Scrubbed Internet Protocol Domain for Enhanced Cloud Security
US-2021067489-A1 · Mar 4, 2021 · US
US11477163B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11477163-B2 |
| Application number | US-201916551059-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 26, 2019 |
| Priority date | Aug 26, 2019 |
| Publication date | Oct 18, 2022 |
| Grant date | Oct 18, 2022 |
Official abstract text for this publication.
Concepts and technologies directed to scrubbed internet protocol domain for enhanced cloud security are disclosed herein. In various aspects, a system can include a processor and memory storing instructions that, upon execution, cause performance of operations. The operations can include exposing an application to a service provider network that provides an internet connection, where the application is provided by a datacenter that communicates with the service provider network. The operations can include monitoring traffic flows to the application during an observation time period, where the traffic flows include probe traffic that attempts to reach the application. The operations can include constructing a scrubbed internet protocol domain such that detected probe traffic is prevented from reaching a plurality of virtual machines provided by the datacenter.
Opening claim text (preview).
The invention claimed is:
1. A system comprising: a processor; and a memory that stores computer-executable instructions that, in response to execution by the processor, cause the processor to perform operations comprising: assigning a publicly routable internet protocol address to an application executed by at least a portion of a computing resource of a host compute node of a datacenter to expose the application to devices external to the datacenter via an internet connection provided by a network hosted by a communications service provider, wherein the datacenter provides a plurality of virtual machines via at least the host compute node, monitoring traffic flows to the application during an observation time period, wherein the traffic flows include probe traffic flows that attempt to reach the application, generating, based on the traffic flows monitored, a distributed scrubbing scheme to construct a scrubbed internet protocol domain such that detected probe traffic flows are prevented from reaching the plurality of virtual machines provided by the datacenter, wherein the distributed scrubbing scheme designates a plurality of network devices along a network path between the network and the datacenter as scrubbing points, and instantiating, on each of the plurality of network devices designated as a scrubbing point, an instance of a scrubbing client comprising filtering rules indicating which traffic flows are permitted to be routed to a target destination and further comprising a scrubbing sequence, wherein the scrubbing sequence instructs the scrubbing points that a detected probe traffic flow is to be scrubbed from the network path at a particular scrubbing point of the scrubbing points while other scrubbing points of the scrubbing points are instructed to allow the detected probe traffic flow to be routed to a next scrubbing point.
2. The system of claim 1, wherein the scrubbing points include at least one of a carrier-grade router, an access router, a virtual router, or a cloud gateway.
3. The system of claim 1, wherein the operations further comprise instructing network devices of the network hosted by the communications service provider to automatically allow the traffic flows to be routed to the application during the observation time period.
4. The system of claim 1, wherein the operations further comprise withdrawing the application from being exposed to devices external to the datacenter via the internet connection in response to the observation time period elapsing.
5. The system of claim 1, wherein the scrubbed internet protocol domain includes a plurality of publicly routable internet protocol addresses that can be advertised via the internet connection while being protected from the detected probe traffic flows.
6. The system of claim 1, wherein the distributed scrubbing scheme further provides instructions to purge, by each scrubbing point, inactive filtering rules of the filtering rules.
7. A method comprising: assigning, by a system executing a processor, a publicly routable internet protocol address to an application executed by at least a portion of a computing resource of a host compute node of a datacenter to expose the application to devices external to the datacenter via an internet connection provided by a network hosted by a communications service provider, wherein the datacenter provides a plurality of virtual machines via at least the host compute node; monitoring, by the processor, traffic flows to the application during an observation time period, wherein the traffic flows include probe traffic flows that attempt to reach the application; generating, by the processor, based on the traffic flows monitored, a distributed scrubbing scheme to construct a scrubbed internet protocol domain such that detected probe traffic flows are prevented from reaching the plurality of virtual machines provided by the datacenter, wherein the distributed scrubbing scheme designates a plurality of network devices along a network path between the network and the datacenter as scrubbing points; and instantiating, by the processor, on each of the plurality of network devices designated as a scrubbing point, an instance of a scrubbing client comprising filtering rules indicating which traffic flows are permitted to be routed to a target destination and further comprising a scrubbing sequence, wherein the scrubbing sequence instructs the scrubbing points that a detected probe traffic flow is to be scrubbed from the network path at a particular scrubbing point of the scrubbing points while other scrubbing points of the scrubbing points are instructed to allow the detected probe traffic flow to be routed to a next scrubbing point.
8. The method of claim 7, wherein the scrubbing points include at least one of a carrier-grade router, an access router, a virtual router, or a cloud gateway.
9. The method of claim 7, further comprising instructing network devices of the network hosted by the communications service provider to automatically allow the traffic flows to be routed to the application during the observation time period.
10. The method of claim 7, further comprising withdrawing, by the processor, the application from being exposed to devices external to the datacenter via the internet connection in response to the observation time period elapsing.
11. The method of claim 7, wherein the scrubbed internet protocol domain includes a plurality of publicly routable internet protocol addresses that can be advertised via the internet connection while being protected from the detected probe traffic flows.
12. The method of claim 7, further comprising wherein the distributed scrubbing scheme further provides instructions to purge, by each scrubbing point, inactive filtering rules of the filtering rules.
13. A computer storage medium having computer-executable instructions stored thereon that, in response to execution by a processor, cause the processor to perform operations comprising: assigning a publicly routable internet protocol address to an application executed by at least a portion of a computing resource of a host compute node of a datacenter to expose the application to devices external to the datacenter via an internet connection provided by a network hosted by a communications service provider, wherein the datacenter provides a plurality of virtual machines via at least the host compute node; monitoring traffic flows to the application during an observation time period, wherein the traffic flows include probe traffic flows that attempt to reach the application; generating, based on the traffic flows monitored, a distributed scrubbing scheme to construct a scrubbed internet protocol domain such that detected probe traffic flows are prevented from reaching the plurality of virtual machines provided by the datacenter, wherein the distributed scrubbing scheme designates a plurality of network devices along a network path between the network and the datacenter as scrubbing points; and instantiating, on each of the plurality of network devices designated as a scrubbing point, an instance of a scrubbing client comprising filtering rules indicating which traffic flows are permitted to be routed to a target destination and further comprising a scrubbing sequence, wherein the scrubbing sequence instructs the scrubbing points that a detected probe traffic flow is to be scrubbed from the network path at a particular scrubbing point of the scrubbing points while other scrubbing points of the scrubbing points are instructed to allow the detected probe traffic flow to be routed to a next scrubbing point.
14. The computer storage medi
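As an added illustration (not code from the patent or its assignee), the following Python model simulates the claimed distributed scrubbing scheme: one scrubbing-client instance per device along the network path, a shared rule set, a scrubbing sequence that designates exactly one point to drop each detected probe flow while the other points pass it onward, and the per-point purge of inactive rules from claims 6 and 12. Device names, the round-robin assignment, the time values and the RFC 5737 sample addresses are assumptions of this example, not values from the patent.

```python
from dataclasses import dataclass, field
from itertools import cycle

@dataclass
class FilterRule:
    src: str            # source of a detected probe flow
    dst: str            # target destination inside the scrubbed IP domain
    scrub_at: str       # scrubbing point designated by the scrubbing sequence
    last_hit: int = 0   # last time the rule matched; drives purging of inactive rules

@dataclass
class ScrubbingClient:
    point: str                                  # network device this instance runs on
    rules: dict = field(default_factory=dict)   # (src, dst) -> FilterRule

    def handle(self, src, dst, now):
        """'scrub' if this is the designated point for a detected probe, else 'allow'."""
        rule = self.rules.get((src, dst))
        if rule is None:
            return "allow"      # not a detected probe flow: permitted to route onward
        rule.last_hit = now
        return "scrub" if rule.scrub_at == self.point else "allow"

    def purge_inactive(self, now, idle_limit):
        """Drop rules that have not matched within idle_limit; returns the count."""
        stale = [k for k, r in self.rules.items() if now - r.last_hit > idle_limit]
        for k in stale:
            del self.rules[k]
        return len(stale)

def build_scheme(path, probe_flows, observed_at):
    """Distributed scrubbing scheme: a client instance on every device along the
    path, all holding the same rules; the scrubbing sequence assigns each probe
    flow to one point round-robin (an assumed policy) to spread the scrubbing load."""
    assign = dict(zip(probe_flows, cycle(path)))   # flow -> designated scrubbing point
    return [ScrubbingClient(p, {(s, d): FilterRule(s, d, assign[(s, d)], observed_at)
                                for s, d in probe_flows}) for p in path]

def route(clients, src, dst, now):
    """Walk the path; return the point that scrubbed the flow, or 'datacenter'."""
    for client in clients:
        if client.handle(src, dst, now) == "scrub":
            return client.point
    return "datacenter"

PATH = ["carrier-grade-router", "access-router", "cloud-gateway"]
# Constructed sample: probe flows seen during the observation period (RFC 5737 addresses).
PROBES = [("198.51.100.7", "203.0.113.10"), ("198.51.100.9", "203.0.113.10")]
```

Routing the two probes at now=40 over build_scheme(PATH, PROBES, 0) scrubs the first at the carrier-grade router and the second at the access router, while an unlisted source reaches the datacenter. Purging at now=50 with idle_limit=30 then removes nothing at the first point, one rule at the second and both at the cloud gateway, because flows scrubbed upstream never arrive downstream and those rules go inactive.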
CPC classification titles:
- Hypervisor-specific management and integration aspects
- Rule management
- for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- Isolation or security of virtual machine instances
- Network integration; Enabling network access in virtual machine instances