I have a static website hosted in Firebase. I can attach a custom domain to it fine. I would like to restrict access to my site to a certain range of IPs.

I am aware that in GCP Google Cloud Armor can do this. But Cloud Armor only works with a Load Balancer and the load balancer routes traffic only to GCP VMs.(not to a Firebase hosted site)

In AWS, there is a Web Application Firewall that lets you do IP Filtering.

I see GCP has provided links to 3rd Party partners here: https://cloud.google.com/security/partners/

But my question is what is the best and easiest way to whitelist IPs for a static website hosted in Firebase?

Web sites on Firebase Hosting are accessible to everyone. There is no way to block certain users, or IP ranges, from accessing them

Because Firebase is PaaS service, there is no such thing like firewall. By Firebase launch checklist

There are only two kind of protection you can do:

Protect By Authenication

Add whitelisting for your domains to prevent unauthorized usage.

• Whitelist your production domain for browser API keys and client IDs in the Google Developer Console.
• Whitelist your production domain in the Auth tab of the Firebase console panel.

Protect your data

Because any client can connect to any Firebase, you must write security rules to secure your data.So according to this document Firebase security, it will show you how to secure your web by secure who can access database.

This blog Firebase Security & Rules is also a good reference to learn how to secure your Firebase.

Hope this will help you