Is it possible to default to deny all traffic?

I’m new to Istio so I’m sorry if this is a dumb question but I saw it posted elsewhere without any answer.

I would have assumed that I could set up a default to deny all traffic in a namespace and then whitelist the traffic that I want to allow. But it seems that DENY policies are evaluated before ALLOW policies as per the documentation here:

So, how can I achieve a default to deny any traffic that doesn’t have an explicit ALLOW policy?

If you want to deny all outbound traffic by default, you can use outbound traffic policy.

For inbound traffic, I think you need some kind of firewall to protect your cluster.

The cluster is already protected from inbound traffic. I’m talking about a default to deny all traffic between internal services.

My reading of the documentation is that as long as you define one “Allow” authorization policy that applies to a namespace then requests that aren’t matched by an allow policy are denied.
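
The behaviour described in the last reply, written out as Istio `AuthorizationPolicy` resources. This is an added example, not part of the original thread; the namespace `demo`, the label `app: backend`, the service account `frontend` and the path `/api/*` are assumed names.

```yaml
# Constructed example. Namespace "demo", label app=backend, service
# account "frontend" and the /api/* path are assumptions.
#
# 1) Namespace-wide default deny. An AuthorizationPolicy with an empty
#    spec has action ALLOW and no rules, so it matches no request.
#    Because an ALLOW policy now applies to every workload in the
#    namespace, any request that no ALLOW policy matches is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: demo
spec: {}
---
# 2) Explicit allow for one caller. ALLOW policies are additive: a
#    request passes if at least one ALLOW policy matches it and no
#    DENY policy matches it (DENY is evaluated first).
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend
  namespace: demo
spec:
  selector:
    matchLabels:
      app: backend              # applies only to the backend workload
  action: ALLOW
  rules:
  - from:
    - source:
        # Matching on principals requires mutual TLS between the
        # workloads; without it the peer identity is empty and this
        # rule never matches.
        principals: ["cluster.local/ns/demo/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

With both resources applied, a GET to `/api/*` on the backend from the `frontend` service account is allowed, and other requests to workloads in `demo` are rejected by the sidecar with HTTP 403.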