diff --git a/BUILD b/BUILD
index 8c608fde..3ac2738e 100644
--- a/BUILD
+++ b/BUILD
@@ -154,6 +154,7 @@ proto_library(
         "//envoy/data/tap/v3:pkg",
         "//envoy/extensions/access_loggers/file/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
+        "//envoy/extensions/access_loggers/wasm/v3:pkg",
         "//envoy/extensions/clusters/aggregate/v3:pkg",
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
@@ -195,6 +196,7 @@ proto_library(
         "//envoy/extensions/filters/http/router/v3:pkg",
         "//envoy/extensions/filters/http/squash/v3:pkg",
         "//envoy/extensions/filters/http/tap/v3:pkg",
+        "//envoy/extensions/filters/http/wasm/v3:pkg",
         "//envoy/extensions/filters/listener/http_inspector/v3:pkg",
         "//envoy/extensions/filters/listener/original_dst/v3:pkg",
         "//envoy/extensions/filters/listener/original_src/v3:pkg",
@@ -221,6 +223,7 @@ proto_library(
         "//envoy/extensions/filters/network/tcp_proxy/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/wasm/v3:pkg",
         "//envoy/extensions/filters/network/zookeeper_proxy/v3:pkg",
         "//envoy/extensions/filters/udp/dns_filter/v3alpha:pkg",
         "//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
diff --git a/envoy/extensions/access_loggers/wasm/v3/BUILD b/envoy/extensions/access_loggers/wasm/v3/BUILD
new file mode 100644
index 00000000..8bad369e
--- /dev/null
+++ b/envoy/extensions/access_loggers/wasm/v3/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/wasm/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/envoy/extensions/access_loggers/wasm/v3/wasm.proto b/envoy/extensions/access_loggers/wasm/v3/wasm.proto
new file mode 100644
index 00000000..cd9db590
--- /dev/null
+++ b/envoy/extensions/access_loggers/wasm/v3/wasm.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.wasm.v3;
+
+import "envoy/extensions/wasm/v3/wasm.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.wasm.v3";
+option java_outer_classname = "WasmProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [[#not-implemented-hide:]
+// Custom configuration for an :ref:`AccessLog <envoy_api_msg_config.accesslog.v3.AccessLog>`
+// that calls into a WASM VM.
+message WasmAccessLog {
+  envoy.extensions.wasm.v3.PluginConfig config = 1;
+}
diff --git a/envoy/extensions/filters/http/wasm/v3/BUILD b/envoy/extensions/filters/http/wasm/v3/BUILD
new file mode 100644
index 00000000..8bad369e
--- /dev/null
+++ b/envoy/extensions/filters/http/wasm/v3/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/wasm/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/envoy/extensions/filters/http/wasm/v3/wasm.proto b/envoy/extensions/filters/http/wasm/v3/wasm.proto
new file mode 100644
index 00000000..a812992a
--- /dev/null
+++ b/envoy/extensions/filters/http/wasm/v3/wasm.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.wasm.v3;
+
+import "envoy/extensions/wasm/v3/wasm.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.wasm.v3";
+option java_outer_classname = "WasmProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [[#not-implemented-hide:]
+message Wasm {
+  // General Plugin configuration.
+  envoy.extensions.wasm.v3.PluginConfig config = 1;
+}
diff --git a/envoy/extensions/filters/network/wasm/v3/BUILD b/envoy/extensions/filters/network/wasm/v3/BUILD
new file mode 100644
index 00000000..8bad369e
--- /dev/null
+++ b/envoy/extensions/filters/network/wasm/v3/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/wasm/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/envoy/extensions/filters/network/wasm/v3/wasm.proto b/envoy/extensions/filters/network/wasm/v3/wasm.proto
new file mode 100644
index 00000000..13158276
--- /dev/null
+++ b/envoy/extensions/filters/network/wasm/v3/wasm.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.wasm.v3;
+
+import "envoy/extensions/wasm/v3/wasm.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.wasm.v3";
+option java_outer_classname = "WasmProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [[#not-implemented-hide:]
+message Wasm {
+  // General Plugin configuration.
+  envoy.extensions.wasm.v3.PluginConfig config = 1;
+}
diff --git a/envoy/extensions/wasm/v3/wasm.proto b/envoy/extensions/wasm/v3/wasm.proto
index 73b7959c..26f45821 100644
--- a/envoy/extensions/wasm/v3/wasm.proto
+++ b/envoy/extensions/wasm/v3/wasm.proto
@@ -15,11 +15,11 @@ option java_outer_classname = "WasmProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
-// [#protodoc-title: Wasm service]
+// [#protodoc-title: Wasm]
 
