DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In communications filed on 01/29/2021.Claims 1-8, 14-22, and 28-29 are canceled. Claims 9-13, 23-27, 30, and 32 are amended. Claims 9-13, and 23-27, and 30-33 are pending in this examination.
 In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   This examination is in response to US Patent Application No. 16/785,639.
   					
Examiner Note
Applicant is encouraged to schedule an interview with the examiner prior to the next communication to compact prosecution of the case.
Applicant’s amendment to claims 12 and 26 obviates previously raised claims objection for claims 12, and 26.

                                                 Double Patenting
With regard to the rejection of Claims 9-13, and 23-27, and 30-33 on the basis of non-statutory Double Patenting over Application No.US10, 567,347, Examiner will maintain the Double Patenting and Double Patenting rejection is held in obeyance.
  Response to Arguments
Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).  

Applicant's arguments filed 01/29/2021 have been fully considered but they are not persuasive:
Applicant submits on page 8 of remarks filed on 01/29/2021 regarding claim 9 that the cited references do not disclose or suggest “receiving, at a computing device in the datacenter, an encapsulated packet that has a payload and an encapsulating header, which stores a logical network identifier that identifies the logical network with which the packet is associated”.
Examiner respectfully disagrees with applicant argument for claim 9 filed on 01/29/2021 on page 8 of remarks. Banavalikar discloses this limitation as: [ ¶2, Overlay Virtual Networks (OVNs) use protocol headers that are encapsulated in packets on top of the original network packet to create location transparency], and [ ¶3,Protocols like VXLAN use User Datagram Protocol/Internet Protocol (UDP/IP) to encapsulate the original Ethernet packet for transmission over physical networks.  The original Ethernet packets are tunneled through the network from an originator to a nearest VXLAN gateway.  VXLAN gateways connect virtual networks to non-virtual networks (legacy networks having physical components).  Since VXLAN gateways understand (are capable of processing) VXLAN protocol and tunnels, they have the capability to identify the encapsulated packets], and   [¶72, Furthermore, the overlay tunnel-encapsulated packet 650 may comprise one or more virtual network identifiers (VN IDs) 616, such as VLAN tags, appended to an end of the outer UDP header 610, or in some other agreed upon location in the overlay tunnel protocol header 614.  The VLAN tag(s) may be in the form of IEEE 802.1q values, IEEE 802.1p values, or some other recognizable virtual network identifier known in the art and/or agreed upon during network initialization], and [¶¶7, 65, 87].
Examiner Note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate from the paragraphs mentioned above from  Banavalikar application that  , Overlay Virtual Networks (OVNs) use protocol headers that are encapsulated in packets on top of the original network packet to create location transparency and the overlay tunnel-encapsulated packet 650 may comprise one or more virtual network identifiers (VN IDs) 616, such as VLAN tags.  Examiner maintain his rejection.

Applicant submits on page 8 of remarks filed on 01/29/2021 regarding claim 9 that the cited references do not disclose or suggest “a packet payload that includes (1) an encrypted portion that is encrypted by the host computer for the particular VPN connection with the VPN client, and (2) an unencrypted portion that is used to identify a destination address of the VPN client outside of the datacenter”.
Examiner respectfully disagrees with applicant argument for claim 9 filed on 01/29/2021 on page 8 of remarks. Abadi discloses this limitation as:[Col. 1 lines 33-42, as shown in FIG. 2, each data packet 130 transmitted through the network has a packet header 132(unencrypted portion of data packet) and a packet body 134(encrypted portion of data packet). Information typically found in the packet header 132 includes a network destination address 136 that indicates where the packet is being sent, source identification data 138 that indicates where the data packet 130 originated, a packet type value 140, an offset value 142 indicating the position of the boundary between the encrypted portion 143 of the data packet and the unencrypted portion of the data packet 130, and a buffer queue index (BQI) value 144.]
Examiner Note: Examiner request applicant to indicate the paragraph number in the specification to which indicates that the payload has an encrypted and unencrypted segment which the unencrypted segment has the destination address and not the packet itself. Examiner was unable to locate this limitation in the specification. Examiner interprets the limitation as a packet has a unencrypted header segment and payload encrypted segment.  Examiner maintain his rejection.

