In addition to the DOS attack protection mentioned in @rudolph1024's answer it is now possible to enable a fully-featured firewall (still beta, recently released) to protect your GAE application.

From App Engine firewall:

The App Engine firewall enables you to control access to your App Engine app through a set of rules that can either allow or deny requests from the specified ranges of IP addresses.

Create a firewall to:

• Allow only traffic from within a specific network

  Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only the range of IP addresses from within your company's private network during your app's testing phase. You can then create and modify your firewall rules to control the scope of access throughout your release process, allowing only certain organizations, either within your company or externally, to access your app as it makes it's way to public availability.

• Allow only traffic from a specific service

  Ensure that all the traffic to your App Engine app is first proxied through a specific service. For example, if you use a third-party Web Application Firewall (WAF) to proxy requests directed at your app, you can create firewall rules to deny all requests except those that are forwarded from your WAF.

• Block abusive IP addresses

  While Google Cloud Platform has many mechanisms in place to prevent the various attacks, you can use the App Engine firewall as another mechanism to block traffic to your app from IP addresses that present malicious intent.

  You should use the App Engine firewall as your primary option for shielding your app from denial of service attacks or similar forms of abuse. You can blacklist IP addresses or subnets so that requests routed from those addresses and subnets are denied before it reaches your App Engine app.

For details about creating rules and configuring your firewall, see Controlling App Access with Firewalls.

The firewall appears to be intended to replace the DOS protection. From Denial of service (DoS) protection service:

Tip: You should instead use the App Engine firewall for reliable protection as well as the improved features, access, and management through the Cloud Platform Console, gcloud command-line tool, and Admin API.

You still need to collect the IP ranges for the country in your particular case, to configure the firewall.

You can use the dos.yaml file to blacklist subnets. You create a dos.yaml file in the root directory of your application and then block IPs or entire subnets as specified here. Note that this file is limited to a maximum of 100 entries.

Once you have a list of country subnets which you wish to block (which you could obtain from a list like this or this), you can populate the dos.yaml file manually. Alternatively, you can use a script like this one to populate the file.