DETAILED ACTION
Claims 1, 11, and 16 are amended. Claims 1-20 are pending in the application.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Examiner’s Notes
The Examiner cites particular sections in the references as applied to the claims below for the convenience of the applicant(s). Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant(s) fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 4-11, 13-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brooker et al. (US 2017/0012958 A1; hereinafter Brooker) in view of Xiao et al. (US 2018/0225135 A1; hereinafter Xiao).

With respect to claim 1, Brooker teaches: An apparatus comprising: 
a processing platform (see e.g. Brooker, Fig. 2: “Virtual Resource Provider 202”) comprising a plurality of processing devices (see e.g. Brooker, paragraph 44: “The virtual resource provider 202 may be implemented, at least in part, with server computers such as the Web server 106 and the application server 108 described above with reference to FIG. 1”; and Fig. 1) each comprising a processor coupled to a memory (see e.g. Brooker, paragraph 41: “Each server… typically will include a computer-readable medium storing instructions that, when executed by a processor of the server, allow the server to perform its intended functions”), the processing platform being configured to communicate with an infrastructure (see e.g. Brooker, Fig. 2: “Provisioned Computing Resources 216”, “Virtual Resources 218-220”; and paragraph 44: “virtual resource provider 202 may be implemented, at least in part, with server computers such as the Web server 106 and the application server 108 described above with reference to FIG. 1, and one or more data stores such as the data store 110 of FIG. 1, interconnected by a relatively high speed data network… server computers and/or data stores allocated to different virtual resource types 218-220 and to a control plane 222 of the virtual resource provider 202”) under management by the processing platform (see e.g. Brooker, paragraph 44: “The control plane 222 may include multiple user interfaces 224-226 that enable the clients 204-206 to interact with the virtual resource provider 202, including provisioning and interacting with the virtual resources 218-220, as well as setting policies with respect to the virtual resources 218-220”) over a network (see e.g. Brooker, paragraph 44: “interconnected by a relatively high speed data network”), the infrastructure under management comprising a plurality of infrastructure controllers (see e.g. Brooker, Fig. 2: “Virtual Resources 218-220”; and paragraph 43: “provisioned computing resources 216 may include multiple types of virtual resources 218-220”); 
the processing platform being configured to implement a master control plane (see e.g. Brooker, Fig. 2: “Control Plane 222”; and paragraph 47: “provide centralized policy management for the virtual resource provider 202”) and a plurality of messaging interfaces (see e.g. Brooker, Fig. 3: “Resource I/F 306-308”; paragraph 80: “each interface element 904-922 corresponds to a set of messages of a Web-based services protocol”; paragraph 81; and Fig. 9), each messaging interface having a … correspondence to a corresponding one of the plurality of infrastructure controllers of the infrastructure under management (see e.g. Brooker, paragraph 45: “there may be one of the resource interfaces 306-308 for each of the types of virtual resources 218-220”; paragraph 43; and Fig. 2), the master control plane being configured to communicate with each of the plurality of infrastructure controllers via the corresponding messaging interface of the processing platform (see e.g. Brooker, paragraph 45: “multiple resource interfaces 306-308 enabling user interaction with the virtual resources 218-220 (FIG. 2). For example, there may be one of the resource interfaces 306-308 for each of the types of virtual resources 218-220”; and paragraph 80: “Each interface element 904-922 defines a structured interaction with the provisioned resources 812-818 (FIG. 8) including a request to perform a set of actions with respect to at least one of the provisioned resources 812-818”), the plurality of infrastructure controllers each being configured to manage a corresponding one of a plurality of infrastructure components of the infrastructure under management (see e.g. Brooker, paragraph 43: “multiple types of virtual resources 218-220 such as virtual computing systems and clusters, virtual file system volumes, virtual private networks, data object stores, notification services”); and
the master control plane being configured to communicate an instruction to a given infrastructure controller of the plurality of infrastructure controllers via the corresponding messaging interface (see e.g. Brooker, paragraph 45: “multiple resource interfaces 306-308 enabling user interaction with the virtual resources 218-220”; paragraph 80: “Each interface element 904-922 defines a structured interaction with the provisioned resources 812-818 (FIG. 8) including a request to perform a set of actions with respect to at least one of the provisioned resources 812-818”; and Fig. 3, 9), the given infrastructure controller configured to modify the corresponding infrastructure component based at least in part on the communicated instruction (see e.g. Brooker, paragraph 80: “Each interface element 904-922 defines a structured interaction with the provisioned resources 812-818 (FIG. 8) including a request to perform a set of actions with respect to at least one of the provisioned resources 812-818”; paragraph 81: “utilize the configure resource interface element 904 to request a configuration and/or reconfiguration of one or more of the provisioned resources 812-818… utilize the update resource attribute(s) interface element 908 to request an update of one or more attributes of one or more of the provisioned resources 812-818”; and paragraph 82: “the activate resource functionality interface element 910 may be utilized to request an activation of that functionality… The delete resource attribute(s) interface element 912 may enable clients 204-206 (FIG. 2) to request a deletion and/or re-initialization of one or more attributes of one or more of the provisioned resources 812-818”).
Even though Brooker discloses a correspondence between virtual resources 218-220 (i.e. infrastructure controllers) and resource I/F 306-308 (i.e. messaging interfaces) (see e.g. Brooker, paragraph 45), Brooker does not explicitly disclose this correspondence being “one-to-one”.
However, Xiao teaches:
one-to-one (see e.g. Xiao, paragraph 58: “ascertain a physical communication interface the service instance is bound to, according to an one-to-one binding relationship between a service instance and a physical communication interface”)
Brooker and Xiao are analogous art because they are in the same field of endeavor: managing communications between communication interfaces and corresponding services. Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Brooker with the teachings of Xiao. The motivation/suggestion would be to provide communication isolation (see e.g. Xiao, paragraph 58).

