Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This Application claims priority to a Provisional Patent Application # 62/566,524, filed 10/02/2017.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/22/2021 and 02/08/2022 were filed after the mailing date of the Non-Final Office Action on 09/27/2021. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This Office Action is in response to an amendment application received on 12/27/2021. In the amendment, applicant has amended claims 1-3, 5, 7-11, 14-15 and 19. Claims 4, 6, 12-13 and 16-18 remain original. Claim 20 has been added a new claims. No claim has been cancelled. 
For this Office Action, claims 1-20 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejection under 35 U.S.C. § 103
Applicant's arguments filed 12/27/2021 have been fully considered but they are not persuasive. After review, applicant’s remarks have been summarized as follows:
First, the cited references do not disclose or suggest establishing a virtual network for a first entity to connect a set of external machines including first and second external machines operating respectively in first and second physical sites that are external sites outside of the multiple public cloud datacenters. The Office Action cites to Figure 14 of Jain, asserting that the first external machine is equivalent to a mobile device 1302, the second external machine is equivalent to a data compute node (DCN) server cluster 1325, and the virtual network is equivalent to a virtual private network (VPN) gateway and VPN virtual machine’s (VM’s) service module 1420. Office Action, page 13. However, Figure 14 of Jain clearly illustrates both the mobile device 1302 and the DCN server cluster 1325 in a first region. Additionally, the DCN server cluster is located inside the datacenter 1400. It is impossible to equate a mobile device inside a first region and a DCN cluster inside the first region and in a datacenter to be equivalent to first and second external machines operating in different first and second physical sites external to multiple public cloud datacenters. Moreover, the VPN VM’s service module 1420 cannot be equivalent to the virtual network because the VPN VM’s service module 1420 is not a virtual network of a first entity that connects first and second external machines operating in different physical sites outside of public cloud datacenters (Page # 8-9).
Second, the cited references do not disclose or suggest a firewall service machine that processes a data message as it traverses through the virtual network from the first external machine located in the first physical site to the second external machine located in the second physical site. The Office Action again cites Figure 14 of Jain, equating the firewall service machine deployed in the first public cloud datacenter to the VPN gateway services/operations deployed in the datacenter 1400. Office Action, page 15. However, the Office Action previously asserted that the VPN gateway and the VPN VM’s service module 1420 is equivalent to the claimed virtual network. Claim 1 recites that the firewall service machine processes a data message that traverses through the virtual network. It is impossible for Jain’s VPN gateway and VPN VM’s service module 1420 to be equivalent to both the virtual network and the firewall service machine, when they are clearly two different components of the claim. Moreover, Jain does not disclose or suggest that the VPN VM’s service module 1420 on the VPN gateway processes a data message that is forwarded by a virtual network from a first external machine located in a first physical site to a second external machine located in a second physical site (Page # 9).
Examiner’s Response
	Regarding remark # 1, examiner respectfully disagree with the Applicant that examiner is equating a mobile device inside a first region and a DCN cluster inside the first region and in a datacenter to be equivalent to first and second external machines operating in different first and second physical sites external to multiple public cloud datacenters. 
In this Office Action, examiner has clearly mapped that a first external machine is equivalent to mobile device 1 (1302) of Region 1 which is operating in a physically separate site/location and is ‘not part of’ data center 1400 as depicted in FIG. 14. Next, a second external machine is construed as “DCN cluster 1325” operating in datacenter 1400 which is also operating in a physically separate site/location and is ‘not part of’ Region 1 as shown in FIG. 14. Both devices are external machines operating and communicating through a virtual [logical] network established between Region 1 and Datacenter 1400 which are physically two separate sites.

    PNG
    media_image1.png
    627
    1030
    media_image1.png
    Greyscale

         Examiner is mindful that Jain does not explicitly discloses that the data message passes through first physical site and second physical site which are external sites outside of the “plurality of public cloud datacenters” and therefore examiner has relied upon Lee reference to teach the concept of the data message passes through first physical site and second physical site which are external sites outside of the “plurality of public cloud datacenters” (See Lee Col. 33; Line # 14-16; FIG. 19). 
Furthermore, regarding applicant’s assertion that in light of FIG. 14, Jain clearly illustrates both the mobile device 1302 and the DCN server cluster 1325 are in first region and therefore are not considered in two different sites, examiner respectfully disagree. As examiner has explained above, mobile device 1302 and DCN server cluster 1325 are depicted as two separate sites in FIG. 14 which are communicating through virtual [logical] network and therefore should not be considered as one physical site.
