Notice of Pre-AIA  or AIA  Status
The present application, filed on or after February 07, 2020, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/19/2022 has been entered.
Claims 21-40 are pending and are being considered.
Claims 21, 29 and 36 have been amended.

Response to 103 
Applicants argument filled on 12/21/2021 have been fully considered and are partially persuasive. The applicant on page 9 of remarks argues that the cited references fails to teach the limitation 

A.	establish, using the exchanged routing information, one or more virtual private network (VPN) tunnels between the customer's external network and the one or more instances assigned to the virtual private gateway via the dedicated physical network link; 
B.	establish an additional BGP session via the one or more VPN tunnels to exchange routing information of one or more instances included in the customer's virtual network with the customer's external network;
teaches private communication channel 542 (i.e. VPN) between gateway 556 of client network 550 (i.e. external network) and virtual private network 560 of provider network 500 containing resource instances 518 and 524 (i.e. resource instance of virtual private gateway 562). Further teaches to establish a virtualized private network 560 for a client on provider network 500, one or more resource instances (e.g., VMs 524A and 524B and storage 518A and 518B) may be allocated to the virtualized private network 560.  See on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550. 
The rest of Applicant’s argument regarding second limitation (B) are moot in view of new grounds of rejection. The arguments do not apply to the current art being used.


                                               Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of 

Claims 21- 25, 30-33, 36 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over SURYANARAYANAN et al (hereinafter SURYANARAYANAN) (US 20150339136) in view of Dondeti et al (hereinafter Dondeti) (US 75900074).

