To what extent should I hide everything away in Consul Connect?

This is somewhat of a best practices question.

How far should I go with fully encapsulating a service within its bridge network?
The two specific situations I have are:

  • A service querying Vault (to get RabbitMq credentials).
  • A service connecting to MS SqlServer.

SqlServer and RMQ both sit outside my service mesh. Vault is registered in Consul (but I don’t think it is Connect native?).
I have registered an agentless node and service for RMQ, and configured a terminating gateway for it, but I’m wondering if I should also be setting one up for SqlServer and Vault too?

Should I be using a terminating gateway for everything that my app wants to reach out to (overhead of managing the terminating gateways and Consul registration of these external services)?
Or should I just connect from the service directly to the targets (overhead of managing and trusting their CA)?

Thanks for your input