Zscaler – ZPA App Connector Application Limit Design

What’s the Problem?

You’re hitting the 6,000-application limit per App Connector because a single broad application segment sends all apps to every connector group, which overloads each connector.

Setup Overview (Before)

Single Application Segment

  • Name: All Internal Apps
  • Domain: *.corp.internal
  • Segment Group: Internal Services Group
  • Connector Groups:
    • AWS_App_Connectors
    • Miami_App_Connectors
    • DR_App_Connectors

Issue: Every connector receives every app, even when it only needs a small portion of them, so each connector hits the 6,000-app limit.

How to Fix It

Step 1: Create Specific Application Segments

  • WEB – Finance Apps: *.finance.corp.internal
  • SQL – Production Databases: *.sql.prod.corp.internal
  • RDP – Domain Controllers: dc*.corp.internal
  • SSH – DevOps Jump Servers: *.jump.devops.corp.internal

Step 2: Create Segment Groups

  • WEB Services Group → for web-based finance applications
  • SQL Services Group → for production databases
  • RDP Services Group → for domain controller access
  • SSH Services Group → for DevOps jump hosts

Step 3: Map to App Connector Groups by Location

  • WEB Services Group → AWS_App_Connectors
  • SQL Services Group → Miami_App_Connectors
  • RDP Services Group → DR_App_Connectors
  • SSH Services Group → AWS_App_Connectors

App Distribution After Change

| Connector Group      | Assigned Segment Group | # of Apps Seen |
|----------------------|------------------------|----------------|
| AWS_App_Connectors   | WEB, SSH               | ~3,000 apps    |
| Miami_App_Connectors | SQL                    | ~1,500 apps    |
| DR_App_Connectors    | RDP                    | ~1,200 apps    |
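
A way to sanity-check a split like this against an exported host inventory before changing the portal, as an added example (not Zscaler tooling and not part of the original page): it counts how many apps each connector group would see under the before and after layouts, and lists hosts that matched *.corp.internal but match none of the new segments. Assumptions: each hostname counts as one application toward the limit, glob matching approximates ZPA's wildcard handling, and the inventory is constructed sample data.

```python
from fnmatch import fnmatchcase

APP_LIMIT = 6000  # per-App-Connector application limit quoted on this page
ALL_GROUPS = ["AWS_App_Connectors", "Miami_App_Connectors", "DR_App_Connectors"]

# Layouts from this page: segment name -> (domain pattern, connector groups)
BEFORE = {"All Internal Apps": ("*.corp.internal", ALL_GROUPS)}
AFTER = {
    "WEB – Finance Apps": ("*.finance.corp.internal", ["AWS_App_Connectors"]),
    "SQL – Production Databases": ("*.sql.prod.corp.internal", ["Miami_App_Connectors"]),
    "RDP – Domain Controllers": ("dc*.corp.internal", ["DR_App_Connectors"]),
    "SSH – DevOps Jump Servers": ("*.jump.devops.corp.internal", ["AWS_App_Connectors"]),
}

def plan(inventory, layout):
    """Return ({connector group: app count}, [hosts matched by no segment])."""
    seen, uncovered = {}, []
    for host in inventory:
        groups = set()
        for pattern, connector_groups in layout.values():
            # Assumption: glob matching stands in for ZPA's wildcard handling.
            if fnmatchcase(host.lower(), pattern.lower()):
                groups.update(connector_groups)
        if not groups:
            uncovered.append(host)
        for group in groups:
            seen.setdefault(group, set()).add(host)
    return {g: len(hosts) for g, hosts in seen.items()}, uncovered

def over_limit(counts, limit=APP_LIMIT):
    """Connector groups whose app count exceeds the limit."""
    return sorted(g for g, n in counts.items() if n > limit)

def sample_inventory():
    """Constructed hostnames sized to mirror the page's rough figures."""
    hosts = [f"app{i}.finance.corp.internal" for i in range(2500)]
    hosts += [f"jump{i}.jump.devops.corp.internal" for i in range(500)]
    hosts += [f"db{i}.sql.prod.corp.internal" for i in range(1500)]
    hosts += [f"dc{i}.corp.internal" for i in range(1200)]
    hosts += [f"legacy{i}.hr.corp.internal" for i in range(400)]  # fits no new segment
    return hosts

if __name__ == "__main__":
    inventory = sample_inventory()
    for label, layout in (("before", BEFORE), ("after", AFTER)):
        counts, uncovered = plan(inventory, layout)
        print(label, counts, "over limit:", over_limit(counts),
              "uncovered hosts:", len(uncovered))
```

Any host reported as uncovered needs its own segment before the wildcard segment is retired, otherwise it no longer matches any application segment.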

ZPA Portal Configuration Preview

Application Segments

| Name                       | Domains                     | Segment Group      |
|----------------------------|-----------------------------|--------------------|
| WEB – Finance Apps         | *.finance.corp.internal     | WEB Services Group |
| SQL – Production Databases | *.sql.prod.corp.internal    | SQL Services Group |
| RDP – Domain Controllers   | dc*.corp.internal           | RDP Services Group |
| SSH – DevOps Jump Servers  | *.jump.devops.corp.internal | SSH Services Group |

Segment Groups

| Name               | Mapped Connector Groups |
|--------------------|-------------------------|
| WEB Services Group | AWS_App_Connectors      |
| SQL Services Group | Miami_App_Connectors    |
| RDP Services Group | DR_App_Connectors       |
| SSH Services Group | AWS_App_Connectors      |

Summary

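| Before                         | After                                                     |
|--------------------------------|-----------------------------------------------------------|
| One wildcard: *.corp.internal  | Four logical segments by protocol and team                |
| All connectors see 6,000+ apps | Each connector group sees only relevant apps (1,000–3,000) |
| Single Segment Group           | Separate Segment Groups by access type                    |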