Universal Link Not Working – Apple Request Blocked by Firewall Due to Geographic Restriction

Hello,

I’m encountering an issue with Universal Links in my iOS app. After some investigation, I found that the root cause seems to be that Apple’s request through their CDN server to access the .well-known/apple-app-site-association file is blocked by our firewall, which enforces geographic access restrictions as part of our security policy.

Because of this restriction, Apple’s validation or link verification requests are being denied, and the Universal Links are not working as expected.

I’d like to get some guidance from the community or Apple engineers on the following:

1. Does Apple provide an official list of IP ranges or domains that need to be allowed through the firewall for Universal Link validation?
2. Are there alternative methods to handle Universal Link verification in environments with geographic restrictions?
3. Would whitelisting specific Apple services or endpoints be a recommended or safe solution?

Any input or recommendations would be greatly appreciated.

Environment Details:

• iOS app using Universal Links
• Server protected by a firewall with regional restrictions
• AASA file hosted correctly and accessible via browser

Thanks in advance for your help and insights.

Answered by DTS Engineer in 865598022

Thank you for your post and question. Regrettably, Apple’s range of IP addresses may change, so we request that you open the range to all IP addresses and user-agents. Blocking regionally will cause issues for users in different regions. Apple does not provide a list of IP addresses.

We put all that in this Tech Note TN3155: Debugging universal links | Apple Developer Documentation

Hope this helps, I know this is not the answer you probably wanted.

Albert Pascual
  Worldwide Developer Relations.

Hi Albert,

Thank you for your quick and detailed response — I really appreciate your time and clarification.

I completely understand from your explanation (and Tech Note TN3155) that Apple’s IP ranges are dynamic and that blocking traffic regionally can cause issues with Universal Links.

However, our app is intentionally available only in a specific country, and we’ve already enforced this restriction through App Store country availability settings as per our business requirements. In addition, our cybersecurity team does not allow opening our domain to regions outside of the targeted country for compliance and data-protection reasons.

Given these constraints, I’d like to know if there are any alternative approaches or recommendations Apple could suggest for Universal Link validation in such restricted environments.

Thank you again for your support and guidance.

Best regards,

Raguraman Asokan

Apologies for the extended delay. I comprehend the geographic restrictions, but your server should permit requests for the AASA file from any IP address and user agent. Without this capability, the AASA file cannot be downloaded and utilized.

Could you please provide a link to the file in question?

Without access to that file from your server, I am unable to identify any alternative methods to obtain access to the Universal Links.

Albert Pascual
  Worldwide Developer Relations.

Thank you for your response.

Here is the AASA file URL as requested: https://pre-api.tcc-ltd.sa/.well-known/apple-app-site-association

To clarify, I fully understand that using Developer Mode allows us to bypass the Apple CDN and test Universal Links internally, and in that scenario everything works correctly within our target country environment.

However, the issue arises when the app is distributed via the App Store. In production, Apple CDN servers located outside our target country attempt to fetch the AASA file, and since our firewall is configured to allow access only from within the target country, those external requests are blocked. This results in Universal Links not functioning for end users, even though they are located inside the allowed region.

Our goal is to ensure that Universal Links work for real users in our target country without relaxing our geographic firewall policy for external IPs.

Could you please advise if there are any recommended approaches or best practices for supporting Universal Links in scenarios where regional access restrictions are mandatory?

Thank you for your continued guidance.

Best regards,

Raguraman Asokan

Thanks for the reply, and my apologies; I keep not getting notifications on your update.

Our goal is to ensure that Universal Links work for real users in our target country without relaxing our geographic firewall policy for external IPs.

Regrettably, it is not feasible to achieve this. You will need to allow requests from individuals downloading the application from the App Store as well as Apple servers located in various geographic regions for that specific URL.

Albert Pascual
  Worldwide Developer Relations.
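
The outcome of this thread is that the AASA URL must be reachable from any IP address and user agent while everything else can stay geo-fenced. The sketch below is an added example, not code from Apple or from the poster; it models that rule in a product-agnostic way, and the `Request` fields, the `XX` country placeholder and the sample paths are assumptions made for illustration.

```python
# Added example: product-agnostic model of a geo-fence rule with one exemption.
# ALLOWED_COUNTRY and the Request fields are assumptions, not from the thread.
from dataclasses import dataclass

AASA_PATH = "/.well-known/apple-app-site-association"
ALLOWED_COUNTRY = "XX"          # placeholder for the target country code
READ_ONLY_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Request:
    method: str
    raw_target: str     # request target exactly as received, before decoding
    country: str        # GeoIP country code of the client address


def is_aasa_fetch(req: Request) -> bool:
    """True only for a read-only request whose raw target is exactly the AASA path.

    Comparing the undecoded target character for character means prefix
    matches, percent-encoded variants, dot segments and query strings all
    fall through to the geo rule instead of widening the exemption.
    """
    return req.method in READ_ONLY_METHODS and req.raw_target == AASA_PATH


def decide(req: Request) -> str:
    """Return 'allow' or 'deny' for one request."""
    if is_aasa_fetch(req):
        return "allow"                      # any IP, any user agent
    if req.country == ALLOWED_COUNTRY:
        return "allow"                      # normal in-country traffic
    return "deny"                           # geo-fence stays in force


# Constructed sample requests (not real traffic).
SAMPLES = [
    Request("GET", AASA_PATH, "US"),
    Request("GET", "/v1/accounts", "US"),
    Request("GET", "/v1/accounts", "XX"),
    Request("POST", AASA_PATH, "US"),
    Request("GET", AASA_PATH + "/../v1/accounts", "US"),
    Request("GET", AASA_PATH + ".bak", "DE"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{decide(r):5}  {r.country}  {r.method:4}  {r.raw_target}")
```

Because the AASA file is static and meant to be public, exempting exactly this one path for read-only methods exposes nothing beyond the file's own contents.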
