Use an SSL based Load Balancer

This restricts you to either the HTTPs Global Load Balancer or SSL Proxy

Use a Cloud CDN

Cloud CDNs send requests all over the world to different PoPs. This mitigates DDoS attacks.

Do NOT use Public IPs on your Compute Engine VMs

It is straightforward to deploy instances without Public IPs - and still be able to access them via the Load balancer (or other front end).