Cloudflare explains how Apple’s iCloud Private Relay feature works

Apple’s partner for iCloud Private Relay lays out how this privacy feature in iOS 15 works to let you browse the internet more securely and privately.

Three iPhone screenshots showing the iCloud Private Relay entry in iCloud settings (left), a splash screen for the feature (middle) and the IP address location settings (right)

Tell me how iCloud Private Relay works

iCloud Private Relay is a privacy service from Apple that routes all traffic in Safari through a pair of separate internet relays, one operated by Apple and one operated by a third party, which prevents your ISP and other parties from seeing things such as websites you visit.

Cloudflare, one of the third parties Apple uses for iCloud Private Relay, has now published some interesting details regarding how iCloud Private Relay works. As explained in Cloudflare’s blog post, the feature leverages encryption and modern transport mechanisms to relay internet traffic.

  • The user’s original IP address is visible to the access network (e.g. the coffee shop you’re sitting in, or your home ISP) and the first relay (operated by Apple), but the server or website name is encrypted and not visible to either.
  • The first relay hands encrypted data to a second relay (e.g. Cloudflare) but is unable to see “inside” the traffic to Cloudflare.
  • Cloudflare-operated relays know only that they are receiving traffic from a Private Relay user, but not specifically who the user is or their client IP address. Cloudflare relays then forward traffic on to the destination server.

Relaying traffic should slow down your web browsing speed, no?

According to Cloudflare, that’s not the case. Quite the opposite: iCloud Private Relay can “result in significant, measured decreases in page load time.” This means that “increased privacy does not come at the price of reduced performance.” However, due to the system’s design, some features and websites may not always work as expected.

Can you illustrate how iCloud Private Relay works?

Say you open the iDownloadBlog website in Safari. With iCloud Private Relay turned on, encrypted traffic is sent from your iPhone to Apple’s servers. Apple then relays traffic through partner infrastructure before sending the original request to our website. This ensures that neither Apple nor an external partner has complete information about both your IP address and the website you’re visiting.

A diagram provided by Cloudflare illustrating how Apple's privacy-enhancing iCloud Private Relay feature works
Connection metadata is split between two relays, labeled “Ingress Proxy” and “Egress Proxy” | Image credit: Cloudflare
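
The split described in the bullet list and in the diagram above can be modelled with two nested encryption layers. This is an added conceptual example in Python, not Apple's or Cloudflare's code and not the real protocol; the keys, IP address and hostname are constructed, and the cipher is a stand-in built from SHA-256 and HMAC.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Stand-in cipher for the demo (SHA-256 counter keystream); use a real AEAD in practice.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return _xor_stream(key, nonce, ct)

def relay_request(client_ip, destination, ingress_key, egress_key):
    """Return what each party on the path can observe for one request."""
    # Client wraps the destination for the egress relay, then wraps that for the ingress relay.
    inner = seal(egress_key, json.dumps({"destination": destination}).encode())
    outer = seal(ingress_key, inner)
    views = {"access_network": {"client_ip": client_ip, "payload": outer}}
    # Ingress relay: knows the client IP, strips its own layer, forwards an opaque blob.
    forwarded = unseal(ingress_key, outer)
    views["ingress_relay"] = {"client_ip": client_ip, "payload": forwarded}
    # Egress relay: its peer is the ingress relay, so it never sees the client IP.
    request = json.loads(unseal(egress_key, forwarded))
    views["egress_relay"] = {"peer": "ingress-relay", "destination": request["destination"]}
    return views

def can_read(key, payload):
    # True only if this key opens the payload (the authentication tag verifies).
    try:
        unseal(key, payload)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ik, ek = os.urandom(32), os.urandom(32)                      # constructed per-relay keys
    v = relay_request("203.0.113.7", "www.example.com", ik, ek)  # constructed inputs
    for party, seen in v.items():
        print(party, {k: (x if isinstance(x, str) else f"<{len(x)} bytes>") for k, x in seen.items()})
```

Running it prints one line per party: the access network and the ingress relay hold the client IP plus ciphertext they cannot open, while the egress relay holds the destination and only the ingress relay as its peer.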

System requirements for iCloud Private Relay

iCloud Private Relay is available on these devices:

  • iPhones using iOS 15 and later
  • iPads using iPadOS 15 and later
  • Macs using macOS Monterey 12 and later

iCloud Private Relay requires an iCloud+ subscription. To learn more about this feature, read the “iCloud Private Relay Overview” whitepaper on Apple’s website.