Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies a requirement that the application receive data traffic from sources external to the virtual infrastructure. Based on the application definition, the method defines a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure. For an existing second set of higher-level firewall rules for data traffic entering and exiting the virtual infrastructure, the method specifies a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules to any data traffic that is from sources external to the virtual infrastructure and directed to the application.