Modern computer systems are frequently implemented as virtual computer systems operating collectively on one or more host computer systems. These virtual computer systems may utilize resources of host computer systems such as processors, memory, network interfaces, storage services, and other host computer system resources. These virtual computer systems may also include software applications configured to operate on the virtual computer systems, which may utilize these resources to perform functionality on behalf of users of the virtual computer systems. Virtual networks hosting virtual machine instances are often used to separate virtual machine instances from other virtual machine instances operating within the same computer system in order to increase security and reduce resource interdependencies. Applications or modules operating on such virtual machine instances are also typically isolated from other applications or modules to increase security and reduce resource interdependencies.
Virtual networks hosting such virtual machine instances often provide mechanisms to further segment a virtual network to produce subnetworks, thus isolating virtual machine instances or isolating applications or parts of applications. One approach to this problem is to manually define the segmentation and to manually configure the routing rules for intercommunication between the instances, the applications, and/or the parts of the applications. However, in the case of a large or complex virtual computer system with many instances, applications, resources, virtual networks, and internal and/or external dependencies, such manual definition and configuration can be very complex and can require very detailed knowledge of the system. Failure to accurately define and configure the segmentation can lead to various issues, such as blocked communications and degraded user experience.