Forwarding port on 127.0.0.1 to external

I’m trying to forward TCP traffic from a local port on 127.0.0.1 to an external service, adapting the MySQL example in Istio / Sidecar (4th/5th examples).

I have the following:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc
  namespace: istio-test
spec:
  hosts:
  - foo.example.com
  ports:
  - number: 10799
    name: test-tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: test-sidecar
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: test-app
  ingress:
  egress:
  - port:
      number: 10799
      protocol: TCP
      name: egresstest
    captureMode: NONE
    bind: 127.0.0.1
    hosts:
    - "*/foo.example.com"

However, when trying to hit http://127.0.0.1:10799 the connection is established, but then dropped by Istio (I get “Recv failure: Connection reset by peer” from curl). Looking at the debug logs for the istio-proxy handling the request, I see an error about the Envoy cluster not existing:

2021-09-21T22:26:30.019199Z	debug	envoy filter	[C49] new tcp proxy session
2021-09-21T22:26:30.019282Z	debug	envoy filter	[C49] Cluster not found outbound|10799||foo.example.com
2021-09-21T22:26:30.019288Z	debug	envoy connection	[C49] closing data_to_write=0 type=1
2021-09-21T22:26:30.019292Z	debug	envoy connection	[C49] closing socket: 1

Turns out this works fine in Istio 1.10.4, but not 1.11.2, so it seems to be a bug or some other breaking change that isn’t clear: Unable to forward to external service via captureMode:NONE in v1.11 · Issue #35314 · istio/istio · GitHub