Multi-tenant network virtualization infrastructure

We claim: 1. For a network management and control system that manages a virtual infrastructure deployed across a set of datacenters, a method comprising: based on input from a top-level user of the virtual infrastructure, (i) deploying a first logical network within the virtual infrastructure and (ii) defining a set of one or more second-level users of the virtual infrastructure, wherein the top-level user exposes entities of the first logical network to the set of second-level users via labels that provide information to the set of second-level users about the exposed entities of the first logical network without enabling the set of second-level users to view the configuration of the first logical network entities; and receiving input from a particular second-level user of the virtual infrastructure to define a second logical network and connect the second logical network to the first logical network, wherein the first and second logical networks use a same data model and wherein the set of second-level users is restricted from viewing configuration of the first logical network. 2. The method of claim 1 , wherein the top-level user is an administrator for a provider of the virtual infrastructure and the set of second-level users includes administrators for tenants of the virtual infrastructure. 3. The method of claim 2 , wherein the provider of the virtual infrastructure is an enterprise IT team and the tenants comprise different sections of a business of the enterprise. 4. The method of claim 1 , wherein the exposed entities comprise a logical router that provides connectivity to external networks, wherein the particular second-level user connects a logical router of the second logical network to the exposed logical router in order to provide connectivity to the external networks for data compute nodes (DCNs) of the second logical network. 5. The method of claim 4 , wherein the exposed entities comprise a particular virtual routing and forwarding (VRF) table of the logical router of the first logical network that provides connectivity to external networks. 6. The method of claim 1 , wherein the exposed entities comprise a security group, wherein the particular second-level user defines firewall rules for the second logical network using the security group such that the firewall rules apply to DCNs of the second logical network that belong to the security group. 7. The method of claim 1 , wherein the exposed entities comprise a physical infrastructure entity. 8. The method of claim 1 , wherein the top-level user is enabled to view and configure physical infrastructure entities that are hidden from the set of second-level users. 9. For a network management and control system that manages a virtual infrastructure deployed across a set of datacenters, a method comprising: based on input from a top-level user of the virtual infrastructure, (i) deploying a first logical network within the virtual infrastructure and (ii) defining a set of one or more second-level users of the virtual infrastructure; receiving input from a particular second-level user of the virtual infrastructure to define a second logical network and connect the second logical network to the first logical network, wherein the first and second logical networks use a same data model and wherein the set of second-level users is restricted from viewing configuration of the first logical network; and receiving input from the particular second-level user of the virtual infrastructure to create accounts for a set of one or more third-level users of the virtual infrastructure, wherein the set of third-level users of the virtual infrastructure is enabled to define logical networks that connect to one or more of the first and second logical networks. 10. The method of claim 9 , wherein the set of third-level users is restricted from viewing configurations for the first and second logical networks as well as the logical networks of other third-level users. 11. The method of claim 9 , wherein the logical networks defined by the set of third-level users uses the same data model as the first and second logical networks. 12. The method of claim 9 , wherein the second logical network is deployed within a first virtual cloud, wherein at least one of the third-level users defines a third logical network within a second virtual cloud. 13. The method of claim 12 , wherein the virtual clouds provide isolation from other logical networks within the virtual infrastructure. 14. For a network management and control system that manages a virtual infrastructure deployed across a set of datacenters, a method comprising: based on input from a top-level user of the virtual infrastructure, (i) deploying a first logical network within the virtual infrastructure and (ii) defining a set of one or more second-level users of the virtual infrastructure; and receiving input from a particular second-level user of the virtual infrastructure to define a second logical network and connect the second logical network to the first logical network, wherein the first and second logical networks use a same data model and wherein the set of second-level users is restricted from viewing configuration of the first logical network, wherein the top-level user is enabled to view and configure physical infrastructure entities that are hidden from the set of second-level users, wherein the logical network definitions are stored as policy trees, wherein the policy tree for the first logical network comprises physical infrastructure nodes defining the physical infrastructure of different sites, and wherein the policy tree for the second logical network is restricted from comprising any physical infrastructure nodes. 15. A non-transitory machine-readable medium storing a network manager program which when executed by at least one processing unit manages a virtual infrastructure deployed across a set of datacenters, the network manager program comprising sets of instructions for: based on input from a top-level user of the virtual infrastructure, (i) deploying a first logical network within the virtual infrastructure and (ii) defining a set of one or more second-level users of the virtual infrastructure, wherein the top-level user exposes entities of the first logical network to the set of second-level users via labels that provide information to the set of second-level users about the exposed entities of the first logical network without enabling the set of second-level users to view the configuration of the first logical network entities; and receiving input from a particular second-level user of the virtual infrastructure to define a second logical network and connect the second logical network to the first logical network, wherein the first and second logical networks use a same data model and wherein the set of second-level users is restricted from viewing configuration of the first logical network. 16. The non-transitory machine-readable medium of claim 15 , wherein the top-level user is an administrator for a provider of the virtual infrastructure and the set of second-level users includes administrators for tenants of the virtual infrastructure. 17. A non-transitory machine-readable medium storing a network manager program which when executed by at least one processing unit manages a virtual infrastructure deployed across a set of datacenters, the network manager program comprising sets of instructions for: based on input from a top-level user of the virtual infrastructure, (i) deploying a first logical network within the virtual infrastructure and (ii) definin