DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 04/08/2022 has been received and considered.
Claims 1-21 are pending.
This action is Final.
Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 04/06/2022 and 07/13/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of the Applicant’s IDS forms 1449 filed on 04/06/2022 and 07/13/2022 are attached to this office action. 

Response to Arguments
3.	Applicant's arguments filed 04/08/2022 have been fully considered but they are moot in consideration of the newly cited reference below.
4. 	The rejections under 35 U.S.C. 101 are withdrawn based on the filed amendments. The filed amendments include a practical application for the distributed set of service rules used to process data messages associated with machines in an endpoint group. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



5.	Claims 1-11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2019/0384645 A1 to Palavalli, (hereinafter, “Palavalli”), as disclosed in IDS submitted on 09/09/2020, in view of US Pub. No. US 2017/0063782 A1 to Jain, (hereinafter, “Jain”).
As per claim 1, Palavalli teaches a method of specifying service rules for middlebox service nodes to perform in a set of one or more datacenters, the method comprising 
receiving an intent-based API (Application Programming Interface) request that specifies a set of one or more service policies by reference to one dynamic group of endpoint machines (Palavalli, para. [0025] “the policy input processor 120 is an API processor that handles input -policy API commands received through an API gateway of an SDDC management system to which the policy framework belongs, or through a user interface that the SDDC management system presents to administrators of the SDDC, the SDDC tenants, and/or SDDC networks. Through these API commands, the policy input processor 120 receives several policies and stores each of these policies in a storage that it uses to identify policies that match subsequently received requests.” And para.  [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses. As shown in FIG. 2, a policy includes (1) a target 205 that specifies a set of one or more datacenter resources to which the policy applies, and (2) an expression 210 that specifies a constraint on operations on the target resource set.” And para. [0037] “The policy 200 illustrated in FIG. 2 restricts access to destination machines in a destination group to http and https accesses. Specifically, this policy specifies a constraint to be applied at an edge gateway of a tenant T's domain, as indicated by its path prefix 216.”); 
specifying, for each specified service policy, at least one service rule to implement the service policy, at least one specified service rule comprising a match criteria set defined by reference to the one dynamic group of endpoint machines (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter. In some embodiments, the type and path prefix attributes of the target 205 are used to determine whether a policy is applicable to (i.e., is associated with) an API request (i.e., whether the policy matches a set of attributes associated with the API request” and para. [0028] “The path prefix 216 for a policy is specified by reference to one or more resources in the resource hierarchy of the SDDC. In the examples illustrated in FIG. 2 and some of the other figures of this application, the resource hierarchy of the data center includes the following resources: tenant, domain, communication maps, and communication entries”); and
distributing, to the middlebox service nodes, a set of one or more specified service rules along with a list of member machines of the dynamic endpoint-machine group referred to by the specified service rules (Palavalli, para. [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses. As shown in FIG. 2, a policy includes (1) a target 205 that specifies a set of one or more datacenter resources to which the policy applies, and (2) an expression 210 that specifies a constraint on operations on the target resource set.” And para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter.”).
