DETAILED ACTION
Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 are rejected under 35 U.S.C. 103 as being unpatentable over Moroski et al (US 2018/0173561, hereinafter Moroski), in view of ITO (US 2017/0054680, hereinafter ITO), in view of Thakadu et al (US 2014/0237594, hereinafter Thakadu), in view of Ranjan et al (US 2019/0278700, hereinafter Ranjan) and in view of Leung (US 2006/0253555, hereinafter Leung).

Regarding claim 1, Moroski discloses a computer-implemented method comprising: receiving, in a provider network, a first packet including a first control plane message payload and a first destination address (cloud provider receives request via API calls, Para [0024]), wherein the extension of the provider network is in communication with the provider network via at least a third-party network (hybrid cloud system controls traffic between on premise resources and the cloud provider via external network, Para [0020], hardware resources of cloud system can be distributed across multiple data centers in different locations, Para [0021]); sending the first control plane message payload to the first device via a first secure tunnel through the third-party network (routing traffic using VPN connectivity between on premise gateway and cloud provider gateway to VMs, Para [0026]); 											but does not disclose wherein the first destination address matches a virtual network address of associating virtual and physical information (e.g. address) is known in the art, Para [0006], the physical MAC address can be the same as a virtual MAC address, Para [0048], it is obvious to one with ordinary skill the virtual address can match other addresses: physical, MAC, IP, etc. It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by ITO in order to autonomously transition to a state in which communication is possible by automatically correcting communication port settings;											and does not disclose updating a message state data store based on at least a portion of the first control plane message payload.  Thakadu discloses an API sandbox receiving API calls and making a copy of the API names and parameters, Para [0016] such as source and destination address and storing the data for a time, then releasing and storing new data, Para [0017].  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by Thakadu in order to implement an intrusion system to prevent attacks and malware;										and does not disclose determining that at least a portion of the first control plane message payload conforms to an application programming interface provided by the first device.  Ranjan discloses determining, by interceptor software, if a request conforms to the API standards and protocols, Para [0019].  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by Ranjan in order to efficiently filter requests by determining if the received requests are valid or not and discarding the invalid requests;													and is not explicit a virtual network address is associated with an interface.  Leung discloses a virtual address is an address bound to a virtual interface, Para [0022]
Regarding claim 2, 5 and 14, Moroski discloses the computer-implemented method/system of claim 1/4/13, but not further comprising: receiving, in the provider network, a second packet from the first device via the first secure tunnel, wherein the second packet includes a second control plane message payload; determining that the second control plane message payload is not permitted to enter the provider network; and discarding the second control plane message payload.  Ranjan discloses determining, by interceptor software, if a request conforms to the API standards and protocols and discarding the request if it does not, Para [0019].
Regarding claim 3, Moroski discloses the computer-implemented method of claim 1, further comprising: receiving, in the provider network, a second packet having a data plane message payload and the first destination address, wherein the first destination address matches the virtual network address of the provider network and the substrate address of the first device in the extension of the provider network; and sending the data plane message payload to the first device via a second secure tunnel through the third-party network (same forwarding method as claim 1 except with a data message, which would be an obvious variation to one with ordinary skill in the art).

Claims 4-7, 9-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Moroski, in view of ITO, in view of Thakadu and in view of Ranjan.

