AuthorizationPolicy not working properly (DENY or ALLOW)

In EKS, I have an ALB Ingress with 2 applications on the same Istio Gateway. For one of the applications I want to allow access (based on URL) only from specific subnets. Using Istio AuthorizationPolicy I can either block or allow everything but it won’t work with specific subnets.

For the code below, it allows any ranges outside the ones specified. In fact, if I specify any subnets smaller than /17 (such as /18, /19, etc.) it does not work at all. Strange behaviour.

Now I’m thinking that the only way would be to create 2 Ingresses and use the ALB security groups to allow/deny traffic.

Any advice or any other way of doing this?

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["10.51.55.0/24", "10.0.0.0/16"]
    to:
    - operation:
        hosts:
        - app2.domain.com
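
Added example, not part of the original post: a small Python model of how an ALLOW policy like the one above is evaluated, useful for checking which requests it should admit before comparing against what the gateway actually does. It assumes this is the only AuthorizationPolicy selecting the gateway and simplifies host matching to an exact match; the sample requests are constructed, and `app1.domain.com` is a hypothetical name for the second application.

```python
import ipaddress

# Values copied from the policy in the post.
REMOTE_IP_BLOCKS = ["10.51.55.0/24", "10.0.0.0/16"]
HOSTS = ["app2.domain.com"]


def rule_matches(remote_ip, host):
    """True when the single rule of the posted policy matches the request.

    remote_ip is the address the gateway resolves as the client. Istio
    documents remoteIpBlocks as populated from X-Forwarded-For or proxy
    protocol, so behind a load balancer confirm which address that is.
    """
    addr = ipaddress.ip_address(remote_ip)
    in_block = any(addr in ipaddress.ip_network(b) for b in REMOTE_IP_BLOCKS)
    # A rule's `from` and `to` sections must both match.
    return in_block and host in HOSTS


def decision(remote_ip, host):
    """ALLOW semantics: once an ALLOW policy selects the workload,
    a request that matches none of its rules is denied."""
    return "ALLOW" if rule_matches(remote_ip, host) else "DENY"


# Constructed sample requests (addresses and app1.domain.com are made up).
SAMPLES = [
    ("10.51.55.20", "app2.domain.com"),  # inside 10.51.55.0/24
    ("10.0.200.7", "app2.domain.com"),   # inside 10.0.0.0/16
    ("10.51.56.20", "app2.domain.com"),  # neighbouring /24, outside both
    ("192.0.2.10", "app2.domain.com"),   # unrelated range
    ("10.51.55.20", "app1.domain.com"),  # allowed subnet, other application
]


def evaluate(samples=SAMPLES):
    """Return (ip, host, verdict) for each sample request."""
    return [(ip, host, decision(ip, host)) for ip, host in samples]


if __name__ == "__main__":
    for ip, host, verdict in evaluate():
        print(f"{ip:<14} {host:<18} {verdict}")
```

In this model the last sample is denied: with an ALLOW policy whose only rule names `app2.domain.com`, requests for the other application on the same gateway match no rule.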