11 changes: 8 additions & 3 deletions site-src/concepts/api-overview.md
Expand Up @@ -117,8 +117,13 @@ modifying them in-flight.

TLSRoute is for multiplexing TLS connections, discriminated via SNI. It's intended
for where you want to use the SNI as the main routing method, and are not interested
in properties of the higher-level protocols like HTTP. The byte stream of the
connection is proxied without any inspection to the backend.
in properties of the higher-level protocols like HTTP. When using a `Passthrough`
TLS listener, the encrypted byte stream of the connection is proxied directly to
the backend destination (which is then responsible for decrypting the stream)
without any introspection beyond the TLS metadata. When using a `Terminate`
TLS listener, encryption is terminated at the gateway to "unwrap" the connection,
allowing traffic inspection and routing based on attributes of the inner request
payload.

#### TCPRoute and UDPRoute

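Review bot: the last sentence of the new paragraph overstates what a `Terminate` listener gives a TLSRoute. The route's discriminator is still SNI (the TLSRoute row in the table below says "SNI or other TLS properties"), so terminating at the gateway makes the plaintext available to the backend but does not make the gateway route "based on attributes of the inner request payload"; routing on inner HTTP attributes is what HTTPRoute on an HTTPS listener does. Suggested wording: "When using a `Terminate` TLS listener, the TLS session is terminated at the gateway and the decrypted byte stream is forwarded to the backend." Two precision points worth folding in: in `Passthrough` mode the part of the stream the gateway actually reads is the unencrypted ClientHello, where the SNI lives, which is more concrete than "the TLS metadata"; and in `Terminate` mode the gateway-to-backend hop is cleartext unless upstream TLS is configured separately, which is the security consequence a reader of this paragraph most needs to see.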
Expand Down Expand Up @@ -157,7 +162,7 @@ to allow multiple Routes to share ports on the Listener.
|------|---------|---------------------|-----------|-------|
|HTTPRoute| Layer 7 | Anything in the HTTP Protocol | Terminated only | HTTP and HTTPS Routing|
|TLSRoute| Somewhere between layer 4 and 7| SNI or other TLS properties| Passthrough or Terminated | Routing of TLS protocols including HTTPS where inspection of the HTTP stream is not required.|
|TCPRoute| Layer 4| destination port | Passthrough or Terminated | Allows for forwarding of a TCP stream from the Listener to the Backends |
|TCPRoute| Layer 4| destination port | Terminated | Allows for forwarding of a TCP stream from the Listener to the Backends |
|UDPRoute| Layer 4| destination port | None | Allows for forwarding of a UDP stream from the Listener to the Backends. |
|GRPCRoute| Layer 7 | Anything in the gRPC Protocol | Terminated only | gRPC Routing over HTTP/2 and HTTP/2 cleartext|

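Review bot: changing the TCPRoute row from "Passthrough or Terminated" to "Terminated" reads as if every TCPRoute involves TLS, but a TCPRoute bound to a plain `TCP` listener carries no TLS at all; the UDPRoute row directly below uses "None" for exactly that case. If the intent is "no TLS on a TCP listener, terminated TLS when bound to a TLS listener", the cell should say "None or Terminated" so it does not imply a certificate is required for every TCPRoute. Dropping "Passthrough" is right, since a passed-through TLS stream is what TLSRoute is for.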
10 changes: 7 additions & 3 deletions site-src/guides/tls.md
Expand Up @@ -12,7 +12,7 @@ implementation(s) you're using with Gateway API.

!!! info "Experimental Channel"

The `TLSRoute` and `BackendTLSPolicy` resources described below are currently only included in the
The `TLSRoute` resource described below is currently only included in the
"Experimental" channel of Gateway API. For more information on release
channels, refer to our [versioning guide](../concepts/versioning.md).

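Review bot: removing `BackendTLSPolicy` from the Experimental Channel admonition implies it has moved to the Standard channel, but nothing in the guide now records that, and readers pinned to an older release will still find it experimental there. Consider adding a sentence naming the release in which `BackendTLSPolicy` changed channels (or linking the channel table in the versioning guide already referenced here) at the first place the guide uses it.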
Expand All @@ -26,14 +26,15 @@ For Gateways, there are two connections involved:
- **upstream**: This is the connection between the Gateway and backend resources
specified by routes. These backend resources will usually be Services.

With Gateway API, TLS configuration of downstream and
upstream connections is managed independently.
With Gateway API, TLS configuration of downstream and upstream connections is
managed independently.

For downstream connections, depending on the Listener Protocol, different TLS modes and Route types are supported.

| Listener Protocol | TLS Mode | Route Type Supported |
|-------------------|-------------|---------------------|
| TLS | Passthrough | TLSRoute |
| TLS | Terminate | TLSRoute (extended) |
| TLS | Terminate | TCPRoute |
| HTTPS | Terminate | HTTPRoute |
| GRPC | Terminate | GRPCRoute |
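Review bot: replacing `TLSRoute (extended)` with `TCPRoute` in the `TLS` / `Terminate` row contradicts two other places in this same PR: the sentence added further down in this file ("For `TLSRoute`, the use of `Terminate` means that the TLS termination happens on the `Gateway` ...") and the api-overview.md table, whose TLSRoute row still says "Passthrough or Terminated". Either TLSRoute can attach to a Terminate listener, in which case this table needs a `| TLS | Terminate | TLSRoute |` row alongside the TCPRoute one, or it cannot, in which case the new sentence should be about TCPRoute and the api-overview row should drop "Terminated". Whichever it is, this table is the only place readers see the mode-to-route matrix, so it has to match the prose.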
Expand All @@ -47,6 +48,9 @@ upstream TLS configuration. For `HTTPRoute`, the use of both `Terminate` TLS mod
Using these together provides what is commonly known as a connection that is terminated and then re-encrypted at
the Gateway.

For `TLSRoute`, the use of `Terminate` means that the TLS termination happens on
the `Gateway` and the connection to the backend resumes as an unencrypted connection.

## Downstream TLS

Downstream TLS settings are configured using listeners at the Gateway level.
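Review bot: "resumes as an unencrypted connection" is ambiguous and stronger than the paragraph above supports. Nothing resumes; the gateway opens a separate upstream connection (the "upstream" definition earlier in this file). And the preceding sentences say that for `HTTPRoute` the `Terminate` mode can be combined with `BackendTLSPolicy` so the upstream hop is re-encrypted; the new sentence should say whether that also applies here, otherwise readers will conclude the backend hop is always cleartext. Suggested wording: "For `TLSRoute`, `Terminate` means the TLS session is terminated on the `Gateway` and the decrypted stream is forwarded to the backend over a plain TCP connection unless upstream TLS is configured via `BackendTLSPolicy`." If `BackendTLSPolicy` does not apply to these backends, state that explicitly instead of leaving it implied.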