diff --git a/envoy/ssl/connection.h b/envoy/ssl/connection.h
index 3d364b1fd5d3b..c71eed8e056b0 100644
--- a/envoy/ssl/connection.h
+++ b/envoy/ssl/connection.h
@@ -251,6 +251,18 @@ class ConnectionInfo {
 **/
 virtual std::string ciphersuiteString() const PURE;
+ /**
+ * @return uint16_t the OpenSSL id of the group that was used for the key agreement of the
+ * established TLS connection. Returns 0 if there is no group.
+ **/
+ virtual uint16_t tlsGroupId() const PURE;
+
+ /**
+ * @return std::string the OpenSSL name of the group that was used for the key agreement of the
+ * established TLS connection. Returns "" if there is no group.
+ **/
+ virtual std::string tlsGroupString() const PURE;
+
 /**
 * @return std::string the TLS version (e.g., TLSv1.2, TLSv1.3) used in the established TLS
 * connection.
diff --git a/source/common/formatter/stream_info_formatter.cc b/source/common/formatter/stream_info_formatter.cc
index 09f3c6ce56a9d..67397bcfb7a90 100644
--- a/source/common/formatter/stream_info_formatter.cc
+++ b/source/common/formatter/stream_info_formatter.cc
@@ -1646,6 +1646,15 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide
 return connection_info.ciphersuiteString();
 });
 }}},
+ {"UPSTREAM_TLS_GROUP",
+ {CommandSyntaxChecker::COMMAND_ONLY,
+ [](absl::string_view, absl::optional) {
+ return std::make_unique<
+ StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+ [](const Ssl::ConnectionInfo& connection_info) {
+ return connection_info.tlsGroupString();
+ });
+ }}},
 {"UPSTREAM_TLS_VERSION",
 {CommandSyntaxChecker::COMMAND_ONLY,
 [](absl::string_view, absl::optional) {
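Review bot: The two new docblocks call the value "the OpenSSL id" / "the OpenSSL name", but the implementation hunk in connection_info_impl_base.cc obtains it from `SSL_get_group_id`, whose result is the TLS NamedGroup code point from the IANA registry (the same kind of identifier `ciphersuiteId()` exposes for the cipher), and the name comes from BoringSSL's table for that id. Suggest `@return uint16_t the IANA TLS NamedGroup id of the group used for the key agreement of the established TLS connection. Returns 0 if no group was negotiated (presumably a resumption without a key share).` and, for the string accessor, `@return std::string the BoringSSL name of that group (e.g. X25519). Returns "" if there is no group or the id is not known to BoringSSL.`, so callers auditing negotiated key-exchange groups are not misled about which namespace the id belongs to. The enclosing `ConnectionInfo` class continues outside the hunk.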
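Review bot: The new `UPSTREAM_TLS_GROUP` command operator (and `DOWNSTREAM_TLS_GROUP` in the hunk at -2088 below, which is identical apart from the provider class) is not accompanied by an entry in the access-log command-operator documentation anywhere in this diff. Per the interface docblock the extractor yields `""` when no group was negotiated, so the docs should state what the log shows in that case — presumably `-` if the provider treats an empty string as absent like the neighbouring `_TLS_CIPHER` fields, otherwise an empty field — and that the value names the key-agreement group rather than the cipher suite, which is what operators need when auditing which groups their peers negotiate. The enclosing lookup-table function starts and ends outside both hunks.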
@@ -2088,6 +2097,15 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide
 return connection_info.ciphersuiteString();
 });
 }}},
+ {"DOWNSTREAM_TLS_GROUP",
+ {CommandSyntaxChecker::COMMAND_ONLY,
+ [](absl::string_view, absl::optional) {
+ return std::make_unique<
+ StreamInfoSslConnectionInfoFormatterProvider>(
+ [](const Ssl::ConnectionInfo& connection_info) {
+ return connection_info.tlsGroupString();
+ });
+ }}},
 {"DOWNSTREAM_TLS_VERSION",
 {CommandSyntaxChecker::COMMAND_ONLY,
 [](absl::string_view, absl::optional) {
diff --git a/source/common/tls/connection_info_impl_base.cc b/source/common/tls/connection_info_impl_base.cc
index a05794f4248ca..43cf10e3e91af 100644
--- a/source/common/tls/connection_info_impl_base.cc
+++ b/source/common/tls/connection_info_impl_base.cc
@@ -351,6 +351,17 @@ std::string ConnectionInfoImplBase::ciphersuiteString() const {
 return SSL_CIPHER_get_name(cipher);
 }
+uint16_t ConnectionInfoImplBase::tlsGroupId() const { return SSL_get_group_id(ssl()); }
+
+std::string ConnectionInfoImplBase::tlsGroupString() const {
+ const char* group = SSL_get_group_name(tlsGroupId());
+ if (group == nullptr) {
+ return {};
+ }
+
+ return group;
+}
+
 const std::string& ConnectionInfoImplBase::tlsVersion() const {
 return getCachedValueOrCreate(
 CachedValueTag::TlsVersion, [](SSL* ssl) { return std::string(SSL_get_version(ssl)); });
diff --git a/source/common/tls/connection_info_impl_base.h b/source/common/tls/connection_info_impl_base.h
index 42218958772e2..64b12436bc66b 100644
--- a/source/common/tls/connection_info_impl_base.h
+++ b/source/common/tls/connection_info_impl_base.h
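Review bot: `tlsGroupString()` resolves the name through the virtual `tlsGroupId()` instead of reading the handle itself, so a subclass that overrides the id accessor silently changes the reported name too, whereas `ciphersuiteString()` just above takes the cipher from the handle directly (its body begins outside the hunk). Consider `const char* group = SSL_get_group_name(SSL_get_group_id(ssl()));` so the two accessors stay independent, and a why-comment on the null check, e.g. `// No group negotiated (id 0) or an id BoringSSL cannot name: report "" as the interface promises.` Because this string is surfaced in access logs by the formatter hunks above, a unit test pinning the id-0 / empty-string path and a known group name would be worth adding; none is visible in this diff.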
@@ -54,6 +54,8 @@ class ConnectionInfoImplBase : public Ssl::ConnectionInfo {
 const std::string& sessionId() const override;
 uint16_t ciphersuiteId() const override;
 std::string ciphersuiteString() const override;
+ uint16_t tlsGroupId() const override;
+ std::string tlsGroupString() const override;
 const std::string& tlsVersion() const override;
 const std::string& alpn() const override;
 const std::string& sni() const override;
diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h
index 5eea5bbdc7f2f..652df0858929c 100644
--- a/test/mocks/ssl/mocks.h
+++ b/test/mocks/ssl/mocks.h
@@ -79,6 +79,8 @@ class MockConnectionInfo : public ConnectionInfo {
 MOCK_METHOD(const std::string&, sessionId, (), (const));
 MOCK_METHOD(uint16_t, ciphersuiteId, (), (const));
 MOCK_METHOD(std::string, ciphersuiteString, (), (const));
+ MOCK_METHOD(uint16_t, tlsGroupId, (), (const));
+ MOCK_METHOD(std::string, tlsGroupString, (), (const));
 MOCK_METHOD(const std::string&, tlsVersion, (), (const));
 MOCK_METHOD(const std::string&, alpn, (), (const));
 MOCK_METHOD(const std::string&, sni, (), (const));