Network security policies typically are implemented using methods such as Access Control Lists (ACLs) that depend on identifying target hosts by network characteristics, such as Internet Protocol (IP) addresses. In a virtualized environment, virtual machines may be created and moved dynamically, and network security policies are added/changed/deleted to match a particular virtual machine's current role and network characteristics as defined by the owner of the virtual machine. Some virtualized environments allow users to configure custom tags to provide information about virtual machines, but the values of the tags are typically only accessible through the management platform of the virtual machines. Other virtualized environments allow a security gateway to retrieve a limited set of fixed attributes of virtual machines, but do not allow the virtual machines to define custom attributes.