In a logical network, multiple virtual computing instances (e.g., virtual machines (VMs), containers (e.g., Docker containers), data compute nodes, isolated user space instances, etc.) may be instantiated on one or more physical computing devices. Each virtual computing instance may execute one or more applications. The lifecycle of these virtual computing instances may be dynamic. For example, as needed by users of the logical network, a management server in the logical network can dynamically generate or deallocate virtual computing instances.
In certain aspects, each virtual computing instance running on a physical computing device (e.g., a host device) may be implemented by a hypervisor running on that host device. The hypervisor may further implement a firewall (e.g., in a logical switch) that enforces security rules defining, for example, the network destinations that applications executing in the virtual computing instance are allowed to communicate with, the network destinations that are blocked from communicating with the virtual computing instance, and so on. Often, multiple security policies may exist and be applied to the virtual computing instances. For example, different security policies may apply to different virtual computing instances or to different applications executing on the virtual computing instances. These security policies may be enforced as rules generated by a system administrator and applied to the appropriate virtual computing instances by the firewall.
Further, as new applications are introduced into the computing environment and deployed for execution on virtual computing instances, or as new features are enabled in already deployed applications, additional security policies may be added to the computing environment to protect the new applications and/or application features. Because of the variations in the applications deployed in the computing environment and in the policies applicable to each deployed application, a system administrator may not be able to predict which policies are applied to a given virtual computing instance.
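As an added example (not code from the original text or from any particular product), the following Python model shows how the situation described above can be made predictable: policies are selected by the tags and applications of a virtual computing instance, ordered by priority, and a destination is evaluated against the resulting effective rule set with first-match semantics and a default action. The policy names, tags, CIDRs and priority scheme are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    destination: str   # CIDR the rule matches on
    action: str        # "allow" or "block"

@dataclass
class Policy:
    name: str
    priority: int                    # lower value is evaluated first
    applies_to: frozenset            # VM tags or application names selecting this policy
    rules: list = field(default_factory=list)

@dataclass
class Instance:
    name: str
    tags: frozenset
    apps: frozenset

def effective_policies(vm, policies):
    """Policies whose selector matches any tag or application of the instance,
    ordered by priority, i.e. the rule set the firewall would actually enforce."""
    selected = [p for p in policies if p.applies_to & (vm.tags | vm.apps)]
    return sorted(selected, key=lambda p: p.priority)

def evaluate(vm, dest, policies, default="block"):
    """First-match evaluation of the effective rule set for one destination.
    Returns (action, name of the policy that decided it); unmatched traffic
    falls through to the default action."""
    addr = ip_address(dest)
    for policy in effective_policies(vm, policies):
        for rule in policy.rules:
            if addr in ip_network(rule.destination):
                return rule.action, policy.name
    return default, "default"

# Constructed sample data (hypothetical tags, applications and address ranges)
POLICIES = [
    Policy("web-tier", 10, frozenset({"web"}), [Rule("10.0.2.0/24", "allow")]),
    Policy("db-client", 20, frozenset({"postgres-client"}), [Rule("10.0.3.0/24", "allow")]),
    Policy("quarantine", 1, frozenset({"quarantined"}), [Rule("0.0.0.0/0", "block")]),
]
WEB_VM = Instance("web-01", frozenset({"web"}), frozenset({"nginx", "postgres-client"}))
BAD_VM = Instance("web-02", frozenset({"web", "quarantined"}), frozenset({"nginx"}))
```

Because the quarantine policy has the lowest priority value, it is evaluated first and overrides the allow rules that would otherwise apply to a web-tagged instance.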