diff --git a/agent/structs/config_entry_gateways.go b/agent/structs/config_entry_gateways.go
index 91a35bd32..d7eb97a73 100644
--- a/agent/structs/config_entry_gateways.go
+++ b/agent/structs/config_entry_gateways.go
@@ -171,7 +171,7 @@ func (e *IngressGatewayConfigEntry) Validate() error {
 					return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port)
 				}
 				declaredHosts[h] = true
-				if err := validateHost(h); err != nil {
+				if err := validateHost(e.TLS.Enabled, h); err != nil {
 					return err
 				}
 			}
@@ -181,7 +181,16 @@ func (e *IngressGatewayConfigEntry) Validate() error {
 	return nil
 }
 
-func validateHost(host string) error {
+func validateHost(tlsEnabled bool, host string) error {
+	// Special case '*' so that non-TLS ingress gateways can use it. This allows
+	// an easy demo/testing experience.
+	if host == "*" {
+		if tlsEnabled {
+			return fmt.Errorf("Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN")
+		}
+		return nil
+	}
+
 	wildcardPrefix := "*."
 	if _, ok := dns.IsDomainName(host); !ok {
 		return fmt.Errorf("Host %q must be a valid DNS hostname", host)
@@ -191,10 +200,6 @@ func validateHost(host string) error {
 		return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host)
 	}
 
-	if host == "*" {
-		return fmt.Errorf("Host '*' is not allowed, wildcards can only be used as a prefix/suffix")
-	}
-
 	return nil
 }
 
diff --git a/agent/structs/config_entry_gateways_test.go b/agent/structs/config_entry_gateways_test.go
index f7031943c..24fdc50d4 100644
--- a/agent/structs/config_entry_gateways_test.go
+++ b/agent/structs/config_entry_gateways_test.go
@@ -392,6 +392,48 @@ func TestIngressConfigEntry_Validate(t *testing.T) {
 			},
 			expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`,
 		},
+		{
+			name: "wildcard specifier is allowed for hosts when TLS is disabled",
+			entry: IngressGatewayConfigEntry{
+				Kind: "ingress-gateway",
+				Name: "ingress-web",
+				Listeners: []IngressListener{
+					{
+						Port:     1111,
+						Protocol: "http",
+						Services: []IngressService{
+							{
+								Name:  "db",
+								Hosts: []string{"*"},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "wildcard specifier is not allowed for hosts when TLS is enabled",
+			entry: IngressGatewayConfigEntry{
+				Kind: "ingress-gateway",
+				Name: "ingress-web",
+				TLS: GatewayTLSConfig{
+					Enabled: true,
+				},
+				Listeners: []IngressListener{
+					{
+						Port:     1111,
+						Protocol: "http",
+						Services: []IngressService{
+							{
+								Name:  "db",
+								Hosts: []string{"*"},
+							},
+						},
+					},
+				},
+			},
+			expectErr: `Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN`,
+		},
 	}
 
 	for _, test := range cases {