Describe how you would implement rate limiting at the API gateway level to protect backend services from denial-of-service issues.