Routing mesh traffic for application internally using public DNS

There are a few similar questions already but none with any answers that I can see…

I have a number of services running within our mesh. They use an ingress-gateway to allow traffic in via an AWS Network Load Balancer.

Some of the services need to call one another but use the public DNS name rather than the internal svc.cluster.local address.

I’ve tried the following but this actually stops all access to the pods from internal and external endpoints.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: service
spec:
  hosts:
  - service.example.com
  location: MESH_INTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  workloadSelector:
    labels:
      istio: ingress

The VirtualService currently in place for the ingress gateway is:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service
spec:
  gateways:
    - istio-ingress/gateway
  hosts:
    - service.example.com
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: service.namespace.svc.cluster.local
            port:
              number: 80