Not really; those are exactly the sort of config settings you'd sensibly use to prevent someone from DDoSing your untrusted prototype-level infrastructure.
If your VMs are truly cheap, and you've ironed out the kinks from your proof-of-concept, you'd obviously set up your production system to run more than 16 of them.
Right, and who decides that a request coming from a customer ot an attacker? If the attacker can generate enough requests non of the customers have a chance to use your service. This is absolutely not the way to handle DDoS.
My point was that it's a sensible strategy for the demo of a technology that's still under development (like this project), where you don't actually have any "customers." In production, you'd let it scale unboundedly, and combine it with some sort of anti-DDoS technology like Cloudflare.
If your VMs are truly cheap, and you've ironed out the kinks from your proof-of-concept, you'd obviously set up your production system to run more than 16 of them.