A first encryption key associated with a first tenant is created. The first encryption key is configured in a host where a virtual machine associated with the first tenant is executing, the host including a network interface controller configured to have a virtual network interface function, the virtual network interface function executing on the host and being associated with the virtual machine of the first tenant. The virtual network interface function is caused to bind the first encryption key to the virtual machine of the first tenant. The virtual network interface function is caused to encrypt outgoing network traffic of the first tenant using the first encryption key. The virtual network interface function is caused to decrypt incoming network traffic for the first tenant using the first encryption key.