A customer is deploying a 3-tier internal web application on Google Cloud Platform (GCP). Their internal compliance mandates that end-user access is permitted only for traffic originating from a specific, approved CIDR block. The customer is willing to accept the risk of having only SYN flood DDoS protection and intends to use GCP's native capability for this.

Which GCP product should be used to fulfill these requirements?