DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner Notes
	Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner. 

Response to Arguments
	Applicant’s arguments regarding the rejections have been fully considered but are not persuasive. Applicant argues that the claims are allowable because “at is assigned a first network address of addresses assigned to virtualization hosts at one or more data centers and (b) that indicates the first network address, wherein a destination address of the message is part of a second address range in use at the first premise external to the one or more data centers, the combination with embodiments of Liguori describes sending a command by an off-load device to a host device that is physically close enough to use PCIe (e.g., the off-load device and the device are in a same, single data center).” (Applicant’s Remarks, Pg. 10). Applicant further argues this point by stating “In Applicant’s claim, the message (addressed with a network address - not a memory address) is transmitted over a network from one of the data centers to a first extension resource group at a first premise *external* to the one or more data centers. Combination with Liguori is relied on by the Office. But the cited embodiments of Liguori (the embodiments described as *entirely within* one of the service provider data centers — not data centers connected over a network to a first premise external to the data centers) is directed to an offload device connected via PCIe (a motherboard interface) to a local, but separate, physical computing device that runs the virtual machines requested via the offload device.” (Applicant’s Remarks, Pg. 11). Examiner respectfully disagrees. Liguori teaches an offload device that is external to the one or more datacenters. (Abstract, The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device; Fig. 2b, Block 130; [0017], the offload device corresponds to an independent computing device that includes physical computing resources (e.g., processor and memory) separate from the physical computing resources associated with the physical computing device hosting the instantiated virtual machine instances; and [0038], the physical computing device 100 can be part of a network that includes multiple physical computing devices 100. One skilled in the relevant art will appreciate that the network is logical in nature and can encompass physical computing devices 100 from various geographic regions). Liguori also teaches the message (addressed with a network address - not a memory address) is transmitted over a network from one of the data centers to a first extension resource group. ([0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120). Under the broadest reasonable interpretation a memory address can be interpreted to be a network address, particularly in light of the offload device being a separate device remote from the physical computing device. Liguori’s memory addresses are used in network communication. ([0067], The translation table can store the routing information used for routing the received I/O request to the identified virtual component 140. After the I/O request is received, the virtual machine monitor can look up the I/O request in the translation table and route the request to the memory address of the offload device 130 that is responsive to the I/O request; and [0068], the I/O request is routed to the identified virtual component 140B. The I/O request is sent from the physical computing device 100 over the interface to the offload device 130. At (4) the I/O request is received and resolved by the virtual component 140B. The virtual component 140B can resolve the request based on the information contained in the I/O request. The virtual component 140 can resolve the request based on the virtual function that is assigned to the memory address identified in the I/O request). This response is applicable to Applicant’s other arguments regarding memory addresses being interpreted as network addresses.
	Applicant also argues that the claims are allowable because “at least because Liguori explicitly describes using the PCIe interface bus between the offload device and the local physical machine, Liguori does not describe transmitting a message addressed with a network address, to say nothing of a network address within a range used at a premise external to the data centers, and to say nothing of a message with two addresses — a message indicating [...] the *first* network address, wherein a *destination* address of the message is part of a second address range in use at the first premise.” (Applicant’s Remarks, Pg. 12). Examiner respectfully disagrees. Although Liguori teaches a PCI interface as an example of a potential connection between the offload device and a physical computing device ([0017], the offload device can be connected to the physical computing device via an interconnect interface. The interconnect interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface), Liguori also teaches that the offload device can be external to a physical device. (Abstract, The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device; Fig. 2b, Block 130; [0017], the offload device corresponds to an independent computing device that includes physical computing resources (e.g., processor and memory) separate from the physical computing resources associated with the physical computing device hosting the instantiated virtual machine instances; and [0038], the physical computing device 100 can be part of a network that includes multiple physical computing devices 100. One skilled in the relevant art will appreciate that the network is logical in nature and can encompass physical computing devices 100 from various geographic regions). This response is applicable to Applicant’s other arguments regarding a PCI interface.
In response to applicant's argument on page twelve of Applicant’s remarks that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).

