I am in a catch-22 situation. I have to make a few APIs publicly available for my desktop application. To save cost I have to stick to SERVERLESS Azure Functions.
To make it easier to understand, let's assume I can only pay for 100 API calls per day. I know people will be able to figure out my Azure Function API and key, and there can be a malicious user who can bombard it with millions of requests, which will have a huge impact on my bill.
So how do I protect against this situation so that in no case will I be billed for more than 100 calls?
Some links told me to put it behind an API management service, so I explored Azure API Management and AWS API Gateway. With AWS API Gateway we can throttle as per our need and it issues 429 Too Many Requests to the client, BUT I READ somewhere that even if it sends a 429 Too Many Requests response, it will be counted as ONE VALID call, and this way it will not solve my problem of only being able to PAY for 100 calls. Even though API Management will not call my backend API as it will be throttled, it will still be billed against usage.
Can someone guide me on how to solve this problem? So far I have tried Azure Functions, Azure API Management and AWS API Gateway.
To add further, I can only go for the SERVERLESS, CONSUMPTION PLAN to save my initial cost, because other plans come at a fixed cost which I can't afford for now until I start getting customers.