How does a datacenter protect itself from IP change by the hosted servers?

Public cloud providers usually use some form of Port Security to protect against this.

This means that only traffic with the allocated IP + MAC address pair(s) will be allowed onto the network.

For virtualized servers, this security is usually applied on the physical host (i.e. the one hosting the virtualized server).

For bare-metal hosting, this security may be applied to the physical switch(es).

For reference, consider OpenStack's anti-spoofing implementation: https://www.packetflow.co.uk/openstack-neutron-port-security-explained/