	Applicant also argues that the claims are allowable because “Applicant’s attorney has reviewed the latest office action and the reference and has been unable to determine what the message indicating the first virtual machine launch command and indicating the *first* network address, wherein a *destination* address of the message is part of a second address range in use at the first premise, wherein a target virtualization host is also assigned the first network address within a private network established at the first extension resource group could possibly be mapped to in either reference. Thus, because the Office Action has not adequately articulated what message in the reference is mapped to Applicant’s message indicating the first virtual machine launch command and indicating the *first* network address, wherein a *destination* address of the message is part of a second address range in use at the first premise.” (Applicant’s Remarks, Pg. 14). Examiner respectfully disagrees. As stated in the prior Office Action, Liguori teaches a launch command and indicating the first and second network addresses. ([0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration; and [0053], the virtual machine monitor can include a memory mapping unit that manages the mapping of virtual components 140 instantiated on the offload device 130 to the virtual machine instance 120. The virtual machine monitor 110 can assign the virtual components 140 to memory addresses of the offload device. The addresses mapped to each virtual component 140 are provided to the virtual machine instance 120 associated with virtual component 140. The virtual components 140 associated with same virtual machine instance 120 may not be sequentially arranged within the memory of the offload device. In some embodiments, the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Liguori et al. (United States Patent Publication 2016/0170785) in view of Kloberdans et al. (United States Patent 10,498,611).

As per claim 1, Liguori teaches the invention substantially as claimed including a system, comprising:
	one or more computing devices of a virtualized computing service of a provider network, wherein the provider network comprises one or more data centers ([0001], data centers or data processing centers, herein generally referred to as a "data center," may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public; and [0033], In some embodiments, the virtual components 140 can be provisioned and emulated using the computing resources (e.g., processor 132 and memory 134) of the offload device 130. For example, the offload device 130 can run one or more programs that simulate the functions of hardware components that would be typically found on a motherboard of a computer system), and wherein a first set of virtualization hosts of the virtualized computing service located at the one or more data centers are assigned respective network addresses within a first address range ([0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120); 
	wherein the one or more computing devices comprise a processor and a memory storing (Abstract, The offload device can be a separate computing device that includes computing resources (e.g., processor and memory)) include instructions that upon execution on the processor cause the one or more computing devices to: 
		obtain, at a first outbound command communicator associated with a first extension resource group ([0018], control plane manager via a network interface integrated into the offload device or a management domain), a first virtual machine launch command ([0018], the offload device can be used to instantiate virtual machines on the physical computing device. For example, the offload device can receive a command from a control plane manager via a network interface integrated into the offload device or a management domain and instruct the virtual machine monitor to launch virtual machines), wherein the first outbound communicator ([0018], the offload device) is assigned a first network address within the first network address range ([0018], the offload device can receive a command from a control plane manager via a network interface integrated into the offload device or a management domain and instruct the virtual machine monitor to launch virtual machines. In addition, the virtual machine monitor can provide resource information regarding the physical computing to the control plane manager via the offload device…The control plane manager can provide instructions to the virtual machine monitor to instantiate virtual machine instances in the determined configuration and instruct the offload device to instantiate virtual components in the determined configuration. The virtual machine monitor can provide mapping of the instantiated virtual components on the offload device such that the virtual machine instances can recognize and communicate with the virtual components through the interface bus; and [0053], the virtual machine monitor can include a memory mapping unit that manages the mapping of virtual components 140 instantiated on the offload device 130 to the virtual machine instance 120. The virtual machine monitor 110 can assign the virtual components 140 to memory addresses of the offload device. The addresses mapped to each virtual component 140 are provided to the virtual machine instance 120 associated with virtual component 140. The virtual components 140 associated with same virtual machine instance 120 may not be sequentially arranged within the memory of the offload device. In some embodiments, the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120), wherein the first extension resource group includes one or more virtualization hosts located at a first premise external to the one or more data centers (Abstract, The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device), wherein the first virtual machine launch command includes an indication of the first network address ([0018], The virtual machine monitor can provide mapping of the instantiated virtual components on the offload device such that the virtual machine instances can recognize and communicate with the virtual components through the interface bus; [0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; [0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration; and [0048], in some embodiments the configuration instructions can be sent to the offload device 130 or a manager running in Domain.degree. as part of an instance launch command); and
		transmit, [via a secure network channel] to the first extension resource group, a message indicating the first virtual machine launch command ([0018], the offload device can receive a command from a control plane manager via a network interface integrated into the offload device or a management domain and instruct the virtual machine monitor to launch virtual machines) and indicating the first network address ([0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration), [wherein a destination address of the message is part of a second address range in use at the first premise], wherein a target virtualization host is also assigned the first network address within a private network ([0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120) established at the first extension resource group ([0017], The offload device can be connected to the physical computing device via an interconnect interface), and wherein processing of the first virtual machine launch command at the target virtualization host results in an instantiation of a first virtual machine at the target virtualization host ([0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration).

