I have an Istio mesh in primary-remote multi-cluster deployment.

I have successfully installed the Apigee Remote Service for Envoy on my control plane (primary) cluster. I deploy a service to a istio enabled namespace in that cluster, with the envoy filter for external auth. In that configuration everything work as it should. Communication to the service without an api key fails, and passes with an api key. I've successfully tested communication from a curl pod in the same cluster, different namespace. As well as a curl pod in a remote cluster in the mesh successfully.

Now when I delete that service then deploy it to a remote cluster in the mesh, with the envoy filter pointing to the Apigee Remote Service for Envoy and try to access it without an api key, it's successful. Any service deployed to a remote cluster seems to never contacts the Apigee Remote Service for Envoy running on the control plane cluster.