DETAILED ACTION
The final office action is responsive to the amendment filed on 06/29/2021. Claims 26-45 are pending; claims 26-45 are rejected.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 26-45 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 10,298,720 B1 (P720). Although the claims at issue are not identical, they are not patentably distinct from each other.

Claim 26 of the Instant Application
Claim 7 of P720
A system, comprising:
(from claim 1)


(from claim 1)
a provider network comprising a host device implementing a plurality of virtual machines (VMs), wherein one or more of the VMs are configured as resource instances of a client of the provider network; wherein the host device includes a network management component implemented at least by one or more processors and memory and configured to process packets in packet flows between the provider network and the plurality of VMs on the host device, wherein the network management component is configured to:
provide an interface for defining rules for processing network traffic to or from a plurality of resource instances of a security group of the client that are hosted by one or more host devices of the provider network on behalf of the client, wherein the security group is a 
(from claim 1)
receive a connection request for one of the resource instances of the client on the host device;  query a client rules service of the provider network to obtain a decision on the connection request;

(from claim 7)
wherein the resource instances of the client include resource instances within a security group of a private network of the client on the provider network, wherein a security group is a logical grouping of resource instances to which access is controlled according to security group rules, and wherein, to apply the client-defined rules to the packet flows between the provider network and the resource instances of the client, the network management component is configured to apply the client-defined rules to the security group, wherein the client-defined rules replace, modify, or extend provider network security group rules applied by the provider network processing.

(from claim 1)
receive, from the client rules service, client-defined rules for packet flows for the connection between the provider network and the resource instance of the client, wherein the rules are defined and provided by the client;  and
instantiate the at least one rule at the provider network service, wherein the at least one rule is made available for application, by at least one of the host devices, to the network traffic to or from at least one of the plurality of resource instance of the client.
(from claim 1)
apply the client-defined rules to the packet flows between the provider network and the resource instance of the client, wherein the client-defined rules replace, modify, or extend provider network processing applied by the same network management component to process other packet flows between the provider network and at least another of the plurality of VMs implemented on the host device.


Claim 26 of the instant application is anticipated by patent claim 7 in that claim 7 of the patent contains all the limitations of claim 26 of the instant application. Claim 26 

As to claims 27-45, claims 1-23 of P720 obviously disclose all the limitations of claims 27-45 of the instant application. Thus, claims 27-45 of the instant application are not patentably distinct from the earlier patent claims and as such are unpatentable for obvious-type double patenting.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 26, 33, and 40 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication 2014/0059226 A1 to Messerli et al. (hereinafter Messerli) in view of U.S. Patent Application Publication 2017/0078329 A1 to Hwang et al. (hereinafter Hwang) and U.S. Patent 8,595,262 B1 to Hayden (hereinafter Hayden).

