403 Forbidden in case of different domain names between ingress gateway and external Service

Hi Community Professor,
Would you please help advise on the domain name issue below?

Question:
In case the domain names are the same for the ingress gateway and the external Service, ISTIO ingress gateway + ServiceEntry to proxy requests from an external client to an external backend service works well. E.g. the Hosts values are the same (e.g. data.sample.com) in all configuration files, including the Gateway and the ServiceEntry.
But in case the domain names are different between the ingress gateway and the external Service, it does not work, even though we follow the official non-existent external service sample https://istio.io/v1.8/docs/reference/config/networking/service-entry/. Any advice on this scenario?

Background:
ISTIO acts as the API Gateway for a backend data service, which is outside of the k8s/istio cluster.
ISTIO ingress and ServiceEntry are involved. The data flow is shown in the architecture below (at this stage only the ingress gateway + ServiceEntry are involved).

Architecture:

Ingress gateway Domain-Name: data.sample.com
External Service Domain-Name: www.baidu.com (sample)

Access Test:
$ kubectl port-forward svc/istio-ingress 8080:8080 -n istio-ingress
$ curl -v -H"Host:data.sample.com" "http://data.sample.com:8080/"

*   Trying 192.168.209.77...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x556bc4267fb0)
* Connected to data.sample.com (192.168.209.77) port 8080 (#0)
> GET / HTTP/1.1
> Host:data.sample.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< server: envoy
< date: Fri, 21 Oct 2022 12:55:46 GMT
< content-length: 0
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 37
<
* Connection #0 to host data.sample.com left intact

$ kubectl logs -l istio=ingress -c istio-proxy -n istio-ingress
[2022-10-21T09:16:44.289Z] "GET / HTTP/1.1" 403 - via_upstream - "-" 0 0 34 34 "172.28.8.140" "curl/7.64.0" "5ea491d9-bc0f-4bef-adea-a6ecec97be97" "data.sample.com" "110.242.68.3:80" outbound|80||data.sample.com 172.28.8.131:36374 172.28.8.131:8080 172.28.8.140:59370 - -

YAML Configuration:
#Ingress

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: data-gateway2
spec:
  selector:
    istio: ingress  # use istio default controller
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP 
    hosts: 
    - data.sample.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data2
spec:
  hosts: 
  - data.sample.com
  gateways:
  - data-gateway2
  http: 
  - match:
    - uri:
        exact: /sample
    - uri:
        prefix: / 
    route: 
      - destination: 
          host: www.baidu.com
          port:
            number: 80 
    corsPolicy:
      allowOrigins:
      - regex: "http://.*" 
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-ingress
spec:
  accessLogging:
    - providers:
        - name: envoy

#serviceEntry

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: data-se2
spec:
  hosts: 
  - www.baidu.com
  location: MESH_EXTERNAL
  ports:
    - number: 80
      name: http 
      protocol: HTTP 
  resolution: DNS
  # endpoints:
  #   - address: www.baidu.com
  #     ports:
  #       http: 80

Per analysis, the authority should be rewritten before routing.
So it works after the authority rewrite is configured in the VirtualService as below:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data2
spec:
  hosts: 
  - data.sample.com
  gateways:
  - data-gateway2
  http: 
  - match:
    - uri:
        exact: /sample
    - uri:
        prefix: / 
    rewrite:         # key point for authority rewrite
      authority: www.baidu.com
    route:
      - destination:
          host: www.baidu.com   # same destination as in the first VirtualService above
          port:
            number: 80

It is solved; posted here for your reference.
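A small configuration check derived from this thread, added here as an example and not part of the original post or of Istio itself. The access log above carries `via_upstream` for the 403, i.e. the response came from the external backend after Envoy forwarded the client's original `Host: data.sample.com` to it, so the failure mode is "external destination under a different name, no `rewrite.authority`". The check below takes the parsed Kubernetes resources as plain Python dicts (the same shape PyYAML's `safe_load_all` returns) and flags every VirtualService http rule that routes to a MESH_EXTERNAL ServiceEntry host not listed among the VirtualService's own hosts while `rewrite.authority` is missing or different. The sample resources are constructed to mirror the post's YAML; the function and variable names are this example's own.

```python
"""Added config check (not from the original post): flag VirtualService routes
that send traffic to a MESH_EXTERNAL ServiceEntry host under a different name
than the VirtualService's own hosts without a matching rewrite.authority."""
from typing import Iterable, List, Set


def external_hosts(docs: Iterable[dict]) -> Set[str]:
    """Collect the hosts of every ServiceEntry whose location is MESH_EXTERNAL."""
    hosts: Set[str] = set()
    for doc in docs:
        if doc.get("kind") != "ServiceEntry":
            continue
        spec = doc.get("spec", {})
        if spec.get("location") == "MESH_EXTERNAL":
            hosts.update(spec.get("hosts", []))
    return hosts


def check_authority_rewrite(docs: List[dict]) -> List[str]:
    """Return one finding per http rule whose destination is an external host
    that differs from the VirtualService hosts and lacks rewrite.authority == host.
    Without the rewrite Envoy forwards the client's original Host header to the
    external backend, which may reject it (the 403 with via_upstream above)."""
    ext = external_hosts(docs)
    findings: List[str] = []
    for doc in docs:
        if doc.get("kind") != "VirtualService":
            continue
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        spec = doc.get("spec", {})
        vs_hosts = set(spec.get("hosts", []))
        for idx, rule in enumerate(spec.get("http", [])):
            authority = (rule.get("rewrite") or {}).get("authority")
            for route in rule.get("route", []):
                dest = route.get("destination", {}).get("host")
                # Same-name or in-mesh destinations keep the Host header as-is.
                if dest is None or dest in vs_hosts or dest not in ext:
                    continue
                if authority != dest:
                    findings.append(
                        f"VirtualService {name} http[{idx}]: routes to external host "
                        f"{dest} but rewrite.authority is {authority!r}; "
                        f"add rewrite.authority: {dest}"
                    )
    return findings


# Constructed sample mirroring the post's resources: the ServiceEntry, the
# VirtualService that produced the 403, and the corrected one.
SERVICE_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "ServiceEntry",
    "metadata": {"name": "data-se2"},
    "spec": {
        "hosts": ["www.baidu.com"],
        "location": "MESH_EXTERNAL",
        "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
        "resolution": "DNS",
    },
}

ROUTE = [{"destination": {"host": "www.baidu.com", "port": {"number": 80}}}]

VS_BROKEN = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "VirtualService",
    "metadata": {"name": "data2"},
    "spec": {
        "hosts": ["data.sample.com"],
        "gateways": ["data-gateway2"],
        "http": [{"match": [{"uri": {"prefix": "/"}}], "route": ROUTE}],
    },
}

VS_FIXED = {
    **VS_BROKEN,
    "spec": {
        **VS_BROKEN["spec"],
        "http": [{"match": [{"uri": {"prefix": "/"}}],
                  "rewrite": {"authority": "www.baidu.com"},
                  "route": ROUTE}],
    },
}

if __name__ == "__main__":
    for label, vs in (("broken", VS_BROKEN), ("fixed", VS_FIXED)):
        print(label, check_authority_rewrite([SERVICE_ENTRY, vs]) or ["ok"])
```

To run it against a real manifest, feed it `[d for d in yaml.safe_load_all(open("istio.yaml")) if d]` (PyYAML); the broken VirtualService yields one finding naming `www.baidu.com`, the fixed one yields none. The check is deliberately narrow: a destination that is in-mesh, or that shares a name with the VirtualService hosts, is left alone, since there the Host header the client sent is already the one the upstream expects.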