diff --git a/Documentation/security.md b/Documentation/security.md index 291829d0d..e0ef0d836 100644 --- a/Documentation/security.md +++ b/Documentation/security.md @@ -143,6 +143,14 @@ $ etcd -name infra2 -data-dir infra2 \ The etcd members will form a cluster and all communication between members in the cluster will be encrypted and authenticated using the client certificates. You will see in the output of etcd that the addresses it connects to use HTTPS. +## Notes For etcd Proxy + +etcd proxy terminates the TLS from its client if the connection is secure, and uses proxy's own key/cert specified in `--peer-key-file` and `--peer-cert-file` to communicate with etcd members. + +The proxy communicates with etcd members through both the `--advertise-client-urls` and `--advertise-peer-urls` of a given member. It forwards client requests to etcd members’ advertised client urls, and it syncs the initial cluster configuration through etcd members’ advertised peer urls. + +When client authentication is enabled for an etcd member, the administrator must ensure that the peer certificate specified in the proxy's `--peer-cert-file` option is valid for that authentication. The proxy's peer certificate must also be valid for peer authentication if peer authentication is enabled. + ## Frequently Asked Questions ### My cluster is not working with peer tls configuration?
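Review bot: the new "Notes For etcd Proxy" section should state the consequence of the TLS termination it describes: because the proxy re-originates the connection with its own `--peer-key-file`/`--peer-cert-file`, members only ever see the proxy's identity, so any per-client certificate authentication a member does cannot distinguish clients behind the proxy; an administrator reading this section needs that spelled out before deciding to put a proxy in front of a cluster with client cert auth enabled. The third paragraph's "valid for that authentication" is also too vague to act on; suggest saying concretely that the certificate in `--peer-cert-file` must chain to the CA the member trusts for client connections, and additionally to the CA it trusts for peer connections when peer authentication is enabled (the two may differ). Minor style: "Notes For etcd Proxy" should be "Notes for etcd Proxy" to match the other headings, "urls" should be "URLs" as elsewhere in the document, and "members’ advertised client urls" uses a curly apostrophe where the rest of the file uses straight quotes.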