diff --git a/third_party/envoy-gateway/external.yaml b/third_party/envoy-gateway/external.yaml
index 9f6d5b863..12c5cd716 100644
--- a/third_party/envoy-gateway/external.yaml
+++ b/third_party/envoy-gateway/external.yaml
@@ -42,3 +42,14 @@ spec:
     allowedRoutes:
       namespaces:
         from: All
+  # We've observed when adding and removing a listener on port 443 this
+  # causes the GKE LB to have downtime. By adding this tls listener
+  # we keep that LB port open.
+  - name: tls
+    port: 443
+    protocol: TLS
+    tls:
+      mode: Passthrough
+    allowedRoutes:
+      namespaces:
+        from: All
diff --git a/third_party/istio/300-gateway.yaml b/third_party/istio/300-gateway.yaml
index bfc9d7326..6d0885ef6 100644
--- a/third_party/istio/300-gateway.yaml
+++ b/third_party/istio/300-gateway.yaml
@@ -29,3 +29,14 @@ spec:
     allowedRoutes:
       namespaces:
         from: All
+  # We've observed when adding and removing a listener on port 443 this
+  # causes the GKE LB to have downtime. By adding this tls listener
+  # we keep that LB port open.
+  - name: tls
+    port: 443
+    protocol: TLS
+    tls:
+      mode: Passthrough
+    allowedRoutes:
+      namespaces:
+        from: All