I have set up a simple API on API Gateway and restricted access to it via API keys. Now, if a user calls the API with a missing/invalid key, would that count towards billing (https://cloud.google.com/api-gateway/pricing)?
In the console dashboards, I can see unauthenticated requests showing up in 4xx errors and overall request count, so it looks like they are being counted towards billing. If so, how can I protect my API against attacks where a malicious user bombards it with unauthenticated requests to increase my bill?
On the other hand, if they are not counted, how can I view my current billed usage (like which pricing tier: 0-2M, 2M-1B, 1B+ I am in)? In Billing reports, it just shows the cost, which is 0 right now.