Routing mesh traffic for application internally using public DNS

I have a number of services running within our mesh. They use an ingress-gateway to allow traffic in via an AWS Network Load Balancer.

Some of the services need to call one another but use the public DNS name rather than the internal svc.cluster.local address.

I’ve tried the following but this actually stops all access to the pods from internal and external endpoints.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: service
spec:
  hosts:
  - service.example.com
  location: MESH_INTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  workloadSelector:
    labels:
      istio: ingress

The VirtualService currently in place for the ingress gateway is:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service
spec:
  gateways:
    - istio-ingress/gateway
  hosts:
    - service.example.com
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: service.namespace.svc.cluster.local
            port:
              number: 80