Communication system, communication apparatus, communication method, terminal, and non-transitory medium
US-2018213472-A1 · Jul 26, 2018 · US
US10516652B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-10516652-B1 |
| Application number | US-201715445459-A |
| Country | US |
| Kind code | B1 |
| Filing date | Feb 28, 2017 |
| Priority date | Feb 28, 2017 |
| Publication date | Dec 24, 2019 |
| Grant date | Dec 24, 2019 |
Official abstract text for this publication.
A system (and method) includes a plurality of compute devices configured to execute an endpoint node and a provisioning service. The endpoint node is configured to establish an encrypted communication channel over a public network. The provisioning service is configured to retrieve configuration parameters from a database. The configuration parameters define a security association for the encrypted communication channel and include an encryption key and an identifier of an encryption algorithm. The provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel.
Opening claim text (preview).
What is claimed is:
1. A system, comprising: a virtual network endpoint node, including a memory coupled to a processor, wherein the virtual network endpoint node is configured to provide network connectivity to a virtual network which comprises a plurality of virtual machines created by a user, and wherein the virtual network endpoint node is configured to establish an encrypted communication channel over a public network; a management service, including a memory coupled to a processor, wherein the management service is configured to receive a plurality of create security association application programming interface (API) calls to create security associations for the virtual network endpoint node, each create security association API call containing configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key, a valid start time, and a valid end time; a provisioning service, including a memory coupled to a processor, wherein at or near the valid start time of one of the create security association API calls for the virtual network endpoint node, the provisioning service is configured to transmit the configuration parameters to the virtual network endpoint node for use in implementation of a security association for the encrypted communication channel; and wherein the provisioning service is configured to return an acknowledgment message indicative of a successful load of the security association on the virtual network endpoint node.
2. The system of claim 1 further comprising a database configured to store a plurality of records, wherein each record is configured to store, for a given security association, a security association identifier, the security association API call configuration parameters, and a corresponding status indicator for the security association.
3. The system of claim 2, wherein: the management service is configured to store in the security association database configuration parameters for each of the plurality of create security association API calls for the virtual network endpoint node, wherein the valid start and end times for the respective security association are different between the plurality of create security association API calls.
4. The system of claim 1, wherein responsive to the acknowledgment message, the provisioning service is configured to update a status indicator in a database record to indicate that the security association is in an active state.
5. The system of claim 1, wherein the configuration parameters of the create security association API calls also include at least one of: a source internet protocol (IP) address, a destination IP address, an identifier of an encryption algorithm, an identifier of an authentication algorithm, an authentication key, a security parameter index, and a replay window size, wherein the valid start time in the configuration parameters indicates the time after which the encryption key is valid, the valid end time indicates the time after which the encryption key is invalid.
6. A system, comprising: an endpoint node, including a memory coupled to a processor, wherein the endpoint node is configured to establish an encrypted communication channel over a public network; a provisioning service, including a memory coupled to a processor, wherein the provisioning service is configured to retrieve configuration parameters from a database, the configuration parameters defining a security association for the encrypted communication channel, the configuration parameters including an encryption key and an identifier of an encryption algorithm, and wherein the provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel; and a management service, including a memory coupled to a processor, wherein the management service is configured to store in the database configuration parameters for each of a plurality of create security association application programming interface (API) calls for the same endpoint node, wherein each of the plurality of create security association API calls contains valid start and end times for a respective security association, wherein the valid start and end times are different between the plurality of create security association API calls, and wherein, at or near the valid start time of each of the create security association API calls, the provisioning service is configured to load the configuration parameters for that create security association API call into the endpoint node.
7. The system of claim 6, wherein the configuration parameters also include an identifier of an authentication algorithm, an authentication key, a security parameter index, the valid start time indicating the time after which the encryption key is valid, the valid end time indicating the time after which the encryption key is invalid, and a replay window size.
8. The system of claim 6, further comprising a management service, including a memory coupled to a processor, wherein the management service is configured to: receive a create security association API call to create a security association for the endpoint node; and store the configuration parameters from the received create security association API call in the database.
9. The system of claim 6, wherein the management service is configured to: receive a describe security association API call that includes a security association identifier as an input argument; access the database to retrieve the record corresponding to the security association identifier; and respond to the describe security association API call with a status identifier of the corresponding security association identifier.
10. The system of claim 6, wherein the management service is configured to receive a delete security association API call that includes a security association identifier as an input argument and update the record in the database corresponding to the security association identifier to specify that the security association is to be deleted, and wherein the provisioning service is configured to respond to the update to the record by transmission of a message to the endpoint node to delete its security association.
11. The system of claim 6, wherein the endpoint node comprises virtual network endpoint node configured to provide network connectivity to a virtual network, wherein the virtual network comprises a plurality of virtual machines.
12. The system of claim 6, wherein each load of configuration parameters defining a security association into the endpoint node overwrites previously loaded security association configuration parameters.
13. The system of claim 6, wherein the provisioning service is configured to return an acknowledgment message indicative of a successful load of the configuration parameters into the endpoint node, and wherein, responsive to the acknowledgment message, the provisioning service is configured to update a status indicator in the database to indicate that the security association is in an active state.
14. A computer-implemented method, comprising: receiving an application programming interface (API) call including configuration parameters that define a security association for a secure communication channel over a network, the configuration parameters including an identifier of a virtual network endpoint node to implement the secure communication channel, start time specifying when the security association is to be valid, and an end time; storing the configuration parame
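The claims above describe a scheduled key-rotation flow: the management service stores several create-SA API calls with non-overlapping valid windows, the provisioning service loads each one at or near its valid start time, the endpoint overwrites the previously loaded SA (claim 12), and a successful-load acknowledgment flips the record to an active status (claims 4 and 13). The following is an added illustrative model of that flow, not the patent's or any vendor's code; the class names, status values, the in-memory dict standing in for the database, and the EXPIRED and SUPERSEDED states are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SARecord:
    sa_id: str
    spi: int                 # security parameter index
    enc_alg: str             # identifier of the encryption algorithm
    enc_key: bytes
    valid_start: int         # epoch seconds; key valid after this time
    valid_end: int           # epoch seconds; key invalid after this time
    status: str = "PENDING"  # PENDING -> ACTIVE -> SUPERSEDED / DELETED (assumed states)

class EndpointNode:  # holds one SA; each load overwrites the previous (claim 12)
    def __init__(self):
        self.loaded = None
    def load(self, rec):
        self.loaded = rec
        return "ACK"         # acknowledgment of a successful load
    def delete(self):
        self.loaded = None

class ManagementService:  # receives create/describe/delete SA API calls
    def __init__(self):
        self.db = {}         # stand-in for the SA database, keyed by sa_id
    def create_security_association(self, rec):
        if rec.valid_start >= rec.valid_end:
            raise ValueError("valid_end must be after valid_start")
        self.db[rec.sa_id] = rec
        return rec.sa_id
    def describe_security_association(self, sa_id):
        return self.db[sa_id].status
    def delete_security_association(self, sa_id):
        self.db[sa_id].status = "DELETE_REQUESTED"

class ProvisioningService:  # loads each SA at or near its valid start time
    def __init__(self, db, endpoint):
        self.db, self.endpoint = db, endpoint
    def tick(self, now):     # one pass of the provisioning loop at time `now`
        for rec in sorted(self.db.values(), key=lambda r: r.valid_start):
            if rec.status == "DELETE_REQUESTED":
                if self.endpoint.loaded is rec: self.endpoint.delete()
                rec.status = "DELETED"
            elif rec.status == "PENDING" and now >= rec.valid_end:
                rec.status = "EXPIRED"   # window passed before it was ever loaded
            elif rec.status == "PENDING" and now >= rec.valid_start:
                if self.endpoint.load(rec) == "ACK":
                    for other in self.db.values():
                        if other.status == "ACTIVE":
                            other.status = "SUPERSEDED"  # overwritten on the node
                    rec.status = "ACTIVE"
```

Calling `tick()` periodically with the current time is enough to walk two pre-registered SAs through PENDING, ACTIVE and SUPERSEDED without any rekey traffic on the public network, which is the operational point of pre-scheduling start and end times.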
above the transport layer · CPC title
at the network layer · CPC title
for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
Hypervisors; Virtual machine monitors · CPC title