Example policies to enforce mTLS between sidecar and egress gateway

egress-mtls-authz.yaml

# Example policies to enforce mTLS between sidecar and egress gateway, the connection between sidecar
# and egress gateway could be:
#   1. plaintext in (Istio) mTLS or
#   2. TLS in (Istio) mTLS;
# An AuthorizationPolicy is applied on egress gateway to enforce egress access control.
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-org-ext
  namespace: default
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-httpbin-org-through-egress-gateway
  namespace: default
spec:
  hosts:
  - httpbin.org
  gateways:
  - mesh
  - istio-system/egress-gateway
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: httpbin-org-egress-mTLS
        port:
          number: 80
  - match:
    - gateways:
      - istio-system/egress-gateway
      port: 80
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
      weight: 100
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - httpbin.org
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: httpbin-org-egress-mTLS
        port:
          number: 443
  - match:
    - gateways:
      - istio-system/egress-gateway
      port: 443
      sniHosts:
      - httpbin.org
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
      weight: 100
  tcp:
  - match:
    - gateways:
      - istio-system/egress-gateway
      port: 443
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egress-gateway-httpbin-org
  namespace: default
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: httpbin-org-egress-mTLS
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      tls:
        mode: ISTIO_MUTUAL
        sni: httpbin.org
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egress-gateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https
      protocol: HTTPS
    hosts:
      - '*'
    tls:
      mode: ISTIO_MUTUAL
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - '*'
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "egress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  rules:
  # 1st rule for TLS in mTLS (port 8443), only source namespace/principal and sni can be used.
  - from:
    - source:
        namespaces:
        - "default"
    to:
    - operation:
        ports:
        - "8443"
    when:
    - key: connection.sni
      values:
      - "httpbin.org"
  # 2nd rule for plaintext in mTLS (port 8080), normal HTTP attriubtes can also be used.
  - from:
    - source:
        namespaces:
        - "default"
    to:
    - operation:
        paths:
        - "/headers"
        methods:
        - "GET"
        ports:
        - "8080"
---

This saved my day. Thank you very much!