	Liguori fails to specifically teach, transmit, via a secure network channel to the first extension resource group, a message indicating the first virtual machine launch command; and wherein a destination address of the message is part of a second address range in use at the first premise.
	However, Kloberdans teaches, transmit, via a secure network channel to the first extension resource group (Column 12, Lines, creating a corresponding microdomain on the home gateway 204 may automatically initiate creation of an encrypted home gateway tunnel between a user device group and the service provider network/data center 202 (e.g., the vCPE 210)), a message indicating the first virtual machine launch command (Column 10, Lines 37-40, If the selected service groups are not available as an existing template, the template master may forward a request to the service provider engineering and/or marketing entities to automatically create a new template; and Column 10, Lines 52-58, generating the configuration instructions may involve steps by network service components, such as an Authentication, Authorization and Accounting (AAA) server to mediate network access for the micro-domains, a Dynamic Host Configuration Protocol (DHCP) domain manager to assign a range of IP addresses to each micro-domain as a separate subnet, and others; and Column 12, Lines 58-61, support of the micro-domain architecture may be designed to incorporate future software trends and/or features, including virtualization on the service provider networks); and 
	wherein a destination address of the message is part of a second address range in use at the first premise (Column 2, Line 34, allocating a unique range of internet protocol (IP) addresses; and Column 2, Lines 48-53, the first IP address may be assigned as a tunnel end point at the home gateway, and the second IP address may be assigned as a tunnel end point at a virtual gateway on the network of the communications service provider).
	
	Liguori and Kloberdans are analogous because they are both related to managing virtual networks. Liguori teaches a method of managing virtual machines across distributed networks (Abstract, the present application relates to systems and methods for the managing virtual machines instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. …The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances). Kloberdans teaches a method of managing virtual networks (Abstract, The communications service provider may receive information identifying one or more service group selected by a subscriber of the communications service provider. The communications service provider may also identify pre-set configurations associated with each of the one or more selected service group, generate configuration instructions for a micro-domain corresponding to each of the one or more selected service group, and create the micro-domain in the home network for each of the one or more selected service group by applying the generated configuration instructions to network services of the communications service provider). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention that, based on the combination, Liguori’s virtual machine management method would be modified with Kloberdans’ mechanisms for managing virtual networks. One of ordinary skill in the art would also have recognized that applying the known technique of Kloberdans to the teachings of Liguori would have yielded predictable results and resulted in an improved system.
Therefore, it would have been obvious to combine the teachings of Liguori and Kloberdans.

