Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Introduction
This office action is in response to Applicant’s submission filed on 9/11/2020. Claims 1-16 and 21-24 are allowed. Claims 17-20 are cancelled.

Response to Arguments
Applicant’s arguments, see pages 9-11, filed on 9/11/2020, with respect to the rejection(s) of claims 1-20 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn.

Examiner’s Amendment
         An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
            Authorization for an examiner’s amendment was given in a telephone interview with Applicant’s attorney of record Mr. Adam C. Rehm (Reg. No. 54,797) on 12/31/2020.

The claims, which were filed on 9/11/2020, have been amended as follows: 


receiving, by a first virtual machine from a virtual switch via a secure access tunnel that includes a hop over the virtual switch, configuration information for establishing a second virtual machine as a second endpoint of a direct tunnel without the hop over the virtual switch, wherein the configuration information includes second security information of the second virtual machine, the virtual switch is a public cloud network gateway, and the first virtual machine is configured by the public cloud network gateway with a default rule to cause the first virtual machine to initially default to the secure access tunnel with the hop over the public cloud network gateway during initial deployment of the first virtual machine; 
sending, from the first virtual machine to the second virtual machine, a request to connect to the second virtual machine via the direct tunnel, wherein the request includes first security information of the first virtual machine and first authentication information of the first virtual machine derived from the second security information; 
receiving, by the first virtual machine from the second virtual machine, a reply that includes second authentication information of the second virtual machine derived from the first security information; 
establishing the first virtual machine as a first endpoint of the direct tunnel; 
sending first network traffic from the first virtual machine to the second virtual machine via the direct tunnel; and 
receiving second network traffic by the first virtual machine from the second virtual machine via the direct tunnel. 

 2. 	(Previously Presented)  The method of claim 1, further comprising: 
adding an entry to an egress forwarding policy table of the first virtual machine to forward network traffic via the secure access tunnel; and 
sending, from the first virtual machine via the secure access tunnel, an Address Resolution Protocol (ARP) request targeting the second virtual machine. 

 3. 	(Original)  The method of claim 1, further comprising: 
sending the configuration information from a cloud orchestrator to the virtual switch to cause the virtual switch to send the configuration information to the first virtual machine. 

 4. 	(Previously Presented)  The method of claim 3, wherein the cloud orchestrator includes a cloud manager and a hypervisor manager. 

 5. 	(Original)  The method of claim 1, further comprising: 
receiving, by the second virtual machine from the virtual switch, one or more security policies corresponding to the second virtual machine; 
receiving, by the second virtual machine from the first virtual machine, the request to connect to the second virtual machine via the direct tunnel; 
establishing the second virtual machine as the second endpoint of the direct tunnel; 
sending, from the second virtual machine to the first virtual machine, the reply that includes the second authentication information; 
receiving the first network traffic by the second virtual machine from the first virtual machine via the direct tunnel; and 
sending the second network traffic from the second virtual machine to the first virtual machine via the direct tunnel. 

 6. 	(Original)  The method of claim 5, further comprising:
adding one or more first entries to an ingress security policy table of the second virtual machine based at least in part on the one or more security policies; and 


 7. 	(Original)  The method of claim 5, wherein the one or more security policies, the request, and the reply are transceived via a control tunnel. 

 8. 	(Original)  The method of claim 1, further comprising: 
adding an entry to an egress forwarding policy table of the first virtual machine to forward network traffic destined for the second virtual machine via the direct tunnel. 

 9. 	(Original)  The method of claim 1, further comprising: 
installing a virtual machine agent onto the first virtual machine for establishing the direct tunnel. 

 10. 	(Original)  The method of claim 1, further comprising: 
applying a policy for establishing the direct tunnel. 

 11. 	(Original)  The method of claim 10, wherein the policy includes at least one of an on-demand policy, an application-driven policy, or a statistics-driven policy. 

 12. 	(Currently Amended)  A non-transitory computer-readable storage medium having stored therein instructions that, upon being executed by a processor, cause the processor to: 
send, by a virtual switch to a first virtual machine via a secure access tunnel that includes a hop over the virtual switch, configuration information for establishing a second virtual machine as an endpoint of a direct tunnel without the hop over the virtual switch, wherein the configuration information includes second security information corresponding to the second virtual machine, the virtual switch is a public cloud network gateway, and the first virtual machine is configured by the public cloud network gateway with a default rule to cause the first virtual machine to initially default to the secure access tunnel with the hop over the public cloud network gateway during initial deployment of the first virtual machine; 
send, from the virtual switch to the second virtual machine, one or more security policies corresponding to the second virtual machine; 
cause, by the virtual switch, the first virtual machine to send to the second virtual machine a request for connecting to the second virtual machine via the direct tunnel, wherein the request includes first authentication information of the first virtual machine derived from the second security information and first security information corresponding to the first virtual machine; 
cause, by the virtual switch, the second virtual machine to send to the first virtual machine a reply that includes second authentication information of the second virtual machine derived from the first security information; and 
establish the direct tunnel between the first virtual machine and the second virtual machine. 

 13. 	(Original)  The non-transitory computer-readable storage medium of claim 12, wherein the instructions upon being executed further cause the processor to: 
receive, by the virtual switch from the first virtual machine, an Address Resolution Protocol (ARP) request targeting the second virtual machine; and 
resolve, by the virtual switch, network address information of the second virtual machine, 
wherein the configuration information is sent as a part of an ARP reply that includes the network address information of the second virtual machine. 


receive, by the virtual switch from a cloud orchestrator, the configuration information for establishing the second virtual machine as the endpoint of the direct tunnel, 
wherein the cloud orchestrator includes a cloud manager and a hypervisor manager. 

 15. 	(Original)  The non-transitory computer-readable storage medium of claim 14, wherein the configuration information, the one or more security policies, the request, and the reply are transceived via a control tunnel. 

 16. 	(Original)  The non-transitory computer-readable storage medium of claim 12, wherein the virtual switch is connected to a second virtual switch, the first virtual machine is directly connected to the virtual switch, and the second virtual machine is directly connected to the second virtual switch. 

 17. 	(Canceled)  

 18. 	(Canceled)

 19. 	(Canceled) 

 20. 	(Canceled)  

21.	(New)  A system comprising: 
one or more processors; and 

receive, by a first virtual machine from a virtual switch via a secure access tunnel that includes a hop over the virtual switch, configuration information for establishing a second virtual machine as a second endpoint of a direct tunnel without the hop over the virtual switch, wherein the configuration information includes second security information of the second virtual machine, the virtual switch is a public cloud network gateway, and the first virtual machine is configured by the public cloud network gateway with a default rule to cause the first virtual machine to initially default to the secure access tunnel with the hop over the public cloud network gateway during initial deployment of the first virtual machine; 
send, from the first virtual machine to the second virtual machine, a request to connect to the second virtual machine via the direct tunnel, wherein the request includes first security information of the first virtual machine and first authentication information of the first virtual machine derived from the second security information; 
receive, by the first virtual machine from the second virtual machine, a reply that includes second authentication information of the second virtual machine derived from the first security information; 
establish the first virtual machine as a first endpoint of the direct tunnel; 
send first network traffic from the first virtual machine to the second virtual machine via the direct tunnel; and 
receive second network traffic by the first virtual machine from the second virtual machine via the direct tunnel. 

22.	(New)   The system of claim 21, wherein the instructions upon being executed further cause the system to:

receive, by the second virtual machine from the first virtual machine, the request to connect to the second virtual machine via the direct tunnel; 
establish the second virtual machine as the second endpoint of the direct tunnel; 
send, from the second virtual machine to the first virtual machine, the reply that includes the second authentication information; 
receive the first network traffic by the second virtual machine from the first virtual machine via the direct tunnel; and 
send the second network traffic from the second virtual machine to the first virtual machine via the direct tunnel. 

23.	(New)   The system of claim 22, wherein the instructions upon being executed further cause the system to:
add one or more first entries to an ingress security policy table of the second virtual machine based at least in part on the one or more security policies; and 
add a second entry to an egress forwarding policy table of the second virtual machine to forward network traffic destined for the first virtual machine via the direct tunnel. 

24.	(New)   The system of claim 21, wherein the instructions upon being executed further cause the system to:
add an entry to an egress forwarding policy table of the first virtual machine to forward network traffic via the secure access tunnel; and 
send, from the first virtual machine via the secure access tunnel, an Address Resolution Protocol (ARP) request targeting the second virtual machine. 
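For readers tracing the claimed exchange, the following is an added illustration and not code from the application or the applicant. It is a constructed Python model of the bootstrap recited in claims 1, 2, 8 and 13 (mirrored in claims 21-24): the gateway installs a default rule that sends everything over the secure access tunnel, the first VM learns the second VM's security information from an ARP reply carried over that tunnel, the two VMs exchange authentication information derived from each other's security information, and only then does each add a direct-tunnel entry to its egress forwarding policy table. The application does not say how the authentication information is derived; this example assumes a pairwise key provisioned by the gateway, a per-VM challenge as the "security information", and an HMAC over the peer's challenge as the derived authentication information. The names vm1/vm2/vm3 and the addresses are made up.

```python
"""Direct-tunnel bootstrap between two VMs via a cloud gateway (constructed example).

Assumptions (not from the application): a gateway-provisioned pairwise key plus a
per-VM challenge stands in for the "security information", and the "authentication
information derived from" the peer's security information is an HMAC over the
peer's challenge under that key.  vm1/vm2/vm3 and the addresses are invented.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ACCESS_TUNNEL = "secure-access-tunnel-via-gateway"  # hop over the virtual switch
DIRECT_TUNNEL = "direct-tunnel"                      # no hop over the virtual switch


def derive_auth(pair_key: bytes, peer_challenge: bytes, label: bytes) -> bytes:
    """Authentication information derived from the peer's security information."""
    return hmac.new(pair_key, label + peer_challenge, hashlib.sha256).digest()


@dataclass
class VM:
    name: str
    challenge: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    egress_policy: dict = field(default_factory=dict)  # destination -> tunnel
    ingress_policy: set = field(default_factory=set)   # peers allowed to connect directly
    pair_keys: dict = field(default_factory=dict)      # peer name -> pairwise key

    def route(self, destination: str) -> str:
        # A per-peer entry wins; otherwise the default rule installed at deployment.
        return self.egress_policy.get(destination, self.egress_policy["*"])


class Gateway:
    """Public cloud network gateway playing the virtual-switch role."""

    def __init__(self) -> None:
        self.addresses: dict = {}   # vm name -> address (constructed)
        self.challenges: dict = {}  # vm name -> registered challenge
        self.pair_keys: dict = {}   # frozenset({a, b}) -> key handed down by the orchestrator

    def deploy(self, vm: VM, address: str) -> None:
        self.addresses[vm.name] = address
        self.challenges[vm.name] = vm.challenge
        vm.egress_policy["*"] = ACCESS_TUNNEL   # default rule: everything hops via the gateway

    def provision_pair(self, first: VM, second: VM) -> None:
        """Security policy for the second VM: which peer may open a direct tunnel to it."""
        key = secrets.token_bytes(32)
        self.pair_keys[frozenset({first.name, second.name})] = key
        second.pair_keys[first.name] = key
        second.ingress_policy.add(first.name)

    def arp_reply(self, requester: VM, target: VM):
        """Configuration information riding on the ARP reply sent over the access tunnel."""
        key = self.pair_keys.get(frozenset({requester.name, target.name}))
        if key is None or target.name not in self.addresses:
            return None   # no policy for this pair: the requester stays on the access tunnel
        return {"peer": target.name, "address": self.addresses[target.name],
                "peer_challenge": self.challenges[target.name], "pair_key": key}


def establish_direct_tunnel(gw: Gateway, vm1: VM, vm2: VM) -> bool:
    # Step 1: vm1 resolves vm2 over the access tunnel and receives the config info.
    config = gw.arp_reply(vm1, vm2)
    if config is None:
        return False
    vm1.pair_keys[vm2.name] = config["pair_key"]
    # Step 2: the request carries vm1's security info and auth derived from vm2's.
    request = {"from": vm1.name, "challenge": vm1.challenge,
               "auth": derive_auth(config["pair_key"], config["peer_challenge"], b"request")}
    # Step 3 (vm2 side): ingress policy check, then verify the request in constant time.
    if request["from"] not in vm2.ingress_policy:
        return False
    key = vm2.pair_keys[request["from"]]
    if not hmac.compare_digest(derive_auth(key, vm2.challenge, b"request"), request["auth"]):
        return False
    reply = {"from": vm2.name, "auth": derive_auth(key, request["challenge"], b"reply")}
    vm2.egress_policy[vm1.name] = DIRECT_TUNNEL
    # Step 4 (vm1 side): verify the reply, then install the direct-tunnel route.
    expected = derive_auth(config["pair_key"], vm1.challenge, b"reply")
    if not hmac.compare_digest(expected, reply["auth"]):
        return False
    vm1.egress_policy[vm2.name] = DIRECT_TUNNEL
    return True


def scenario() -> dict:
    gw = Gateway()
    vm1, vm2, vm3 = VM("vm1"), VM("vm2"), VM("vm3")
    for vm, addr in ((vm1, "10.0.0.11"), (vm2, "10.0.0.12"), (vm3, "10.0.0.13")):
        gw.deploy(vm, addr)
    gw.provision_pair(vm1, vm2)                       # only vm1 <-> vm2 is authorised
    ok = establish_direct_tunnel(gw, vm1, vm2)
    denied = establish_direct_tunnel(gw, vm3, vm2)    # no policy: vm3 stays on the access tunnel
    return {"ok": ok, "denied": denied,
            "vm1_to_vm2": vm1.route("vm2"), "vm1_to_vm3": vm1.route("vm3"),
            "vm2_to_vm1": vm2.route("vm1"), "vm3_to_vm2": vm3.route("vm2")}


def forged_request_rejected() -> bool:
    """A request whose auth was not derived under the provisioned key must not open a tunnel."""
    gw = Gateway()
    vm1, vm2 = VM("vm1"), VM("vm2")
    gw.deploy(vm1, "10.0.0.11")
    gw.deploy(vm2, "10.0.0.12")
    gw.provision_pair(vm1, vm2)
    vm2.pair_keys["vm1"] = secrets.token_bytes(32)    # vm2 now expects a different key
    return not establish_direct_tunnel(gw, vm1, vm2) and vm1.route("vm2") == ACCESS_TUNNEL


if __name__ == "__main__":
    print(scenario(), forged_request_rejected())
```

The point a practitioner should take from the model is the ordering: the direct-tunnel entry is written to the egress table only after both derived authentication values verify, and any VM for which the gateway holds no policy never leaves the default access-tunnel rule, so the gateway remains the enforcement point until a pair is explicitly authorised. A real deployment would use a fresh challenge per handshake rather than the one registered at deployment.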


Allowable Subject Matter
	Claims 1-16 and 21-24 are allowed. 

Reason for Allowance
The following is an examiner’s statement of reason for allowance:
Regarding independent claims 1, 12 and 21:
Radhakrishnan et al. Publication No. US 2013/0232491 A1 teaches
receiving, by a first virtual machine from a virtual switch via a tunnel (Para 0043 and Fig. 6), configuration information for establishing a second virtual machine as a second endpoint of a direct tunnel without the hop over the virtual switch (Para 0043), the configuration information including second security information of the second virtual machine (Para 0023-0024);

sending, from the first virtual machine to the second virtual machine, a request to connect to the second virtual machine via the direct tunnel (Para 0039), the request including first security information of the first virtual machine and first authentication information of the first virtual machine derived from the second security information (Para 0024);

receiving, by the first virtual machine from the second virtual machine (Para 0050), a reply that includes second authentication information of the second virtual machine derived from the first security information (Para 0024);

establishing the first virtual machine as a first endpoint of the direct tunnel (Para 0045); and

sending first network traffic from the first virtual machine to the second virtual machine via the direct tunnel and receiving second network traffic by the first virtual machine from the second virtual machine via the direct tunnel (Para 0045).

Chang et al. Publication No. US 2013/0268643 A1 teaches
a secure access tunnel that includes a hop over the virtual switch (Para 0050 and Fig. 1)



Mestery et al. Publication No. US 2013/0268643 A1 teaches
the first virtual machine configured by the network gateway with a rule to cause the first virtual machine to initially default to the access tunnel during initial deployment of the first virtual machine (Para 0040 and Fig. 5B-C).


However, independent claims 1, 12 and 21 are allowable over the prior art for the following reasons. The prior art of record does not fairly teach, as a whole, or make obvious:
receiving, by a first virtual machine from a virtual switch via a secure access tunnel that includes a hop over the virtual switch, configuration information for establishing a second virtual machine as a second endpoint of a direct tunnel without the hop over the virtual switch, wherein the configuration information includes second security information of the second virtual machine, the virtual switch is a public cloud network gateway, and the first virtual machine is configured by the public cloud network gateway with a default rule to cause the first virtual machine to initially default to the secure access tunnel with the hop over the public cloud network gateway during initial deployment of the first virtual machine.

No prior art, whether singly or in combination, teaches or suggests the above limitations together in conjunction with the other limitations of the independent claims. Therefore, these reasons put the claims in condition for allowance.
Dependent claims are allowable because they depend either directly or indirectly on the above independent claims. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DA T. TON whose telephone number is (571)272-9956.  The examiner can normally be reached on Mon-Fri (9am-5pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A. Louie can be reached on 571-270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/DA T TON/Acting Patent Examiner of Art Unit 2445
/YOUNES NAJI/Primary Examiner, Art Unit 2445