diff --git a/cilium/grpc_subscription.cc b/cilium/grpc_subscription.cc index 3ff91d520..5b716be12 100644 --- a/cilium/grpc_subscription.cc +++ b/cilium/grpc_subscription.cc @@ -125,8 +125,8 @@ subscribe(const std::string& type_url, const LocalInfo::LocalInfo& local_info, std::chrono::milliseconds init_fetch_timeout) { const envoy::config::core::v3::ApiConfigSource& api_config_source = cilium_xds_api_config.api_config_source(); - Config::Utility::checkApiConfigSourceSubscriptionBackingCluster(cm.primaryClusters(), - api_config_source); + THROW_IF_NOT_OK(Config::Utility::checkApiConfigSourceSubscriptionBackingCluster( + cm.primaryClusters(), api_config_source)); Config::SubscriptionStats stats = Config::Utility::generateStats(scope); Envoy::Config::SubscriptionOptions options; @@ -134,15 +134,20 @@ subscribe(const std::string& type_url, const LocalInfo::LocalInfo& local_info, // No-op custom validators Envoy::Config::CustomConfigValidatorsPtr nop_config_validators = std::make_unique(); + auto factory_or_error = Config::Utility::factoryForGrpcApiConfigSource( + cm.grpcAsyncClientManager(), api_config_source, scope, true); + THROW_IF_STATUS_NOT_OK(factory_or_error, throw); + + absl::StatusOr rate_limit_settings_or_error = + Config::Utility::parseRateLimitSettings(api_config_source); + THROW_IF_STATUS_NOT_OK(rate_limit_settings_or_error, throw); Config::GrpcMuxContext grpc_mux_context{ - Config::Utility::factoryForGrpcApiConfigSource(cm.grpcAsyncClientManager(), api_config_source, - scope, true) - ->createUncachedRawAsyncClient(), + factory_or_error.value()->createUncachedRawAsyncClient(), /*dispatcher_=*/dispatcher, /*service_method_=*/sotwGrpcMethod(type_url), /*local_info_=*/local_info, - /*rate_limit_settings_=*/Config::Utility::parseRateLimitSettings(api_config_source), + /*rate_limit_settings_=*/rate_limit_settings_or_error.value(), /*scope_=*/scope, /*config_validators_=*/std::move(nop_config_validators), /*xds_resources_delegate_=*/absl::nullopt, 
diff --git a/cilium/network_filter.cc b/cilium/network_filter.cc index 505f3988f..132ed690b 100644 --- a/cilium/network_filter.cc +++ b/cilium/network_filter.cc @@ -25,8 +25,9 @@ namespace Configuration { class CiliumNetworkConfigFactory : public NamedNetworkFilterConfigFactory { public: // NamedNetworkFilterConfigFactory - Network::FilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config, - FactoryContext& context) override { + absl::StatusOr + createFilterFactoryFromProto(const Protobuf::Message& proto_config, + FactoryContext& context) override { auto config = std::make_shared( MessageUtil::downcastAndValidate( proto_config, context.messageValidationVisitor()), diff --git a/cilium/network_policy.cc b/cilium/network_policy.cc index 82607e579..40ca2a330 100644 --- a/cilium/network_policy.cc +++ b/cilium/network_policy.cc @@ -168,7 +168,8 @@ class HttpNetworkPolicyRule : public Logger::Loggable { ENVOY_LOG(trace, "Cilium L7 HttpNetworkPolicyRule():"); headers_.reserve(rule.headers().size()); for (const auto& header : rule.headers()) { - headers_.emplace_back(std::make_unique(header)); + headers_.emplace_back(std::make_unique( + header, parent.transportFactoryContext().serverFactoryContext())); const auto& header_data = *headers_.back(); ENVOY_LOG(trace, "Cilium L7 HttpNetworkPolicyRule(): HeaderData {}={}", header_data.name_.get(), @@ -284,9 +285,11 @@ class HttpNetworkPolicyRule : public Logger::Loggable { class L7NetworkPolicyRule : public Logger::Loggable { public: - L7NetworkPolicyRule(const cilium::L7NetworkPolicyRule& rule) : name_(rule.name()) { + L7NetworkPolicyRule(const NetworkPolicyMap& parent, const cilium::L7NetworkPolicyRule& rule) + : name_(rule.name()) { for (const auto& matcher : rule.metadata_rule()) { - metadata_matchers_.emplace_back(matcher); + metadata_matchers_.emplace_back(matcher, + parent.transportFactoryContext().serverFactoryContext()); matchers_.emplace_back(matcher); } } 
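Review bot: `CiliumNetworkConfigFactory::createFilterFactoryFromProto` now returns `absl::StatusOr`, but the only failure path visible in the hunk, `MessageUtil::downcastAndValidate`, still reports a bad config by throwing (as far as I know), so the function has two error channels and nothing says which one callers should expect. A short comment above the override would settle it, for example `// Invalid proto config is reported by exception from downcastAndValidate(); the returned StatusOr carries no validation errors.`, adjusted to whatever the rest of the body really does. The body continues outside the hunk, so I cannot see whether any non-OK status is ever returned. The same applies to the two `createFilterFactoryFromProto` overrides changed in cilium/websocket.cc.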
@@ -353,10 +356,10 @@ class PortNetworkPolicyRule : public Logger::Loggable { if (l7_proto_.length() > 0 && rule.has_l7_rules()) { const auto& ruleset = rule.l7_rules(); for (const auto& l7_rule : ruleset.l7_deny_rules()) { - l7_deny_rules_.emplace_back(l7_rule); + l7_deny_rules_.emplace_back(parent, l7_rule); } for (const auto& l7_rule : ruleset.l7_allow_rules()) { - l7_allow_rules_.emplace_back(l7_rule); + l7_allow_rules_.emplace_back(parent, l7_rule); } } } diff --git a/cilium/network_policy.h b/cilium/network_policy.h index f09d5e21a..7c114f9bf 100644 --- a/cilium/network_policy.h +++ b/cilium/network_policy.h @@ -13,7 +13,7 @@ #include "source/common/init/target_impl.h" #include "source/common/init/watcher_impl.h" #include "source/common/protobuf/message_validator_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "source/server/transport_socket_config_impl.h" #include "cilium/accesslog.h" diff --git a/cilium/secret_watcher.cc b/cilium/secret_watcher.cc index cee745e27..5fd08a592 100644 --- a/cilium/secret_watcher.cc +++ b/cilium/secret_watcher.cc @@ -45,7 +45,9 @@ void SecretWatcher::store() { const auto* secret = secret_provider_->secret(); if (secret != nullptr) { Api::Api& api = parent_.transportFactoryContext().serverFactoryContext().api(); - std::string* p = new std::string(Config::DataSource::read(secret->secret(), true, api)); + auto string_or_error = Config::DataSource::read(secret->secret(), true, api); + THROW_IF_STATUS_NOT_OK(string_or_error, throw) + std::string* p = new std::string(string_or_error.value()); std::string* old = ptr_.exchange(p, std::memory_order_release); if (old != nullptr) { // Delete old value after all threads have scheduled 
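Review bot: In `SecretWatcher::store()` (cilium/secret_watcher.cc) the secret bytes are copied out of `string_or_error`, so two heap copies of the secret exist until the local goes out of scope. Moving the value avoids the extra copy: `std::string* p = new std::string(std::move(string_or_error.value()));`. The `THROW_IF_STATUS_NOT_OK(string_or_error, throw)` line also lacks the trailing `;` that the same macro has in cilium/grpc_subscription.cc, which only compiles because of how the macro happens to expand. `store()` can now throw when the secret cannot be read. Its callers are outside the hunk, so it is worth confirming that an exception on a secret update is caught, so that the previous secret stays in place rather than the worker being taken down.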
@@ -125,7 +127,7 @@ DownstreamTLSContext::DownstreamTLSContext(const NetworkPolicyMap& parent, context_config, parent.transportFactoryContext()); auto create_server_context = [this]() { ENVOY_LOG(debug, "Server secret is updated."); - auto ctx = manager_.createSslServerContext(scope_, *server_config_, server_names_); + auto ctx = manager_.createSslServerContext(scope_, *server_config_, server_names_, nullptr); { absl::WriterMutexLock l(&ssl_context_mutex_); std::swap(ctx, server_context_); diff --git a/cilium/secret_watcher.h b/cilium/secret_watcher.h index 2976707c7..dd4d3ad65 100644 --- a/cilium/secret_watcher.h +++ b/cilium/secret_watcher.h @@ -2,11 +2,10 @@ #include -#include "envoy/secret/secret_manager.h" #include "envoy/secret/secret_provider.h" #include "source/common/init/target_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "cilium/network_policy.h" diff --git a/cilium/tls_wrapper.cc b/cilium/tls_wrapper.cc index bf1f6a617..05fb4ce4e 100644 --- a/cilium/tls_wrapper.cc +++ b/cilium/tls_wrapper.cc @@ -4,8 +4,8 @@ #include "source/common/network/raw_buffer_socket.h" #include "source/common/protobuf/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "cilium/api/tls_wrapper.pb.h" #include "cilium/network_policy.h" @@ -16,7 +16,7 @@ namespace Cilium { namespace { -using SslSocketPtr = std::unique_ptr; +using SslSocketPtr = std::unique_ptr; constexpr absl::string_view NotReadyReason{"TLS error: Secret is not supplied by SDS"}; diff --git a/cilium/websocket.cc b/cilium/websocket.cc index 4605b85e6..bc10036d0 100644 --- a/cilium/websocket.cc +++ b/cilium/websocket.cc 
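Review bot: The new fourth argument to `createSslServerContext` in the `create_server_context` lambda is a bare `nullptr`, which does not tell a reader what is being left unset on the server TLS context. An argument-name comment in the style this change already uses for `GrpcMuxContext` would make it reviewable: `manager_.createSslServerContext(scope_, *server_config_, server_names_, /*additional_init=*/nullptr);`. That parameter name is as I recall it from Envoy's context manager, so confirm it against the header. The lambda and the enclosing constructor continue outside the hunk.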
@@ -57,7 +57,7 @@ class CiliumWebSocketServerConfigFactory : public Server::Configuration::NamedNetworkFilterConfigFactory { public: // NamedNetworkFilterConfigFactory - Network::FilterFactoryCb + absl::StatusOr createFilterFactoryFromProto(const Protobuf::Message& proto_config, Server::Configuration::FactoryContext& context) override { auto config = std::make_shared( @@ -90,7 +90,7 @@ class CiliumWebSocketClientConfigFactory : public Server::Configuration::NamedNetworkFilterConfigFactory { public: // NamedNetworkFilterConfigFactory - Network::FilterFactoryCb + absl::StatusOr createFilterFactoryFromProto(const Protobuf::Message& proto_config, Server::Configuration::FactoryContext& context) override { auto config = std::make_shared( diff --git a/tests/accesslog_server.cc b/tests/accesslog_server.cc index 57cd27b77..7a2177d79 100644 --- a/tests/accesslog_server.cc +++ b/tests/accesslog_server.cc @@ -1,8 +1,6 @@ #include "tests/accesslog_server.h" #include -#include -#include #include #include diff --git a/tests/bpf_metadata.cc b/tests/bpf_metadata.cc index 855a56625..bfa825739 100644 --- a/tests/bpf_metadata.cc +++ b/tests/bpf_metadata.cc @@ -1,5 +1,7 @@ #include "tests/bpf_metadata.h" +#include "envoy/common/exception.h" + #include "source/common/common/logger.h" #include "source/common/config/utility.h" #include "source/extensions/config_subscription/filesystem/filesystem_subscription_impl.h" 
@@ -34,8 +36,8 @@ createHostMap(const std::string& config, Server::Configuration::ListenerFactoryC ENVOY_LOG_MISC(debug, "Loading Cilium Host Map from file \'{}\' instead of using gRPC", path); - Envoy::Config::Utility::checkFilesystemSubscriptionBackingPath( - path, context.serverFactoryContext().api()); + THROW_IF_NOT_OK(Envoy::Config::Utility::checkFilesystemSubscriptionBackingPath( + path, context.serverFactoryContext().api())); Envoy::Config::SubscriptionStats stats = Envoy::Config::Utility::generateStats(context.scope()); auto map = std::make_shared(context.serverFactoryContext()); @@ -61,8 +63,8 @@ createPolicyMap(const std::string& config, auto& sds_config = sds_pair.second; std::string sds_path = TestEnvironment::writeStringToFileForTest( fmt::sprintf("secret-%s.yaml", name), sds_config); - Envoy::Config::Utility::checkFilesystemSubscriptionBackingPath( - sds_path, context.serverFactoryContext().api()); + THROW_IF_NOT_OK(Envoy::Config::Utility::checkFilesystemSubscriptionBackingPath( + sds_path, context.serverFactoryContext().api())); } Cilium::setSDSConfigFunc( [](const std::string& name) -> envoy::config::core::v3::ConfigSource { @@ -82,8 +84,8 @@ createPolicyMap(const std::string& config, "Loading Cilium Network Policy from file \'{}\' instead " "of using gRPC", policy_path); - Envoy::Config::Utility::checkFilesystemSubscriptionBackingPath( - policy_path, context.serverFactoryContext().api()); + THROW_IF_NOT_OK(Envoy::Config::Utility::checkFilesystemSubscriptionBackingPath( + policy_path, context.serverFactoryContext().api())); Envoy::Config::SubscriptionStats stats = Envoy::Config::Utility::generateStats(context.scope()); auto map = std::make_shared(context); diff --git a/tests/bpf_metadata.h b/tests/bpf_metadata.h index 325549cdc..da1335d36 100644 --- a/tests/bpf_metadata.h +++ b/tests/bpf_metadata.h 
@@ -4,10 +4,8 @@ #include #include "envoy/network/address.h" -#include "envoy/network/filter.h" #include "envoy/network/listen_socket.h" #include "envoy/server/factory_context.h" -#include "envoy/server/filter_config.h" #include "cilium/bpf_metadata.h" #include "cilium/host_map.h" diff --git a/tests/cilium_http_upstream_integration_test.cc b/tests/cilium_http_upstream_integration_test.cc index 1e7fe5f5d..3df79239a 100644 --- a/tests/cilium_http_upstream_integration_test.cc +++ b/tests/cilium_http_upstream_integration_test.cc @@ -1,6 +1,5 @@ #include "source/common/config/decoded_resource_impl.h" #include "source/common/network/address_impl.h" -#include "source/common/protobuf/protobuf.h" #include "source/common/thread_local/thread_local_impl.h" #include "cilium/secret_watcher.h" diff --git a/tests/cilium_tls_http_integration_test.cc b/tests/cilium_tls_http_integration_test.cc index b6d04edd4..ea51931a3 100644 --- a/tests/cilium_tls_http_integration_test.cc +++ b/tests/cilium_tls_http_integration_test.cc @@ -1,5 +1,5 @@ -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/ssl_utility.h" diff --git a/tests/cilium_tls_integration.cc b/tests/cilium_tls_integration.cc index 525f769d5..f0d7685b4 100644 --- a/tests/cilium_tls_integration.cc +++ b/tests/cilium_tls_integration.cc @@ -3,9 +3,8 @@ #include "envoy/api/api.h" #include "envoy/network/transport_socket.h" -#include "source/common/protobuf/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/server.h" #include "test/mocks/server/transport_socket_factory_context.h" 
diff --git a/tests/cilium_tls_tcp_integration_test.cc b/tests/cilium_tls_tcp_integration_test.cc index afe66f2d5..561f5f27d 100644 --- a/tests/cilium_tls_tcp_integration_test.cc +++ b/tests/cilium_tls_tcp_integration_test.cc @@ -1,5 +1,5 @@ -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/ssl_utility.h" diff --git a/tests/cilium_websocket_codec_integration_test.cc b/tests/cilium_websocket_codec_integration_test.cc index c0ae4cd71..2d5cb6522 100644 --- a/tests/cilium_websocket_codec_integration_test.cc +++ b/tests/cilium_websocket_codec_integration_test.cc @@ -1,5 +1,4 @@ #include "test/integration/integration.h" -#include "test/integration/utility.h" #include "test/test_common/environment.h" #include "tests/cilium_tcp_integration.h" diff --git a/tests/health_check_sink_server.cc b/tests/health_check_sink_server.cc index dc65ce75e..2312c5cbd 100644 --- a/tests/health_check_sink_server.cc +++ b/tests/health_check_sink_server.cc @@ -8,11 +8,6 @@ #include -#include "source/common/common/lock_guard.h" -#include "source/common/common/utility.h" - -#include "test/test_common/thread_factory_for_test.h" - namespace Envoy { HealthCheckSinkServer::HealthCheckSinkServer(const std::string path) diff --git a/tests/health_check_sink_test.cc b/tests/health_check_sink_test.cc index a4ce903f4..d76b46245 100644 --- a/tests/health_check_sink_test.cc +++ b/tests/health_check_sink_test.cc @@ -6,7 +6,6 @@ #include "test/mocks/access_log/mocks.h" #include "test/mocks/event/mocks.h" #include "test/mocks/server/health_checker_factory_context.h" -#include "test/mocks/stats/mocks.h" #include "test/test_common/utility.h" #include "cilium/api/health_check_sink.pb.h" diff --git a/tests/metadata_config_test.cc b/tests/metadata_config_test.cc index ef912a10e..68c5bd422 100644 
--- a/tests/metadata_config_test.cc +++ b/tests/metadata_config_test.cc @@ -36,8 +36,9 @@ class MetadataConfigTest : public testing::Test { .WillByDefault(Invoke([]() -> Filesystem::Watcher* { auto watcher = new Filesystem::MockWatcher(); EXPECT_CALL(*watcher, addWatch(_, Filesystem::Watcher::Events::MovedTo, _)) - .WillOnce( - Invoke([](absl::string_view, uint32_t, Filesystem::Watcher::OnChangedCb) {})); + .WillOnce(Invoke([](absl::string_view, uint32_t, Filesystem::Watcher::OnChangedCb) { + return absl::OkStatus(); + })); Mock::AllowLeak(watcher); return watcher; })); diff --git a/tests/uds_server.cc b/tests/uds_server.cc index d7b52f972..2bc9dac77 100644 --- a/tests/uds_server.cc +++ b/tests/uds_server.cc @@ -1,7 +1,6 @@ #include "tests/uds_server.h" #include -#include #include #include #include diff --git a/tests/uds_server.h b/tests/uds_server.h index 1b4ec96ad..327b110dc 100644 --- a/tests/uds_server.h +++ b/tests/uds_server.h @@ -3,7 +3,6 @@ #include #include #include -#include #include "source/common/common/logger.h" #include "source/common/common/thread.h"