diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go
index 424b179b218..999cfcc4144 100644
--- a/api/v1alpha1/connection_types.go
+++ b/api/v1alpha1/connection_types.go
@@ -5,7 +5,10 @@
 
 package v1alpha1
 
-import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
 
 // Connection allows users to configure connection-level settings
 type Connection struct {
@@ -13,6 +16,14 @@ type Connection struct {
 	//
 	// +optional
 	ConnectionLimit *ConnectionLimit `json:"connectionLimit,omitempty"`
+	// BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+	// For example, 20Mi, 1Gi, 256Ki etc.
+	// Note that when the suffix is not provided, the value is interpreted as bytes.
+	// Default: 32768 bytes.
+	//
+	// +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\""
+	// +optional
+	BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"`
 }
 
 type ConnectionLimit struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index cd6b92df8e4..f81d32af368 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -581,6 +581,11 @@ func (in *Connection) DeepCopyInto(out *Connection) {
 		*out = new(ConnectionLimit)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.BufferLimit != nil {
+		in, out := &in.BufferLimit, &out.BufferLimit
+		x := (*in).DeepCopy()
+		*out = &x
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connection.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index fb90c27071f..c702479d2ad 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -94,6 +94,20 @@ spec:
               connection:
                 description: Connection includes client connection settings.
                 properties:
+                  bufferLimit:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: 'BufferLimit provides configuration for the maximum
+                      buffer size in bytes for each incoming connection. For example,
+                      20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided,
+                      the value is interpreted as bytes. Default: 32768 bytes.'
+                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                    x-kubernetes-int-or-string: true
+                    x-kubernetes-validations:
+                    - message: bufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$"
+                      rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$")
+                        : type(self) == int'
                   connectionLimit:
                     description: ConnectionLimit defines limits related to connections
                     properties:
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 10143e0579b..dbba1bce3b7 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -386,6 +386,7 @@ _Appears in:_
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
 | `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ |  false  | ConnectionLimit defines limits related to connections |
+| `bufferLimit` | _[Quantity](#quantity)_ |  false  | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection. For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes. Default: 32768 bytes. |
 
 
 #### ConnectionLimit
diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go
index 84e1a98177e..55e1926ae60 100644
--- a/test/cel-validation/clienttrafficpolicy_test.go
+++ b/test/cel-validation/clienttrafficpolicy_test.go
@@ -11,6 +11,7 @@ package celvalidation
 import (
 	"context"
 	"fmt"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"strings"
 	"testing"
 	"time"
@@ -263,6 +264,26 @@ func TestClientTrafficPolicyTarget(t *testing.T) {
 			},
 			wantErrors: []string{},
 		},
+		{
+			desc: "invalid bufferLimit format",
+			mutate: func(ctp *egv1a1.ClientTrafficPolicy) {
+				ctp.Spec = egv1a1.ClientTrafficPolicySpec{
+					TargetRef: gwapiv1a2.PolicyTargetReferenceWithSectionName{
+						PolicyTargetReference: gwapiv1a2.PolicyTargetReference{
+							Group: gwapiv1a2.Group("gateway.networking.k8s.io"),
+							Kind:  gwapiv1a2.Kind("Gateway"),
+							Name:  gwapiv1a2.ObjectName("eg"),
+						},
+					},
+					Connection: &egv1a1.Connection{
+						BufferLimit: ptr.To(resource.MustParse("15m")),
+					},
+				}
+			},
+			wantErrors: []string{
+				"spec.connection.bufferLimit: Invalid value: \"\": bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"",
+			},
+		},
 	}
 
 	for _, tc := range cases {