Set up a G Suite host name whitelist

When you are setting up G Suite, you need to whitelist some host names so that the G Suite APIs work correctly.


  • This information is subject to change without notice. 
  • For product-specific information about APIs, refer to the help center content for that product.

Step 1: Open connectivity ports

Open the following ports:

Port                    Purpose
TCP port 443 (HTTPS)    Access the main URLs for authentication and API calls
TCP port 80 (HTTP)      Allow CRL and OCSP checks (Step 4 below)


  • Depending on your setup and the application, you might need to enable additional rules.
  • If you're using a Microsoft® Windows® client, you might need to enable these rules on a per-application basis. Refer to your Microsoft documentation for details.

Step 2: Whitelist the URLs

Top-level URLs

Whitelist the following URLs for G Suite APIs:

Purpose URL

For more information, see Using OAuth 2.0 for Web Server Applications.
Main API entry point https://*
(where * is any string not containing a period)
Email In addition to the main API entry point:
Contacts and Global Address List (GAL)
G Suite Admin Settings API
Accounts and sign ins


Note: You might also want to whitelist which can be used to check the HTTP status code (204). 

Optional URLs for additional control

For additional control, you can whitelist the following URLs:

Purpose URL
Additional authentication URLs

You might not need all these URLs, depending on your setup.
Google Calendar API
Google Contacts API
Global Address List (GAL)
G Suite Admin SDK > Domain Shared Contacts API
Gmail > Gmail API
Google Drive APIs
Tasks API
G Suite Admin SDK > Groups Migration API
G Suite Admin SDK > Data Transfer API
G Suite Admin SDK > Directory API
G Suite Admin SDK > Reports API
Google Drive Activity API
Google Classroom API
G Suite Admin SDK > Groups Settings API
G Suite Admin SDK > Enterprise License Manager API
People API
Google+ API
Google Sheets API
Google Slides API

Step 3: Review Google IP address ranges

Review how to find Google IP address ranges. The Google IP addresses can be used by any of the Google URLs specified in step 2.

You can also test the connection from the G Suite Toolbox.

Step 4: Allow checks

CRL check

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. These certificates should not be trusted.

CRLs are usually published at an HTTP (not HTTPS) URL on the CA website. The CRL distribution points are listed in the certificate's X509v3 extension details.

Here are the current CRL distribution points that are in use for Google services:


For details, see Google Internet Authority G2.

OCSP check

The Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.
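Because the CRL and OCSP URLs are carried in the certificate itself, the hosts to allow on TCP port 80 can be read from the certificate a server presents. The Python sketch below is an added example, not part of the original help page; the function names are illustrative and the host names in the sample certificate are constructed placeholders.

```python
import socket
import ssl
from urllib.parse import urlsplit

def peer_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate as the dict from ssl getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def revocation_endpoints(cert):
    """Return sorted (kind, host, port, scheme) tuples for the CRL and OCSP URLs."""
    found = set()
    for kind, key in (("CRL", "crlDistributionPoints"), ("OCSP", "OCSP")):
        for url in cert.get(key, ()):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue  # e.g. ldap:// distribution points need separate rules
            port = parts.port or (443 if parts.scheme == "https" else 80)
            found.add((kind, parts.hostname, port, parts.scheme))
    return sorted(found)

def egress_rules(cert):
    """Collapse the endpoints into the (host, port) pairs a firewall must allow."""
    return sorted({(host, port) for _, host, port, _ in revocation_endpoints(cert)})

# Constructed sample in the shape returned by getpeercert(); hosts are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "OCSP": ("http://ocsp.ca.example.test/leaf",),
    "caIssuers": ("http://pki.ca.example.test/issuer.crt",),  # not a revocation check
    "crlDistributionPoints": (
        "http://crl.ca.example.test/leaf.crl",
        "ldap://directory.ca.example.test/cn=CRL",   # skipped: not HTTP(S)
        "http://CRL.ca.example.test:8080/alt.crl",   # non-default port
    ),
}

if __name__ == "__main__":
    for kind, host, port, scheme in revocation_endpoints(SAMPLE_CERT):
        print(f"{kind:4} {scheme}://{host} -> allow TCP {port}")
```

Calling revocation_endpoints(peer_cert(host)) against a live host covers only the leaf certificate; intermediate certificates carry their own CRL and OCSP URLs and need the same check.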

Here are the current OCSP distribution points that are in use for Google services:

