Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Introduction
This office action is in response to Applicant’s communication filed on 4/22/2021. Claims 1-20 are pending in the application and have been examined. Claims 1, 4, and 13 have been amended.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/24/2021 has been considered by the examiner.

Response to Arguments
Applicant’s arguments on 35 U.S.C 102/103:
Applicant’s arguments, see pages 13-16, filed on 4/22/2021, with respect to the rejection(s) of claims 1-20 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Van Dussen et al. Publication No. US 2019/0253274 A1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4-8, 10, 13-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Stickle et al. Publication No. US 2015/0089034 A1 (Stickle hereinafter) in view of Van Dussen et al. Publication No. US 2019/0253274 A1 (Dussen hereinafter) and Tillotson Patent No. US 9,942,787 B1 (Tillotson hereinafter).


Regarding claim 1,
Stickle teaches a computer-implemented method comprising:
obtaining, by a first service of a provider network, an identification of one or more substrate addressable devices included in an extension of the provider network (Para 0059 – Registration manager 180 of registration service receives a registration request, indicating that one or more resources located at the external data center are to be registered for control via the provider network's control interfaces, endpoints or other resources associated with the provider network control plane; and Para. 0070 – the information of resources are identified as: “LB3405A. domainname.com (IP address A.B.C.1)”, “LB3405B. domainname.com (IP address A.B.C.5)”, etc.).
based on the identification, initiating, by the first service, a launch of a plurality of compute instances within the provider network by a second service of the provider network, wherein the plurality of compute instances connect the provider network to the extension of the provider network via at least a third-party network (Para 0059 and Fig. 2 – based on identification of the resources from the request, virtual connection service establishes a secure control-plane virtual connection (such as a VPN connection) between the provider network and the resources; and Fig. 2 shows a secure control flow path 268 may , wherein the plurality of compute instances include:
a first compute instance to establish a secure tunnel to the extension of the provider network via the third-party network (Fig. 2 – a virtual private gateway 230 establishes a link 234 to the external network for flowing the control traffic; and Para 0046 - Encryption-based protocols such as TLS, SSL or IPSec may be used to secure the connections between the client-side control-plane modules and the provider network).
a second compute instance to proxy control plane traffic to a first substrate addressable device of the one or more substrate addressable devices (Para 0027 and Fig. 2 - a proxy server at the provider network may be used for the secure connections, e.g., control plane traffic between service administrative nodes of one or more provider network services and client-side resources may be routed through an intermediary proxy).
Stickle does not explicitly disclose:
wherein the extension of the provider network comprises provider resources.
wherein the second compute instance is to:
receive a first control plane message directed to the first substrate addressable device,
update a message state data store based at least in part on the first control plane message, and 
send a second control plane message to the first compute instance for transmission to the first substrate addressable device via the secure tunnel.

Dussen teaches: 
wherein the extension of the provider network comprises provider resources (Para 0042 – the extension of computing service provider networks 304(s) are computer networks for providing Internet-based computing in which computing resources may be dynamically provisioned and allocated to users on-demand, from a collection of resources available via the network. The computing resources can include any type of infrastructure resource, such as a computing, storage, and/or networking instance). 

Tillotson teaches wherein the second compute instance is to:
receive a first control plane message directed to the first substrate addressable device (Col 6, lines 10-40 and Fig. 2 – IPPE 220 of the virtual private gateway 222 receives un-encrypted message 217 directed to customer device 245). 
update a message state data store based at least in part on the first control plane message (Col 6, lines 10-40 and Fig. 2 – based on information on header of the received message, one or more metrics associated with the message may be stored by the intermediary at a persistent storage repository). 
send a second control plane message to the first compute instance for transmission to the first substrate addressable device via the secure tunnel (Col 6, lines 10-40 and Fig. 2 – after the one or more metrics associated with the message is stored, the outbound encrypted packet 218 corresponding to un-encrypted packet 217 may be generated at the IPPE in accordance with the appropriate encryption technique and sent on towards the customer device 245).
Stickle and Tillotson are analogous art because they are from a similar field of endeavor in the providing services at provider network techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 2, the computer-implemented method of claim 1,
Stickle does not explicitly disclose
monitoring, by the first service, an actual state of the plurality of compute instances. 
determining, by the first service, that a third compute instance of the plurality of compute instances is causing the actual state of the plurality of compute instances to not match a desired state of the plurality of compute instances, wherein the desired state of the plurality of compute instances is based at least in part on the identification.
initiating, by the first service, the launch of a fourth compute instance by the second service, wherein the fourth compute instance is to replace the third compute instance.
sending an identification of the fourth compute instance to at least one of the plurality of compute instances other than the third compute instance.

Tillotson teaches wherein the second compute instance is to:
monitoring, by the first service, an actual state of the plurality of compute instances; determining, by the first service, that a third compute instance of the plurality of compute instances is causing the actual state of the plurality of compute instances to not match a desired state of the plurality of compute instances, wherein the desired state of the plurality of compute instances is based at least in part on the identification; initiating, by the first service, the launch of a fourth compute instance by the second service, wherein the fourth compute instance is to replace the third compute instance; and sending an identification of the fourth compute instance to at least one of the plurality of compute instances other than the third compute instance. (Col 10, lines 49-58 - a health monitoring service of the provider network may monitor the actual state of IPPEs. In response to a determination that a failure may have occurred at the primary IPPE (e.g., that a probability of a failure at the primary IPPE is above a threshold), the health monitoring service of the provider network may rapidly initiate a transition of the secondary IPPE to a primary role, so all the traffic is flowed via the second IPPE).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 4,
Stickle teaches a computer-implemented method comprising:
obtaining, by a first service of a provider network, an identification of one or more substrate addressable devices included in an extension of the provider network (Para 0059 – Registration manager 180 of registration service receives a registration request, indicating that one or more resources located at the external data center are to be registered for control via the provider network's control interfaces, endpoints or other resources associated with the provider network control plane; and Para. 0070 – the information of resources are identified as: “LB3405A. domainname.com (IP address A.B.C.1)”, “LB3405B. domainname.com (IP address A.B.C.5)”, etc.).
based on the identification, initiating a launch of one or more compute instances within the provider network, the one or more compute instances to connect the provider network to the extension of the provider network across at least a third-party network (Para 0059 and Fig. 2 – based on identification of the resources from the request, virtual connection service establishes a secure control-plane virtual connection (such as a VPN connection) between the provider network and the resources; and Fig. 2 shows a secure control flow path 268 may be established between the control plane nodes 205 located within the provider network 101 and the control-plane modules installed at the registered resources within the external network)
Stickle does not explicitly disclose:
wherein the extension of the provider network comprises provider resources.
wherein the second compute instance is to:
receive a first control plane message directed to the first substrate addressable device,
update a message state data store based at least in part on the first control plane message, and 
send a second control plane message to the first compute instance for transmission to the first substrate addressable device via the secure tunnel.

Dussen teaches: 
wherein the extension of the provider network comprises provider resources (Para 0042 – the extension of computing service provider networks 304(s) are computer networks for providing Internet-based computing in which computing resources may be dynamically provisioned and allocated to users on-demand, from a collection of resources available via the network. The computing resources can include any type of infrastructure resource, such as a computing, storage, and/or networking instance). 

Tillotson teaches
receive a first control plane message directed to the first substrate addressable device (Col 6, lines 10-40 and Fig. 2 – IPPE 220 of the virtual private gateway 222 receives un-encrypted message 217 directed to customer device 245). 
update a message state data store based at least in part on the first control plane message (Col 6, lines 10-40 and Fig. 2 – based on information on header of the received message, one or more metrics associated with the message may be stored by the intermediary at a persistent storage repository). 
send a second control plane message to the first compute instance for transmission to the first substrate addressable device via the secure tunnel (Col 6, lines 10-40 and Fig. 2 – after the one or more metrics associated with the message is stored, the outbound encrypted packet 218 corresponding to un-encrypted packet 217 may be generated at the IPPE in accordance with the appropriate encryption technique and sent on towards the customer device 245).
Stickle and Tillotson are analogous art because they are from a similar field of endeavor in the providing services at provider network techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 5, the computer-implemented method of claim 4,
Stickle does not explicitly disclose
wherein the first control plane message includes an identifier of a source of the first control plane message and a call to an application programming interface (API) of the first substrate addressable device.
wherein the updating the message state data store includes storing the identifier of the source and an indication of the call to the API.
Tillotson teaches
wherein the first control plane message includes an identifier of a source of the first control plane message and a call to an application programming interface (API) of the first substrate addressable device; and wherein the updating the message state data store includes storing the identifier of the source and an indication of the call to the API (Col 4, lines 59-67 – a set of programmatic interfaces (e.g., APIs) may be implemented by the provider network to enable customers to utilize VPN-related features of the provider network. Such interfaces may be used to indicate client preferences regarding monitoring of VPN traffic, to submit queries regarding VPN traffic and/or to receive summarized/aggregated VPN performance metrics initially obtained at the intermediary devices such as IPPEs; and Col 11 lines 20-51 - based on information on header of the received message, one or more metrics and metadata associated with the message may be stored by the intermediary at a persistent storage repository, wherein the stored metadata may include source and destination address). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 6, the computer-implemented method of claim 4,
Stickle does not explicitly disclose
attaching a virtual network address to at least one compute instance of the one or more compute instances, wherein the virtual network address matches a substrate address of the first substrate addressable device of the one or more substrate addressable devices.
Tillotson teaches
attaching a virtual network address to at least one compute instance of the one or more compute instances, wherein the virtual network address matches a substrate address of the first substrate addressable device of the one or more substrate addressable devices (Col 10 lines 13-17 - IP addresses of the IPPEs 110A and 110B which are designated as VPN endpoints within the provider network). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 7, the computer-implemented method of claim 4,
Stickle does not explicitly disclose
sending, by the first service to a workflow execution service of the provider network, a request to execute a workflow that includes an operation to launch at least one compute instance of the one or more compute instances.
executing, by a workflow executor managed by the workflow execution service, the workflow.
Tillotson teaches
sending, by the first service to a workflow execution service of the provider network, a request to execute a workflow that includes an operation to launch at least one compute instance of the one or more compute instances; and executing, by a workflow executor managed by the workflow execution service, the workflow (Col 5, line 20-30 – connectivity-related control-plane components may transmit instance launch requests specifying various characteristics of the instances required (e.g., the instance types or performance capabilities) for the VPG to the virtual computing service using the virtual computing service's API, so a plurality of compute instances may be launched within the VPG-IVN). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network 