Regarding claim 21 SURYANARAYANAN teaches a system comprising (SURYANARAYANAN on [0016] teaches systems and methods for providing low latency connections);
a plurality of computing devices configured to implement instances within a provider network (SURYANARAYANAN Fig 1 block 100 and associated text on [0025] teaches a provider network 100 having resource instances 112 implemented on devices. See also on [0027] the provider network may include network devices. See also Fig 3 block 310 and text on [0041-0042] shows provider network 305 having plurality of computing devices 310 for implementing resource instances 314 and 322);
and one or more computing devices of the provider network configured to implement a connectivity manager configured to cause a virtual private gateway to be established for a virtual network of a customer of the provider network (SURYANARAYANAN on [0080-0081 and 0094-0096] teaches virtual computing resources instances that are configured as virtual desktop instances may be hosted on computing nodes in multiple data centers, gateway components of the workspace service (i.e. connectivity manager) (which may also be implemented by virtual computing resources) may be hosted on computing nodes. The service (i.e. connectivity manager) may automatically assign a gateway component (i.e. establishing virtual private gateway in view of Fig 5 block 562 of the reference application) for a particular client (i.e. client associated with client network. See Fig 5). When the client attempts to sign in to the workspace service, the service may provide an access gateway address that is hosted and may perform the mapping to that gateway component from the virtual desktop instance (i.e. assigning resource instance), the gateway components participate within a multi-tenant VPC that is managed by the workspace service. See also on [0020] teaches the gateway component may be selected automatically by a management component of the service (e.g., one operating within the VPC of the service), while in other embodiments a client portion of the service may select the gateway component. Once the connection between the virtual computing resource instance and the gateway component has been established by the service (and a connection is established between the client device and the gateway component), the service may begin a virtual desktop session on the virtual desktop session and initiate the communication of the interactive video stream for the session. See FIG. 5 block 560, 562 and text on [0067-0069] teaches virtual private gateway established for virtual private network 560 of provider network 500);
wherein to establish the virtual private gateway, the connectivity manager is configured to assign one or more of the instances to the virtual private gateway (SURYANARAYANAN on [0067-0069] teaches the private network may be subdivided into a subnet that includes resources (VMs 524A and storage 518A, in this example) reachable through private gateway 562 (i.e. resource instance assigned to private gateway), and a subnet that includes resources (VMs 524B and storage 518B, in this example) reachable through public gateway 564. To establish a virtualized private network 560 for a client on provider network 500, one or more resource instances (e.g., VMs 524A and 524B and storage 518A and 518B) may be allocated to the virtualized private network 560. See on [0080-0081 and 0094-0096] teaches virtual computing resources instances that are configured as virtual desktop instances may be hosted on computing nodes in multiple data centers, gateway components of the workspace service (i.e. connectivity manager) (which may also be implemented by virtual computing resources) may be hosted on computing nodes. The service (i.e. connectivity manager) may automatically assign a gateway component (i.e. establishing virtual private gateway in view of Fig 5 block 562 of the reference application) for a particular client (i.e. client associated with client network. See Fig 5). When the client attempts to sign in to the workspace service, the service may provide an access gateway address that is hosted and may perform the mapping to that gateway component from the virtual desktop instance (i.e. assigning resource instance), the gateway components participate within a multi-tenant VPC that is managed by the workspace service. See also on [0020] teaches the gateway component may be selected automatically by a management component of the service (e.g., one operating within the VPC of the service), while in other embodiments a client portion of the service may select the gateway component. Once the connection between the virtual computing resource instance and the gateway component has been established by the service (and a connection is established between the client device and the gateway component), the service may begin a virtual desktop session on the virtual desktop session and initiate the communication of the interactive video stream for the session);
wherein the one or more instances assigned to the virtual private gateway are configured to: establish a border gateway protocol (BGP) session to exchange routing information for the one or more instances assigned to the virtual private gateway with a network of the customer external to the provider network (SURYANARAYANAN Fig 1 and text on [0025-0028] teaches clients of network 150A (i.e. network external to provider network 100) obtain IP addresses (i.e. routing information in view of para [0030] of instant application) of resource instance. See on [0030] teaches some public IP addresses may be allocated to or obtained by clients of the provider network 100, a client may then assign their allocated public IP addresses to particular resource instances allocated to the client. See also Fig 4 block 424 (i.e. resource instance) block 400 (i.e. provider network) block 450 (i.e. external network) and text on [0056-0058] teaches an interior gateway protocol (IGP) may be used to exchange routing information within such a local network (i.e. network external to the provider network). The external gateway protocol (EGP) or border gateway protocol (BGP) is typically used for Internet routing between sources (i.e. sources refer to VM which is equivalent to resource instance) and destinations (i.e. computing system of local network which is equivalent to customer of client external to provider network) on the Internet);
wherein the BGP session is established via a dedicated physical network link established between the provider network and the external network of the customer (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550);
 establish [[using the exchanged routing information]] one or more virtual private network (VPN) tunnels between the customer's external network and the one or more instances assigned to the virtual private gateway via the dedicated physical network link (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550);
and  2enable [[encrypted]] communications to flow between the one or more instances included in the customer's virtual network and the customer's external network via the one or more VPN tunnels implemented via the dedicated physical network link (SURYANARAYANAN on [0069-0071] teaches one or more of the VMs 524 may be configured to access client network 550 over a private communications channel 542 through private gateway 562 (e.g., via a network interface that is configured for communication between the VM 524 and a client device 552) and handle routing of the packet to the respective endpoint, either via private communications channel 542, alternate communications channel 546, or intermediate network 540).
	Although SURYANARAYANAN teaches enabling communication between resource instance and customers external network and establishing VPN between customer external network and resource instance (Fig 5 para [0067]), but fails to explicitly teach enable encrypted communication between resource instance and customer external network, and  establish, using the exchanged routing information, one or more virtual private network (VPN) tunnels, however Dondeti from analogous art teaches establish, using the exchanged routing information, one or more virtual private network (VPN) tunnels [[between the customer's external network and the one or more instances assigned to the virtual private gateway via the dedicated physical network link]] (Dondeti on [Col 3 line 63-67] teaches once the routing information is passed to the VPN site, the new route information may be used by the VPN site to communicate directly with the other VPN site. See on [Col 10 line 10-15] teaches routing information to enable the VPN site to communicate with another VPN site on the VPN network (i.e. establishing VPN using the routing information));
establish an additional BGP session over the one or more VPN tunnels to exchange routing information of one or more instances included in the customer's virtual network with the customer's external (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12');
encrypted communication between resource instance and customer external network (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12').
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Dondeti into the teaching of SURYANARAYANAN by enabling encrypted communication and establishing BGP over VPN based on routing information. One would be motivated to do so in order to secure communication between VPN and network element (Dondeti on [Col 1 line 48-53]).

