nanog mailing list archives

RE: Imperva / Apple Private Relay issues


From: Robert Schoneman via NANOG <nanog () nanog org>
Date: Wed, 21 Sep 2022 13:56:41 +0000

I've tested accessing one of our sites that uses Imperva WAF w/ DDOS protection enabled from an iPhone w/ Apple Private 
Relay turned on. I experienced no issues but only have that single test to go on.  

-----Original Message-----
From: NANOG <nanog-bounces+rschoneman=blumenthalarts.org () nanog org> On Behalf Of Lyndon Nerenberg (VE7TFX/VE6BBM)
Sent: Thursday, September 15, 2022 3:09 PM
To: nanog () nanog org
Subject: Imperva / Apple Private Relay issues

We have been receiving a steady stream of calls from customers complaining they cannot reach our websites when they 
have Apple's Private Relay enabled.

For those in the dark, Private Relay sends (only) Safari connections through an assortment of CDNs to anonymize the 
client's IP address.

What we are seeing is that, more often than not, connections to our public servers that route through Imperva's DDoS 
service do not go through.  When we look on the uplink interfaces on our firewalls, there is nothing from those 
addresses.  But connections to other hosts in the same cage, but which bypass Imperva, connect fine.

We've opened a ticket, but thus far Imperva's support team has been unhelpful.  What I'm wondering is if anyone else is 
seeing similar behaviour with their Imperva-protected hosts.  A quick way to test is to turn on Private Relay on an 
iPhone (System Preferences -> iCloud -> iCloud -> Private Relay) and then try connecting to a web service hosted behind 
Imperva's DDoS service.  For our servers, not all the connections fail, but a large percentage do, and it's definitely 
tied to the proxy address you get assigned (verified using whatismyip.com).  We are seeing failures on connections 
relayed through both Cloudflare and Akamai.  Apple could be using other CDNs as well, but those are the two we have 
specifically identified as having unusable addresses.

--lyndon
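Added example (editor's code, not from either message in this thread): a small script to make Lyndon's test repeatable. Since, as noted above, only Safari traffic rides the relay, a script cannot generate the relayed connections itself; instead you record each Safari attempt as a (egress IP as reported by whatismyip.com, reached or not) pair and the script tallies failures per Private Relay egress prefix, so the "tied to the proxy address" hypothesis can be checked against a published list of relay ranges. Apple publishes its egress ranges as a CSV (prefix,country,region,city,) at https://mask-api.icloud.com/egress-ip-ranges.csv; the ranges and trial results embedded below are constructed stand-ins in that layout, not real measurements.

```python
"""Tally Private Relay test results per egress prefix (added example, not from the thread)."""
import csv
import io
import ipaddress
from collections import defaultdict

# CONSTRUCTED sample in the layout of Apple's published egress-range CSV
# (prefix,country,region,city,). Replace with the real file from
# https://mask-api.icloud.com/egress-ip-ranges.csv before drawing conclusions.
SAMPLE_EGRESS_CSV = """\
104.28.0.0/22,CA,CA-BC,Vancouver,
172.224.224.0/24,CA,CA-BC,Vancouver,
2a04:4e42:600::/48,CA,CA-BC,Vancouver,
"""

# CONSTRUCTED trials: (egress IP shown by whatismyip.com in Safari, site reached?).
# 198.51.100.23 (TEST-NET-2) stands in for a direct, non-relayed client.
SAMPLE_TRIALS = [
    ("104.28.1.17", False),
    ("104.28.2.200", False),
    ("172.224.224.9", True),
    ("172.224.224.77", True),
    ("104.28.3.5", True),
    ("2a04:4e42:600::1a", False),
    ("198.51.100.23", True),
]


def load_egress_ranges(text):
    """Parse the egress CSV into ip_network objects (first column only)."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        if row and row[0].strip():
            nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
    return nets


def relay_prefix_for(ip, nets):
    """Return the published egress prefix containing ip, or None if ip is not a relay egress."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:  # version mismatch simply yields False
            return net
    return None


def tally(trials, nets):
    """Return {prefix: (failures, total)}; non-relay addresses fall under 'not-private-relay'."""
    counts = defaultdict(lambda: [0, 0])
    for egress_ip, reached in trials:
        net = relay_prefix_for(egress_ip, nets)
        key = str(net) if net is not None else "not-private-relay"
        counts[key][1] += 1
        if not reached:
            counts[key][0] += 1
    return {k: tuple(v) for k, v in counts.items()}


def suspect_prefixes(summary, threshold=0.5):
    """Relay prefixes whose failure rate is at or above threshold, sorted."""
    return sorted(
        prefix
        for prefix, (failures, total) in summary.items()
        if prefix != "not-private-relay" and total and failures / total >= threshold
    )


if __name__ == "__main__":
    nets = load_egress_ranges(SAMPLE_EGRESS_CSV)
    summary = tally(SAMPLE_TRIALS, nets)
    for prefix, (failures, total) in sorted(summary.items()):
        print(f"{prefix:24s} {failures}/{total} failed")
    print("suspect egress prefixes:", ", ".join(suspect_prefixes(summary)) or "none")
```

Once a prefix shows up as suspect, the prefix string (rather than an individual address) is what to hand Imperva support, since the owning CDN's range is what their DDoS filtering would be acting on.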