Regarding remark # 2, that cited references do not disclose or suggest a firewall service machine processes the data message as the data message traverses through the virtual network from the first external machine located in the first physical site to the second external machine located in the second physical site, examiner respectfully disagree. 
Secondary reference of Lee discloses a Cloud over IP (CoIP) system which discloses security components performing firewall services when client device send data packets which traverses through multiple cloud datacenters until it reaches server device (See Col. 34; Line # 34-45). 
Regarding Applicant’s remark that “it is impossible for Jain’s VPN gateway and VPN VM’s service module 1420 to be equivalent to both the virtual network and the firewall service machine, when they are clearly two different components of the claim”, Examiner find this remark flawed. Examiner has not mapped VPN gateway and VPN VM’s service module to be equivalent to both the virtual network and the firewall service machine. Examiner construes that VPN gateway 205 in FIG. 2 as performing firewall service operations which is deployed as VPN VM 1110 and Service Module 1420 in FIG. 14. Furthermore, claimed “virtual network” is interpreted as a logical network [which is a virtual network] which is an overlay network that is decoupled from the underlying physical topology (See Jain [0013-0014] [0152]). 
Based on above explanation and citations, rejection to the amended claims is maintained in combination of Jain and Lee references. 

Claim Objections
Claim 1 is objected to because of the following informalities:  
Claim 1 recites in fourth limitation “… the set of attributes including the virtual network identifier …”. There is no prior recitation of “a virtual network identifier” in the previous limitations.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jain et al., (US20170063794A1) in view of Lee et al., (US10348767B1), as evidenced by Williams et al (US20150188823).
Regarding claim 1, Jain discloses:
A method of processing a data message through a virtual network that is defined over a plurality of public cloud datacenters for a first entity (See [0007] & [0064] discloses a European company which is construed as “a first entity” attempts a VPN connection in the U.S. Also see [0139] discloses one company which is interpreted as “a first entity”), the method comprising: 
establishing the virtual network for the first entity to connect a set of external machines, including a first external machine (i.e., mobile device 1 (1302) in Region 1 which is physically ‘not part of’ data center 1400; See FIG. 14) operating in a first physical site (i.e., Region 1; See FIG. 14) and a second external machine (i.e., DCN cluster 1325 operating in data center 1400 which is physically ‘not part of’ Region 1 where mobile device 1 (1302) is communicating; See GIG. 14) operating in a second physical site (i.e., Datacenter 1400) (See FIG. 14; [0145] discloses a virtual network is established via an external [cloud] network between Mobile Device 1 [first external machine] located in physically separated Region 1 and DCN Cluster 1325 [second external machine] situated in physically separate Datacenter 1400), said establishing comprising 
configuring software routers (i.e., software forwarding elements 1130) executing on host computers with other computing machines that are deployed for other entities (Jain [0114] discloses host computer also executes one or more software forwarding elements (SFE) 1130, such as a software switch or a software router; [0121] discloses SFEs as one or more logical forwarding elements (e.g., logical switches or logical routers) with SFEs executing on other hosts in a multi-host environment. A logical forwarding element in some embodiments can span multiple hosts to connect VMs that execute on different hosts but belong to one logical network), 
connecting the software routers through tunnels (i.e., logical networks) ([0121] discloses SFEs as one or more logical forwarding elements (e.g., logical switches or logical routers) with SFEs executing on other hosts in a multi-host environment. A logical forwarding element in some embodiments can span multiple hosts to connect VMs that execute on different hosts but belong to one logical network), 
using tunnel encapsulating headers to encapsulate data messages forwarded through the virtual network ([0124] discloses tunnel encapsulation operations using attribute sets in the header of tunnels to forward data messages to other nodes), and 
storing an identifier in the encapsulating headers to identify the first entity for which the virtual network is deployed ([0078] discloses storing VPN tunnel identifier including record that identifies the data message identifiers for the data message; [0164] also discloses storing logical network identifiers); and 
at a firewall service machine (See FIG. 2; i.e. VPN gateway 205 performing firewall operations; Also see FIG. 14 where VPN gateway 205 deployed as VPN VM 1110 and Service Module 1420) that is deployed at a first public cloud datacenter (see FIG. 14; Datacenter 1400) as a service provided to data messages exchanged between the set of external machines as the data messages traverse through the virtual network ([0015] In some embodiments, the VPN gateway passes the RDM attribute set that it associated with a remote device's data messages to one or more network elements within the network so that these elements can perform one or more operations based on the RDM attribute set. Examples of such operations include the RDM-attribute based firewall operations, DNS operations, DNAT operations, and/or other middlebox or forwarding operations. In some embodiments, the VPN gateway passes the RDM attribute set that it associated with a remote device's data messages to one or more network elements within the network so that these elements can perform one or more operations based on the RDM attribute set. Examples of such operations include the RDM-attribute based firewall operations; [0028] FIG. 14 illustrates the VPN VM's service module performing an MDM-attribute based DNAT operation that re-routes the data messages of the second mobile device out of the datacenter to a DCN server cluster for second region mobile devices that access the datacenter DCN cluster in the first region), 
