
Generate a current list of CIDR ranges covering public Google APIs and services.

magnetikonline/google-api-cidr-list

Google API CIDR list

Script to generate a current list of CIDR ranges covering public Google APIs and services, such as Bigtable, Pub/Sub and Cloud Storage. IPv4 addresses are extracted from the TXT record for _spf.google.com, as outlined in the Google Cloud Platform VPC documentation.

Overview

The DNS record is walked recursively, following include: directives, although at the time of writing (September 2018) the SPF rules only run two records deep. For simplicity, DNS queries are performed by calls to dig.
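The recursive walk described above, as an added sketch that is not the repository's own code. It assumes a lookup callable in place of the dig call, and the record names and ranges in SAMPLE_TXT are constructed (documentation address space). Because the output feeds route tables and firewall rules, each ip4: value is validated and include: loops are cut.

```python
import ipaddress

# Constructed TXT records standing in for dig output (not Google's real data).
SAMPLE_TXT = {
    "_spf.example.test":
        "v=spf1 include:_netblocks.example.test include:_netblocks2.example.test ~all",
    "_netblocks.example.test":
        "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.0/25 ip6:2001:db8::/32 ~all",
    # Loops back to the root and repeats a range; both cases must be handled.
    "_netblocks2.example.test":
        "v=spf1 include:_spf.example.test ip4:192.0.2.0/25 ip4:203.0.113.7 ~all",
}

MAX_DEPTH = 10  # assumed safety cap on include: nesting


def walk_spf(name, lookup, seen=None, depth=0):
    """Return the set of IPv4 networks reachable from name via include:."""
    seen = set() if seen is None else seen
    name = name.lower().rstrip(".")
    if name in seen:  # already visited: break include: loops
        return set()
    if depth > MAX_DEPTH:
        raise RuntimeError("include: chain too deep at " + name)
    seen.add(name)
    record = lookup(name)
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record: " + name)
    networks = set()
    for term in record.split()[1:]:
        mechanism, _, value = term.partition(":")
        if mechanism == "include":
            networks |= walk_spf(value, lookup, seen, depth + 1)
        elif mechanism == "ip4":
            # strict=True rejects host bits set under the mask (e.g. 10.0.0.1/24)
            networks.add(ipaddress.IPv4Network(value, strict=True))
        # ip6:, all and other mechanisms are ignored: IPv4 ranges only
    return networks


def cidr_list(root, lookup):
    """De-duplicated CIDR strings, sorted by network address."""
    return [str(net) for net in sorted(walk_spf(root, lookup))]


if __name__ == "__main__":
    print("\n".join(cidr_list("_spf.example.test", SAMPLE_TXT.__getitem__)))
```

A bare address such as 203.0.113.7 is emitted as a /32, and a malformed range raises instead of reaching a firewall rule.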

Practical uses for this list:

  • Define route tables that give GCP instances without public IP addresses Internet access via a NAT gateway, plus optimized Google API access through private VPC access.
  • Define firewall rules that allow instance egress only to Google APIs.

Usage

$ ./googleapicidrlist.py
108.177.8.0/21
108.177.96.0/19
130.211.0.0/22
172.217.0.0/19
...

Tests

Tests via test/googleapicidrlist.py.
