Identifying configuration inconsistency in edge-based software defined networks (sdn)
US-2016112269-A1 · Apr 21, 2016 · US
US10469324B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10469324-B2 |
| Application number | US-201615359500-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 22, 2016 |
| Priority date | Nov 22, 2016 |
| Publication date | Nov 5, 2019 |
| Grant date | Nov 5, 2019 |
Abstract
A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
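The abstract describes the two encodings the service relies on: the client's virtual network becomes a set of facts, and the semantics of the networking primitives plus any security standard or client-defined rule become rules in a declarative logic language, after which a query is just a pattern matched against what the solver can derive. The following is an added illustration written for this page, not code from the patent or from any provider's service: a minimal Datalog-style fixpoint evaluator run over a constructed three-VM network. The predicate names (vm, subnet, route, igw, sg_member, sg_ingress_sg, sg_ingress_cidr), the reachability rules and the two policy rules are assumptions chosen for the example, not the patent's encoding; a real service would use a proper constraint solver and a far richer model of routes, NACLs and peering.

```python
"""Tiny Datalog engine: a virtual network description and the networking rules
are both encoded as logic (facts and Horn clauses); queries are patterns matched
against the least fixpoint. Capitalised strings are variables, all else constants."""


def is_var(term):
    return isinstance(term, str) and term[:1].isupper()


def unify(pattern, fact, env):
    """Extend bindings `env` so `pattern` matches `fact`; None if incompatible."""
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def derive(head, body, db):
    """Ground instances of `head` whose body atoms are all satisfied in `db`."""
    envs = [{}]
    for pred, *args in body:
        nxt = []
        for env in envs:
            for fact in db.get(pred, ()):
                if len(fact) == len(args):
                    e = unify(args, fact, env)
                    if e is not None:
                        nxt.append(e)
        envs = nxt
    pred, *args = head
    return {(pred, tuple(env[a] if is_var(a) else a for a in args)) for env in envs}


def solve(facts, rules):
    """Naive fixpoint: apply every rule until no new fact appears."""
    db = {}
    for pred, *args in facts:
        db.setdefault(pred, set()).add(tuple(args))
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for pred, args in derive(head, body, db):
                rel = db.setdefault(pred, set())
                if args not in rel:
                    rel.add(args)
                    changed = True
    return db


def query(db, pred, *pattern):
    """Facts of `pred` matching `pattern` (constants fixed, variables free)."""
    return sorted(f for f in db.get(pred, ())
                  if len(f) == len(pattern) and unify(pattern, f, {}) is not None)


# Constructed description of a hypothetical three-VM virtual network.
DESCRIPTION = [
    ("subnet", "sn-public", "vpc-a"), ("subnet", "sn-private", "vpc-a"),
    ("igw", "igw-a"), ("route", "sn-public", "0.0.0.0/0", "igw-a"),
    ("vm", "web1", "sn-public"), ("vm", "bastion", "sn-public"), ("vm", "db1", "sn-private"),
    ("sg_member", "web1", "sg-web"), ("sg_member", "bastion", "sg-bastion"),
    ("sg_member", "db1", "sg-db"),
    ("sg_ingress_cidr", "sg-web", 443, "0.0.0.0/0"),
    ("sg_ingress_cidr", "sg-bastion", 22, "0.0.0.0/0"),  # deliberate policy breach
    ("sg_ingress_sg", "sg-db", 5432, "sg-web"),
    ("sg_ingress_sg", "sg-db", 22, "sg-bastion"),
]

# Semantics of the primitives, one "security standard" rule, one client-defined rule.
RULES = [
    (("public_subnet", "S"), [("route", "S", "0.0.0.0/0", "G"), ("igw", "G")]),
    (("same_vpc", "A", "B"),
     [("vm", "A", "S1"), ("vm", "B", "S2"), ("subnet", "S1", "V"), ("subnet", "S2", "V")]),
    (("reachable", "Src", "Dst", "Port"),
     [("same_vpc", "Src", "Dst"), ("sg_member", "Dst", "G"),
      ("sg_ingress_sg", "G", "Port", "SrcG"), ("sg_member", "Src", "SrcG")]),
    (("internet_reachable", "Dst", "Port"),
     [("vm", "Dst", "S"), ("public_subnet", "S"), ("sg_member", "Dst", "G"),
      ("sg_ingress_cidr", "G", "Port", "0.0.0.0/0")]),
    (("violation", "ssh_open_to_internet", "Vm"), [("internet_reachable", "Vm", 22)]),
    (("violation", "db_tier_exposed", "Vm"),
     [("sg_member", "Vm", "sg-db"), ("internet_reachable", "Vm", "Port")]),
]


def verify(description=DESCRIPTION, rules=RULES):
    """Encode, solve, and answer the three kinds of query the abstract mentions."""
    db = solve(description, rules)
    return {
        "web_to_db": query(db, "reachable", "web1", "db1", "Port"),
        "who_can_ssh_db": query(db, "reachable", "Src", "db1", 22),
        "db_from_internet": query(db, "internet_reachable", "db1", "Port"),
        "violations": query(db, "violation", "Kind", "Vm"),
    }


if __name__ == "__main__":
    for name, rows in verify().items():
        print(f"{name}: {rows}")
```

Running it shows the three query shapes from the abstract: an open path (web1 reaches db1 on 5432), a "who can reach X" question (only bastion can SSH to db1), and a negative check (db1 is not internet-reachable on any port), plus one policy violation derived from the deliberately open SSH rule on the bastion. Because the rules are evaluated to a fixpoint rather than checked against a hand-written list of expected paths, adding a route or a security-group rule to the description changes the answers without changing the queries, which is the point of encoding the network as logic.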
Claims (preview)

What is claimed is:

1. A computer system including a processor coupled to a memory, the memory including instructions for a virtual network verification service that upon execution causes the system to: receive a query about a virtual network of a plurality of virtual networks from a particular client of a plurality of clients via a client device, wherein the query is expressed as a constraint problem, wherein the virtual network is instantiated for the particular client in a provider network and includes virtual machines, and wherein the provider network hosts the plurality of virtual networks for respective clients of the plurality of clients on a substrate network of the provider network; obtain rules for the particular client's virtual network, wherein one or more different rules apply to different individual ones of the plurality of virtual networks; encode the rules for the particular client's virtual network according to a declarative logic programming language to generate encoded virtual networking rules for the particular client's virtual network; and in response to the query: obtain descriptive information for the particular client's virtual network; encode the descriptive information for the particular client's virtual network according to the declarative logic programming language to generate an encoded description of the particular client's virtual network; resolve the query for the encoded description of the particular client's virtual network according to the encoded virtual networking rules using a constraint solver program, wherein the constraint solver program is configured to resolve constraint problems according to the declarative logic programming language and according to the encoded virtual networking rules; and provide results of the query resolution about the particular client's virtual network to the client device.

2. The system as recited in claim 1, wherein the memory further comprises instructions that upon execution cause the system to obtain the descriptive information from an application program interface of the provider network.

3. The system as recited in claim 1, wherein, the instructions that upon execution cause the system to obtain the descriptive information further comprise instructions that upon execution cause the system to: receive permission from the particular client to obtain the descriptive information for the particular client's virtual network from one or more provider network services; and obtain the descriptive information for the particular client's virtual network on the provider network from the one or more provider network services.

4. The system as recited in claim 1, wherein the descriptive information comprises one or more of information identifying instances of networking primitives that are implemented in the particular client's virtual network, descriptions of the virtual machines in the particular client's virtual network, descriptions of relationships among the virtual machines in the particular client's virtual network, or descriptions of interfaces to entities external to the particular client's virtual network.

5. The system as recited in claim 1, wherein the virtual networking rules for the particular client's virtual network include one or more of rules that encode virtual networking semantics and logic for networking primitives implemented in the particular client's virtual network, rules that encode one or more networking security standards, or client-defined rules that encode the client's networking requirements.

6. The system as recited in claim 1, wherein the queries are posed to verify that paths between virtual machines in the particular client's virtual network and other virtual machines in the particular client's virtual network are open, to verify that paths between virtual machines in the particular client's virtual network and one or more entities external to the particular client's virtual network are open, or to verify that virtual machines in the particular client's virtual network are not accessible by entities that should not have access to the virtual machines.

7. The system as recited in claim 1, wherein the results include one or more of a textual representation of the results of the query resolution about the particular client's virtual network or a graphical representation of the results of the query resolution about the particular client's virtual network.

8. A method, comprising: performing, by a virtual network verification service implemented by one or more devices on a provider network: receiving a query about a client's virtual network on the provider network, wherein the query expresses a constraint problem, and wherein the provider network hosts a plurality of virtual networks for respective clients of a plurality of clients; obtain rules for the client's virtual network, wherein one or more different rules apply to different individual ones of the plurality of virtual networks; encode the rules for the client's virtual network according to a declarative logic programming language to generate encoded virtual networking rules for the client's virtual network; obtaining descriptive information for the client's virtual network; encoding the descriptive information for the client's virtual network according to the declarative logic programming language to generate an encoded description of the client's virtual network; resolving the query for the encoded description of the client's virtual network according to the encoded virtual networking rules using a constraint solver engine; and providing results of the query resolution about the client's virtual network to the client.

9. The method as recited in claim 8, wherein the descriptive information is obtained from the client.

10. The method as recited in claim 8, wherein obtaining the descriptive information comprises: obtaining permission from the client to get the descriptive information for the client's virtual network from one or more provider network services; and obtaining the descriptive information for the client's virtual network on the provider network from the one or more provider network services.

11. The method as recited in claim 8, wherein the descriptive information comprises one or more of information identifying instances of networking primitives that are implemented in the client's virtual network, descriptions of virtual machines in the client's virtual network, descriptions of relationships among the virtual machines in the client's virtual network, or descriptions of interfaces to entities external to the client's virtual network.

12. The method as recited in claim 8, wherein the virtual networking rules for the client's virtual network include one or more of rules that encode virtual networking semantics and logic for networking primitives implemented in the client's virtual network, rules that encode one or more networking security standards, or client-defined rules that encode the client's networking requirements.

13. The method as recited in claim 8, further comprising receiving the rules for the client's virtual network from the client, wherein the rules for the client's virtual network include rules that specify best practices for virtual networks as defined by the client, and wherein the query is posed to verify that the client's virtual network conforms to the best practices.

14. The method as recited in claim 8, wherein the query is posed to verify that a path between a virtual machine in the client's virtual network and another virtual machine in the client's virtual network is open, to verify that a path between a virtual machine in the c
CPC classification titles

- by checking connectivity
- Network service management, e.g. ensuring proper service fulfilment according to agreements
- Virtual LANs, VLANs, e.g. virtual private networks [VPN] (LAN interconnection over a bridge based backbone H04L12/462; encapsulation techniques H04L12/4633; routing of packets H04L45/00; packet switches H04L49/00; virtual private networks for security H04L63/0272)
- based on web technology, e.g. hypertext transfer protocol [HTTP]
- using relational databases for representation of network management data, e.g. managing via structured query language [SQL]