Imperva / Apple Private Relay issues

Wed Sep 21 13:56:41 UTC 2022

I've tested accessing one of our sites that uses Imperva WAF w/ DDOS protection enabled from an iPhone w/ Apple Private Relay turned on. I experienced no issues but only have that single test to go on.  

-----Original Message-----
From: NANOG <nanog-bounces+rschoneman=blumenthalarts.org at nanog.org> On Behalf Of Lyndon Nerenberg (VE7TFX/VE6BBM)
Sent: Thursday, September 15, 2022 3:09 PM
To: nanog at nanog.org
Subject: Imperva / Apple Private Relay issues

We have been receiving a steady stream of calls from customers complaining they cannot reach our websites when they have Apple's Private Relay enabled.

For those in the dark, Private Relay sends (only) Safari connections through an assortment of CDNs to anonymize the client's IP address.

What we are seeing is that, more often than not, connections to our public servers that route through Imperva's DDoS service do not go through.  When we look on the uplink interfaces on our firewalls, there is nothing from those addresses.  But connections to other hosts in the same cage, but which bypass Imperva, connect fine.

We've opened a ticket, but thus far Imperva's support team has been unhelpful.  What I'm wondering is if anyone else is seeing similar behaviour with their Imperva-protected hosts.  A quick way to test is to turn on Private Relay on an iPhone (System Preferences -> iCloud -> iCloud -> Private Relay) and then try connecting to a web service hosted behind Imperva's DDoS service.  For our servers, not all the connections fail, but a large percentage do, and it's definitely tied to the proxy address you get assigned (verified using whatismyip.com).  We are seeing failures on connections relayed through both Cloudflare and Akamai.  Apple could be using other CDNs as well, but those are the two we have specifically identified as having unusable addresses.

--lyndon