Applicant submits on page 9 of remarks filed on 01/29/2021 regarding claim 9  that the cited references do not disclose or suggest “replacing the encapsulating first outer header with the encapsulating second outer VPN header for the particular VPN connection, with the second outer header identifying the VPN client. The Office Action cites paragraph 40 of Cohn as describing a transmitting VPN endpoint attaching an additional header and a receiving VPN endpoint removing the additional header”.
Examiner respectfully disagrees with applicant argument for claim 9 filed on 01/29/2021 on page 8 of remarks. Cohen discloses this limitation as: [¶40, Two VPN endpoints operate in conjunction to implement a VPN tunnel.  A VPN endpoint on a transmission side of the VPN tunnel may be referred to as a "transmitting VPN endpoint." A VPN endpoint on a receiving side of the VPN tunnel may be referred to as a "receiving VPN endpoint." The transmitting VPN endpoint (such as a VPN endpoint associated with a client) encapsulates a data packet addressed to a destination host connected to the VPN.  The transmitting VPN endpoint attaches an additional header and/or additional tail to the data packet.  The encapsulated data packet is sent via the underlying public network (such as the Internet 104)… The receiving VPN endpoint (such as a VPN endpoint associated with the underlay network 110) receives the encapsulated data packet.  The receiving VPN endpoint removes the additional header and/or additional tail.  The receiving VPN endpoint inspects the original data packet to determine the destination host to which the data packet is addressed], and [¶67, the encap-decap NIC 214 forwards the data packets to the particular VPN endpoint by encapsulating the data packets using an additional header and/or additional tail. The additional header and/or additional tail includes an address of the particular VPN endpoint], and [¶¶36-41,132, overlay network, Internet gateway, VPN endpoint manager]. 

	Examiner Note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate from the paragraphs mentioned above from Cohen application that at the receiving VPN gateway the header of the packet gets 

Applicant submits on page 9 of remarks filed on 01/29/2021 regarding claim 30  that the cited references do not disclose or suggest “The cited references do not disclose (1) identifying, at an edge gateway of a logical network, a destination address from an unencrypted portion of an encapsulated packet received by a VPN client, (2) replacing an outer VPN header with another encapsulating header that specifies the identified destination address, which is an address of a host computer executing a machine associated with the logical network, and (3) forwarding the packet with this new encapsulating header. As mentioned above, the cited references do not disclose replacing VPN headers for logical network headers or vice versa”.

	Examiner respectfully disagrees with applicant argument for claim 10 filed on 01/29/2021 on page 8 of remarks.

 Cohen discloses (1) identifying, at an edge gateway of a logical network [¶40, Two VPN endpoints operate in conjunction to implement a VPN tunnel.  A VPN endpoint on a transmission side of the VPN tunnel may be referred to as a "transmitting VPN endpoint." A VPN endpoint on a receiving side of the VPN tunnel may be referred to as a "receiving VPN endpoint." The transmitting VPN endpoint (such as a VPN endpoint associated with a client) encapsulates a data packet addressed to a destination host connected to the VPN.  The transmitting VPN endpoint attaches an additional header and/or additional tail to the data packet.  The encapsulated data packet is sent via the underlying public network (such as the Internet 104)… The receiving VPN endpoint (such as a VPN endpoint associated with the underlay network 110) receives the encapsulated data packet.  The receiving VPN endpoint removes the additional header and/or additional tail.  The receiving VPN endpoint inspects the original data packet to determine the destination host to which the data packet is addressed], and [¶67, the encap-decap NIC 214 forwards the data packets to the particular VPN endpoint by encapsulating the data packets using an additional header and/or additional tail. The additional 
header and/or additional tail includes an address of the particular VPN endpoint], and [¶¶36-41, 67, 132,143 overlay network, Internet gateway, VPN endpoint manager, clients and VPN endpoints]. 
Examiner Note: Banavalikar also discloses [¶3, Protocols like VXLAN use User Datagram Protocol/Internet Protocol (UDP/IP) to encapsulate the original Ethernet packet for transmission over physical networks.  The original Ethernet packets are tunneled through the network from an originator to a nearest VXLAN gateway.  VXLAN gateways connect virtual networks to non-virtual networks (legacy networks having physical components)].

