Prepare Your Network or Web Server for iCloud Private Relay

iCloud Private Relay is a new internet privacy service offered as a part of an iCloud+ subscription that allows users on iOS 15, iPadOS 15, and macOS Monterey to connect to and browse the web more privately and securely. Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure HTTP app traffic. Internet connections set up through Private Relay use anonymous IP addresses that map to the region a user is in, without divulging the user’s exact location or identity. Learn how to provide the best possible experience for users of Private Relay on your network.

Overview

The iCloud Private Relay service uses an innovative multi-hop architecture in which users’ requests are sent through two separate internet relays operated by different entities. This way, no single party — including Apple — can view or collect the details of users’ browsing activity. Private Relay validates that the client connecting is an iPhone, iPad, or Mac, so you can be assured that connections are coming from an Apple device. Private Relay replaces the user’s original IP address with one assigned from the range of IP addresses used by the service. The assigned relay IP address may be shared among more than one Private Relay user in the same area. The relay IP address presented to networks and web servers accurately represents the client’s coarse city-level location by default, allowing your network to receive relevant location information when attempting to enforce geo-based restrictions based on IP address.

Network Operators

Optimize for Private Relay connections

iCloud Private Relay uses QUIC, a new standard transport protocol based on UDP. QUIC connections in Private Relay are set up using port 443 and TLS 1.3, so make sure your network and server are ready to handle these connections.

Learn how to manage QUIC connections on your network

Allow for network traffic audits

Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network.

The fastest and most reliable way to alert users is to return a negative answer from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.

mask.icloud.com
mask-h2.icloud.com

Web Servers

Access IP geolocation feeds

If you run a web server, you can localize your content or restrict access based on the region of a client. Please reach out to your geo IP database provider to update your feeds with the latest mappings. Many geo IP database providers also annotate these addresses as “iCloud Private Relay,” so you can easily recognize them on your servers.

Private Relay preserves the region the user is in, so your server can trust the region assigned to the IP address it sees. By default, connections are also associated with the city closest to the client, allowing your content to remain relevant. You can also access our latest set of IP addresses and locations.

Access IP geolocation feeds

Trust Private Relay connections

All connections that use Private Relay validate that the client is an iPhone, iPad, or Mac and that the customer has a valid iCloud+ subscription. Private Relay enforces several anti-abuse and anti-fraud techniques, such as single-use authentication tokens and rate-limiting. This is designed to ensure only valid Apple devices and accounts in good standing are allowed to use Private Relay. Additionally, the relay IP address will remain stable during a browsing session from a device, to make sure you will see a consistent address while a user is interacting with your website.

Traditional fraud detection that relies solely on IP addresses might need to be updated to ensure legitimate users are not impacted. Consider treating these addresses like larger carrier-grade NAT or enterprise IP addresses to better account for this type of traffic, since many Private Relay users may be assigned to a single relay IP address.
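As an added illustration (not code from Apple or this page), the following Python shows one way a web server can classify a client address against the published relay egress feed and give shared relay addresses a larger per-IP request budget, the way a carrier-grade NAT range would be treated. It assumes the feed is CSV in the form range,country,region,city,postal; the ranges in the sample feed are constructed from RFC 5737 documentation space and are not real relay addresses.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample feed (assumed layout: range,country,region,city,postal).
# These RFC 5737 documentation ranges are placeholders, not real relay egress IPs.
SAMPLE_FEED = """\
192.0.2.0/26,US,US-CA,San Francisco,
192.0.2.64/26,US,US-NY,New York,
198.51.100.0/24,GB,GB-ENG,London,
"""

def parse_feed(text):
    """Parse feed lines into (network, country, region, city) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        net, country, region, city, _postal = line.split(",", 4)
        entries.append((ipaddress.ip_network(net, strict=False), country, region, city))
    return entries

def lookup(feed, ip):
    """Return the feed entry covering ip, or None if ip is not a relay egress address."""
    addr = ipaddress.ip_address(ip)
    for net, country, region, city in feed:
        if addr in net:
            return {"country": country, "region": region, "city": city}
    return None

class RateLimiter:
    """Sliding-window per-IP limiter; relay egress IPs get a larger budget
    because many users share one address, while other IPs keep the strict limit."""
    def __init__(self, feed, per_ip=10, per_relay_ip=200, window=60):
        self.feed = feed
        self.per_ip = per_ip
        self.per_relay_ip = per_relay_ip
        self.window = window           # seconds
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] > self.window:   # drop requests outside the window
            q.popleft()
        limit = self.per_relay_ip if lookup(self.feed, ip) else self.per_ip
        if len(q) >= limit:
            return False
        q.append(now)
        return True
```

In production the feed would be refreshed on a schedule and the relay classification combined with signals beyond the source IP, since a single relay address legitimately carries many distinct users.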

Additional resources