US11757940B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11757940-B2 |
| Application number | US-202017103706-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 24, 2020 |
| Priority date | Sep 28, 2020 |
| Publication date | Sep 12, 2023 |
| Grant date | Sep 12, 2023 |
Official abstract text for this publication.
Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies a requirement that the application receive data traffic from sources external to the virtual infrastructure. Based on the application definition, the method defines a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure. For an existing second set of higher-level firewall rules for data traffic entering and exiting the virtual infrastructure, the method specifies a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules to any data traffic that is from sources external to the virtual infrastructure and directed to the application.
Opening claim text (preview).
We claim:

1. For a network management and control system that manages a virtual infrastructure deployed across a set of datacenters, a method comprising: receiving a definition of an application to be deployed in the virtual infrastructure, the application definition specifying a requirement that the application receive data traffic from sources external to the virtual infrastructure; based on the application definition: defining a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure; and specifying a new firewall rule that directs a network element, which enforces a second set of firewall rules for data traffic entering and exiting the virtual infrastructure, to examine the first set of firewall rules before the second set of firewall rules for any data traffic that is (i) from sources external to the virtual infrastructure and (ii) directed to the application.
2. The method of claim 1, wherein the network element that enforces the second set of firewall rules is an edge device implementing a logical network gateway.
3. The method of claim 2, wherein the edge device implements a centralized routing component of a tier-0 logical router, wherein the first set of firewall rules and the second set of firewall rules are associated with the centralized routing component.
4. The method of claim 1, wherein the first set of firewall rules and the second set of firewall rules comprise distributed firewall rules.
5. The method of claim 1, wherein the data traffic directed to the application comprises data traffic directed to a particular set of network addresses associated with the application.
6. The method of claim 1, wherein the data traffic directed to the application comprises data traffic directed to a particular set of transport layer ports associated with the application.
7. The method of claim 1, wherein the conditions for allowing data traffic from sources external to the virtual infrastructure comprises allowing any data traffic from sources external to the virtual infrastructure.
8. The method of claim 1, wherein the conditions for allowing data traffic from sources external to the virtual infrastructure comprises allowing data traffic from a particular set of network addresses.
9. The method of claim 1, wherein defining the first set of firewall rules comprises: defining a first firewall rule that allows data traffic meeting specified conditions for data traffic to the application from sources external to the virtual infrastructure; and defining a second firewall rule that denies data traffic directed to the application from sources external to the virtual infrastructure that does not meet the specified conditions.
10. The method of claim 1 further comprising, based on the application definition, defining a third set of firewall rules for allowing a first set of data compute nodes (DCNs) that implement the application to access a second set of DCNs in the virtual infrastructure.
11. The method of claim 10, wherein the second set of DCNs do not implement the application but are accessible to a plurality of different applications implemented in the virtual infrastructure.
12. The method of claim 1, wherein the second set of firewall rules are associated with a particular security zone in the virtual infrastructure for DCNs that receive data traffic from external sources.
13. The method of claim 1, wherein the second set of firewall rules have a higher priority than the first set of firewall rules.
14. The method of claim 1, wherein the new firewall rule directs the network element to skip the second set of firewall rules for any data traffic that is (i) from sources external to the virtual infrastructure and (ii) directed to the application.
15. A non-transitory machine-readable medium storing a network manager program which when executed by at least one processing unit manages a virtual infrastructure deployed across a set of datacenters, the network manager program comprising sets of instructions for: receiving a definition of an application to be deployed in the virtual infrastructure, the application definition specifying a requirement that the application receive data traffic from sources external to the virtual infrastructure; based on the application definition: defining a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure; and specifying a new firewall rule that directs a network element, which enforces a second set of firewall rules for data traffic entering and exiting the virtual infrastructure, to examine the first set of firewall rules before the second set of firewall rules for any data traffic that is (i) from sources external to the virtual infrastructure and (ii) directed to the application.
16. The non-transitory machine-readable medium of claim 15, wherein: the network element that enforces the second set of firewall rules is an edge device implementing a centralized routing component of a tier-0 logical router; and the first set of firewall rules and the second set of firewall rules are associated with the centralized routing component.
17. The non-transitory machine-readable medium of claim 15, wherein the conditions for allowing data traffic from sources external to the virtual infrastructure comprises allowing any data traffic from sources external to the virtual infrastructure.
18. The non-transitory machine-readable medium of claim 15, wherein the conditions for allowing data traffic from sources external to the virtual infrastructure comprises allowing data traffic from a particular set of network addresses.
19. The non-transitory machine-readable medium of claim 15, wherein the set of instructions for defining the first set of firewall rules comprises sets of instructions for: defining a first firewall rule that allows data traffic meeting specified conditions for data traffic to the application from sources external to the virtual infrastructure; and defining a second firewall rule that denies data traffic directed to the application from sources external to the virtual infrastructure that does not meet the specified conditions.
20. The non-transitory machine-readable medium of claim 15, wherein the network manager program further comprises a set of instructions for, based on the application definition, defining a third set of firewall rules for allowing a first set of data compute nodes (DCNs) that implement the application to access a second set of DCNs in the virtual infrastructure.
21. The non-transitory machine-readable medium of claim 15, wherein the new firewall rule directs the network element to skip the second set of firewall rules for any data traffic that is (i) from sources external to the virtual infrastructure and (ii) directed to the application.
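The abstract and claims 1, 7 to 9, 13 and 14 describe a rule-ordering scheme: the application definition is turned into a small application-specific rule set (an allow for traffic meeting the stated conditions, then a deny for everything else aimed at the application), and a single "jump" rule placed in the higher-priority gateway rule set sends external traffic destined for the application into that set before (claim 1) or instead of (claim 14) the gateway's own rules. The Python sketch below is an added illustration of that ordering, not code from the patent or from any vendor's product; the address plan (10.0.0.0/8 as the virtual infrastructure, the `web` application on 10.1.0.0/24 port 443), the rule names and the two-rule gateway policy are all constructed for the example.

```python
"""Constructed model of the claimed rule ordering (illustration, not the patent's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed address plan: 10.0.0.0/8 is the virtual infrastructure,
# any other source address counts as "external".
INFRA_PREFIXES = [ip_network("10.0.0.0/8")]


def is_external(addr: str) -> bool:
    a = ip_address(addr)
    return not any(a in p for p in INFRA_PREFIXES)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                            # "allow", "deny" or "jump"
    src_external: Optional[bool] = None    # None = don't care
    src: Optional[str] = None              # CIDR the source must fall in
    dst: Optional[str] = None              # CIDR the destination must fall in
    dports: Optional[FrozenSet[int]] = None
    target: Optional[List["Rule"]] = None  # rule set consulted by a "jump"
    skip_remainder: bool = False           # claim 14: do not fall back to this set

    def matches(self, pkt: Packet) -> bool:
        if self.src_external is not None and is_external(pkt.src) != self.src_external:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


@dataclass
class Application:
    name: str
    addresses: str                         # CIDR of the DCNs serving the app (claim 5)
    ports: FrozenSet[int]                  # transport ports it listens on (claim 6)
    allowed_sources: Optional[str] = None  # None = any external source (claim 7), CIDR = claim 8


def rules_for_application(app: Application, default_deny: bool = True) -> List[Rule]:
    """First rule set (claim 9): allow traffic meeting the app's conditions,
    then deny any other external traffic aimed at the app."""
    rules = [Rule(f"{app.name}-allow-external", "allow", src_external=True,
                  src=app.allowed_sources, dst=app.addresses, dports=app.ports)]
    if default_deny:
        rules.append(Rule(f"{app.name}-deny-external", "deny",
                          src_external=True, dst=app.addresses))
    return rules


def attach_application(zone_rules: List[Rule], app: Application,
                       default_deny: bool = True, skip_remainder: bool = False) -> List[Rule]:
    """The 'new firewall rule' of claim 1: a jump at the head of the higher-priority
    gateway set for external traffic directed to this application."""
    jump = Rule(f"{app.name}-jump", "jump", src_external=True, dst=app.addresses,
                target=rules_for_application(app, default_deny), skip_remainder=skip_remainder)
    return [jump] + zone_rules


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation; returns (verdict, name of the deciding rule)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action != "jump":
            return rule.action, rule.name
        for sub in rule.target:            # examine the application's set first
            if sub.matches(pkt):
                return sub.action, sub.name
        if rule.skip_remainder:            # claim 14: the rest of this set is skipped
            return default, f"{rule.name}:default"
        # undecided by the application set: fall through to the remaining gateway rules
    return default, "default"


# Constructed gateway (second, higher-priority) rule set for the external-facing zone.
ZONE_RULES = [
    Rule("zone-allow-internal", "allow", src_external=False),
    Rule("zone-default-deny", "deny"),
]

if __name__ == "__main__":
    web = Application("web", "10.1.0.0/24", frozenset({443}))
    table = attach_application(ZONE_RULES, web)
    for p in (Packet("203.0.113.10", "10.1.0.5", 443), Packet("203.0.113.10", "10.1.0.5", 22),
              Packet("203.0.113.10", "10.2.0.7", 443), Packet("10.5.0.1", "10.1.0.5", 22)):
        print(p, "->", evaluate(table, p))
```

The two knobs on `attach_application` separate the two claimed behaviours: with the application's own catch-all deny present (claim 9) the gateway rules are never reached for application traffic, whereas without it the verdict depends on whether the jump falls through to the gateway set (claim 1 ordering) or short-circuits to the default (claim 14).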
Policy-based network configuration management · CPC title
Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Configuration setting · CPC title
Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title