Bind Envoy sidecar task to a non-public interface

By default, all Consul Connect traffic is handled through an Envoy sidecar task. The sidecar listens on a somewhat random port on the first public IP it can find on a hosting node. I would like to move it to a private interface or a private IP attached to the public interface. There are three reasons:

  • my hosting provider has different billing costs depending on which address is used
  • adding another level of traffic isolation feels good
  • simplifies firewall rules

It seems that the Envoy sidecar ignores all the configs I could find (host_network, Nomad advertise address, Consul bind and client address).

Any hints?