Forward to an external https service from virtual service

Hi guys, can you give some hints?
I need to forward traffic from a virtual service to an external service. This is a use case example:

  1. user asks for foo.example.com/foo/bar
  2. virtual service forwards traffic to www.google.com
  3. browser shows www.google.com

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google
  namespace: default
spec:
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: settings-service-redirect-rules
spec:
  gateways:
  - default/default-gateway
  hosts:
  - foo.example.com
  http:
  - match:
    - uri:
        prefix: /foo/bar
    name: images
    rewrite:
      authority: www.google.com
      uri: /
    route:
    - destination:
        host: www.google.com
        port:
          number: 443

What I expect: browser shows www.google.com
What I’m getting: HTTP error 400, The plain HTTP request was sent to HTTPS port

Also I added this, but I’m still getting error 400, The plain HTTP request was sent to HTTPS port

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google-dr
spec:
  host: www.google.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: www.google.com

But when I add a subset, I get a 503

Hey framled, replace the protocol: TLS with HTTPS in the ServiceEntry. What’s your setting for meshConfig.outboundTrafficPolicy.mode? Is it REGISTRY_ONLY or ALLOW_ANY? Did you define default-gateway in the default namespace, and how?

Hi @jorotg, thanks for the answer. The outbound traffic policy is REGISTRY_ONLY and default-gateway is in the default namespace.
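
The 400 "plain HTTP request was sent to HTTPS port" in this thread means the gateway proxy reached port 443 without originating TLS, so a useful check is whether the DestinationRule's TLS setting actually arrived in the proxy's cluster for www.google.com. The following is an added example, not code from any poster in the thread: it reads cluster JSON in the shape produced by `istioctl proxy-config cluster <gateway-pod> -n <namespace> -o json`; the sample data and the subset name `tls` are constructed for illustration.

```python
import json

TLS_SOCKET = "envoy.transport_sockets.tls"

# Constructed sample (not from the thread): the same host once without and
# once with a TLS transport socket; "tls" is a hypothetical subset name.
SAMPLE = json.loads("""
[
  {"name": "outbound|443||www.google.com", "type": "STRICT_DNS"},
  {"name": "outbound|443|tls|www.google.com", "type": "STRICT_DNS",
   "transportSocket": {"name": "envoy.transport_sockets.tls",
                       "typedConfig": {"sni": "www.google.com"}}}
]
""")


def upstream_tls(clusters, host, port, subset=""):
    """Return (found, tls_enabled, sni) for one outbound cluster."""
    # Istio names outbound clusters outbound|<port>|<subset>|<host>.
    wanted = f"outbound|{port}|{subset}|{host}"
    for cluster in clusters:
        if cluster.get("name") != wanted:
            continue
        sock = cluster.get("transportSocket") or {}
        if sock.get("name") != TLS_SOCKET:
            return True, False, None  # proxy will speak plaintext upstream
        return True, True, (sock.get("typedConfig") or {}).get("sni")
    return False, False, None


def diagnose(clusters, host, port, subset=""):
    """One-line verdict for the route target used by the VirtualService."""
    found, tls, sni = upstream_tls(clusters, host, port, subset)
    if not found:
        return "cluster not present on this proxy"
    if not tls:
        return "plaintext upstream: no DestinationRule TLS setting in effect"
    return f"TLS origination on, sni={sni}"


if __name__ == "__main__":
    for subset in ("", "tls"):
        print(repr(subset), diagnose(SAMPLE, "www.google.com", 443, subset))
```

Run against the real dump from the gateway pod, a "plaintext upstream" verdict after applying the DestinationRule indicates the rule is not being picked up by that proxy.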