Direct Egress TLS for TCP

I am trying to configure Egress TLS for TCP without an Egress gateway.
More precisely, I want to use ‘non secure’ traffic on some IP using a non-secure port in my application and configure Istio to upgrade this to secure traffic on the same IP but on a secure port (think of LDAP/389 and LDAPS/636).

I do something like this:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: my-service-entry
spec:
  hosts:
  - my.host
  addresses:
  - IP/32
  ports:
  - number: PORT
    name: tcp
    protocol: TCP
  - number: PORT_SECURE
    name: tcp-secure
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-virtual-service
spec:
  hosts:
  - my.host
  tcp:
  - match:
    - port: PORT
    route:
    - destination:
        host: my.host
        subset: tls-origination
        port:
          number: PORT_SECURE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my.host
  subsets:
  - name: tls-origination
    trafficPolicy:
      portLevelSettings:
      - port:
          number: PORT_SECURE
        tls:
          mode: SIMPLE

When I send traffic to PORT I do see that the traffic is ‘upgraded’ to TLS, but the outgoing port is still PORT and not PORT_SECURE.
I am probably doing something wrong. Any idea?

Note that if I do not create the VirtualService and use PORT_SECURE from my application, but still send non-TLS traffic, then it works.

Ideally I would like my application to not have to know that TLS is used and thus use the non-secure port.
Note that for external incoming traffic, I can configure a gateway/virtual service that will terminate TLS and map the port.

Forgot to mention that I am using Istio 1.5.5.

Did some more tests, and if I create a DNS entry for my external service IP and use ‘resolution: DNS’ in my ServiceEntry, then it works.

I suppose this is a bug.
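An added consistency check for the three resources in the post (example code, not from the post or from Istio): it verifies that every rewritten TCP route lands on a port the ServiceEntry declares and that the DestinationRule subset actually enables SIMPLE TLS on that port, so the LDAP-style upgrade never leaves in cleartext, and it flags the `resolution: NONE` plus port-rewrite combination the post reports as not working on 1.5.5. The manifests are constructed sample dicts using the post's 389/636 analogy; the host name and IP are hypothetical placeholders.

```python
import copy

# Constructed sample mirroring the post's manifests, with the LDAP/389 -> LDAPS/636
# pair from the post as concrete values; host name and IP are hypothetical placeholders.
SERVICE_ENTRY = {"spec": {"hosts": ["ldap.example.internal"], "addresses": ["203.0.113.10/32"],
    "ports": [{"number": 389, "name": "tcp", "protocol": "TCP"},
              {"number": 636, "name": "tcp-secure", "protocol": "TCP"}],
    "location": "MESH_EXTERNAL", "resolution": "NONE"}}
VIRTUAL_SERVICE = {"spec": {"hosts": ["ldap.example.internal"], "tcp": [{"match": [{"port": 389}],
    "route": [{"destination": {"host": "ldap.example.internal", "subset": "tls-origination",
                               "port": {"number": 636}}}]}]}}
DESTINATION_RULE = {"spec": {"host": "ldap.example.internal", "subsets": [{"name": "tls-origination",
    "trafficPolicy": {"portLevelSettings": [{"port": {"number": 636}, "tls": {"mode": "SIMPLE"}}]}}]}}


def check_tls_origination(se, vs, dr):
    """Return a list of findings; an empty list means the three resources agree
    and every rewritten TCP route lands on a port with TLS origination enabled."""
    findings = []
    se_spec, vs_spec, dr_spec = se["spec"], vs["spec"], dr["spec"]
    se_ports = {p["number"] for p in se_spec["ports"]}
    if dr_spec["host"] not in se_spec["hosts"]:
        findings.append(f"DestinationRule host {dr_spec['host']!r} is not a ServiceEntry host")
    subsets = {s["name"]: s for s in dr_spec.get("subsets", [])}
    rewrites = False  # does any route send traffic to a port other than the one it matched?
    for rule in vs_spec.get("tcp", []):
        match_ports = {m["port"] for m in rule.get("match", []) if "port" in m}
        for hop in rule["route"]:
            dest = hop["destination"]
            port = dest.get("port", {}).get("number")
            rewrites |= bool(match_ports) and port not in match_ports
            if port not in se_ports:
                findings.append(f"VirtualService routes to port {port}, which the ServiceEntry does not declare")
            subset = subsets.get(dest.get("subset"))
            if subset is None:
                findings.append(f"subset {dest.get('subset')!r} is not defined in the DestinationRule")
                continue
            # Only a SIMPLE (or stricter) TLS setting on the destination port makes the sidecar originate TLS.
            tls_ports = {s["port"]["number"] for s in subset.get("trafficPolicy", {}).get("portLevelSettings", [])
                         if s.get("tls", {}).get("mode") == "SIMPLE"}
            if port not in tls_ports:
                findings.append(f"port {port} has no SIMPLE TLS setting in subset {dest['subset']!r}: traffic would leave in cleartext")
    if rewrites and se_spec.get("resolution") == "NONE":
        findings.append("port rewrite with resolution NONE: the post reports Istio 1.5.5 kept the original port; resolution DNS worked")
    return findings


def with_resolution(se, mode):
    """Copy of a ServiceEntry with a different resolution, e.g. the DNS workaround from the post."""
    out = copy.deepcopy(se)
    out["spec"]["resolution"] = mode
    return out


if __name__ == "__main__":
    for line in check_tls_origination(SERVICE_ENTRY, VIRTUAL_SERVICE, DESTINATION_RULE) or ["ok"]:
        print(line)
```

Run against the post's layout it reports only the resolution finding; switching to `with_resolution(SERVICE_ENTRY, "DNS")` clears it.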