DETAILED ACTION
1. 	This Non-Final Office Action is in response to application filed on 06/10/2020.  	Claims 1-18 are being considered on the merits. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Drawings
2. 	The drawings filed on 06/10/2020 are accepted. 
Information Disclosure Statement
3.	The information disclosure statements (IDS) submitted on 09/09/2020, 04/09/2021, 10/15/2021 and 11/12/2021 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of the Applicant’s IDS forms 1449 filed on 09/09/2020, 04/09/2021, 10/15/2021 and 11/12/2021 are attached to this office action. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


4.	Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea, without significantly more. The claims recite a method including “specifying, for each specified service policy, at least one service rule to implement the service policy, at least one specified service rule comprising a match criteria set defined by reference to the one dynamic group of endpoint machines” and “distributing, to the middlebox service nodes, a set of one or more specified service rules along with a list of member machines of the dynamic endpoint-machine group referred to by the specified service rules.” This judicial exception is not integrated into a practical application because the steps of the method are analogous to collecting, storing and analyzing information. The claims do not 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



5.	Claims 1-12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2019/0384645 A1 to Palavalli, (hereinafter, “Palavalli”), as disclosed in IDS submitted on 09/09/2020, in view of US Pub. No. US 2020/0076685 A1 to Vaidya, (hereinafter, “Vaidya”).

As per claim 1, Palavalli teaches a method of specifying service rules for middlebox service nodes to perform in a set of one or more datacenters, the method comprising 
receiving an intent-based API (Application Programming Interface) request that specifies a set of one or more service policies by reference to one dynamic group of endpoint machines (Palavalli, para. [0025] “the policy input processor 120 is an API processor that handles input -policy API commands received through an API gateway of an SDDC management system to which the policy framework belongs, or through a user interface that the SDDC management system presents to administrators of the SDDC, the SDDC tenants, and/or SDDC networks. Through these API commands, the policy input processor 120 receives several policies and stores each of these policies in a storage that it uses to identify policies that match subsequently received requests.” And para.  [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses. As shown in FIG. 2, a policy includes (1) a target 205 that specifies a set of one or more datacenter resources to which the policy applies, and (2) an expression 210 that specifies a constraint on operations on the target resource set.” And para. [0037] “The policy 200 illustrated in FIG. 2 restricts access to destination machines in a destination group to http and https accesses. Specifically, this policy specifies a constraint to be applied at an edge gateway of a tenant T's domain, as indicated by its path prefix 216.”); 
specifying, for each specified service policy, at least one service rule to implement the service policy, at least one specified service rule comprising a match criteria set defined by reference to the one dynamic group of endpoint machines (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter. In some embodiments, the type and path prefix attributes of the target 205 are used to determine whether a policy is applicable to (i.e., is associated with) an API request (i.e., whether the policy matches a set of attributes associated with the API request” and para. [0028] “The path prefix 216 for a policy is specified by reference to one or more resources in the resource hierarchy of the SDDC. In the examples illustrated in FIG. 2 and some of the other figures of this application, the resource hierarchy of the data center includes the following resources: tenant, domain, communication maps, and communication entries”); 
(Palavalli, para. [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses. As shown in FIG. 2, a policy includes (1) a target 205 that specifies a set of one or more datacenter resources to which the policy applies, and (2) an expression 210 that specifies a constraint on operations on the target resource set.” And para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter.”).
Palavalli teaches all the limitations of claim 1 above, however fails to explicitly teach but Vaidya teaches: 
a list of member machines of the dynamic endpoint-machine group referred to by the specified service rules (Vaidya, para. [0036] “Virtual routers 21 of servers 12 do contain per tenant state. They contain a separate forwarding table (a routing-instance) per virtual network. That forwarding table contains the IP prefixes (in the case of a layer 3 overlays) or the MAC addresses (in the case of layer 2 overlays) of the virtual machines or other virtual execution elements (e.g., pods of containers).” And para. [0065] “namespace specification data 27 for specifying a namespace includes a list of multiple virtual networks for the namespace, more particularly, for communications among virtual execution elements deployed to the namespace.” And para. [0066] “namespace specification data 27 specifies a list of multiple virtual networks that correspond to virtual networks configured by network controller 24 in network system 2. The virtual networks may be specified using any virtual network identifier, such as a name, UUID, or code.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya’s virtual execution elements into Palavalli’s policy constraint framework, with a motivation for orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, containers, or other virtual execution elements instead of on physical hardware appliances (Vaidya, para. [0144]). 

