Global-scale connectivity using scalable virtual traffic hubs
US-2020162362-A1 · May 21, 2020 · US
US11855893B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11855893-B2 |
| Application number | US-202117456548-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 24, 2021 |
| Priority date | Nov 24, 2021 |
| Publication date | Dec 26, 2023 |
| Grant date | Dec 26, 2023 |
Abstract
Systems and methods are provided for management of network segments that cross geographic regions and/or other types of network divisions in a cloud-based network environment. A cloud-based network provider's geographically-dispersed network infrastructure may serve as the core of a client's private wide area network, and the client may define isolated segments to which other networks (virtual private clouds, virtual private networks, etc.) may be attached. The various segments may remain logically isolated from each other even when implemented across some or all of the same regions—and using the same physical and/or virtual routing components—as other segments of the same client and/or other clients.
Claims (preview)
What is claimed is:
1. A system comprising: a plurality of gateway nodes, wherein individual gateway nodes of the plurality of gateway nodes are configured to route network traffic associated with a corresponding region-based autonomous system of a plurality of region-based autonomous systems of a provider network; and a control server comprising one or more processors and executable instructions, wherein the control server is programmed to at least: obtain policy data for a virtual private cloud-based wide area network, wherein the policy data specifies that the virtual private cloud-based wide area network is to be implemented using at least a first region-based autonomous system and a second region-based autonomous system of the provider network; establish a first segment of the virtual private cloud-based wide area network using at least a first gateway node in the first region-based autonomous system and a second gateway node in the second region-based autonomous system, wherein at least one routing policy of the first segment is established based on the policy data, wherein at least a first portion of traffic in the first segment is to be isolated from at least a second portion of traffic in a second segment of the virtual private cloud-based wide area network, and wherein both the first portion of traffic and the second portion of traffic transit the first region-based autonomous system and the second region-based autonomous system; determine, based on a tag associated with a first isolated network of the provider network, to enable communications between the first isolated network and a second isolated network over the first segment, wherein the policy data specifies that isolated networks associated with the tag are to be enabled to communicate over the first segment, and wherein the first isolated network comprises one of: a virtual private cloud, a virtual private network, a software-defined wide area network, or a direct connection to a client on-premise network; and enable communications between the first isolated network and the second isolated network over the first segment.
2. The system of claim 1, wherein the routing policy of the first segment relates to at least one of: preventing communication between isolated networks of the first segment, limiting the first segment to a subset of the plurality of region-based autonomous systems, or a filter to be applied to routes of the provider network accessible from within the first segment.
3. The system of claim 1, wherein the control server is further programmed to at least: determine, based on the policy data, that enabling communications of the first isolated network over the first segment requires acceptance of an administrator of the virtual private cloud-based wide area network; and receive acceptance data representing acceptance of the administrator, wherein the control server determines to enable communications of the first isolated network over the first segment in response to receiving the acceptance data.
4. The system of claim 1, wherein the first gateway node is configured to route packets associated with the first segment using a first route table associated with the first segment, and wherein the first gateway node is configured to route packets associated with the second segment using a second route table different from the first route table.
5. A computer-implemented method comprising: under control of a computing system of a cloud provider network, the computing system comprising memory and one or more computer processors configured to execute specific instructions: obtaining policy data associated with a private network implemented at least partly within the cloud provider network; determining, based on the policy data, a subset of a plurality of geographic regions of the cloud provider network in which a first segment is to be established, wherein the subset of the plurality of geographic regions comprises fewer than all of the plurality of geographic regions; establishing, based on the policy data, the first segment within the private network using at least a first gateway node in a first geographic region of the subset of the plurality of geographic regions, wherein at least a first portion of traffic associated with the first segment is to be isolated from at least a second portion of traffic associated with a second segment of the private network; obtaining attachment metadata indicating an isolated network of the cloud provider network is associated with the first segment; and enabling the isolated network to communicate over the first segment, wherein the policy data specifies that isolated networks associated with the attachment metadata are to be enabled to communicate over the first segment.
6. The computer-implemented method of claim 5, wherein establishing the first segment comprises configuring, based on the policy data, a second gateway node in a second geographic region of the plurality of geographic regions to isolate at least a third portion of traffic associated with the first segment from at least a fourth portion of traffic associated with a different segment of the private network.
7. The computer-implemented method of claim 5, further comprising: determining that the policy data indicates acceptance is required to enable the isolated network to communicate over the first segment; and receiving acceptance data representing approval to enable the isolated network to communicate over the first segment, wherein the isolated network is enabled to communicate over the first segment in response to receiving the acceptance data.
8. The computer-implemented method of claim 5, further comprising: determining, based on the policy data, that isolated networks enabled to communicate over the first segment are prohibited from communicating with each other over the first segment; and preventing the isolated network from communicating with a second isolated network associated with the first segment.
9. The computer-implemented method of claim 8, further comprising: enabling, based on the policy data, communications between the isolated network and a shared resource segment; and enabling, based on the policy data, communications between the second isolated network and the shared resource segment.
10. The computer-implemented method of claim 8, further comprising generating a graphical user interface comprising: a first display object representing the first segment; a second display object representing the second segment; a third display object representing an attachment of the isolated network to the first segment; and a fourth display object representing a path shared between the first segment and the second segment.
11. The computer-implemented method of claim 5, further comprising determining, based on the policy data, a second subset of the plurality of geographic regions in which the second segment is to be established, wherein the second subset of the plurality of geographic regions is different than the subset of the plurality of geographic regions.
12. The computer-implemented method of claim 5, further comprising determining, based on the policy data, to deny sharing of a route from the second segment with the first segment.
13. The computer-implemented method of claim 5, further comprising determining, based on the policy data, to permit sharing of a route from the second segment with the first segment.
14. A system comprising: computer-readable memory storing executable instructions; and one or more processors in communication with the computer-readable memory and programmed by the executable instructio
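The claims above describe a control-server policy model: gateway nodes in each region keep one route table per segment (claim 4), segments are limited to a subset of regions (claims 5 and 11), isolated networks attach to a segment based on a tag or attachment metadata (claims 1 and 5), attachment may require administrator acceptance (claims 3 and 7), attachments of one segment may be walled off from each other while still reaching a shared resource segment (claims 8 and 9), and route sharing between segments is permitted or denied by policy (claims 12 and 13). The following Python model is an added illustration of how those policy decisions combine; it is not code from the patent or from any provider's implementation, and every class, field, region label, tag and CIDR in it is a constructed assumption.

```python
"""Toy model of the control-server logic in the claims: per-segment route tables on
regional gateways, tag-driven attachment, optional acceptance, intra-segment isolation
with a shared segment, and policy-controlled route sharing. All names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SegmentPolicy:
    name: str
    regions: frozenset                 # subset of provider regions the segment spans
    attach_tag: str                    # isolated networks carrying this tag attach here
    require_acceptance: bool = False   # administrator must approve the attachment
    isolate_attachments: bool = False  # attached networks may not reach each other
    import_routes_from: frozenset = frozenset()  # segments allowed to share routes in


@dataclass(frozen=True)
class IsolatedNetwork:
    name: str
    region: str
    cidr: str
    tags: frozenset


class ControlServer:
    def __init__(self, regions, policies):
        self.regions = frozenset(regions)
        self.policies = {p.name: p for p in policies}
        # One route table per (regional gateway, segment): region -> segment -> {cidr: network}
        self.route_tables = {r: {} for r in self.regions}
        for p in policies:
            if not p.regions <= self.regions:
                raise ValueError(f"segment {p.name} names unknown regions")
            for r in p.regions:
                self.route_tables[r][p.name] = {}
        self.attachments = {}  # network name -> segment name
        self.pending = {}      # network name -> (network, segment) awaiting acceptance

    def request_attachment(self, net):
        """Pick the segment by tag, then attach or hold for administrator acceptance."""
        matches = [p for p in self.policies.values() if p.attach_tag in net.tags]
        if not matches:
            return "no-matching-segment"
        policy = matches[0]
        if net.region not in policy.regions:
            return "region-not-in-segment"  # segment is limited to a subset of regions
        if policy.require_acceptance:
            self.pending[net.name] = (net, policy.name)
            return "pending-acceptance"
        self._install_routes(net, policy.name)
        return "attached"

    def accept(self, net_name):
        net, segment = self.pending.pop(net_name)
        self._install_routes(net, segment)
        return "attached"

    def _install_routes(self, net, segment):
        self.attachments[net.name] = segment
        for r in self.policies[segment].regions:
            self.route_tables[r][segment][net.cidr] = net.name
        # Share the route only into segments whose policy permits routes from this one.
        for other in self.policies.values():
            if segment in other.import_routes_from:
                for r in other.regions:
                    self.route_tables[r][other.name][net.cidr] = net.name

    def can_communicate(self, src, dst):
        """Forwarding decision at src's regional gateway using src's segment table."""
        segment = self.attachments.get(src.name)
        if segment is None:
            return False
        table = self.route_tables[src.region][segment]
        if dst.cidr not in table:
            return False  # no route: traffic stays isolated within its own segment
        same_segment = self.attachments.get(dst.name) == segment
        if same_segment and self.policies[segment].isolate_attachments:
            return False  # attachments of this segment are walled off from each other
        return True


def run_demo():
    """Constructed scenario: prod and dev segments plus a shared-services segment."""
    regions = ["us-east", "eu-west", "ap-south"]
    prod = SegmentPolicy("prod", frozenset({"us-east", "eu-west"}), "env:prod",
                         isolate_attachments=True, import_routes_from=frozenset({"shared"}))
    dev = SegmentPolicy("dev", frozenset({"us-east", "ap-south"}), "env:dev",
                        import_routes_from=frozenset({"shared"}))
    shared = SegmentPolicy("shared", frozenset(regions), "role:shared", require_acceptance=True,
                           import_routes_from=frozenset({"prod", "dev"}))
    cs = ControlServer(regions, [prod, dev, shared])
    vpc_a = IsolatedNetwork("vpc-a", "us-east", "10.1.0.0/16", frozenset({"env:prod"}))
    vpc_b = IsolatedNetwork("vpc-b", "eu-west", "10.2.0.0/16", frozenset({"env:prod"}))
    dev_vpc = IsolatedNetwork("dev-vpc", "ap-south", "10.3.0.0/16", frozenset({"env:dev"}))
    vpn_c = IsolatedNetwork("vpn-c", "ap-south", "10.4.0.0/16", frozenset({"env:prod"}))
    svc = IsolatedNetwork("svc", "us-east", "10.9.0.0/16", frozenset({"role:shared"}))
    r = {n.name: cs.request_attachment(n) for n in (vpc_a, vpc_b, dev_vpc, vpn_c, svc)}
    r["a_to_svc_before_accept"] = cs.can_communicate(vpc_a, svc)
    r["svc_accept"] = cs.accept("svc")
    r["a_to_svc"] = cs.can_communicate(vpc_a, svc)
    r["svc_to_a"] = cs.can_communicate(svc, vpc_a)
    r["a_to_b"] = cs.can_communicate(vpc_a, vpc_b)      # same segment, isolated attachments
    r["a_to_dev"] = cs.can_communicate(vpc_a, dev_vpc)  # different segment, no route shared
    r["dev_to_svc"] = cs.can_communicate(dev_vpc, svc)
    r["dev_table_has_prod_route"] = vpc_a.cidr in cs.route_tables["us-east"]["dev"]
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model keeps isolation as a property of the data plane rather than of a separate filter: a destination is reachable only if its prefix was installed in the source segment's table at the source's regional gateway, so a prefix that policy never shares simply has no route. The one explicit deny is the intra-segment case of claim 8, where a route exists (both attachments are in the same segment) but the policy forbids the attachments from reaching each other while still allowing each to reach the shared segment.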
CPC classifications:
- Address table lookup; Address filtering
- Virtual LANs, VLANs, e.g. virtual private networks [VPN] (LAN interconnection over a bridge based backbone H04L12/462; encapsulation techniques H04L12/4633; routing of packets H04L45/00; packet switches H04L49/00; virtual private networks for security H04L63/0272)
- Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- Interdomain routing, e.g. hierarchical routing
- Interconnection of networks using encapsulation techniques, e.g. tunneling