Regarding claim 22 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 21 above, SURYANARAYANAN further teaches wherein two instances are assigned to the virtual private gateway (SURYANARAYANAN Fig 5 block 560, 524A 518A and text on [0069] teaches the private network may be subdivided into a subnet that includes resources (VMs 524A and storage 518A, in this example) reachable through private gateway 562);
 (SURYANARAYANAN on [0036] teaches  client computing devices may access the virtual desktop instances during one or more remote computing sessions. see on [0084] teaches virtual desktop (workspace) instance 632 and one or more other computing and/or network storage resource instances 638 may operate (participate) within a virtual private cloud 630 on the physical resources of virtual computing services provider 610 on behalf of a client and may communicate with each other over a virtual private network (VPN). see on [0100] teaches a management component of the workspace service establishing a tunnel or pipe from the virtual desktop instance to the gateway component at the POP location over a virtual private network. See on [0063] teaches each application (and/or each virtual private network) (i.e. indicating more than one VPN) may have its own namespace);
Dondeti teaches enabling encrypted communication (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12').
establishing two VPN tunnel (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches two BGP session over two VPN tunnel).

 into the teaching of SURYANARAYANAN by enabling encrypted communication and establishing BGP over VPN based on routing information. One would be motivated to do so in order to secure communication between VPN and network element (Dondeti on [Col 1 line 48-53]).