receiving a data message encapsulated (see [0009] i.e. receiving encapsulated packet from remote device) with an encapsulating header ([0009] In some embodiments, the VPN gateway (1) encapsulates packets sent from the internal network to the remote device with a tunnel header, and (2) decapsulates tunnel headers from the packets that it receives from the remote device before forwarding the packets to network elements in the internal network; [0015] the VPN gateway passes the RDM attribute set that it associated with a remote device's data messages to one or more network elements … the VPN gateway passes the RDM attribute set for a remote device to an internal forwarding element and/or middlebox element of the network through the tunnel header of the tunnel that connects the VPN gateway to that element); 
using a set of attributes associated with the received data message to identify a firewall rule that is applicable to the data message ([0063] Firewall rules are one example of rules that are defined in terms of MDM attribute sets in some embodiments. The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message; [0106] Next, at 925, the process 900 uses the identified MDM attribute set and/or the flow identifier (e.g., the L2-L4 values) of the data message to identify a firewall rule in the rule storage 235), 
the set of attributes including the virtual network identifier stored in the encapsulating header of the received data message ([0088] Each segmentation rule in the logical segmentation rule storage 700 of FIG. 7 stores a logical network identifier (LNI) that associates a received mobile-device data message with a particular logical network that is implemented by the common shared network and compute resources of the datacenter. In some embodiments, the LNI includes a virtual network identifier (VNI)); and 
F271.10 (N714.10) (VMWR.P0160)performing a firewall action (i.e. firewall action (Allow or Deny)) specified by the identified firewall rule on the received data message ([0063] Firewall rules are one example of rules that are defined in terms of MDM attribute sets in some embodiments. The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message, and then performs the action (allow, deny, redirect, redirect copy, etc.) specified by this rule on the data message), 
wherein the firewall action comprises one of (i) dropping the received data message when the firewall action specifies that the received data message should be dropped ([0063] The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message, and then performs the action (allow, deny, redirect, redirect copy, etc.) specified by this rule on the data message; [0106] In some embodiments, the rule storage 235 has a catch-all rule that matches the data message flows that do not match any other rule in the rule storage. The process 900 then performs (at 930) the firewall action (Allow or Deny) of the rule identified at 925), and 
(ii) allowing the received data message to pass through the virtual network when the firewall action specifies that the received data message should be allowed to pass through ([0063] The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message, and then performs the action (allow, deny, redirect, redirect copy, etc.) specified by this rule on the data message; [0106] In some embodiments, the rule storage 235 has a catch-all rule that matches the data message flows that do not match any other rule in the rule storage. The process 900 then performs (at 930) the firewall action (Allow or Deny) of the rule identified at 925).
Jain discloses that data messages are forwarded by one or more network elements of the network and traverses through the network between the first physical site to the second physical site to its destination using one datacenter.
Jain does not explicitly discloses that the data message passes through first physical site and second physical site which are external sites outside of the “plurality of public cloud datacenters”; and wherein a firewall service machine processes the data message as the data message traverses through the virtual network from the first external machine located in the first physical site to the second external machine located in the second physical site.
However, Lee discloses:
	the data message passes through first physical site (i.e., Client 1950) and second physical site (i.e., Server 1960) which are external sites outside of the “plurality of public cloud datacenters” (i.e., overlay network systems 1955 construed as multiple cloud datacenters; See FIG. 19) (Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters.
Examiner notes that FIG. 19 clearly depicts that data message from client device to the server device traversing through multiple public cloud datacenters);
wherein a firewall service machine processes the data message as the data message traverses through the virtual network from the first external machine located in the first physical site to the second external machine located in the second physical site (Col. 34; Line # 34-45; As shown in FIG. 19, in a specific embodiment, the CoIP system operates in a packet switched network according to a set of protocols implemented in a seven-layer protocol stack. The CoIP system includes various networking and security services, components, modules, or code components including but not limited to firewall 1910, load balancer 1915, transport Secure Socket Layer (SSL) encryption 1920, high-availability (HA) 1925, cloud over IP local area network (LAN) connections and wide area network (WAN) connections 1930, and security engines 1935. The functions are provided as layer 4 to layer 7 network services over the lower level (layer 1 to layer 3) network components).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Jain reference and consider the scenario where the target resource is in a geographically distant private network beyond the multiple cloud datacenters and thus traverse traffic would be tunneled over the multiple cloud datacenters (Williams: Figure 12, the target resource is no longer in the public cloud datacenter, but instead a private enterprise LAN, such as LAN B).  One would be motivated to do so in order to traverse existing Internet infrastructure to link two networked devices in geographically disparate private networks via VPN.  