Palavalli teaches all the limitations of claim 1 above, however fails to explicitly teach but Jain teaches: 
a list of member machines of the dynamic endpoint-machine group referred to by the specified service rules, said middlebox service nodes using the distributed set of service rules to process data messages associated with the machines in the dynamic endpoint-machine group (Jain, para. [0159] “When it intercepts an initial data message from a mobile device, the service module retrieves the MDM attribute set associated with this data message from the MDM attribute data storage 240. In some embodiments, the service module retrieves the MDM attribute set by using the data message flow header values. The service module then uses this MDM attribute set to identify a LS (logical segmentation) rule in the MDM attribute rule storage 235 that has a rule identifier that matches the retrieved MDM attribute set.” And para. [0160] “illustrated in FIG. 18, each LS rule specifies a rule identifier that includes a tenant identifier. This rule also specifies an LNI to use for data messages from the mobile devices associated with the tenant identifier. Hence, as the retrieved MDM attribute set includes a tenant identifier in some embodiments, the service module uses the tenant identifier to identify an LS rule that specifies the LNI to use for the data messages from a mobile device of a particular tenant. The service module then inserts the identified LNI (e.g., LNI1 for data messages from mobile devices of tenant 1 and LNI2 for data messages from mobile devices of tenant 2) in a tunnel header of a tunnel that the VPN gateway 205 uses to forward the data message to a forwarding element or middlebox element associated with the logical network.” And para. [0162] “After identifying the LNI for a data message from a mobile device, the service module creates a record in its connection storage to store this LNI for subsequent data messages from the mobile device. In this record, the service module stores the data message flow attributes (e.g., header values) and/or the retrieved MDM attribute set so that it can later use this stored data to identify this record for subsequent data messages from the mobile device that have matching flow and/or MDM attributes. The connection store record allows the service module to quickly process subsequent messages from the mobile device that are part of the same flow.” And para. [0163] “Examples of other such MDM attributes include user identifier, group identifier, department identifier, the mobile device's jailbroken status, location identifier, etc. Different LS rules can specify different LNIs for the same tenant identifier, by also using any one of these other attributes (user identifier, group identifier, department identifier, the mobile device's jailbroken status, location identifier, etc.) in the rule identifiers of the LS rules.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jain’s distributed VPN gateway into Palavalli’s policy constraint framework, with a motivation to define policies and/or rules for the network elements (e.g., service rules for middlebox elements, routing rules for routers, etc.) based on the received RDM attribute definition and the associated set of operators (Jain, para. [0008]). 
As per claim 2, the combination of Palavalli and Jain teach the method of claim 1, wherein the match criteria set comprises a group identifier that identifies the dynamic group of endpoint machines (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter.” And para. [0028] “The path prefix 216 for a policy is specified by reference to one or more resources in the resource hierarchy of the SDDC. In the examples illustrated in FIG. 2 and some of the other figures of this application, the resource hierarchy of the data center includes the following resources: tenant, domain, communication maps, and communication entries. A communication map is a set of communication rules under a domain that are applicable to communication from/to VMs in the domain, while a communication entry is a single communication rule (e.g., firewall rule) under a communication map.” And para. [0030] “an example of a communication entry includes a tuple that includes the following information: identifier, name, description, source groups, destination groups, services, action, and scope.” And para. [0043] “the policy checking engine 115 compares a set of attributes of the selected request's resource with a policy's target to determine whether the policy is applicable to the resource. Specifically, to identify a policy that is applicable to the selected request's resource, the policy checking engine 115 compares one or more attributes of the selected request (e.g., the identifier of the request's associated resource) with one or more attributes specified in the target (e.g., path prefix and resource type) of each policy stored in the policy storage 105 to identify a policy with a matching attribute set (i.e., with an attribute set that matches the selected request's attribute set).”).
As per claim 3, the combination of Palavalli and Jain teach the method of claim 2, wherein the list of members of the group comprises a set of one or more network addresses for each member machine in the group (Jain, para. [0087] “The DNAT rules in the DNAT rule storage 500 store one or more candidate destination tuples (e.g., multiple sets of destination IP addresses and/or destination ports) for replacing the data message's destination tuple (e.g., the received data message's destination IP and/or destination port) during a DNAT operation. In the example illustrated in FIG. 5, each DNAT rule can also include a set of load balancing criteria that direct the rule processor to select one of the candidate destination tuples in a load balanced manner The DNS rules in the DNS rule storage 600 of FIG. 6 store a DNS server identifier (that identifies a DNS server) for data messages that have MDM attributes and flow attributes that match the rule identifier of a DNS rule.”).
As per claim 4, the combination of Palavalli and Jain teach the method of claim 3, wherein the middlebox service nodes compare network address attributes of data message flows that the service nodes process with the network addresses identified in the list of members for the member machines of the endpoint group to determine whether the data message flows match the service rules (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter. In some embodiments, the type and path prefix attributes of the target 205 are used to determine whether a policy is applicable to (i.e., is associated with) an API request (i.e., whether the policy matches a set of attributes associated with the API request).”).