As to claims 26, 33, and 40, Messerli teaches a system, method, and one or more non-transitory computer-accessible storage media (hereinafter CRM) (cloud computing system 110, Messerli, [0032]), comprising:
one or more computing devices (information processing system 210, Messerli, [0042]-[0043]) of a provider network comprising respective processors and memory to implement a provider network service (The information processing system 210 may include any or all of the following: (a) a processor 212 for executing and otherwise processing instructions, (b) one or more network interfaces 214 (e.g., circuitry) for communicating between the processor 212 and other devices, those other devices possibly located across the network 205; (c) a memory device 216 (e.g., FLASH memory, a random access memory (RAM) device or a read-only memory (ROM) device for storing information (e.g., instructions executed by processor 212 and data operated upon by processor 212 in response to such instructions), Messerli, [0042]-[0043]), wherein the provider network service is configured to, for individual clients of one or more clients of the provider network:
Messerli does not explicitly disclose provide an interface for defining rules for processing network traffic to or from a plurality of resource instances of the client.
Hwang discloses provide an interface for defining rules for processing network traffic to or from one or more resource instances of a client (A computer system 102 such as a cloud management stack receives a request from a user 104 for provisioning of a server with one or more firewall rules.  The computer system 102 sends the firewall rules to an ODM 106 for validation.  The ODM 106, for example, runs on one or more hardware processors operatively coupled with one or more storage devices that store firewall rules, e.g., in a database table.  Responsive to receiving the request for firewall rule validation, the ODM 106 checks the firewall rules against the existing ODM rules table and determines whether to approve or deny the firewall rule, Hwang, Para. 0033-0041, 0070).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use user-provided rules and validate these rules as taught by Hwang to modify the system, method, and CRM of Messerli in order to validate rules and learn rules to validate and invalidate automatically.
Messerli-Hwang discloses wherein the resource instances are hosted by one or more host devices of the provider network on behalf of the client (A corresponding operating environment 234 would use the built-in threading, processing, and code loading capabilities to load and run code.  Adding, removing, or modifying a logical container 232 may or may not also involve adding, removing, or modifying an associated operating environment 234.  For ease of explanation below, these operating environments will be described in terms of an embodiment as "Virtual Machines," or "VMs," but this is simply one implementation among the options listed above, Messerli, [0048]-[0050]).
Messerli-Hwang does not explicitly disclose a plurality of resource instances of a security group of the client, wherein the security group is a logical grouping of the plurality of the resource instances of the client.
Hayden discloses a plurality of resource instances of a security group of a client (some instances such as 1130A, 1130B and 1130C are shown as belonging to an auto-scaling group 132.  The auto-scaling group 132 may represent a collection of resource instances allocated to a client (such as client 148) that desires automated provisioning (and/or decommissioning) of resources in response to specified threshold conditions being reached, Hayden, Col. 7, Line 45 – Col. 8, Line 16), wherein the security group is a logical grouping of the plurality of the resource instances of the client (Instances 1130 may also belong to security groups, such as security group 136, which is shown as including all eight instances of rack 126A.  Various security settings, such as the Transmission Control Protocol (TCP) ports that are open for incoming or outgoing traffic, may be shared by instances that belong to a given security group.  It is noted that although for clarity the auto-scaling group 132, load balancer group 134, and security group 136 are shown as including only instances of rack 126A, in general such groups may include instances that may be resident on other hosts at other racks, rooms, data centers and the like.  Furthermore, a given instance 1130 may also belong to multiple logical groupings or resource classes not illustrated in FIG. 1, Hayden, Col. 7, Line 45 – Col. 8, Line 16).
Note that Messerli, Hwang, and Hayden are in the field of cloud computing services and Messerli-Hwang discloses server and virtual machines; it would have been obvious to one having ordinary skill in the art before the effective filing date of the Hayden to modify the system, method, and CRM of Messerli-Hwang in order to make different types of resource identifications more efficient and effective.
Messerli-Hwang-Hayden discloses
receive, by the provider network service according to the interface, input from the client defining at least one rule for processing network traffic to or from at least one of the resource instances of the security group (When a packet arrives at edge router 402, the virtual router 406 identifies it as being logically addressed to a particular operating environment associated with the user and routes it to flow to the defined user router 426 instantiated for the customer by way of the physical interface 423 and possibly other virtual routers 426 along the way.  When the packet arrives at user router 426, the tenant-defined rules and filters are applied to the packet and the flow is stopped, edited, or redirected accordingly, Messerli, Para. 0074-0075, 0068-0072, Fig. 4. In view of Hwang, Para. 0033-0041 and Hayden, Col. 7, Line 45 – Col. 8, Line 16); and
instantiate the at least one rule at the provider network service, wherein the at least one rule is made available for application, by at least one of the host devices, to the network traffic to or from the at least one resource instance of the client (When a packet arrives at edge router 402, the virtual router 406 identifies it as being logically addressed to a particular operating environment associated with the user and routes it to flow to the defined user router 426 instantiated for the customer by way of the physical interface 423 and possibly other virtual routers 426 along the way.  When the packet arrives at user router 426, the tenant-defined rules and filters are applied to the packet and the flow is stopped, edited, or redirected accordingly, Messerli, Para. 0074-0075, 0068-0072, Fig. 4).

Allowable Subject Matter
Claims 27-32, 34-39, 41-45 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Note: the rejection on the ground of nonstatutory double patenting must be obviated in order to allow the case.

Response to Arguments
Applicant’s arguments with respect to claim(s) 26-45 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUOLEI ZONG whose telephone number is (571)270-7522.  The examiner can normally be reached on Monday-Friday 9:00AM-5:30PM IFP.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wing F Chan can be reached on (571)272-7493.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/RUOLEI ZONG/
Primary Examiner, Art Unit 2441
7/20/2021