Cloudflare with my API


I would like to ask you what is the best way protect against HTTP flood my API?
I know Rate Limit is good but it not prevents bots from different IPs.
WAF is good for this? It will not harm the real users?

Thanks for your answer.