DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Amendment
This office action is in reply to Applicant’s Response dated 07/29/2021. Claims 21-22, 28 and 34-35 are amended. Claims 1-20 are canceled. Claims 21-40 remain pending in the application.
	
Response to Arguments
In response to the Applicant’s argument (see page 9) with respect to the rejections under 35 U.S.C. 112(b), the rejection of claims 28-34 under 35 U.S.C. 112(b) has been withdrawn in view of the amendments made to the claims.

In response to the Applicant’s argument (see page 11), with respect to the rejection of claims 21, 18 and 35 under 35 U.S.C. 102(a)(1), the rejection of claims 21, 18 and 35 under 35 U.S.C. 102(a)(1) has been withdrawn in view of the amendments made to the claims. However, upon further consideration, a new ground of rejection under 35 U.S.C. 103 as being unpatentable over Xue et al. (U.S. PGPub 2011/0013637) in view of Backman et al. (U.S. PGPub 2005/0129001) is made in view of the amendments made to the claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 21-22, 24-26, 28-29, 31-36 and 38-40 are rejected under 35 U.S.C. 103 as being unpatentable over Xue et al. (U.S. PGPub 2011/0013637) in view of Backman et al. (U.S. PGPub 2005/0129001).

Regarding claims 21, 28 and 35, Xue teaches A method, comprising: performing, at one or more computing devices comprising one or more processors and memory: determining that secure network connectivity is to be established between a first premise outside a provider network and a second premise outside the provider network; (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon 
However, Xue does not explicitly teach establishing (a) a first secure network channel comprising a first plurality of tunnels between the first premise and a first packet processing engine configured within the provider network, and
(b) a second secure network channel comprising a second plurality of tunnels between the second premise and a second packet processing engine configured within the provider network; and
causing a network packet generated at the first premise to be routed to the second premise via respective tunnels of the first and second plurality of tunnels of the first and second packet processing engines.
Backman teaches establishing (a) a first secure network channel comprising a first plurality of tunnels between the first premise and a first packet processing engine configured within the provider network, and (Backman, see figs. 4 and 9; see paragraphs 0047-0048 where traffic between two mobile stations MS#1 and MS#2, 
(b) a second secure network channel comprising a second plurality of tunnels between the second premise and a second packet processing engine configured within the provider network; and (Backman, see figs. 4 and 9; see paragraphs 0047-0048 where traffic between two mobile stations MS#1 and MS#2, belonging to the same corporate network (corporate network is outside of "Operator 2" (provider network)) as the router holding VRF#23...VRF#37 and VRF#42 are used in the GGSN ( operator or provider network) and VRF#23 is used in the router...The SGSN delivers the packet to the receiving mobile station. It should be noted that, a third mobile station not belonging to the corporate network would not use the tunnel shown in FIG. 3. Another parallel set of tunnels and forwarding tables would be set up; see paragraph 0033 where possible to let traffic in one direction belong to one VRF and traffic in the other direction belong to another VRF; see paragraphs 0010-0011 where IP Packets may be communicated between the respective IP interfaces over the respective VPN's…)

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Xue and Backman to provide the technique of establishing a first secure network channel comprising a first plurality of tunnels between the first premise and a first packet processing engine configured within the provider network and a second secure network channel comprising a second plurality of tunnels between the second premise and a second packet processing engine configured within the provider network and causing a network packet generated at the first premise to be routed to the second premise via respective tunnels of the first and second plurality of tunnels of the first and second packet processing engines of 

Regarding claim 22, Xue-Backman teaches wherein the first plurality of tunnels comprises at least one VPN (virtual private network) tunnel. (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon and authentication request (first secure channel) to an SSL VPN gateway (first packet processing engine)...the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway...; see paragraph 0111 where opposite PE router (second packet processing engine) forwards (second secure channel) the packet to the VPN resource server (second premise outside the provider network) and returns a response packet of the VPN resource server to the MPLS network...; see figs. 2 and 3: user1 and VPN resource servers are outside of the provider network (MPLS network); SSLVPN gateway and PE are within the provider network)

Regarding claims 24, 31 and 38, Xue-Backman teaches further comprising performing, at the one or more computing devices: establishing an isolated virtual network of the provider network to be used at least in part as a virtual private gateway; and (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon and authentication request (first secure channel) to an SSL VPN gateway (first packet processing engine)...the SSL VPN gateway receives the logon and 
configuring at least the first packet processing engine within the isolated virtual network. (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon and authentication request (first secure channel) to an SSL VPN gateway (first packet processing engine)...the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway...; see paragraph 0111 where opposite PE router (second packet processing engine) forwards (second secure channel) the packet to the VPN resource server (second premise outside the provider network) and returns a response packet of the VPN resource server to the MPLS network...; see figs. 2 and 3: user1 and VPN resource servers are outside of the provider network (MPLS network); SSLVPN gateway and PE are within the provider network)

Regarding claims 25, 32 and 39, Xue-Backman teaches wherein the first packet processing engine is implemented at least in part at a compute instance configured at 

Regarding claims 26, 33 and 40, Xue-Backman teaches wherein the first packet processing engine comprises one or more of: (a) a BGP (Border Gateway Protocol) processing module, (b) an IPSec (Internet Protocol Security) processing module, (c) an IKE (Internet Key Exchange) processing module, (d) an SSL/TLS (Secure Sockets Layer/Transport Layer Security) processing module, (e) a GRE (Generic Routing Encapsulation) processing module or (f) a processing module for a custom routing protocol of a routing service of the provider network. (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon and authentication request (first secure channel) to an SSL VPN gateway (first packet processing engine)...the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the 

