Issue with Application Access Policies with private Services

Hello there,

I have just recently setup Zero Trust for my private applications. I added said applications in Zero Trust and created block policies, which (for now) should just block anyone except me. Since these are private services, I can only choose between IP and SNI. Most of my services run via a reverse proxy, so I have multiple subdomains pointing to the same device:

service1(.)example(.)com →
service2(.)example(.)com →

Now I want to only allow access to service1 but block access to service2. So I set it up like this:

Application 1:

Application URL (SNI) = service1(.)example(.)com
Type: Private Net
Policies: Allow for my email, block everything else

Application 2:

Application URL (SNI) = service2(.)example(.)com
Type: Private Net
Policies: block everything

Now accounts that are not me cant access either of the services, which is exactly what I want -

but once I use my account, I can still access service2(.)example(.)com as well as service1.
I am a bit lost as to why this is the case. Unfortunately I cant filter by IP, since its always the same destination ip… Any help/explanation is highly appreciated!

What does block everything entail in your policy?

Only the default “SNI is service1(.)example(.)com”. So no additions. This works well for Applications with an IP

What details are provided in the Gateway activity logs for those requests?

So it actually does sometimes block it. Heres what I have noticed:

The initial allowed connection is most likely DNS, so that is fine.

The blocked one is the request made to service2(.)example(.)com and this actually prevented me from accessing the page (no blocked page, just didnt load).

I then tried to connect to service1, which worked as expected.

Afterwards I tried to connect to service2 again. This time it worked. So the most recent allowed connection in the picture is actually to service2.

It seems the policy gets bypassed after connecting to a service that shares the same ip…?

If you review the details of that request what policy ID did it match?

I ran another test since I could not be sure, the allowed ones all showed to be service1. Sorry for the confusion, i went through all of the requests and marked their policy and SNI.

According to cloudflare, all requests to service2 have been blocked by the policy (in my original post, thats Application 2).

Now interestingly, the request I marked yellow, which is shown as blocked, was not actually blocked. I could reach the service and also make changes (so its not some cached version my browser shows me). But again, this only worked after making a request to service1. The blocked request at 15:49:52 did actually get blocked.

I’d see if you can create a reliable set of reproduction steps… ideally with a network capture and open a support ticket.

It is pretty reproducable, however as a Free Plan User it seems I cannot create Support Tickets… Im going to assume theres no staff checking out the community questions?