The customer is having 2-tier application where frontend and backend application pods are running in separate namespaces integrated with OSSM and having their respective virtual service for path "/" (frontend) and "/api" for backend. Both virtualservices use the same HTTP gateway where an edge route is manually created (IOR disabled).

The request to the backend fails with "403 - via_upstream" and we see CORS-related errors in developer tools over the web-browser.

The strange thing is that everything works fine with passthrough route but fails with edge route. The edge route is required because secure cookie flag is needed for security which gets implemented by router pods only in case of edge and re-encrypt route.

I will share the gateway, virtualservice details in private comments.