Regarding claim 2, the combination of Jain and Lee discloses:
	The method of claim 1, wherein allowing the received data message comprises forwarding the received data message from the firewall service machine to a first forwarding element that is deployed in the first public cloud datacenter for the first forwarding element to forward the received data message to the second external machine (Jain: [0028] FIG. 14 illustrates the VPN VM's service module performing an MDM-attribute based DNAT operation that re-routes the data messages of the second mobile device out of the datacenter to a DCN server cluster for second region mobile devices that access the datacenter DCN cluster in the first region [0175] FIG. 21 illustrates the service module 2120 forwarding the data message (e.g., data packet) from the first mobile device 2102 to a standalone middlebox appliance 2150 along a tunnel 2140, while forwarding the data message from the second mobile device 2104 to a service module 2155 (that executes on a host 2160) along a tunnel 2145. This figure shows that the first mobile device's data message is received with one MDM attribute set in the header of the VPN tunnel 2112 but this data message is sent with another MDM attribute set to the middlebox 2150 in the header of tunnel 2140 & [0197-0199]).
Regarding claim 3, the combination of Jain and Lee discloses:
The method of claim 2, wherein the first forwarding element forwards the received data message to a second forwarding element that is deployed in a second public cloud datacenter for the second forwarding element to forward the received data message to the second external machine (Jain: [0028] FIG. 14 illustrates the VPN VM's service module performing an MDM-attribute based DNAT operation that re-routes the data messages of the second mobile device out of the datacenter to a DCN server cluster for second region mobile devices that access the datacenter DCN cluster in the first region [0175] FIG. 21 illustrates the service module 2120 forwarding the data message (e.g., data packet) from the first mobile device 2102 to a standalone middlebox appliance 2150 along a tunnel 2140, while forwarding the data message from the second mobile device 2104 to a service module 2155 (that executes on a host 2160) along a tunnel 2145. This figure shows that the first mobile device's data message is received with one MDM attribute set in the header of the VPN tunnel 2112 but this data message is sent with another MDM attribute set to the middlebox 2150 in the header of tunnel 2140 & [0197-0199]).
Regarding claim 4, the combination of Jain and Lee discloses:
The method of claim 3, wherein
for the received data message, the first forwarding element is an ingress forwarding element of the virtual network while the second forwarding element is an egress forwarding element of the virtual network, the ingress forwarding element being an initial forwarding element of the virtual network to process the received data message, and the egress forwarding element being a final forwarding element of the virtual network to process the received data message (Lee : Col. 35; Line # 26-34; To transmit the packet from a source system (e.g., client 1950) at one end of a network 1955 to a destination system (e.g., server 1960) at another end of the network, the packet is passed logically downward through the layers of a protocol stack 1965 at the source and then logically upward through the layers of a protocol stack 1970 at the destination. Each layer passes the packet to an adjacent upper or lower level layer depending on whether the packet is being sent or received; Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters).
Regarding claim 5, the combination of Jain and Lee discloses:
The method of claim 3, wherein
the first and second forwarding elements execute on software routers of the virtual network, the software routers executing on the host computers are machines deployed on host computers at the first and second public cloud datacenters, and each machine deployed on each host computer is one of a virtual machine or a container ([0016] the VPN gateway is implemented as a virtual machine that executes on a host computer along with one or more other virtual machines. In some of these embodiments, the VPN gateway's RDM-based processing operations (e.g., source network address translation, firewall operation, etc.) are performed by service modules that execute on the VPN VM's host computer, and that capture the remote-device data messages as the VPN VM decapsulates these messages and directs them to internal network elements of the network & [0054] These network elements perform their forwarding and service-process operations on data messages associated with (e.g., sent by or received for) the servers 135, MDM servers 120, network controllers 115, and VPN gateway set 110. The servers 135 perform compute and storage operations (e.g., execute applications, store files, etc.) that are accessible to one or more mobile devices 150 outside of the datacenter. In some embodiments, multiple servers 135 execute on a host computer. Examples of such servers include virtual machines and containers. In some of these embodiments, one or more network elements (e.g., forwarding elements, middlebox elements, VPN gateways) may also execute on such host computers).
