Hi,
Apologies, initial error was 404 - I fixed that and I’m now getting 504 as the gateway is timing out.
Interestingly enough, I just took out the timeout and retries section from yaml and TLS origination works - I can curl from the container to the external service whilst addressing it over http.
It looks like the retries are causing a problem.
Regarding your second question on destination rules, you are right - I don’t need it. I’m new to ISTIO 
I only need it if I want to encrypt the outgoing traffic.
As soon as you take out the following configuration, the TLS origination starts working:
retries:
attempts: 10
perTryTimeout: 1s
retryOn: gateway-error,connect-failure,refused-stream,retriable-4xx,5xx