As per claim 2, the combination of Palavalli and Vaidya teach the method of claim 1, wherein the match criteria set comprises a group identifier that identifies the dynamic group of endpoint machines (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter.” And para. [0028] “The path prefix 216 for a policy is specified by reference to one or more resources in the resource hierarchy of the SDDC. In the examples illustrated in FIG. 2 and some of the other figures of this application, the resource hierarchy of the data center includes the following resources: tenant, domain, communication maps, and communication entries. A communication map is a set of communication rules under a domain that are applicable to communication from/to VMs in the domain, while a communication entry is a single communication rule (e.g., firewall rule) under a communication map.” And para. [0030] “an example of a communication entry includes a tuple that includes the following information: identifier, name, description, source groups, destination groups, services, action, and scope.” And para. [0043] “the policy checking engine 115 compares a set of attributes of the selected request's resource with a policy's target to determine whether the policy is applicable to the resource. Specifically, to identify a policy that is applicable to the selected request's resource, the policy checking engine 115 compares one or more attributes of the selected request (e.g., the identifier of the request's associated resource) with one or more attributes specified in the target (e.g., path prefix and resource type) of each policy stored in the policy storage 105 to identify a policy with a matching attribute set (i.e., with an attribute set that matches the selected request's attribute set).”).

As per claim 3, the combination of Palavalli and Vaidya teach the method of claim 2, wherein the list of members of the group comprises a set of one or more network addresses for each member machine in the group (Vaidya, para. [0036] “Virtual routers 21 of servers 12 do contain per tenant state. They contain a separate forwarding table (a routing-instance) per virtual network. That forwarding table contains the IP prefixes (in the case of a layer 3 overlays) or the MAC addresses (in the case of layer 2 overlays) of the virtual machines or other virtual execution elements (e.g., pods of containers).”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya’s virtual execution elements into Palavalli’s policy constraint framework, with a motivation for orchestration and management of networking functions (Vaidya, para. [0144]). 
As per claim 4, the combination of Palavalli and Vaidya teach the method of claim 3, wherein the middlebox service nodes compare network address attributes of data message flows that the service (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter. In some embodiments, the type and path prefix attributes of the target 205 are used to determine whether a policy is applicable to (i.e., is associated with) an API request (i.e., whether the policy matches a set of attributes associated with the API request).” And Vaidya, para. [0075] “Orchestrator 23 obtains virtual execution element specification data corresponding to a virtual execution element, wherein the virtual execution element specification data specifies a group of virtual networks (e.g., the secondary group of virtual networks). Orchestrator 23 may process virtual execution element specification data to generate configuration objects corresponding to the corresponding namespace, wherein the configuration objects include respective virtual network configuration objects for the multiple virtual networks specified for the virtual execution element.”).
 
As per claim 5, the combination of Palavalli and Vaidya teach the method of claim 3, wherein the set of network addresses for a member machine comprises a layer 3 address of a virtual interface associated with the member machine (Vaidya, para. [0036] “Virtual routers 21 of servers 12 do contain per tenant state. They contain a separate forwarding table (a routing-instance) per virtual network. That forwarding table contains the IP prefixes (in the case of a layer 3 overlays) or the MAC addresses (in the case of layer 2 overlays) of the virtual machines or other virtual execution elements (e.g., pods of containers).”).
(Vaidya, para. [0144]). 
As per claim 6, the combination of Palavalli and Vaidya teach the method of claim 3, wherein the set of network addresses for a member machine comprises a layer 3 address of a virtual interface associated with the member machine and a layer 4 port address used to reach the member machine (Vaidya, para. [0041] “Each of servers 12 may host one or more virtual execution elements each having at least one virtual network endpoint for one or more virtual networks configured in the physical network…For example, a virtual network endpoint may be a virtual machine, a set of one or more containers (e.g., a pod), or another other virtual execution element(s), such as a layer 3 endpoint for a virtual network.” And para. [0094] “Each of virtual network interfaces 26 may represent a virtual ethernet ("veth") pair, where each end of the pair is a separate device (e.g., a Linux/Unix device), with one end of the pair assigned to pod 22A and one end of the pair assigned to virtual router 21A. The veth pair or an end of a veth pair are sometimes referred to as "ports". Each of virtual network interfaces 26 may alternatively represent a macvlan network with media access control (MAC) addresses assigned to the pod 22A and to the virtual router 21A for communications between containers of pod 22A and virtual router 21A. Each of virtual network interfaces 26 may alternatively represent a different type of interface between virtual router 21A or other network virtualization entity and virtual network endpoints. Virtual network interfaces 26 may alternatively be referred to as virtual machine interfaces (VMIs), pod interfaces, container network interfaces, tap interfaces, veth interfaces, or simply network interfaces (in specific contexts), for instance.”).
(Vaidya, para. [0144]). 
As per claim 7, the combination of Palavalli and Vaidya teach the method of claim 2, wherein the endpoint group identifier is used to define a source attribute of the match criteria set, the source attribute for comparing with the source network addresses of the data message flows processed by the middlebox service nodes (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter. In some embodiments, the type and path prefix attributes of the target 205 are used to determine whether a policy is applicable to (i.e., is associated with) an API request (i.e., whether the policy matches a set of attributes associated with the API request).”)

