Systems and methods for network address translation
US-2017214652-A1 · Jul 27, 2017 · US
US10469287B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10469287-B2 |
| Application number | US-201715793336-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 25, 2017 |
| Priority date | Oct 25, 2017 |
| Publication date | Nov 5, 2019 |
| Grant date | Nov 5, 2019 |
Official abstract text for this publication.
Described herein are systems, methods, and software to enhance gateway security for multiple communication groups. In one implementation, a method of operating a gateway service includes identifying a data packet received from a first computing system, wherein the data packet comprises a first destination port value. The method further includes identifying a group identifier within the data packet, wherein the group identifier is associated with a communication group of the plurality of communication groups, translating the first destination port value to a second destination port value based on the group identifier, and forwarding the data packet with the translated second destination port value.
Opening claim text (preview).
What is claimed is:
1. A computing apparatus comprising: one or more non-transitory computer readable storage media; a processing system communicatively coupled to the one or more non-transitory computer readable storage media; and program instructions stored on the one or more non-transitory computer readable storage media to provide a gateway service for a plurality of communication groups that, when read and executed by the processing system, direct the processing system to at least: identify a data packet received from a first computing system, wherein the data packet comprises a first destination port value; identify a group identifier within the data packet, wherein the group identifier is associated with a communication group of the plurality of communication groups; translate the first destination port value to a second destination port value based on the group identifier; replace the first destination port value with the second destination port value in the data packet; and forward the data packet with the second destination port value to a gateway associated with the communication group; wherein the data packet comprises an encrypted portion and a non-encrypted portion, wherein the non-encrypted portion comprises at least the first destination port and the group identifier, wherein the non-encrypted portion further includes supplemental decryption information to decrypt the encrypted portion of the data packet, wherein the supplemental decryption information comprises an encrypted portion length, a sequence number for the network packet, a keyed-hash message authentication code (HMAC), a peer identifier (peerID), an initialization vector (IV) and a seed.
2. The computing apparatus of claim 1, wherein the program instructions further direct the processing system to execute a plurality of gateways each associated with a different communication group of the plurality of communication groups.
3. The computing apparatus of claim 1, wherein the encrypted portion comprises a data payload for an application on the first computing system and private addressing information for an overlay network associated with the application.
4. The computing apparatus of claim 3, wherein the private addressing information comprises a private destination internet protocol address associated with a destination application on a second computing system, and a destination port associated with the destination application.
5. The computing apparatus of claim 1, wherein the program instructions further direct the processing system to: identify a second data packet received from a second computing system, wherein the second data packet comprises the first destination port value; identify a second group identifier within the second data packet, wherein the second group identifier is associated with a second communication group of the plurality of communication groups; translate the first destination port value to a third destination port value based on the group identifier; replace the first destination port value with the third destination port value in the second data packet; and forward the second data packet with the third destination port value to a second gateway associated with the communication group.
6. A method of operating a gateway service for a plurality of communication groups, the method comprising: identifying a data packet received from a first computing system, wherein the data packet comprises a first destination port value; identifying a group identifier within the data packet, wherein the group identifier is associated with a communication group of the plurality of communication groups; translating the first destination port value to a second destination port value based on the group identifier; replacing the first destination port value with the second destination port value in the data packet; and forwarding the data packet with the second destination port value to a gateway associated with the communication group; wherein the data packet comprises an encrypted portion and a non-encrypted portion, wherein the non-encrypted portion comprises at least the first destination port and the group identifier, wherein the non-encrypted portion further includes supplemental decryption information to decrypt the encrypted portion of the data packet, wherein the supplemental decryption information comprises an encrypted portion length, a sequence number for the network packet, a keyed-hash message authentication code (HMAC), a peer identifier (peerID), an initialization vector (IV) and a seed.
7. The method of claim 6, further comprising executing a plurality of gateways each associated with a different communication group of the plurality of communication groups.
8. The method of claim 6, wherein the encrypted portion comprises a data payload for an application on the first computing system and private addressing information for an overlay network associated with the application.
9. The method of claim 8, wherein the private addressing information comprises a private destination internet protocol address associated with a destination application on a second computing system, and a destination port associated with the destination application.
10. The method of claim 6, further comprising: identifying a second data packet received from a second computing system, wherein the second data packet comprises the first destination port value; identifying a second group identifier within the second data packet, wherein the second group identifier is associated with a second communication group of the plurality of communication groups; translating the first destination port value to a third destination port value based on the group identifier; replacing the first destination port value with the third destination port value in the second data packet; and forwarding the second data packet with the third destination port value to a second gateway associated with the communication group.
11. An apparatus comprising: one or more non-transitory computer readable storage media; and program instructions stored on the one or more non-transitory computer readable storage media to provide a gateway service for a plurality of communication groups that, when read and executed by a processing system, direct the processing system to at least: identify a data packet received from a first computing system, wherein the data packet comprises a first destination port value; identify a group identifier within the data packet, wherein the group identifier is associated with a communication group of the plurality of communication groups; translate the first destination port value to a second destination port value based on the group identifier; replace the first destination port value with the second destination port value in the data packet; and forward the data packet with the second destination port value to a gateway associated with the communication group; wherein the data packet comprises an encrypted portion and a non-encrypted portion, wherein the non-encrypted portion comprises at least the first destination port and the group identifier, wherein the non-encrypted portion further includes supplemental decryption information to decrypt the encrypted portion of the data packet, wherein the supplemental decryption information comprises an encrypted portion length, a sequence number for the network packet, a keyed-hash message authentication code (HMAC), a peer identifier (peerID), an initialization vector (IV) and a seed.
Virtual LANs, VLANs, e.g. virtual private networks [VPN] (LAN interconnection over a bridge based backbone H04L12/462; encapsulation techniques H04L12/4633; routing of packets H04L45/00; packet switches H04L49/00; virtual private networks for security H04L63/0272) · CPC title
between local and global IP addresses · CPC title
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
using port numbers · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title