For an internal hack project a few weeks back, I spiked using Tailscale (which sits on WireGuard) to create a private network mesh that joined AWS and Azure -- this has the nice property of being a cloud-agnostic solution. No need to poke holes in the ingress to expose anything. The Tailscale k8s operator / MagicDNS makes exposing services cross-cluster dead simple. Headscale is a similar DIY approach. Submariner makes similar promises, but I haven't gotten a chance to use it yet.