As per claim 2, Kloberdans teaches, wherein the secure network channel is established between the one or more data centers and the first extension resource group (Column 2, Lines 48-53, forming the secure tunnel between the tunnel end points may use a VxLAN encrypted tunneling protocol), and wherein the secure network channel comprises one or more of: (a) a VPN tunnel (Column 9, Lines 28-31, The home office service group may also be defined by pre-set configurations requiring use of a virtual private network (VPN) protocol to ensure data security and authentication) or (b) a dedicated physical link between the first premise and the provider network.

As per claim 3, Liguori teaches, wherein the one or more computing devices include further instructions that upon execution on a processor further cause the one or more computing devices to: 
	determine that a request to establish the first extension resource group has been submitted via a programmatic interface (Abstract, the offload device can be connected to the physical computing device via a interconnect interface; and [0048], configuration instructions can be sent to the offload device 130 or a manager running in Domain.degree. as part of an instance launch command. In this example, the control plan manager 150 may have selected the physical computing device 100 to host a virtual machine and sent a command to launch an instance to the physical computing device 100), wherein the first outbound command communicator is established in response to the request to establish the first extension resource group ([0047], the control plane manager 150 can receive a request to launch a new instance. Based on the request, the control plane manager 150 can filter out physical computing devices 100 that cannot host the instance, such as physical computing devices that are full, physical computing devices that do not have the necessary hardware, physical computing devices that are already hosting too many instances, or physical computing devices that do not meet the requirements for the new instance based on other reasons. The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration).

As per claim 4, Kloberdans teaches, wherein the one or more computing devices include further instructions that upon execution on a processor further cause the one or more computing devices to: 
	instantiate the first outbound command communicator prior to determining that a request to establish the secure network channel is received (Column 2, Lines 37-44, determining, for each of the one or more selected service groups, whether to establish a secure tunnel for associated user device data based on the pre-set configurations, and obtaining a first and a second IP address from the allocated range of IP addresses and automatically creating a secure tunnel between the tunnel end points at the home gateway and the virtual gateway in response to determining to establish a secure tunnel for associated user device data for one or more selected service group).

As per claim 5, Kloberdans teaches, wherein the first outbound command communicator executes in a virtual machine on another virtualization host (Column 2, Lines 15-20, The home gateway 300 may communicate with, for example, one or more remote computing device 326 over the wireless connection 318 and/or the wired connection 322. In some embodiments, the remote computing device may be a server of a content or other service provider; and Column 23, Lines 24-30, the service network processor may implement a micro-domain corresponding to the service group within a virtual CPE in block 704. In some embodiments, the virtual CPE may be a portion of memory that is physically located on a server or other component in the service network, but that appears to the subscriber as being on the home gateway/subscriber's CPE), wherein the other virtualization host is assigned a second network address within the first address range (Column 2, Line 34, allocating a unique range of internet protocol (IP) addresses; Column 2, Line 46-53, In some embodiment systems, methods, and devices, the first IP address may be assigned as a tunnel end point at the home gateway, and the second IP address may be assigned as a tunnel end point at a virtual gateway on the network of the communications service provider. In some embodiment systems, methods, and devices, forming the secure tunnel between the tunnel end points may use a VxLAN encrypted tunneling protocol; and Column 16, Line 15-20, The home gateway 300 may communicate with, for example, one or more remote computing device 326 over the wireless connection 318 and/or the wired connection 322. In some embodiments, the remote computing device may be a server of a content or other service provider).

