Prepare your network or web server for iCloud Private Relay

iCloud Private Relay is an internet privacy service offered as a part of an iCloud+ subscription that allows users on iOS 15, iPadOS 15, and macOS Monterey and later to connect to and browse the web more privately and securely. Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure http app traffic. Internet connections set up through Private Relay use anonymous IP addresses that map to the region a user is in, without divulging the user’s exact location or identity. Learn how to provide the best possible experience for users of Private Relay on your network or website.

Overview

iCloud Private Relay uses an innovative multi-hop architecture in which users’ requests are sent through two separate internet relays operated by different entities. This way, no single party — including Apple — can view or collect the details of users’ browsing activity. Private Relay validates that the client connecting is an iPhone, iPad, or Mac, so you can be assured that connections are coming from an Apple device. Private Relay replaces the user’s original IP address with one assigned from the range of IP addresses used by the service. The assigned relay IP address may be shared among more than one Private Relay user in the same area. The relay IP address presented to networks and web servers accurately represents the client’s coarse city-level location by default, allowing your network to receive relevant location information when attempting to enforce geo-based restrictions based on IP address.

Learn how Private Relay protects users’ privacy on the internet

Network Operators

Optimize for Private Relay connections

iCloud Private Relay uses QUIC, a new standard transport protocol based on UDP. QUIC connections in Private Relay are set up using port 443 and TLS 1.3, so make sure your network and server are ready to handle these connections.

Learn how to manage QUIC connections on your network

Allow for network traffic audits

Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network.

The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.

mask.icloud.com
mask-h2.icloud.com

Web servers

Access IP geolocation feeds

If you run a web server, you can localize your content or restrict access based on the region of a client. Please reach out to your geo IP database provider to update your feeds with the latest mappings or you can access our latest set of IP addresses and locations directly.

Private Relay preserves the region the user is in, so your server can trust the region assigned to the IP address it sees. By default, connections are also associated with the city closest to the client, allowing your content to remain relevant.

Access IP geolocation feeds

Trust Private Relay connections

All connections that use Private Relay validate that the client is an iPhone, iPad, or Mac and that the customer has a valid iCloud+ subscription. Private Relay enforces several anti-abuse and anti-fraud techniques, such as single-use authentication tokens and rate limiting. This is designed to ensure that only valid Apple devices and accounts in good standing are allowed to use Private Relay. Additionally, the relay IP address will remain stable during a browsing session while a user is interacting with your website.

Traditional fraud detection that relies on IP addresses might need to be adjusted to ensure legitimate users aren’t impacted. Your server can recognize traffic from Private Relay by using the above list of Private Relay IP addresses or by checking how it’s categorized by your geo IP database provider. Most providers annotate the IP addresses’ Organization field as “iCloud Private Relay”, so you can recognize them on your servers. Other relevant fields may include: “is_relay”, “is_hosting”, “privacy_service”, or “privacy_proxy”. Understanding these fields and adjusting your server’s logic to take them into account is a first step toward supporting Private Relay users. Consider treating these addresses like larger carrier-grade NAT or enterprise IP addresses to better account for this type of traffic, since many Private Relay users may be assigned to a single relay IP address.

IP addresses are often used in systems to prevent traffic from overloading servers. Common mitigations include CAPTCHAs or blocking traffic altogether. Every Apple device running iOS 16, iPadOS 16, or macOS Monterey and later supports Private Access Tokens, which provide an alternative that protects your servers while giving legitimate users a friction-free experience. Built on the Privacy Pass standard, Private Access Tokens help servers identify HTTP requests from legitimate devices and users without compromising their identity or personal information. This can help websites improve user experience and respect user privacy, while helping to protect their servers from abuse.

Learn more about Automatic Verification

Learn more about how to adopt Private Access Tokens

Apply to become a Private Access Token issuer via Apple Business Register

Additional resources