Regarding claim 8, the computer-implemented method of claim 4,
Stickle does not explicitly disclose
monitoring an actual state of the one or more compute instances.
determining that a third compute instance of the one or more compute instances is causing the actual state of the one or more compute instances to not match a desired state of the one or more compute instances, wherein the desired state of the one or more compute instances is based at least in part on the identification.
generating a schedule that identifies one or more operations to modify at least one compute instance of the one or more compute instances to reconcile a difference between the actual state and the desired state.
Tillotson teaches
monitoring an actual state of the one or more compute instances; determining that a third compute instance of the one or more compute instances is causing the actual state of the one or more compute instances to not match a desired state of the one or more compute instances, wherein the desired state of the one or more compute instances is based at least in part on the identification; and generating a schedule that identifies one or more operations to modify at least one compute instance of the one or more compute instances to reconcile a difference between the actual state and the desired state (Col 10, lines 49-58 - a health monitoring service of the provider network may monitor the actual state of IPPEs. In response to a determination that a failure may have occurred at the primary IPPE (e.g., that a probability of a failure at the primary IPPE is above a threshold), the health monitoring service of the provider network may rapidly initiate a transition of the secondary IPPE to a primary role, so all the traffic is flowed via the second IPPE). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 10, the computer-implemented method of claim 8,
Stickle does not explicitly disclose
wherein the one or more operations identified in the schedule include: a first operation to launch of a fourth compute instance to replace the third compute instance; and a second operation to send an identification of the fourth compute instance to at least one of the one or more compute instances other than the third compute instance.
Tillotson teaches
wherein the one or more operations identified in the schedule include: a first operation to launch of a fourth compute instance to replace the third compute instance; and a second operation to send an identification of the fourth compute instance to at least one of the one or more compute instances other than the third compute instance (Col 10, lines 49-58 - In response to a determination that a failure may have occurred at the primary IPPE, the health monitoring service of the provider network may rapidly initiate a transition of the secondary IPPE to a primary role, so all the traffic is flowed via the second IPPE). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 13,
Stickle teaches a system comprising:
a first one or more electronic devices of an instance management service of a provider network (Fig. 2 – customer compute instances of Client C1’s IVN 221).
a second one or more electronic devices of an extension management service of a provider network (Fig. 2 – a plurality of nodes 212-215), the extension management service including instructions that upon execution cause the extension management service to:
obtain an identification of one or more substrate addressable devices included in an extension of the provider network (Para 0059 – Registration 
based on the identification, initiate a launch of one or more compute instances within the provider network via the instance management service, the one or more compute instances to connect the provider network to the extension of the provider network across at least a third-party network (Para 0059 and Fig. 2 – based on identification of the resources from the request, virtual connection service establishes a secure control-plane virtual connection (such as a VPN connection) between the provider network and the resources; and Fig. 2 shows a secure control flow path 268 may be established between the control plane nodes 205 located within the provider network 101 and the control-plane modules installed at the registered resources within the external network)
Stickle does not explicitly disclose:
wherein the extension of the provider network comprises provider resources.
wherein the second compute instance is to:
receive a first control plane message directed to a first substrate addressable device of the one or more substrate addressable devices,
update a message state data store based at least in part on the first control plane message, and 
send a second control plane message to the first substrate addressable device via a secure tunnel.

Dussen teaches: 
wherein the extension of the provider network comprises provider resources (Para 0042 – the extension of computing service provider networks 304(s) are computer networks for providing Internet-based computing in which computing resources may be dynamically provisioned and allocated to users on-demand, from a collection of resources available via the network. The computing resources can include any type of infrastructure resource, such as a computing, storage, and/or networking instance). 
Stickle and Dussen are analogous art because they are from a similar field of endeavor in the providing services at provider network techniques. Therefore, it would 
Tillotson teaches the one or more compute instances to:
receive a first control plane message directed to a first substrate addressable device of the one or more substrate addressable devices (Col 6, lines 10-40 and Fig. 2 – IPPE 220 of the virtual private gateway 222 receives un-encrypted message 217 directed to customer device 245). 
update a message state data store based at least in part on the first control plane message (Col 6, lines 10-40 and Fig. 2 – based on information on header of the received message, one or more metrics associated with the message may be stored by the intermediary at a persistent storage repository). 
send a second control plane message to the first substrate addressable device via a secure tunnel (Col 6, lines 10-40 and Fig. 2 – after the one or more metrics associated with the message is stored, the outbound encrypted packet 218 corresponding to un-encrypted packet 217 may be generated at the IPPE in accordance with the appropriate encryption technique and sent on towards the customer device 245).
Stickle and Tillotson are analogous art because they are from a similar field of endeavor in the providing services at provider network techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Tillotson. The motivation for doing so is to monitor virtual private network connection quality at a provider network in order to provide the best of virtual services to the clients.