With respect to claim 4, Brooker as modified teaches: The apparatus of claim 1 wherein the master control plane is configured: 
to obtain information about a target state from a user of the processing platform (see e.g. Brooker, paragraph 44: “The control plane 222 may include multiple user interfaces 224-226 that enable the clients 204-206 to interact with the virtual resource provider 202, including provisioning and interacting with the virtual resources 218-220, as well as setting policies with respect to the virtual resources 218-220”; paragraph 57: “The condition(s) 414 element of the policy 402 may specify a set of conditions to be satisfied before the policy 402 is enforced…Condition parameter examples include environmental data such as calendar date and time of day, and request-associated data such as originating network address, originating geographical location, originating political and/or administrative division, and communication protocol employed”), the instruction being generated by the see e.g. Brooker, paragraph 57: “The condition(s) 414 element of the policy 402 may specify a set of conditions to be satisfied before the policy 402 is enforced”; and Fig. 3: “Policy Enforcement 316-318”).

With respect to claim 5, Brooker as modified teaches: The apparatus of claim 4 wherein the master control plane is configured to obtain from the given infrastructure controller, via the corresponding messaging interface, information about a current state of the corresponding infrastructure component (see e.g. Brooker, paragraph 57: “Condition parameters may include any suitable data available to the virtual resource provider 202 (FIG. 2). Condition parameter examples include environmental data such as calendar date and time of day, and request-associated data such as originating network address, originating geographical location, originating political and/or administrative division, and communication protocol employed”; and paragraph 64: “The decision data providers 512 may provide data required by policy enforcement components 316-318 (FIG. 3) to evaluate requests that are subject to policies”).

