Best way to enable DDoS protection on many individual GCP compute instances without load balancing?

I've been scouring through the Google Cloud Armor docs for information about DDoS protection of a GCP compute VM instance. From what I've found, Google Cloud Armor Managed Protection provides traditional DDoS protection (perhaps layer 3 and layer 4), and it must be attached to a load balancer. Additionally, Google Cloud Armor Adaptive Protection provides layer 7 protection via machine-learning-based anomaly detection in network traffic, and it must be applied via a Google Cloud Armor security policy which in-turn must be attached to a load balancer.

But load balancers are associated with an instance group rather than a single VM instance, and they're intended for autoscaling instances (e.g. based on an instance template), rather than for a single VM instance. I'm running several independent stateful server applications (each in their own VM instance) in which autoscaling is not really an option.

I could define a one-instance instance group (i.e. with autoscaling rules set to spawn exactly 1 instance). However, I have multiple individual VM instances that I want DDoS protection on, so I'd need an instance group for each one of these, and a load balancer for each instance group. This would get very expensive very quickly.

A more practical option would be to set up a single auto-scaled instance group attached to a load balancer to simply serve as a reverse proxy for all of the other servers, which are accessed internally within a common VPC. That reverse proxy could be attached to a load balancer and provided DDoS protection as the single point of entry.

But it seems strange to me that load balancing is required for DDoS protection on GCP to begin with. After all, AWS shield does not require a load balancer to take effect. Am I missing something?

Edit:

I'm building a hosting platform for various specific targeted applications. Each client will either have their own VM instance or share a VM instance with one or two other clients. Most of the targeted applications are not web apps, but rather just TCP/UDP-enabled applications (some of them are game servers, for instance). They're stateful applications, and more importantly they tend to require sustaining all connections in a single instance simultaneously, so scaling beyond a single instance is generally not viable. Additionally, GCP load balancer pricing implements a large base price for the first five forwarding rules, and so having each instance behind its own load balancer is not much of an option. For some of these applications, DoS attacks are of particular concern.

Google Cloud Platform provides a number of features to defend against DDoS attacks. You can use these in conjunction with the below mentioned best practices and other measures tailored to your requirements to make your GCP deployment resilient to DDoS attacks.

Reduce the attack surface for your GCE deployment

○ Provision your own isolated and secure piece of the Google Cloud with Google Cloud Virtual Network.​

○ Isolate and secure your deployment using subnetworks and networks, firewall rules, tags and Identity and Access Management (IAM).

○ Open access to ports and protocols that you need using firewall rules and/or p​rotocol forwarding.​

○ GCP provides anti-spoofing protection for the private network (IP addresses) by default.

○ GCP automatically provides isolation between virtual networks.

Isolate your internal traffic from the external world

○ Deploy instances without public IPs unless necessary.

○ You can set up a NAT gateway or SSH bastion to limit the number of instances that are exposed to the internet.

Deploy third-party DDoS protection solutions

○ In order to meet your specific needs of protection for DDoS attack prevention/mitigation, consider purchasing specialized third-party DDoS protection solutions to protect against such attacks.

○ You can also deploy DDoS solutions available via G​oogle Cloud Launcher.

I left you the reference Best Practices for DDoS Protection and Mitigation on Google Cloud Platform