Protecting against DDos is the job of a WAF.
A good way to solve this is with Cloud Armor, using Apigee X.
With Cloud Armor, you can configure rate limits at the network edge. Requests will be permitted only if they fall under the rate limit.
Apigee X runs in the Google cloud and inherently is protected against DDoS by the Google network Edge, even if you do not use Cloud Armor. Cloud Armor gives you additional flexibility in that you can configure your own custom rules to be enforced at that edge.
One final note: a DDoS attack by definition does not original from a single IP address. You asked “How to restrict IP within a period of time”. That’s not how DDoS protection works.