Regarding claim 23 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 21 above, SURYANARAYANAN further teaches wherein the provider network is a cloud service provider network configured to provide cloud-based computing or cloud-based storage services (SURYANARAYANAN on [0073] teaches provider network implemented as cloud computing environment).
Regarding claim 24 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 23 above, SURYANARAYANAN further teaches wherein the cloud service provider network further comprises one or more computing devices configured to implement a virtualized computing-service, wherein the one or more instances included in the customer's virtual network are provided by the virtualized computing service (SURYANARAYANAN on [0018-0020, 0083-0084 and 0088] teaches gateway components and a management component of the virtual desktop service may interoperate with each other within a virtual private cloud of the virtual desktop service, and may communicate with each other over a virtual private network. Virtual desktop (workspace) instance 632 and one or more other computing and/or network storage resource instances 638 may operate (participate) within a virtual private cloud 630 on the physical resources of virtual computing services provider 610 on behalf of a client and may communicate with each other over a virtual private network (VPN).
25 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 21 above, SURYANARAYANAN further teaches wherein the customer's external network is located at the customer's premises (SURYANARAYANAN on [0016] client device hosted on client network is setting at end users office).
Regarding claim 29 SURYANARAYANAN teaches A method, comprising (SURYANARAYANAN on [0016] teaches systems and methods for providing low latency connections);
establishing a virtual private gateway for a customer's virtual network implemented within a provider network, wherein establishing the virtual private gateway comprises: assigning one or more instances within the provider network to the virtual private gateway (SURYANARAYANAN on [0080-0081 and 0094-0096] teaches virtual computing resources instances that are configured as virtual desktop instances may be hosted on computing nodes in multiple data centers, gateway components of the workspace service (i.e. connectivity manager) (which may also be implemented by virtual computing resources) may be hosted on computing nodes. The service (i.e. connectivity manager) may automatically assign a gateway component (i.e. establishing virtual private gateway in view of Fig 5 block 562 of the reference application) for a particular client (i.e. client associated with client network. See Fig 5). When the client attempts to sign in to the workspace service, the service may provide an access gateway address that is hosted and may perform the mapping to that gateway component from the virtual desktop instance (i.e. assigning resource instance), the gateway components participate within a multi-tenant VPC that is managed by the workspace service. See also on [0020] teaches the gateway component may be selected automatically by a management component of the service (e.g., one operating within the VPC of the service), while in other embodiments a client portion of the service may select the gateway component. Once the connection between the virtual computing resource instance and the gateway component has been established by the service (and a connection is established between the client device and the gateway component), the service may begin a virtual desktop session on the virtual desktop session and initiate the communication of the interactive video stream for the session. See FIG. 5 block 560, 562 and text on [0067-0069] teaches virtual private gateway established for virtual private network 560 of provider network 500);
establishing a broader gateway protocol (BGP) session to exchange routing information for the one or more instances assigned to the virtual private gateway with a network external to the provider network (SURYANARAYANAN Fig 1 and text on [0025-0028] teaches clients of network 150A (i.e. network external to provider network 100) obtain IP addresses (i.e. routing information in view of para [0030] of instant application) of resource instance. See on [0030] teaches some public IP addresses may be allocated to or obtained by clients of the provider network 100, a client may then assign their allocated public IP addresses to particular resource instances allocated to the client. See also Fig 4 block 424 (i.e. resource instance) block 400 (i.e. provider network) block 450 (i.e. external network) and text on [0056-0058] teaches an interior gateway protocol (IGP) may be used to exchange routing information within such a local network (i.e. network external to the provider network). The external gateway protocol (EGP) or border gateway protocol (BGP) is typically used for Internet routing between sources (i.e. sources refer to VM which is equivalent to resource instance) and destinations (i.e. computing system of local network which is equivalent to customer of client external to provider network) on the Internet);
wherein the BGP session is established via a dedicated physical network link established between the provider network and the external network (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550);
establishing [[using the exchanged routing information]] one or more virtual private network (VPN) tunnels between the external network and the one or more instances assigned to the virtual private gateway via the dedicated physical network link (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550);
and enabling [[encrypted]] communications to flow between the one or more instances included in the customer's virtual network and the external network via the one or more VPN tunnels implemented via the dedicated physical network link (SURYANARAYANAN on [0069-0071] teaches one or more of the VMs 524 may be configured to access client network 550 over a private communications channel 542 through private gateway 562 (e.g., via a network interface that is configured for communication between the VM 524 and a client device 552) and handle routing of the packet to the respective endpoint, either via private communications channel 542, alternate communications channel 546, or intermediate network 540).
