Description
Honestly, I am not sure if this is possible already, but there is this scenario, that I seem to not be able to go through.
So, we have a cluster with Istio, and I need one of the services to have certain restrictions within the mesh as well, and to talk to one external endpoint. Through the Sidecar object, I should be able to set the restrictions internally, but I don't know how to restrict to one external endpoint.
I can set the external endpoint in the Sidecar object as well, but I have to create a ServiceEntry anyways, in which case all the services can talk to that external endpoint.
It seems that what I need is to set a ServiceEntry for one specific service, but this is not possible. Is there any other way to achieve this?
I tried through AuthorizationPolicy, as someone suggested on SO, but it didn't work. Actually, I was not able to get either ALLOW or DENY to work under any circumstances. I am wondering whether, to make AuthorizationPolicy work, I need to enable any admission controller. Doesn't seem to be the case.