ZPA Application Segment Configuration - Best practice?

Hello everyone,

I was wondering if there is a recommendation on how to configure Application Segments and Segment Groups. Currently I'm having a hard time creating a concept which allows us to keep the management effort low and stay flexible for future adjustments, without it becoming a mess. I have the following problem:

For example, we run a service, let’s call it “creator”.
Now we have 20 servers which are required for the “creator” service to work, and which need to be accessed by our developers for administrative tasks.
That means that I would create an Application Segment that contains all those servers and the required ports, like:


APPLICATION SEGMENT:
Domains:
creator-server1
creator-server2
creator-server3

Port
TCP 22
TCP 80
TCP 443

So far so good.

Two weeks later, we receive a request that another group of colleagues needs access to only one of those servers, for a quick maintenance, via SSH.
So for example:


Domain:
creator-server1

Port
TCP 22

Now we run into our first problem, because I can't create another Application Segment which only holds this server with this single port.
The ZPA cloud doesn't allow that, because the domain & port are already part of another application.

OK, not nice, but that should be solvable with Segment Groups, I thought to myself.
So I started to create one Application Segment for each server by “use”.

For example one app segment for HTTP/S and one for SSH:


APPLICATION SEGMENT HTTP/S:
Domains:
creator-server1
creator-server2
creator-server3

Ports
TCP 80
TCP 443

APPLICATION SEGMENT SSH:
Domains:
creator-server1
creator-server2
creator-server3

Ports
TCP 22

It's no fun, but doable via API.
But wait a minute… if we do it like that and create an app segment for each “use”, we will exceed the 2000 Application Segment limit of ZPA in no time.
We have a LOT of services / resources. Also, if somebody only needs access via HTTP but not HTTPS, we run into the same issue again.

That's the problem which has given me headaches for months now, and I don't seem to be able to find a nice solution for it which keeps the manual workload low but also leaves space for adjustments, without the need to potentially rebuild a lot of applications.

I would be very happy for any suggestions!
Thank you in advance!

Hmm. Difficult question. To start with, I have seen good results with splitting user access and admin access for servers (which is mostly RDP or SSH) into separate application segments, if possible. It's not 100% accurate, but I see it doing what it should. You can get more granular if required, but only if.

Regarding your problem with a group of developers and one person: is this true for every application, or is it an exception? If it's an exception, you can split up that specific application segment as needed and recombine it in a segment group.

The good thing is that you can target segment groups and applications.

The very interesting next thing is how you will build your access policies.
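As an added example (not from the original post, the reply, or any Zscaler tooling), here is a small Python model of the two points raised above: the question's constraint that a domain + port pair can only live in one Application Segment, and the reply's suggestion to split a segment as needed and recombine the pieces in a Segment Group. It takes per-group access requirements, buckets every (host, port) pair by exactly which groups need it, and then cuts each bucket into domains × ports rectangles so that no pair is ever in two segments. It also derives the per-group Segment Groups a policy would target, checks the result for overlaps, and compares the count against the limit the post cites. The hosts, ports and the extra "monitoring" group are constructed sample data; nothing here calls the ZPA API.

```python
from collections import defaultdict
from dataclasses import dataclass

HOSTS = ("creator-server1", "creator-server2", "creator-server3")

# Constructed sample requirements: requester group -> (host, port) pairs it
# must reach. "developers" and "maintenance" mirror the post; "monitoring"
# is an added assumption to show a third, partially overlapping need.
REQUIREMENTS = {
    "developers": [(h, p) for h in HOSTS for p in ("tcp/22", "tcp/80", "tcp/443")],
    "maintenance": [("creator-server1", "tcp/22")],
    "monitoring": [(h, "tcp/443") for h in HOSTS],
}

ZPA_SEGMENT_LIMIT = 2000  # the application segment limit cited in the post


@dataclass(frozen=True)
class Segment:
    domains: tuple  # sorted hostnames
    ports: tuple    # sorted "tcp/<port>" strings
    groups: tuple   # sorted requester groups that need every domain x port in it


def plan_segments(requirements):
    """Partition all required (host, port) pairs into non-overlapping segments."""
    needed_by = defaultdict(set)
    for group, pairs in requirements.items():
        for host, port in pairs:
            needed_by[(host, port)].add(group)

    # Step 1: bucket each (host, port) by the exact set of groups that need it.
    by_sig = defaultdict(lambda: defaultdict(set))   # groups -> host -> ports
    for (host, port), groups in needed_by.items():
        by_sig[frozenset(groups)][host].add(port)

    # Step 2: a segment is domains x ports, so within one bucket only hosts with
    # an identical port set can share a segment without creating an overlap.
    segments = []
    for groups, hosts in by_sig.items():
        by_ports = defaultdict(set)
        for host, ports in hosts.items():
            by_ports[frozenset(ports)].add(host)
        for ports, domains in by_ports.items():
            segments.append(Segment(tuple(sorted(domains)),
                                    tuple(sorted(ports)),
                                    tuple(sorted(groups))))
    return sorted(segments, key=lambda s: (s.groups, s.domains, s.ports))


def find_overlaps(segments):
    """Return (host, port) pairs present in more than one segment: the case the post says ZPA rejects."""
    seen = defaultdict(list)
    for seg in segments:
        for host in seg.domains:
            for port in seg.ports:
                seen[(host, port)].append(seg)
    return {pair: segs for pair, segs in seen.items() if len(segs) > 1}


def segment_groups(segments):
    """Recombine segments per requester group: the Segment Group an access policy would target."""
    groups = defaultdict(list)
    for seg in segments:
        for g in seg.groups:
            groups[g].append(seg)
    return dict(groups)


def within_limit(segments, limit=ZPA_SEGMENT_LIMIT):
    return len(segments) <= limit


if __name__ == "__main__":
    segs = plan_segments(REQUIREMENTS)
    assert not find_overlaps(segs)
    for seg in segs:
        print(f"segment domains={seg.domains} ports={seg.ports} for {seg.groups}")
    for group, members in segment_groups(segs).items():
        print(f"segment group {group}: {len(members)} segment(s)")
    print(f"{len(segs)} segments, within limit: {within_limit(segs)}")
```

For the sample data this yields four segments instead of one per server per use: server1/tcp/80 (developers only), server2+server3/tcp/22+80 (developers only), server1/tcp/22 (developers and maintenance), and all three servers/tcp/443 (developers and monitoring). The developers' Segment Group then contains all four, while maintenance and monitoring each get a group with a single segment. Re-running the planner after a new request shows exactly which existing segments would have to be split, which is the rebuild cost the post is worried about.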