Edit: Apologies, I've edited my question to be more focused on one clear answerable question.
Dear all this may seem like an obvious question but I cant seem to find any clear answers on stack exchange or online.
My goal: I am an entrepreneur without any indepth knowledge of coding and have hired a developer to build my MVP using google firebase which hosts the back-end server for my website posting platform. I want to mitigate against DDOS attacks before I deploy the final version so that I protect myself against unintended usage costs.
My understanding:
After reading around, I built a diagram for myself of the various mitigations I could find online against DDOS. The way I understand it is below 
The first layer Is using cloudfare/cloudfront to block DDOS attacks from coming in (unathenticated users).
The second layer is having secure rules in firebase authentication against unauthenticated users & also having limit queries on the rules to avoid authenticated users from refreshing continuously and thus racking up a huge bill (see here answer here by MIke M on November 27th 2017 https://groups.google.com/g/firebase-talk/c/Kj9WmhjkFrQ)
The third layer is setting load balancing, quota limits and rate limits on the google cloud firebase functions.
I have no firebase functions: All the backend data is being stored in firebase realtime database. I checked my google cloud functions for this project and there aren’t any listed. However the website is functioning fine when I used test google accounts for authentication.
My Query
- Because my website doesn’t have any google cloud functions enabled does that mean that the mitigations against DDOS that use Google cloud are irrelevant? Specifically load balancing, quota limits and rate limits.
Appreciate your help with these.
J