If you're on a network where you use deep HTTPS inspection, you'll likely find some Google services do not operate correctly. I've found they don't like being inspected (I'm guessing Chrome / ChromeOS checks for a known certificate, and dislikes the SSL inspection MiTM cert), so here's a list of required exceptions. Chromebooks may also not allow a user to sign in for the first time, and installing Android apps from the Play Store may also fail without these.

It took a lot of searching online and in my logs to find these, so hopefully they'll help you. Note: these may not all be needed, but I sadly don't have time to pinpoint each one. I've listed some explicitly, despite them being included in wildcard domains.

  • *.ggpht.com
  • *.google.com
  • *.googleapis.com
  • *.googleusercontent.com
  • *.gstatic.com
  • *.gvt1.com
  • *.gvt2.com
  • android.clients.google.com
  • beacons.gcp.gvt2.com
  • notifications.google.com
  • phonedeviceverification-pa-prod.sandbox.googleapis.com
  • play.googleapis.com
  • update.googleapis.com

This list is subject to change without warning from Google.
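
To check hostnames from proxy logs against the list above, and to see which explicit entries a wildcard already covers, here is an added example (not part of the original post). It assumes `*.` stands for one or more whole labels; confirm how your inspection product interprets wildcards, and note the sample hostnames are constructed.

```python
# Added example: exception list copied from the post above.
EXCEPTIONS = [
    "*.ggpht.com", "*.google.com", "*.googleapis.com",
    "*.googleusercontent.com", "*.gstatic.com", "*.gvt1.com", "*.gvt2.com",
    "android.clients.google.com", "beacons.gcp.gvt2.com",
    "notifications.google.com",
    "phonedeviceverification-pa-prod.sandbox.googleapis.com",
    "play.googleapis.com", "update.googleapis.com",
]

def normalize(host):
    """Lower-case and drop a trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")

def matches(pattern, host):
    """True if host is covered by pattern.

    Assumption: '*.' stands for one or more whole labels, so '*.google.com'
    covers 'a.b.google.com' but not 'google.com' or 'notgoogle.com'.
    """
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".google.com" keeps the label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def bypass_rule(host, rules=EXCEPTIONS):
    """Return the first rule that exempts host from inspection, else None."""
    return next((r for r in rules if matches(r, host)), None)

def redundant_entries(rules=EXCEPTIONS):
    """Explicit hostnames already covered by a wildcard in the same list."""
    wildcards = [r for r in rules if r.startswith("*.")]
    return {r: bypass_rule(r, wildcards)
            for r in rules if not r.startswith("*.") and bypass_rule(r, wildcards)}

if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a proxy log.
    for h in ["play.googleapis.com", "Clients4.Google.com.", "google.com",
              "notgoogle.com", "www.google.com.example.net"]:
        print(f"{h:32} -> {bypass_rule(h) or 'INSPECT'}")
    print("covered by a wildcard:", sorted(redundant_entries()))
```

Under this assumption the bare domain `google.com` is not matched by `*.google.com`, and a lookalike such as `www.google.com.example.net` stays subject to inspection because matching is anchored at the end of the name on a label boundary.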