Abadi discloses a destination address from an unencrypted portion of an encapsulated packet received by a VPN client[Col. 1 lines 33-42, as shown in FIG. 2, each data packet 130 transmitted through the network has a packet header 132(unencrypted portion of data packet) and a packet body 134(encrypted portion of data packet). Information typically found in the packet header 132 includes a network destination address 136 that indicates where the packet is being sent, source identification data 138 that indicates where the data packet 130 originated].

 replacing an outer VPN header with another encapsulating header that specifies the identified destination address, which is an address of a host computer executing a machine associated with the logical network, and (3) forwarding the packet with this new encapsulating header[¶40, Two VPN endpoints operate in conjunction to implement a VPN tunnel.  A VPN endpoint on a transmission side of the VPN tunnel may be referred to as a "transmitting VPN endpoint." A VPN endpoint on a receiving side of the VPN tunnel may be referred to as a "receiving VPN endpoint." The transmitting VPN endpoint (such as a VPN endpoint associated with a client) encapsulates a data packet addressed to a destination host connected to the VPN.  The transmitting VPN endpoint attaches an additional header and/or additional tail to the data packet.  The encapsulated data packet is sent via the underlying public network (such as the Internet 104)… The receiving VPN endpoint (such as a VPN endpoint associated with the underlay network 110) receives the encapsulated data packet.  The receiving VPN endpoint removes the additional header and/or additional tail.  The receiving VPN endpoint inspects the original data packet to determine the destination host to which the data packet is addressed], and [¶67, the encap-decap NIC 214 forwards the data packets to the particular VPN endpoint by encapsulating the data packets using an additional header and/or additional tail. The additional header and/or additional tail includes an address of the particular VPN endpoint], and [¶¶36-41,132, overlay network, Internet gateway, VPN endpoint manager]. 

Examiner Note: Banavalikar also discloses [[¶3, Protocols like VXLAN use User Datagram Protocol/Internet Protocol (UDP/IP) to encapsulate the original Ethernet packet for transmission over physical networks.  The original Ethernet packets are tunneled through the network from an originator to a nearest VXLAN gateway.  VXLAN gateways connect virtual networks to non-virtual networks (legacy networks having physical components], and  [¶7, a method for providing QoS to packets in an overlay virtual network (OVN) includes: receiving a packet on a source port, determining a virtual network associated with the source port, encapsulating the packet with at least one overlay tunnel header to form an overlay tunnel-encapsulated packet, storing QoS attributes with the at least one overlay tunnel header, the QoS attributes being determined at least in part by the virtual network, and sending the overlay tunnel-encapsulated packet via an overlay tunnel], and [¶65, Once the overlay tunnel-encapsulated packet arrives at the end of the tunnel (which may be a virtualized server, physical server, switch, router, or some other overlay-capable device known in the art), the outer header(s) of the overlay tunnel-encapsulated packet (along with any IEEE 802.1q header) is removed. Then, the destination vNIC port is looked up based on the destination MAC stored in the original packet. After the vNIC port for the DMAC is determined, the original packet is forwarded to the vNIC for delivery to its destination].


