Based on my knowledge you can create virtual service to do that
The reserved word mesh is used to imply all the sidecars in the mesh. When this field is omitted, the default gateway (mesh) will be used, which would apply the rule to all sidecars in the mesh. If a list of gateway names is provided, the rules will apply only to the gateways. To apply the rules to both gateways and sidecars, specify mesh as one of the gateway names.
You can check my another answer on stackoverflow, there is whole reproduction of someone problem where i made virtual service with a gateway to access(in a example just a curl) from outside, and if you want to make it only inside the mesh just delete this gateway and leave only mesh one, like in below example.
Specially the virtual service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginxvirt
spec:
gateways:
- mesh #inside cluster
hosts:
- nginx.default.svc.cluster.local #inside cluster
http:
- name: match-myuid
match:
- uri:
prefix: /
rewrite:
uri: /
route:
- destination:
host: nginx.default.svc.cluster.local
port:
number: 80
And some external and internal tests
External
with additional gateway to allow external traffic
curl -v -H "host: nginx.com" loadbalancer_istio_ingress_gateway_ip/
HTTP/1.1 200 OK
without additional gateway to allow external traffic, just the mesh one
curl -v -H "host: nginx.com" loadbalancer_istio_ingress_gateway_ip/
HTTP/1.1 404 Not Found
Internal
Created some basic ubuntu pod for tests
kubectl exec -ti ubu1 -- /bin/bash
With mesh gateway
curl -v nginx/
HTTP/1.1 200 OK
Without mesh gateway
curl -v nginx/
HTTP/1.1 404 Not Found
Based on that you can use gateway "mesh" which will work only inside the mesh and won't allow external requests.
I can bring you pack of yamls to test if you want, if you wanna test it.
Let me know if that answer your question or you have any more questions.