As per claim 6, Liguori teaches the invention substantially as claimed including a method comprising: 
	performing, by one or more computing devices of a provider network: 
		receiving, at a control plane of a computing service of the provider network, a request to establish a compute instance ([0047], the control plane manager 150 can receive a request to launch a new instance. Based on the request, the control plane manager 150 can filter out physical computing devices 100 that cannot host the instance, such as physical computing devices that are full, physical computing devices that do not have the necessary hardware, physical computing devices that are already hosting too many instances, or physical computing devices that do not meet the requirements for the new instance based on other reasons. The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration); 
		obtaining, at a first outbound command communicator of the provider network, an indication that a first compute instance is to be established at a target host in response to the request ([0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration), wherein the target host is part of a first extension resource group of the provider network located at a client premise ([0047], the control plane manager 150 can receive a request to launch a new instance. Based on the request, the control plane manager 150 can filter out physical computing devices 100 that cannot host the instance, such as physical computing devices that are full, physical computing devices that do not have the necessary hardware, physical computing devices that are already hosting too many instances, or physical computing devices that do not meet the requirements for the new instance based on other reasons. The control plane manager can select a physical computing device from the remaining physical computing devices), wherein a first network address is associated with the target host at the control plane ([0018], The control plane manager can provide instructions to the virtual machine monitor to instantiate virtual machine instances in the determined configuration and instruct the offload device to instantiate virtual components in the determined configuration. The virtual machine monitor can provide mapping of the instantiated virtual components on the offload device such that the virtual machine instances can recognize and communicate with the virtual components through the interface bus), and wherein the first outbound command communicator is assigned at least the first network address ([0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; [0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration; and [0048], in some embodiments the configuration instructions can be sent to the offload device 130 or a manager running in Domain.degree. as part of an instance launch command);
		transmitting a [message indicating a second network address as a destination, wherein the second network address is part of a first network established at the client premise], wherein the message comprises a command to establish the first compute instance at the target host ([0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration; and [0048], in some embodiments the configuration instructions can be sent to the offload device 130 or a manager running in Domain.degree. as part of an instance launch command), [wherein the first network address is assigned to the target host within a second network established at the client premise], and wherein processing of the command at the target host results in establishment of the first compute instance ([0018], the offload device can be used to instantiate virtual machines on the physical computing device. For example, the offload device can receive a command from a control plane manager via a network interface integrated into the offload device or a management domain and instruct the virtual machine monitor to launch virtual machines).

	Liguori fails to specifically teach, transmitting a message indicating a second network address as a destination, wherein the second network address is part of a first network established at the client premise; and wherein the first network address is assigned to the target host within a second network established at the client premise.
	However, Kloberdans teaches, transmitting a message indicating a second network address as a destination (Column 2, Line 34, allocating a unique range of internet protocol (IP) addresses; and Column 2, Lines 48-53, the second IP address may be assigned as a tunnel end point at a virtual gateway on the network of the communications service provider. In some embodiment systems, methods, and devices, forming the secure tunnel between the tunnel end points may use a VxLAN encrypted tunneling protocol; and Column 8, Lines 27-38, Functions of the access gateway 112 may include, but are not limited to, forwarding data and control signals to network components as user data packet), wherein the second network address is part of a first network established at the client premise (Column 2, Lines 28-34, generating the configuration instructions for each micro-domain corresponding to each of the one or more selected service group may include generating and assigning a unique pre-shared key (PSK), setting parameters to establish a distinct virtual local area network (VLAN) identifier, and allocating a unique range of internet protocol (IP) addresses); and wherein the first network address is assigned to the target host within a second network established at the client premise (Column 2, Lines 28-34, generating the configuration instructions for each micro-domain corresponding to each of the one or more selected service group may include generating and assigning a unique pre-shared key (PSK), setting parameters to establish a distinct virtual local area network (VLAN) identifier, and allocating a unique range of internet protocol (IP) addresses).
	

As per claim 7, Liguori teaches, wherein the first compute instance comprises a virtual machine ([0018], the offload device can be used to instantiate virtual machines on the physical computing device; and [0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration).

As per claim 8, Liguori teaches, further comprising performing, by the one or more computing devices of the provider network: 
	providing, via a programmatic interface, an indication of a set of virtual machine categories supported at hosts within the provider network ([0047], the control plane manager 150 can receive a request to launch a new instance. Based on the request, the control plane manager 150 can filter out physical computing devices 100 that cannot host the instance…The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration), wherein the first virtual machine belongs to a particular virtual machine category of the set ([0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration).