Regarding claim 14, the system of claim 4,
Claim 14 is analyzed and interpreted as a system of claim 5.


Regarding claim 15, the system of claim 4,
Claim 15 is analyzed and interpreted as a system of claim 6.


Regarding claim 16, the system of claim 4,
Claim 16 is analyzed and interpreted as a system of claim 7.


Regarding claim 17, the system of claim 4,
Claim 17 is analyzed and interpreted as a system of claim 8.


Regarding claim 19, the system of claim 17,
Claim 19 is analyzed and interpreted as a system of claim 10.



Claims 3, 11 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Stickle in view of Dussen and Tillotson, and further in view of Sorenson, III et al. Patent No. US 8,793,343 B1 (Sorenson hereinafter).

Regarding claim 3, the computer-implemented method of claim 1,
Stickle does not explicitly disclose
receiving, from the extension of the provider network, a public key associated with a control plane traffic tunnel endpoint of the extension.
sending the public key to a third compute instance of the plurality of compute instances, the third compute instance serving as a control plane traffic tunnel endpoint of the provider network.
Sorenson teaches
receiving, from the extension of the provider network, a public key associated with a control plane traffic tunnel endpoint of the extension; and sending the public key to a third compute instance of the plurality of compute instances, the third compute instance serving as a control plane traffic tunnel endpoint of the provider network (Col 29, line 1-6 and Fig. 18 – The gateway 84 then publishes the public key and the metadata to gateway control 70 in order to create a secured connection for communication. As shown by Fig. 18, the gateway control 70 includes a plurality of gateway control servers 74A-C, wherein one of these gateway control servers is connected to the storage gateway 84, so this server may receive and store the public key from the gateway control 70 in order to securely communicate with the storage gateway 84).


Regarding claim 11, the computer-implemented method of claim 4,
Claim 11 is analyzed and interpreted as claim 3.


Regarding claim 20, the system of claim 13,
Claim 20 is analyzed and interpreted as a system of claim 3.



Claims 9, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Stickle in view of Dussen and Tillotson, and further in view of Shevade et al. Patent No. US 9,813,379 B1 (Shevade hereinafter).

Regarding claim 9, the computer-implemented method of claim 8,
Stickle does not explicitly disclose
wherein the monitoring the actual state of the one or more compute instances includes at least one of sending a request for a response to a first compute instance of the one or more compute instances or receiving a message from the first compute instance of the one or more compute instances.
Shevade teaches
wherein the monitoring the actual state of the one or more compute instances includes at least one of sending a request for a response to a first compute instance of the one or more compute instances or receiving a message from the first compute instance of the one or more compute instances (Col 8, line 5-20 – a health monitoring service (HMS) may be implemented at a provider network to ensure that potential problems with VPN connectivity are dealt with promptly and effectively. Front-end nodes of the HMS may collect health status metrics for monitored resources using a variety of 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Shevade. The motivation for doing so is to implement virtual private gateways using compute instances at a provider network.

Regarding claim 12, the computer-implemented method of claim 4,
Stickle does not explicitly disclose
replacing a first compute instance of the one or more compute instances with a newly launched instance.
Shevade teaches
replacing a first compute instance of the one or more compute instances with a newly launched instance (Col 8, line 40-45 – If the resource whose failure probability exceeded the threshold is found to be experiencing longer term problems, the problematic resource may be taken offline and replaced by a new resource (e.g., a new instance and/or a new instance host)). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Stickle to include the teachings of Shevade. The motivation for doing so is to implement virtual private gateways using compute instances at a provider network.

Regarding claim 18, the system of claim 13,
Claim 18 is analyzed and interpreted as a system of claim 9.






Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DA T. TON whose telephone number is (571)272-9956.  The examiner can normally be reached on Mon-Fri (9am-5pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A. Louie can be reached on 571-270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/DA T TON/ Acting Patent Examiner of Art Unit 2445

/YOUNES NAJI/Primary Examiner, Art Unit 2445