US2020007584A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020007584-A1 |
| Application number | US-201816217607-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 12, 2018 |
| Priority date | Jun 27, 2018 |
| Publication date | Jan 2, 2020 |
| Grant date | — |
Official abstract text for this publication.
In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.
Opening claim text (preview).
What is claimed is:

1. A method comprising: creating a security compliance requirement for a network, the security compliance requirement comprising endpoint group (EPG) selectors, a traffic selector, and a communication operator, wherein the EPG selectors represent sets of EPGs, wherein the traffic selector comprises traffic parameters identifying traffic corresponding to the traffic selector, and wherein the communication operator defines a communication condition for traffic associated with the EPG selectors and the traffic selector; based on a plurality of distinct pairs of EPGs from the sets of EPGs, determining that respective EPGs in one or more distinct pairs of EPGs are associated with different network contexts in the network, each of the plurality of distinct pairs of EPGs comprising respective EPGs from the first EPG selectors; determining, for each of the one or more distinct pairs of EPGs, which of the different network contexts contains policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs; for each distinct pair of EPGs, creating a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; when only a first one of the different network contexts is determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: creating a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the first one of the different network contexts; and determining whether the first respective data structure is contained in the second respective data structure to yield a first containment check; when both of the different network contexts are determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: creating the second respective data structure representing the first portion of the logical model and a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with a second one of the different network contexts; and determining whether the first respective data structure is contained in at least one of the second respective data structure and the third respective data structure to yield a second containment check; and determining whether policies for traffic between respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement based on at least one of the first containment check and the second containment check.

2. The method of claim 1, wherein the first respective data structure and at least one of the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors, and wherein the different network contexts comprise at least one of virtual routing and forwarding (VRF) instances, private networks, and network domains.

3. The method of claim 1, wherein determining whether policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement comprises determining whether one or more of the policies satisfy, violate, or apply the security compliance requirement, the method further comprising: generating one or more compliance assurance events indicating whether the policies comply with the security compliance requirement.

4. The method of claim 3, wherein generating the one or more compliance assurance events comprises presenting a compliance result comprising at least one of: a first indication indicating whether the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated, or not applied, wherein the second indication identifies at least one of a set of policy objects and one or more policies, the set of policy objects comprising at least one of a consumer EPG, a provider EPG, a contract, a filter, a tenant, a virtual routing and forwarding (VRF) object, a network context, and an application profile; and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category, and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected, and a policy object affected.

5. The method of claim 1, further comprising determining whether a state of the network complies with the security compliance requirement by: comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, determining whether the hardware policy entries configured on the network devices in the network satisfy, violate, or apply the security compliance requirement.

6. The method of claim 1, wherein the network comprises a plurality of network fabrics, the method further comprising: creating, based on additional configuration data, additional security compliance requirements, the additional configuration data comprising respective EPG selectors, respective traffic selectors, and respective communication operators; grouping the additional security compliance requirements to yield a security compliance requirement set; associating the security compliance requirement set with a subset of the plurality of network fabrics; and determining whether respective policies associated with the subset of the plurality of network fabrics comply with the security compliance requirement set.

7. The method of claim 1, wherein determining which of the different network contexts contains policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs is based on at least one of an indication of an identity of each of the respective EPGs and a role of each of the respective EPGs, wherein the role comprises at least one of a consumer role and a provider role, and wherein the indication of the identity comprises at least one of a tag, a label, and an identifier.

8. The method of claim 7, wherein the indication of the identity comprises the tag and determining which of the different network contexts contains policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs is based on at least one of a value associated with the tag and a type of tag, wherein the type of tag comprises a global tag or a local tag, and wherein the value associated with the tag indicates at least one of the role or a scope of the tag, the scope comprising a global scope or a local scope depending on the value associated with the tag.

9. The method of claim 8, further comprising: determining that each EPG in a particular pair of EPGs from the one or more distinct pairs of EPGs is associated with at least one of the local scope and the provider role; and in response to determining that each EPG in the particular pair of EPGs from the one or more distinct pairs of EPGs is associated with at least one of the local scope and the provider role, determining
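The per-pair containment check of claim 1 (one context holding policies gives the first check, both contexts the second), carried through on constructed data. This is an added illustration, not the patent's implementation: plain Python sets of (consumer EPG, provider EPG, protocol, port) flows stand in for the BDDs / n-bit vectors of claim 2, and the EPG-to-VRF mapping, policy models and the "must-allow" / "must-deny" operator names are assumptions.

```python
from itertools import product

# Constructed sample data (assumptions, not from the patent): the network
# context (VRF) each EPG belongs to, and each VRF's policy model expressed as
# the set of permitted (consumer EPG, provider EPG, protocol, port) flows.
# Sets stand in for the BDDs / n-bit vectors the patent uses.
EPG_VRF = {"web": "vrf-a", "app": "vrf-a", "db": "vrf-b"}
MODEL = {
    "vrf-a": {("web", "app", "tcp", 8080), ("app", "db", "tcp", 5432)},
    "vrf-b": {("app", "db", "tcp", 5432)},
}

def requirement_flows(consumer, provider, traffic):
    """First data structure: the flows the requirement covers for one pair."""
    return {(consumer, provider, proto, port) for proto, port in traffic}

def contexts_with_policies(consumer, provider):
    """Which of the pair's (up to two) network contexts contain policies for
    traffic between the two EPGs."""
    return {vrf for vrf in {EPG_VRF[consumer], EPG_VRF[provider]}
            if any(f[:2] == (consumer, provider) for f in MODEL[vrf])}

def check_requirement(consumers, providers, traffic, operator="must-allow"):
    """Evaluate one requirement (EPG selectors + traffic selector + operator).

    Returns {(consumer, provider): "satisfied" | "violated" | "not applied"}.
    With one context holding policies this is the first containment check;
    with both, the requirement must be contained in at least one context's
    model (the second containment check)."""
    results = {}
    for consumer, provider in product(consumers, providers):
        if consumer == provider:
            continue
        req = requirement_flows(consumer, provider, traffic)
        ctxs = contexts_with_policies(consumer, provider)
        if not ctxs:  # no policy in either context: requirement not applied
            results[(consumer, provider)] = "not applied"
            continue
        if operator == "must-allow":
            ok = any(req <= MODEL[vrf] for vrf in ctxs)
        else:  # "must-deny" (assumed operator): no required flow may be permitted
            ok = all(req.isdisjoint(MODEL[vrf]) for vrf in ctxs)
        results[(consumer, provider)] = "satisfied" if ok else "violated"
    return results

if __name__ == "__main__":
    print(check_requirement(["web", "app"], ["app", "db"], [("tcp", 8080)]))
```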
CPC classification titles:

- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Trees, e.g. B+trees
- Network integration; Enabling network access in virtual machine instances
- Hypervisor-specific management and integration aspects
- Creating, deleting, cloning virtual machine instances