Regarding claims 29 and 36, Xue-Backman teaches wherein the first secure network tunnel comprises at least one VPN (virtual private network) tunnel. (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon and authentication request (first secure channel) to an SSL VPN gateway (first packet processing engine)...the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway...; see paragraph 0111 where opposite PE router (second packet processing engine) forwards (second secure channel) the packet to the VPN resource server (second premise outside the provider network) and returns a response packet of the VPN resource server to the MPLS network...; see figs. 2 and 3: user1 and VPN resource servers are outside of the provider network (MPLS network); SSLVPN gateway and PE are within the provider network)

Regarding claims 34, Xue-Backman teaches wherein the one or more computing devices include further instructions that upon execution on or across the one or more 
in response to a programmatic request from the client for connectivity between the first premise and the isolated virtual network, cause one or more packets originating at the first premise to be transmitted to the one or more compute instances via one or more packet processing engines, including the first packet processing engine. (Xue, see fig. 4; see paragraphs 0091-0094 where a user1 (first premise) sends a logon and authentication request (first secure channel) to an SSL VPN gateway (first packet processing engine)...the SSL VPN gateway receives the logon and authentication request from the user1, performs logon and authentication processing for the user1; after the user1 passes the authentication, the SSL VPN gateway...; see paragraph 0111 where opposite PE router (second packet processing engine) forwards (second secure 


Claims 23, 30 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Xue-Backman in view of Ueda et al. (U.S. PGPub 2006/0250951).

Regarding claims 23, 30 and 37, Xue-Backman teaches all the features of claims 21, 28 and 35. However, Xue-Backman does not explicitly teach further comprising performing, at the one or more computing devices: configuring the first packet processing engine as a primary packet processing engine of a group of packet processing engines assigned to process packets of the first premise, wherein the group comprises a third packet processing engine configured as a secondary packet processing engine of the group;
subsequent to a detection of a failure associated with the primary packet processing engine, causing one or more packets originating at the first premise to be routed to the second premise via the third packet processing engine.
Ueda teaches  further comprising performing, at the one or more computing devices: configuring the first packet processing engine as a primary packet processing engine of a group of packet processing engines assigned to process packets of the first premise, wherein the group comprises a third packet processing engine configured as a secondary packet processing engine of the group; (Ueda, see figs. 1, 3-4 and 13; see 
subsequent to a detection of a failure associated with the primary packet processing engine, causing one or more packets originating at the first premise to be routed to the second premise via the third packet processing engine. (Ueda, see figs. 1, 3-4 and 13; see paragraph 0085 where connected to the network NW#F via another router device 20 (F) adjacent to the router device 20 (D)…; see paragraph 0086 where the failure X is notified to the router device 20 (D), the path change request is sent from the router device 20 (D) to the path change processing section 200 of the adjacent router device 20 (F) by the conventional function (step SIV)...)
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Xue-Backman and Ueda to provide the technique of performing, at the one or more computing devices: configuring the first packet processing engine as a primary packet processing engine of a group of packet processing engines assigned to process packets of the first premise, wherein the group comprises a third packet processing engine configured as a secondary packet processing engine of the group and subsequent to a detection of a failure associated with the primary packet processing engine, causing one or more packets originating at the first premise to be routed to the second premise via the third packet processing .

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Xue-Backman in view of Dropps et al. (U.S. Patent 9,172,602).

Regarding claim 27, Xue-Backman teaches all the features of claim 21. However, Xue-Backman does not explicitly teach wherein the first packet processing engine is implemented at least in part using a first resource with a first performance capability rating, the method further comprising, performing at the one or more computing devices:
configuring, in response to a determination that a particular metric associated with the first packet processing engine satisfies a criterion, a replacement packet processing engine for the first packet processing engine, wherein the replacement packet processing engine is implemented at least in part using a different resource with a different performance capability rating.
Dropps teaches wherein the first packet processing engine is implemented at least in part using a first resource with a first performance capability rating, the method further comprising, performing at the one or more computing devices: (Dropps, see fig. 8; see col. 10, lines 25-39 where module obtaining capabilities of the link partner network device 300, 302 and then matching the capabilities of the switch 120 and the network device 300, 302. Once the processor 224 or other module matches the capabilities of the link partners, the processor 224 or other module then selects the highest priority of matching capabilities. Both the switch port and the link partners are 
configuring, in response to a determination that a particular metric associated with the first packet processing engine satisfies a criterion, a replacement packet processing engine for the first packet processing engine, wherein the replacement packet processing engine is implemented at least in part using a different resource with a different performance capability rating. (Dropps, see fig. 8; see col. 10, lines 25-39 where module obtaining capabilities of the link partner network device 300, 302 and then matching the capabilities of the switch 120 and the network device 300, 302. Once the processor 224 or other module matches the capabilities of the link partners, the processor 224 or other module then selects the highest priority of matching capabilities. Both the switch port and the link partners are performing the same process of selecting the highest priority of matching capabilities. Both ends of each link arrive at the same port configurations as they are both using the same or similar algorithm as defined by IEEE Clause 73 Auto-Negotiation...)
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Xue-Backman and Dropps to provide the technique of the first packet processing engine is implemented at least in part using a first resource with a first performance capability rating and configuring, in response to a determination that a particular metric associated with the first packet processing engine satisfies a criterion, a replacement packet processing engine for the first packet processing engine, wherein the replacement packet processing engine is implemented at least in part using .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG VANG whose telephone number is (571)270-7023. The examiner can normally be reached Monday - Friday 8:30 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NICHOLAS TAYLOR can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG VANG/Primary Examiner, Art Unit 2457