Outbound IP Addresses for App Engine services

Outbound services, such as the URL Fetch, Sockets and Mail APIs, make use of a large pool of IP addresses. The IP address ranges in this pool are subject to routine changes. In fact, two sequential API calls from the same application may appear to originate from two different IP addresses.

To find the current ranges of IP addresses that App Engine uses for outbound traffic, do the following:

  1. In a command shell, enter the following command:
    nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8

    The response contains all of the current _cloud-netblocks for App Engine. For example:

    Non-authoritative answer:
    _cloud-netblocks.googleusercontent.com  text = "v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com include:_cloud-netblocks3.googleusercontent.com include:_cloud-netblocks4.googleusercontent.com include:_cloud-netblocks5.googleusercontent.com ?all"

    These results are not static. When you enter the command, you may see more or fewer netblocks than the example above.

  2. For each netblock listed in the response, enter the following query:
    nslookup -q=TXT netblock-name 8.8.8.8

    For example, if the previous query returned five netblocks, you would make the following five queries:

    nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 8.8.8.8
    nslookup -q=TXT _cloud-netblocks2.googleusercontent.com 8.8.8.8
    nslookup -q=TXT _cloud-netblocks3.googleusercontent.com 8.8.8.8
    nslookup -q=TXT _cloud-netblocks4.googleusercontent.com 8.8.8.8
    nslookup -q=TXT _cloud-netblocks5.googleusercontent.com 8.8.8.8

Each query of a specific netblock returns an IP range that you can use for App Engine outgoing traffic. For example, the query of _cloud-netblocks1 above could return the following:

Non-authoritative answer:
_cloud-netblocks1.googleusercontent.com text = "v=spf1 include:_cloud-netblocks6.googleusercontent.com include:_cloud-netblocks7.googleusercontent.com ip6:2600:1900::/35 ip4:8.34.208.0/20 ip4:8.35.192.0/21 ip4:8.35.200.0/23 ip4:23.236.48.0/20 ip4:23.251.128.0/19 ip4:34.64.0.0/11 ip4:34.96.0.0/14 ?all"

From this example, we see that both the 8.34.208.0/20 and 8.35.192.0/21 IP ranges can be used for App Engine traffic. Other queries for any additional netblocks may return additional IP ranges.

Note that using static IP address filtering is not considered a safe and effective means of protection. For example, an attacker could set up a malicious App Engine app which could share the same IP address range as your application. Instead, we suggest that you take a defense in depth approach using OAuth and Certs.