Managing Application Access Controls And Routing In Cloud Computing Platforms

DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to RCE This office action is in response to applicant’s RCE with IDS filed 10/31/25, of application filed, with the above serial number, on 12/18/20 in which claims 1-19 are pending in the application. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-7, 11-18, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Walker et al (hereinafter “Walker”, 11,394,636) in view of Foxhoven (hereinafter “Foxhoven”, 2017/0310709 (PGPUB cite no 5 on 10/31/25 IDS)). As per Claim 1, Walker discloses a method comprising: instantiating a plurality of edge clusters on one or more cloud computing platforms, one or more edge cluster of the plurality of edge clusters being located in each regional cloud of a plurality of regional clouds in the one or more cloud computing platforms, the plurality of regional clouds being connected to one another by one or more cloud backbone networks, the plurality of regional clouds being further connected to a wide area network (WAN) that does not include the one or more cloud backbone networks (at least Fig. 2; col. 4:30-65; cloud provider network 120 can be formed as a number of regions, where a region is a separate geographical area in which the cloud provider clusters data centers. Each region can include two or more availability zones connected to one another via a private high-speed network, for example, a fiber communication connection. … Customers can connect to availability zones of the cloud provider network via a publicly accessible network (e.g., the Internet, a cellular communication network) by way of a transit center (TC). TCs are the primary backbone locations linking customers to the cloud provider network, and may be collocated at other network provider facilities (e.g., Internet service providers, telecommunications providers) and securely connected (e.g., via a VPN or direct connection) to the availability zones. Each region can operate two or more TCs for redundancy. Regions are connected to a global network which includes private networking infrastructure (e.g., fiber connections controlled by the cloud provider) connecting each region to at least one other region. The cloud provider network may deliver content from points of presence outside of, but networked with, these regions and/or availability zones by way of edge locations and regional edge cache servers); instantiating an application instance in a first regional cloud of the plurality of regional clouds, a first edge cluster of the plurality of edge clusters executing in the first regional cloud (at least col. 3:40-4:29; Users can access the cloud provider network 120 via the network 104 to view or manage their data and computing resources, as well as to use websites and/or applications hosted by the cloud provider network 120. The servers 118 can include any network-equipped computing device, for example, web servers, application servers, file servers, database servers, media servers, game servers, proxy servers), the application instance having an associated domain name and address (at least col. 8:27-31, 11:19-37, 10:1-22; DNS where service providers associate endpoints with global network addresses which are addressable in the network in load balanced manner); configuring one or both of the one or more cloud computing platforms and the plurality of edge clusters to direct traffic addressed to the application instance to the first edge cluster over either of the WAN and the one or more cloud backbone networks (at least col. 5:65-6:25; Fig. 2; load balancer 109 may forward one or more network packets received from a global access point 106 to an instance 112 executing a copy of the packet forwarder code 116. The load balancer 109 may also forward one or more network packets received from an instance 112 to a global access point 106 in the connection path associated with such network packets. In some embodiments, the load balancer 109 is implemented on a physical machine comprising computer hardware and storing load balancer code that, when executed, configures the physical machine to perform the load balancing operations described herein. The instance 112 may provide the compute capacity usable to execute a packet forwarder (e.g., packet forwarder code 116) that can be used to forward a received network packet along an obfuscated network signal path and eventually to the intended destination (e.g., server 118)). Walker fails to explicitly disclose providing the domain name and the address to the first edge cluster; and configuring the first edge cluster to control access to the application instance by: receiving a request from an endpoint to resolve the domain name; (a) authenticating the endpoint with respect to the application instance; and in response to (a), responding to the request. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Foxhoven. Foxhoven discloses, in an analogous art, steering DNS traffic by use of an anycast DNS server associated with a distributed security cloud, wherein DNS surrogation provides DNS service geographic localization such that a client or endpoint DNS request is both authenticated for the endpoint and the content or application, and uses DNS for dynamic routing of traffic, per user authentication and policy enforcement for the cloud application (at least Foxhoven paragraph 25, 28-33, 45, 54, 76). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Foxhoven’s DNS authentication with Walker as Foxhoven teaches the need and desire for an easy to deploy cloud security system using ubiquitous DNS resolution offering user level differentiated policies that can differ based on locations (at least Foxhoven paragraph 7, 95-96) and that would be configurable and usable with Walker’s load balancer performing authentication of source devices (at least col. 11:12-18). As per Claim 2. The method of claim 1, further comprising configuring a domain name service (DNS) of the one or more cloud computing platforms to control routing of traffic received over the WAN and addressed to the application instance over either the WAN or the one or more cloud backbone networks (at least Foxhoven paragraph 5, 25, 28-34, 45, 54, 67-68, 76; distributed security cloud 202 can be viewed as an intelligent routing platform; DNS is practically universally supported by Internet devices which make DNS ideal for the intelligent routing platform; Content is geo-localized or routed to the best destination based on the source IP address of the DNS server that performed the recursion). As per Claim 3. The method of claim 2, wherein configuring the DNS of the one or more cloud computing platform comprises configuring an ANYCAST internet protocol (IP) address associated with the application instance (at least Foxhoven paragraph 68-70; re-directing traffic to the distributed security cloud 202 using the anycast DNS server 206; also see Walker col. 10:13-22: 16/219,770 application incorporate by reference par. 17, 20, 40). As per Claim 4. The method of claim 1, further comprising configuring a second edge cluster executing in the first regional cloud with alternative routing logic instructing the second edge cluster to redirect traffic addressed to the application instance to the first edge cluster (at least col. 10:43-67; 106a selecting load balancer based on load and selecting load balancer 109b alternatively to 109a which it would routinely do). As per Claim 5. The method of claim 4, wherein configuring the first edge cluster to control access to the application instance comprises configuring the first edge cluster to verify a source of the traffic addressed to the application instance using an identity provider (IDP) (at least col. 11:12-18; Fig. 1; load balancer 109A or the global access point 106A may authenticate the source client device 102; see Fig. 1: first row for 106a/109a for instance 112a for a region; 106b for 112b etc.). As per Claim 6. The method of claim 4, further comprising configuring, by an intelligent routing module, the one or more cloud computing platforms to implement a fast lane by configuring the one or more cloud computing platforms to direct a portion of the traffic addressed to the application instance received by a second regional cloud to the application instance in the first regional cloud over the one or more cloud backbone networks (at least col. 10:13-22: 16/219,770 application incorporate by reference par.41 access point 106 can route the request to the endpoint. In one embodiment, the access point 106 uses NAT translation or encapsulation to redirect the request to the endpoint over the network 108, preventing disclosure of a network address of the endpoint to the client devices 102. Where connection-oriented communication sessions are utilized between client devices 102 and an endpoint, the access point 106 may operate to conduct an initialization phase of the communication session on behalf of the endpoint, in accordance with the present embodiments. In instances where the network 108 is a private network, the global access points 106 may further function as an “offloading” point for traffic to the endpoints, moving that traffic from a public network (e.g., network 104) to the private network 108. Generally, such a private network would be expected to have greater performance than a public network, and thus such offloading may further increase the speed of communication between client devices 102 and endpoints). As per Claim 7. The method of claim 6, further comprising configuring, by the intelligent routing module, the one or more cloud computing platforms to implement the fast lane by routing the portion through a cloud point of presence (POP) in the second regional cloud (at least col. 8:42-64; the global access points 106 represent devices in co-tenanted locations, such as network “points of presence” or Internet Exchange Points (IXPs).; col. 10:36-58; routing traffic from each region through global access point POP 106). As per Claim 11. The method of claim 1, wherein the WAN includes any of an Internet, a 5G Cellular Network, and a LONG TERM EVOLUTION (LTE) cellular network (at least col. 3:4-46). As per Claim 12. The method of claim 1, wherein each edge cluster of the plurality of edge clusters is a KUBERNETES cluster (at least col. 4:3-29). As per Claim 20. The system of claim 11, the intelligent routing module is programmed to: evaluate cacheability of responses of the application instance; if the cacheability meets a threshold condition, configure the cloud computing platform to route each request to the application instance to an edge cluster of the plurality of edge clusters closest to a source of each request. (at least col. 4:30-5:16). Claims 13-18 do not, in substance, add or define any additional limitations over claims 1-7, 11-12 and therefore are rejected for similar reasons, supra. Claim(s) 8-10, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Walker in view of Foxhoven, further in view of Scholl (hereinafter “Scholl, 8,949,459). As per Claim 8. Walker/Foxhoven fail to explicitly disclose configuring, by an intelligent routing module, the one or more cloud computing platforms to implement a performance lane by configuring the one or more cloud computing platforms to direct a portion of the traffic addressed to the application instance and received from a user endpoint in a region associated with a second regional cloud to the first edge cluster over the one or more cloud backbone networks and in bypass of a cloud point of presence (POP) in the second regional cloud. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Scholl. Scholl discloses, in an analogous art by the same Assignee, taking into consideration costs and bandwidths with different IP transit providers when determining whether to bypass backbone paths and RPOPs (at least col. 9:23-42, 11:10-33; 13:17-33). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Scholl’s algorithms with Walker/Foxhoven as Scholl teaches such cost effective routing protecting backbone links from suspect lower cost traffic that can lead to backbone congestion or service failures (col. 12:30-63). As per Claim 9. Walker/Foxhoven fails to explicitly disclose configuring, by an intelligent routing module, the one or more cloud computing platforms to implement a cost effective lane by configuring the one or more cloud computing platforms to direct a portion of the traffic addressed to the application instance and received from a user endpoint in a region associated with a second regional cloud to the first edge cluster in bypass of the one or more cloud backbone networks. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Scholl. Scholl discloses, in an analogous art by the same Assignee, taking into consideration costs and bandwidths with different IP transit providers when determining whether to bypass backbone paths and RPOPs (at least col. 9:23-42, 11:10-33; 13:17-33). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Scholl’s algorithms with Walker/Foxhoven as Scholl teaches such cost effective routing protecting backbone links from suspect lower cost traffic that can lead to backbone congestion or service failures (col. 12:30-63). As per Claim 10. Walker fails to explicitly disclose configuring, by the intelligent routing module, the one or more cloud computing platforms to implement the cost effective lane by routing the portion in bypass of a cloud point of presence (POP) in the second regional cloud. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Scholl. Scholl discloses, in an analogous art by the same Assignee, taking into consideration costs and bandwidths with different IP transit providers when determining whether to bypass backbone paths and RPOPs (at least col. 9:23-42, 11:10-33; 13:17-33). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Scholl’s algorithms with Walker/Foxhoven as Scholl teaches such cost effective routing protecting backbone links from suspect lower cost traffic that can lead to backbone congestion or service failures (col. 12:30-63). As per Claim 18. Walker/Foxhoven fails to explicitly disclose wherein the intelligent routing module is further programmed to implement each of a fast lane, a performance lane, and a cost effective lane with respect in accordance with an instruction from a user; wherein the intelligent routing module is programmed to configure the cloud computing platform to implement the fast lane by configuring the cloud computing platform to direct a portion of the traffic addressed to the application instance received by a second regional cloud to the application instance in the first regional cloud over the cloud backbone network through a cloud point of presence (POP) in the second regional cloud; wherein the intelligent routing module is programmed to configure the cloud computing platform to implement the performance lane by configuring the cloud computing platform to direct the portion of the traffic addressed to the application instance to the first edge cluster over the cloud backbone network and in bypass of the cloud POP; and wherein the intelligent routing module is programmed to configure the cloud computing platform to implement the cost effective lane by configuring the cloud computing platform to direct the portion of the traffic addressed to the application instance to the first edge cluster in bypass of the cloud backbone network and the cloud POP. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Scholl. Scholl discloses, in an analogous art by the same Assignee, taking into consideration costs and bandwidths with different IP transit providers when determining whether to bypass backbone paths and RPOPs (at least col. 9:23-42, 11:10-33; 13:17-33). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Scholl’s algorithms with Walker/Foxhoven as Scholl teaches such cost effective routing protecting backbone links from suspect lower cost traffic that can lead to backbone congestion or service failures (col. 12:30-63). Response to RCE and IDS Application history being a Final Rejection was mailed 5/8/23, an Appeal Brief filed 9/6/23, Examiner Answer filed 1/11/24, Reply Brief filed 3/7/24. PTAB reversed the Final Rejection 7/18/25 and the claims were subsequently allowed 10/15/25. In light of the disclosure in Applicant’s IDS, Foxhoven is prior art for the claimed limitation at issue in the Appeal, see above. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763. The examiner can normally be reached 8:30-5 MST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /GREGORY TODD/Primary Examiner, Art Unit 2443