As per claim 5, the combination of Palavalli and Jain teach the method of claim 3, wherein the set of network addresses for a member machine comprises a layer 3 address of a virtual interface associated with the member machine (Jain, para. [0194] “the source and destination tuples can be used to specify source and destination header values of data messages for which the firewall node processes the firewall rules. In other words, the firewall rule identifiers can be defined in terms of source and destination header values of data messages. For L3/L4 firewall rules, the source and destination header values can specified in terms of IP addresses and/or port values (e.g., TCP, UDP, or other L4 port values).”). 
As per claim 6, the combination of Palavalli and Jain teach the method of claim 3, wherein the set of network addresses for a member machine comprises a layer 3 address of a virtual interface associated with the member machine and a layer 4 port address used to reach the member machine (Jain, para. [0194] “the source and destination tuples can be used to specify source and destination header values of data messages for which the firewall node processes the firewall rules. In other words, the firewall rule identifiers can be defined in terms of source and destination header values of data messages. For L3/L4 firewall rules, the source and destination header values can specified in terms of IP addresses and/or port values (e.g., TCP, UDP, or other L4 port values).”). 
As per claim 7, the combination of Palavalli and Jain teach the method of claim 2, wherein the endpoint group identifier is used to define a source attribute of the match criteria set, the source attribute for comparing with the source network addresses of the data message flows processed by the middlebox service nodes (Palavalli, para. [0027] “The target of each policy in some embodiments includes (1) a type 212 of the target resource set, (2) a name 214 of the target resource set, and (3) a path prefix 216 that identifies the target resource set in the resource hierarchy of the datacenter. As shown, the policy path 216 in some embodiments is in a URL format to uniquely identify a resource or set of resources in a datacenter. In some embodiments, the type and path prefix attributes of the target 205 are used to determine whether a policy is applicable to (i.e., is associated with) an API request (i.e., whether the policy matches a set of attributes associated with the API request).”)
As per claim 8, the combination of Palavalli and Jain teach the method of claim 2, wherein the endpoint group identifier is used to define a destination attribute of the match criteria set, the destination attribute for comparing with the destination network addresses of the data message flows processed by the middlebox service nodes (Palavalli, para. [0037] “The policy 200 illustrated in FIG. 2 restricts access to destination machines in a destination group to http and https accesses. Specifically, this policy specifies a constraint to be applied at an edge gateway of a tenant T's domain, as indicated by its path prefix 216. This constraint specifies that when a message is addressed to a destination group VCENTER, the message (i.e., the access) should be allowed only when the message's protocol is http or https (i.e., when the access uses http or https protocols).”).
As per claim 9, the combination of Palavalli and Jain teach the method of claim 1, wherein the middlebox service nodes are firewall engines executing on host computers that execute the machines in the endpoint group (Palavalli, para. [0021] “examples of resources include service middlebox modules (e.g., service VMs or modules that perform middlebox service operations such as firewall operations, load balancing operations, network address translation operations, encryption operations, intrusion detection operations, intrusion prevention operations, etc.).”).
As per claim 10, the combination of Palavalli and Jain teach the method of claim 1, wherein the middlebox service nodes are firewall engines executing on host computers that execute machines that are sources of the data message flows processed by the firewall engines (Palavalli, para. [0030] “communication maps in some embodiments include (1) distributed firewalls (firewall machines implemented on host computers with compute node VMs and/or containers), (2) edge firewall appliances or machines operating at north/south boundary of physical or logical networks, and (3) inserted service modules executing on host computers to provide other middlebox service operations for compute node VMs and/or containers executing on the host computers. In some embodiments, an example of a communication entry includes a tuple that includes the following information: identifier, name, description, source groups, destination groups, services, action, and scope.”).
