region ISO code associated with the IP address.
+    string region = 3
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the header will be used to populate the ASN associated with the IP address.
+    string asn = 4
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g. VPN, public proxy etc)
+    // and header will be populated with the check result. Header value will be set to either "true" or "false" depending on the check result.
+    string is_anon = 5
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the IP address will be checked if it belongs to a VPN and header will be populated with the check result.
+    // Header value will be set to either "true" or "false" depending on the check result.
+    string anon_vpn = 6
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the IP address will be checked if it belongs to a hosting provider and header will be populated with the check result.
+    // Header value will be set to either "true" or "false" depending on the check result.
+    string anon_hosting = 7
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the IP address will be checked if it belongs to a TOR exit node and header will be populated with the check result.
+    // Header value will be set to either "true" or "false" depending on the check result.
+    string anon_tor = 8
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // If set, the IP address will be checked if it belongs to a public proxy and header will be populated with the check result.
+    // Header value will be set to either "true" or "false" depending on the check result.
+    string anon_proxy = 9
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+  }
+
+  message XffConfig {
+    // The number of additional ingress proxy hops from the right side of the
+    // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
+    // determining the origin client's IP address. The default is zero if this option
+    // is not specified. See the documentation for
+    // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
+    uint32 xff_num_trusted_hops = 1;
+  }
+
+  // If set, the :ref:`xff_num_trusted_hops <envoy_v3_api_field_extensions.filters.http.geoip.v3.Geoip.XffConfig.xff_num_trusted_hops>` field will be used to determine
+  // trusted client address from `x-forwarded-for` header.
+  // Otherwise, the immediate downstream connection source address will be used.
+  // [#next-free-field: 2]
+  XffConfig xff_config = 1;
+
+  // Configuration for geolocation headers to add to request.
+  GeolocationHeadersToAdd geo_headers_to_add = 2 [(validate.rules).message = {required: true}];
+
+  // Geolocation provider specific configuration.
+  config.core.v3.TypedExtensionConfig provider = 3 [(validate.rules).message = {required: true}];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index d3e4117c..c31f8ea1 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -113,6 +113,7 @@ proto_library(
         "//envoy/extensions/filters/http/fault/v3:pkg",
         "//envoy/extensions/filters/http/file_system_buffer/v3:pkg",
         "//envoy/extensions/filters/http/gcp_authn/v3:pkg",
+        "//envoy/extensions/filters/http/geoip/v3:pkg",
         "//envoy/extensions/filters/http/grpc_http1_bridge/v3:pkg",
         "//envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3:pkg",
         "//envoy/extensions/filters/http/grpc_json_transcoder/v3:pkg",