	Although SURYANARAYANAN teaches enabling communication between resource instance and customers external network and establishing VPN between customer external network and resource instance (Fig 5 para [0067]), but fails to explicitly teach enable encrypted communication between resource instance and customer external network, and  establish, using the exchanged routing information, one or more virtual private network (VPN) tunnels, however Dondeti from analogous art teaches establish, using the exchanged routing information, one or more virtual private network (VPN) tunnels [[between the customer's external network and the one or more instances assigned to the virtual private gateway via the dedicated physical network link]] (Dondeti on [Col 3 line 63-67] teaches once the routing information is passed to the VPN site, the new route information may be used by the VPN site to communicate directly with the other VPN site. See on [Col 10 line 10-15] teaches routing information to enable the VPN site to communicate with another VPN site on the VPN network (i.e. establishing VPN using the routing information));
establish an additional BGP session over the one or more VPN tunnels to exchange routing information of one or more instances included in the customer's virtual network with the customer's external network (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12');
encrypted communication between resource instance and customer external network (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12'.)
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Dondeti into the teaching of SURYANARAYANAN by enabling encrypted communication and establishing BGP over VPN based on routing information. One would be motivated to do so in order to secure communication between VPN and network element (Dondeti on [Col 1 line 48-53]).
Regarding claim 30 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 29 above, SURYANARAYANAN further teaches wherein the customer's virtual network is associated with a particular subnet established for the customer's virtual network (SURYANARAYANAN Fig 5 and text on [0069] teaches virtualized private network 560 may be, but is not necessarily, subdivided into two or more subnets (not shown). For example, in implementations that include both a private gateway 562 and a public gateway 564, the private network may be subdivided into a subnet that includes resources (VMs 524A and storage 518A, in this example) reachable through private gateway 562, and a subnet that includes resources (VMs 524B and storage 518B, in this example) reachable through public gateway 564).
Regarding claim 31 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 30 above, SURYANARAYANAN further teaches wherein the one or more instances assigned to the virtual private gateway have addresses outside of the subnet of the customer's virtual network (SURYANARAYANAN Fig 5 and text on [0069-0070] teaches virtualized private network 560 may be, but is not necessarily, subdivided into two or more subnets (not shown). For example, in implementations that include both a private gateway 562 and a public gateway 564, the private network may be subdivided into a subnet that includes resources (VMs 524A and storage 518A, in this example) reachable through private gateway 562, and a subnet that includes resources (VMs 524B and storage 518B, in this example) reachable through public gateway 564. The client may assign particular client public IP addresses to particular resource instances in virtualized private network 560. A network entity 544 on intermediate network 540 may then send traffic to a public IP address published by the client; the traffic is routed, by the provider network 500, to the associated resource instance).
Regarding claim 32 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 31 above, SURYANARAYANAN further teaches wherein said assigning one or more instances to the virtual private gateway comprises assigning two different instances to the virtual private gateway with addresses outside of the subnet of the customer's virtual network (SURYANARAYANAN Fig 5 and text on [0069-0070] teaches virtualized private network 560 may be, but is not necessarily, subdivided into two or more subnets (not shown). For example, in implementations that include both a private gateway 562 and a public gateway 564, the private network may be subdivided into a subnet that includes resources (VMs 524A and storage 518A, in this example) (i.e. two different instances) reachable through private gateway 562, and a subnet that includes resources (VMs 524B and storage 518B, in this example) reachable through public gateway 564. The client may assign particular client public IP addresses to particular resource instances in virtualized private network 560. A network entity 544 on intermediate network 540 may then send traffic to a public IP address published by the client; the traffic is routed, by the provider network 500, to the associated resource instance).
Regarding claim 33 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 32 above, SURYANARAYANAN further teaches wherein said establishing one or more (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550).
Dondeti teaches establishing two VPN tunnel (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches two BGP session over two VPN tunnel).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Dondeti into the teaching of SURYANARAYANAN by enabling encrypted communication and establishing BGP over VPN based on routing information. One would be motivated to do so in order to secure communication between VPN and network element (Dondeti on [Col 1 line 48-53]).
Regarding claim 36 ne or more non-transitory, computer-readable storage media, storing program instructions, that when executed on or across one or more computing devices, cause the one or more computing devices to (SURYANARAYANAN on [0012 and 0117] teaches  a general-purpose computer system that includes or is configured to access a non-transitory computer-accessible (e.g., computer-readable) media);
 assign one or more instances within a provider network to a virtual private gateway that is to be established for a virtual network of a customer of the provider network, wherein the customer's virtual network is implemented within the provider network (SURYANARAYANAN on [0067-0069] teaches the private network may be subdivided into a subnet that includes resources (VMs 524A and storage 518A, in this example) reachable through private gateway 562 (i.e. resource instance assigned to private gateway), and a subnet that includes resources (VMs 524B and storage 518B, in this example) reachable through public gateway 564. To establish a virtualized private network 560 for a client on provider network 500, one or more resource instances (e.g., VMs 524A and 524B and storage 518A and 518B) may be allocated to the virtualized private network 560. See on [0080-0081 and 0094-0096] teaches virtual computing resources instances that are configured as virtual desktop instances may be hosted on computing nodes in multiple data centers, gateway components of the workspace service (i.e. connectivity manager) (which may also be implemented by virtual computing resources) may be hosted on