DP to APIGEE Migration

Hello,

We are migrating proxies from DataPower to APIGEE. I have multiple questions on migration.

1. In Data Power there is an option to delay error messages which is used to prevent attackers from using error messages to discover the plaintext data. When enabled, the appliance will manipulate error messages to avoid revealing internal cryptographic states.

Does APIGEE have any similar functionality?

2. When utilizing the each-ip aggregate addressing policy, the system organizes the counts per address by the addresses most recently used. When too many distinct counts have been observed, the addresses not seen in the longest time are discarded. The Maximum Distinct Sources parameter specifies how many distinct addresses are tracked.

Can we configure Maximum Distinct Sources from a particular IP?

3. How to configure frontend timeout?


Is there a way to delay error messages on APIGEE?

What do you mean? Explain using more than 8 words, please.

How to configure Maximum Distinct Sources from IP and ALL?

What are you talking about? Can you provide some additional context for this question?

How to configure frontend timeout?

https://docs.apigee.com/private-cloud/v4.18.01/configure-router-timeout

Thanks for your response. Updated required info.

1. In Data Power there is an option to delay error messages which is used to prevent attackers from using error messages to discover the plaintext data. When enabled, the appliance will manipulate error messages to avoid revealing internal cryptographic states.

Apigee Edge does not have an out-of-the-box feature to delay error messages, or any messages. I read up a little on the delay-errors feature of DataPower and here's what I think:

  • It is possible to add a randomized or standard delay to a response from Apigee Edge, via a custom Java callout or a Python script. This would prevent the remote timing attack.
  • It is also possible in Apigee Edge to introduce customized error messages or responses, and even to randomize those.

2. When utilizing the each-ip aggregate addressing policy, the system organizes the counts per address by the addresses most recently used. When too many distinct counts have been observed, the addresses not seen in the longest time are discarded. The Maximum Distinct Sources parameter specifies how many distinct addresses are tracked.

Can we configure Maximum Distinct Sources from a particular IP?

I think the "Maximum Distinct Sources" is the maximum number of IP addresses to track. It's not the "maximum (anything) from a particular IP". I think what you want is to be able to restrict (rate limit) the number of inbound calls from each particular IP address. And the answer to that is YES, Apigee Edge has a flexible rate limiting capability that can be applied on a per-IP address basis. You do not need to set "Maximum Distinct Sources" in Apigee Edge in order to get this kind of rate limiting.


3. How to configure frontend timeout?

https://docs.apigee.com/private-cloud/v4.18.01/configure-router-timeout
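
The difference drawn in the answer above between how many addresses are tracked and how many calls one address may make, as an added Python sketch that is not DataPower or Apigee code. The class, its parameters, the fixed 60-second window and the sample traffic are all constructed for illustration.

```python
from collections import OrderedDict


class PerSourceLimiter:
    """Fixed-window per-IP counter with a bounded, LRU-evicted tracking table.

    max_sources plays the role of "Maximum Distinct Sources": it caps how many
    addresses are tracked. limit is the separate per-address call allowance.
    """

    def __init__(self, limit, window_s, max_sources):
        self.limit = limit
        self.window_s = window_s
        self.max_sources = max_sources
        self.table = OrderedDict()  # ip -> [window_start, count], oldest first
        self.evictions = 0

    def allow(self, ip, now):
        entry = self.table.get(ip)
        if entry is None or now - entry[0] >= self.window_s:
            entry = [now, 0]  # unseen (or evicted) source, or expired window
        entry[1] += 1
        self.table[ip] = entry
        self.table.move_to_end(ip)  # mark as most recently used
        while len(self.table) > self.max_sources:
            self.table.popitem(last=False)  # discard the least recently seen
            self.evictions += 1
        return entry[1] <= self.limit


def replay(limiter, events):
    """Run (timestamp, ip) events through the limiter; return the rejected ones."""
    return [(t, ip) for t, ip in events if not limiter.allow(ip, t)]


# Constructed sample traffic using documentation addresses (RFC 5737).
SAMPLE = [(0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"),
          (3, "198.51.100.7"), (4, "203.0.113.5"), (5, "192.0.2.10"),
          (61, "198.51.100.7")]

if __name__ == "__main__":
    for size in (2, 10):
        lim = PerSourceLimiter(limit=2, window_s=60, max_sources=size)
        print(size, "rejected:", replay(lim, SAMPLE), "evictions:", lim.evictions)
```

With a table of 2 the first address is evicted and its count restarts, so the same traffic produces fewer rejections than with a table of 10; the table has to be sized for the number of distinct clients expected.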