Can a Gateway inside a mesh communicate with workloads outside the mesh?

Is it possible to reach workloads outside the mesh (i.e. without sidecar) from a gateway that is in a mesh?

We have Istio gateways working without the mesh enabled; as soon as we enable the mesh, gateways are only able to communicate with workloads within the mesh too.

It doesn’t work anymore for workloads without a sidecar after enabling the mesh.
I’ve listed the scenarios with diagrams below:

Scenario 1: gateways without the mesh enabled. This works.

Scenario 2: gateway with the Istio mesh enabled, and workload with proxy sidecar. This works.

Scenario 3 (does not work): gateway with the Istio mesh enabled is unable to communicate with workloads that don’t have a sidecar.
Is it possible to tell the gateway to not use mTLS for these workloads? We have tried disabling mTLS using PeerAuthentication and DestinationRules, but those seem to configure on the destination/workload level, where we don’t have a sidecar/mTLS anyway.

Is it possible to make scenario 3 work somehow?

Can you elaborate on how you “enable the mesh”? Examples of your relevant Istio resources would be helpful.

By specifying a meshId and network name and enabling sidecar injection for some of our workloads.
More precisely, we have now enabled mTLS with a custom certificate; before that, the ingress gateway worked fine with workloads without a sidecar.

We got “Scenario 3” to work now by creating a ServiceEntry object for that workload, but since outboundTrafficPolicy is set to ALLOW_ANY by default, shouldn’t it work without a ServiceEntry too? We get a 503 without a ServiceEntry.

I don’t think meshId or network ID makes a difference. I am using these values and ingress traffic works for me without any issues.
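
For readers following the ServiceEntry workaround mentioned above, this is an added example (not taken from any poster's cluster) of what such a pair of resources can look like. The resource names, namespace, host and port are hypothetical, and the DestinationRule is an assumption added here to make the plaintext exception explicit for one host only, leaving mTLS on everywhere else. DestinationRule TLS settings are applied by the calling proxy, which in Scenario 3 is the gateway.

```yaml
# Added example. All names, the namespace, the host and the port are
# hypothetical placeholders; substitute the values of the workload
# that has no sidecar.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: legacy-backend            # hypothetical
  namespace: istio-system         # namespace where the gateway runs (assumed)
spec:
  hosts:
  - legacy-backend.example.internal   # hypothetical host of the non-sidecar workload
  ports:
  - number: 8080
    name: http
    protocol: HTTP
  resolution: DNS
  # location is left at its default (MESH_EXTERNAL): the workload has
  # no sidecar and therefore no mesh identity.
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: legacy-backend-plaintext  # hypothetical
  namespace: istio-system
spec:
  # Scope the exception to this single host instead of relaxing
  # mTLS mesh-wide.
  host: legacy-backend.example.internal
  trafficPolicy:
    tls:
      mode: DISABLE               # gateway sends plaintext to this host only
```

Keeping the exception to one fully qualified host means a mesh-wide STRICT PeerAuthentication can stay in place for the sidecar-injected workloads.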