As per claim 9, Liguori-Kloberdans fails to specifically teach, wherein the indication, obtained at the first outbound command communicator, that the first compute instance is to be established comprises a first security artifact, further comprising performing, by the one or more computing devices of the provider network: including, in the message transmitted to the second address, a second security artifact, wherein the second security artifact is generated at the first outbound command communicator. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include these steps because Kloberdans teaches authentication between network components (Column 9, Lines 27-31, The home office service group may also be defined by pre-set configurations requiring use of a virtual private network (VPN) protocol to ensure data security and authentication; Column 10, Lines 52-56, generating the configuration instructions may involve steps by network service components, such as an Authentication, Authorization and Accounting (AAA) server to mediate network access for the micro-domains).

As per claim 10, Liguori teaches, further comprising performing, by the one or more computing devices of the provider network: 
	programmatically attaching the first outbound command communicator to a first virtual network interface and a second virtual network interface ([0017], the offload device can be connected to the physical computing device via an interconnect interface. The interconnect interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to control the virtual machine monitor and emulate certain virtual components associated with the instantiated virtual machine instances), wherein the first virtual network interface is used to obtain, from the control plane, the indication that the first compute instance is to be established ([0047], the control plane manager 150 can receive a request to launch a new instance. Based on the request, the control plane manager 150 can filter out physical computing devices 100 that cannot host the instance, such as physical computing devices that are full, physical computing devices that do not have the necessary hardware, physical computing devices that are already hosting too many instances, or physical computing devices that do not meet the requirements for the new instance based on other reasons. The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration), [and wherein the second virtual network interface is used to access a secure network channel on which the message is transmitted to the first extension resource group].
	
	Liguori fails to specifically teach, wherein the second virtual network interface is used to access a secure network channel on which the message is transmitted to the first extension resource group.
	However, Kloberdans teaches, wherein the second virtual network interface is used to access a secure network channel on which the message is transmitted to the first extension resource group (Column 2, Lines 48-53, forming the secure tunnel between the tunnel end points may use a VxLAN encrypted tunneling protocol).
	The same motivation used in the rejection of claim 1 is applicable to the instant claim.

As per claim 11, this claim is similar to claim 2 and is rejected for the same reasons.

As per claim 12, Liguori teaches, wherein the first outbound command communicator is implemented at least in part using a virtual machine ([0018], the offload device can be used to instantiate virtual machines on the physical computing device; and [0047], The control plane manager can select a physical computing device from the remaining physical computing devices and sends a launch command to the offload device 130 or physical computing device with configuration instructions for launching the requested instance having a specific configuration).

As per claim 13, Liguori teaches, wherein the first extension resource group is established on behalf of a first client of a computing service of the provider network ([0001], data centers or data processing centers, herein generally referred to as a "data center," may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public), wherein the outbound command communicator is configured within a first isolated virtual network of the computing service ([0060], The virtual machine instances can be fully isolated from other virtual machine instances 120. The virtual machine monitor 110 provisions the logical virtualized resources that are associated with the underlying physical resources to each virtual machine instance, such as a VM processor 102 and VM memory 104. The virtual machine monitor 110 can also provision storage resources that are included locally on the physical computing device 100, on the offload device 130, or that are accessible via network), wherein the first isolated virtual network comprises at least a second outbound command communicator established to communicate with a second extension resource group established on behalf of a second client of the computing service ([0023], management of the virtual instances can further include the management of interaction between the virtual machine instances and the offload device 130. In the illustrated embodiment, the physical computing device 100 includes two instantiated, or hosted, virtual machine instances 120, virtual machine instance "A" and virtual machine instance "B").

