US10484302B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10484302-B2 |
| Application number | US-201615253833-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 31, 2016 |
| Priority date | Aug 27, 2016 |
| Publication date | Nov 19, 2019 |
| Grant date | Nov 19, 2019 |
Official abstract text for this publication.
Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN), that operates on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with a first network address provided by a management system of the datacenter, and executes (i) a workload application and (ii) a managed forwarding element (MFE). The method distributes configuration data for configuring the MFE to receive data packets sent from the workload application on the DCN and perform network security and forwarding processing on the data packets. The data packets sent by the workload application have a second network address as a source address when received by the MFE and are encapsulated by the MFE using the first network address.
Opening claim text (preview).
We claim:

1. A method for a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, the method comprising: identifying a data compute node, that operates on a host machine in the datacenter, to attach to the logical network, the data compute node having a network interface with a first network address provided by a management system of the datacenter, wherein the data compute node executes (i) a workload application and (ii) a managed forwarding element, wherein the host machine executes a forwarding element, to which the network controller does not have access, outside of the data compute node; and distributing configuration data for configuring the managed forwarding element to receive data packets sent from the workload application on the data compute node and perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have a second network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the first network address provided by the management system of the datacenter before being transmitted from the data compute node to the forwarding element executing on the host machine to which the network controller does not have access.

2. The method of claim 1, wherein the second network address is mapped to a logical port of a logical switch to which the data compute node is logically attached, wherein the logical switch is one of a plurality of logical forwarding elements of the logical network.

3. The method of claim 1, wherein the managed forwarding element is a flow-based software forwarding element.

4. The method of claim 1, wherein the managed forwarding element comprises a first bridge that connects via an internal port to the workload application and a second bridge that connects to the network interface of the data compute node, wherein the first bridge is configured to perform network security processing and logical forwarding on data packets sent to and from the workload application.

5. The method of claim 4, wherein the logical forwarding comprises: applying forwarding rules for at least one logical switch to identify a logical egress port for each data packet; and applying forwarding rules for a logical router.

6. The method of claim 1, wherein the managed forwarding element comprises a first bridge that connects via an internal port to the workload application and a second bridge that connects to the network interface of the data compute node, wherein the first bridge is configured to receive a data packet from the workload application, identify a logical egress port for the data packet, encapsulate the data packet and send the encapsulated data packet to a virtual tunnel endpoint (VTEP) of the second bridge.

7. The method of claim 6, wherein the data packet is received from the workload application via a first network stack associated with the second network address, wherein the first network address is used as the source network address for an encapsulation header applied by the first bridge, wherein the encapsulated data packet is sent to the VTEP of the second bridge via a second network stack associated with the first network address.

8. The method of claim 6, wherein the second bridge is configured to send incoming packets encapsulated with the first network address as a destination address to an overlay port of the first bridge via the VTEP, wherein the first bridge is configured to decapsulate the incoming packets received via the overlay port.

9. The method of claim 8, wherein the incoming packets encapsulated with the first network address as a destination address are received by the data compute node from the forwarding element executing on the host machine to which the network controller does not have access.

10. The method of claim 1, wherein the workload application is a first workload application and the data compute node is a first data compute node, wherein data packets sent by the workload application to a second workload application executing on a second data compute node in the datacenter are encapsulated and transmitted out of the data compute node network interface to the forwarding element executing on the host machine to which the network controller does not have access, wherein the forwarding element executing on the host machine to which the network controller does not have access is controlled by the datacenter management system, wherein the forwarding element controlled by the datacenter management system encapsulates the outgoing data packets a second time using a third network address associated with a physical network interface of a host machine on which the data compute node operates.

11. The method of claim 1, wherein the network controller is a first network controller and the data compute node is a first data compute node, wherein identifying the first data compute node comprises receiving an attachment request from a second network controller operating on a second data compute node in the datacenter.

12. The method of claim 11, wherein the attachment request is forwarded by the second network controller after receiving an attachment request from the first data compute node.

13. The method of claim 11, wherein distributing the configuration data comprises distributing the configuration data to the second network controller, wherein the second network controller distributes the configuration data to the second data compute node.

14. A non-transitory machine readable medium storing a program which when executed by at least one processing unit implements a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, the program comprising sets of instructions for: identifying a data compute node, that operates on a host machine in the datacenter, to attach to the logical network, the data compute node having a network interface with a first network address provided by a management system of the datacenter, wherein the data compute node executes (i) a workload application and (ii) a managed forwarding element, wherein the host machine executes a forwarding element, to which the network controller does not have access, outside of the data compute node; and distributing configuration data for configuring the managed forwarding element to receive data packets sent from the workload application on the data compute node and perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have a second network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the first network address provided by the management system of the datacenter before being transmitted from the data compute node to the forwarding element executing on the host machine to which the network controller does not have access.

15. The non-transitory machine readable medium of claim 14, wherein the managed forwarding element comprises a first bridge that connects via an internal port to the workload application and a second bridge that connects to the network interface of the data compute node.

16. The non-transitory machine readable medium of claim 15, wherein the first bridge is configured to perform network security processing and logical forwarding on data packets sent to and from the wor
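As an added illustration (not text or code from the patent), a small Python model of the packet path in claims 1, 4 to 8 and 10: the first bridge applies a security rule and logical forwarding, encapsulates with the management-provided first address, the host's forwarding element adds a second header with the physical third address, and the receiving side strips both. All addresses, the logical-port table and the single port-based security rule are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Packet:          # packet as sent by the workload application
    src: str           # second (logical) network address
    dst: str
    dport: int
    payload: str

@dataclass
class Encap:           # one encapsulation header around an inner packet
    outer_src: str
    outer_dst: str
    inner: object      # Packet or another Encap

# Constructed state of the kind the network controller would distribute.
LOGICAL_PORTS = {"10.1.1.10": "lp-1", "10.1.1.20": "lp-2"}       # second addr -> logical port
DCN_MGMT_ADDR = {"lp-1": "172.16.0.5", "lp-2": "172.16.0.9"}     # logical port -> first addr
HOST_PHYS_ADDR = {"172.16.0.5": "192.0.2.1", "172.16.0.9": "192.0.2.2"}  # first -> third addr
ALLOWED_DPORTS = {443}                                          # constructed security rule

def mfe_first_bridge(pkt, local_mgmt_addr):
    """Security processing, logical egress lookup and first encapsulation (claims 4-7).
    Returns None when the packet is dropped inside the DCN, before the host FE sees it."""
    if pkt.dport not in ALLOWED_DPORTS:
        return None
    egress_port = LOGICAL_PORTS.get(pkt.dst)
    if egress_port is None:
        return None
    return Encap(local_mgmt_addr, DCN_MGMT_ADDR[egress_port], pkt)

def host_forwarding_element(encap):
    """Second encapsulation by the datacenter-managed FE the controller cannot reach (claim 10)."""
    return Encap(HOST_PHYS_ADDR[encap.outer_src], HOST_PHYS_ADDR[encap.outer_dst], encap)

def receive(outer, local_mgmt_addr):
    """Receiving host FE strips the outer header; the second bridge passes the packet to
    the first bridge's overlay port, which decapsulates only if addressed to it (claim 8)."""
    inner = outer.inner
    if inner.outer_dst != local_mgmt_addr:
        return None
    return inner.inner

def send(pkt, src_mgmt_addr, dst_mgmt_addr):
    """End-to-end path between two DCNs; returns the delivered Packet or None."""
    first = mfe_first_bridge(pkt, src_mgmt_addr)
    if first is None:
        return None
    return receive(host_forwarding_element(first), dst_mgmt_addr)
```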
Routing or path finding in a switch fabric · CPC title
by balancing the load, e.g. traffic engineering · CPC title
for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] · CPC title
Virtual switches · CPC title
for initial configuration or provisioning, e.g. plug-and-play · CPC title