Route internal public FQDN requests to internal service

My internal service needs to access another internal service using the public FQDN. Can this be configured to not leave the cluster? On the current virtual service, I am specifying the ingress gateway and the “mesh” gateway. Curl requests seem to be traversing public address space and hitting the ingress gateway instead of going to the service directly.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service
  labels:
    app: service
spec:
  gateways:
  - istio-system/service-gateway
  - mesh
  hosts:
  - service.example.com
  exportTo:
    - "*"
  http:
  - route:
    - destination:
        host: service.ns.svc.cluster.local
        port:
          number: 1234

Can internal requests to ‘service.example.com’ stay internal?

This works for me:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: virtual-service-adaptativamente-test
  namespace: istio-system
spec:
  hosts:
  - "example.com"
  gateways:
  - gateway-name
  http:
  - match:
    - uri:
        exact: /grafana
    - uri:
        prefix: /grafana/
    rewrite:
      uri: "/"
    route:
    - destination:
        host: grafana.istio-system.svc.cluster.local
        port:
          number: 3000

If I use a similar virtual service, I believe traffic is leaving the cluster (external load balancer) and coming back in.
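An added example, not code from any poster in this thread: a small Python check of which VirtualServices can affect sidecar (in-mesh) routing for a host, using the documented `gateways` and `exportTo` defaults. The two manifests are re-typed from the posts above as dicts; the `ns` namespace for the first one and the `client` namespace are assumptions, and the check covers only VirtualService binding, not DNS, port or protocol handling.

```python
# Added example: which VirtualServices bind to sidecars for a given host?
VS_QUESTION = {
    "metadata": {"name": "service", "namespace": "ns"},  # namespace assumed
    "spec": {
        "gateways": ["istio-system/service-gateway", "mesh"],
        "hosts": ["service.example.com"],
        "exportTo": ["*"],
    },
}
VS_REPLY = {
    "metadata": {"name": "virtual-service-adaptativamente-test",
                 "namespace": "istio-system"},
    "spec": {"gateways": ["gateway-name"], "hosts": ["example.com"]},
}


def binds_to_mesh(vs):
    # Omitted `gateways` defaults to ["mesh"]; an explicit list must name it.
    return "mesh" in vs["spec"].get("gateways", ["mesh"])


def visible_from(vs, client_ns):
    # Omitted `exportTo` exports to all namespaces; "." means the
    # VirtualService's own namespace.
    own = vs["metadata"].get("namespace", "default")
    export = vs["spec"].get("exportTo", ["*"])
    return any(e == "*" or e == client_ns or (e == "." and own == client_ns)
               for e in export)


def host_matches(pattern, host):
    # Hosts may use a leading wildcard label, e.g. "*.example.com".
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def sidecar_routes(vs_list, client_ns, host):
    """Names of VirtualServices a sidecar in client_ns would apply to host."""
    return [vs["metadata"]["name"] for vs in vs_list
            if binds_to_mesh(vs) and visible_from(vs, client_ns)
            and any(host_matches(h, host) for h in vs["spec"]["hosts"])]


if __name__ == "__main__":
    for h in ("service.example.com", "example.com"):
        print(h, "->", sidecar_routes([VS_QUESTION, VS_REPLY], "client", h))
```

A VirtualService that lists only an ingress gateway, like the second manifest, is never applied by client sidecars, so in-mesh requests to that host are not rerouted by it.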