Regarding claim 6, the combination of Jain and Lee discloses:
The method of claim 3, wherein
for the received data message, the first forwarding element is an ingress forwarding element of the virtual network and the second forwarding element is an intermediate forwarding element of the virtual network, the ingress forwarding element being an initial forwarding element of the virtual network to process the received data message, while the intermediate forwarding element being a forwarding element of the virtual network that forwards the received data message to a third forwarding element in a third public cloud datacenter over which the virtual network is defined (Lee : Col. 35; Line # 26-34; To transmit the packet from a source system (e.g., client 1950) at one end of a network 1955 to a destination system (e.g., server 1960) at another end of the network, the packet is passed logically downward through the layers of a protocol stack 1965 at the source and then logically upward through the layers of a protocol stack 1970 at the destination. Each layer passes the packet to an adjacent upper or lower level layer depending on whether the packet is being sent or received; Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters). 
Regarding claim 7, the combination of Jain and Lee discloses:
The method of claim 1, wherein
allowing the received data message comprises forwarding the received data message from the firewall service machine to a first forwarding element that is deployed in the first public cloud datacenter for the first forwarding element to forward the data message to a public network to forward the data message to the second external machine, and the first forwarding element is an egress forwarding element of the virtual network through which the received data message leaves the virtual network (Jain: [0102] FIG. 9 illustrates a firewall process 900 that the rule processor 220 performs in some embodiments. This process examines mobile device data messages that the VPN processor 210 passes to the internal network 105. As mentioned above, the rule processor 220 is a filter module of a VPN tunnel processing VM in some embodiments, and it captures these data messages on the egress path from the VM (e.g., from the VPN VM's VNIC or its associated SFE port) & [0132-1033]).
Regarding claim 8, the combination of Jain and Lee discloses:
The method of claim 7 further comprising receiving the data message at the first forwarding element from a second forwarding element, wherein the first and second forwarding elements execute on MFNs of the virtual network, and for the received data message, the second forwarding element is one of an ingress forwarding element of the virtual network or an intermediate forwarding element of the virtual network ([0112] Each VPN VM 1110 pairs with one or more service modules 1120 to implement a VPN gateway, like the VPN gateway 205; [0121] the SFE 1130 is a software switch, while in other embodiments it is a software router or a combined software switch/router. The SFE 1130 in some embodiments implements one or more logical forwarding elements (e.g., logical switches or logical routers) with SFEs executing on other hosts in a multi-host environment. A logical forwarding element in some embodiments can span multiple hosts to connect VMs that execute on different hosts but belong to one logical network. In other words, different logical forwarding elements can be defined to specify different logical networks for different users, and each logical forwarding element can be defined by multiple SFEs on multiple hosts & [0132-0133]).
Regarding claim 9, the combination of Jain and Lee discloses:
The method of claim 1, wherein the first and second external machines are machines in two private datacenters (Lee : Col. 35; Line # 26-34; To transmit the packet from a source system (e.g., client 1950) at one end of a network 1955 to a destination system (e.g., server 1960) at another end of the network, the packet is passed logically downward through the layers of a protocol stack 1965 at the source and then logically upward through the layers of a protocol stack 1970 at the destination. Each layer passes the packet to an adjacent upper or lower level layer depending on whether the packet is being sent or received; Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters).
Regarding claim 10, the combination of Jain and Lee discloses:
The method of claim 1, wherein the first machine is a machine in an office while the second external machine is a machine in a private datacenter (Lee : Col. 35; Line # 26-34; To transmit the packet from a source system (e.g., client 1950) at one end of a network 1955 to a destination system (e.g., server 1960) at another end of the network, the packet is passed logically downward through the layers of a protocol stack 1965 at the source and then logically upward through the layers of a protocol stack 1970 at the destination. Each layer passes the packet to an adjacent upper or lower level layer depending on whether the packet is being sent or received; Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters).
Regarding claim 11, the combination of Jain and Lee discloses:
The method of claim 1, wherein the first external machine is a remote user machine that is outside of a private network of an office or datacenter, while the second external machine is a machine in a private network of a private datacenter or an office (Lee: Col. 35; Line # 26-34; To transmit the packet from a source system (e.g., client 1950) at one end of a network 1955 to a destination system (e.g., server 1960) at another end of the network, the packet is passed logically downward through the layers of a protocol stack 1965 at the source and then logically upward through the layers of a protocol stack 1970 at the destination. Each layer passes the packet to an adjacent upper or lower level layer depending on whether the packet is being sent or received; Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters).
