Google Cloud Functions offers the service at a great affordable price but it has missing pieces like protecting from DDoS and Rate Limiting.

It's very tough to go public with out protecting the product from abuse as at some point down the line we may get unexpected volumes of requests leading to huge bills!

Solutions i'm aware but seems not effective

Cloud Endpoints : Can be used for rate limiting but the pricing part is way more higher than the cloud functions pricing. Instead of using Endpoints, it looks like it better to handle in cloud functions as endpoints have the same problems.

Cloud Armour : No friendly pricing plans and a starter.

Questions

• Is it fine if I add Cloud Flare to handle the DDoS attacks? Does it add any extra latency to the Rest API services?
• Does having a reverse proxy for rate limiting and DDoS shield work? At what level of traffic I need to upgrade the reverse proxy server (Nginx) to make sure its scalable? I know it beats the purpose of serverless functions as i'm limited by the reverse proxy performance but I don't see any other alternative If i go with this.

I would like to know what measures you guys follow to protect serverless functions from abuse.