In early 2025, Cloudflare mitigated a 5.6Tbps DDoS Attack.

https://www.infosecurity-magazine.com/news/cloudflare-mitigates-record/

Your server, exposed to the internet via your home, office, colo, or datacenter, cannot handle DDoS attacks, period.

First, if the destination becomes unavailable for any reason (the web server is overloaded, the firewall cannot handle the load, your anti-DDoS hardware falls over, the 1 Gbps ISP circuit is saturated, or the ISP black-holes your IPs somewhere upstream to keep the rest of its infrastructure online), your site is down: they win, you lost.

The only way to defend against a modern DDoS attack is to expose your server only through a cloud-hosted service such as Google, AWS, Cloudflare, Akamai, F5 Silverline (now XC), etc. These are purpose-built, globally distributed infrastructures designed to detect and block the attacks at the SOURCE, which shields the destination server and its supporting infrastructure from the attack.

If you allow Cloudflare to host your DNS, you get access to their entire free-tier level of products, including DDoS protection, WAF, and even their Zero Trust capabilities. (For up to 50 users, I think?!)

You can either (a) point Cloudflare at your server's external IP and configure your firewall rule to ONLY permit traffic from Cloudflare, or (b) install cloudflared (the tunnel agent) on your server, or somewhere within your infrastructure, and have Cloudflare forward all traffic to your internal server over the tunnel. In scenario (b), you eliminate the need for your server to be exposed to the internet at all: no inbound NAT, no inbound firewall rules, no attack surface.
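Option (a) only works if the allowlist is exact and kept current: anyone who finds the origin IP can bypass Cloudflare entirely unless every other source is dropped. The following is an added example, not code from the original post or from Cloudflare. It builds an nftables allowlist from a list of Cloudflare ranges and offers a check function you can run against observed source addresses. The ranges embedded below are a constructed sample for the example; the live lists are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and should be refetched whenever you regenerate the ruleset. The table and set names are assumptions.

```python
"""Generate an origin-server inbound allowlist for traffic relayed by Cloudflare.

Added example (not the post's or Cloudflare's code). The CIDR sample below is
constructed for illustration; refresh it from Cloudflare's published lists.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of relay ranges. Replace with the live lists from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
SAMPLE_CF_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
    "2400:cb00::/32",
]


def parse_ranges(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDR strings strictly so a typo like 104.16.1.0/13 is rejected
    instead of silently widening or narrowing the allowlist."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]


def is_allowed_source(src_ip: str, nets: List[Net]) -> bool:
    """True if src_ip falls inside one of the relay ranges.

    Useful for auditing firewall logs: any accepted connection whose source is
    not in the list means the allowlist is stale or the origin IP has leaked."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in nets)


def nftables_ruleset(nets: List[Net], ports=(80, 443), table_name="origin_filter") -> str:
    """Render an nftables ruleset (assumed table/set names) that drops every
    inbound connection except those from the relay ranges to the listed ports.

    Policy is drop, so management access (SSH etc.) must come over the tunnel
    or a separate explicit rule; that is deliberate for an origin that should
    never be reachable directly from the internet."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    ports_str = ", ".join(str(p) for p in ports)

    lines = [f"table inet {table_name} {{"]
    # nftables rejects an empty element list, so only emit sets that have members.
    if v4:
        lines.append("    set cf_v4 { type ipv4_addr; flags interval; elements = { "
                     + ", ".join(v4) + " } }")
    if v6:
        lines.append("    set cf_v6 { type ipv6_addr; flags interval; elements = { "
                     + ", ".join(v6) + " } }")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
    ]
    if v4:
        lines.append(f"        ip saddr @cf_v4 tcp dport {{ {ports_str} }} accept")
    if v6:
        lines.append(f"        ip6 saddr @cf_v6 tcp dport {{ {ports_str} }} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_CF_RANGES)
    print(nftables_ruleset(nets))
    for probe in ("104.16.1.1", "8.8.8.8"):
        print(probe, "allowed" if is_allowed_source(probe, nets) else "dropped")
```

Load the output with `nft -f`, and re-run the generator from a scheduled job so the allowlist tracks the published ranges; a stale list either breaks the site or quietly lets non-relay traffic through.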

Also, if someone has been targeting you, they already know IP addresses that land on your infrastructure. Even if they can no longer reach your web server (or API server) directly, they can still easily target and overload the rest of your infrastructure, which will result in an outage because Cloudflare (or whoever) won't be able to get traffic to you.