As per claim 11, the combination of Palavalli and Jain teach the method of claim 1, wherein the middlebox service nodes are firewall engines used to process data message flows entering or exiting a first network from or to a second network (Palavalli, para. [0030] “communication maps in some embodiments include (1) distributed firewalls (firewall machines implemented on host computers with compute node VMs and/or containers), (2) edge firewall appliances or machines operating at north/south boundary of physical or logical networks, and (3) inserted service modules executing on host computers to provide other middlebox service operations for compute node VMs and/or containers executing on the host computers. In some embodiments, an example of a communication entry includes a tuple that includes the following information: identifier, name, description, source groups, destination groups, services, action, and scope.” And para. [0039] “FIG. 5 illustrates another example of a policy. This policy 500 specifies that any communication rule that is specified can only specify an Allow action at the edge gateways. This policy would prevent the administrators from defining rules that reject data messages at the edge gateways. This policy is used as a default firewall policy in a whitelisting (do not allow any communication unless opened with explicit firewall rule) approach that only allows administrators to specify firewall rules at the edge gateway that opens connections.”).
As per claim 18, the combination of Palavalli and Jain teach the method of claim 1, wherein the endpoint group includes machines in at least two different sub-networks of a logical network that is defined in the datacenter set to connect a plurality of machines including the endpoint machine group (Palavalli, para.  [0026] “the received policies are expressed in a declarative format. FIG. 2 illustrates an example of a received policy 200. As further described below, this policy restricts access to destination machines in a destination group to http and https accesses. As shown in FIG. 2, a policy includes (1) a target 205 that specifies a set of one or more datacenter resources to which the policy applies, and (2) an expression 210 that specifies a constraint on operations on the target resource set.” And para. [0037] “The policy 200 illustrated in FIG. 2 restricts access to destination machines in a destination group to http and https accesses. Specifically, this policy specifies a constraint to be applied at an edge gateway of a tenant T's domain, as indicated by its path prefix 216.” And para. [0041] “the request processor 125 initially parses (at 605) the received hierarchical API into a set of one or more requests for one or more SD resources in the SDDC. In some embodiments, the received API might not only include different requests for different resources, but also might include multiple requests for the one SD resource. The received API can in some embodiments just include multiple different requests for one SD resource. Each request specifies one operation to be performed on a resource in some embodiments, while in other embodiments a request can specify multiple operations to be performed on a resource.”).
6.	Claims 12 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Palavalli in view of Jain, as disclosed above, in further view of US Pub No. US 2020/0076685 A1 to Vaidya, (hereinafter, “Vaidya”).
As per claim 12, the combination of Palavalli and Jain teach the method of claim 1, however fail to explicitly teach but Vaidya teaches: further comprising receiving a Custom Resource Definition (CRD) that defines a security policy as a resource in the datacenter set (Vaidya, para. [0052] “Namespaces may enable one Kubernetes cluster to be used by multiple users, teams of users, or a single user with multiple applications. Additionally, each user, team of users, or application may be isolated within a namespace from every other user of the cluster. Consequently, each user of a Kubernetes cluster within a namespace operates as if it were the sole user of the Kubernetes cluster. The techniques of this disclosure include an ability to associate multiple virtual networks with a single namespace. As such, a user within the respective namespace has the ability to access each virtual network of the virtual networks that is associated with the namespace, including virtual execution elements that serve as virtual network endpoints of the group of virtual networks.” And para. [0053] “The virtualized computing infrastructure managed by orchestrator 23 and network controller 24 may communicate according to one of several modes or ne. In default mode, all pods can communicate with all other pods without using network address translation (NAT). Network controller 23 creates a virtual network that is shared by all namespaces, from which service and pod IP addresses are allocated. All pods in all namespaces that are spawned in a cluster are able to communicate with one another. The IP addresses for all of the pods are allocated from a pod subnet that is configured in the orchestrator 23.” And para. [0069] “The above example specifies the four virtual networks using Kubernetes network (CustomResourceDefinition) Objects to conform the virtual network specifications to the Kubernetes Custom Resource Definition De-facto Standard, which specifies requirements and procedures for attaching Kubernetes pods to one or more virtual or physical networks, including requirements for plugins using the Container Network Interface (CNI) to attach pod networks.” And para. [0070] “Orchestrator 23 may process namespace specification data 27 to generate configuration objects corresponding to the corresponding namespace, wherein the configuration objects include respective virtual network configuration objects for the multiple virtual networks specified for the namespace. In examples where orchestrator 23 implements respective cluster masters for one or more Kubernetes clusters, a namespace represents a virtual cluster within a Kubernetes cluster.”);
wherein the API request refers to the CRD in defining the set of firewall service policies and the service rules are firewall rules (Vaidya, para. [0144] “Network controller 324 may provide network function virtualization (NFV) to networks, such as business edge networks, broadband subscriber management edge networks, and mobile edge networks. NFV involves orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, containers, or other virtual execution elements instead of on physical hardware appliances. The main drivers for virtualization of the networking services in this market are time to market and cost optimization.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya’s virtual execution elements into Jain’s distributed VPN gateway and Palavalli’s policy constraint framework, with a motivation for orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, containers, or other virtual execution elements instead of on physical hardware appliances (Vaidya, para. [0144]).

