Cloud workload import into SD-WAN policy

What is claimed is: 1 . A computer-implemented method of dynamically applying a policy based on tag attributes, comprising: receiving, by a network controller, information about an instance of a cloud workload instantiated at a cloud provider, wherein the cloud workload is associated with a tag attribute, and wherein a pre-existing security policy prevents a device associated with the tag attribute from accessing the instance of the cloud workload; in response to a need for the device to access the cloud workload, querying, by the network controller, the cloud provider for at least one IP address of the device associated with the tag attribute; learning, by the network controller, the at least one IP address associated with the tag attribute; associating, by the network controller, a modified security policy with the at least one IP address associated with the tag attribute; propagating, by the network controller, the modified security policy to at least one edge router for implementation, wherein the modified security policy enables the device with the at least one IP address to access the instance of the cloud workload; and receiving, by the network controller, a report and outputting an updated one or more tag attributes. 2 . The computer-implemented method of claim 1 , further comprising: maintaining a table mapping IP addresses with the tag attributes. 3 . The computer-implemented method of claim 1 , further comprising: enforcing, by the at least one edge router, the security policy to network traffic destined for the cloud workload associated with the tag attribute. 4 . The computer-implemented method of claim 2 , further comprising: adding a second IP address associated with the cloud workload to the table mapping IP addresses with the tag attributes as a second instance of the cloud workload is instantiated, wherein the second IP address is associated with the security policy associated with the tag attribute. 5 . The computer-implemented method of claim 1 , wherein the propagating the security policy to the at least one edge router for implementation further comprises: synchronizing the at least one edge router with the network controller to enforce the security policy on at least one IP address associated with the tag attribute, whereby the at least one edge router can implement the security policy for traffic associated with a destination IP address matching the at least one IP address associated with the tag attribute. 6 . The computer-implemented method of claim 1 , wherein the network controller is an SD-WAN controller including a management plane and a control plane. 7 . The computer-implemented method of claim 1 , wherein the tag attributes are highly customizable tags generated by a network administrator. 8 . The computer-implemented method of claim 1 , wherein the cloud workload is not associated with one or more tag attributes, the method further comprising: assigning a tag attribute of the one or more tag attributes to the cloud workload. 9 . The computer-implemented method of claim 1 , wherein the cloud workload is located at a public cloud and the network controller is part of an enterprise network. 10 . The computer-implemented method of claim 1 , wherein the security policy applies to traffic going from a branch of an enterprise network to the instance of the cloud workload in a public cloud. 11 . The computer-implemented method of claim 1 , wherein the security policy applies to traffic going from a first cloud network to an instance of the cloud workload in a public cloud. 12 . The computer-implemented method of claim 1 , wherein the security policy applies to traffic coming from the instance of the cloud workload in a public cloud to a branch of an enterprise network. 13 . The computer-implemented method of claim 1 , wherein the instance of the cloud workload can be located in an enterprise cloud or a public cloud, and the instance of the cloud workload can be tagged as located in the enterprise cloud or the public cloud, wherein the security policy of the at least one IP address associated with the tag attribute provides for differentiated treatment of traffic depending on whether the instance of the cloud workload is located in the enterprise cloud or the public cloud. 14 . The computer-implemented method of claim 1 , wherein the report is of cloud workload traffic. 15 . The computer-implemented method of claim 14 , further comprising: providing, by the network controller, reporting and log statuses to provide cloud analytics regarding a security posture of an enterprise network. 16 . A computing apparatus comprising: a processor; and a memory storing instructions that, when executed by the processor, configure the apparatus to: receive, by a network controller, information about an instance of a cloud workload instantiated at a cloud provider, wherein the cloud workload is associated with a tag attribute and wherein a pre-existing security policy prevents a device associated with the tag attribute from accessing the instance of the cloud workload; in response to a need for the device to access the cloud workload, query, by the network controller, the cloud provider for at least one IP address of the device associated with the tag attribute; learn, by the network controller, the at least one IP address associated with the tag attribute; associate, by the network controller, a modified security policy with the at least one IP address associated with the tag attribute; and propagate, by the network controller, the modified security policy to at least one edge router for implementation, wherein the modified security policy enables the device with the at least one IP address to access the instance of the cloud workload. 17 . The computing apparatus of claim 16 , wherein the instructions further configure the apparatus to: maintain a table mapping IP addresses with the tag attributes, wherein the IP addresses associated with the tag attributes can change as the instances of the cloud workload are instantiated and terminated. 18 . The computing apparatus of claim 17 , wherein the instructions further configure the apparatus to: add a second IP address associated with the cloud workload to the table mapping IP addresses with the tag attributes as a second instance of the cloud workload is instantiated, wherein the second IP address is associated with the security policy associated with the tag attribute. 19 . The computing apparatus of claim 16 , wherein the instructions further configure the apparatus to: enforce, by the at least one edge router, the security policy to network traffic destined for the cloud workload associated with the tag attribute. 20 . A non-transitory computer-readable storage medium, the computer-readable storage medium including instructions that when executed by a computer, cause the computer to: receive, by a network controller, information about an instance of a cloud workload instantiated at a cloud provider, wherein the cloud workload is associated with a tag attribute, and wherein a pre-existing security policy prevents a device associated with the tag attribute from accessing the instance of the cloud workload; in response to a need for the device to access the cloud workload, query, by the network controller, the cloud provider for at least one IP address of the device associated with the tag attribute; learn, by the network controller, the at least one IP address associated with the tag attri