Setting up mTLS connection with external ServiceEntry resource that does NOT run an Envoy sidecar

Hi, I am using an Azure Kubernetes Service (AKS) cluster to run my application. One of our services runs on a virtual node (Virtual Node is a wrapper around Azure Container Instances [ACI]). Because of complications, we are avoiding running any Istio resources on the virtual node (it doesn't support the sidecar proxies, etc.). We are just treating it as an external service and registering it using a ServiceEntry. Our primary goals are to have this external service be restricted in what services it can access within the mesh and to use secure mTLS communication. How can we establish mTLS communication between our pods running within our Istio mesh and this external service that is not running any Istio resources? Where would I need to establish certs and tokens, since this external service doesn't have a proxy?

You can achieve one-way mTLS between Istio pods and the VM. You can either use egress and specify the cert as the secret, or load the cert secret in the individual pods.
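The "load the cert secret in the individual pods" option from the reply above, written out as an added example (not from this thread or the Istio project): the ServiceEntry registers the sidecar-less ACI service, the DestinationRule makes the calling pod's sidecar originate mTLS with a client cert from mounted files instead of its Istio-issued identity, and the pod annotations mount that Kubernetes secret into the istio-proxy container. The host `aci-app.example.internal`, namespace `apps`, secret `aci-client-certs` (keys `tls.crt`, `tls.key`, `ca.crt`) and the image name are assumed placeholders.

```yaml
# Added example, not from the thread; host, namespace, secret and image are assumed placeholders.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aci-app
  namespace: apps
spec:
  hosts:
  - aci-app.example.internal
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: aci-app-mtls
  namespace: apps
spec:
  host: aci-app.example.internal
  trafficPolicy:
    tls:
      mode: MUTUAL                               # client cert from the files below, not ISTIO_MUTUAL
      clientCertificate: /etc/aci-certs/tls.crt
      privateKey: /etc/aci-certs/tls.key
      caCertificates: /etc/aci-certs/ca.crt      # pins the CA that issued the ACI server cert
      sni: aci-app.example.internal
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: caller
  namespace: apps
spec:
  selector:
    matchLabels: {app: caller}
  template:
    metadata:
      labels: {app: caller}
      annotations:
        # The sidecar originates the TLS, so the secret is mounted into istio-proxy, not the app container.
        sidecar.istio.io/userVolume: '[{"name":"aci-certs","secret":{"secretName":"aci-client-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"aci-certs","mountPath":"/etc/aci-certs","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: example.azurecr.io/caller:1.0   # placeholder image
```

The ACI side must terminate TLS itself: present a server cert that chains to `ca.crt` and require a client cert issued by a CA it trusts, which is what makes the connection mutual. Because the sidecar uses the mounted files rather than its SPIFFE identity, the external service needs nothing from Istio's CA.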

Thanks for the response @Nataraj.medayhal. I was hoping to get mutual TLS set up between the external service and the pods inside the mesh (so not one-way). I was thinking about setting up an Envoy sidecar proxy in my external app to enable a TLS endpoint. Would this work to establish mTLS between mesh services and the external service?