Understanding how Service Entry, Virtual Service and Destination Rule work on outbound connections?

I want to set up an outbound connection like the one below.
The external service requires mTLS, but the client should not have to worry about it. I want Istio's Envoy proxy to take care of automatically upgrading the connection from HTTP to HTTPS.

client (http) -----> envoy proxy (sidecar upgrades to mTLS) -----> external service (outside mesh)

The documents suggest that first I have to create a Service Entry for the external service and then create a Virtual Service and Destination Rules. Unfortunately, I am not able to put everything together and have a few questions:

  1. What should the protocol of the service entry be? Is it HTTP or HTTPS? The client is going to make an HTTP call, but the actual service itself is HTTPS, hence the confusion.
  2. Client certs: can I mount them in the sidecar proxy container using Istio's annotations, or do I need to deploy an egress proxy container for this use case? Can it be achieved without an egress proxy container?
  3. Will the outbound connections get double encrypted, since all the connections in the mesh are secured by Istio by default?
  4. How does Istio know where to look for the certs (I mean in which Envoy proxy container) when the cert paths are defined in the destination rule? Especially when the egress gateway also exists in the path.

Any clarification on these would be really helpful.


I have a few of these set up for regular TLS origination, where the client connects over http on port 80 and the external service is running on port 443. I think you could set up mTLS just by changing the TLS section at the bottom.

    # ServiceEntry: registers the external host in the mesh. Port 80 is what the
    # client connects to; targetPort 443 is where the sidecar actually sends traffic.
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: janrain
      namespace: prod
    spec:
      hosts:
      - www.janraincapture.com
      ports:
      - number: 80
        name: http-port
        protocol: HTTP
        targetPort: 443
      - number: 443
        name: https-port
        protocol: HTTPS
      resolution: DNS
      location: MESH_EXTERNAL
    ---
    # DestinationRule: tells the client's sidecar to originate TLS (mode SIMPLE)
    # for traffic it receives on port 80 for this host.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: janrain
      namespace: prod
    spec:
      host: www.janraincapture.com
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 80
          tls:
            mode: SIMPLE
            sni: www.janraincapture.com
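The following is an added example, not part of the original question or answer, showing what the answer's "change the TLS section" looks like for mutual TLS origination at the client's sidecar, with the client certificate mounted into the sidecar through Istio's pod annotations. The external host `external.example.com`, the namespace `prod`, the secret name `client-mtls-certs`, the mount path `/etc/client-certs` and the deployment name `client` are all assumptions. As in the answer above, no VirtualService is needed for this path: the ServiceEntry makes the host known and the DestinationRule decides how the sidecar connects to it.

```yaml
# Added example (assumed names throughout): mutual-TLS origination for an
# external host, performed by the client's own sidecar, no egress gateway.
#
# The secret is created out of band with real files (placeholders here):
#   kubectl -n prod create secret generic client-mtls-certs \
#     --from-file=client.crt --from-file=client.key --from-file=ca.crt
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-mtls
  namespace: prod
spec:
  hosts:
  - external.example.com          # assumed external host
  ports:
  - number: 80                    # plain HTTP as seen by the application
    name: http-port
    protocol: HTTP
    targetPort: 443               # sidecar connects to the TLS port
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL         # no sidecar at the destination, so mesh mTLS does not apply
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
  namespace: prod
spec:
  host: external.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80                # rule applies to what the app sends on port 80
      tls:
        mode: MUTUAL              # present a client certificate to the external service
        # These paths are read by the Envoy proxy that applies this rule, i.e. the
        # client's sidecar container, which is why the secret is mounted there below.
        clientCertificate: /etc/client-certs/client.crt
        privateKey: /etc/client-certs/client.key
        caCertificates: /etc/client-certs/ca.crt   # CA that signed the external service's cert
        sni: external.example.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client                    # assumed application deployment
  namespace: prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client
  template:
    metadata:
      labels:
        app: client
      annotations:
        # Istio sidecar-injector annotations: add a volume from the secret and
        # mount it into the istio-proxy container only (the app never sees the key).
        sidecar.istio.io/userVolume: '[{"name":"client-certs","secret":{"secretName":"client-mtls-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"client-certs","mountPath":"/etc/client-certs","readOnly":true}]'
    spec:
      containers:
      - name: client
        image: curlimages/curl    # any HTTP client; it calls http://external.example.com/ on port 80
        command: ["sleep", "infinity"]
```

With this in place the application sends plaintext HTTP to `external.example.com:80`; its sidecar intercepts the request, originates a single TLS session to port 443 presenting the mounted client certificate, and verifies the server against the mounted CA bundle. There is no second layer of encryption on this hop: Istio's automatic mesh mTLS only runs between sidecars, and a `MESH_EXTERNAL` destination has none. Keeping the certificate mounted only in `istio-proxy` (via the annotations rather than a pod-level volume mount) keeps the private key out of the application container.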