DETAILED ACTION
Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-7, 9, 10, 12-16, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Moroski et al (US 2018/0173561, hereinafter Moroski), in view of Ye et al (US 9,954,763, hereinafter Ye), in view of Shang et al (US 2020/0351235, hereinafter Shang), in view of Thakadu et al (US 2014/0237594, hereinafter Thakadu) and in view of Ranjan et al (US 2019/0278700, hereinafter Ranjan).

Regarding claim 1, Moroski discloses a computer-implemented method comprising: receiving, at an interface (gateway 184, Fig. 1, routes incoming and outgoing traffic, Para [0026]), in a provider network, a first packet including a first control plane message payload and a first destination address (cloud provider receives request via API calls, Para [0024]), wherein the extension of the provider network is in communication with the provider network via at least a third-party network and comprising provider hardware resources deployed at a customer specified location (hybrid cloud system controls traffic between on premise resources and the cloud provider via external network, Para [0020], hardware resources of cloud system can be distributed across multiple data centers in different locations, Para [0021], deploy and transfer VMs between cloud 150 and on premise 102, Para [0019]); sending the first control plane message payload to the first device via a first secure tunnel through the third-party network (routing traffic using VPN connectivity between on premise gateway and cloud provider gateway to VMs, Para [0026]); 		but does not disclose virtual network address associated with the interface in the provider network, wherein a virtual network address associated with the interface in the provider network matches a substrate address associated with the first device in the extension of the provider network and the destination address matches the substrate address and the virtual network address.  Ye discloses a virtual interface or virtual gateway is established, C: 5 R: 57-58, configured for use with private/virtual addresses, C: 6 R: 31-32 and the VPG routes traffic between the IVN and the customer with appropriate routing table entries, Fig. 6.  Shang discloses a gateway can store a mapping relationship between a virtual network address and an actual network address, the gateway will receive a packet, looks up the actual address in the table that matches the virtual address and then forward packet to the destination device, Para [0089].  Further nothing prevents the actual address from being mapped to an identical virtual address in the table.  In view of the combination, VMs are deployed on-site (via Moroski) and a virtual gateway is setup (via Ye) that handles routing to and from the IVN (or VMs) on site and the gateway uses the virtual to actual address mapping table (via Shang). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by Ye in order to provide greater network isolation and control to customers and utilize Shang in order to improve inter-operability and communication between different virtual clouds;		and does not disclose updating a message state data store based on at least a portion of the first control plane message payload to indicate a state of communications between the provider network and the first device in the extension of the provider network.  Thakadu discloses an API sandbox receiving API calls and making a copy of the API names and parameters, Para [0016] such as source and destination address and storing the data for a time, then releasing and storing new data, Para [0017].  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by Thakadu in order to implement an intrusion system to prevent attacks and malware;								and does not disclose determining that at least a portion of the first control plane message payload conforms to an application programming interface provided by the first device.  Ranjan determining, by interceptor software, if a request conforms to the API standards and protocols, Para [0019].  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the techniques taught by Ranjan in order to efficiently filter requests by determining if the received requests are valid or not and discarding the invalid requests.												
Regarding claim 3, Moroski discloses the computer-implemented method of claim 1, further comprising: receiving, in the provider network, a second packet having a data plane message payload and the first destination address, wherein the first destination address matches the virtual network address of the provider network and the substrate address of the first device in the extension of the provider network; and sending the data plane message payload to the first device via a second secure tunnel through the third-party network (same forwarding method as claim 1 except with a data message, which would be an obvious variation to one with ordinary skill in the art).
Regarding claim 4, Moroski discloses a computer-implemented method comprising: receiving, at an interface (gateway 184, Fig. 1, routes incoming and outgoing traffic, Para [0026]), in a provider network, a first message of a first type and having a first destination address (cloud provider receives request via API calls, Para [0024]), wherein the extension of the provider network is in communication with the provider network via at least a third-party network and comprising provider hardware resources deployed at a customer specified location (hybrid cloud system controls traffic between on premise resources and the cloud provider via external network, Para [0020], hardware resources of cloud system can be distributed across multiple data centers in different locations, Para [0021], deploy and transfer VMs between cloud 150 and on premise 102, Para [0019]); and sending a first payload of the first message to the first device via a first secure tunnel through the third-party network (routing traffic using VPN connectivity between on premise gateway and cloud provider gateway to VMs, Para [0026]);				but does not disclose virtual network address associated with the interface in the provider network, wherein a virtual network address associated with the interface in the provider network matches a substrate address associated with the first device in the extension of the provider network and the destination address matches the substrate address and the virtual network address.  Ye a virtual interface or virtual gateway is established, C: 5 R: 57-58, configured for use with private/virtual addresses, C: 6 R: 31-32 and the VPG routes traffic between the IVN and the customer with appropriate routing table entries, Fig. 6.  Shang discloses a gateway can store a mapping relationship between a virtual network address and an actual network address, the gateway will receive a packet, looks up the actual address in the table that matches the virtual address and then forward packet to the destination device, Para [0089].  Further nothing prevents the actual address from being mapped to an identical virtual address in the table.  In view of the combination, VMs are deployed on-site (via Moroski) and a virtual gateway is setup (via Ye) that handles routing to and from the IVN (or VMs) on site and the gateway uses the virtual to actual address mapping table (via Shang);					and does not disclose updating a message state data store based on at least a portion of the first message to indicate a state of communications between the provider network and the first device in the extension of the provider network. Thakadu discloses an API sandbox receiving API calls and making a copy of the API names and parameters, Para [0016] such as source and destination address, Para [0017].  
Regarding claims 5 and 14, Moroski discloses the computer-implemented method/system of claim 4/13, but not further comprising: receiving, in the provider network, a second packet from the first device via the first secure tunnel, wherein the second packet includes a second control plane message payload; determining that the second control plane message payload is not permitted to enter the provider network; and discarding the second control plane message payload.  Ranjan discloses determining, by interceptor software, if a request conforms to the API standards and protocols and discarding the request if it does not, Para [0019].
Regarding claims 6 and 15, Moroski discloses the computer-implemented method/system of claim 4/13, wherein the first message includes a first source address associated with a second device in the provider network, the method further comprising: receiving, in the provider network, a second message of the first type from the first device via the first secure tunnel, the second message having a second destination address that matches the first source address; determining that a second payload of the second message matches an expected response to the first payload of the first a response to the API request can be sent back to user, Para [0023], where this obvious to one with ordinary skill to send an appropriate response where the source address of the request becomes the destination address in the response.
Regarding claims 7 and 16, Moroski discloses the computer-implemented method/system of claim 6/15: but not wherein the first payload includes a call to an application programming interface (API) of the first device; and wherein the updating the message state data store includes storing the first source address, the first destination address, and an indication of the call to the API.  Thakadu discloses API sandbox receiving an API call and making a copy of the API names and parameters, Para [0016] such as source and destination address, Para [0017].  
Regarding claims 9 and 18, Moroski discloses the computer-implemented method/system of claim 4/13, but not explicitly further comprising: receiving, in the provider network, a second message of a second type and having the first destination address, the second message including a second payload that includes an identifier of a first compute instance hosted by the first device; and sending the second payload to the first device via a second secure tunnel through the third-party network (same forwarding method as claim 1 with second message, where it is well known the payload can have address and/or identifying information of the destination device).
Regarding claims 10 and 19, Moroski discloses the computer-implemented method/system of claim 9/18, but not explicitly wherein the second payload further includes an identifier of a second compute instance hosted by hosted by a second device of the provider network, wherein the second compute instance originated at least a portion of the second payload (It is well known the payload can have address and/or identifying information of the source device).
Regarding claim 12, Moroski discloses the computer-implemented method of claim 4, but not explicitly wherein the first secure tunnel is one of a plurality of secure tunnels between the provider network and the extension of the provider network (multiple VPN tunnels is a well-known in the art technique to one with ordinary skill).
Regarding claim 13, Moroski discloses a system (Fig. 1) comprising: a first one or more computing devices of a provider network (virtual machines, Fig. 1); a second one or more computing devices of hybrid cloud system controls traffic between on premise resources and the cloud provider via external network, Para [0020], hardware resources of cloud system can be distributed across multiple data centers in different locations, Para [0021], deploy and transfer VMs between cloud 150 and on premise 102, Para [0019]); and send a first payload of the first message to the first device via a first secure tunnel through the third-party network (routing traffic using VPN connectivity between on premise gateway and cloud provider gateway to VMs, Para [0026]); wherein the first one or more computing devices include instructions that upon execution on a processor cause the first one or more computing devices to: receive, at an interface (gateway 184, Fig. 1, routes incoming and outgoing traffic, Para [0026]), in the provider network, a first message of a first type and having a first destination address (cloud provider receives request via API calls, Para [0024]); 		but does not disclose virtual network address associated with the interface in the provider network, wherein a virtual network address associated with the interface in the provider network matches a substrate address associated with the first device in the extension of the provider network and the destination address matches the substrate address and the virtual network address.  Ye discloses a virtual interface or virtual gateway is established, C: 5 R: 57-58, configured for use with private/virtual addresses, C: 6 R: 31-32 and the VPG routes traffic between the IVN and the customer with appropriate routing table entries, Fig. 6.  Shang discloses a gateway can store a mapping relationship between a virtual network address and an actual network address, the gateway will receive a packet, looks up the actual address in the table that matches the virtual address and then forward packet to the destination device, Para [0089].  Further nothing prevents the actual address from being mapped to an identical virtual address in the table.  In view of the combination, VMs are deployed on-site (via Moroski) and a virtual gateway is setup (via Ye) that handles routing to and from the IVN (or VMs) on site and the gateway uses the virtual to actual address mapping table (via Shang);					and does not disclose updating a message state data store based on at least a portion of the first an API sandbox receiving API calls and making a copy of the API names and parameters, Para [0016] such as source and destination address, Para [0017].  


