How do Envoy Filter matches work?

I’m working with EnvoyFilters to set up rate limiting on a cluster.

I have the following config patch to add the rate limit service as a cluster:

    - applyTo: CLUSTER
          # kubernetes dns of your ratelimit service
          service: envoy-limitsvc.istio-system.svc.cluster.local
        operation: ADD
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
            # arbitrary  name
            cluster_name: rate_limit_cluster
              - lb_endpoints:
                  - endpoint:
                          # kubernetes dns of your ratelimit service
                          address: envoy-limitsvc.istio-system.svc.cluster.local
                          port_value: 42081

I’m trying to figure out exacly how the match is being used to change the cluster part of Envoy’s configuration. The docs don’t really give much details except basically saying “match is used to match.”

When I look at the cluster configuration for the ingress gateway pods, which have the rate_limit_cluster applied in their cluster configs, (using istioctl proxy-config cluster $POD.$NAMESPACE -o json), I don’t see anything with a field "service": "envoy-limitsvc.istio-system.svc.cluster.local". I do see that DNS name in fields like "outbound|443||envoy-limitsvc.istio-system.svc.cluster.local". However, I also see those fields in egress gateway pods, and yet they don’t have the rate_limit_cluster.

This leads me to believe that the match is occurring on Istio’s internal state, which can’t be introspected. So I’m wondering how these match rules work so I can fine tune them and fix them in case they break.