Claim Rejections - 35 USC § 103

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 9-13, 23-27, and  30-33, are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 2015/0281099 to Banavalikar et al (“Banavalikar”) (filed in IDS02/10/2020)    in view of US Patent No. 201/0062992 issued to Cohn et al (“Cohn”) (filed in IDS02/10/2020)  and in view of US Patent No. 5,268,962 issued to Abadi et al (“Abadi”) (filed in IDS02/10/2020)  and further in view of US Patent No. 2015/0146733 issued to Haney(filed in IDS02/10/2020).
Regarding claim 9,  Banavalikar  discloses receiving, at a computing device in the datacenter, a packet comprising an encapsulating first outer header and a payload, the encapsulating first outer header storing a logical network identifier that identifies the logical network to which the packet is associated[ ¶2, Overlay Virtual Networks (OVNs) use protocol headers that are encapsulated in packets on top of the original network packet to create location transparency], and [ ¶3,Protocols like VXLAN use User Datagram Protocol/Internet Protocol (UDP/IP) to encapsulate the original Ethernet packet for transmission over physical networks.  The original Ethernet packets are tunneled through the network from an originator to a nearest VXLAN gateway.  VXLAN gateways connect virtual networks to non-virtual networks (legacy networks having physical components).  Since VXLAN gateways understand (are capable of processing) VXLAN protocol and tunnels, they have the capability to identify the encapsulated packets], and   [¶72, Furthermore, the overlay tunnel-encapsulated packet 650 may comprise one or more virtual network identifiers (VN IDs) 616, such as VLAN tags, appended to an end of the outer UDP header 610, or in some other agreed upon location in the overlay tunnel protocol header 614.  The VLAN tag(s) may be in the form of IEEE 802.1q values, IEEE 802.1p values, or some other recognizable virtual network identifier known in the art and/or agreed upon during network initialization], and [¶¶7, 65, 87].
Examiner Note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate from the paragraphs mentioned above from  Banavalikar application that  , Overlay Virtual Networks (OVNs) use protocol headers that are encapsulated in packets on top of the original network packet to create location transparency and the overlay tunnel-encapsulated packet 650 may comprise one or more virtual network identifiers (VN IDs) 616, such as VLAN tags.
 Banavalikar does not explicitly disclose, however, Cohen discloses for facilitating virtual private network (VPN) connections, a method for forwarding a packet from a logical network that is defined over a physical network of a datacenter to a VPN client outside of the datacenter through a particular VPN connection between a host computer inside of the datacenter and the VPN client outside of the datacenter, the method comprising[¶40, Two VPN endpoints operate in conjunction to implement a VPN tunnel.  A VPN endpoint on a transmission side of the VPN tunnel may be referred to as a "transmitting VPN endpoint." A VPN endpoint on a receiving side of the VPN tunnel may be referred to as a "receiving VPN endpoint." The transmitting VPN endpoint (such as a VPN endpoint associated with a client) encapsulates a data packet addressed to a destination host connected to the VPN.  The transmitting VPN endpoint attaches an additional header and/or additional tail to the data packet.  The encapsulated data packet is sent via the underlying public network (such as the Internet 104)… The receiving VPN endpoint (such as a VPN endpoint associated with the underlay network 110) receives the encapsulated data packet.  The receiving VPN endpoint removes the additional header and/or additional tail.  The receiving VPN endpoint inspects the original data packet to determine the destination host to which the data packet is addressed], and [¶67, the encap-decap NIC 214 forwards the data packets to the particular VPN endpoint by encapsulating the data packets using an additional header and/or additional tail. The additional 
Header and/or additional tail includes an address of the particular VPN endpoint], and [¶¶36-41, 67, 132,143 overlay network, Internet gateway, VPN endpoint manager, clients and VPN endpoints]; and
replacing the encapsulating first outer header of the packet with an encapsulating second outer VPN header for the particular VPN connection, the second outer VPN header specifying the identified network address of the VPN client as the destination address of the packet[¶40, Two VPN endpoints operate in conjunction to implement a VPN tunnel.  A VPN endpoint on a transmission side of the VPN tunnel may be referred to as a "transmitting VPN VPN endpoint attaches an additional header and/or additional tail to the data packet.  The encapsulated data packet is sent via the underlying public network (such as the Internet 104)… The receiving VPN endpoint (such as a VPN endpoint associated with the underlay network 110) receives the encapsulated data packet.  The receiving VPN endpoint removes the additional header and/or additional tail.  The receiving VPN endpoint inspects the original data packet to determine the destination host to which the data packet is addressed], and [¶67, the encap-decap NIC 214 forwards the data packets to the particular VPN endpoint by encapsulating the data packets using an additional header and/or additional tail. The additional 
header and/or additional tail includes an address of the particular VPN endpoint], and [¶¶36-41,132, overlay network, Internet gateway, VPN endpoint manager]. 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar with the teaching of Cohn in order to implement a virtual private network (VPN) which is a private network that extends across a public network, such as the Internet, in which the VPN endpoint manager inspects the data packets to determine whether the data packets are addressed to the Endpoint Pool Address.  The VPN endpoint manager identifies a destination address included in each data packet.  As an example, a destination address may be included in an outer header of a data packet.  The VPN endpoint manager detects data packets that identify the Endpoint Pool Address as the destination address [Cohn, ¶¶3, 71].
