Prepare Your Network for iCloud Private Relay

iCloud Private Relay is a new internet privacy service offered as a part of an iCloud+ subscription that allows users on iOS 15, iPadOS 15, and macOS Monterey to connect to and browse the web more privately and securely. Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure HTTP app traffic. Internet connections set up through Private Relay use anonymous IP addresses that map to the region a user is in, without divulging the user’s exact location or identity. Learn how to provide the best possible experience for users of Private Relay on your network.

Overview

The iCloud Private Relay service uses an innovative multi-hop architecture in which your requests are sent through two separate internet relays operated by different entities. This way, no single party — including Apple — can view or collect the details of your browsing activity. Private Relay validates that the client connecting is an iPhone, iPad, or Mac, so you can be assured that connections are coming from an Apple device. The egress IP address also accurately represents the client’s coarse city-level location by default, allowing your network to receive relevant location information when attempting to enforce geo-based restrictions based on IP address. The client’s unique IP address is still masked, however, and only an anonymized address is shared with websites. These addresses are shared among groups of Private Relay users.

Optimize for Private Relay connections

iCloud Private Relay uses QUIC, a new standard transport protocol based on UDP. QUIC connections in Private Relay are set up using port 443 and TLS 1.3, so make sure your network allows this UDP traffic on port 443 and that your servers are ready to handle these connections.

Learn how to manage QUIC connections on your network

Access IP geolocation feeds

If you run a web server, you can differentiate your content or restrict access based on the region of a client. Please reach out to your geo IP database provider to update your feeds with the latest mappings. You can also access our latest set of IP addresses and locations.

Validate client regions

All connections that use Private Relay validate that the client is an iPhone, iPad, or Mac. Private Relay prevents clients from pretending to be in a different country, so your server can use the country assigned to the IP address it sees to determine the client’s region. Most connections are also associated with the city closest to the client, allowing your content to remain relevant.

Allow for network traffic audits

Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network.

The fastest and most reliable way to alert users is to return a negative answer (such as NXDOMAIN) from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.

mask.icloud.com
mask-h2.icloud.com
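The following script is an added example, not code from Apple or from this page, for checking how your own resolver answers for the two hostnames above. Using only the Python standard library it sends a plain UDP DNS query and classifies the reply into the three outcomes the page distinguishes: a prompt negative answer (recommended), a real answer (Private Relay is not blocked), or a timeout (the case to avoid). The function names, the `build_response` helper that fabricates a response header for offline testing, and the default resolver address 127.0.0.1 are all assumptions of this example.

```python
"""Check how a network's DNS resolver answers for the Private Relay hostnames.

Added example, not Apple's code: it sends a plain UDP DNS query with only the
Python standard library and reports whether the resolver returns a prompt
negative answer (what the page recommends), a real answer (Private Relay is
not blocked), or a timeout (what the page says to avoid).
"""
import socket
import struct
import sys
import time

# Hostnames used by Private Relay traffic, as listed on the page.
PRIVATE_RELAY_HOSTNAMES = ("mask.icloud.com", "mask-h2.icloud.com")

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
FLAG_QR = 0x8000   # response bit
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(hostname):
    """Encode a hostname in DNS wire format: length-prefixed labels, zero terminator."""
    labels = hostname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(hostname, txid):
    """Build a minimal A/IN query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(hostname) + struct.pack("!HH", 1, 1)


def build_response(hostname, txid, rcode, answer_count):
    """Construct a synthetic response (header + question only) for offline testing.

    This is fabricated test data, not a capture from a real resolver; classification
    only needs the header fields, so no answer records are encoded.
    """
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", txid, flags, 1, answer_count, 0, 0)
    return header + encode_name(hostname) + struct.pack("!HH", 1, 1)


def classify_response(raw, expected_txid):
    """Map a raw DNS response to what a client device will experience."""
    if len(raw) < 12:
        return "malformed"
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if txid != expected_txid or not flags & FLAG_QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"            # explicit negative answer: name does not exist
    if rcode == RCODE_NOERROR and an == 0:
        return "nodata"              # negative answer: name exists but has no A record
    if rcode == RCODE_NOERROR:
        return "resolved"            # Private Relay is reachable through this resolver
    return "rcode_%d" % rcode        # SERVFAIL, REFUSED and friends


def verdict(result):
    """Explain each outcome in terms of the page's guidance."""
    if result in ("nxdomain", "nodata"):
        return "ok: negative answer, device promptly tells the user to disable Private Relay"
    if result == "resolved":
        return "not blocked: Private Relay traffic will bypass the audit"
    if result == "timeout":
        return "avoid: timeouts delay the client instead of prompting the user"
    return "unexpected: %s" % result


def check_resolver(resolver_ip, hostname, timeout=2.0):
    """Send one query to the resolver over UDP/53 and time the reply."""
    txid = 0x4B1D
    query = build_query(hostname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (resolver_ip, 53))
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"hostname": hostname, "result": "timeout", "ms": timeout * 1000}
        elapsed_ms = (time.monotonic() - start) * 1000
    return {"hostname": hostname, "result": classify_response(raw, txid), "ms": round(elapsed_ms, 1)}


if __name__ == "__main__":
    # Usage: python check_relay_dns.py <your-resolver-ip>   (defaults to 127.0.0.1)
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name in PRIVATE_RELAY_HOSTNAMES:
        r = check_resolver(resolver, name)
        print("%-20s %-9s %7.1f ms  %s" % (r["hostname"], r["result"], r["ms"], verdict(r["result"])))
```

Run it from a client subnet against the resolver that devices on that network actually use; both hostnames should come back as `nxdomain` (or `nodata`) within a few milliseconds. A `timeout` result means the resolver is dropping or stalling the query, which is the behaviour the page warns against. On Unbound, for instance, a `local-zone: "mask.icloud.com" always_nxdomain` entry for each hostname produces the recommended negative answer.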

Additional resources

Watch “Get ready for iCloud Private Relay”

Read “Protecting the User’s Privacy”

View discussions on the forums