Either you use the Google Front End (I mean you require a Google Authentication: an account (people or people inside a Google group or a GSuite organization, or a service account) authorised to invoke the function on the project. And the filter is performed by Google and you don’t have to set up a proxy application

OR, you check the auth directly and here you need to filter by yourself. In serverless mode, it exists Cloud Endpoint but not really designed for DDoS attack, and soon another solutions that I can’t share today here (I’m under NDA).