In addition to the DOS attack protection mentioned in @rudolph1024's answer it is now possible to enable a fully-featured firewall (still beta, recently released) to protect your GAE application.
From App Engine firewall:
The App Engine firewall enables you to control access to your App
Engine app through a set of rules that can either allow or deny
requests from the specified ranges of IP addresses.
Create a firewall to:
Allow only traffic from within a specific network
Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only
the range of IP addresses from within your company's private network
during your app's testing phase. You can then create and modify your
firewall rules to control the scope of access throughout your release
process, allowing only certain organizations, either within your
company or externally, to access your app as it makes its way to
public availability.
Allow only traffic from a specific service
Ensure that all the traffic to your App Engine app is first proxied through a specific service. For example, if you use a
third-party Web Application Firewall (WAF) to proxy requests directed
at your app, you can create firewall rules to deny all requests except
those that are forwarded from your WAF.
Block abusive IP addresses
While Google Cloud Platform has many mechanisms in place to prevent the various attacks, you can use the App Engine firewall as
another mechanism to block traffic to your app from IP addresses that
present malicious intent.
You should use the App Engine firewall as your primary option for
shielding your app from denial of service attacks or similar forms of
abuse. You can blacklist IP addresses or subnets so that requests
routed from those addresses and subnets are denied before they reach
your App Engine app.
For details about creating rules and configuring your firewall, see
Controlling App Access with Firewalls.
The firewall appears to be intended to replace the DOS protection. From Denial of service (DoS) protection service:
Tip: You should instead use the App Engine firewall for reliable protection as well as the improved features, access, and
management through the Cloud Platform Console, gcloud command-line
tool, and Admin API.
You still need to collect the IP ranges for the country in your particular case, to configure the firewall.
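An added example, not part of the original answer or of Google's documentation: once the country's IP ranges are collected, merging adjacent and overlapping CIDR blocks keeps the number of firewall rules down before they are turned into `gcloud app firewall-rules` commands. The sample ranges (documentation-only address blocks), the starting priority of 1000, the step of 10 and the `country-allow` description are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample input: documentation-only ranges standing in for the
# country allocation list you would collect from a registry or GeoIP source.
SAMPLE_RANGES = """
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
2001:db8::/33
2001:db8:8000::/33
"""

def parse_ranges(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def collapse(nets):
    """Merge adjacent/overlapping blocks; IPv4 and IPv6 are collapsed separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def gcloud_commands(nets, action="allow", start=1000, step=10, label="country-allow"):
    """Emit one create command per range. For an allow-list, the default rule is
    switched to deny last, so the allow rules already exist when it takes effect."""
    cmds = []
    for i, net in enumerate(nets):
        cmds.append(" ".join([
            "gcloud app firewall-rules create", str(start + i * step),
            "--action=" + action,
            "--source-range=" + shlex.quote(str(net)),
            "--description=" + shlex.quote(label),
        ]))
    if action == "allow":
        cmds.append("gcloud app firewall-rules update default --action=deny")
    return cmds

if __name__ == "__main__":
    for cmd in gcloud_commands(collapse(parse_ranges(SAMPLE_RANGES))):
        print(cmd)
```

Review the printed commands before running them; rules are evaluated in priority order, lowest number first, and the default rule applies only when nothing else matches.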