and the payload of the packet comprising an unencrypted portion and an encrypted portion that was encrypted by the host computer for the particular VPN connection with the VPN client [Col. 1 lines 33-42, as shown in FIG. 2, each data packet 130 transmitted through the network has a packet header 132(unencrypted portion of data packet) and a packet body 134(encrypted portion of data packet). Information typically found in the packet header 132 includes… an offset value 142 indicating the position of the boundary between the encrypted portion 143 of the data packet and the unencrypted portion of the data packet 130]; and N233 38
identifying, from said unencrypted portion of the encapsulated payload, a network address of the VPN client outside of the datacenter as a destination of the received packet [Col. 1 lines 33-42, as shown in FIG. 2, each data packet 130 transmitted through the network has a packet header 132(unencrypted portion of data packet) and a packet body 134(encrypted portion of data packet). Information typically found in the packet header 132 includes a network destination address 136 that indicates where the packet is being sent, source identification data 138 that indicates where the data packet 130 originated].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar and Cohn with the teaching of Abadi in order to in order for a computer network in which a single host-to-host encryption/decryption key established for each pair of host computers is modified in a predefined fashion for each transmitted data packet so as to thwart attempts to change the destination information in data packets [Abadi, Col.1 lines 5-12].  
Banavalikar, Cohn and Abadi do not explicitly disclose, however, Haney discloses forwarding the packet with the encapsulating second outer VPN header to the VPN client outside of the datacenter [abstract. Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets which have a header which includes as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel (public address], and  [¶36, with reference to FIG. 3, the VPN router 10A on the transmission side of the Internet 1 encrypts a plain text IP packet sent out from a client computer (transmission host) 5 in the first intranet 2. The VPN router 10A then transmits, to the IPsec tunnel 4A of the Internet 1, an encapsulated encrypted packet obtained by adding an IP header (tunnel IP header) addressed to the opposing VPN router 10B and an ESP header (encrypted header)], and [(][37, the VPN router 10B on the reception side of the IPsec tunnel 4A of the Internet 1 removes the tunnel IP header and the encrypted header from the received encapsulated encrypted packet to decrypt the packet and then relays the plain text IP packet to a client computer (reception host) 6 in the second intranet 3. The plain text IP packet includes an IP header, a TCP (Transmission Control Protocol) header, and payload data. The encapsulated plain text packet transmitted and received through the plain text tunnel 4B adopts a mode obtained by adding just the tunnel IP header to the plain text IP packet], and [Abstract, ¶40]. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar, Cohen and Abadi with the teaching of Haney in order for routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths [Haney, abstract].
 wherein the VPN client decapsulates the packet and decrypts the encrypted portion of the payload of the packet [Abstract, The payload sections of these packets are the original IP 
 It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar, Cohen, Abadi with the teaching of Haney in order to provide security and privacy to packets during its transport across the internet through the "private tunnel" Since the internet is a public facility, private and sensitive data transmitted over the internet is subject to snooping [Haney, ¶¶16, 22].
Regarding claim 10, Banavalikar discloses wherein said computing device is an edge node of the data center that comprises a plurality of host computers executing machines connected to the logical network [ see FIG.3, Virtual network A with VM 308s, and Virtual Network B with VM310s, ¶¶36,68].
Examiner note: Cohn also discloses this limitation as: [see FIG 6A-B and corresponding text for more detail], and [¶143, network resources (such as digital devices, virtual machines, application instances, and threads) corresponding to different tenants are isolated to tenant-specific overlay 
Regarding claim 11, Banavalikar discloses  wherein the received encapsulated packet is tunneled to the computing device from the  host computer, wherein the host computer and the computing device are tunnel endpoints of an overlay logical network[¶6, receive an overlay tunnel-encapsulated packet via an overlay tunnel, the overlay tunnel-encapsulated packet including at least one overlay tunnel header having Quality of Service (QoS) attributes stored therein and a packet, remove the QoS attributes from the at least one overlay tunnel header, decapsulate the packet from the overlay tunnel-encapsulated packet to remove the at least one overlay tunnel header, determine a destination port from the packet], and [¶2]; and
Regarding claim 12, Banavalikar, Cohen and Abadi do not explicitly disclose, however, Haney discloses wherein the computing device is a VPN gateway that negotiated with the VPN client for an encryption key that is used to encrypt the encrypted portion of the packet, wherein the encryption key is provided to the host computer for encrypting the packet [¶20, Data security is implemented by the use of conventional or custom firewall/VPN technology. At each customer site, a firewall/VPN device is configured to securely encrypt the payload of each AlterWAN packet to be sent through a "private tunnel" to the far end customer site where the payload is decrypted. Using conventional firewalls, the encryption method and the encryption keys used at both ends for transmissions in both directions are the same… the firewalls at both ends use the same encryption method and key or keys for encryption of packets at the source and decryption of them at the destination by predetermined configurations that are programmed into the firewalls], and [abstract, ¶41].