computing nodes. The service (i.e. connectivity manager) may automatically assign a gateway component (i.e. establishing virtual private gateway in view of Fig 5 block 562 of the reference application) for a particular client (i.e. client associated with client network. See Fig 5). When the client attempts to sign in to the workspace service, the service may provide an access gateway address that is hosted and may perform the mapping to that gateway component from the virtual desktop instance (i.e. assigning resource instance), the gateway components participate within a multi-tenant VPC that is managed by the workspace service. See also on [0020] teaches the gateway component may be selected automatically by a management component of the service (e.g., one operating within the VPC of the service), while in other embodiments a client portion of the service may select the gateway component. Once the connection between the virtual computing resource instance and the gateway component has been established by the service (and a connection is established between the client device and the gateway component), the service may begin a virtual desktop session on the virtual desktop session and initiate the communication of the interactive video stream for the session);
 establish a BGP session to exchange routing information for the one or more instances assigned to the virtual private gateway with a network external 5to the provider network (SURYANARAYANAN Fig 1 and text on [0025-0028] teaches clients of network 150A (i.e. network external to provider network 100) obtain IP addresses (i.e. routing information in view of para [0030] of instant application) of resource instance. See on [0030] teaches some public IP addresses may be allocated to or obtained by clients of the provider network 100, a client may then assign their allocated public IP addresses to particular resource instances allocated to the client. See also Fig 4 block 424 (i.e. resource instance) block 400 (i.e. provider network) block 450 (i.e. external network) and text on [0056-0058] teaches an interior gateway protocol (IGP) may be used to exchange routing information within such a local network (i.e. network external to the provider network). The external gateway protocol (EGP) or border gateway protocol (BGP) is typically used for Internet routing between sources (i.e. sources refer to VM which is equivalent to resource instance) and destinations (i.e. computing system of local network which is equivalent to customer of client external to provider network) on the Internet);
 wherein the BGP session is established via a dedicated physical network link established between the provider network and the external network (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550);
 establish [[using the exchanged routing information]] one or more virtual private network (VPN) tunnels between the external network and the one or more instances assigned to the virtual private gateway via the dedicated physical network link (SURYANARAYANAN Fig 5 block 542, 550, 560 and text on [0067] teaches a private communications channel 542 (i.e. VPN tunnel) may be established between a private gateway 562 (i.e. resource storage 518A-B and VMS 524 assigned to gateway 562) at virtualized private network 560 and a gateway 556 at client network 550 (i.e. external network). see on [0065] teaches a client's virtualized private network 560 may be connected to a client network 550 via a private communications channel 542. A private communications channel 542 may, for example, be a tunnel implemented according to a network tunneling technology or some other peering connection over an intermediate network 540. A private communications channel 542 may be implemented over a direct, dedicated connection between virtualized private network 560 and client network 550);
and enable [[encrypted]] communications to flow between the one or more instances included in the customer's virtual network and the external network via the one or more VPN tunnels implemented via the dedicated physical network link (SURYANARAYANAN on [0069-0071] teaches one or more of the VMs 524 may be configured to access client network 550 over a private communications channel 542 through private gateway 562 (e.g., via a network interface that is configured for communication between the VM 524 and a client device 552) and handle routing of the packet to the respective endpoint, either via private communications channel 542, alternate communications channel 546, or intermediate network 540).
(Dondeti on [Col 3 line 63-67] teaches once the routing information is passed to the VPN site, the new route information may be used by the VPN site to communicate directly with the other VPN site. See on [Col 10 line 10-15] teaches routing information to enable the VPN site to communicate with another VPN site on the VPN network (i.e. establishing VPN using the routing information));
establish an additional BGP session over the one or more VPN tunnels to exchange routing information of one or more instances included in the customer's virtual network with the customer's external network (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12');
encrypted communication between resource instance and customer external network (Dondeti Fig 4 block 12, 18 and associated text on [Col 10 line 50-67] teaches BGP session over VPN site 12 to exchange routing information R1, R2 of resource instance of network element to be passed to the VPN site 12 may be passed over a BGP peering session, the routing information may be combined with VPN information from the GCKS to specify how the communication should be formatted, encrypted, or encapsulated, to allow the data to pass over a VPN tunnel between the VPN sites 12, 12'.)
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Dondeti into the teaching of SURYANARAYANAN by enabling encrypted communication and establishing BGP over VPN based on routing information. One would be motivated to do so in order to secure communication between VPN and network element (Dondeti on [Col 1 line 48-53]).
Regarding claim 40 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 36 above, SURYANARAYANAN further teaches wherein the routing information of the one or more instances included in the customer's virtual network comprise private routing information not reachable via public Internet (SURYANARAYANAN on [0022] teaches each VM may be provided with one or more private IP addresses (i.e. private routing information). See on [0025] teaches private IP addresses 116 may be associated with the resource instances 112; the private IP addresses are the internal network addresses of the resource instances 112 on the provider network 100. See on [0027] teaches private IP addresses are only routable within the provider network).


