Connection to backend service in TLS FAILS with a 404, what did I get wrong?

Hello, I am trying to connect to a backend service which is serving over HTTPS, but I always get a 404. Here is my config:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  labels:
    app: gateways
  name: gateway-xxx
  namespace: xxx
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - xxx-tst.example.net
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH

Here is my virtual service:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: xxx-vs
  namespace:  xxx
spec:
  gateways:
  - gateway-xxx
  hosts:
  - xxx-tst.example.net
  tls:
  - match:
    - sniHosts:
      - xxx-tst.example.net
    route:
    - destination:
        host: xxx-infra-nonpr-http

Like I said, I always get a 404, but I can port forward to my service and access the application correctly through TLS. I see no logs on the envoy.

If I change the GW and VS to receive http, and configure a destination rule on istio-system (where the ingressgateways exist), I do get the following logs:

':authority', 'xxx-tst.example.net'
':path', '/'
':method', 'GET'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.5'
'cache-control', 'no-cache'
'pragma', 'no-cache'
'sec-fetch-dest', 'document'
'sec-fetch-mode', 'navigate'
'sec-fetch-site', 'none'
'sec-fetch-user', '?1'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0'
'x-forwarded-for', '192.168.0.2'
'x-forwarded-port', '443'
'x-forwarded-proto', 'https'
'connection', 'keep-alive'

2021-09-28T21:09:10.172816Z     debug   envoy http      [C254809][S2218427438913556473] request end stream
2021-09-28T21:09:10.172920Z     trace   envoy http      [C254809][S2218427438913556473] decode headers called: filter=0x556e05591110 status=0
2021-09-28T21:09:10.172932Z     trace   envoy http      [C254809][S2218427438913556473] decode headers called: filter=0x556e0e98bdc0 status=0
2021-09-28T21:09:10.172937Z     trace   envoy http      [C254809][S2218427438913556473] decode headers called: filter=0x556e03f76000 status=0
2021-09-28T21:09:10.172946Z     trace   envoy http      [C254809][S2218427438913556473] decode headers called: filter=0x556e052e4f50 status=0
2021-09-28T21:09:10.172952Z     debug   envoy router    [C254809][S2218427438913556473] no cluster match for URL '/'
2021-09-28T21:09:10.172959Z     debug   envoy http      [C254809][S2218427438913556473] Sending local reply with details route_not_found
2021-09-28T21:09:10.172974Z     trace   envoy http      [C254809][S2218427438913556473] encode headers called: filter=0x556e02db9960 status=0
2021-09-28T21:09:10.172978Z     trace   envoy http      [C254809][S2218427438913556473] encode headers called: filter=0x556e04fc5e30 status=0
2021-09-28T21:09:10.172981Z     trace   envoy http      [C254809][S2218427438913556473] encode headers called: filter=0x556e03843ab0 status=0
2021-09-28T21:09:10.172987Z     trace   envoy http      [C254809][S2218427438913556473] encode headers called: filter=0x556e0bcadab0 status=0
2021-09-28T21:09:10.173002Z     debug   envoy http      [C254809][S2218427438913556473] encoding headers via codec (end_stream=true):
':status', '404'
'date', 'Tue, 28 Sep 2021 21:09:09 GMT'
'server', 'istio-envoy'

What am I getting wrong?

Thanks y’all!