Modeling Application Dependencies to Identify Operational Risk
US-2021120029-A1 · Apr 22, 2021 · US
US2025141842A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025141842-A1 |
| Application number | US-202418919843-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 18, 2024 |
| Priority date | Oct 26, 2023 |
| Publication date | May 1, 2025 |
| Grant date | — |
Abstract:
A method for managing network segmentation policies in a cloud computing environment. The method includes collecting metadata associated with cloud resources protected by multiple segmentation policies. Relationships between the cloud resources are determined based on the collected metadata and visualized on a Graphical User Interface (GUI). These relationships are then recorded in a database. The method automatically configures a network segmentation policy based on the determined relationships, controlling whether network traffic between cloud resources is allowed or denied. The policy is then enforced by allowing or blocking traffic to and from the cloud resources based on the configured segmentation rules.
Claims:
What is claimed is:

1. A method for managing a network segmentation policy in a cloud computing environment, the method comprising: collecting cloud metadata associated with cloud resources, the cloud resources protected by a plurality of segmentation policies; determining relationships between different cloud resources associated with the segmentation policies based on the collected cloud metadata; visualizing the relationships on a Graphical User Interface (GUI); recording the determined relationships in a database; automatically configuring a network segmentation policy based on the determined relationships, the network segmentation policy causing network traffic between cloud resources to be allowed or denied; and performing one of allowing passage of network traffic or blocking network traffic to or from cloud resources based on the configured network segmentation policies.
2. The method of claim 1, wherein the determined relationships are represented as a graph, and the database is a graph database.
3. The method of claim 1, wherein the segmentation policies are enforced at a plurality of levels of control, a lowest level of control being enforced at a level associated with a resource, and a higher level of control being enforced on top of a previous level of control.
4. The method of claim 3, wherein the plurality of controls includes a first level associated with a resource directly, a second level associated with an associated subnet, and a third level associated with a virtual private cloud.
5. The method of claim 4, wherein configuring the network segmentation policy comprises: determining a control level at which the network segmentation policy is to be applied based on an associated resource; and configuring the network segmentation policy based on the determined level.
6. The method of claim 4, further comprising: responsive to determining that the associated resource is a virtual machine, determining that the control level is the first level; and configuring the network segmentation policy as a security group.
7. The method of claim 4, further comprising: responsive to determining that the associated resources include all resources in a subnet, determining that the control level is the second level; and configuring the network segmentation policy in one or more of a network access control list, a network security group, or a security list.
8. The method of claim 4, further comprising: responsive to determining that the associated resources include all resources in a virtual private cloud, determining that the control level is the second level; and configuring the network segmentation policy as a firewall.
9. The method of claim 1, further comprising: receiving a new security rule or a modification of an existing security rule indicating allow or deny network traffic from a first cloud resource to a second cloud resource; and configuring the network segmentation policy based on the received new security rule or modified security rule.
10. The method of claim 1, further comprising: tagging a resource with associated metadata.
11. The method of claim 1, further comprising: responsive to receiving a query associated with metadata of a resource, outputting a network segmentation policy associated with the resource.
12. The method of claim 1, further comprising: identifying a vulnerability in the network configuration between two resources in the cloud computing environment based on the determined relationships; and configuring the network segmentation policy to mitigate the vulnerability.
13. A non-transitory computer-readable medium having instructions encoded thereon that, when executed by one or more processors, cause the one or more processors to: collect cloud metadata associated with cloud resources, the cloud resources protected by a plurality of segmentation policies; determine relationships between different cloud resources associated with the segmentation policies based on the collected cloud metadata; record the determined relationships in a database; automatically configure a network segmentation policy based on the determined relationships, the network segmentation policy causing network traffic between cloud resources to be allowed or denied; and perform one of allowing passage of network traffic or blocking network traffic to or from cloud resources based on the configured network segmentation policies.
14. The non-transitory computer-readable medium of claim 13, wherein the determined relationships are represented as a graph, and the database is a graph database.
15. The non-transitory computer-readable medium of claim 13, wherein the segmentation policies are enforced at a plurality of levels of control, a lowest level of control is enforced at a level associated with a resource, and a higher level of control is enforced on top of a previous level of control.
16. The non-transitory computer-readable medium of claim 15, wherein the plurality of controls includes a first level associated directly with a resource, a second level associated with a subnet, and a third level associated with a virtual private cloud.
17. The non-transitory computer-readable medium of claim 16, configuring the network segmentation policy comprising: determining a control level at which the network segmentation policy is to be applied based on an associated resource; and configuring the network segmentation policy for the determined level.
18. The non-transitory computer-readable medium of claim 16, the instructions further causing the one or more processors to: responsive to determining that the associated resource is a virtual machine or a platform as a service (PaaS) resource, determine that the control level is the first level; and configure the network segmentation policy as a security group.
19. The non-transitory computer-readable medium of claim 16, the instructions further causing the one or more processors to: responsive to determining that the associated resources include all resources in a subnet, determine that the control level is the second level; and configure the network segmentation policy in one or more of a network access control list, a network security group, or a security list.
20. A computer system, comprising: one or more processors; and a non-transitory computer-readable medium having instructions encoded thereon that, when executed by a processor, cause the one or more processors to: collect cloud metadata associated with cloud resources, the cloud resources protected by a plurality of segmentation policies; determine relationships between different cloud resources associated with the segmentation policies based on the collected cloud metadata; record the determined relationships in a database; automatically configure a network segmentation policy based on the determined relationships, the network segmentation policy causing network traffic between cloud resources to be allowed or denied; and perform one of allowing passage of network traffic or blocking network traffic to or from cloud resources based on the configured network segmentation policies.
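The control-level selection that claims 3 to 8 and 16 to 19 describe (resource, subnet, or VPC scope mapped to a security group, a network ACL, or a firewall) can be made concrete with a small decision function over collected resource metadata. This is an added example, not code from the patent; the inventory, the resource kinds, and the widest-matching-scope rule for the degenerate cases are assumptions of the example.

```python
# Added example (not from the patent): pick the enforcement level for a
# segmentation policy from resource metadata, following the three levels in
# the claims (resource -> security group, subnet -> NACL/NSG, VPC -> firewall).
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    rid: str
    kind: str      # "vm", "paas", "db" (constructed sample values)
    subnet: str
    vpc: str

# Constructed inventory: two subnets in vpc-1, one subnet in vpc-2.
INVENTORY = [
    Resource("web-1", "vm", "subnet-a", "vpc-1"),
    Resource("web-2", "vm", "subnet-a", "vpc-1"),
    Resource("api-1", "paas", "subnet-b", "vpc-1"),
    Resource("api-2", "paas", "subnet-b", "vpc-1"),
    Resource("db-1", "db", "subnet-c", "vpc-2"),
    Resource("db-2", "db", "subnet-c", "vpc-2"),
]

def members(inventory, key, value):
    """IDs of every resource whose attribute `key` equals `value`."""
    return {r.rid for r in inventory if getattr(r, key) == value}

def select_control_level(target_ids, inventory):
    """Return (level, mechanism) for a policy that must cover `target_ids`.

    Widest exact match wins (an assumption of this example): a target set equal
    to every resource in one VPC is enforced once at the VPC firewall, a set
    equal to one whole subnet at that subnet's ACL, and a single VM/PaaS
    resource at its own security group.  Any other mix gets per-resource
    security groups so that nothing outside the target set is affected.
    """
    targets = set(target_ids)
    by_id = {r.rid: r for r in inventory}
    unknown = targets - set(by_id)
    if unknown:
        raise ValueError(f"unknown resources: {sorted(unknown)}")
    vpcs = {by_id[t].vpc for t in targets}
    if len(vpcs) == 1 and targets == members(inventory, "vpc", next(iter(vpcs))):
        return ("vpc", "firewall")
    subnets = {by_id[t].subnet for t in targets}
    if len(subnets) == 1 and targets == members(inventory, "subnet", next(iter(subnets))):
        return ("subnet", "network_acl")
    if len(targets) == 1 and by_id[next(iter(targets))].kind in ("vm", "paas"):
        return ("resource", "security_group")
    return ("resource", "security_group_per_resource")
```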
CPC classification titles:

- Grouping of entities
- Filtering by address, protocol, port number or service, e.g. IP-address or URL
- Rule management
- Multiple levels of security
- Filtering policies (mail message filtering H04L51/212)