With respect to claim 6, Brooker as modified teaches: The apparatus of claim 5 wherein the master control plane is configured to determine whether the current state matches the target state (see e.g. Brooker, paragraph 58: “unless the specified set of conditions is satisfied”) and, responsive to determining that the current state does not match the target state, to communicate at least one further instruction to the given infrastructure controller via the corresponding messaging interface (see e.g. Brooker, paragraph 58: “the element modifiers 416-422 may indicate that the corresponding policy elements 408-414 specify exceptions. That is, that the policy 402 effect(s) 406 be enforced… unless the specified set of conditions is satisfied”), the given infrastructure controller configured to modify the corresponding infrastructure component based at least in part on the communicated at least one see e.g. Brooker, paragraph 58: “the policy 402 effect(s) 406 be enforced”; paragraph 53: “The effect(s) 406 element of the policy 402 may specify such policy effects. For example, a particular policy may permit one or more principals 408 to take one or more actions 410 with respect to one or more resources 412, while another policy may deny a set of actions 410 to a set of principals 408”; and Fig. 3: “Policy Enforcement 316-318”).

With respect to claim 7, Brooker as modified teaches: The apparatus of claim 1 wherein the plurality of infrastructure components comprise an infrastructure component associated with a physical portion of the infrastructure under management (see e.g. Brooker, paragraph 78: “Each virtual resource service 504-506 (FIG. 5) may be implemented with a collection of physical server computers and/or network elements”) and a plurality of virtual infrastructure components associated with respective virtual portions of the infrastructure under management (see e.g. Brooker, paragraph 43: “multiple types of virtual resources 218-220 such as virtual computing systems and clusters, virtual file system volumes, virtual private networks, data object stores, notification services”).

With respect to claim 8, Brooker as modified teaches: The apparatus of claim 7 wherein the plurality of infrastructure controllers comprise: 
an infrastructure controller that is configured to manage the infrastructure component associated with the physical portion of the infrastructure under management (see e.g. Brooker, paragraph 78: “Each virtual resource service 504-506 (FIG. 5) may be implemented with a collection of physical server computers and/or network elements”; and Fig. 5); and 
a plurality of additional infrastructure controllers that are configured to manage the plurality of virtual infrastructure components associated with the respective virtual portions of the infrastructure under management (see e.g. Brooker, paragraph 61: “Each virtual resource service 504, 506 may maintain a set of provisioned resources 520-522, 524-526 and incorporate a resource interface 528, 530. For example, each virtual resource service 504-506 may maintain one type of virtual resource 218-220 as described above with reference to FIG. 2”; and paragraph 43: “multiple types of virtual resources 218-220 such as virtual computing systems and clusters, virtual file system volumes, virtual private networks, data object stores, notification services”).

With respect to claim 9, Brooker as modified teaches: The apparatus of claim 1 wherein the management control plane is located at a geographically distinct location from the infrastructure under management (see e.g. Brooker, paragraph 44: “The virtual resource provider 202 may be implemented, at least in part, with server computers such as the Web server 106 and the application server 108 described above with reference to FIG. 1, and one or more data stores such as the data store 110 of FIG. 1, interconnected by a relatively high speed data network (not shown in FIG. 2)”; paragraph 60: “The virtual resource provider 202 may be implemented as a collection of networked services. FIG. 5 depicts aspects of an example virtual resource provider 502 implemented in accordance with at least one embodiment”; and Fig.1, 5).

