
DDOS in Cloud Run


I am currently running two containers on Cloud Run for my web app (React and Node.js). I have been looking into how to prevent my apps from DDOS. Any suggestions?


Solution

    1. Most GCP services sit behind Google Front End which mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc. I believe it's also the case for Cloud Run but don't have information to confirm that. You can enable HTTP(S) Load Balancing or SSL proxy Load Balancing as it provides this mechanism.

    2. Regarding payments due to increased traffic, the best way to solve that is to set API rate-limiting and Resource Quotas.

    3. Google Cloud Armor

    4. If possible you should isolate your internal traffic from the external world.
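
An application-level rate limit of the kind point 2 mentions, written as an added example for a Node.js service (it is not code from the original answer): a per-client token bucket usable as Express-style middleware. The names `createRateLimiter` and `trustedHops` are hypothetical, and the example assumes the fronting proxy appends the client address to `X-Forwarded-For`; check which entry is trustworthy for your own deployment.

```javascript
// Added example: per-client token-bucket rate limiter with no dependencies.
// State is in process memory, so every Cloud Run instance enforces its own
// limit; a global limit would need a shared store.
function createRateLimiter({ capacity, refillPerSec, trustedHops = 0,
                             maxClients = 10000, now = () => Date.now() }) {
  const buckets = new Map(); // client key -> { tokens, last }

  function take(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b) {
      // Bound memory use: drop the oldest-inserted client when the table is full.
      if (buckets.size >= maxClients) buckets.delete(buckets.keys().next().value);
      b = { tokens: capacity, last: t };
      buckets.set(key, b);
    }
    // Refill in proportion to elapsed time, never above capacity.
    b.tokens = Math.min(capacity, b.tokens + ((t - b.last) / 1000) * refillPerSec);
    b.last = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, retryAfterSec: 0 };
    }
    return { allowed: false, retryAfterSec: Math.ceil((1 - b.tokens) / refillPerSec) };
  }

  // Assumption: trusted proxies append to X-Forwarded-For, so the client address
  // sits `trustedHops` entries before the end. Earlier entries are client-supplied
  // and must not be used as the key.
  function clientKey(req) {
    const xff = String(req.headers['x-forwarded-for'] || '')
      .split(',').map((s) => s.trim()).filter(Boolean);
    const idx = xff.length - 1 - trustedHops;
    if (idx >= 0) return xff[idx];
    return (req.socket && req.socket.remoteAddress) || 'unknown';
  }

  function middleware(req, res, next) {
    const result = take(clientKey(req));
    if (result.allowed) return next();
    res.statusCode = 429;
    res.setHeader('Retry-After', String(result.retryAfterSec));
    res.end('Too Many Requests');
  }

  return { take, clientKey, middleware };
}
```

With Express this would be mounted as `app.use(createRateLimiter({ capacity: 20, refillPerSec: 5 }).middleware)`; the numbers are placeholders to tune against real traffic.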