diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 0ce1203cfb..1d20a8f7f7 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -216,6 +216,14 @@
         <varname>BindIPv6Only=</varname> setting (see below).
         </para>
 
+        <para>If the address string is a string in the format
+        <literal>vsock:x:y</literal>, it is read as CID <literal>x</literal> on
+        a port <literal>y</literal> address in the
+        <constant>AF_VSOCK</constant> family.  The CID is a unique 32-bit
+        integer identifier in <constant>AF_VSOCK</constant> analogous to an IP
+        address.  Specifying the CID is optional, and may be set to the empty
+        string.</para>
+
         <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
         <varname>ListenSequentialPacket=</varname>) is only available
         for <constant>AF_UNIX</constant> sockets.
diff --git a/src/core/service.c b/src/core/service.c
index dc7b685cd3..54074ff7bc 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1292,7 +1292,7 @@ static int service_spawn(
                                 return r;
                 }
 
-                if (r == 0 && IN_SET(sa.sa.sa_family, AF_INET, AF_INET6)) {
+                if (r == 0 && IN_SET(sa.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
                         _cleanup_free_ char *addr = NULL;
                         char *t;
                         unsigned port;
diff --git a/src/core/socket.c b/src/core/socket.c
index 521688bed5..c4ce88c5f4 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -485,12 +485,13 @@ static void peer_address_hash_func(const void *p, struct siphash *state) {
         const SocketPeer *s = p;
 
         assert(s);
-        assert(IN_SET(s->peer.sa.sa_family, AF_INET, AF_INET6));
 
         if (s->peer.sa.sa_family == AF_INET)
                 siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
         else if (s->peer.sa.sa_family == AF_INET6)
                 siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
+        else if (s->peer.sa.sa_family == AF_VSOCK)
+                siphash24_compress(&s->peer.vm.svm_cid, sizeof(s->peer.vm.svm_cid), state);
         else
                 assert_not_reached("Unknown address family.");
 }
@@ -508,6 +509,12 @@ static int peer_address_compare_func(const void *a, const void *b) {
                 return memcmp(&x->peer.in.sin_addr, &y->peer.in.sin_addr, sizeof(x->peer.in.sin_addr));
         case AF_INET6:
                 return memcmp(&x->peer.in6.sin6_addr, &y->peer.in6.sin6_addr, sizeof(x->peer.in6.sin6_addr));
+        case AF_VSOCK:
+                if (x->peer.vm.svm_cid < y->peer.vm.svm_cid)
+                        return -1;
+                if (x->peer.vm.svm_cid > y->peer.vm.svm_cid)
+                        return 1;
+                return 0;
         }
         assert_not_reached("Black sheep in the family!");
 }
@@ -594,7 +601,7 @@ int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
         if (r < 0)
                 return log_error_errno(errno, "getpeername failed: %m");
 
-        if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6)) {
+        if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
                 *p = NULL;
                 return 0;
         }
@@ -941,6 +948,16 @@ static int instance_from_socket(int fd, unsigned nr, char **instance) {
                 break;
         }
 
+        case AF_VSOCK:
+                if (asprintf(&r,
+                             "%u-%u:%u-%u:%u",
+                             nr,
+                             local.vm.svm_cid, local.vm.svm_port,
+                             remote.vm.svm_cid, remote.vm.svm_port) < 0)
+                        return -ENOMEM;
+
+                break;
+
         default:
                 assert_not_reached("Unhandled socket type.");
         }