DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The Information Disclosure Statement (IDS) submitted on 03/11/2020 and 11/10/2021 have been considered by the Examiner. The submission is in compliance with the provisions of 37 CFR 1.97. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wagner et al. (WO. 2016/126731 A1, hereinafter Wagner) in view of Hira et al. (US. Pub. No. 2018/0063086 A1, hereinafter Hira).
Regarding claim 1. 
           Wagner teaches a computer-implemented method for accessing user resources in a virtual private cloud (VPC) using a serverless function within a network architecture (the Examiner has interpreted the term “serverless function” based on ordinary and customary meaning: such meanings include “cloud computing”, “cloud function”, “cloud computing environment”, "program code” and/or “peer-to-peer network configuration” without applying a server or server to execute programs. Wagner teaches in Fig. 1 and ¶ [0015]-[0028] and ¶ [0054] how resources can be accessed within the user's virtual private cloud (VPC) or other network-based service in a secured manner. For instance, Wagner teaches in  Fig. 1, ¶ [0015]-[0028] typically purchased in the form of virtual computing resources, or virtual machine instances and virtual machine instances in the pool and can be designated to service user requests to execute program codes, the phrases "program code," "user code," and "cloud function" (i.e., serverless function) and further teaches in ¶ [0054] that certain users of the virtual compute system 110 may wish to execute certain program code on the virtual compute system 110 that still has the ability to communicate with the user's virtual private cloud. See also [0065] manage capabilities related to securely allowing containers to interact with one or more auxiliary services (e.g., via virtual private cloud ("VPC:") tunneling (i.e., accessing) or similar network communication)), the method comprising: instantiating a first warm application container for hosting the serverless function, the first warm application container including a runtime language library without function code of the serverless function (Wagner teaches in Fig. 1, ¶ [0018] and ¶ [0026] instantiating a warming pool 130A for hosting the cloud function, the warming pool of virtual machine instances have software components, e.g. libraries, loaded thereon, and wherein the user code is executed in containers, i.e. 
           in response to detecting a trigger event for triggering the serverless function: mounting the function code of the serverless function within the first warm application container (Wagner teaches in Fig. 1, ¶ [0031] in response to the user request a detecting event that has been registered to trigger automatic request generation For example, the user may have registered the user code (i.e., the claimed function code) with an auxiliary service 106 (i.e., user code or function code mounting) and specified that whenever a particular event occurs (e.g., a new file is uploaded), and further teaches in ¶ [0043]-[0044] that the worker manager 140 may have access to a list of instances in the warming pool 130A (e.g., including the number and type of instances), and further teaches that if there exists a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A (i.e., first warm application container)), the worker manager 140 may assign the container to the request and cause the user code to be executed in the container. See also [0045]-[0050] how user code (i.e., the function code) is executed in a container); and  Wagner further teaches during execution of the function code from the first warm application container, routing VPC-addressed network packets associated with the serverless function to the VPC via the second interface (Wagner teaches in Fig. 1 and ¶ [0063]-[0080] inter-instance interface unit 188 (i.e., the claimed “the second interface”) that may be executed by the processing unit 190, the user interface unit 182 (i.e., the claimed “the first interface”), and auxiliary service and inter-instance the PAT gateway; and instantiating a virtual machine for hosting a Port Address Translation (PAT) gateway, wherein the PAT gateway includes a first interface to the VPC and a second interface to the first warm application container.
            However, Hira teaches the VPC the first interface within the PAT gateway (Hira teaches in ¶ [0071] about the gateway controller (i.e., the claimed PAT gateway) within the VPC. For example, the gateway controller that enables this extension, these various components within the VPC must be initially configured and so that the network administrator interact via user interface); and 
         instantiating a virtual machine for hosting a Port Address Translation (PAT) gateway, wherein the PAT gateway includes a first interface to the VPC and a second interface to the first warm application container (Hira teaches in ¶ [0095] and ¶ [0191]-[0193] how the system instantiating a virtual machine for hosting the PAT. For example, in ¶ [0095] teaches that within the VPC (virtual private cloud), the figure illustrates a first host machine 140 that hosts a VM 145 with a gateway controller 150 (i.e., the claimed “PAT or Port Address Translation” since the gateway controller 150 carry out the address translation process) and a set of additional host machines 155 that host VMs 160 with workload applications 165 and further teaches in ¶ [0191]-[0193] how numerous VPCs of different tenants within a datacenter is generally re-used the network address translation (NAT) and the actual translation to a public IP address might need to be performed by the cloud provider's internet gateway and all of these secondary IP addresses are then associated with the gateway's northbound interface (i.e., second interface)).


