diff --git a/agent/grpc/public/services/peerstream/stream_test.go b/agent/grpc/public/services/peerstream/stream_test.go
index 7366f42134..8bf644c5bd 100644
--- a/agent/grpc/public/services/peerstream/stream_test.go
+++ b/agent/grpc/public/services/peerstream/stream_test.go
@@ -720,6 +720,7 @@ func TestStreamResources_Server_ServiceUpdates(t *testing.T) {
 require.Equal(t, "tcp", pm.Protocol)
 spiffeIDs := []string{
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+ "spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 }
 require.Equal(t, spiffeIDs, pm.SpiffeID)
 },
diff --git a/agent/grpc/public/services/peerstream/subscription_manager.go b/agent/grpc/public/services/peerstream/subscription_manager.go
index 70813e845a..65fd914e34 100644
--- a/agent/grpc/public/services/peerstream/subscription_manager.go
+++ b/agent/grpc/public/services/peerstream/subscription_manager.go
@@ -558,6 +558,12 @@ func createDiscoChainHealth(
 trustDomain,
 )

+ gwSpiffeID := connect.SpiffeIDMeshGateway{
+ Host: trustDomain,
+ Partition: sn.PartitionOrDefault(),
+ Datacenter: datacenter,
+ }
+
 // Create common peer meta.
 //
 // TODO(peering): should this be replicated by service and not by instance?
@@ -565,19 +571,14 @@ func createDiscoChainHealth(
 SNI: []string{sni},
 SpiffeID: []string{
 mainSpiffeIDString,
+ // Always include the gateway id here to facilitate error-free
+ // L4/L7 upgrade/downgrade scenarios.
+ gwSpiffeID.URI().String(),
 },
 Protocol: info.Protocol,
 }

- if structs.IsProtocolHTTPLike(info.Protocol) {
- gwSpiffeID := connect.SpiffeIDMeshGateway{
- Host: trustDomain,
- Partition: sn.PartitionOrDefault(),
- Datacenter: datacenter,
- }
-
- peerMeta.SpiffeID = append(peerMeta.SpiffeID, gwSpiffeID.URI().String())
- } else {
+ if !structs.IsProtocolHTTPLike(info.Protocol) {
 for _, target := range info.TCPTargets {
 targetSpiffeID := connect.SpiffeIDService{
 Host: trustDomain,
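Review bot: The updated expectation in TestStreamResources_Server_ServiceUpdates asserts the gateway SPIFFE ID only for a `tcp` service, and the same holds for the two expectations changed in subscription_manager_test.go; none of the visible hunks exercises the L4/L7 protocol switch that the production change is meant to make error-free. A case that flips the service protocol between `tcp` and an HTTP-like value and asserts the gateway ID stays in `pm.SpiffeID` across the update would pin the intended behaviour. The rest of the test files is outside the diff, so such a case may already exist.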
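Review bot: The new comment inside the `SpiffeID` literal gives the upgrade/downgrade motive but not the trust consequence: the mesh gateway identity is now exported for every protocol, including plain `tcp`, where it was previously appended only under `structs.IsProtocolHTTPLike`. If the importing peer treats this list as the set of acceptable server identities (not visible in this diff, so worth confirming), a certificate bearing the gateway's SPIFFE ID would now be accepted for L4 services as well. I would record that next to the existing comment, e.g. `// NOTE: this also lets an importing peer accept the local mesh gateway identity for L4 services.` The gateway URI now sits at index 1, ahead of the TCP target IDs added by the loop whose body, like the rest of createDiscoChainHealth, continues outside the hunk.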
diff --git a/agent/grpc/public/services/peerstream/subscription_manager_test.go b/agent/grpc/public/services/peerstream/subscription_manager_test.go
index 82b1a7e5f1..cd12b2c221 100644
--- a/agent/grpc/public/services/peerstream/subscription_manager_test.go
+++ b/agent/grpc/public/services/peerstream/subscription_manager_test.go
@@ -275,6 +275,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
 },
 SpiffeID: []string{
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+ "spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/failover",
 },
 Protocol: "tcp",
@@ -335,6 +336,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
 },
 SpiffeID: []string{
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+ "spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 },
 Protocol: "tcp",
 },