As per claim 14, Kloberdans teaches, wherein the first extension resource group is established on behalf of a first client of a computing service of the provider network (Column 9, Lines 1-8, the device type, service parameters, and pre-set configurations for the various service groups may be stored on a server or data center associated with the service provider network. The term "data center" as used herein may refer to the physical and/or hardware-based resources ( e.g., a group of networked servers) used for data storage and processing, network operations, and/or network management for the service provider network), the method further comprising performing, by the one or more computing devices: 
	assigning, to the first compute instance, a network address from a first network address range of an isolated virtual network established within the provider network on behalf of the client (Column 2, Lines 28-34, generating the configuration instructions for each micro-domain corresponding to each of the one or more selected service group may include generating and assigning a unique pre-shared key (PSK), setting parameters to establish a distinct virtual local area network (VLAN) identifier, and allocating a unique range of internet protocol (IP) addresses).

As per claim 15, Kloberdans teaches, wherein the request to establish the first compute instance is received via a first network path associated with a public application programming interface of a computing service of the provider network (Column 18, Lines 33-39, The service provider network/data center 408 may be connected to at least one other network(s) 410, which may be a private network or a public network, such as the internet. In this manner, the user device group(s) 404 may establish communications with content provider(s), additional services, and/or remote computing devices (e.g., other users)), and wherein the message is transmitted to the second network address via a second network path (Column 9, Lines 50-53, the micro-domain corresponding to a service group for which third party service management is required may be created on the home gateway 402, as described above; and Column 12, Lines 3-5, the service network processor may form the home gateway tunnel between the tunnel end points using the obtained IP addresses from block 710).

As per claim 16, Liguori teaches the invention substantially as claimed including a system, comprising: 
	one or more computing devices of a service provider environment wherein the one or more computing devices comprise at least one processor and memory (Abstract, The offload device can be a separate computing device that includes computing resources (e.g., processor and memory)) storing instructions that upon execution on the processor cause the one or more computing devices to implement:
	a control plane executing on one or more computing devices of a service provider environment ([0018], control plane manager via a network interface integrated into the offload device or a management domain); and 
	an outbound command communicator coupled to a first network of the service provider environment ([0018], control plane manager via a network interface integrated into the offload device or a management domain), wherein the first network uses a first range of network addresses ([0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120), wherein the outbound command communicator is assigned a first network address in the first range of network addresses ([0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120), and 
	wherein the first network of the service provider environment includes a plurality of servers configured to host compute instances ([0045], The control plane manager 150 can determine the configuration of the allocation of the virtual machine instances on the physical computing devices and virtual components on the offload devices); wherein the control plane is configured to: 
		send a message including a request to launch a first compute instance to the first network address ([0018], The control plane manager can provide instructions to the virtual machine monitor to instantiate virtual machine instances in the determined configuration and instruct the offload device to instantiate virtual components in the determined configuration); and 
	wherein the outbound command communicator is configured to: 
		receive the first message ([0018], the offload device can be used to instantiate virtual machines on the physical computing device. For example, the offload device can receive a command from a control plane manager via a network interface integrated into the offload device or a management domain and instruct the virtual machine monitor to launch virtual machines); and 
	send a second message [to a device assigned a second network address], wherein the second message includes at least a portion of the request to launch the first compute instance ([0018], The control plane manager can provide instructions to the virtual machine monitor to instantiate virtual machine instances in the determined configuration and instruct the offload device to instantiate virtual components in the determined configuration; and [0045], The control plane manager 150 can determine the configuration of the allocation of the virtual machine instances on the physical computing devices and virtual components on the offload devices), [wherein the second network address is part of a second network established at a customer data center], wherein the device is configured to send the second message to a target server coupled to a third network established within the customer data center ([0001], The data centers may be private data centers operated on behalf of an organization; and [0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. 
For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120) established at the first extension resource group ([0017], The offload device can be connected to the physical computing device via an interconnect interface), [wherein the third network uses at least a portion of the first range of network addresses], and wherein the target server is assigned the first network address ([0001], The data centers may be private data centers operated on behalf of an organization; and [0033], The virtual machine monitor 110 can assign memory address ranges to virtual components within the memory allocated to virtual machine instances; and [0053], the virtual machine monitor 110 can assign ranges of memory addresses on the offload device to each virtual machine instance 120. For example, if there were 12 virtual machine instances 120 the virtual machine monitor 110 could assign separate ranges of memory addresses of the offload device 130 to each of the 12 virtual machine instances 120).

