What the Client Does
- The end user’s browser only ever connects to https://app1.cordero.me → TCP 443.
- That’s the real traffic flow.
What the App Connector Health Check Does
- The App Connector doesn’t know which ports the user actually uses.
- It only looks at what you defined in the App Segment configuration.
- If the app segment says *.cordero.me with all TCP/UDP ports (except 53), then each connector will try reachability checks on every one of those ports for every IP tied to that FQDN.
- That means tens of thousands of health check probes per cycle, even though the client only ever uses 443.
Why This Matters
- Health checks are not user-driven — they’re configuration-driven.
- The connector doesn’t “learn” that clients only use 443; it blindly follows the segment’s port list.
- So, yes: with your wildcard + all ports segment, the connector is probing all ports, not just 443, which wastes capacity and stretches health-check cycles (leading to that 6,000+ check issue).
Best practice
- Define only the ports that clients truly use in the app segment (e.g., just 443 for app1.cordero.me).
- Let Access Policies govern who can use the app, not wide-open port definitions.
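To make the "configuration-driven" point concrete, here is an added example (not code from the original answer or from Zscaler) that models probe volume the way the answer describes it: each connector checks every configured TCP and UDP port against every IP the FQDN resolves to. The `AppSegment` class, the port-range syntax (`"1-65535"`, `"443"`, comma-separated), the resolved IP lists and the connector count are all assumptions constructed for illustration, not the product's own API or data; the only product behaviour it encodes is the ports × IPs × connectors relationship stated above.

```python
from dataclasses import dataclass

MAX_PORT = 65535


def parse_port_ranges(spec: str, exclude: frozenset[int] = frozenset()) -> set[int]:
    """Expand a port spec such as "443", "80,443" or "1-65535" into a set of ports.

    Ports in `exclude` are removed; the answer's segment leaves 53 out of the
    all-ports definition, so the default exclusion below mirrors that.
    Raises ValueError on malformed or out-of-range entries.
    """
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not (1 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports - exclude


@dataclass(frozen=True)
class AppSegment:
    """Hypothetical, simplified app segment definition (not Zscaler's schema)."""
    name: str
    resolved_ips: tuple[str, ...]        # IPs the connector resolves the FQDN(s) to
    tcp_ports: str = ""                  # port spec; "" means no TCP ports defined
    udp_ports: str = ""                  # port spec; "" means no UDP ports defined
    excluded_ports: frozenset[int] = frozenset({53})


def configured_ports(seg: AppSegment) -> int:
    """Number of distinct (protocol, port) pairs the segment definition covers."""
    tcp = parse_port_ranges(seg.tcp_ports, seg.excluded_ports)
    udp = parse_port_ranges(seg.udp_ports, seg.excluded_ports)
    return len(tcp) + len(udp)


def probes_per_connector(seg: AppSegment) -> int:
    """Reachability checks one connector issues per health-check cycle."""
    return len(seg.resolved_ips) * configured_ports(seg)


def probes_per_cycle(seg: AppSegment, connectors: int) -> int:
    """Total checks across all connectors serving the segment, per cycle."""
    return connectors * probes_per_connector(seg)


def compare(wide: AppSegment, narrow: AppSegment, connectors: int) -> dict[str, int]:
    """Side-by-side probe counts for a wide-open segment and a tightened one."""
    return {
        "wide_per_cycle": probes_per_cycle(wide, connectors),
        "narrow_per_cycle": probes_per_cycle(narrow, connectors),
        "reduction_factor": probes_per_cycle(wide, connectors) // max(1, probes_per_cycle(narrow, connectors)),
    }


if __name__ == "__main__":
    # Constructed sample data: two resolved IPs and four connectors are assumptions.
    wildcard_all_ports = AppSegment(
        name="*.cordero.me (all TCP/UDP except 53)",
        resolved_ips=("10.0.0.1", "10.0.0.2"),
        tcp_ports="1-65535",
        udp_ports="1-65535",
    )
    app1_443_only = AppSegment(
        name="app1.cordero.me (TCP 443 only)",
        resolved_ips=("10.0.0.1",),
        tcp_ports="443",
    )
    for seg in (wildcard_all_ports, app1_443_only):
        print(f"{seg.name}: {probes_per_connector(seg)} probes per connector per cycle")
    print(compare(wildcard_all_ports, app1_443_only, connectors=4))
```

Run it as-is to see the gap between the two definitions: the wildcard segment yields 2 IPs × (65534 TCP + 65534 UDP) = 262,136 checks per connector per cycle, while the 443-only segment yields one. The client traffic is identical in both cases, which is exactly why trimming the port list in the segment, rather than relying on the client's actual usage, is what shrinks the health-check load.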