Zscaler – ZPA App Connector Application Limit Design


The Problem

You’re hitting the 6,000-application limit per App Connector because your current configuration uses a single broad wildcard application segment (*.corp.internal), which sends all apps to every connector group. This overloads each connector with unnecessary traffic.

Root Cause

The issue stems from the flat hierarchy:

  • Single Application Segment → Single Segment Group → All Connector Groups
  • Result: Every connector receives every app, even if it only needs a small subset.

Recommended Hierarchy

To avoid overloading connectors, follow this nested structure:

Applications → Application Segments → Segment Groups → Connector Groups → App Connectors

Current Setup (Problematic)

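| Component           | Configuration                                                  |
|---------------------|----------------------------------------------------------------|
| Application Segment | All Internal Apps                                              |
| Domain              | *.corp.internal                                                |
| Segment Group       | Internal Services Group                                        |
| Connector Groups    | AWS_App_Connectors, Miami_App_Connectors, DR_App_Connectors    |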

Issue: All connectors get 6,000+ apps, hitting the limit.

Solution: Segment Apps by Function & Location

Step 1: Create Specific Application Segments

| Name                      | Domain                      | Purpose                  |
|---------------------------|-----------------------------|--------------------------|
| WEB – Finance Apps        | *.finance.corp.internal     | Finance web apps         |
| SQL – Production DBs      | *.sql.prod.corp.internal    | Production databases     |
| RDP – Domain Controllers  | dc*.corp.internal           | Domain controller access |
| SSH – DevOps Jump Servers | *.jump.devops.corp.internal | DevOps SSH hosts         |

Step 2: Group Segments by Access Type

  • WEB Services Group → Finance web apps
  • SQL Services Group → Production databases
  • RDP Services Group → Domain controllers
  • SSH Services Group → DevOps jump hosts

Step 3: Map Segment Groups to Connector Groups

| Segment Group      | Connector Group      | Expected App Count   |
|--------------------|----------------------|----------------------|
| WEB Services Group | AWS_App_Connectors   | ~3,000               |
| SQL Services Group | Miami_App_Connectors | ~1,500               |
| RDP Services Group | DR_App_Connectors    | ~1,200               |
| SSH Services Group | AWS_App_Connectors   | (Included in ~3,000) |

Result: No connector exceeds the 6,000-app limit.

Before vs. After

Before

  • Single wildcard (*.corp.internal)
  • All connectors see 6,000+ apps
  • One Segment Group

After

  • Four logical segments (by protocol/team)
  • Each group sees only relevant apps (1,200–3,000)
  • Dedicated Segment Groups per access type

Key Takeaways

  • Granular segments reduce connector load
  • Logical grouping improves scalability
  • No more 6,000-app limit breaches