diff --git a/internal/pkg/manifest/lb_web_svc_test.go b/internal/pkg/manifest/lb_web_svc_test.go
index 7e2d5fc1d4b..27f2b49153e 100644
--- a/internal/pkg/manifest/lb_web_svc_test.go
+++ b/internal/pkg/manifest/lb_web_svc_test.go
@@ -2641,6 +2641,9 @@ func TestLoadBalancedWebService_ExposedPorts(t *testing.T) {
 TargetPort: aws.Int(8083),
 TargetContainer: aws.String("xray"),
 },
+ {
+ Port: aws.String("8084/udp"),
+ },
 },
 },
 },
@@ -2653,6 +2656,12 @@ func TestLoadBalancedWebService_ExposedPorts(t *testing.T) {
 Protocol: "tcp",
 isDefinedByContainer: true,
 },
+ {
+ Port: 8084,
+ ContainerName: "frontend",
+ Protocol: "udp",
+ isDefinedByContainer: false,
+ },
 },
 "xray": {
 {
diff --git a/internal/pkg/manifest/svc.go b/internal/pkg/manifest/svc.go
index 72b62285b9a..4ef0a1af508 100644
--- a/internal/pkg/manifest/svc.go
+++ b/internal/pkg/manifest/svc.go
@@ -500,7 +500,7 @@ func (cfg NetworkLoadBalancerListener) exposedPorts(exposedPorts []ExposedPort,
 if cfg.IsEmpty() {
 return nil, nil
 }
- nlbPort, _, err := ParsePortMapping(cfg.Port)
+ nlbPort, nlbProtocol, err := ParsePortMapping(cfg.Port)
 if err != nil {
 return nil, err
 }
@@ -513,8 +513,16 @@ func (cfg NetworkLoadBalancerListener) exposedPorts(exposedPorts []ExposedPort,
 if cfg.TargetPort != nil {
 targetPort = uint16(aws.IntValue(cfg.TargetPort))
 }
+ targetProtocol := TCP
+ if nlbProtocol != nil {
+ // Expose TCP port for TLS listeners.
+ if protocol := aws.StringValue(nlbProtocol); !strings.EqualFold(protocol, TLS) {
+ targetProtocol = protocol
+ }
+ }
+ targetProtocol = strings.ToLower(targetProtocol)
 for _, exposedPort := range exposedPorts {
- if targetPort == exposedPort.Port {
+ if targetPort == exposedPort.Port && targetProtocol == exposedPort.Protocol {
 return nil, nil
 }
 }
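Review bot: The new `8084/udp` listener case in TestLoadBalancedWebService_ExposedPorts uses a port that nothing else exposes, so the branch this commit adds to `exposedPorts` (same port number, different protocol) is not exercised by the visible cases. Add a case whose listener is `"<port>/udp"` on a port the main container already exposes over tcp and assert that both entries come back, and a `"<port>/tls"` listener asserting `Protocol: "tcp"`. The test table starts and ends outside these hunks, so such cases may already exist elsewhere in the file.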
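Review bot: In the `@@ -513,8 +513,16 @@` hunk of svc.go the dedup check compares the lower-cased `targetProtocol` with `exposedPort.Protocol` using `==`, so it only matches when every producer of `ExposedPort` also stores the protocol in lower case, which is not visible here; `strings.EqualFold(targetProtocol, exposedPort.Protocol)` would remove that dependency. The same port number can now appear twice under different protocols, while the lookup shown in the context of the later `Target` hunks, `targetContainerFromTargetPort(exposedPorts, …)`, still takes only a port. Confirm that it cannot resolve a UDP listener to the container of the tcp entry, since that would forward listener traffic to a container the manifest author did not name. The body of `exposedPorts` begins and ends outside the hunk.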
@@ -522,10 +530,11 @@ func (cfg NetworkLoadBalancerListener) exposedPorts(exposedPorts []ExposedPort,
 if cfg.TargetContainer != nil {
 targetContainer = aws.StringValue(cfg.TargetContainer)
 }
+
 return []ExposedPort{
 {
 Port: targetPort,
- Protocol: "tcp",
+ Protocol: targetProtocol,
 ContainerName: targetContainer,
 },
 }, nil
@@ -599,7 +608,7 @@ func (rr *RoutingRule) Target(exposedPorts ExposedPortsIndex) (targetContainer s
 if rrTargetContainer == nil { // when target_container is nil
 container, port := targetContainerFromTargetPort(exposedPorts, rrTargetPort)
 targetPort = aws.StringValue(port)
- //In general, containers aren't expected to be empty. But this condition is applied for extra safety.
+ // In general, containers aren't expected to be empty. But this condition is applied for extra safety.
 if container != nil {
 targetContainer = aws.StringValue(container)
 }
@@ -690,7 +699,7 @@ func (listener NetworkLoadBalancerListener) Target(exposedPorts ExposedPortsInde
 if listener.TargetContainer == nil { // when target_container is nil
 container, port := targetContainerFromTargetPort(exposedPorts, uint16P(uint16(aws.IntValue(listener.TargetPort))))
 targetPort = aws.StringValue(port)
- //In general, containers aren't expected to be empty. But this condition is applied for extra safety.
+ // In general, containers aren't expected to be empty. But this condition is applied for extra safety.
 if container != nil {
 targetContainer = aws.StringValue(container)
 }
diff --git a/internal/pkg/manifest/validate.go b/internal/pkg/manifest/validate.go
index c28ce540149..0260cbc5a59 100644
--- a/internal/pkg/manifest/validate.go
+++ b/internal/pkg/manifest/validate.go
@@ -63,7 +63,7 @@ var (
 essentialContainerDependsOnValidStatuses = []string{dependsOnStart, dependsOnHealthy}
 dependsOnValidStatuses = []string{dependsOnStart, dependsOnComplete, dependsOnSuccess, dependsOnHealthy}
- nlbValidProtocols = []string{TCP, TLS}
+ nlbValidProtocols = []string{TCP, udp, TLS}
 validContainerProtocols = []string{TCP, udp}
 tracingValidVendors = []string{awsXRAY}
 ecsRollingUpdateStrategies = []string{ECSDefaultRollingUpdateStrategy, ECSRecreateRollingUpdateStrategy}
diff --git a/internal/pkg/manifest/validate_test.go b/internal/pkg/manifest/validate_test.go
index 8f65baa539d..a6162b5de96 100644
--- a/internal/pkg/manifest/validate_test.go
+++ b/internal/pkg/manifest/validate_test.go
@@ -1809,7 +1809,7 @@ func TestNetworkLoadBalancerConfiguration_validate(t *testing.T) {
 },
 },
 wantedErrorMsgPrefix: `validate "nlb": `,
- wantedError: fmt.Errorf(`validate "port": invalid protocol tps; valid protocols include TCP and TLS`),
+ wantedError: fmt.Errorf(`validate "port": invalid protocol tps; valid protocols include TCP, UDP and TLS`),
 },
 "fail if protocol is not recognized in additional listeners": {
 nlb: NetworkLoadBalancerConfiguration{
@@ -1823,7 +1823,7 @@ func TestNetworkLoadBalancerConfiguration_validate(t *testing.T) {
 },
 },
 wantedErrorMsgPrefix: `validate "nlb": `,
- wantedError: fmt.Errorf(`validate "additional_listeners[0]": validate "port": invalid protocol tps; valid protocols include TCP and TLS`),
+ wantedError: fmt.Errorf(`validate "additional_listeners[0]": validate "port": invalid protocol tps; valid protocols include TCP, UDP and TLS`),
 },
 "success if tcp": {
 nlb: NetworkLoadBalancerConfiguration{
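Review bot: Adding `udp` to `nlbValidProtocols` in validate.go accepts UDP listeners, but Network Load Balancer health checks for UDP targets run over TCP, HTTP or HTTPS, so a container that listens only on UDP will fail a default health check against the traffic port. A validation rule that rejects, or at least warns on, a `<port>/udp` listener without an explicit `healthcheck.port` would catch this before deployment; whether such a rule already exists is not visible in this diff. The slice now also differs from `validContainerProtocols` only by `TLS`, so a comment such as `// Protocols accepted in nlb.port; TLS listeners still target TCP on the container.` would record why the two lists are kept separate.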
@@ -1832,15 +1832,14 @@ func TestNetworkLoadBalancerConfiguration_validate(t *testing.T) {
 },
 },
 },
- "error if udp": {
+ "success if udp": {
 nlb: NetworkLoadBalancerConfiguration{
 Listener: NetworkLoadBalancerListener{
 Port: aws.String("161/udp"),
 },
 },
- wantedError: fmt.Errorf(`validate "port": invalid protocol udp; valid protocols include TCP and TLS`),
 },
- "error if udp in additional listeners": {
+ "success if udp in additional listeners": {
 nlb: NetworkLoadBalancerConfiguration{
 Listener: NetworkLoadBalancerListener{
 Port: aws.String("161/tcp"),
@@ -1851,7 +1850,6 @@ func TestNetworkLoadBalancerConfiguration_validate(t *testing.T) {
 },
 },
 },
- wantedError: fmt.Errorf(`validate "additional_listeners[0]": validate "port": invalid protocol udp; valid protocols include TCP and TLS`),
 },
 "error if additional listeners are defined before main listener": {
 nlb: NetworkLoadBalancerConfiguration{
@@ -1888,7 +1886,7 @@ func TestNetworkLoadBalancerConfiguration_validate(t *testing.T) {
 Port: aws.String("443/TCP_udp"),
 },
 },
- wantedError: fmt.Errorf(`validate "port": invalid protocol TCP_udp; valid protocols include TCP and TLS`),
+ wantedError: fmt.Errorf(`validate "port": invalid protocol TCP_udp; valid protocols include TCP, UDP and TLS`),
 },
 "error if tcp_udp in additional listeners": {
 nlb: NetworkLoadBalancerConfiguration{
@@ -1901,7 +1899,7 @@ func TestNetworkLoadBalancerConfiguration_validate(t *testing.T) {
 },
 },
 },
- wantedError: fmt.Errorf(`validate "additional_listeners[0]": validate "port": invalid protocol TCP_udp; valid protocols include TCP and TLS`),
+ wantedError: fmt.Errorf(`validate "additional_listeners[0]": validate "port": invalid protocol TCP_udp; valid protocols include TCP, UDP and TLS`),
 },
 "error if hosted zone is set": {
 nlb: NetworkLoadBalancerConfiguration{
diff --git a/site/content/docs/include/nlb-additionallisteners.en.md b/site/content/docs/include/nlb-additionallisteners.en.md
index a09ef06dee1..018a87d8a2b 100644
--- a/site/content/docs/include/nlb-additionallisteners.en.md +++ b/site/content/docs/include/nlb-additionallisteners.en.md @@ -2,7 +2,7 @@ nlb.additional_listeners.`port` String Required. The additional port and protocol for the Network Load Balancer to listen on. - Accepted protocols include `tcp` and `tls`. If the protocol is not specified, `tcp` is used by default. + Accepted protocols include `tcp`, `udp` and `tls`. If the protocol is not specified, `tcp` is used by default. nlb.additional_listeners.`healthcheck` Map Specify the health check configuration for your additional listener on the Network Load Balancer. diff --git a/site/content/docs/include/nlb.en.md b/site/content/docs/include/nlb.en.md index f952590d3bb..650337e1764 100644 --- a/site/content/docs/include/nlb.en.md +++ b/site/content/docs/include/nlb.en.md @@ -9,7 +9,7 @@ at least one of Application Load Balancer and Network Load Balancer must be enab nlb.`port` String Required. The port and protocol for the Network Load Balancer to listen on. -Accepted protocols include `tcp` and `tls`. If the protocol is not specified, `tcp` is used by default. For example: +Accepted protocols include `tcp`, `udp` and `tls`. If the protocol is not specified, `tcp` is used by default. For example: ```yaml nlb: port: 80 diff --git a/site/content/docs/manifest/lb-web-service.ja.md b/site/content/docs/manifest/lb-web-service.ja.md index 62095c47e49..008ac2da21e 100644 --- a/site/content/docs/manifest/lb-web-service.ja.md +++ b/site/content/docs/manifest/lb-web-service.ja.md @@ -241,7 +241,7 @@ nlb: port: 8080/tcp # Traffic on port 8080/tcp is forwarded to the main container, on port 8080. - additional_rules: + additional_listeners: - port: 8084/tcp # Traffic on port 8084/tcp is forwarded to the main container, on port 8084. - port: 8085/tcp # Traffic on port 8085/tcp is forwarded to the sidecar "envoy", on port 3000. target_port: 3000