Istio-proxy sidecar - redirect request to external upstream on different port

Hey there,

I have a legacy app that I’m deploying in a k8s environment with Istio.
The application makes non-TLS TCP requests to several external (different k8s cluster) services. Is the following scenario possible to accomplish with either Istio / Envoy filters, or any other way?

Application → plaintext request to external.example.com:1234 → Istio intercepts request on port 1234 → Initiates TLS connection to external.example.com:6666 and adds SNI header specific for the port 1234 request.

The reason for this specific flow is that it needs to be repeatable, for other ports/SNI headers. Example of a second request:

Application → plaintext request to external.example.com:5678 → Istio intercepts request on port 5678 → Initiates TLS connection to external.example.com:6666 and adds SNI header specific for the port 5678 request.

The 6666 listener at the external location is a different proxy that performs routing based on the SNI headers.

If anyone did something similar, or can point me in the right direction, much appreciated!
Thank you!
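
One way the flow in the post above could be expressed with Istio's own resources, as an added example that is not part of the original post: a ServiceEntry remaps each application port to 6666 via `targetPort`, and a DestinationRule originates TLS with a per-port SNI. The resource names, SNI values, CA bundle path and certificate names are constructed placeholders, and the config is untested against any particular Istio version.

```yaml
# Added example; names and SNI values are constructed placeholders.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-sni-router        # hypothetical name
spec:
  hosts:
  - external.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 1234                   # port the app dials in plaintext
    name: tcp-1234
    protocol: TCP
    targetPort: 6666               # port the sidecar actually connects to
  - number: 5678
    name: tcp-5678
    protocol: TCP
    targetPort: 6666
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-sni-router-tls    # hypothetical name
spec:
  host: external.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 1234
      tls:
        mode: SIMPLE               # sidecar originates TLS to the upstream
        sni: svc-1234.placeholder.example     # constructed SNI value
        caCertificates: /etc/ssl/certs/ca-certificates.crt  # assumed CA bundle path
        subjectAltNames:
        - svc-1234.placeholder.example        # assumed name on the router's cert
    - port:
        number: 5678
      tls:
        mode: SIMPLE
        sni: svc-5678.placeholder.example
        caCertificates: /etc/ssl/certs/ca-certificates.crt
        subjectAltNames:
        - svc-5678.placeholder.example
```

Setting `caCertificates` and `subjectAltNames` makes the sidecar validate the remote proxy's certificate rather than only encrypting the hop. Because these are plain TCP ports, the sidecar may match outbound traffic on the port number alone unless the ServiceEntry has an address assigned, so check that nothing else in the pod uses 1234 or 5678.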