US9569232B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9569232-B1 |
| Application number | US-201313770145-A |
| Country | US |
| Kind code | B1 |
| Filing date | Feb 19, 2013 |
| Priority date | Feb 19, 2013 |
| Publication date | Feb 14, 2017 |
| Grant date | Feb 14, 2017 |
Abstract
Approaches are described for collecting and/or utilizing network traffic information, such as network flow data, within a virtualized computing environment. The network traffic information can be collected on one or more host computing devices that host virtual machines. The collected network traffic information can include virtualized computing environment specific information, such as a user account identifier (ID), virtual machine identifier (ID), session termination information and the like. The collected network traffic information can also be presented to the user of the virtualized computing environment.
Claims (preview)
What is claimed is:

1. A computer implemented method for collecting data in a virtualized computing environment, said method comprising: under the control of one or more computer systems configured with executable instructions, providing, by a host computing device operated by a service provider, a virtual machine instance associated with a customer, wherein the virtual machine instance is hosted on a virtualization layer of the host computing device and the virtualization layer comprises a hypervisor operating in combination with a privileged domain; collecting, by an agent in the virtualization layer, network traffic data on the host computing device, the network traffic data including at least one record for each defined flow of network packets transmitted to or from the virtual machine instance on the host computing device; inspecting one or more of the network packets for a new source IP address and destination IP address combination; determining whether a new flow of network packets has begun, based on the inspection; adding service provider information to the collected network traffic data, the service provider information including session termination information related to a reason for termination of the defined flow of the network packets executed on the host computing device; and sending the network traffic data from the host computing device to a network data collector that is external with respect to the host computing device.
2. The computer implemented method of claim 1, further comprising: filtering the network traffic data based at least in part on the customer to produce a subset of the network traffic data related to one or more virtual machine instances owned by the customer; and providing the subset of the network traffic data for access by the customer by presenting the subset of the network traffic data as having been collected on a router device.
3. The computer implemented method of claim 1, further comprising: analyzing the network traffic data exported to the network data collector by executing one or more queries based at least in part on the network traffic data.
4. The computer implemented method of claim 3, wherein analyzing the network traffic data further comprises: identifying, based on results of the one or more queries, at least one of: a resource that has been configured incorrectly, or a malicious user.
5. A computer implemented method, comprising: under the control of one or more computer systems configured with executable instructions, provisioning a virtual machine on a host computing device, the virtual machine associated with an account, wherein the virtual machine is hosted on a virtualization layer of the host computing device and the virtualization layer comprises a hypervisor operating in combination with a privileged domain; collecting, by an agent in the virtualization layer, network traffic data related to one or more sequences of network packets transmitted on the host computing device, the network traffic data including at least information associated with a reason for termination of one or more sequences of the one or more sequences of network packets transmitted on the host computing device; inspecting one or more of the network packets for a new source IP address and destination IP address combination; determining whether a new flow of network packets has begun, based on the inspection; and providing at least a portion of the generated network traffic data to a user.
6. The computer implemented method of claim 5, wherein the host computing device is operated by a service provider and wherein the account is an account of a customer of the service provider.
7. The computer implemented method of claim 5, further comprising: storing the generated network traffic data on the host computing device; and periodically exporting the stored network traffic data from the host computing device to a network data collector that is external with respect to the host computing device.
8. The computer implemented method of claim 7, further comprising: executing one or more queries on the network traffic data in response to receiving at least one application programming interface (API) call over a network from a user.
9. The computer implemented method of claim 5, wherein generating the network traffic data further comprises: generating information identifying a reason for terminating one or more sequences of network packets.
10. The computer implemented method of claim 9, further comprising: adding to the network traffic data, information indicating at least one of: a normal session termination, a denial based at least in part on a policy of a service provider, a denial based at least in part on a security policy of a customer account, a throttling by abuse mitigation, or a throttling by denial of service (DOS) mitigation.
11. The computer implemented method of claim 5, further comprising: filtering the network traffic data based at least in part on the customer to produce a subset of the network traffic data related to one or more virtual machines of the customer; and exposing the subset of the network traffic data to the customer by presenting the subset of the network traffic data in a format that corresponds to the format used by network router devices to store the network traffic data.
12. The computer implemented method of claim 11, wherein presenting the subset of the network traffic data in the format that corresponds to the format used by network router devices further comprises: recording the identifier for the virtual machine in the ingress port field or the egress port field of a network flow record.
13. The computer implemented method of claim 5, wherein generating the network traffic data further comprises: generating information identifying a virtual interface identifier, a virtual network of the customer account, a security group associated with the customer account, or one or more latency statistics.
14. A computer implemented method, comprising: under the control of one or more computer systems configured with executable instructions, collecting a plurality of network flow records for virtual machines from one or more host computing devices, wherein each host computing device hosts one or more virtual machines on a respective virtualization layer associated with the host computing device and an agent in the respective virtualization layer of the host computing device collects the plurality of network flow records for the host computing device, wherein the virtualization layer comprises a hypervisor operating in combination with a privileged domain, and wherein the virtual machines are associated with a customer, and each network flow record is for a sequence of network packets transmitted to or from the one or more host computing devices and contains information associated with a reason for termination of the sequence of network packets; inspecting one or more of the network packets for a new source IP address and destination IP address combination; determining whether a new flow of network packets has begun, based on the inspection; and providing at least a portion of information from the network flow records for access to the customer.
15. The computer implemented method of claim 14, wherein providing at least the portion of the information from the network flow records further comprises: providing the network flow records in a format that corresponds to the format used by network router devices to generate network flow records.
16. The computer implemented method of claim 14, furth
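As an added illustration (hypothetical code, not the patent's implementation), the following Python sketches the claimed virtualization-layer agent: it recognises a new flow from an unseen source/destination IP pair (claims 1, 5, 14), stamps each closed flow with one of the termination reasons listed in claim 10, filters records to one customer, and presents them router-style with the VM identifier in the ingress or egress port field (claims 11 and 12). The record field names (srcaddr, dPkts, input/output) echo common router flow-export conventions but are assumptions here, as are the packet dictionary keys.

```python
from dataclasses import dataclass
from enum import Enum

class TermReason(Enum):  # the five termination reasons listed in claim 10
    NORMAL = "normal"
    PROVIDER_POLICY = "denied_by_provider_policy"
    CUSTOMER_POLICY = "denied_by_customer_security_policy"
    ABUSE_THROTTLE = "throttled_by_abuse_mitigation"
    DOS_THROTTLE = "throttled_by_dos_mitigation"

@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    vm_id: str            # virtualization-specific fields the claims add
    account_id: str
    inbound: bool         # True when the VM is the packet's destination
    packets: int = 0
    octets: int = 0
    term_reason: TermReason = None  # set when the flow is closed

class FlowAgent:
    """Hypothetical agent in the privileged domain: one record per (src, dst) flow."""
    def __init__(self):
        self.active = {}     # (src_ip, dst_ip) -> FlowRecord
        self.exported = []   # closed records queued for the external collector

    def inspect(self, pkt: dict) -> bool:
        """Return True if this packet begins a new flow (unseen src/dst pair)."""
        key = (pkt["src"], pkt["dst"])
        is_new = key not in self.active
        if is_new:
            self.active[key] = FlowRecord(pkt["src"], pkt["dst"], pkt["vm_id"], pkt["account"], pkt["inbound"])
        self.active[key].packets += 1
        self.active[key].octets += pkt["len"]
        return is_new

    def terminate(self, src: str, dst: str, reason: TermReason) -> FlowRecord:
        """Close a flow, stamp why it ended and queue it for export."""
        rec = self.active.pop((src, dst))
        rec.term_reason = reason
        self.exported.append(rec)
        return rec

def router_view(records, account_id: str) -> list:
    """One customer's closed flows, router-style: VM id in the ingress/egress port field (claim 12)."""
    return [{"srcaddr": r.src_ip, "dstaddr": r.dst_ip, "dPkts": r.packets,
             "dOctets": r.octets, "end_reason": r.term_reason.value,
             "input": r.vm_id if r.inbound else "", "output": "" if r.inbound else r.vm_id}
            for r in records if r.account_id == account_id and r.term_reason]
```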
Classification:
- Protection against unauthorised use of memory {or access to memory} (CPC)
- relying on flow classification, e.g. using integrated services [IntServ] (CPC)
- Traffic logging, e.g. anomaly detection (CPC)
- for detecting or protecting against malicious traffic (CPC)
- Electricity (mapped topic)