Until now, developers couldn't easily restrict access to their applications on the service to only a small set of IP addresses or address ranges for testing, for example. Instead, they had to hard-code a similar solution into their applications and - because those requests would still hit their applications in some form - even those rejected requests would still incur costs.
Now, they'll be able to use the Google Cloud Console, App Engine Admin API or even the gcloud command-line tool to set up access restrictions that block or allow specific IP addresses. Because the firewall obviously sits in front of the application, rejected requests never touch the application and App Engine never needs to spin up an idle resource only to then reject the request.
For the most part, there are no surprises in how the App Engine firewall works. You set your rules, order them by priority and you're good to go.
App Engine already offered a denial of service protection service that allowed developers to blacklist IP addresses and subnets, but with the launch of this new firewall into beta, Google recommends that developers use the App Engine firewall for protection.
App Engine was probably a bit ahead of its time. Because it forced developers into a completely new model, it never caught on while more traditional virtual machine-based services like AWS's EC2 thrived. Now, however, thanks to the popularity of containers, microservices and serverless platforms, the App Engine model doesn't feel quite as unusual anymore and chances are that we will see Google invest a bit more into the service again.