Canary deployment for ext_authz service

Hello, I am using ext_authz configured through EnvoyFilter, attached to ingress gateway. The external authz application is a pod running in the same K8s cluster.

ingressGW → authzApp

What I am trying to do is to make canary deployment of that authz application. But unfortunately, it seems that ingress gateway can’t provide it out of the box. I couldn’t find a way to configure any object and achieve that some of the authz requests will go to one or another version of authApp (during canary deployment)

What I think that could work is to have another proxy in between and have something like:

ingressGW → proxy → authzApp

Then I can create VirtualService for proxy and get the canary deployment of authzApp. But I am wondering if there is a way to achieve canary deployment of authzApp and still avoid deployment of proxy between ingressGW and authzApp.