As per claim 19, the combination of Palavalli and Jain teach the method of claim 1, however fail to explicitly teach but Vaidya teaches: wherein said API refers to a first Custom Resource Definition (CRD) that defines a dynamic endpoint group as a resource in the datacenter set (Vaidya, para. [0052] “Namespaces may enable one Kubernetes cluster to be used by multiple users, teams of users, or a single user with multiple applications. Additionally, each user, team of users, or application may be isolated within a namespace from every other user of the cluster. Consequently, each user of a Kubernetes cluster within a namespace operates as if it were the sole user of the Kubernetes cluster. The techniques of this disclosure include an ability to associate multiple virtual networks with a single namespace. As such, a user within the respective namespace has the ability to access each virtual network of the virtual networks that is associated with the namespace, including virtual execution elements that serve as virtual network endpoints of the group of virtual networks.” And para. [0053] “The virtualized computing infrastructure managed by orchestrator 23 and network controller 24 may communicate according to one of several modes or ne. In default mode, all pods can communicate with all other pods without using network address translation (NAT). Network controller 23 creates a virtual network that is shared by all namespaces, from which service and pod IP addresses are allocated. All pods in all namespaces that are spawned in a cluster are able to communicate with one another. The IP addresses for all of the pods are allocated from a pod subnet that is configured in the orchestrator 23.” And para. [0069] “The above example specifies the four virtual networks using Kubernetes network (CustomResourceDefinition) Objects to conform the virtual network specifications to the Kubernetes Custom Resource Definition De-facto Standard, which specifies requirements and procedures for attaching Kubernetes pods to one or more virtual or physical networks, including requirements for plugins using the Container Network Interface (CNI) to attach pod networks.” And para. [0070] “Orchestrator 23 may process namespace specification data 27 to generate configuration objects corresponding to the corresponding namespace, wherein the configuration objects include respective virtual network configuration objects for the multiple virtual networks specified for the namespace. In examples where orchestrator 23 implements respective cluster masters for one or more Kubernetes clusters, a namespace represents a virtual cluster within a Kubernetes cluster.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya’s virtual execution elements into Jain’s distributed VPN gateway and Palavalli’s policy constraint framework, with a motivation for orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, containers, or other virtual execution elements instead of on physical hardware appliances (Vaidya, para. [0144]).
