diff --git a/src/docs/deploy/exposing-your-app.md b/src/docs/deploy/exposing-your-app.md
index dfb67ade9..f4601dab0 100644
--- a/src/docs/deploy/exposing-your-app.md
+++ b/src/docs/deploy/exposing-your-app.md
@@ -23,6 +23,7 @@ width={1396} height={628} quality={80} />
One or more custom domains can be added to a Railway service (tied to a specific environment).
Here's how it works:
+
1. Navigate to the Settings tab of your desired service
2. Add a custom domain and type in the name (wildcard domains are supported)
3. Add the `CNAME` records to the DNS settings for your domain
@@ -38,10 +39,12 @@ width={1338} height={808} quality={80} />
worldwide. Freenom is not allowed, and not supported.
## Wildcard Domains
+
There are a few important things to know when using Wildcard Domains:
+
1. Ensure that the CNAME record for authorize.railwaydns.net is not proxied by your provider (eg: Cloudflare). This is required for the verification process to work.
-3. Wildcards can be used for any subdomain level (eg: `*.yourdomain.com` or `*.subdomain.yourdomain.com`).
-4. You cannot nest wildcards (eg: \*.\*.yourdomain.com).
+2. Wildcards can be used for any subdomain level (eg: `*.yourdomain.com` or `*.subdomain.yourdomain.com`).
+3. You cannot nest wildcards (eg: \*.\*.yourdomain.com).
-In order to use Wildcard Domains, you must add two CNAME records, one for the wildcard domain, and one for the _acme-challenge. The _acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain.
+In order to use Wildcard Domains, you must add two CNAME records, one for the wildcard domain, and one for the \_acme-challenge. The \_acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain.
+
+**NOTE:** If you're using Cloudflare, it is important that the \_acme-challenge record has Cloudflare proxying disabled (no orange cloud).
+
+## TCP Proxying
+
+
-**NOTE:** If you're using Cloudflare, it is important that the _acme-challenge record has Cloudflare proxying disabled (no orange cloud).
+You can proxy TCP traffic to your service by creating a TCP proxy in the service settings. Enter the port that you want traffic proxied to, Railway will generate a domain and port for you to use. All traffic sent to `domain:port` will be proxied to your service. This is useful for services that don't support HTTP, such as databases.
+
+
## Private Networks
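Review bot: The new TCP Proxying paragraph says all traffic sent to `domain:port` is proxied to the service and recommends this for databases, but it does not say who can reach the generated endpoint or whether the proxy adds any authentication or encryption. Please add a sentence that states this, and if the endpoint is reachable from the internet, tell readers that the service's own authentication and TLS settings are what protect it. The same paragraph has a comma splice ("...proxied to, Railway will generate..."); split it into two sentences. The section also adds two consecutive blank lines after the `## TCP Proxying` heading and again after the paragraph, where one is enough.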
@@ -76,6 +91,7 @@ layout="responsive"
width={1205} height={901} quality={80} />
If proxying is not enabled, Cloudflare will not associate the domain with your Railway project with the following error:
+
```
ERR_TOO_MANY_REDIRECTS
```
@@ -87,6 +103,7 @@ Also note that if proxying is enabled, you can NOT use a domain deeper than a fi
Some domain registrars don't fully support CNAME records. As a result - when you add an `@` record for a CNAME, the domain registrar will create an invalid `A` record.
Registrars that are known to not fully support CNAME records for the root domain include:
+
- Freenom
- GoDaddy
- Ionos
diff --git a/src/docs/reference/private-networking.md b/src/docs/reference/private-networking.md
index 97976bd27..892cdf8c8 100644
--- a/src/docs/reference/private-networking.md
+++ b/src/docs/reference/private-networking.md
@@ -45,6 +45,7 @@ Requests to replica DNS service address will be round robin'd between all replic
## Caveats
During the feature development process we found a few caveats that you should be aware of:
+
- Railway databases are not accessible via the private network, we are moving towards a system where DBs are services with volumes attached.
- You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application.
- You will need to bind to a IPv6 port to receive traffic on the private network.
@@ -52,9 +53,10 @@ During the feature development process we found a few caveats that you should be
- Private networks take 100ms to initialize on deploy, we ask that you set initial requests on a retry loop.
- We don't support IPv4 private networking
- Alpine-based images may not work with our internal DNS due to how it performs
-resolution. See the section below for a workaround.
+ resolution. See the section below for a workaround.
## Workaround for Alpine-based images
+
During private networking initialization (the period under 100ms), dns resolution is handled via a fallback DNS server 8.8.8.8 in the container DNS config.
However, in Alpine-based images, due to how DNS resolution is handled, if that public DNS server's response is faster than the private networking DNS, it causes private resolution to fail.