	Liguori fails to specifically teach, send a second message to a device assigned a second network address; wherein the second network address is part of a second network established at a customer data center; and wherein the third network uses at least a portion of the first range of network addresses.
	However, Kloberdans teaches, send a second message to a device assigned a second network address (Column 2, Line 34, allocating a unique range of internet protocol (IP) addresses; Column 2, Line 46-53, In some embodiment systems, methods, and devices, the first IP address may be assigned as a tunnel end point at the home gateway, and the second IP address may be assigned as a tunnel end point at a virtual gateway on the network of the communications service provider. In some embodiment systems, methods, and devices, forming the secure tunnel between the tunnel end points may use a VxLAN encrypted tunneling protocol; and Column 16, Line 15-20, The home gateway 300 may communicate with, for example, one or more remote computing device 326 over the wireless connection 318 and/or the wired connection 322. In some embodiments, the remote computing device may be a server of a content or other service provider); 
	wherein the second network address is part of a second network established at a customer data center (Column 2, Line 34, allocating a unique range of internet protocol (IP) addresses); and 
	wherein the third network uses at least a portion of the first range of network addresses (Column 2, Line 34, allocating a unique range of internet protocol (IP) addresses).

As per claim 17, this claim is similar to claim 2 and is rejected for the same reasons.

As per claim 18, Liguori teaches, wherein the first compute instance comprises a bare-metal compute instance ([0060], the virtual machine instances can be fully isolated from other virtual machine instances 120. The virtual machine monitor 110 provisions the logical virtualized resources that are associated with the underlying physical resources to each virtual machine instance, such as a VM processor 102 and VM memory 104. The virtual machine monitor 110 can also provision storage resources that are included locally on the physical computing device 100, on the offload device 130, or that are accessible via network).

As per claim 19, Liguori-Kloberdans fails to specifically teach, wherein the outbound command communicator is further configured to: include, in the second message sent to the second network address, a first security object that can be authenticated by the target server. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include these steps because Kloberdans teaches authentication between network components (Column 9, Lines 27-31, The home office service group may also be defined by pre-set configurations requiring use of a virtual private network (VPN) protocol to ensure data security and authentication; Column 10, Lines 52-56, generating the configuration instructions may involve steps by network service components, such as an Authentication, Authorization and Accounting (AAA) server to mediate network access for the micro-domains).

As per claim 20, Kloberdans teaches, wherein the device assigned the second network address is coupled to both the second and the third network (Column 18, Lines 33-39, The service provider network/data center 408 may be connected to at least one other network(s) 410, which may be a private network or a public network, such as the internet. In this manner, the user device group(s) 404 may establish communications with content provider(s), additional services, and/or remote computing devices (e.g., other users); and Column 24, Lines 3-5, the service network processor may form the home gateway tunnel between the tunnel end points using the obtained IP addresses from block 710), and wherein the device is further configured to: 
	cause a destination of the second message to be the first network address (Column 24, Lines 3-5, the service network processor may form the home gateway tunnel between the tunnel end points using the obtained IP addresses from block 710); and 
	send the second message to the target server (Column 24, Lines 3-5, the service network processor may form the home gateway tunnel between the tunnel end points using the obtained IP addresses from block 710).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MELISSA A HEADLY whose telephone number is (571)272-1972. The examiner can normally be reached Monday-Friday, 9-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LEWIS A BULLOCK JR/
Supervisory Patent Examiner, Art Unit 2199
MELISSA A. HEADLY
Examiner
Art Unit 2199