Global-scale connectivity using scalable virtual traffic hubs
US-2020162362-A1 · May 21, 2020 · US
US12021902B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-12021902-B1 |
| Application number | US-202117643769-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 10, 2021 |
| Priority date | Dec 10, 2021 |
| Publication date | Jun 25, 2024 |
| Grant date | Jun 25, 2024 |
Official abstract text for this publication.
Systems and methods are provided for evaluation of communication paths through networks to determine whether communication is permitted across one or more internal network boundaries. The analysis may be used to determine whether a node in one isolated network (e.g., VPC, VPN, client on-premise network, etc.) is able to communicate with a node in another isolated network across region and/or segment boundaries. The automated analysis can allow users (e.g., network administrators) to see what high-level policies (e.g., Cloud WAN policies written in a declarative language) are interfering with or permitting communication between the nodes.
Opening claim text (preview).
What is claimed is:

1. A system comprising: a cloud provider network comprising a plurality of compute nodes and a plurality of gateway nodes, wherein the plurality of gateway nodes are configured to route network traffic between the plurality of compute nodes; and one or more computing devices programmed by executable instructions to at least: obtain policy data regarding a virtual private cloud-based wide area network to be deployed on the cloud provider network and segmented into at least a first segment and a second segment, wherein the virtual private cloud-based wide area network connects two or more client on-premise networks to each other via the cloud provider network, and wherein at least a first portion of traffic in the first segment is to be isolated from at least a second portion of traffic in the second segment; determine, using the policy data, a plurality of implementation operations to be performed to deploy the virtual private cloud-based wide area network; deploy the virtual private cloud-based wide area network in the cloud provider network using the plurality of implementation operations; generate a model of the virtual private cloud-based wide area network as deployed in the cloud provider network; generate a set of routing criteria for the virtual private cloud-based wide area network using the policy data and a set of translation rules that specifies how the policy data is to be translated into the routing criteria; determine the routing criteria indicates bi-directional communication is permitted over a network path between a first endpoint in the first segment and a second endpoint in the second segment, wherein the network path is determined without causing data to be transmitted within the virtual private cloud-based wide area network; determine the model indicates bi-directional communication is not to be permitted over the network path in the virtual private cloud-based wide area network as deployed in the cloud provider network; and based on the routing criteria indicating bi-directional communication is permitted over the network path and the model indicating bi-directional communication is not to be permitted over the network path, generate output indicating bi-directional communication is not permitted over the network path in the virtual private cloud-based wide area network.

2. The system of claim 1, the one or more computing devices are programmed by further executable instructions to: evaluate at least a first portion of the model using a first evaluation engine configured to evaluate routing criteria within isolated networks, wherein a first endpoint of the virtual private cloud-based wide area network is in a first isolated network of a first region of the cloud provider network; evaluate at least a second portion of the model using a second evaluation engine configured to evaluate cross-region routing criteria; and evaluate at least a third portion of the model using the first evaluation engine, wherein a second endpoint of the virtual private cloud-based wide area network is in a second isolated network of a second region of the cloud provider network.

3. The system of claim 1, wherein to generate the output, the one or more computing devices are programmed by further executable instructions to use a second set of translation rules.

4. The system of claim 1, wherein to generate the model, the one or more computing devices are programmed by further executable instructions to determine, based on the policy data, a subset of regions of a plurality of regions of the cloud provider network, wherein each region of the subset of regions includes at least one object of the virtual private cloud-based wide area network.

5. A computer-implemented method comprising: under control of a computing system of a cloud provider network, the computing system comprising memory and one or more computer processors configured to execute specific instructions: obtaining a model of a private network implemented within the cloud provider network, wherein the model is based at least on a set of routing criteria implemented to route traffic of the private network, and wherein the set of routing criteria are derived from first policy data associated with the private network; obtaining query data representing a first endpoint within the private network and a second endpoint within the private network; determining, using the model, one or more routing criteria affecting communication between the first endpoint and the second endpoint; and translating the one or more routing criteria into second policy data associated with the private network.

6. The computer-implemented method of claim 5, further comprising deploying the private network as a virtual private cloud-based wide area network connecting two or more client on-premise networks to each other via the cloud provider network.

7. The computer-implemented method of claim 5, wherein determining, using the model, the one or more routing criteria affecting communication between the first endpoint and the second endpoint comprises determining one or more routing criteria preventing communication between the first endpoint and the second endpoint.

8. The computer-implemented method of claim 5, wherein determining, using the model, the one or more routing criteria affecting communication between the first endpoint and the second endpoint comprises determining one or more routing criteria allowing communication between the first endpoint and the second endpoint.

9. The computer-implemented method of claim 5, further comprising: obtaining the first policy data from an administrator computing device; translating the first policy data into a set of implementation operations to implement the private network within the cloud provider network, wherein the set of implementation operations includes one or more implementation operations to implement the set of routing criteria; and performing the set of implementation operations to implement the private network within the cloud provider network.

10. The computer-implemented method of claim 9, wherein performing the set of implementation operations comprises at least one of: creating a route table of a gateway node of the cloud provider network, or modifying the route table of the gateway node.

11. The computer-implemented method of claim 9, further comprising generating metadata associated with a first routing criterion of the set of routing criteria, wherein the metadata represents a first portion of the first policy data that the first routing criterion is to implement.

12. The computer-implemented method of claim 11, wherein translating the one or more routing criteria into the second policy data comprises identifying the first portion of the first policy data based at least on the metadata associated with the first routing criterion, wherein the second policy data comprises the first portion of the first policy data.

13. The computer-implemented method of claim 5, wherein determining the one or more routing criteria comprises determining at least one of: a routing rule, a routing table, a security access rule, or a firewall rule.

14. The computer-implemented method of claim 5, further comprising generating the model based at least on the set of routing criteria, wherein the model is generated without causing data to be transmitted from the first endpoint.

15. The computer-implemented method of claim 5, wherein determining the one or more routing criteria comprises: evaluating at least a first portion of the model using a first evaluation engine configured to evaluate routing criteria
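The claims above describe a pipeline: declarative policy is translated into routing criteria by translation rules, each criterion carries metadata pointing back at the policy portion it implements, a model of the deployed network is evaluated statically (without sending traffic) for a queried endpoint pair, and a mismatch between what the policy permits and what the deployment actually routes is reported. The following Python is an added illustration of that idea, not code from the patent or from any cloud provider's product. The policy format, the attachment and segment names, the per-(region, segment) route tables and the `policy_ref` metadata field are all constructed for the example, and the routing model is a deliberate simplification: a packet from one attachment reaches another only if the source region's route table for the source's segment holds a route to the destination.

```python
"""Static policy-vs-deployment reachability check for a segmented cloud WAN.

Hypothetical example. The policy, attachments, route tables and drift below
are constructed for illustration; the route-table model is a simplification.
"""
from itertools import product

# Constructed declarative policy: attachment -> segment/region, plus which
# segment pairs may exchange traffic. Segments are isolated unless shared.
POLICY = {
    "attachments": {
        "vpc-a": {"segment": "prod", "region": "us-east"},
        "vpc-c": {"segment": "prod", "region": "us-west"},
        "vpc-b": {"segment": "dev", "region": "us-west"},
    },
    "shares": [],  # e.g. ("dev", "prod") would permit dev <-> prod traffic
}

# Constructed model of the deployed gateway route tables, keyed by
# (region, segment). Each route records the policy reference the deployment
# tooling attached when it created it (the metadata of claims 11/12).
# Drift is built in on purpose: us-west/prod lost its route back to vpc-a,
# and us-west/dev has an unmanaged route to vpc-a with no policy reference.
DEPLOYED = {
    ("us-east", "prod"): {"vpc-c": {"policy_ref": "segment:prod"}},
    ("us-west", "prod"): {},
    ("us-west", "dev"): {"vpc-a": {"policy_ref": None}},
}


def translate_policy(policy):
    """Translation rules: policy data -> intended routing criteria.

    Rule 1: attachments in the same segment get routes to each other.
    Rule 2: attachments in explicitly shared segments get routes to each other.
    Every generated route carries a policy_ref naming the rule that produced it.
    """
    att = policy["attachments"]
    shares = {frozenset(pair) for pair in policy["shares"]}
    tables = {}
    for src, dst in product(att, att):
        if src == dst:
            continue
        s, d = att[src]["segment"], att[dst]["segment"]
        if s == d:
            ref = f"segment:{s}"
        elif frozenset((s, d)) in shares:
            ref = "share:" + "<->".join(sorted((s, d)))
        else:
            continue  # isolated segments: no route, traffic is dropped
        tables.setdefault((att[src]["region"], s), {})[dst] = {"policy_ref": ref}
    return tables


def route_for(tables, src, dst, attachments):
    """Routing criterion carrying src -> dst, or None if the path is blocked.

    Evaluated purely on the route-table model; no traffic is generated.
    """
    a = attachments[src]
    return tables.get((a["region"], a["segment"]), {}).get(dst)


def evaluate_path(policy, deployed, src, dst):
    """Compare intended vs deployed reachability for an endpoint pair.

    Returns a verdict plus per-direction details that translate the routing
    criteria back into the policy portion they implement (or flag drift).
    """
    att = policy["attachments"]
    intended = translate_policy(policy)
    fwd_i, rev_i = route_for(intended, src, dst, att), route_for(intended, dst, src, att)
    fwd_d, rev_d = route_for(deployed, src, dst, att), route_for(deployed, dst, src, att)
    intent_ok = fwd_i is not None and rev_i is not None
    deployed_ok = fwd_d is not None and rev_d is not None

    if intent_ok and deployed_ok:
        verdict = "consistent-permitted"
    elif not intent_ok and fwd_d is None and rev_d is None:
        verdict = "consistent-isolated"
    elif intent_ok:
        verdict = "blocked-in-deployment"  # the situation of claim 1
    else:
        verdict = "isolation-leak"  # deployment routes what policy forbids

    details = []
    for label, r_int, r_dep, (x, y) in (
        ("forward", fwd_i, fwd_d, (src, dst)),
        ("reverse", rev_i, rev_d, (dst, src)),
    ):
        if r_int and not r_dep:
            details.append(f"{label} {x}->{y}: route implementing {r_int['policy_ref']} is missing")
        elif r_dep and not r_int:
            details.append(f"{label} {x}->{y}: unmanaged route present (policy_ref={r_dep['policy_ref']})")
    return {"verdict": verdict, "bidirectional_permitted": deployed_ok, "details": details}


if __name__ == "__main__":
    for pair in (("vpc-a", "vpc-c"), ("vpc-b", "vpc-a"), ("vpc-b", "vpc-c")):
        print(pair, evaluate_path(POLICY, DEPLOYED, *pair))
```

Running it reports that the intra-segment `vpc-a`/`vpc-c` path is permitted by policy but not bi-directionally routable as deployed (the missing `segment:prod` route is named), that `vpc-b`/`vpc-a` has a one-way unmanaged route crossing the dev/prod boundary, and that `vpc-b`/`vpc-c` is isolated as intended. Because every finding is expressed in terms of the policy reference behind each route, the output is directly actionable for the administrator who wrote the policy rather than a raw route-table diff.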
Assignment of logical groups to network elements · CPC title
Virtual private networks · CPC title
involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title
Traffic policing · CPC title
Multipath · CPC title