Understanding Consul Terminating Gateway

I am going through examples

I have a terminating gateway defined as

Kind = "terminating-gateway"
Name = "terminating-gateway"
Services = [
  Name = "search"

and my service config defined as:

  "Node": "google_node",
  "address": "www.google.com",
  "NodeMeta": {
    "external-node": "true",
    "external-probe": "true"
  "Service": {
    "ID": "search1",
    "Service": "search",
    "Port": 80
    "Name": "http-check",
    "status": "passing",
    "Definition": {
      "http": "https://www.google.com",
      "interval": "30s"

For My kubernetes deployment is defined as

apiVersion: apps/v1
kind: Deployment
  name: my-nginx
  #   annotations:
  #     'consul.hashicorp.com/connect-inject': 'true'
      run: my-nginx
  replicas: 1
        run: my-nginx
        'consul.hashicorp.com/connect-inject': 'true'
        'consul.hashicorp.com/connect-service-upstreams': 'search:1234'
      - name: my-nginx
        image: nginx
        - containerPort: 80

I understand that the upstream allows the pod to connect to the search service on port 1234 via the envoy sidecar. According to the examples I send an http requrest to port 1234 on localhost and set the Host header. This seems to allow me to reach out to any site. If I curl -kLvvv -H "Host: www.cnn.com" localhost:1234 from with they “my-nginx” container I get a response from CNN. curl -kLvvv -H Host: www.google.com" localhost:1234 returns data from google. I also see that its doing a TLS handshake even though the service was not configured with TLS. The documentation suggests that TLS must be set on the terminating gateway specifying a certificate.

* Expire in 149943 ms for 3 (transfer 0x5566583ebe00)
* Expire in 200 ms for 4 (transfer 0x5566583ebe00)
* Connected to www.cnn.com ( port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=turner-tls.map.fastly.net
*  start date: Dec 31 17:06:12 2020 GMT
*  expire date: May  6 20:11:42 2021 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3

What is going on here?
What is the point of the Address field if I can reach anywhere through the service?