US11570146B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11570146-B2 |
| Application number | US-202016897704-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 10, 2020 |
| Priority date | Apr 1, 2020 |
| Publication date | Jan 31, 2023 |
| Grant date | Jan 31, 2023 |
Official abstract text for this publication.
Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of the compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines includes virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.
Opening claim text (preview).
We claim:
1. A method of deploying and connecting machines in a set of one or more datacenters, the method comprising: deploying a guest cluster comprising a plurality of Kubernetes Pods; deploying a supervisor cluster comprising a plurality of virtual machines (VMs) including at least one particular VM that performs management plane operations for the plurality of Kubernetes Pods of the guest cluster; defining a first private network with a first subnet in the datacenter set to connect the VMs in the supervisor cluster; defining a second private network with a second subnet in the datacenter set to connect the Kubernetes Pods; and configuring routers of the first and second private networks to advertise their subnets to at least one gateway router of the datacenter set for the gateway router to advertise the first subnet of the first private network to the second private network and to advertise the second subnet of the second private network to the first private network, wherein said advertising by the gateway router allows machines in one private network to forward data messages to machines in a different private network, said data messages including management-plane data messages sent by the particular VM, which is in the supervisor cluster and is connected to the first private network, to Kubernetes Pods that are in the guest cluster and are connected to the second network.
2. The method of claim 1, wherein the data messages are for debug operations performed by a VM in the supervisor cluster on Pods in the guest cluster.
3. The method of claim 1 further comprising configuring the gateway router with a default rule that prevents the gateway from advertising the first and second subnets to an external network outside of the datacenter set.
4. The method of claim 3 further comprising deploying and configuring at least one gateway router for the guest cluster and a gateway router for the supervisor cluster, wherein the gateway routers of the guest cluster and the supervisor cluster advertise the first and second subnets to the gateway router of the datacenter set.
5. The method of claim 1 further comprising: defining a first firewall rule to drop ingress traffic to the VMs; defining a second firewall rule to allow ingress traffic to each particular VM from other VMs in a same sub-network as the particular VM, the second firewall rule having a higher priority than the first firewall rule; and distributing the first and second firewall rules to distributed firewall engines for each of the VMs.
6. The method of claim 1 further comprising defining a firewall rule to allow ingress traffic to each particular VM in a set of VMs from a load balanced network address associated with a downlink port of the gateway that is used for forwarding data messages for a load-balanced operation performed by the set of VMs.
7. The method of claim 1 further comprising: deploying a gateway router for the guest cluster (GC); defining a default first firewall rule to reject ingress traffic at the GC gateway router; defining a second firewall rule to allow ingress traffic at the GC gateway router from an IP address used to source network address translate (SNAT) IP addresses in the first subnet, the second firewall rule having a higher priority than the first firewall rule; and distributing the first and second firewall rules to the GC gateway router.
8. The method of claim 1 further comprising: deploying a gateway router for the guest cluster (GC); defining a default first firewall rule to reject ingress traffic at the GC gateway router; defining a second firewall rule to allow ingress traffic at the GC gateway router that is addressed to a load balanced service IP of the guest cluster, the second firewall rule having a higher priority than the first firewall rule; and distributing the first and second firewall rules to the GC gateway router.
9. A non-transitory machine readable medium storing a program for connecting machines in a set of one or more datacenters, the program for execution by at least one processing unit, the program comprising sets of instructions for: defining a supervisor cluster comprising a plurality of virtual machines (VMs); defining a first private network with a first subnet in the datacenter set to connect the VMs in the supervisor cluster; defining a guest cluster comprising a plurality of Kubernetes Pods; defining a second private network with a second subnet in the datacenter set to connect the Kubernetes Pods; and configuring routers of the first and second private networks to advertise their subnets to at least one gateway router of the datacenter set for the gateway router to advertise the first subnet of the first private network to the second private network and to advertise the second subnet of the second private network to the first private network, wherein the advertising by the gateway router allows machines in one private network to forward data messages to machines in the other private network, wherein the data messages are for management plane operations performed by a VM in the supervisor cluster for Pods in the guest cluster.
10. The non-transitory machine readable medium of claim 9, wherein the data messages are for debug operations performed by a VM in the supervisor cluster on Pods in the guest cluster.
11. The non-transitory machine readable medium of claim 9, wherein the program further comprises a set of instructions for configuring the gateway router with a default rule that prevents the gateway from advertising the first and second subnets to an external network outside of the datacenter set.
12. The non-transitory machine readable medium of claim 11, wherein the program further comprises a set of instructions for deploying and configuring at least one gateway router for the guest cluster and a gateway router for the supervisor cluster, wherein the gateway routers of the guest cluster and the supervisor cluster advertise the first and second subnets to the gateway router of the datacenter set.
13. The non-transitory machine readable medium of claim 9, wherein each gateway router is a logical router implemented by a plurality of physical routers.
14. The non-transitory machine readable medium of claim 9, wherein the program further comprises sets of instructions for: defining a first firewall rule to drop ingress traffic to the VMs; defining a second firewall rule to allow ingress traffic to each particular VM from other VMs in a same sub-network as the particular VM, the second firewall rule having a higher priority than the first firewall rule; and distributing the first and second firewall rules to distributed firewall engines for each of the VMs.
15. The non-transitory machine readable medium of claim 9, wherein the program further comprises a set of instructions for defining a firewall rule to allow ingress traffic to each particular VM in a set of VMs from a load balanced network address associated with a downlink port of the gateway that is used for forwarding data messages for a load-balanced operation performed by the set of VMs.
16. The non-transitory machine readable medium of claim 9, wherein the program further comprises sets of instructions for: deploying a gateway router for the guest cluster (GC); defining a default first firewall rule to reject ingress traffic at the GC gateway router; defining a second firewall rule to allow ingress traffic at the GC gateway router from an IP address used to source network address translate (SNAT) IP addresses in the first subnet, the second firewall rule having a higher priority than th
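The claims above describe the security posture in words only: per-VM distributed firewalls and the guest-cluster gateway each get a low-priority default drop plus narrower, higher-priority allows (claims 5, 7, 8, 14 and 16), and the datacenter gateway re-advertises each private subnet to the other private network but never externally (claims 1 and 3). The following is an added example, not code from the patent or from any product it covers; the subnets, SNAT address and service IP are constructed placeholders, since the document names no concrete prefixes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable

# Constructed sample addressing; the patent names no concrete prefixes.
SUPERVISOR_SUBNET = ip_network("10.10.0.0/24")   # "first subnet": supervisor-cluster VMs
GUEST_SUBNET = ip_network("10.20.0.0/24")        # "second subnet": guest-cluster Pods
SNAT_IP = ip_address("192.168.100.5")            # address used to SNAT first-subnet traffic
LB_SERVICE_IP = ip_address("10.30.0.10")         # load-balanced service IP of the guest cluster

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

@dataclass(frozen=True)
class Rule:
    priority: int                     # higher value is evaluated first
    action: str                       # "allow" or "drop"
    match: Callable[[Packet], bool]

def evaluate(rules, pkt):
    """First matching rule in descending priority order decides the verdict."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.match(pkt):
            return rule.action
    return "drop"  # nothing matched: fail closed

# Claims 5 and 14: per-VM distributed firewall. Default drop (low priority) plus a
# higher-priority allow for ingress from VMs in the same sub-network.
def vm_rules(vm_subnet):
    return [Rule(10, "drop", lambda p: True),
            Rule(20, "allow", lambda p: p.src in vm_subnet)]

# Claims 7, 8 and 16: guest-cluster gateway. Default reject plus higher-priority allows
# for traffic sourced from the first subnet's SNAT IP or addressed to the LB service IP.
GC_GATEWAY_RULES = [Rule(10, "drop", lambda p: True),
                    Rule(20, "allow", lambda p: p.src == SNAT_IP),
                    Rule(20, "allow", lambda p: p.dst == LB_SERVICE_IP)]

def vm_ingress(src, dst):
    return evaluate(vm_rules(SUPERVISOR_SUBNET), Packet(ip_address(src), ip_address(dst)))

def gc_gateway_ingress(src, dst):
    return evaluate(GC_GATEWAY_RULES, Packet(ip_address(src), ip_address(dst)))

# Claims 1 and 3: the datacenter gateway re-advertises each private subnet only to the
# other private network; the default rule withholds both from the external network.
def advertised_to(network):
    return {"supervisor": [GUEST_SUBNET], "guest": [SUPERVISOR_SUBNET]}.get(network, [])
```

Because `evaluate` falls through to drop, a misordered or missing allow rule fails closed rather than open, which is the property a reviewer should check when auditing such a rule set.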
Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
for accessing one among a plurality of replicated servers · CPC title
Arrangements for connecting between networks having differing types of switching systems, e.g. gateways · CPC title
Distribution of virtual machine instances; Migration and load balancing · CPC title
Interprogram communication · CPC title