Regarding claim 13, Banavalikar , Abadi and Haney do not explicitly disclose, however, Cohen discloses discloses further comprising removing encapsulation of the overlay logical network from the packet before attaching outer header Cohen discloses for facilitating virtual private network (VPN) connections, a method for forwarding a packet from a logical network that is defined over a physical network of a datacenter to a VPN client outside of the datacenter through a particular VPN connection between a host computer inside of the datacenter and the VPN client outside of the datacenter, the method comprising[¶40, Two VPN endpoints operate in conjunction to implement a VPN tunnel.  A VPN endpoint on a transmission side of the VPN tunnel may be referred to as a "transmitting VPN endpoint." A VPN endpoint on a receiving side of the VPN tunnel may be referred to as a "receiving VPN endpoint." The transmitting VPN endpoint (such as a VPN endpoint associated with a client) encapsulates a data packet addressed to a destination host connected to the VPN.  The transmitting VPN endpoint attaches an additional header and/or additional tail to the data packet.  The encapsulated data packet is sent via the underlying public network (such as the Internet 104)… The receiving VPN endpoint (such as a VPN endpoint associated with the underlay network 110) receives the encapsulated data packet.  The receiving VPN endpoint removes the additional header and/or additional tail.  The receiving VPN endpoint inspects the original data packet to determine the destination host to which the data packet is addressed], and [¶67, the 
Header and/or additional tail includes an address of the particular VPN endpoint], and [¶¶36-41, 67, 132,143 overlay network, Internet gateway, VPN endpoint manager, clients and VPN endpoints].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar, Abadi, and Haney with the teaching of Cohn in order to implement a virtual private network (VPN) which is a private network that extends across a public network, such as the Internet, in which the VPN endpoint manager inspects the data packets to determine whether the data packets are addressed to the Endpoint Pool Address.  The VPN endpoint manager identifies a destination address included in each data packet.  As an example, a destination address may be included in an outer header of a data packet.  The VPN endpoint manager detects data packets that identify the Endpoint Pool Address as the destination address [Cohn, ¶¶3, 71].
Regarding claim 23, this claim is interpreted and rejected for the same rational set forth in claim 1.  
Regarding claim 24, this claim is interpreted and rejected for the same rational set forth in claim 10.  
Regarding claim 25, this claim is interpreted and rejected for the same rational set forth in claim 11.  
Regarding claim 26, this claim is interpreted and rejected for the same rational set forth in claim 12.