As per claim 8, the combination of Palavalli and Vaidya teach the method of claim 2, wherein the endpoint group identifier is used to define a destination attribute of the match criteria set, the destination attribute for comparing with the destination network addresses of the data message flows processed by the middlebox service nodes (Palavalli, para. [0037] “The policy 200 illustrated in FIG. 2 restricts access to destination machines in a destination group to http and https accesses. Specifically, this policy specifies a constraint to be applied at an edge gateway of a tenant T's domain, as indicated by its path prefix 216. This constraint specifies that when a message is addressed to a destination group VCENTER, the message (i.e., the access) should be allowed only when the message's protocol is http or https (i.e., when the access uses http or https protocols).”).

As per claim 9, the combination of Palavalli and Vaidya teach the method of claim 1, wherein the middlebox service nodes are firewall engines executing on host computers that execute the machines in the endpoint group (Palavalli, para. [0021] “examples of resources include service middlebox modules (e.g., service VMs or modules that perform middlebox service operations such as firewall operations, load balancing operations, network address translation operations, encryption operations, intrusion detection operations, intrusion prevention operations, etc.).” ).

As per claim 10, the combination of Palavalli and Vaidya teach the method of claim 1, wherein the middlebox service nodes are firewall engines executing on host computers that execute machines that are sources of the data message flows processed by the firewall engines (Palavalli, para. [0030] “communication maps in some embodiments include (1) distributed firewalls (firewall machines implemented on host computers with compute node VMs and/or containers), (2) edge firewall appliances or machines operating at north/south boundary of physical or logical networks, and (3) inserted service modules executing on host computers to provide other middlebox service operations for compute node VMs and/or containers executing on the host computers. In some embodiments, an example of a communication entry includes a tuple that includes the following information: identifier, name, description, source groups, destination groups, services, action, and scope.”).

