diff --git a/envoy/extensions/clusters/dynamic_forward_proxy/v3/BUILD b/envoy/extensions/clusters/dynamic_forward_proxy/v3/BUILD
index 05f25a2f..00ebd40c 100644
--- a/envoy/extensions/clusters/dynamic_forward_proxy/v3/BUILD
+++ b/envoy/extensions/clusters/dynamic_forward_proxy/v3/BUILD
@@ -6,6 +6,8 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/config/cluster/v3:pkg",
+        "//envoy/config/core/v3:pkg",
         "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],
diff --git a/envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto b/envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto
index 9c711ae1..8cb7183f 100644
--- a/envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto
+++ b/envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto
@@ -2,8 +2,13 @@ syntax = "proto3";
 
 package envoy.extensions.clusters.dynamic_forward_proxy.v3;
 
+import "envoy/config/cluster/v3/cluster.proto";
+import "envoy/config/core/v3/address.proto";
 import "envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto";
 
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -23,11 +28,27 @@ message ClusterConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig";
 
-  // The DNS cache configuration that the cluster will attach to. Note this configuration must
-  // match that of associated :ref:`dynamic forward proxy HTTP filter configuration
-  // <envoy_v3_api_field_extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig.dns_cache_config>`.
-  common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1
-      [(validate.rules).message = {required: true}];
+  oneof cluster_implementation_specifier {
+    // The DNS cache configuration that the cluster will attach to. Note this configuration must
+    // match that of associated :ref:`dynamic forward proxy HTTP filter configuration
+    // <envoy_v3_api_field_extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig.dns_cache_config>`.
+    common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1;
+
+    // Configuration for sub clusters, when this configuration is enabled,
+    // Envoy will create an independent sub cluster dynamically for each host:port.
+    // Most of the configuration of a sub cluster is inherited from the current cluster,
+    // i.e. health_checks, dns_resolvers and etc.
+    // And the load_assignment will be set to the only one endpoint, host:port.
+    //
+    // Compared to the dns_cache_config, it has the following advantages:
+    //
+    // 1. sub clusters will be created with the STRICT_DNS DiscoveryType,
+    //    so that Envoy will use all of the IPs resolved from the host.
+    //
+    // 2. each sub cluster is full featured cluster, with lb_policy and health check and etc enabled.
+    //
+    SubClustersConfig sub_clusters_config = 4;
+  }
 
   // If true allow the cluster configuration to disable the auto_sni and auto_san_validation options
   // in the :ref:`cluster's upstream_http_protocol_options
@@ -54,3 +75,22 @@ message ClusterConfig {
   //
   bool allow_coalesced_connections = 3;
 }
+
+// Configuration for sub clusters. Hard code STRICT_DNS cluster type now.
+message SubClustersConfig {
+  // The :ref:`load balancer type <arch_overview_load_balancing_types>` to use
+  // when picking a host in a sub cluster. Note that CLUSTER_PROVIDED is not allowed here.
+  config.cluster.v3.Cluster.LbPolicy lb_policy = 1 [(validate.rules).enum = {defined_only: true}];
+
+  // The maximum number of sub clusters that the DFP cluster will hold. If not specified defaults to 1024.
+  google.protobuf.UInt32Value max_sub_clusters = 2 [(validate.rules).uint32 = {gt: 0}];
+
+  // The TTL for sub clusters that are unused. Sub clusters that have not been used in the configured time
+  // interval will be purged. If not specified defaults to 5m.
+  google.protobuf.Duration sub_cluster_ttl = 3 [(validate.rules).duration = {gt {}}];
+
+  // Sub clusters that should be created & warmed upon creation. This might provide a
+  // performance improvement, in the form of cache hits, for sub clusters that are going to be
+  // warmed during steady state and are known at config load time.
+  repeated config.core.v3.SocketAddress preresolve_clusters = 4;
+}
diff --git a/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto b/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
index 50bbea62..1ef5e024 100644
--- a/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
+++ b/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
@@ -4,6 +4,8 @@ package envoy.extensions.filters.http.dynamic_forward_proxy.v3;
 
 import "envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto";
 
+import "google/protobuf/duration.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -23,11 +25,16 @@ message FilterConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.dynamic_forward_proxy.v2alpha.FilterConfig";
 
-  // The DNS cache configuration that the filter will attach to. Note this configuration must
-  // match that of associated :ref:`dynamic forward proxy cluster configuration
-  // <envoy_v3_api_field_extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig.dns_cache_config>`.
-  common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1
-      [(validate.rules).message = {required: true}];
+  oneof implementation_specifier {
+    // The DNS cache configuration that the filter will attach to. Note this configuration must
+    // match that of associated :ref:`dynamic forward proxy cluster configuration
+    // <envoy_v3_api_field_extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig.dns_cache_config>`.
+    common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1;
+
+    // The configuration that the filter will use, when the related dynamic forward proxy cluster enabled
+    // sub clusters.
+    SubClusterConfig sub_cluster_config = 3;
+  }
 
   // When this flag is set, the filter will add the resolved upstream address in the filter
   // state. The state should be saved with key
@@ -69,3 +76,8 @@ message PerRouteConfig {
     string host_rewrite_header = 2;
   }
 }
+
+message SubClusterConfig {
+  // The timeout used for sub cluster initialization. Defaults to 5s if not set.
+  google.protobuf.Duration cluster_init_timeout = 3 [(validate.rules).duration = {gt {}}];
+}