If using Istio mTLS in ambient mode with Istio L7 HTTP policy controls, traffic between ambient workloads will be encrypted and tunneled in and out of the pods by Istio over port 15008. In this scenario, Cilium NetworkPolicy will still apply to the encrypted and tunneled L4 traffic entering and leaving the Istio-managed pods, but Cilium will have no visibility into the actual source and destination of that tunneled and encrypted L4 traffic, or any L7 information.
Summary
The problem of HTTP-level (L7) metrics not being collected with Cilium + Istio Ambient Mode
https://docs.cilium.io/en/latest/network/servicemesh/istio/#istio-configuration
In the end, it looks like L7-level traffic cannot be made visible when running alongside Cilium.
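What the quoted paragraph means when writing policy, as an added example that is not taken from the Cilium or Istio documentation or from this note: an L7 HTTP rule on the application port next to an L4-only rule on the tunnel port 15008. The namespace, labels, policy names and application port 8080 are constructed for illustration.

```yaml
# Constructed example: namespace, labels, names and port 8080 are assumptions.
# Policy A: L7 HTTP rule on the application port. Between ambient workloads the
# request travels inside Istio's encrypted tunnel on port 15008, so Cilium has
# no HTTP request to evaluate here and no L7 flow data to report for it.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-http-l7
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/.*"
---
# Policy B: L4-only rule on the tunnel port. This is the level at which Cilium
# still applies policy to ambient traffic. No source selector is set, because
# per the quoted paragraph Cilium cannot see the actual source of tunneled
# traffic; the rule constrains port and protocol only.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-hbone
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - toPorts:
    - ports:
      - port: "15008"
        protocol: TCP
```

With this split, Cilium only answers whether tunneled traffic on 15008 may reach the pod, and HTTP method and path restrictions are left to the Istio L7 HTTP policy controls the paragraph mentions.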