As per claim 11, the combination of Palavalli and Vaidya teach the method of claim 1, wherein the middlebox service nodes are firewall engines used to process data message flows entering or exiting a first network from or to a second network (Palavalli, para. [0030] “communication maps in some embodiments include (1) distributed firewalls (firewall machines implemented on host computers with compute node VMs and/or containers), (2) edge firewall appliances or machines operating at north/south boundary of physical or logical networks, and (3) inserted service modules executing on host computers to provide other middlebox service operations for compute node VMs and/or containers executing on the host computers. In some embodiments, an example of a communication entry includes a tuple that includes the following information: identifier, name, description, source groups, destination groups, services, action, and scope.” And para. [0039] “FIG. 5 illustrates another example of a policy. This policy 500 specifies that any communication rule that is specified can only specify an Allow action at the edge gateways. This policy would prevent the administrators from defining rules that reject data messages at the edge gateways. This policy is used as a default firewall policy in a whitelisting (do not allow any communication unless opened with explicit firewall rule) approach that only allows administrators to specify firewall rules at the edge gateway that opens connections.”).
As per claim 12, the combination of Palavalli and Vaidya teach the method of claim 1 further comprising receiving a Custom Resource Definition (CRD) that defines a security policy as a resource in the datacenter set (Vaidya, para. [0069] “The above example specifies the four virtual networks using Kubernetes network (CustomResourceDefinition) Objects to conform the virtual network specifications to the Kubernetes Custom Resource Definition De-facto Standard, which specifies requirements and procedures for attaching Kubernetes pods to one or more virtual or physical networks, including requirements for plugins using the Container Network Interface (CNI) to attach pod networks.”); 
wherein the API request refers to the CRD in defining the set of firewall service policies and the service rules are firewall rules (Vaidya, para. [0070] “Orchestrator 23 may process namespace specification data 27 to generate configuration objects corresponding to the corresponding namespace, wherein the configuration objects include respective virtual network configuration objects for the multiple virtual networks specified for the namespace. In examples where orchestrator 23 implements respective cluster masters for one or more Kubernetes clusters, a namespace represents a virtual cluster within a Kubernetes cluster.” And Palavalli, para. [0025] “the policy input processor 120 is an API processor that handles input -policy API commands received through an API gateway of an SDDC management system to which the policy framework belongs, or through a user interface that the SDDC management system presents to administrators of the SDDC, the SDDC tenants, and/or SDDC networks. Through these API commands, the policy input processor 120 receives several policies and stores each of these policies in a storage that it uses to identify policies that match subsequently received requests.” And para. [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya’s virtual execution elements into Palavalli’s policy constraint framework, with a motivation for orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, (Vaidya, para. [0144]). 
As per claim 18, the combination of Palavalli and Vaidya teach the method of claim 1, wherein the endpoint group includes machines in at least two different sub-networks of a logical network that is defined in the datacenter set to connect a plurality of machines including the endpoint machine group (Palavalli, para.  [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses. As shown in FIG. 2, a policy includes (1) a target 205 that specifies a set of one or more datacenter resources to which the policy applies, and (2) an expression 210 that specifies a constraint on operations on the target resource set.” And para. [0037] “The policy 200 illustrated in FIG. 2 restricts access to destination machines in a destination group to http and https accesses. Specifically, this policy specifies a constraint to be applied at an edge gateway of a tenant T's domain, as indicated by its path prefix 216.” And para. [0041] “the request processor 125 initially parses (at 605) the received hierarchical API into a set of one or more requests for one or more SD resources in the SDDC. In some embodiments, the received API might not only include different requests for different resources, but also might include multiple requests for the one SD resource. The received API can in some embodiments just include multiple different requests for one SD resource. Each request specifies one operation to be performed on a resource in some embodiments, while in other embodiments a request can specify multiple operations to be performed on a resource.”).

s 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over Palavalli in view of Vaidya, as disclosed above, in further view of US Pub No. US 2017/0005986 A1 to Bansal, (hereinafter, “Bansal”), as disclosed in IDS submitted on 09/09/2020.

