K8s Istio-enabled pod can't reach regular services

7/26/2017

I'm trying to use Istio in a K8s 1.6 cluster on AWS.

I have a Kafka pod/service running the old-fashioned way, with a "kafka-zk-broker-kafka.dev" service without IP, so the kafka-zk-broker-kafka.dev service (I'm in the dev namespace) resolves to the internal names of my 3 Kafka pods. This is working great.

~ # nslookup kafka-zk-broker-kafka.dev

Name:      kafka-zk-broker-kafka.dev
Address 1: 10.33.0.11 kafka-zk-kafka-0.kafka-zk-broker-kafka.dev.svc.cluster.local
Address 2: 10.38.96.16 kafka-zk-kafka-2.kafka-zk-broker-kafka.dev.svc.cluster.local
Address 3: 10.40.128.13 kafka-zk-kafka-1.kafka-zk-broker-kafka.dev.svc.cluster.local

I deployed a Kafka producer application, using the Istio sidecar as it is also exposing a gRPC port for internal uses. Deployment went fine, but my application can't connect to the "kafka-broker" service. DNS resolution is OK, but I can't reach the service port (TCP:9092) using either the Kafka client or telnet.

What I understand is that, when the Istio (Envoy) sidecar is deployed, everything out of the pod is going through the Envoy proxy... So the Envoy proxy does not know how to reach regular services?

Am I missing something? Is there a way to mix Istio/Envoy with regular k8s services?

-- Prune
apache-kafka
envoyproxy
istio
kubernetes

1 Answer

7/27/2017

What you are doing should work, but I think you're running into this known bug: https://github.com/istio/issues/issues/37

-- Frank B
Source: StackOverflow