Network virtualization infrastructure with divided user responsibilities

US11601474B2 · US · B2

Patent metadata
Publication number: US-11601474-B2
Application number: US-202017103700-A
Country: US
Kind code: B2
Filing date: Nov 24, 2020
Priority date: Sep 28, 2020
Publication date: Mar 7, 2023
Grant date: Mar 7, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments provide a method for a network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.

Claims

Full claim text as granted (claims 1 to 20). Claim 1 (method) and claim 14 (machine-readable medium) are the independent claims; the rest depend on them.

We claim:

1. A method for a network management and control system that manages one or more logical networks, the method comprising: from a provider first user of the network management and control system, receiving a definition of a first set of one or more security zones for a logical network, each security zone definition comprising a set of security rules for data compute nodes (DCNs) assigned to the security zone, wherein the provider first user defines a plurality of tenant users of the network management and control system; from a tenant second user of the network management and control system that is one of the plurality of tenant users defined by the provider first user and that manages networking and security configurations for at least a portion of the logical network, receiving a definition of a second set of security zones for the logical network; from an application developer third user of the network management and control system, receiving a definition of an application to be deployed in the logical network, the application definition specifying a set of security requirements for the application; and based on the specified set of security requirements, assigning DCNs implementing the application to one or more of the security zones of the first and second sets of security zones for the logical network.

2. The method of claim 1, wherein: a first security zone comprises rules that allow connections between DCNs in the first security zone and endpoints outside of the logical network; and a second security zone does not allow connections between DCNs in the second security zone and endpoints outside of the logical network.

3. The method of claim 2, wherein only DCNs assigned to the first security zone are allowed to connect to endpoints outside of the logical network.

4. The method of claim 2, wherein the second security zone comprises rules that allow connections between DCNs in the first security zone and DCNs in the second security zone.

5. The method of claim 1, wherein the logical network spans at least two virtual clouds, wherein DCNs in a first virtual cloud are not allowed to communicate with DCNs in a second virtual cloud until the DCNs are assigned to particular security zones.

6. The method of claim 5, wherein a first DCN in the first virtual cloud assigned to a first security zone communicates with a second DCN in the second virtual cloud assigned to a second security zone.

7. The method of claim 6, wherein the first DCN belongs to a particular tier of the application and the second DCN does not belong to any application.

8. The method of claim 1, wherein the definition of the application comprises at least two application tiers.

9. The method of claim 8, wherein DCNs belonging to a first application tier are assigned to a first security zone and DCNs belonging to a second application tier are assigned to a second security zone.

10. The method of claim 9, wherein: the first application tier is a web tier that receives communications from external devices and the second application tier is a database tier that is restricted from receiving communications from external devices; DCNs assigned to the first security zone are allowed to receive ingress connections from Internet sources and DCNs assigned to the second security zone are only allowed to receive ingress connections from DCNs assigned to the first security zone.

11. The method of claim 1, wherein the sets of security rules defining the security zones are implemented through firewall rules applied by network elements managed by the network management and control system.

12. The method of claim 1, wherein the application developer third user is not granted access to the networking and security configurations for the logical network.

13. The method of claim 1, wherein the first set of security zones is defined for a plurality of logical networks managed by the plurality of tenant users including the tenant second user.

14. A non-transitory machine-readable medium storing a network manager program which when executed by at least one processing unit manages one or more logical networks, the network manager program comprising sets of instructions for: from a provider first user of the network management and control system, receiving a definition of a first set of one or more security zones for a logical network, each security zone definition comprising a set of security rules for data compute nodes (DCNs) assigned to the security zone, wherein the provider first user defines a plurality of tenant users of the network management and control system; from a tenant second user of the network management and control system that is one of the plurality of tenant users defined by the provider first user and that manages networking and security configurations for at least a portion of the logical network, receiving a definition of a second set of security zones for the logical network; from an application developer third user of the network management and control system, receiving a definition of an application to be deployed in the logical network, the application definition specifying a set of security requirements for the application; and based on the specified set of security requirements, assigning DCNs implementing the application to one or more of the security zones of the first and second sets of security zones for the logical network.

15. The non-transitory machine-readable medium of claim 14, wherein: a first security zone comprises rules that allow connections between DCNs in the first security zone and endpoints outside of the logical network; and a second security zone does not allow connections between DCNs in the second security zone and endpoints outside of the logical network.

16. The non-transitory machine-readable medium of claim 15, wherein: only DCNs assigned to the first security zone are allowed to connect to endpoints outside of the logical network; and the second security zone comprises rules that allow connections between DCNs in the first security zone and DCNs in the second security zone.

17. The non-transitory machine-readable medium of claim 14, wherein the logical network spans at least two virtual clouds, wherein DCNs in a first virtual cloud are not allowed to communicate with DCNs in a second virtual cloud until the DCNs are assigned to particular security zones.

18. The non-transitory machine-readable medium of claim 14, wherein: the definition of the application comprises at least a web tier that receives communications from external devices and a database tier that is restricted from receiving communications from external devices; DCNs belonging to the web tier are assigned to a first security zone and DCNs belonging to the database tier are assigned to a second security zone; and DCNs assigned to the first security zone are allowed to receive ingress connections from Internet sources and DCNs assigned to the second security zone are only allowed to receive ingress connections from DCNs assigned to the first security zone.

19. The non-transitory machine-readable medium of claim 14, wherein the sets of security rules defining the security zones are implemented through firewall rules applied by network elements managed by the network management and control system.

20. The non-transitory machine-readable medium of claim 14, wherein the application developer third user is not granted access to the networking and security configurations for the logical network.
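The following is an added worked example, written for this page and not taken from the patent or from VMware's products. It models the division of responsibility in the abstract and in claims 1, 5, 10, 11 and 12 as a small policy engine: a provider and a tenant each define security zones, an application developer submits tiers with security requirements and never touches zone definitions, and the manager resolves each tier to a zone and evaluates flows the way the firewall rules of claim 11 would. The role names, the Zone attributes, the requirement vocabulary (internet_ingress, internet_egress, ingress_from_tiers), first-exact-match zone selection, default deny for unassigned DCNs and the scenario data in build_demo are all assumptions made for illustration; the claims fix none of them.

```python
"""Toy model of the three-role zone assignment in the abstract and claims above.
Added illustration, not VMware's code; names, keys and rule order are assumptions."""
from dataclasses import dataclass
from enum import Enum
INTERNET = "internet"  # pseudo-endpoint for anything outside the logical network

class Role(Enum):
    PROVIDER = "provider"    # defines tenants and the first set of zones
    TENANT = "tenant"        # defines a second set of zones for its network
    DEVELOPER = "developer"  # submits an application and its requirements only

@dataclass(frozen=True)
class Zone:
    name: str
    owner: Role              # PROVIDER or TENANT (claim 1)
    internet_ingress: bool   # accepts connections from outside the network
    internet_egress: bool    # may connect to endpoints outside the network
    ingress_from: frozenset  # zone names whose DCNs may connect in (claim 10)

@dataclass
class Dcn:
    name: str
    cloud: str           # virtual cloud the workload runs in (claim 5)
    zone: object = None  # None = not yet assigned = denied both ways

class NetworkManager:
    def __init__(self) -> None:
        self.zones: dict = {}  # zone name -> Zone
        self.dcns: dict = {}   # DCN name -> Dcn

    def define_zone(self, actor: Role, zone: Zone) -> None:
        # Claim 12: the developer is never granted access to security config.
        if actor is Role.DEVELOPER or zone.owner is not actor:
            raise PermissionError(f"{actor.value} may not define zone {zone.name}")
        self.zones[zone.name] = zone

    def deploy_application(self, actor: Role, tiers: dict) -> dict:
        """tiers: ordered {tier: {"dcns": [Dcn], "requirements": {...}}}."""
        if actor is not Role.DEVELOPER:
            raise PermissionError("only the application developer deploys apps")
        assignment = {}  # tier -> zone name (claims 8 to 10)
        for tier, spec in tiers.items():
            zone = self._pick_zone(spec["requirements"], assignment)
            for dcn in spec["dcns"]:
                dcn.zone = zone.name
                self.dcns[dcn.name] = dcn
            assignment[tier] = zone.name
        return assignment

    def _pick_zone(self, req: dict, assigned: dict) -> Zone:
        # Assumed keys: internet_ingress, internet_egress, ingress_from_tiers (placed earlier).
        want_from = frozenset(assigned[t] for t in req.get("ingress_from_tiers", []))
        for zone in self.zones.values():  # first exact match wins
            if (zone.internet_ingress == req.get("internet_ingress", False)
                    and zone.internet_egress == req.get("internet_egress", False)
                    and zone.ingress_from == want_from):
                return zone
        raise LookupError(f"no zone satisfies {req}")

    def is_allowed(self, src: str, dst: str) -> bool:
        """Flow decision per the zone rules (claim 11); unassigned DCNs are denied (claim 5)."""
        if dst == INTERNET:
            s = self.dcns[src]
            return s.zone is not None and self.zones[s.zone].internet_egress
        d = self.dcns[dst]
        if d.zone is None:
            return False
        if src == INTERNET:
            return self.zones[d.zone].internet_ingress
        s = self.dcns[src]
        return s.zone is not None and s.zone in self.zones[d.zone].ingress_from

def build_demo() -> tuple:
    """Constructed scenario: a provider zone, a tenant zone and a two-tier app."""
    nm = NetworkManager()
    nm.define_zone(Role.PROVIDER, Zone("dmz", Role.PROVIDER, True, True, frozenset()))
    nm.define_zone(Role.TENANT, Zone("data", Role.TENANT, False, False, frozenset({"dmz"})))
    # The developer states requirements, never zones; the tiers span two clouds.
    assignment = nm.deploy_application(Role.DEVELOPER, {
        "web": {"dcns": [Dcn("web-1", "vpc-a")],
                "requirements": {"internet_ingress": True, "internet_egress": True}},
        "db": {"dcns": [Dcn("db-1", "vpc-b")], "requirements": {"ingress_from_tiers": ["web"]}},
    })
    nm.dcns["log-1"] = Dcn("log-1", "vpc-b")  # no application, not yet zoned (claim 7)
    return nm, assignment

def demo_results() -> dict:
    """Run the scenario and return each policy decision by name."""
    nm, assignment = build_demo()
    out = {"assignment": assignment}
    for s, d in [(INTERNET, "web-1"), (INTERNET, "db-1"), ("web-1", "db-1"), ("db-1", "web-1"),
                 ("web-1", INTERNET), ("db-1", INTERNET), ("web-1", "log-1")]:
        out[f"{s}->{d}"] = nm.is_allowed(s, d)
    try:  # a developer trying to mint a permissive zone must be refused
        nm.define_zone(Role.DEVELOPER, Zone("bypass", Role.DEVELOPER, True, True, frozenset()))
        out["developer defined zone"] = True
    except PermissionError:
        out["developer defined zone"] = False
    return out
```

Calling demo_results() shows the property the claims are after: the developer only declares that the db tier accepts ingress from the web tier, and the manager resolves that to the tenant-owned data zone, so Internet-to-db-1 and db-1-to-Internet are denied while web-1-to-db-1 across the two clouds is allowed. The developer's attempt to define a permissive zone is refused, and log-1, which nobody has placed in a zone, is unreachable; that default-deny posture for unassigned DCNs is what claim 5 relies on and is worth verifying in any real implementation, since an "assign later" workflow that defaults to allow defeats the separation of duties.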

Assignees

VMware, Inc.

Inventors

Classifications

  • Policy-based network configuration management · CPC title

  • Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements · CPC title

  • H04L63/20 (primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Configuration setting · CPC title

  • Virtual LANs, VLANs, e.g. virtual private networks [VPN] (LAN interconnection over a bridge based backbone H04L12/462; encapsulation techniques H04L12/4633; routing of packets H04L45/00; packet switches H04L49/00; virtual private networks for security H04L63/0272) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11601474B2 cover?
Some embodiments provide a method for network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definit…
Who is the assignee on this patent?
VMware, Inc.
What technology area does this patent fall under?
Primary CPC classification H04L63/20 (network security policies). Mapped technology area: Electricity (CPC section H).
When was this patent published?
Publication date Mar 7, 2023 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).