Regarding claim 27, this claim is interpreted and rejected for the same rational set forth in claim 13.  
Regarding claim 30,  the subject matter of independent claim 30 contains the corresponding features as the method of claims 9-13, and 21-22 expressed respectively in analogous terms disclosed by combination of Banavalikar ,Cohn  and  Abadi applications  and additionally the features disclosed in 30: Haney discloses wherein and forwarding the encapsulated packet along a tunnel to the particular host computer for the host computer to decrypt the packet using a key negotiated by the edge node and to provide the packet to a machine executing on the host computer[¶20, Data security is implemented by the use of conventional or custom firewall/VPN technology. At each customer site, a firewall/VPN device is configured to securely encrypt the payload of each AlterWAN packet to be sent through a "private tunnel" to the far end customer site where the payload is decrypted. Using conventional firewalls, the encryption method and the encryption keys used at both ends for transmissions in both directions are the same… the firewalls at both ends use the same encryption method and key or keys for encryption of packets at the source and decryption of them at the destination by predetermined configurations that are programmed into the firewalls], and [abstract, ¶41].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar, Cohn, and Abadi with the teaching of Haney in order to provide security and privacy to packets during its transport across the internet through the "private tunnel" Since the internet is a public facility, private and sensitive data transmitted over the internet is subject to snooping [Haney, ¶¶16, 22].
Regarding claim 31, Banavalikar discloses wherein each of the host computers in the set of host computers is a tunnel endpoint of the logical network for receiving tunnel encapsulated packets from the edge node for the logical network [see FIG.3, Non-Virtual Networks, Gateway (314), Virtual network A with VMs 308, and Virtual Network B with VMs 310 and corresponding text for more detail, ¶¶36, 68, overlay tunnel-encapsulated packet].
Examiner Note: Cohn also discloses this limitation as: [see FIG 6A-B and corresponding text for more detail, ¶37, Communications between nodes of an internal network are transmitted via tunnels through the underlay network 110.  Tunneling is performed through encapsulation and de-capsulation].
Regarding claim 32, Banavalikar disclose wherein the logical network is a first logical network, and the edge node is an edge node for a plurality of logical networks, the method further comprising: identifying the first logical network from the identified destination address[ see FIG.3, Non-Virtual Networks, Gateway(314),  Virtual network A with VMs 308, and Virtual Network B with VMs 310 and corresponding text for more detail]; and
storing in the encapsulated packet a logical network identifier for the first logical network before forwarding the encapsulated packet to the particular host computer [Abstract, method includes receiving a packet on a source port, determining a virtual network associated with the source port, encapsulating the packet with at least one overlay tunnel header to form an overlay packet, storing QoS attributes with the at least one overlay tunnel header, the QoS attributes being determined in part by the virtual network, and sending the overlay packet via an overlay tunnel, and [¶6].
Regarding claim 33, Banavalikar, Cohn, and Abadi do not explicitly disclose, however, Haney discloses wherein the unencrypted portion identifies a public address of the gateway [abstract, Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets which have a header which includes as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel (public address], and [¶36, with reference to FIG. 3, the VPN router 10A on the transmission side of the Internet 1 encrypts a plain text IP packet sent out from a client computer (transmission host) 5 in the first intranet 2. The VPN router 10A then transmits, to the IPsec tunnel 4A of the Internet 1, an encapsulated encrypted packet obtained by adding an IP header (tunnel IP header) addressed to the opposing VPN router 10B and an ESP header (encrypted header)], and [¶37, the VPN router 10B on the reception side of the IPsec tunnel 4A of the Internet 1 removes the tunnel IP header and the encrypted header from the received encapsulated encrypted packet to decrypt the packet and then relays the plain text IP packet to a client computer (reception host) 6 in the second intranet 3. The plain text IP packet includes an IP header, a TCP (Transmission Control Protocol) header, and payload data. The encapsulated plain text packet transmitted and received through the plain text tunnel 4B adopts a mode obtained by adding just the tunnel IP header to the plain text IP packet], and [Abstract].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Banavalikar, Cohen, and Abadi with the teaching of Haney in order for routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths [Haney, abstract].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Li(US2015/0003458) [ see FIG.3, Data center, VPN sites, PE-IV device, overlay].
QU(2013/0266019)[ VPN gateway or VXLAN server].
Swartz(2011/0314274)
Gabrielson(US8,583,913)[ (24), The payload may also be fully encrypted or have only a portion of the payload encrypted].
Divakar( US2015/0026459)[ see claim 12, encryption at least one region in the payload].
Huynh (US8, 837,491) [VPN, overlay network].
PAI(2016/0241515)[VXLAN gateway, EVPN ]
Collyer (US7, 165,175) [17, 19, 20, encrypted payload, unencrypted header].
Sridhar (US2017/0170989) [Abstract, VXLAN gateway].
Williams (US2015/0188943) [Abstract, see FIG 9, private network (VPN)-as-a-service, overlay network]. 
Zhang (2015/0009992) [Abstract, ¶¶9, 21-23, 34, 45, VXLAN gateway, VXLAN header, VXLAN encapsulated data].

Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
                                                                                                                                                                                                 Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207.  The examiner can normally be reached on Monday-Friday, 8:30am-5:30pm.Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHAHRIAR ZARRINEH/Examiner, Art Unit 2497