ISTIO on private cluster

So I am trying to install ISTIO in a private GKE cluster. There is hardly any documentation on this. The plan of action is thus and I am not sure if this is possible. Any suggestions is highly appreciated.

  1. Create a Internal Load Balancer with fixed IP address
  2. Create a GCP External Load Balancer , hook it up with the internal Istio ILB. GCP External LB would be protected by Cloud Armor etc. Do I need Natting to get this done?

I am in a quandry on the difference between the two when creating the istio script with Helm “internal” vs

are they the same?

Many thanks