For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel
encryption method for encrypting the
data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more
encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the
data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical
overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the
data messages exchanged between the GVMs of one
logical network differently than the data messages exchanged between the GVMs of another
logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce
encryption rules in response to dynamically detected events, such as
malware infections.