The "per server" approach only works if the server IP corresponds to a single host. If the IP actually is served by multiple hosts, then multiple healthcheck connections could be served by different instances (with different maintenance times). I think in the general case, each HTTP/2 connection needs this healthcheck.
We do healthchecking per server IP for load balancing purposes as well, but sometimes the the server IP is actually another proxy tier with many hosts (we do L4 load balancing as well).
So, I think for the reverse proxy healthchecking approach to work in general, you need to do it per connection.
At any rate, I don't think this approach can be made to work for forward proxy.
________________________________
From: Jeff Pinner [jpinner@twitter.com]
Sent: Monday, April 21, 2014 5:52 PM
To: Daniel Sommermann
Cc: Martin Thomson; William Chan (³ÂÖDzý); HTTP Working Group
Subject: Re: GOAWAY and proxies (#458)
For each server (not each connection), we periodically heathcheck the server at some interval. The server when failing healthchecks, must disallow new connections and allow old connections to drain gracefully. It must only send GOAWAY frames for session level errors. The reverse proxy is responsible for loadbalancing between new and existing connections and for deciding when a connection becomes unusable (for example we consider it draining when half of the available stream IDs have been used).