Regarding claim 12, the combination of Jain and Lee discloses:
The method of claim 1, wherein the set of attributes comprises a set of header values in the data message header (Jain: [0006] In some embodiments, the firewall devices enforce firewall rules that can be defined in terms of RDM attribute sets, as well as other message header values (e.g., L2-L7 header values); [0007] the network elements are other middlebox elements that enforce other middlebox service rules that can be defined by reference to RDM attribute sets associated with received remote-device data messages. For example, the network elements of some embodiments perform DNS (Domain Name System) operations for a data message flow (i.e., a set of data messages having the same packet header values) based on the RDM attribute set associated with the data message flow. In some embodiments, the network elements perform DNAT (destination network address translation) operations based on the RDM attribute sets of data messages, in order to route the data messages to their destinations).
Regarding claim 13, the combination of Jain and Lee discloses:
The method of claim 12, wherein the set of header values comprise at least one layer 2, layer 3 or layer 4 value (Jain: [0060] the rule identifiers (for identifying matching rules) of the rules are not only defined by reference to MDM attribute values but also by the flow identifier values (e.g., the L2-L4 header values, or L2-L7 header values) of the data message flows).
Regarding claim 14, the combination of Jain and Lee discloses:
The method of claim 1, wherein
the first entity is a particular tenant of a multi-tenant virtual network system, and the set of attributes comprises a tenant identifier that the system associated with  the particular tenant (Jain: [0210] The rule configurator 2605 also configures the service rules at the direction of automated provisioning module 2635 that directs the rule configurator 2605 to specify these rules as part of the provisioning of a physical or logical network. For instance, when the controller 115 is part of a network control system that manages logical networks in a multi-user (e.g., multi-tenant) hosted environment, the provisioning module 2635 in some embodiments directs the configurator 2605 to specify at least some of the service rules when a logical network is being specified for one user (e.g., for one tenant) and/or when a new VM is being provisioned on a host).
Regarding claim 15, the combination of Jain and Lee discloses:
The method of claim 1, wherein the set of attributes comprises a location identifier associated with the physical sites at which the first external machine or the second external machine resides are located (Jain: [0165] Examples of other such MDM attributes include user identifier, group identifier, department identifier, the mobile device's jailbroken status, location identifier, etc.).
Regarding claim 16, the combination of Jain and Lee discloses:
The method of claim 1, wherein using a set of attributes comprises comparing the set of attributes associated with the data message to rule identifiers of a plurality of firewall rules stored in a firewall rule storage to identify a firewall rule that has a rule identifier that matches the set of attributes (Jain: [0085] FIGS. 3-7 illustrate examples of different service rule storages for different service actions. Specifically, FIG. 3 illustrates an SNAT rule storage 300, FIG. 4 illustrates a firewall rule storage 400, FIG. 5 illustrates a DNAT rule storage 500, FIG. 6 illustrates an DNS rule storage 600, and FIG. 7 illustrates a logical segmentation rule storage 700. As shown, each of the rules in these rules storages includes a rule identifier that can be defined in some embodiments based on an MDM attribute set and/or a flow attribute set (e.g., L2-L4 packet header values). For a data message with a particular MDM attribute set, the rule processor can try to identify a rule in any of these rule storages 300-700 by comparing the data message's MDM attribute set and/or header values with the rule identifiers of the rules; [0094] Each flow's record also specifies a flow identifier (e.g., the flow's five tuple identifier). In some embodiments, the process 800 determines whether the connection storage contains a record for the received data message's flow by comparing the data message's flow identifier (e.g., five tuple identifier) with the flow identifiers of the records stored in this storage, in order to identify a record with a flow identifier that matches the data message's flow identifier).
Regarding claim 17, the combination of Jain and Lee discloses:
The method of claim 16, wherein 
the firewall rules have an associated priority, and when two firewall rules have rule identifiers that match the set of attributes associated with the data message, the firewall rule with a higher priority is identified as the matching firewall rule over the firewall rule with lower priority (Jain: [0252] some embodiments perform the rule matching in the order of the rule priorities, so that when a higher priority rule matches the MDM attribute set, the rule check can be stopped without checking the lower priority rules).
Regarding claim 18, the combination of Jain and Lee discloses:
The method of claim 1, wherein the public cloud datacenters comprise a plurality of multi-tenant public cloud datacenters (Jain: [210] The rule configurator 2605 also configures the service rules at the direction of automated provisioning module 2635 that directs the rule configurator 2605 to specify these rules as part of the provisioning of a physical or logical network. For instance, when the controller 115 is part of a network control system that manages logical networks in a multi-user (e.g., multi-tenant) hosted environment, the provisioning module 2635 in some embodiments directs the configurator 2605 to specify at least some of the service rules when a logical network is being specified for one user (e.g., for one tenant) and/or when a new VM is being provisioned on a host).
