Virtual service is not working as expected

I have one cluster with 3 pods and 3 services (first, second and third).

My services are:
aks-helloworld-first, cluster IP: 10.67.251.251
aks-helloworld-sec, cluster IP: 10.67.248.67
aks-helloworld-third, cluster IP: 10.67.240.154

The pods are:
aks-helloworld-first, selector: app=helloworld-first
aks-helloworld-sec, selector: app=helloworld-sec
aks-helloworld-third, selector: app=helloworld-third

I added the following virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: aks-helloworld-first-route
spec:
  hosts:
  - aks-helloworld-first
  http:
  - match:
    - sourceLabels:
        app: helloworld-third
    route:
    - destination:
        host: aks-helloworld-first

I expected to be able to access “first” only through “third”. But when trying to access “first” through “second”, I was able to do it as well.

I ran kubectl exec on the “second” pod and ran: curl -v http://10.67.251.251/
I was able to access the “first” pod.

What am I missing?

Your configuration says that all the calls coming to third should be routed to first. If you call the service IP of third, you will see the call reaching first.

There is no rule or condition similar to this for second.

You need to use something like this to deny calls from second:

  - match:
    - sourceLabels:
        app: helloworld-sec
    route:
    - destination:
        host: aks-helloworld-first
    fault:
      abort:
        percentage:
          value: 100
        httpStatus: 400

Even after doing this, I feel that with the way you are testing, i.e. pod-to-pod communication, this will still happen, but all the calls made to second that should go to first will be aborted.

I don't really see a use case in this, but this is how it can be achieved, though this will just make second useless in the environment.

You need to define Istio role-based authorization controls between the services in the Istio service mesh.
Please follow the example below.

I use this simple example in order to understand how to use the virtual service object.
Actually, what I need is to understand what the best way is to implement access policy between services in Istio.
I'm not sure the virtual service is the right way to do it.
I will be glad if you can explain in which cases I should use virtual services.
And what would be the best thing to use in order to define access rules? I also tried to add a “deny all” rule and add a whitelist, but I didn't understand how to combine them all.

I installed Istio on GKE. When trying to look for “clusterrbacconfigs” I'm getting this error:
the server doesn’t have a resource type “clusterrbacconfigs”.
I read that it's part of Istio since version 1.1. I don't understand why I don't see the “default” object in my environment.

Probably you are using an older version of Istio where the CRD was called “RbacConfig”. Please cross-check.
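
One way to express the rule the thread is after (only “third” may call “first”) with the Istio RBAC resources discussed above, as an added example that is not part of the original posts or taken from the Istio project. It assumes the `default` namespace, mutual TLS enabled between the sidecars, and a hypothetical service account `helloworld-third` for the “third” pod; the role and binding names are made up.

```yaml
# Added example. Assumptions: namespace "default", mutual TLS enabled in the
# mesh, and the "third" pod running as service account "helloworld-third".

# 1. Turn on RBAC enforcement, but only for the service being protected.
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default              # only the object named "default" is honoured
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    services:
    - aks-helloworld-first.default.svc.cluster.local
---
# 2. Describe what may be done to "first": HTTP GET on any path.
#    With enforcement on, anything not granted by a role is denied.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: first-viewer         # hypothetical name
  namespace: default
spec:
  rules:
  - services: ["aks-helloworld-first.default.svc.cluster.local"]
    methods: ["GET"]
---
# 3. Grant that role to the identity of "third" only. The "user" field is
#    the caller's mTLS identity, which is why mutual TLS is required.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-first-viewer    # hypothetical name
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/helloworld-third"
  roleRef:
    kind: ServiceRole
    name: "first-viewer"
```

The policy is enforced by the sidecar in front of “first”, so a direct curl to its cluster IP from “second” is rejected with HTTP 403 regardless of any VirtualService on the caller's side. Later Istio releases replace these three kinds with the AuthorizationPolicy resource.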