Determining security of local area network
US-2024372862-A1 · Nov 7, 2024 · US
US9300633B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9300633-B2 |
| Application number | US-201414223327-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 24, 2014 |
| Priority date | Mar 25, 2013 |
| Publication date | Mar 29, 2016 |
| Grant date | Mar 29, 2016 |
Official abstract text for this publication.
A cloud access manager obtains input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; the virtual machine instances are divided into at least first and second access zones. A cloud access manager registrar located in the cloud computing environment registers internet protocol addresses of external clients as seen from the cloud computing environment; at least some of the addresses are assigned to the clients via network address translation (NAT). Session traversal utility for NAT (STUN) is carried out to determine public internet protocol addresses assigned to the clients via NAT. The cloud access manager controls (i) access of the external clients to the plurality of virtual machine instances; and (ii) access of the plurality of virtual machine instances to each other, based on the registered internet protocol addresses, in accordance with the access zones.
Opening claim text (preview).
What is claimed is:

1. A method comprising: obtaining, at a cloud access manager executing on at least one hardware processor, input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; with said cloud access manager executing on said at least one hardware processor, dividing said plurality of virtual machine instances into at least first and second access zones in accordance with said input; registering, with a cloud access manager registrar located in said cloud computing environment, internet protocol addresses of external clients as seen from said cloud computing environment, at least some of said registered internet protocol addresses comprising public internet protocol addresses assigned to said clients via network address translation; carrying out session traversal utility for network address translation to determine said public internet protocol addresses assigned to said clients via said network address translation; with said cloud access manager executing on said at least one hardware processor, controlling, based on said registered internet protocol addresses: access of said external clients to said plurality of virtual machine instances; and access of said plurality of virtual machine instances to each other; in accordance with said access zones, such that: those of said virtual machine instances in a same given one of said access zones have access to each other; said external clients are permitted a first level of access to those of said virtual machine instances in said first access zone, according to a first policy; and said external clients are permitted a second level of access, different than said first level of access, to those of said virtual machine instances in said second access zone, according to a second policy.

2. The method of claim 1, wherein said obtaining comprises obtaining from an application administrator via a graphical user interface.

3. The method of claim 1, wherein said obtaining comprises obtaining from a workload management application.

4. The method of claim 1, wherein, in said obtaining, dividing, and controlling steps, said at least one hardware processor, on which said cloud access manager executes, comprises at least one hardware processor of said cloud computing environment.

5. The method of claim 1, wherein, in said obtaining, dividing, and controlling steps, said at least one hardware processor, on which said cloud access manager executes, comprises at least one hardware processor of a secured location remote from said cloud computing environment.

6. The method of claim 1, wherein said controlling step is implemented via access keys.

7. The method of claim 1, further comprising providing at least one of said first and second access zones with a zone gateway, wherein said external clients are only permitted to access those of said virtual machine instances in said at least one of said first and second access zones having said zone gateway via said zone gateway.

8. The method of claim 7, further comprising grouping at least some of said external clients into a set and providing said set with a client-side gateway, wherein said external clients in said set are only permitted to access said plurality of virtual machine instances via said client-side gateway.

9. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions being executable by a processor to cause the processor to: obtain input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; divide said plurality of virtual machine instances into at least first and second access zones in accordance with said input; register internet protocol addresses of external clients as seen from said cloud computing environment, at least some of said registered internet protocol addresses comprising public internet protocol addresses assigned to said clients via network address translation; carry out session traversal utility for network address translation to determine said public internet protocol addresses assigned to said clients via said network address translation; control, based on said registered internet protocol addresses: access of said external clients to said plurality of virtual machine instances; and access of said plurality of virtual machine instances to each other; in accordance with said access zones, such that: those of said virtual machine instances in a same given one of said access zones have access to each other; said external clients are permitted a first level of access to those of said virtual machine instances in said first access zone, according to a first policy; and said external clients are permitted a second level of access, different than said first level of access, to those of said virtual machine instances in said second access zone, according to a second policy.

10. The computer program product of claim 9, wherein said obtaining comprises obtaining from an application administrator via a graphical user interface.

11. The computer program product of claim 9, wherein said obtaining comprises obtaining from a workload management application.

12. The computer program product of claim 9, wherein, in said obtaining, dividing, and controlling steps, said at least one hardware processor, on which said cloud access manager executes, comprises at least one hardware processor of said cloud computing environment.

13. The computer program product of claim 9, wherein, in said obtaining, dividing, and controlling steps, said at least one hardware processor, on which said cloud access manager executes, comprises at least one hardware processor of a secured location remote from said cloud computing environment.

14. The computer program product of claim 9, wherein said controlling step is implemented via access keys.

15. The computer program product of claim 9, further comprising providing at least one of said first and second access zones with a zone gateway, wherein said external clients are only permitted to access those of said virtual machine instances in said at least one of said first and second access zones having said zone gateway via said zone gateway.

16. The computer program product of claim 15, further comprising grouping at least some of said external clients into a set and providing said set with a client-side gateway, wherein said external clients in said set are only permitted to access said plurality of virtual machine instances via said client-side gateway.

17. An apparatus comprising: a memory; and at least one processor, coupled to said memory, and operative to: obtain input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; divide said plurality of virtual machine instances into at least first and second access zones in accordance with said input; register internet protocol addresses of external clients as seen from said cloud computing environment, at least some of said registered internet protocol addresses comprising public internet protocol addresses assigned to said clients via network address translation; carry out session traversal utility for network address translation to determine said public internet protocol addresses assigned to said clients via said network address translation; control, based on said registered internet protocol addresses: access of
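The decision logic that claims 1 and 7 describe (intra-zone VM access, per-zone client policies keyed on STUN-discovered public addresses, and a zone gateway) as an added, constructed Python model; this is not the patent's own code, and every class, field and sample address (RFC 5737 documentation ranges) is an assumption. The STUN exchange itself is not performed; the mapped addresses it would return are supplied as constructed inputs.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
DENY = "deny"

@dataclass
class CloudAccessManager:
    """Constructed model of the claimed controller; all names are assumptions."""
    zones: dict                                        # vm_id -> access zone
    policies: dict                                     # zone -> {client: level}
    zone_gateways: dict = field(default_factory=dict)  # zone -> gateway id
    registrar: dict = field(default_factory=dict)      # public IP -> client id

    def register_client(self, client_id, stun_mapped_addr):
        """Registrar step: keep the public address STUN reported for the client."""
        self.registrar[ip_address(stun_mapped_addr)] = client_id

    def vm_to_vm(self, src_vm, dst_vm):
        """Instances may reach each other only inside the same access zone."""
        return self.zones[src_vm] == self.zones[dst_vm]

    def client_to_vm(self, src_ip, dst_vm, via_gateway=None):
        """Identify the client by registered address, then apply the zone policy."""
        client = self.registrar.get(ip_address(src_ip))
        if client is None:                 # unregistered source address: deny
            return DENY
        zone = self.zones[dst_vm]
        gateway = self.zone_gateways.get(zone)
        if gateway is not None and via_gateway != gateway:
            return DENY                    # zone reachable only through its gateway
        return self.policies.get(zone, {}).get(client, DENY)

def demo():
    # Two zones with different per-client policies; zone2 sits behind a gateway.
    cam = CloudAccessManager(
        zones={"web1": "zone1", "web2": "zone1", "db1": "zone2"},
        policies={"zone1": {"alice": "http-only", "bob": "http-only"},
                  "zone2": {"alice": "admin"}},
        zone_gateways={"zone2": "gw-zone2"},
    )
    cam.register_client("alice", "203.0.113.10")  # constructed STUN-mapped addresses
    cam.register_client("bob", "198.51.100.7")
    return {
        "web1->web2": cam.vm_to_vm("web1", "web2"),
        "web1->db1": cam.vm_to_vm("web1", "db1"),
        "alice->web1": cam.client_to_vm("203.0.113.10", "web1"),
        "alice->db1 direct": cam.client_to_vm("203.0.113.10", "db1"),
        "alice->db1 via gw": cam.client_to_vm("203.0.113.10", "db1", "gw-zone2"),
        "bob->db1 via gw": cam.client_to_vm("198.51.100.7", "db1", "gw-zone2"),
        "unknown->web1": cam.client_to_vm("192.0.2.99", "web1"),
    }
```

Two clients behind the same NAT present one mapped public address, so an address-keyed registrar cannot tell them apart; claim 8's client-side gateway, which groups such clients into a set, is the mechanism the patent offers for that case.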