When a workload is running on the Control Plane cloud platform IP Addresses and CIDR blocks configured for the external firewall of a workload are ignored if they are in any private address ranges. When running in a BYOK location these internal address ranges are allowed and can be used to directly access internal resources in your data center.
When this tag is added to a workload the inbound and outbound sidecar is completely disabled. this can be useful in situations where proxying can confuse clients that are expecting direct IP communication without any NAT.