Regarding claim 19, the combination of Jain and Lee discloses:
The method of claim 1, wherein the firewall service machine processes the data message as the data message is forwarded by the virtual network from the first machine located in the first physical site to the second machine located in the second physical site (Jain: [0113] In some embodiments, the datacenter 1100 is a private datacenter of an enterprise and all its tenants belong to one entity (e.g., one corporation). In other embodiments, the datacenter is a public datacenter used by many different unrelated tenants; [0114] Each host computer 1105 also executes one or more software forwarding elements 1130, such as a software switch or a software router).
Regarding claim 20, Jain discloses:
A non-transitory machine readable medium storing a program for execution by at least one processing unit for processing a data message through a virtual network that is defined over a plurality of public cloud datacenters for a first entity, the program comprising sets of instructions for:
establishing the virtual network for the first entity to connect a set of external machines, including a first external machine (i.e., mobile device 1 (1302) in Region 1 which is physically ‘not part of’ data center 1400; See FIG. 14) operating in a first physical site (i.e., Region 1; See FIG. 14) and a second external machine (i.e., DCN cluster 1325 operating in data center 1400 which is physically ‘not part of’ Region 1 where mobile device 1 (1302) is communicating; See GIG. 14) operating in a second physical site (i.e., Datacenter 1400) (See FIG. 14; [0145] discloses a virtual network is established via an external [cloud] network between Mobile Device 1 [first external machine] located in physically separated Region 1 and DCN Cluster 1325 [second external machine] situated in physically separate Datacenter 1400), said establishing comprising 
configuring software routers (i.e., software forwarding elements 1130) executing on host computers with other computing machines that are deployed for other entities (Jain [0114] discloses host computer also executes one or more software forwarding elements (SFE) 1130, such as a software switch or a software router; [0121] discloses SFEs as one or more logical forwarding elements (e.g., logical switches or logical routers) with SFEs executing on other hosts in a multi-host environment. A logical forwarding element in some embodiments can span multiple hosts to connect VMs that execute on different hosts but belong to one logical network), 
connecting the software routers through tunnels (i.e., logical networks) ([0121] discloses SFEs as one or more logical forwarding elements (e.g., logical switches or logical routers) with SFEs executing on other hosts in a multi-host environment. A logical forwarding element in some embodiments can span multiple hosts to connect VMs that execute on different hosts but belong to one logical network), 
using tunnel encapsulating headers to encapsulate data messages forwarded through the virtual network ([0124] discloses tunnel encapsulation operations using attribute sets in the header of tunnels to forward data messages to other nodes), and 
at a firewall service machine (See FIG. 2; i.e. VPN gateway 205 performing firewall operations; Also see FIG. 14 where VPN gateway 205 deployed as VPN VM 1110 and Service Module 1420) that is deployed at a first public cloud datacenter (see FIG. 14; Datacenter 1400) as a service provided to data messages exchanged between the set of external machines as the data messages traverse through the virtual network ([0015] In some embodiments, the VPN gateway passes the RDM attribute set that it associated with a remote device's data messages to one or more network elements within the network so that these elements can perform one or more operations based on the RDM attribute set. Examples of such operations include the RDM-attribute based firewall operations, DNS operations, DNAT operations, and/or other middlebox or forwarding operations. In some embodiments, the VPN gateway passes the RDM attribute set that it associated with a remote device's data messages to one or more network elements within the network so that these elements can perform one or more operations based on the RDM attribute set. Examples of such operations include the RDM-attribute based firewall operations; [0028] FIG. 14 illustrates the VPN VM's service module performing an MDM-attribute based DNAT operation that re-routes the data messages of the second mobile device out of the datacenter to a DCN server cluster for second region mobile devices that access the datacenter DCN cluster in the first region), 
receiving a data message encapsulated (see [0009] i.e. receiving encapsulated packet from remote device) with an encapsulating header ([0009] In some embodiments, the VPN gateway (1) encapsulates packets sent from the internal network to the remote device with a tunnel header, and (2) decapsulates tunnel headers from the packets that it receives from the remote device before forwarding the packets to network elements in the internal network; [0015] the VPN gateway passes the RDM attribute set that it associated with a remote device's data messages to one or more network elements … the VPN gateway passes the RDM attribute set for a remote device to an internal forwarding element and/or middlebox element of the network through the tunnel header of the tunnel that connects the VPN gateway to that element); 
using a set of attributes associated with the received data message to identify a firewall rule that is applicable to the data message ([0063] Firewall rules are one example of rules that are defined in terms of MDM attribute sets in some embodiments. The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message; [0106] Next, at 925, the process 900 uses the identified MDM attribute set and/or the flow identifier (e.g., the L2-L4 values) of the data message to identify a firewall rule in the rule storage 235), 
