If you're on a network where you use deep HTTPS inspection you'll likely find some Google services do not operate correctly. I've found they don't like being inspected (I'm guessing Chrome / ChromeOS checks for a known certificate, and dislikes the SSL inspection MiTM cert) so here's a list of required exceptions. Chromebooks may also not allow a user to sign in for the first time, and installing Android apps from the Play store may also fail without these.
It took a lot of searching online and in my logs to find these, so hopefully they'll help you. Note - these may not all be needed but I sadly don't have time to pin point each one. I've listed some explicitly, despite them being included in wildcard domains.
This list is subject to change, without warning from Google.