You can combine firewall rules (based on source & destination IP addresses, ports and protocols) into groups (also known as “security groups” in cloud jargon) and apply those groups into your servers. If you make any changes to these rules, your changes will propagate to all of your servers instantly. Also, the denied traffic won’t even show up to your servers’ network interfaces.
Take snapshots of on-demand images of VMs and volumes, enable backups for automatic weekly VM images, and upload custom images to create VMs with other operating systems or pre-packaged libraries. All these aspects will help you roll back to an original server configuration if need be.