With respect to claim 10, Brooker as modified teaches: The apparatus of claim 1 wherein the master control plane is configured: 
to generate a message (see e.g. Brooker, paragraph 80: “each interface element 904-922 corresponds to a set of messages of a Web-based services protocol”) based at least in part on: 
the instruction (see e.g. Brooker, paragraph 45: “multiple resource interfaces 306-308 enabling user interaction with the virtual resources 218-220”; paragraph 80: “Each interface element 904-922 defines a structured interaction with the provisioned resources 812-818 (FIG. 8) including a request to perform a set of actions with respect to at least one of the provisioned resources 812-818”; and Fig. 3, 9), 
a digital signature generated based at least in part on the instruction (see e.g. Brooker, paragraph 24: “credentials includes a unique identifier string for a set of one or more virtual machine instances. Other types of credentials may also be used, such as keys for one or more public key cryptography authentication and/or other processes. Credentials may also encode metadata about associated computing resources. For instance, using the example of a virtual machine instance, credentials may encode an identifier of an owner of the instance, software installed on the instance, a machine image used to instantiate the instance, an operating system of the instance, one or more software licenses attached to the instance's machine image, an Internet protocol (IP) or other identifier of the instance, and/or other information”; and paragraph 30: “cryptographic credentials that authenticate and/or authorize the policy and/or an associated user”), and 
a timestamp generated in conjunction with a creation of the instruction (see e.g. Brooker, paragraph 32: “regulatory classifications associated with the request, date and time”; and paragraph 67); and 
to encrypt the message (see e.g. Brooker, paragraph 24: “credentials may also be used, such as keys for one or more public key cryptography authentication”; paragraph 30: “cryptographic credentials that authenticate and/or authorize the policy and/or an associated user”; and paragraph 96), 
wherein communicating the instruction to the given infrastructure controller via the corresponding messaging interface comprises communicating the encrypted message to the given infrastructure controller via the corresponding messaging interface (see e.g. Brooker, paragraph 30: “cryptographic credentials that authenticate and/or authorize the policy and/or an associated user”; and paragraph 49: “The verification mode component 320 may be further configured to process requests for verification mode tokens (e.g., cryptographic tokens), and to authenticate such tokens”).

With respect to claims 11 and 13-15: Claims 11 and 13-15 are directed to a method corresponding to the active functions implemented by the apparatus disclosed in claims 1, 4, and 7-9; please see the rejections directed to claims 1, 4, 7-9 above which also cover the features of the method recited in claims 11 and 13-15.

With respect to claims 16 and 18-20: Claims 16 and 18-20 are directed to a computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing platform comprising a plurality of processing devices, causes the processing platform to perform functions corresponding to the active functions implemented by processing platform of the apparatus disclosed in claims 1, 4, and 7-9; please see the rejections directed to claims 1, 4, 7-9 above which also cover the features of the method recited in claims 16 and 18-20. Note that, Brooker also discloses a computer-readable medium storing instructions configured to implement functions (see e.g. Brooker, paragraph 41) corresponding to the functionality of the apparatus disclosed in claims 1, 4, and 7-9.

Claims 2, 3, 12, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Brooker in view of Xiao as applied to claims 1, 11, and 16 above, and further in view of Guerrero et al. (US 2005/0147095 A1; hereinafter Guerrero).

With respect to claim 2, Brooker as modified teaches: The apparatus of claim 1 
Brooker does not explicitly disclose outbound and inbound queues.
However, Guerrero teaches:
wherein each messaging interface comprises an outbound queue and an inbound queue (see e.g. Guerrero, paragraph 18: “a receive queue when referenced with respect to incoming packets and as a transmit queue when referenced with respect to outgoing packets”; paragraph 16; and Fig. 1), the instruction to the given infrastructure controller being communicated via the outbound queue of the corresponding messaging interface (see e.g. Guerrero, paragraph 18: “a transmit queue when referenced with respect to outgoing packets”).
Brooker and Guerrero are analogous art because they are in the same field of endeavor: managing communications associated with a central/master control plane. Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Brooker with the teachings of Guerrero. The motivation/suggestion would be to improve message communications.

With respect to claim 3, Brooker as modified teaches: The apparatus of claim 2 wherein the master control plane is configured to receive a response to the instruction from the given infrastructure controller (see e.g. Brooker, paragraph 81: “utilize the read resource attribute(s) interface element 906 to request a read or view of one or more attributes of one or more of the provisioned resources 812-818. For example, the read resource attribute(s) interface element 906 may enable clients 204-206 to obtain copies of specified data objects from specified data object stores”)
Brooker does not but Guerrero teaches:
via the inbound queue of the corresponding messaging interface (see e.g. Guerrero, paragraph 18: “a receive queue when referenced with respect to incoming packets”).
Brooker and Guerrero are analogous art because they are in the same field of endeavor: managing communications associated with a central/master control plane. Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Brooker with the teachings of Guerrero. The motivation/suggestion would be to improve message communications.