Claims 26-28, 34, 35 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over SURYANARAYANAN et al (hereinafter SURYANARAYANAN) (US 20150339136) in view of Dondeti et al (hereinafter Dondeti) (US 75900074) and further in view of Schroeder (US 8443435).

Regarding claim 26 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 25 above, the combination fails to explicitly teach wherein a customer device at the (Schroeder on [Col 56-67] teaches a VPN handler of a client device is described that provides VPN connectivity by automatically creating multiple split VPN tunnels that provide direct access to different VPN concentrators of the enterprise based on specific resources requested by the client device).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Schroeder into the combined teaching of SURYANARAYANAN and Dondeti by customers device function as VPN. One would be motivated to do so in order to provide secure access to those resources associated within provider network (Schroeder on [Col 1 line 55-65]).

Regarding claim 27 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 21 above, the combination fails to explicitly teach the one or more VPN tunnels are implemented in accordance with an IPSec protocol, however Schroeder teaches wherein the one or more VPN tunnels are implemented in accordance with an IPSec protocol (Schroeder on [Col 4 line 25-35] teaches a secure data connection conforming to a security scheme, such as Secure Sockets Layer (SSL) or Internet Protocol Security ( IPSec) protocols. See on [Col 7 line 25-35] teaches VPN handler 5 and VPN concentrator 18A may use the Internet Key Exchange (IKE) protocol to negotiate secure data connection 15 as an IPSec tunnel. In this case, a field defined by the IKE protocol, such as the vendor ID field).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Schroeder into the combined teaching of SURYANARAYANAN and Dondeti by enabling encrypted communication between client devices and resource instances based on IPSec (Schroeder on [Col 1 line 55-65]).

Regarding claim 28 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 21 above, the combination fails to explicitly teach wherein the one or more VPN tunnels are implemented in accordance with an IKE (Internet Key Exchange) protocol, however  Schroeder teaches wherein the one or more VPN tunnels are implemented in accordance with an IKE (Internet Key Exchange) protocol (Schroeder on [Col 7 line 25-35] teaches VPN handler 5 and VPN concentrator 18A may use the Internet Key Exchange (IKE) protocol to negotiate secure data connection 15 as an IPSec tunnel. In this case, a field defined by the IKE protocol, such as the vendor ID field).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Schroeder into the combined teaching of SURYANARAYANAN and Dondeti by enabling encrypted communication between client devices and resource instances based on IPSec protocol and IKE. One would be motivated to do so in order to provide secure access to those resources associated within provider network (Schroeder on [Col 1 line 55-65]).

Regarding claim 34 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 33 above, the combination fails to explicitly teach wherein the two VPN tunnels encrypt network traffic in accordance with an IPSec protocol, however Schroeder teaches wherein the two VPN tunnels encrypt network traffic in accordance with an IPSec protocol (Schroeder on [Col 4 line 25-35] teaches a secure data connection conforming to a security scheme, such as Secure Sockets Layer (SSL) or Internet Protocol Security ( IPSec) protocols. See on [Col 7 line 25-35] teaches VPN handler 5 and VPN concentrator 18A may use the Internet Key Exchange (IKE) protocol to negotiate secure data connection 15 as an IPSec tunnel. In this case, a field defined by the IKE protocol, such as the vendor ID field).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Schroeder into the combined teaching of SURYANARAYANAN and Dondeti by enabling encrypted communication between client devices and resource instances based on IPSec protocol and IKE. One would be motivated to do so in order to provide secure access to those resources associated within provider network (Schroeder on [Col 1 line 55-65]).
Regarding claim 35 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 33 above, the combination fails to explicitly teach wherein the two VPN tunnels encrypt network traffic in accordance with an IKE (Internet Key Exchange) protocol, however Schroeder teaches wherein the two VPN tunnels encrypt network traffic in accordance with an IKE (Internet Key Exchange) protocol (Schroeder on [Col 4 line 25-35] teaches a secure data connection conforming to a security scheme, such as Secure Sockets Layer (SSL) or Internet Protocol Security ( IPSec) protocols. See on [Col 7 line 25-35] teaches VPN handler 5 and VPN concentrator 18A may use the Internet Key Exchange (IKE) protocol to negotiate secure data connection 15 as an IPSec tunnel. In this case, a field defined by the IKE protocol, such as the vendor ID field).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Schroeder into the combined teaching of SURYANARAYANAN and Dondeti by enabling encrypted communication between client devices and resource instances based on IPSec protocol and IKE. One would be motivated to do so in order to provide secure access to those resources associated within provider network (Schroeder on [Col 1 line 55-65]).