Regarding claim 2. 
          Wagner in view Hira teaches inserting a route entry in a network routing table in the first warm application container, the route entry modifying media access control (MAC) destination addresses of the VPC-addressed network packets to a MAC address of the second interface (Hira further teaches in ¶ [0168] how the routing table provided within the VPC. For example, by separating the routing table that provided by the cloud provider and attached to the northbound interface of the gateway points to the cloud provider's internet gateway as the default gateway and further teaches in ¶ [0180] how to identifying the destination IP addresses of MAC to forward or insert the route entry of the packet to the corresponding logical network destination located outside of the VPC within the same datacenter and also teaches in ¶ [0191]-[0193] how numerous VPCs of different tenants within a datacenter is generally re-used the network address translation (NAT) and the actual translation to a public IP address might need to be performed by the cloud provider's internet gateway and all of these secondary IP addresses are then associated with the gateway's northbound interface (i.e., second interface)) and further Wagner also teaches in Fig. 1 and ¶ [0043]-[0044] about the warm application if there exists a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A (i.e., first warm application container)).

Regarding claim 3. 
              Hira further teaches wherein the route entry modifies the MAC destination addresses of the VPC-addressed network packets from a MAC address of the VPC or a MAC address of a virtual router coupled to the VPC to the MAC address of the second interface (Hira teaches in ¶ [0104]-[0105] how the gateway controller 150 calculates the configuration data within the VPC and the MFEs uses information so that they can properly forward packets to the workload application corresponding to the new logical port and a particular MFE 175 (managed forwarding element) uses this information to generate logical forwarding flow entries (i.e., specifying that packets addressed to the MAC address associated with the logical port are forwarded logically to that logical port, as well as egress mapping and physical forwarding (tunneling) flow entries (i.e., mapping the logical port to the physical destination and appending the encapsulation information to send packets to the other MFEs) for its MFE. Here: the claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen MAC destination addresses of the VPC-addressed network packets from a MAC address of the VPC).


Regarding claim 4. 
          Wagner in view of Hira teaches wherein the first warm application container is within a first sub-network, the VPC is within a second sub-network, and the method further comprises: routing the VPC-addressed network packets from the first warm application container in the first sub-network to the virtual machine via the second interface (Hira further teaches in ¶ [0019] the VPC subnets (i.e., first sub-network) are typically private IP addresses that may be re-used by numerous VPCs of different tenants (and re-used at various different datacenters), network address translation (NAT) is generally used to modify the source IP address of outgoing packets (and, correspondingly, the destination IP address of incoming packets) from the internally-used private IP address to a public IP address and further Wagner teaches in Fig. 1 and ¶ [0043]-[0044] about the warm application in a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A (i.e., first warm application container)).
             It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hira by including the method of using VPCs subnet in a private IP address ([0019]) into one of the warm application in a particular virtual machine instance 

Regarding claim 5. 
        Hira further teaches routing the VPC-addressed network packets from the virtual machine to the VPC in the second sub-network via the first interface to the VPC (Hira teaches in ¶ [0004] network controllers and managed forwarding elements inside virtual machines (VMs) and forwarding rules for packets sent to and from those DCNs. The public datacenter(s) provide tenants with one or more isolated sets of resources to the VPC based on the defined virtual network with network subnets and routing tables and further teaches in ¶ [0009] an uplink interface (i.e., the claimed “first interface”) that receives packets from and sends packets to the external networks (via a cloud provider internet gateway), a VTEP (i.e., virtual tunnel endpoint) interface with an address on the local VPC subnet).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hira by including the method of using VPCs subnet and routing table with virtual tunnel endpoint interface on the VPC subnet ([0004] and [0009]) into Wagner invention. One would have been motivated to do so in order to enhance routing efficiency, network management control, and improving network security in an efficient manner.