the set of attributes including the virtual network identifier stored in the encapsulating header of the received data message ([0088] Each segmentation rule in the logical segmentation rule storage 700 of FIG. 7 stores a logical network identifier (LNI) that associates a received mobile-device data message with a particular logical network that is implemented by the common shared network and compute resources of the datacenter. In some embodiments, the LNI includes a virtual network identifier (VNI)); and 
F271.10 (N714.10) (VMWR.P0160)performing a firewall action (i.e. firewall action (Allow or Deny)) specified by the identified firewall rule on the received data message ([0063] Firewall rules are one example of rules that are defined in terms of MDM attribute sets in some embodiments. The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message, and then performs the action (allow, deny, redirect, redirect copy, etc.) specified by this rule on the data message), 
wherein the firewall action comprises one of (i) dropping the received data message when the firewall action specifies that the received data message should be dropped ([0063] The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message, and then performs the action (allow, deny, redirect, redirect copy, etc.) specified by this rule on the data message; [0106] In some embodiments, the rule storage 235 has a catch-all rule that matches the data message flows that do not match any other rule in the rule storage. The process 900 then performs (at 930) the firewall action (Allow or Deny) of the rule identified at 925), and 
(ii) allowing the received data message to pass through the virtual network when the firewall action specifies that the received data message should be allowed to pass through ([0063] The VPN gateway 110, or its associated MBE 160, uses a data message's MDM attribute sets to identify a firewall rule that is applicable to the data message, and then performs the action (allow, deny, redirect, redirect copy, etc.) specified by this rule on the data message; [0106] In some embodiments, the rule storage 235 has a catch-all rule that matches the data message flows that do not match any other rule in the rule storage. The process 900 then performs (at 930) the firewall action (Allow or Deny) of the rule identified at 925).
Jain discloses that data messages are forwarded by one or more network elements of the network and traverses through the network between the first physical site to the second physical site to its destination using one datacenter.
Jain does not explicitly discloses that the data message passes through first physical site and second physical site which are external sites outside of the “plurality of public cloud datacenters”; and wherein a firewall service machine processes the data message as the data message traverses through the virtual network from the first external machine located in the first physical site to the second external machine located in the second physical site.
However, Lee discloses:
	the data message passes through first physical site (i.e., Client 1950) and second physical site (i.e., Server 1960) which are external sites outside of the “plurality of public cloud datacenters” (i.e., overlay network systems 1955 construed as multiple cloud datacenters; See FIG. 19) (Col. 33; Line # 14-16; FIG. 19 shows a block diagram of a Cloud over IP (CoIP) system 1905. The CoIP system may be referred to as a virtual overlay network platform; Col. 33, Line # 35-38; In this specific embodiment, the CoIP system is an L4 to L7 network service where session layer and transport layer protocols are utilized to establish L3 IP network connections across multiple cloud datacenters.
Examiner notes that FIG. 19 clearly depicts that data message from client device to the server device traversing through multiple public cloud datacenters);
wherein a firewall service machine processes the data message as the data message traverses through the virtual network from the first external machine located in the first physical site to the second external machine located in the second physical site (Col. 34; Line # 34-45; As shown in FIG. 19, in a specific embodiment, the CoIP system operates in a packet switched network according to a set of protocols implemented in a seven-layer protocol stack. The CoIP system includes various networking and security services, components, modules, or code components including but not limited to firewall 1910, load balancer 1915, transport Secure Socket Layer (SSL) encryption 1920, high-availability (HA) 1925, cloud over IP local area network (LAN) connections and wide area network (WAN) connections 1930, and security engines 1935. The functions are provided as layer 4 to layer 7 network services over the lower level (layer 1 to layer 3) network components).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Jain reference and consider the scenario where the target resource is in a geographically distant private network beyond the multiple cloud datacenters and thus traverse traffic would be tunneled over the multiple cloud datacenters (Williams: Figure 12, the target resource is no longer in the public cloud datacenter, but instead a private enterprise LAN, such as LAN B).  One would be motivated to do so in order to traverse existing Internet infrastructure to link two networked devices in geographically disparate private networks via VPN.  


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./             Patent Examiner, Art Unit 2432