Communications network control plane process
US-2024406074-A1 · Dec 5, 2024 · US
US2016294646A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016294646-A1 |
| Application number | US-201514934850-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 6, 2015 |
| Priority date | Apr 3, 2015 |
| Publication date | Oct 6, 2016 |
| Grant date | — |
Official abstract text for this publication.
A global manager computer generates management instructions for a particular managed server within an administrative domain according to a set of rules. The global manager identifies a traffic midpoint device through which the provider managed server provides a service to a user device. The global manager determines a relevant rule from the set of rules that is applicable to communication between the provider managed server and the user device and generates a backend rule that is applicable to communication between the provider managed server and the traffic midpoint device. The global manager generates a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service. The global manager sends the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.
Opening claim text (preview).
What is claimed is:

1. A method of generating function-level instructions for a provider managed server of a plurality of managed servers according to a communication policy that comprises a set of one or more rules, the method comprising: identifying a traffic midpoint device through which the provider managed server of the plurality of managed servers provides a service to a user device; determining a relevant rule from the set of rules that specifies the service and that is applicable to communication between the provider managed server and the user device; generating, based on the relevant rule, a backend rule that specifies the service and that is applicable to communication between the provider managed server and the traffic midpoint device; generating, based on the backend rule, a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service, the actor-set including the traffic midpoint device and excluding the user device; and sending the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.

2. The method of claim 1, wherein determining the relevant rule from the set of rules comprises: obtaining a provider label set describing high-level characteristics of the provider managed server, the provider label set specifying dimensions and the provider managed server's value for each dimension; obtaining a user label set describing high-level characteristics of the user device, the user label set specifying dimensions and the user device's value for each dimension; and selecting the relevant rule from the set of rules in response to the relevant rule having a provided-by portion applicable to the provider label set and a used-by portion applicable to the user label set.

3. The method of claim 2, wherein generating the backend rule comprises: obtaining a midpoint label set describing high-level characteristics of the traffic midpoint device, the midpoint label set specifying dimensions and the traffic midpoint device's value for each dimension; generating the backend rule specifying the service, the provided-by portion of the relevant rule, and a used-by portion specifying the midpoint label set.

4. The method of claim 3, wherein the provider label set specifies a role dimension and the provider managed server's value for the role dimension, wherein obtaining the midpoint label set comprises: in response to identifying the traffic midpoint device, assigning the traffic midpoint device a label specifying a value for the role dimension equal to the provider managed server's value for the role dimension; and modifying the provider managed server's value for the role dimension to indicate that the provider managed server is a layer removed from the user device relative to the traffic midpoint device's value for the role dimension.

5. The method of claim 1, wherein sending the backend function-level instruction to the provider managed server comprises: obtaining a midpoint label set describing high-level characteristics of the traffic midpoint device, the midpoint label set specifying dimensions and the traffic midpoint device's value for each dimension; generating the actor-set referenced by the backend function-level instruction by enumerating devices having label sets with values matching the traffic midpoint device's values for each dimension of the midpoint label set; and sending the backend function-level instruction and a list of devices in the referenced actor-set to the provider managed server.

6. The method of claim 5, wherein sending the backend function-level instruction further comprises: identifying a change in an additional label set assigned to an additional traffic midpoint device; in response to identifying the change in the additional label set, determining that the additional label set matches the midpoint label set of the traffic midpoint device; updating the actor-set referenced by the backend function-level instruction to include the additional traffic midpoint device; and sending an updated list of devices in the referenced actor-set to the provider managed server.

7. The method of claim 1, wherein the user device is a user managed server, and wherein sending the backend function-level instruction further comprises: generating, based on the relevant rule, a frontend rule that specifies the service and that is applicable to communication between the user managed server and the traffic midpoint device; generating, based on the frontend rule, a frontend function-level instruction including a reference to an actor-set authorized to communicate with the user managed server to provide the service, the actor-set including the traffic midpoint device and excluding the provider managed server; and sending the frontend function-level instruction to the user managed server to configure the user managed server to enforce the frontend rule on communication with the traffic midpoint device.

8. The method of claim 7, wherein generating the frontend function-level instruction comprises: obtaining a configuration of the traffic midpoint device, the configuration indicating an effect of the traffic midpoint device on an apparent source network address of communication from the traffic midpoint device to the user managed server; determining an expected network address of communication to the user managed server when the user managed server uses the service based on the effect of the traffic midpoint device on the apparent source network address of communication from the traffic midpoint device to the user managed server; and generating the frontend function-level instruction to specify the expected network address.

9. The method of claim 1, wherein sending the function-level instruction comprises: obtaining a security configuration of the traffic midpoint device, the security configuration identifying actors allowed to communicate with the traffic midpoint device; and instructing the traffic midpoint device to modify its security configuration based on the backend rule to allow the traffic device to communicate with the provider managed server.

10. A non-transitory, computer-readable storage medium storing instructions executable by one or more processors to perform steps for generating function-level instructions for a provider managed server included in a plurality of managed servers according to a security policy that comprises a set of one or more rules, the steps comprising: identifying a traffic midpoint device through which the provider managed server of the plurality of managed servers provides a service to a user device; determining a relevant rule from the set of rules that specifies the service and that is applicable to communication between the provider managed server and the user device; generating, based on the relevant rule, a backend rule that specifies the service and that is applicable to communication between the provider managed server and the traffic midpoint device; generating, based on the backend rule, a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service, the actor-set including the traffic midpoint device and excluding the user device; and sending the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.
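The label-set matching and backend-rule derivation of claims 1, 2, 3 and 5, written out as an added Python example (not code from the patent or its assignee): a rule's provided-by and used-by portions are selectors over label dimensions, the backend rule swaps the used-by portion for the midpoint's own label set, and the actor-set is enumerated from an inventory while the user device stays excluded. The `Rule`/`Device` data model, the wildcard treatment of omitted dimensions and the inventory values are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    service: str       # e.g. "tcp/443"
    provided_by: dict  # label-set selector for the provider side
    used_by: dict      # label-set selector for the user side
@dataclass(frozen=True)
class Device:
    name: str
    labels: dict       # dimension -> value, e.g. {"role": "web", "env": "prod"}

def matches(selector, labels):
    # Every dimension the selector names must carry the same value; omitted ones are wildcards (assumption).
    return all(labels.get(dim) == val for dim, val in selector.items())

def relevant_rule(rules, provider, user, service):
    # Claim 2: provided-by must apply to the provider's labels, used-by to the user's.
    for r in rules:
        if (r.service == service and matches(r.provided_by, provider.labels)
                and matches(r.used_by, user.labels)):
            return r
    return None

def backend_rule(rule, midpoint):
    # Claim 3: keep service and provided-by, replace used-by with the midpoint's
    # own label set so only midpoint-like devices may reach the provider.
    return Rule(rule.service, rule.provided_by, dict(midpoint.labels))

def actor_set(selector, inventory, exclude):
    # Claims 1 and 5: enumerate matching devices, never the excluded user device.
    return sorted(d.name for d in inventory
                  if d is not exclude and matches(selector, d.labels))

def backend_instruction(rules, inventory, provider, user, midpoint, service):
    rule = relevant_rule(rules, provider, user, service)
    if rule is None:
        return None  # no policy rule covers this pair: nothing to enforce
    b = backend_rule(rule, midpoint)
    return {"target": provider.name, "service": b.service,
            "allow_from": actor_set(b.used_by, inventory, user)}

# Constructed inventory; the one policy rule lets any prod device use tcp/443 on prod web servers.
WEB = Device("web-1", {"role": "web", "env": "prod"})
CLIENT = Device("client-1", {"role": "client", "env": "prod"})
LB1 = Device("lb-1", {"role": "loadbalancer", "env": "prod"})
LB2 = Device("lb-2", {"role": "loadbalancer", "env": "prod"})
LBDEV = Device("lb-dev", {"role": "loadbalancer", "env": "dev"})
INVENTORY = [WEB, CLIENT, LB1, LB2, LBDEV]
RULES = [Rule("tcp/443", {"role": "web", "env": "prod"}, {"env": "prod"})]
```

With this inventory the instruction for `web-1` allows `tcp/443` only from `lb-1` and `lb-2`: the dev load balancer fails the `env` dimension and the client never appears, which is the narrowing the backend rule is meant to achieve.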
| CPC title |
|---|
| wherein the managed service relates to distributed or central networked applications |
| Network utilisation, e.g. volume of load or congestion level |
| Active monitoring, e.g. heartbeat, ping or trace-route |
| Threshold monitoring |
| Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components |