Regarding claim 6.  
             Wagner teaches receiving configuration information for configuring the serverless function (Wagner teaches in ¶ [0074] that the virtual compute system 110 receives program code (i.e., one of serverless function) and the configuration data for interfacing with an auxiliary service. For example, the user, such as the developer of the program code (i.e., serverless function), may provide associated 
           in response to determining, based on the configuration information, that the serverless function is to access the VPC (Wagner teaches in ¶ [0074] when the program code (i.e., serverless function) is executed by the virtual compute system the network address and login credential may be used to connect or "tunnel" (i.e., the claimed term “access”) to the auxiliary service. As an example, the user may wish to configure program code (i.e., serverless function) to tunnel (i.e., access) to an auxiliary service, such as a virtual private cloud (VPC)): 
        instantiating the virtual machine (Wagner teaches in [Abstract] and ¶ [0006] how the virtual machine instantiating can be performed by the system by receiving a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances and then the virtual machine instance type configurations are often contained within a device image, which includes static data containing the software (e.g., the OS and applications together with their configuration and data files, etc.) that the virtual machine will run once started. This process indicates that the instantiating of virtual machine);
         attaching within the virtual machine, the second interface to the first warm application container (Wagner teaches in Fig. 1, ¶ [0043]-[0044]  and ¶ [0063] about the warm application in a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A (i.e., first warm application container and further the inter-instance interface unit 188 (i.e., the second interface) provide and manage capabilities related to securely allowing containers to interact with one or more auxiliary services); and 
         attaching within the virtual machine, the first interface to the VPC (Wagner teaches in ¶ [0063] inter-instance interface unit 188 provide and manage capabilities related to securely allowing containers to interact the user interface unit 182 (i.e., the first interface) may include a program code security 
Regarding claim 7. 
        Wagner in view Hira teaches wherein the virtual machine is coupled to the VPC via a network switch, and wherein the method further comprises: inserting a route entry in a network routing table in the network switch, the route entry modifying media access control (MAC) destination address of the VPC-addressed network packets to a MAC address associated with the second interface (Hira further teaches in ¶ [0168] how the routing table provided within the VPC. For example, by separating the routing table provided by the cloud provider and attached to the northbound interface (i.e., the second interface) of the gateway points to the cloud provider's internet gateway as the default gateway and further teaches in ¶ [0180] about the destination IP addresses of MAC which the packet corresponds to a logical network destination located outside of the VPC and outside of a peered VPC in the same datacenter and further Wagner teaches in ¶ [0035] the warming pool manager 130 communicates with an auxiliary virtual machine instance service (e.g., the instance provisioning service 109 of FIG. 1) to create and add new instances to the warming pool 130A and the virtual compute system 1 10 may comprise one or more logical knobs or switches for controlling (e.g., increasing or decreasing) the available capacity in the warming pool 130A).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hira by including a method of modifying and providing a routing table in PVC and a method of identifying the destination MAC address to send the packet ([0168], [0180]) into the teachings of Wagner invention. One would have been motivated to do so since this method allows the network control system administrator to set encryption and/or integrity rules for packets. These rules define to which packets the rule will be applied and the encryption and/or integrity 
Regarding claim 8. 
            Wagner in view of Hira teaches receiving via the second interface of the PAT gateway (Hira teaches in ¶ [0009] the gateway DCN includes three network interfaces: an uplink interface that receives packets from and sends packets to the external networks (via a cloud provider internet gateway)), the VPC- addressed network packets associated with the serverless function running in the 3486009258US04 / 4368.290US1first warm application container and VPC-addressed network packets associated with a serverless function running in a second warm application container (Wagner further teaches in Fig. 1 and ¶ [0043]-[0044] about the warm application in a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A (i.e., first warm application container) and also teaches in ¶ [0018] that the program codes (i.e., serverless function) can be executed in isolated containers (i.e., a second warm application container) that are created on the virtual machine instances and Hira further teaches in ¶ [0095] the VPC, the figure illustrates a first host machine 140 that hosts a VM 145 with a gateway controller 150 (i.e., the claimed “PAT or Port Address Translation” since the gateway controller 150 carryout the address translation process) and a set of additional host machines 155 that host VMs 160 with workload applications 165 and further teaches in ¶ [0191]-[0193] how numerous VPCs of different tenants within a datacenter is generally re-used the network address translation (NAT) and the actual translation to a public IP address might need to be performed by the cloud provider's internet gateway).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hira by including a gateway controller which can carry out the address translation in numerous VPCs (virtual private cloud) ([0095], [0191]-[0193]) into the teachings of Wagner invention. One would have been motivated to do so since this method enables 

