Link grouping for route optimization
US-9015299-B1 · Apr 21, 2015 · US
US12267364B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12267364-B2 |
| Application number | US-202117384738-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 24, 2021 |
| Priority date | Jul 24, 2021 |
| Publication date | Apr 1, 2025 |
| Grant date | Apr 1, 2025 |
Abstract:
A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.
Claims:
We claim:

1. A method comprising: receiving, at a service node of a grouping of two or more service nodes configured to operate in an active-active high availability configuration, a packet from a cloud gateway that is one of a plurality of cloud gateways of a software-defined wide area network (SD-WAN) configured to receive packet traffic from different datacenters or branch offices, wherein the service node operates a provider service router (T0-SR) and a plurality of tenant service routers (T1-SRs) that correspond to a plurality of different tenant segments; translating, at a particular T1-SR of the service node, a source address of the packet to a private address of the particular T1-SR, the private address that is configured to distinguish the particular T1-SR among the plurality of T1-SRs within the service node; translating, at a T0-SR of the service node, the private address of the particular T1-SR into a public address of the T0-SR, a corresponding service node in the grouping being configured to assume translation operations for processing of the packet in response to a failure event; and transmitting the packet through an uplink to an external network using the public address of the T0-SR as a source address.
2. The method of claim 1, wherein the packet is from a first tenant segment and the T1-SR applies a security policy associated with the first tenant segment to the packet.
3. The method of claim 1, further comprising: determining whether the packet is destined for a remote site or a local site; when the packet is destined for the local site, applying a security policy to the packet and returning a result to the cloud gateway.
4. The method of claim 1, wherein the private address of the T1-SR is used to identify the particular T1-SR among the plurality of T1-SRs behind the T0-SR.
5. The method of claim 1, wherein the cloud gateway is configured by an orchestrator of the SD-WAN and the service node is managed by a network virtualization management software.
6. The method of claim 1, further comprising receiving a response packet at the public address of the T0-SR.
7. The method of claim 1, wherein the transmitted packet is destined for a remote site of the SD-WAN.
8. The method of claim 1, wherein the cloud gateway and the service node are hosted by machines located in a same point-of-presence.
9. A computing device comprising: a service node, of a grouping of two or more service nodes configured to operate in an active-active high availability configuration, configured to receive a packet from a cloud gateway that is one of a plurality of cloud gateways of a software-defined wide area network (SD-WAN) configured to receive packet traffic from different datacenters or branch offices, wherein the service node operates a provider service router (T0-SR) and a plurality of tenant service routers (T1-SRs) that correspond to a plurality of different tenant segments; a first T1-SR configured to translate a source address of the packet to a private address of the particular T1-SR, the private address that is configured to distinguish the particular T1-SR among the plurality of T1-SRs within the service node; a first T0-SR configured to translate the private address of the particular T1-SR into a public address of the T0-SR, a corresponding service node in the grouping being configured to assume translation operations for processing of the packet in response to a failure event; wherein the service node is further configured to transmit the packet through an uplink to an external network using the public address of the T0-SR as a source address.
10. The computing device of claim 9, wherein the packet is from a first tenant segment and the T1-SR applies a security policy associated with the first tenant segment to the packet.
11. The computing device of claim 9, wherein the plurality of actions further comprise: determining whether the packet is destined for a remote site or a local site; and when the packet is destined for the local site, applying a security policy to the packet and returning a result to the cloud gateway.
12. The computing device of claim 9, wherein the private address of the T1-SR is used to identify the first T1-SR among the plurality of T1-SRs behind the T0-SR.
13. The computing device of claim 9, wherein the cloud gateway is configured by an orchestrator of the SD-WAN and the service node is managed by a network virtualization management software.
14. The computing device of claim 9, wherein the plurality of actions further comprise receiving a response packet at the public address of the T0-SR.
15. The computing device of claim 9, wherein the transmitted packet is destined for a remote site of the SD-WAN.
16. The computing device of claim 9, wherein the cloud gateway and the service node are hosted by machines located in a same point-of-presence.
17. A non-transitory machine-readable medium storing a program for execution by at least one hardware processing unit, the program comprising sets of instructions for: receiving, at a service node of a grouping of two or more service nodes configured to operate in an active-active high availability configuration, a packet from a cloud gateway that is one of a plurality of cloud gateways of a software-defined wide area network (SD-WAN) configured to receive packet traffic from different datacenters or branch offices, wherein the service node operates a provider service router (T0-SR) and a plurality of tenant service routers (T1-SRs) that correspond to a plurality of different tenant segments; translating, at a particular T1-SR of the service node, a source address of the packet to a private address of the particular T1-SR, the private address that is configured to distinguish the particular T1-SR among the plurality of T1-SRs within the service node; translating, at a T0-SR of the service node, the private address of the particular T1-SR into a public address of the T0-SR, a corresponding service node in the grouping being configured to assume translation operations for processing of the packet in response to a failure event; and transmitting the packet through an uplink to an external network using the public address of the T0-SR as a source address.
18. The non-transitory machine-readable medium of claim 17, wherein the packet is from a first tenant segment and the T1-SR applies a security policy associated with the first tenant segment to the packet.
19. The non-transitory machine-readable medium of claim 17, wherein the plurality of actions further comprise: determining whether the packet is destined for a remote site or a local site; and when the packet is destined for the local site, applying a security policy to the packet and returning a result to the cloud gateway.
20. The non-transitory machine-readable medium of claim 17, wherein the private address of the T1-SR is used to identify the particular T1-SR among the plurality of T1-SRs behind the T0-SR.
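The two-stage source translation in claims 1, 4 and 6, as an added model that is not code from the patent or from any vendor product: a VNI selects the tenant's T1-SR, the T1-SR rewrites the source to its own private address (which then identifies the tenant inside the node), the T0-SR rewrites that to its public address, and a response arriving at the public address is reversed through both stages. Addresses, VNIs, the tenant deny policy, the port allocation scheme and the use of shared NAT dictionaries to stand in for the HA peer "assuming translation operations" are all assumptions of this example; the claims do not specify those mechanisms.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    vni: int          # VNI from the tunnel metadata; 0 once the packet is on the uplink
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class ServiceNode:
    """One member of an active-active grouping: a T0-SR fronting one T1-SR per tenant segment."""
    t0_public: str                    # public address of this node's T0-SR
    t1_private: Dict[int, str]        # vni -> private address of that tenant's T1-SR
    deny: Dict[int, Tuple[str, ...]]  # vni -> destination prefixes the tenant policy blocks
    t1_nat: Dict[Tuple[str, int], str] = field(default_factory=dict)              # shared with HA peer: (T1 addr, sport) -> orig src
    t0_nat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # shared with HA peer: (public, port) -> (T1 addr, sport)

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Packet from a cloud gateway: T1-SR policy and SNAT, then T0-SR SNAT to the uplink."""
        t1_addr = self.t1_private.get(pkt.vni)
        if t1_addr is None:
            return None                                   # unknown VNI: no tenant, drop
        if any(pkt.dst.startswith(p) for p in self.deny.get(pkt.vni, ())):
            return None                                   # tenant security policy denies
        self.t1_nat[(t1_addr, pkt.sport)] = pkt.src       # stage 1: src -> T1-SR private address
        port = 40000 + len(self.t0_nat)                   # stage 2: T1-SR private -> T0-SR public (assumed allocation)
        self.t0_nat[(self.t0_public, port)] = (t1_addr, pkt.sport)
        return Packet(0, self.t0_public, pkt.dst, port, pkt.dport)

    def ingress_response(self, pkt: Packet) -> Optional[Packet]:
        """Response at the T0-SR public address: reverse both stages and recover the tenant VNI."""
        hop = self.t0_nat.get((pkt.dst, pkt.dport))
        if hop is None:
            return None                                   # no session state: unsolicited, drop
        t1_addr, sport = hop
        vni = next(v for v, a in self.t1_private.items() if a == t1_addr)  # T1 address identifies the tenant
        return Packet(vni, pkt.src, self.t1_nat[(t1_addr, sport)], pkt.sport, sport)

def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    tenants = {5001: "10.255.0.1", 5002: "10.255.0.2"}    # constructed VNI -> T1-SR table
    deny = {5002: ("198.51.100.",)}                       # constructed policy for tenant 5002
    node_a = ServiceNode("203.0.113.10", tenants, deny)
    node_b = ServiceNode("203.0.113.10", tenants, deny, node_a.t1_nat, node_a.t0_nat)  # HA peer, same state
    out = node_a.egress(Packet(5001, "10.1.1.7", "198.51.100.9", 51000, 443))
    denied = node_a.egress(Packet(5002, "10.2.1.7", "198.51.100.9", 51001, 443))
    back = node_b.ingress_response(Packet(0, "198.51.100.9", "203.0.113.10", 443, out.sport))
    return out, denied, back
```

`demo()` has node A perform the translation and its peer node B reverse the response from the shared state, which is the failover behaviour the claims describe without prescribing a mechanism.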
CPC classification titles:

- Centralised routing
- of virtual routers
- Routing instructions carried by the data packet, e.g. active networks
- Firewall traversal, e.g. tunnelling or, creating pinholes
- for managing network security; network security policies in general (filtering policies H04L63/0227)