External Traffic: meshConfig.outboundTrafficPolicy.mode necessary?

Hey everyone, in order to control requests to external services are we required to set meshConfig.outboundTrafficPolicy.mode to REGISTRY_ONLY or can we simply deploy a ServiceEntry, VirtualService, DestinationRule, etc. without touching the meshConfig?

(Sent this Slack, too; will update this post with the answer)

From Slack:

depends what you mean by “control”. If you mean “change the way pods talk to a few specific hosts” then you can get away with service entries, virtualservices, and destination rules. If you mean “prevent pods from talking to any host but the ones I specify” then you need REGISTRY_ONLY

… to enforce something like “all requests to foo.com must use TLS” you can do that while keeping the default outbound traffic policy mode.