Description
The egress gateway feature is partially incompatible with L7 policies: traffic will not be forwarded to a gateway if there's an L7 policy selecting the same endpoint selected by an egress gateway policy.

The specific problem is that the egress gateway logic to forward traffic to a gateway lives currently in `bpf_lxc`, right after the L7 proxy redirection, so if a packet is redirected to the L7 proxy (and then reinjected back into the stack), egress gateway will be completely skipped.

One way to fix this would be to move the egress gateway logic from `bpf_lxc` to `bpf_host`, but this is currently not a viable option as the agent is not yet able to dynamically load `bpf_host` on new network devices. This in turn would be a problem in environments such as EKS, where new ENIs are dynamically allocated to accommodate additional pod IPs.
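The overlap the issue describes, as a constructed example that is not part of the original issue: both policies below select the same pods (the `app: myapp` label, the CIDRs, node label and egress IP are assumed placeholders), so under the behaviour reported above the HTTP traffic matched by the L7 rule would be handled by the proxy and never reach the egress gateway. The manifests assume the `cilium.io/v2` `CiliumNetworkPolicy` and `CiliumEgressGatewayPolicy` schemas.

```yaml
# Constructed example: an L7 egress policy and an egress gateway policy
# that select the same endpoints. Labels, CIDRs and IPs are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: myapp-l7-egress
spec:
  endpointSelector:
    matchLabels:
      app: myapp            # same pods as the egress gateway policy below
  egress:
  - toCIDR:
    - 203.0.113.0/24         # placeholder external destination
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:               # L7 rule: traffic is redirected to the proxy
        - method: GET
---
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: myapp-egress-gateway
spec:
  selectors:
  - podSelector:
      matchLabels:
        app: myapp          # same pods as the L7 policy above
  destinationCIDRs:
  - 203.0.113.0/24          # same destination as the L7 rule
  egressGateway:
    nodeSelector:
      matchLabels:
        node-role: egress-gateway   # placeholder node label
    egressIP: 192.0.2.10            # placeholder gateway IP
```

When auditing a cluster for this condition, compare the `endpointSelector` of every policy carrying `rules.http` (or other L7 rules) against the `podSelector` of each egress gateway policy; any intersection means that traffic's source IP will not be the expected gateway IP.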