Regarding claim 37 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 36 above, the combination fails to explicitly teach wherein the one or more VPN  teaches wherein the one or more VPN tunnels are configured to encrypt network traffic in accordance with: an IPSec protocol; or an IKE (Internet Key Exchange) protocol (Schroeder on [Col 4 line 25-35] teaches a secure data connection conforming to a security scheme, such as Secure Sockets Layer (SSL) or Internet Protocol Security ( IPSec) protocols. See on [Col 7 line 25-35] teaches VPN handler 5 and VPN concentrator 18A may use the Internet Key Exchange (IKE) protocol to negotiate secure data connection 15 as an IPSec tunnel. In this case, a field defined by the IKE protocol, such as the vendor ID field).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Schroeder into the combined teaching of SURYANARAYANAN and Dondeti by enabling encrypted communication between client devices and resource instances based on IPSec protocol and IKE. One would be motivated to do so in order to provide secure access to those resources associated within provider network (Schroeder on [Col 1 line 55-65]).

Claim 38 is rejected under 35 U.S.C. 103 as being unpatentable over SURYANARAYANAN et al (hereinafter SURYANARAYANAN) (US 20150339136) in view of Dondeti et al (hereinafter Dondeti) (US 75900074) and further in view of Meyer et al (hereinafter Meyer) (US 20170060420).

Regarding claim 38 the combination of SURYANARAYANAN and Dondeti teaches all the limitations of claim 36 above, the combination fails to explicitly teach wherein prior to establishing the BGP session, the program instructions further cause the one or more processors to: initiate a protocol processing engine at a first one of the one or more instances; and initiate an additional protocol processing engine at a second one of the one or more instances, however Meyer from analogous art teaches  wherein prior to establishing the BGP session, the program instructions further cause the one (Meyer on [0020-0021, 0061, 0096, 0105 and 0116] teaches imitating different processing engine for different resource instances).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Meyer into the combined teaching of SURYANARAYANAN and Dondeti by imitating different processing engine for different resources. One would be motivated to do so in order to provide improve performance of a computing system in which computing resources communicate (Meyer on [0028]).

Claim 39 is rejected under 35 U.S.C. 103 as being unpatentable over SURYANARAYANAN et al (hereinafter SURYANARAYANAN) (US 20150339136) in view of Dondeti et al (hereinafter Dondeti) (US 75900074) in view of Meyer et al (hereinafter Meyer) (US 20170060420) and further in view of Schroeder (US 8443435).

Regarding claim 39 the combination of SURYANARAYANAN, Dondeti and Meyer teaches all the limitations of claim 38 above, the combination fails to explicitly teach wherein the first and second protocol processing engines comprise an IPSec processing module or an IKE (Internet Key Exchange) processing module, Schroeder teaches wherein the first and second protocol processing engines comprise an IPSec processing module or an IKE (Internet Key Exchange) processing module (Schroeder on [Col 4 line 20-35] teaches to access resources 14A within enterprise network 10, client device 4 establishes a secure data connection 15 to VPN concentrator 18A. A secure data connection conforming to a security scheme, such as Secure Sockets Layer (SSL) or Internet Protocol Security ( IPSec) protocols).
 into the combined teaching of SURYANARAYANAN, Dondeti and Meyer by enabling encrypted communication between client devices and resource instances based on IPSec protocol and IKE. One would be motivated to do so in order to provide secure access to those resources associated within provider network (Schroeder on [Col 1 line 55-65]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MOEEN KHAN/Examiner, Art Unit 2436                                                                                                                                                                                                        
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436