With respect to claim 12: Claim 12 is directed to a method corresponding to the active functions implemented by the apparatus disclosed in claims 2-3; please see the rejections directed to claims 2-3 above which also cover the features of the method recited in claim 12.

With respect to claim 17: Claim 17 is directed to a computer program product configured to implement functions corresponding to the active functions implemented by the apparatus disclosed in claims 2-3; please see the rejections directed to claims 2-3 above which also cover the features of the product recited in claim 17.

Response to Arguments
Applicant’s arguments with respect to the limitation “one-to-one” recited in claims 1, 11, and 16  have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant's arguments filed 11/09/2020 have been fully considered but they are not persuasive. In detail:

one of a plurality of infrastructure controllers residing on an infrastructure under management” (see Remarks, pages 12-13).
	However, note that Brooker does disclose each of the resource interfaces 306-308 (i.e. each of the messaging interfaces) corresponding to virtual resources 218-220 (i.e. the infrastructure controllers) based on the type of the virtual resources (see e.g. Brooker, paragraph 45: “there may be one of the resource interfaces 306-308 for each of the types of virtual resources 218-220”). More specifically, a resource interface enables user interactions with corresponding virtual resources (see e.g. Brooker, paragraph 45: “”).
As a specific example, Fig. 5 shows resource interface 528 having a correspondence to a virtual resource 520 of the virtual resources 520-526 (see e.g. Brooker, paragraph 61: “maintain a set of provisioned resources 520-522, 524-526 and incorporate a resource interface 528, 530… maintain one type of virtual resource 218-220 as described above with reference to FIG. 2, and incorporate a corresponding one of the resource interfaces 306-308 described above with reference to FIG. 3”; Fig. 5).
That is, Brooker discloses a resource interface (i.e. a messaging interface) having a correspondence to a corresponding virtual resource (i.e. an infrastructure controller) of a plurality of virtual resources (albeit not being “one-to-one”). 
Consequently, Brooker teaches the limitation “each messaging interface having a … correspondence to a corresponding one of the plurality of infrastructure controllers of the infrastructure under management” as recited in claim 1. For more details, please see the corresponding rejection above.

(2)	Regarding claim 1, applicant argues that Booker fails to teach the limitation “the processing platform being configured to communicate with an infrastructure under management by the processing platform over a network” as recited (Remarks, page 13).
	However, note that Brooker discloses a Virtual Resource Provider 202 (i.e. a processing platform) comprising web servers, application servers, and data stores that provide provisioned computing resources 216 (i.e. an infrastructure) communicating with each other over a network (see e.g. Brooker, paragraph 44: “The virtual resource provider 202 may be implemented, at least in part, with server computers such as the Web server 106 and the application server 108 described above with reference to FIG. 1, and one or more data stores such as the data store 110 of FIG. 1, interconnected by a relatively high speed data network (not shown in FIG. 2). The server computers and/or data store(s) implementing the virtual resource provider 202 may include different types and/or configurations of server computers and/or data stores allocated to different virtual resource types 218-220 and to a control plane 222 of the virtual resource provider 202”).
	As an example, Fig. 5 shows a network 516 for the virtual resource provider 502 (i.e. the processing platform) wherein servers and data stores are in communication with provisioned Virtual Resource Services 504-506 (i.e. the infrastructure) (see e.g. Brooker, paragraphs 60-61; and Fig. 5).
	Consequently, Brooker teaches the limitation “the processing platform being configured to communicate with an infrastructure under management by the processing platform over a network” as recited in claim 1. For more details, please see the corresponding rejection above.

CONCLUSION
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
U.S. Patent No. 10,338,945 B2 hereinafter Xiao et al.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Umut Onat whose telephone number is (571)270-1735.  The examiner can normally be reached on M-Th 9:00-7:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow can be reached on (571) 272-7767.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained 






/UMUT ONAT/Primary Examiner, Art Unit 2194