To ensure end-user access is only allowed if the traffic originates from a specific known good CIDR and to utilize GCP's native SYN flood protection, you can use the following product:

VPC Firewall Rules: By configuring VPC firewall rules, you can control traffic to and from your instances based on IP address, protocol, and port. You can set rules to only allow traffic from a specific CIDR block, ensuring that only authorized traffic can reach your application.

Additionally, Google Cloud Platform provides built-in protections against SYN flood attacks, which are a type of DDoS attack. These protections are part of the underlying infrastructure and do not require additional configuration.

Using VPC firewall rules will help you comply with the internal requirement of allowing access only from a specific CIDR and provide the necessary SYN flood DDoS protection.

References

Google Cloud VPC Firewall Rules

Google Cloud DDoS Protection