Score:4

shutting down gcloud service in case of DDoS attacks

My company has a small and nice product on Google Cloud (using a public webapp, functions and storage).

I've been searching for hours for a solution like a kill switch for services in case of any threat or attack on any of the services. I've found that we can define max instances for each cloud function, which is somewhat cool and prevents many threats.

But the main problem is Cloud Storage. Files on buckets are public and I don't know which solution is better to restrict download requests to the bucket. One of them is that we create a new function (with max instances defined) and stream download requests from there to the webapp; in this case the bucket can be private. But after some cost estimations (a streaming function will be involved in each download) it appeared that it may cost a lot, since the product has a map with custom tiles and the webapp requests around 16 image files at once on init.

After thinking about different solutions, the only way I can see to prevent DDoS attacks is to monitor the usage and shut down services (especially the storage service) at once, to have time to track the issue and fix it.

But Google Cloud doesn't offer anything like this, at least I can't find it: something that brings the whole project (or part of it) into maintenance mode and rejects all requests. I can add a config for each function execution or storage download and turn it off whenever I want, but I think Google Cloud still counts those requests and bills my boss.

Is there anybody who knows a good solution? Scenarios in my mind are like:

  1. multiple IPs continuously request downloads of files in the bucket (~200 dn/s) for hours
  2. multiple IPs try to invoke functions just to keep instances live and interrupt real users' connections

I'm wondering if there is any way (instead of a custom way) to restrict each IP to a max of 2000 requests per day.

Score:0

Google has mechanisms in place to protect its cloud infrastructure and its production services. The Google Cloud infrastructure itself has an additional layer of DDoS protection which it uses to defend against large-scale attacks. You can take different approaches to serve non-public content from GCS to your end users.

One of them is using Google Cloud Armor for DDoS defense. Google Cloud Armor is deeply connected to the global load balancing infrastructure, which allows it to inspect incoming traffic and recognize and dissipate incoming DDoS attacks.

To enable DDoS protection on your project, you can enable managed protection in the GCP UI, under Cloud Armor. Please refer to this documentation for more details on DDoS mitigation on Cloud Armor.

Secondly, here are some additional steps you can take to prevent denial-of-service attacks on Cloud Storage: try to isolate your internal traffic from external data; you can enable DDoS protection by enabling proxy-based load balancing; secure the deployment using network firewall rules and Identity and Access Management; protect Google Cloud Storage. I would also recommend you have a look at the documentation on retention policies and retention policy locks.

Also, to check the feature to have restrictions on each IP to a certain number of requests per day, check out this useful documentation, and have a look at this blog on how Google has proven it protected against a layer 7 DDoS attack for more information.
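As an added example (not part of the answer above, and not Google's own sample), here is a Terraform definition of the Cloud Armor setup the answer describes: Adaptive Protection (the managed protection toggle) plus a per-client-IP rate-based ban, which is the closest Cloud Armor gets to the per-IP limit the question asks for. The policy name and the backend service it attaches to are placeholders, and the policy only covers traffic that reaches the app through an external HTTP(S) load balancer.

```hcl
# Added example, not from the thread. Names are placeholders; the backend
# service "webapp-backend" is assumed to front the web app / functions.

resource "google_compute_security_policy" "ddos_kill_switch" {
  name        = "per-ip-rate-limit"
  description = "Per-client-IP rate limit and ban, plus managed L7 DDoS defense"

  # Managed protection: Adaptive Protection baselines normal traffic and
  # flags layer 7 floods (the toggle the answer refers to in the Cloud Armor UI).
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }

  # Rule 1: a client IP that sends more than 600 requests in 60 s gets
  # HTTP 429 and is banned for 10 minutes. Cloud Armor thresholds are
  # expressed per short interval, not per day, so a "2000/day" quota is
  # approximated with a per-minute ceiling plus a ban window.
  rule {
    action      = "rate_based_ban"
    priority    = 1000
    description = "Ban IPs that flood the app"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action   = "allow"
      exceed_action    = "deny(429)"
      enforce_on_key   = "IP"
      ban_duration_sec = 600
      rate_limit_threshold {
        count        = 600
        interval_sec = 60
      }
    }
  }

  # Default rule (lowest priority, required): allow everything else.
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# Attach the policy to the load-balancer backend service that fronts the app
# (the backend service itself is assumed to be defined elsewhere):
#   security_policy = google_compute_security_policy.ddos_kill_switch.self_link
```

Because the policy sits at the load balancer, public bucket downloads that bypass the load balancer are not covered; the answer's suggestion of serving the bucket through proxy-based load balancing is what brings that traffic under the same policy.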
