How to block access with ACLs + multiport?

Hi. I followed the guide from Secure Consul and Registered Services on Kubernetes | Consul - HashiCorp Learn, and was testing out multi-port through How does Consul Service Mesh Work on Kubernetes? | Consul by HashiCorp, but although I can restrict mesh traffic through the tunnel via localhost, traffic directly to the port still works just fine.

From the static-client,

$ curl localhost:1234
curl: (7) Failed to connect to localhost port 1234 after 0 ms: Connection refused
/ $ curl localhost:2234
curl: (7) Failed to connect to localhost port 2234 after 0 ms: Connection refused
/ $ export NS=${NS:-"default"}
/ $ curl web.$NS.svc.cluster.local
"hello world"
/ $ curl web-admin.$NS.svc.cluster.local
"hello world from 9090"

I wrote this up as Connections bypass ACL security in multi-port · Issue #1606 · hashicorp/consul-k8s · GitHub

I found out that this is a limitation with the multi-port issue, that a service cannot be secured through the service mesh, thus defeating the whole purpose of the service mesh. The security is shifted left, to where the service must restrict traffic, such as to localhost only.

This introduces a challenge when integrating an ingress controller or API gateway, which will then need to talk to the service mesh through an upstream tunnel via localhost from the endpoint into the K8S cluster. Consul API Gateway is a non-solution currently if you wish to use gRPC, as that is not currently supported, so I am at a loss as to what solution can fully integrate with Consul Service Mesh when multiple ports are required for gRPC and HTTP.
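
A check for the workaround mentioned in the post (the service restricting itself to localhost), as an added example that is not part of the original post: it parses `ss -ltn` output captured inside the pod and reports application ports still listening on a non-loopback address, which are the ones reachable directly at the pod IP outside the mesh. The application ports 8080 and 9090 and the sample output are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -ltn` output from inside a multi-port pod.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9090     0.0.0.0:*
LISTEN 0      4096   [::1]:9090         [::]:*
LISTEN 0      4096   *:20000            *:*
"""


def is_loopback_only(addr: str) -> bool:
    """True only if the bind address is a loopback address."""
    # Drop an interface suffix (%eth0) first, then IPv6 brackets.
    addr = addr.split("%", 1)[0].strip("[]")
    if addr == "*":  # wildcard bind: all interfaces
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: treat as exposed (fail closed)


def exposed_listeners(ss_output: str, app_ports: set) -> list:
    """Return (address, port) for app ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in app_ports:
            continue  # not one of the application's own ports
        if not is_loopback_only(addr):
            findings.append((addr, int(port)))
    return findings


if __name__ == "__main__":
    # 8080 and 9090 are assumed application ports, not taken from the post.
    for addr, port in exposed_listeners(SAMPLE_SS, {8080, 9090}):
        print(f"port {port} listens on {addr}: reachable without the mesh")
```

An empty result means every listed application port is bound to loopback only, so the sidecar's upstream on localhost is the only way in.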