Regarding claim 9. 
            Wagner in view of Hira teaches modifying a source Internet Protocol (IP) address of the VPC-addressed network packets originating from the first warm application container to a source IP address of the PAT gateway associated with a first port (Wagner teaches in Fig. 1 and ¶ [0043]-[0044] about the warm application in a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A (i.e., first warm application container and Hira further teaches in ¶ [0078] network address translation (NAT) is generally used to modify the source IP address of outgoing packets (correspondingly, destination IP address of incoming packets) from the internally-used private IP address to a public IP address and further teaches in ¶ [0215] that the NAT used for sending the packet to the logical port (i.e., the claimed  “a first port”), and thus translates the source IP address from A to N according to its NAT configuration); 
       modifying a source IP address of the VPC-addressed network packets originating from the second warm application container to a source IP address of the PAT gateway associated with a second port (Hira teaches in ¶ [0078] network address translation (NAT) is generally used to modify the source IP address of outgoing packets (correspondingly, destination IP address of incoming packets) from the internally-used private IP address to a public IP address and further teaches in ¶ [0206] that the NAT used for processing to translate the secondary IP address B1 into the new destination address A and, the gateway data-path 2140 performs logical network processing to identify that the destination address A maps to a logical switch port (i.e., the claimed “a secondary port”) located at the MFE 2120, and thus encapsulates the translated packet using its own southbound interface as the source IP and 
             forwarding the VPC-addressed network packets originating from the first and second warm application containers to the VPC via the first interface of the PAT gateway (while Wagner teaches in Fig. 1 and ¶ [0043]-[0044] and ¶ [0018] about the first and the second warm applications in a particular virtual machine instance Hira further teaches in ¶ [0104] the gateway controller 150 (i.e., the claimed “PAT or Port Address Translation” since the gateway controller 150 carryout the address translation process) and calculates the span of this configuration data as the MFEs within the VPC to which all of the additional logical ports on the same logical switch connect. These MFEs need the information so that they can properly forward packets to the workload application corresponding to the new logical port and further teaches in [0206] that the public cloud uses cloud forwarding element 2140 removes the underlay encapsulation and sends this packet 2210 to the uplink interface (i.e., via first interface) of the gateway).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hira by including different ports in gateway controller 150 (i.e., PAT) ([0215] and [0206]]) into the teachings of Wagner invention. One would have been motivated to do so since this method provides deeper insight into network traffic by allowing you to analyze actual traffic content, including payload, and is targeted for use-cases when user needs to analyze the actual packets to determine the root cause a performance issue, reverse-engineer a sophisticated network attack, or detect and stop insider abuse or compromised workloads.
Regarding claims 10 and 19.
Claims 10 and 19 incorporate substantively all the limitation of claim 1 in a system and a non-transitory computer readable storage form and are rejected under the same rationale. Furthermore, regarding the 
Regarding claim 11.
Claim 11 incorporates substantively all the limitation of claim 2 in a system form and is rejected under the same rationale.
Regarding claim 12.
Claim 12 incorporates substantively all the limitation of claim 3 in a system form and is rejected under the same rationale.
Regarding claim 13.
Claim 13 incorporates substantively all the limitation of claim 4 in a system form and is rejected under the same rationale.
Regarding claim 14.
Claim 14 incorporates substantively all the limitation of claim 5 in a system form and is rejected under the same rationale. 
Regarding claim 15.
Claim 15 incorporates substantively all the limitation of claim 6 in a system form and is rejected under the same rationale. 
Regarding claim 16.
Claim 16 incorporates substantively all the limitation of claim 7 in a system form and is rejected under the same rationale. 
Regarding claim 17.
Claim 17 incorporates substantively all the limitation of claim 8 in a system form and is rejected under the same rationale.
Regarding claim 18.

                Regarding claim 20.
Claim 20 incorporates substantively all the limitations of claims 8 and 9 in a system form and is rejected under the same rationale.
Conclusion
  Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERHANU SHITAYEWOLDETSADIK whose telephone number is (571)270-7142. The examiner can normally be reached M-F.
 Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
 If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on 5712723865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.