As per claim 20, the combination of Palavalli and Jain teach the method of claim 19, wherein said API refers to a second CRD that defines a security policy as a resource in the datacenter set (Vaidya, para. [0052] “Namespaces may enable one Kubernetes cluster to be used by multiple users, teams of users, or a single user with multiple applications. Additionally, each user, team of users, or application may be isolated within a namespace from every other user of the cluster. Consequently, each user of a Kubernetes cluster within a namespace operates as if it were the sole user of the Kubernetes cluster. The techniques of this disclosure include an ability to associate multiple virtual networks with a single namespace. As such, a user within the respective namespace has the ability to access each virtual network of the virtual networks that is associated with the namespace, including virtual execution elements that serve as virtual network endpoints of the group of virtual networks.” And para. [0053] “The virtualized computing infrastructure managed by orchestrator 23 and network controller 24 may communicate according to one of several modes or ne. In default mode, all pods can communicate with all other pods without using network address translation (NAT). Network controller 23 creates a virtual network that is shared by all namespaces, from which service and pod IP addresses are allocated. All pods in all namespaces that are spawned in a cluster are able to communicate with one another. The IP addresses for all of the pods are allocated from a pod subnet that is configured in the orchestrator 23.” And para. [0069] “The above example specifies the four virtual networks using Kubernetes network (CustomResourceDefinition) Objects to conform the virtual network specifications to the Kubernetes Custom Resource Definition De-facto Standard, which specifies requirements and procedures for attaching Kubernetes pods to one or more virtual or physical networks, including requirements for plugins using the Container Network Interface (CNI) to attach pod networks.” And para. [0070] “Orchestrator 23 may process namespace specification data 27 to generate configuration objects corresponding to the corresponding namespace, wherein the configuration objects include respective virtual network configuration objects for the multiple virtual networks specified for the namespace. In examples where orchestrator 23 implements respective cluster masters for one or more Kubernetes clusters, a namespace represents a virtual cluster within a Kubernetes cluster.”), 
said service policies comprising firewall policies for processing data messages associated with the dynamic group of endpoint machines (Vaidya, para. [0144] “Network controller 324 may provide network function virtualization (NFV) to networks, such as business edge networks, broadband subscriber management edge networks, and mobile edge networks. NFV involves orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, containers, or other virtual execution elements instead of on physical hardware appliances. The main drivers for virtualization of the networking services in this market are time to market and cost optimization.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vaidya’s virtual execution elements into Jain’s distributed VPN gateway and Palavalli’s policy constraint framework, with a motivation for orchestration and management of networking functions such as a Firewalls, Intrusion Detection or Preventions Systems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide Area Network (WAN) optimization, etc. in virtual machines, containers, or other virtual execution elements instead of on physical hardware appliances (Vaidya, para. [0144]).
Allowable Subject Matter
7.	Claims 13-17 and 21 are allowed.
The following is an examiner’s statement of reasons for allowance: The claims are allowed over the prior art of record in combination with the Applicant’s arguments and amendments of 04/08/2022. After further search and consideration, the prior arts of record either taken alone or in combination neither anticipates nor renders obvious the claimed subject matter of the instant application that is taken as a whole including the particular features incorporated in each independent claims. 
The prior art Palavalli (US 2019/0384645) of record discloses a policy constraint framework for a software defined datacenter. The prior art Jain (US 2017/0063782) of record discloses a distributed VPN gateway for processing remote device management using attribute-based rules. The prior art Vaidya (US 2020/0076685) of record discloses a virtual network interface for multiple networks where a network controller uses namespace specification data for virtual execution elements. The prior art Bansal (US 2017/0005986) of record discloses a central firewall management system used to manage different firewall devices and allows for the firewall rule sets to be dynamically modified. 
However, the prior art fails to anticipate or render the following limitations: “receiving an intent-based API (Application Programming Interface) request that refers to resources that are defined by reference to the first and second CRDs, said API specifying a set of one or more firewall service policies by reference to one dynamic group of endpoint machines” and “specifying, for each specified firewall service policy, at least one firewall rule to implement the firewall service policy, at least one specified firewall rule comprising a match criteria set defined by reference to the one dynamic group of endpoint machines, wherein the API request refers to the first and second CRDs in defining the set of firewall service policies” (as recited in claims 13 and 21).

Claims are allowed in light of the above claim limitations when in combination with the remaining claim limitations. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20180295036 A1 – Application/Context-based management of virtual networks using customizable workflows.
US 20180083835 A1 – Application management for a multi-tenant identity cloud service.

Applicant's amendment necessitated the new grounds of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437  

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437