A ZTNA admin created a segment application pointing to the IP address of a load balancer VIP that fronted multiple web servers.
After entities or groups were added to the segment policy, users could successfully access the application.
The load balancer configuration was then modified so that multiple application domains could be accessed via the same load balancer VIP.
With this change, all users authorised to access the segment application could connect to ANY web application fronted by the VIP, which was not part of the requirements.
The ZTNA admin could have requested a separate VIP for each application and added a separate segment application and policy for each to restrict access that way, but wanted to know whether there were any other options.
Cloud SWG.
ZTNA segment applications.
WSS Agent or ESA.
Load balancer fronting multiple domains on the same VIP.
Segment application defined by IP address.
Define the segment application connection type as 'Custom domain (FQDN only)'.
With this setup, you can define the specific domains the users have access to, even if those domains share the same load balancer VIP IP address.
If ZTNA users are required to access multiple domains, then multiple segment applications / policies are needed, one per domain.
This applies to any application fronted by a load balancer, not just web applications.
Data inspection policies can also be applied to segment applications defined with an FQDN, which is not possible with the IP-based alternative.
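The following is an added illustration, not Cloud SWG code, that models why an IP-defined segment application over-grants once a VIP fronts several domains, and how an FQDN-defined one restricts access to the named domain. The VIP, hostnames and group names are constructed sample values; the check keys on the hostname the client asks for (SNI / Host), as the FQDN connection type does.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample values (not from the article): one load balancer VIP
# fronting three application domains via name-based virtual hosting.
VIP = "203.0.113.10"
DNS = {
    "app1.example.com": VIP,
    "app2.example.com": VIP,
    "intranet.example.com": VIP,
}

@dataclass(frozen=True)
class SegmentApp:
    name: str
    kind: str    # "ip" = defined by IP address, "fqdn" = 'Custom domain (FQDN only)'
    value: str   # the IP address or the FQDN

@dataclass(frozen=True)
class Policy:
    app: SegmentApp
    groups: frozenset  # entities/groups granted access to the segment application

def allowed(policies, user_groups, dst_ip, server_name):
    """Return True if any policy grants this user the connection.

    dst_ip is the address the agent connects to; server_name is the host the
    client intends (SNI / Host header). An IP-defined app matches every
    hostname behind that address; an FQDN-defined app matches only its name.
    """
    for p in policies:
        if not (set(user_groups) & p.groups):
            continue
        if p.app.kind == "ip" and ip_address(dst_ip) == ip_address(p.app.value):
            return True
        if p.app.kind == "fqdn" and server_name.lower() == p.app.value.lower():
            return True
    return False

def reachable_hosts(policies, user_groups):
    """All hostnames in the constructed zone that a user can reach."""
    return sorted(h for h, ip in DNS.items() if allowed(policies, user_groups, ip, h))

# Segment application for app1 defined by the VIP address: over-grants.
IP_POLICY = [Policy(SegmentApp("app1-by-ip", "ip", VIP), frozenset({"app1-users"}))]
# Same application defined by FQDN: only app1.example.com is reachable.
FQDN_POLICY = [Policy(SegmentApp("app1-by-fqdn", "fqdn", "app1.example.com"),
                      frozenset({"app1-users"}))]
```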