I have one Cloud Function (Firebase function) which is publicly accessible, and I would like to rate limit this function with the help of Google Cloud Armor.
However, this does not seem to be as trivial a task as I thought; I could not find much documentation on setting up something like this.
This document illustrates exactly what I need but does not provide any guidance on setting this up for a Cloud Function.
When I try to add a Cloud Armor policy in the GCP console, I cannot even add a target.
I am on the Standard (not Managed Protection Plus) plan, but I think this should be fine.
Cloud Armor is a WAF (Web Application Firewall) that filters traffic at the application level of the OSI layers. It's not a rate limiter or authentication layer.
For that you need to add an API management layer that allows you to authenticate and rate limit the API. API Gateway can do that, but only based on an API key. If the user doesn't use an API key, it's a common pool that is rate limited, and a spammer can create an unavailability of the service by consuming all the quotas every time.
Apigee is the other solution, but it's enterprise grade (with an enterprise-grade billing plan).
Or, if it's for protecting your money, you can limit the number of function instances thanks to the great answer of Kunal Deo.
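
The common-pool behaviour described in the answer above, modelled as an added example (not part of the original answer, and not API Gateway's actual implementation). It assumes a fixed-window quota keyed by API key; the class name, bucket name, limits and traffic are all constructed for illustration.

```javascript
// Added illustration: a fixed-window quota keyed by API key, with keyless
// callers sharing one pool. Limits and key names are constructed.
const ANON_POOL = "__anonymous__"; // hypothetical bucket name for keyless traffic

class QuotaLimiter {
  constructor(limitPerWindow, windowMs) {
    this.limit = limitPerWindow;
    this.windowMs = windowMs;
    this.buckets = new Map(); // bucket id -> { windowStart, count }
  }

  // Returns true if the request is admitted, false if its bucket is exhausted.
  allow(apiKey, nowMs) {
    const id = apiKey || ANON_POOL; // no key: fall into the common pool
    let b = this.buckets.get(id);
    if (!b || nowMs - b.windowStart >= this.windowMs) {
      b = { windowStart: nowMs, count: 0 }; // new window resets the counter
      this.buckets.set(id, b);
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// Constructed traffic: one keyless client sends 500 requests in a window
// that allows 100, then three other callers each send one request.
function simulate() {
  const limiter = new QuotaLimiter(100, 60_000);
  let t = 0;
  let floodAdmitted = 0;
  for (let i = 0; i < 500; i++) {
    if (limiter.allow(null, t++)) floodAdmitted++;
  }
  return {
    floodAdmitted,
    keylessVisitor: limiter.allow(undefined, t++),  // shares the drained pool
    keyedClient: limiter.allow("key-A", t++),       // has its own bucket
    keylessNextWindow: limiter.allow(null, 60_000), // pool resets next window
  };
}

console.log(simulate());
```

A legitimate keyless caller is rejected for the rest of the window, while the keyed client is unaffected, which is why the quota only isolates callers when every caller presents a key.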