One problem that arises in data centers that virtually or physically host large numbers of applications or systems for a diverse set of customers is providing network isolation for the systems operated by or on behalf of each customer. The isolation should allow communications between a customer's own systems (if desired by the customer) while restricting undesired communications to those systems from other systems.