Allowable Subject Matter
Claims 2, 8, 11, 17 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Response to Arguments
Applicant's arguments filed 9/23/2021 have been fully considered but they are not persuasive.  Applicant amends the limitations and argues the references do not disclose the amended limitations.  Applicant argues the references do not disclose the limitation, where the extension of the provider network comprises provider hardware resources deployed at a customer-specified location.  Applicant argues the on premise data center in Moroski does not comprise provider hardware resources.  Para [0021] states provider hardware resources can be distributed across different data centers in different locations but Applicant argues Fig. 1 does not show this, instead the hardware resources are contained in the cloud computing system.  											In response, Applicant appears to try to equate the on premise datacenter as being the claimed extension of the provider network from the claim.  This is incorrect, the on premise datacenter is equated to being the customer network or customer specified location from the claim.  Moroski discloses the hardware resource can be distributed to any data center in any location and does not state that is has to be in a provider data center.  Applicant argues Fig. 1 does not explicitly show this embodiment, which is irrelevant, as Fig.1 is not going to display every possible embodiment described in the specification but one embodiment.  The description in Moroski already states the hardware can be distributed to any data .


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN CUNNINGHAM whose telephone number is (571) 272-1765.  The examiner can normally be reached Monday through Thursday 7:30-18:00 (EST).

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.  
/KEVIN M CUNNINGHAM/Primary Examiner, Art Unit 2461