Regarding claim 4, Moroski discloses a computer-implemented method comprising: receiving, in a provider network, a first message of a first type and having a first destination address (cloud provider receives request via API calls, Para [0024]), wherein the extension of the provider network is in communication with the provider network via at least a third-party network (hybrid cloud system controls traffic between on premise resources and the cloud provider via external network, Para [0020], hardware resources of cloud system can be distributed across multiple data centers in different locations, Para [0021]); and sending a first payload of the first message to the first device via a first secure tunnel through the third-party network (routing traffic using VPN connectivity between on premise gateway and cloud provider gateway to VMs, Para [0026]);										 associating virtual and physical information (e.g. address) is known in the art, Para [0006], the physical MAC address can be the same as a virtual MAC address, Para [0048], it is obvious to one with ordinary skill the virtual address can match other addresses: physical, MAC, IP, etc.  Thakadu discloses an API sandbox receiving API calls and making a copy of the API names and parameters, Para [0016] such as source and destination address, Para [0017].  
Regarding claims 6 and 15, Moroski discloses the computer-implemented method/system of claim 4/13, wherein the first message includes a first source address associated with a second device in the provider network, the method further comprising: receiving, in the provider network, a second message of the first type from the first device via the first secure tunnel, the second message having a second destination address that matches the first source address; determining that a second payload of the second message matches an expected response to the first payload of the first message; and sending the second payload of the second message to the second device.  Ranjan discloses a response to the API request can be sent back to user, Para [0023], where this obvious to one with ordinary skill to send an appropriate response where the source address of the request becomes the destination address in the response.
Regarding claims 7 and 16, Moroski discloses the computer-implemented method/system of claim 6/15: but not wherein the first payload includes a call to an application programming interface (API) of the first device; and wherein the updating the message state data store includes storing the first source address, the first destination address, and an indication of the call to the API.  Thakadu discloses API sandbox receiving an API call and making a copy of the API names and parameters, Para [0016] such as source and destination address, Para [0017].  
Regarding claims 9 and 18, Moroski discloses the computer-implemented method/system of claim 4/13, but not explicitly further comprising: receiving, in the provider network, a second message of a second type and having the first destination address, the second message including a second same forwarding method as claim 1 with second message, where it is well known the payload can have address and/or identifying information of the destination device).
Regarding claims 10 and 19, Moroski discloses the computer-implemented method/system of claim 9/18, but not explicitly wherein the second payload further includes an identifier of a second compute instance hosted by hosted by a second device of the provider network, wherein the second compute instance originated at least a portion of the second payload (It is well known the payload can have address and/or identifying information of the source device).
Regarding claims 11 and 20, Moroski discloses the computer-implemented method/system of claim 10/19, wherein the first compute instance and the second compute instance operate within an isolated virtual network that spans the provider network and the extension of the provider network (isolated internal network, Para [0026] and hardware resources of cloud provider in different locations, Para [0021]).
Regarding claim 12, Moroski discloses the computer-implemented method of claim 4, but not explicitly wherein the first secure tunnel is one of a plurality of secure tunnels between the provider network and the extension of the provider network (multiple VPN tunnels is a well-known in the art technique to one with ordinary skill).
Regarding claim 13, Moroski discloses a system (Fig. 1) comprising: a first one or more computing devices of a provider network (virtual machines, Fig. 1); a second one or more computing devices of an extension of the provider network, wherein the extension of the provider network is in communication with the provider network via at least a third-party network (hybrid cloud system controls traffic between on premise resources and the cloud provider via external network, Para [0020], hardware resources of cloud system can be distributed across multiple data centers in different locations, Para [0021]); and send a first payload of the first message to the first device via a first secure tunnel through the third-party network (routing traffic using VPN connectivity between on premise gateway and cloud provider gateway to VMs, Para [0026]); wherein the first one or more computing devices include instructions that upon execution on a cloud provider receives request via API calls, Para [0024]);										but does not disclose wherein the first destination address is associated with a virtual network address of the provider network and an address of a first device of the second one or more computing devices nor update a message state data store based on at least a portion of the first message.  ITO discloses associating virtual and physical information (e.g. address) is known in the art, Para [0006], the physical MAC address can be the same as a virtual MAC address, Para [0048], it is obvious to one with ordinary skill the virtual address can match other addresses: physical, MAC, IP, etc.  Thakadu discloses an API sandbox receiving API calls and making a copy of the API names and parameters, Para [0016] such as source and destination address, Para [0017].  

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Moroski, in view of ITO, in view of Thakadu, in view of Ranjan and in view of Kahn et al (US 2008/0313474, hereinafter Kahn).

Regarding claims 8 and 17, Moroski discloses the computer-implemented method/system of claim 4/13, but not wherein at least a portion of the first message is encrypted with a first key, the method further comprising: decrypting the portion of the first message with the first key to generate a decrypted payload; and encrypting the decrypted payload with a second key to generate at least a portion of the first payload.  Kahn discloses encrypting using a first encryption key, decrypting using first encryption key and re-encrypting using a second encryption key, claim 28, where limitation of encrypting, decrypting and re-encrypting is obvious to one with ordinary skill in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by Kahn in order to enhance security by using encryption.  

Response to Arguments
Applicant's arguments filed 10/23/2020 have been fully considered but they are not persuasive.  Applicant argues the references do not disclose the limitation, wherein the first destination address is associated with a virtual network address of the provider network and an address of a first device in an extension of the provider network.  The ITO references discloses the physical and virtual MAC addresses can be the same and it is obvious to one of ordinary skill a virtual IP address could also match a physical IP address.  The Applicant argues both the virtual and physical MAC address in ITO are associated with the same port and therefore do not disclose the limitation.							In response, the limitation states the first destination address is associated with a virtual network address of the provider network and an address of a first device in an extension of the provider network.  The packet is transmitted to a first device, therefore the first destination address is the address of the first device, as that is how packet addressing works (unless the claim states otherwise, in this case it does not).  The address of the first device is the destination address in the packet and stating these “two” address are associated is confusing as it is really one address.  The other feature of the limitation is that the destination address is (vaguely) associated with a virtual network address.  ITO discloses associating logical (i.e. virtual) information and physical information with one another is a known technique, Para [0006], in this case associating an address with a virtual address.  ITO further states the physical and virtual address can be identical to each other, Para [0048] and Applicant’s specification states VNA match the SAD address (identical address), Para [0037].  The claim does not even state the virtual network address is used for anything.  The provider network and extension of the provider network are disclosed by the Moroski reference and ITO discloses virtual address can be associated with a physical address.  		Applicant argues over another limitation of updating a message state data store based on at least a portion of the first message which was disclosed by the Thakadu reference.  Applicant argues Thakadu is concerned with detecting API-level intrusions and there is no teaching the API sandbox operates as a message state data store.   											In response, the Examiner just interprets the limitation as updating a database, table or memory that stores message information.  A “message state data store” is an unusual term where the Applicant is being their own lexicographer.  The data expiry unit in Thakadu may store API call names and API call .   

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN CUNNINGHAM whose telephone number is (571) 272-1765.  The examiner can normally be reached Monday through Thursday 7:30-18:00 (EST).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Huy Vu can be reached on (571) 272-3155.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative 
/KEVIN M CUNNINGHAM/Primary Examiner, Art Unit 2461