As per claim 13, the combination of Palavalli and Vaidya teach the method of claim 12, however fail to explicitly teach but Bansal teaches: wherein the API request comprises an appliedTo parameter that identifies a set of firewall enforcement nodes in a network to apply the firewall rules defined pursuant to the firewall service policies (Bansal, para. [0055] “In this schema, the AppliedTo object list under firewall rule allows a user to choose various enforcement points like distribute firewalls (e.g., formed by the host firewall engines), perimeter firewall devices, application level gateways, etc.” and para. [0063] “The AppliedTo tuple of each firewall rule allows a set of firewall enforcement points in the network to be defined for the rule. Examples of such enforcement points include host-level firewall engines and perimeter firewall devices. Like the source, destination and service data tuples, the AppliedTo tuple in some embodiments can be defined in terms of high or low level constructs, as the firewall management console's backend engine resolves the high level constructs to lower level constructs. In some embodiments, firewall rules for deep-packet inspecting firewall devices can be specified through the tab 416, as further described below.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal’s firewall rule management into Vaidya’s virtual execution elements and Palavalli’s policy constraint framework, with a motivation to provide robust controls for granularly defining the enforcement points at which the firewall rule sets are applied (Bansal, para. [0005]). 
As per claim 14, the combination of Palavalli, Vaidya and Bansal teach the method of claim 13, wherein the appliedTo parameter is defined through a set of selectors, at least one selector specifying a type of network element that is associated with a particular label (Bansal, para. [0064] “FIG. 5 illustrates a window 500 that the console 400 presents in some embodiments after the user selects (e.g., clicks on) the AppliedTo field of a firewall rule. This window has (1) one set of controls for searching for constructs in the datacenter and (2) another set of controls for selecting the searched constructs as enforcement points for the AppliedTo tuple (i.e., as enforcement points for the firewall rule). The first set of controls include drop-down control 505 for selecting a type of object in the datacenter, search window 515 for displaying the objects retrieved through the controls 505 and 510, and a filter field 510 for searching for one or more objects in the search window 515. The second set of controls includes a selection window 520 that lists objects added to the AppliedTo tuple, and selection and de -selection controls 525 and 530 that add objects to and remove objects from the selection window 520. Objects are added to this window 520 from the search window 515. The second set of controls also includes a filter field 535 for searching for one or more objects in the selection window 520.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal’s firewall rule management into Vaidya’s virtual execution elements and Palavalli’s policy constraint framework, with a motivation to provide robust controls for granularly defining the enforcement points at which the firewall rule sets are applied (Bansal, para. [0005]). 
As per claim 15, the combination of Palavalli, Vaidya and Bansal teach the method of claim 14, wherein the set of selectors including one or more of a virtual interface selector, a Pod selector, and a service selector (Bansal, para. [0068] “FIG. 6 illustrates the firewall management console after the deep packet firewall tab 416 has been selected. This figure shows two operational stages 602 and 604 of the console after the selection of the DP firewall tab 416. As shown by these stages, the rule section 420 displays the firewall rules that are associated with DP-inspection firewall appliances in the datacenter. Like the general and Ethernet based firewall rules, each DP-inspection firewall rule can be defined in terms of a rule number, rule name, source tuple, destination tuple, service tuple, action tuple, and AppliedTo tuple. Again, like the general and Ethernet based firewall rules, the source, destination, service, and AppliedTo tuples can be defined in terms of high- or low-level constructs in some embodiments.”)
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal’s firewall rule management into Vaidya’s virtual execution elements and Palavalli’s policy constraint framework, with a motivation to provide robust controls for granularly defining the enforcement points at which the firewall rule sets are applied (Bansal, para. [0005]). 
As per claim 16, the combination of Palavalli, Vaidya and Bansal teach the method of claim 13, wherein the set of firewall enforcement nodes comprise firewall enforcement nodes that are part of different sub-networks of a logical network that is defined in the datacenter set to connect a plurality of machines including the endpoint machine group (Vaidya, para. [0163] “for a two tier application with a frontend and a database backed, the frontend pod can be configured as a virtual network endpoint for virtual network A (corresponding to VRF 222A) and the database pod can be configured as a virtual network endpoint for virtual network B (corresponding to VRF 222B). A containerized firewall may be deployed as the container 229A instance of pod 202A. Virtual network interface 212A is an interface for virtual network A, and virtual network interface 212B is an interface for virtual network B. Packets received at virtual network interface 212A from the frontend pod may be processed by the containerized firewall and output via virtual network interface 212B over virtual network B to the backend database pod.” And Bansal, para. [0051] “Once the desired user configuration data is persisted in the persistence data storage, the publisher 330 builds smaller rule sets for the various enforcement points in the network. To build these smaller rule sets, the publisher 330 uses the AppliedTo parameters of the specified rules. After building the smaller rule sets, the publisher distributes the rule sets to their respective enforcement points. In case of a port-linked firewall engines, the publisher sends the rule sets to the firewall agents 350 that execute on the host computing devices over a message bus. For network perimeter firewall nodes, the publisher distributes the firewall rule sets to the control plane of respective perimeter nodes through firewall agents 345 on these nodes. For third party solution (e.g., firewall appliances or proxy based application gateways), the publisher distributes the firewall rule sets through other interfaces, such as a NetX controller 340.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal’s firewall rule management into Vaidya’s virtual execution elements and Palavalli’s policy constraint framework, with a motivation to provide robust controls for granularly defining the enforcement points at which the firewall rule sets are applied (Bansal, para. [0005]). 
As per claim 17, the combination of Palavalli and Vaidya teach the method of claim 12, however fail to explicitly teach but Bansal teaches: wherein the service policy set comprises at least one service policy used to define at least one firewall rule to control data message flow between two different sub- networks of a logical network that is defined in the datacenter set to connect a plurality of machines including the endpoint machine group (Bansal, para. [0045] “This rule specifies that it needs to be enforced at all perimeter firewall nodes 110 and all port-level firewall engine 142 that are associated with the VMs of the administrator's network. This rule indicates that packets that are sent from source port Y of source IP X to destination port B of destination IP A, should be dropped. After receiving this rule, the network controller set 120 converts this rule into several rules that it distributes to the firewall rule tables of the port-level firewall engines 142 and perimeter node firewalls 110. When only one logical network can send packets from source IP X to destination IP A, the controller set 120 only generates firewall rules for port-level firewall engines that enforce firewall rules for the particular logical network.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bansal’s firewall rule management into Vaidya’s virtual execution elements and Palavalli’s policy constraint framework, with a motivation to provide robust controls for granularly defining the enforcement points at which the firewall rule sets are applied (Bansal, para. [0005]). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20190042518 A1 – Platform interface layer and protocol.
US 20140129690 A1 – Custom resources in a resource stack.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437           

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437