+// [[#not-implemented-hide:]
 // Configuration for a Wasm VM.
-// [#next-free-field: 6]
-// [#not-implemented-hide:] pending implementation.
+// [#next-free-field: 7]
 message VmConfig {
   // An ID which will be used along with a hash of the wasm code (or the name of the registered Null
   // VM plugin) to determine which VM will be used for the plugin. All plugins which use the same
@@ -44,21 +44,26 @@ message VmConfig {
   // Warning: this should only be enable for trusted sources as the precompiled code is not
   // verified.
   bool allow_precompiled = 5;
+
+  // If true and the code needs to be remotely fetched and it is not in the cache then NACK the configuration
+  // update and do a background fetch to fill the cache, otherwise fetch the code asynchronously and enter
+  // warming state.
+  bool nack_on_code_cache_miss = 6;
 }
 
+// [[#not-implemented-hide:]
 // Base Configuration for Wasm Plugins e.g. filters and services.
 // [#next-free-field: 6]
-// [#not-implemented-hide:] pending implementation.
 message PluginConfig {
   // A unique name for a filters/services in a VM for use in identifying the filter/service if
-  // multiple filters/services are handled by the same *vm_id* and *group_name* and for
+  // multiple filters/services are handled by the same *vm_id* and *root_id* and for
   // logging/debugging.
   string name = 1;
 
   // A unique ID for a set of filters/services in a VM which will share a RootContext and Contexts
   // if applicable (e.g. an Wasm HttpFilter and an Wasm AccessLog). If left blank, all
-  // filters/services with a blank group_name with the same *vm_id* will share Context(s).
-  string group_name = 2;
+  // filters/services with a blank root_id with the same *vm_id* will share Context(s).
+  string root_id = 2;
 
   // Configuration for finding or starting VM.
   oneof vm_config {
@@ -71,13 +76,19 @@ message PluginConfig {
   // `google.protobuf.Struct` is serialized as JSON before
   // passing it to the plugin. `google.protobuf.BytesValue` and
   // `google.protobuf.StringValue` are passed directly without the wrapper.
-  google.protobuf.Any configuration = 5;
+  google.protobuf.Any configuration = 4;
+
+  // If there is a fatal error on the VM (e.g. exception, abort(), on_start or on_configure return false),
+  // then all plugins associated with the VM will either fail closed (by default), e.g. by returning an HTTP 503 error,
+  // or fail open (if 'fail_open' is set to true) by bypassing the filter. Note: when on_start or on_configure return false
+  // during xDS updates the xDS configuration will be rejected and when on_start or on_configuration return false on initial
+  // startup the proxy will not start.
+  bool fail_open = 5;
 }
 
-// WasmService is configured as a built-in *envoy.wasm_service* :ref:`ServiceConfig
-// <envoy_api_msg_extensions.wasm.v3.WasmService>`. This opaque configuration will be used to
-// create a Wasm Service.
-// [#not-implemented-hide:] pending implementation.
+// [[#not-implemented-hide:]
+// WasmService is configured as a built-in *envoy.wasm_service* :ref:`WasmService
+// <config_wasm_service>` This opaque configuration will be used to create a Wasm Service.
 message WasmService {
   // General plugin configuration.
   PluginConfig config = 1;
diff --git a/versioning/BUILD b/versioning/BUILD
index 305f09df..950594d7 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -37,6 +37,7 @@ proto_library(
         "//envoy/data/tap/v3:pkg",
         "//envoy/extensions/access_loggers/file/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
+        "//envoy/extensions/access_loggers/wasm/v3:pkg",
         "//envoy/extensions/clusters/aggregate/v3:pkg",
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
@@ -78,6 +79,7 @@ proto_library(
         "//envoy/extensions/filters/http/router/v3:pkg",
         "//envoy/extensions/filters/http/squash/v3:pkg",
         "//envoy/extensions/filters/http/tap/v3:pkg",
+        "//envoy/extensions/filters/http/wasm/v3:pkg",
         "//envoy/extensions/filters/listener/http_inspector/v3:pkg",
         "//envoy/extensions/filters/listener/original_dst/v3:pkg",
         "//envoy/extensions/filters/listener/original_src/v3:pkg",
@@ -104,6 +106,7 @@ proto_library(
         "//envoy/extensions/filters/network/tcp_proxy/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/wasm/v3:pkg",
         "//envoy/extensions/filters/network/zookeeper_proxy/v3:pkg",
         "//envoy/extensions/filters/udp/dns_filter/v3alpha:pkg",
         "//envoy/extensions/filters/udp/udp_proxy/v3:pkg",