Identity and access management-based access control in virtual networks

What is claimed is: 1. A provider network, comprising: a network substrate; one or more computing devices implementing an access control service configured to manage and evaluate policies on the provider network; and a plurality of host devices, wherein each host device implements one or more resource instances; wherein one or more of the host devices are each configured to: obtain a network packet from a resource instance on the respective host device; communicate with the access control service to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet according to an evaluation of a policy associated with the resource instance performed by the service; if the resource instance is allowed to open a connection to a target indicated by the network packet according to the policy, send one or more network packets from the resource instance to the target via an overlay network path over the network substrate; and if the resource instance is not allowed to open a connection to a target indicated by the network packet according to the policy, discard the network packet without sending the network packet to the target. 2. The provider network as recited in claim 1 , wherein the target is another resource instance on the provider network or an endpoint on another network. 3. The provider network as recited in claim 1 , wherein the resource instance and the target are both resource instances in a private network implementation of a particular client on the provider network. 4. The provider network as recited in claim 1 , wherein, to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet, the access control service is further configured to determine and evaluate a policy associated with the target, wherein the resource instance is only allowed to open a connection to the target if both the policy associated with the resource instance and the policy associated with the target allow the connection. 5. The provider network as recited in claim 1 , wherein the resource instances are implemented as virtual machines (VMs) on the host devices, wherein each host device includes a virtual machine monitor (VMM) that monitors a plurality of virtual machines (VMs) on the respective host device, and wherein the VMMs on the host devices perform said obtaining, said accessing, and said sending. 6. The provider network as recited in claim 1 , wherein, to evaluate the policy associated with the resource instance, the access control service is configured to: determine that the resource instance has assumed a role in a private network implementation of a particular client on the provider network; determine a policy associated with the role which the resource instance has assumed; and evaluate the policy associated with the role. 7. The provider network as recited in claim 1 , wherein, to send the one or more network packets from the resource instance to the target via an overlay network path over the network substrate, the host device is configured to: encapsulate the one or more network packets according to an encapsulation protocol to generate one or more encapsulation packets; and send the encapsulation packets onto the network substrate to be routed to the target according to routing information in the encapsulation packets. 8. The provider network as recited in claim 1 , further comprising one or more network devices configured to: communicate with an endpoint external to an overlay network implemented on the network substrate to establish an identity for the endpoint on the overlay network; access the access control service to determine that the endpoint is allowed to open a connection to a target resource instance via the overlay network according to an evaluation of a policy associated with the target resource instance; and in response to said determining, send one or more network packets from the endpoint to the target resource instance via an overlay network path over the network substrate. 9. A method, comprising: obtaining, by an encapsulation layer process implemented on a host device in a provider network, a network packet from one of one or more resource instances implemented on the host device, wherein the network packet is directed to a target endpoint; determining that the resource instance is identified as a principal according to an identity and access management environment on the provider network; determining that the principal is allowed to open a connection to the target endpoint according an evaluation of a policy associated with the principal; and in response to said determining that the principal is allowed to open a connection to the target endpoint: encapsulating one or more network packets from the resource instance and directed to the target endpoint according to an encapsulation protocol to generate one or more encapsulation packets; and sending the one or more encapsulation packets onto a network substrate of the provider network to be routed to the target endpoint according to routing information in the encapsulation packets. 10. The method as recited in claim 9 , wherein the target endpoint is another resource on the provider network or an endpoint on another network. 11. The method as recited in claim 9 , wherein the resource instance and the target endpoint are both resource instances in a private network implementation of a particular client on the provider network. 12. The method as recited in claim 9 , wherein said determining that the principal is allowed to open a connection to the target endpoint according an evaluation of a permission statement of a policy associated with the principal comprises: the encapsulation layer process sending a policy evaluation request to an access control service on the provider network; determining, by the access control service, the policy associated with the principal; evaluating, by the access control service, one or more permission statements in the policy associated with the principal to determine that the policy allows the principal to open connections to a resource associated with the target endpoint; and indicating to the encapsulation layer process that the principal is allowed to open connections to the target endpoint. 13. The method as recited in claim 12 , wherein the access control service further performs determining and evaluating a policy associated with the resource associated with the target endpoint, wherein the principal is only allowed to open a connection to the resource if both the policy associated with the principal and the policy associated with the resource allow the connection. 14. The method as recited in claim 12 , wherein each permission statement in the policy associated with the principal indicates one or more actions for which permission is to be allowed or denied, one or more resources to which the permission statement applies, and whether the indicated one or more actions are allowed or denied for the indicated one or more resources. 15. The method as recited in claim 9 , further comprising: obtaining, by the encapsulation layer process, another network packet from a resource instance identified as the principal according to the identity and access management environment, wherein the other network packet is directed to another target endpoint; determining that the principal is not allowed to open a connection to the other target endpoint according to an evaluation of a policy associated with the principal; and in response to said determining, discarding the other n