DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed 11/06/2025 have been fully considered but they are not persuasive.
Applicant’s argument (Summary of pages 8 – 11, Examiner emphasis – underlined)
…applicant argues that Li fails to teach or suggest a cloud computing environment that receives an indication that a first subset of virtual machines of the cloud computing environment is permitted to utilize the private endpoint established at the cloud computing environment. In fact, Li is silent regarding any particular subset of virtual machines of a cloud computing environment that is permitted to utilize a private endpoint that has been established at the same cloud computing environment.
Response:
Examiner respectfully disagrees.
See updated rejection of independent claim 1.
Furthermore, in fig. 7, Li's method 700 illustrates a packet 203 sent from devices in source "A" 201 in a private enterprise network 101 to endpoints in a destination "B" 116a in a cloud network 103 environment. Upon receiving a packet 203, at step 701, source "A" 201 queries customer edge router 110a in the private enterprise network 101 for the MAC address of destination "B" 116a. In step 702, the customer edge router 110a queries its VRF table for an IP-to-MAC mapping of destination "B" 201 to determine if the source and the destination devices are permitted to communicate. In step 704, the customer edge router 110a returns the MAC address of destination "B" 116a when the IP-to-MAC address mapping is in the device's VRF table, indicating that the source "A" 201 is permitted to access and utilize the endpoints in the private endpoint/destination "B" in the private enterprise network 101. Paragraphs [0024; 0063] further disclose that the private enterprise network 101 includes private endpoints/devices that share a common virtual local area network (VLAN). The system receives a security token 602 that is used to verify authorized access to virtual machines 116a-d located in a virtual stub (vstub). Virtual stub (vstub) 104 may be a logical network that includes all resources in cloud network 103 allocated to a particular customer. That is, the group of VMs is granted access to a particular endpoint located in a private cloud, as required by amended claim 21.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 21-25,27-32 and 34-39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 2011/0075667 A1), in view of Yoon et al. (US 2015/0188802 A1).
Regarding claim 21, Li discloses a computer-implemented method (Li, [0008] discloses a method of sending a packet received from a source in a private enterprise network to a destination in a cloud network allocated to the private enterprise network), comprising:
receiving, at the cloud computing environment (Cloud Data Center), an indication (IP-to-MAC address mapping) that a first subset of virtual machines (a source "A" 201) of the cloud computing environment is permitted to utilize the private endpoint (a destination "B" 116a in private enterprise network 101) established at the cloud computing environment (Li [0024; 0063; 0065-0070]: a private enterprise network 101 includes private endpoints/devices that share a common virtual local area network (VLAN). The system receives a security token 602 that is used to verify authorized access to virtual machines 116a-d located in a virtual stub (vstub). Virtual stub (vstub) 104 may be a logical network that includes all resources in cloud network 103 allocated to a particular customer. Fig. 7, [0065-0070], method 700 illustrates a packet 203 sent from source "A" 201 in a private enterprise network 101 to a destination "B" 116a/endpoints in a cloud network 103. At step 701, source "A" 201 queries customer edge router 110a in the private enterprise network 101 for the MAC address of destination "B" 116a. In step 702, the customer edge router 110a queries its VRF table for an IP-to-MAC mapping of destination "B" 201. In step 704, the customer edge router 110a returns the MAC address of destination "B" 116a when the IP-to-MAC address mapping is in the device's VRF table, indicating that the source "A" 201 is permitted to access and utilize the endpoints in the private endpoint/destination "B" in the private enterprise network 101); and
verifying, at the cloud computing environment prior to transmitting, to the service, a request which (a) originates at a particular virtual machine of the cloud computing environment (Li [0009]: a hypervisor in a server hosting a virtual machine receives a Layer 2 packet, the virtual machine being located in a logical network in the cloud network comprising resources allocated to the private enterprise network, and queries a directory server in the logical network for a destination address when the Layer 2 packet's destination address is not in a virtual routing and forwarding table at the server; [0051]: hypervisor 115a may also verify a security token in packet 210 to verify that the packet is from the same enterprise network); and
(b) is to be directed to the service via the private endpoint, that the particular virtual machine is a member of the first subset (Li [0026; 0051] devices in a private enterprise network 101 may share the same address space, thus sharing a VLAN. The devices may be located behind the same security boundary, such that network security may isolate devices inside the security boundary from devices outside the boundary. Access to the devices behind the security boundary is controlled through a security token 602. When a packet is received, hypervisor 115a may verify a security token in packet 210 to verify that the packet is from the same enterprise network or a particular virtual machine authorized to access the virtual machines behind the security boundary. When the security token cannot be verified, the packet may be dropped).
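The following is an added illustration, not code from Li or from the application under examination, of the two-stage gate the examiner maps to claim 21 above: the customer edge router's VRF lookup for an IP-to-MAC mapping (steps 701-704) followed by the hypervisor's security-token check, with the packet dropped when either fails. The table layout, the HMAC-based token, and all addresses are assumptions constructed for the example.

```python
"""Illustrative model of the access gate described for Li's method 700 and
the hypervisor security-token verification. Added example; the data
structures, the HMAC token scheme and the sample addresses are assumptions,
not Li's implementation."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class VrfTable:
    """VRF table of a customer edge router: IP-to-MAC mappings for the
    endpoints that attached sources are permitted to reach (assumed layout)."""
    ip_to_mac: dict = field(default_factory=dict)

    def lookup(self, dest_ip):
        # Steps 702/704: the MAC is returned only when a mapping exists.
        return self.ip_to_mac.get(dest_ip)


@dataclass
class VirtualStub:
    """Logical network of VMs allocated to one customer (vstub 104)."""
    customer_key: bytes   # assumed shared secret behind security token 602
    members: set          # VMs (by IP) permitted to use the private endpoint

    def make_token(self, vm_ip):
        return hmac.new(self.customer_key, vm_ip.encode(), hashlib.sha256).hexdigest()

    def verify_token(self, vm_ip, token):
        # A valid token from a VM outside the permitted subset still fails.
        if vm_ip not in self.members:
            return False
        return hmac.compare_digest(self.make_token(vm_ip), token)


def forward_packet(vrf, vstub, packet):
    """Resolve the destination in the VRF table, then verify the token.
    Returns ("forward", mac) or ("drop", None)."""
    mac = vrf.lookup(packet["dst_ip"])
    if mac is None:
        return ("drop", None)   # no IP-to-MAC mapping: not permitted
    if not vstub.verify_token(packet["src_ip"], packet.get("token", "")):
        return ("drop", None)   # token cannot be verified: drop
    return ("forward", mac)


# Constructed sample data
VRF = VrfTable({"10.1.0.20": "00:11:22:33:44:20"})
VSTUB = VirtualStub(customer_key=b"example-customer-key",
                    members={"10.1.0.5", "10.1.0.6"})


def demo():
    good = {"src_ip": "10.1.0.5", "dst_ip": "10.1.0.20", "token": VSTUB.make_token("10.1.0.5")}
    bad_token = {"src_ip": "10.1.0.5", "dst_ip": "10.1.0.20", "token": "forged"}
    not_member = {"src_ip": "10.1.0.9", "dst_ip": "10.1.0.20", "token": VSTUB.make_token("10.1.0.9")}
    unknown_dst = {"src_ip": "10.1.0.5", "dst_ip": "10.1.0.99", "token": VSTUB.make_token("10.1.0.5")}
    return [forward_packet(VRF, VSTUB, p) for p in (good, bad_token, not_member, unknown_dst)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```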
Li did not explicitly disclose establishing, in response to one or more programmatic requests directed to a cloud computing environment, a private endpoint which can be used to transmit, without utilizing the public Internet, requests to a service which is accessible via a public Internet Protocol address.
In an analogous art, Yoon teaches establishing, in response to one or more programmatic requests (requests the connection setting to the ETR 141 (S210)) directed to a cloud computing environment (cloud center 140), a private endpoint (private IP address identifying an endpoint: endpoint identifier-routing locator (EID-RLOC)) which can be used to transmit, without utilizing the public Internet (private IP address), requests to a service which is accessible via a public Internet Protocol (IP) address (Yoon, fig. 2, [0048-0050]: when the server 142 within the cloud center requests the connection setting to the ETR 141 (S210), the ETR 141 may recognize the EID of the server 142 which requests the connection setting. Next, when recognizing the EID of the server 142 which requests the connection setting, the ETR 141 may generate the LISP control message including the recognized EID of the server and the RLOC of the cloud center to which the server belongs and transmit the generated LISP control message to the map-server to request the registration of the EID-RLOC mapping information (S211). Next, a connection is established using the information of the requesting server and the egress tunnel router (ETR), based on the EID-RLOC mapping information for the corresponding server in the transmitted LISP control message, and the generated EID-RLOC mapping information is stored and registered).
One of ordinary skill would have been motivated to combine the teachings of Li and Yoon because these teachings are from the same field of endeavor with respect to techniques for accessing resources in a private cloud network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yoon with the teachings of Li in order to provide a map-server storing EID-RLOC mapping information and an ITR receiving RLOC information on a corresponding EID from an ETR designated by the map-server, based on a destination EID and a tenant identifier of a corresponding enterprise network, when receiving packets for requesting allocation of computing resources from a terminal within the enterprise networks (Yoon, [Abstract]).
Regarding claim 22, Li modified by Yoon discloses the computer-implemented method as recited in claim 21, wherein the particular virtual machine is configured within a virtual private cloud (network 100/private cloud network 103) of the cloud computing environment, and wherein the service is implemented using resources outside (cloud resources inside the enterprise's private address space) the VPC (Li [0011; 0028]: cloud resources are placed inside the enterprise's private address space, thereby seamlessly integrating the cloud resources into the enterprise's existing topology. The resources can also be placed inside a security boundary of the enterprise network, isolated from any resources outside the network. The resources may be grouped as virtual machines 116a-d).
The motivation to combine is similar to that of claim 21.
Regarding claim 23, Li modified by Yoon discloses the computer-implemented method as recited in claim 21, wherein the service comprises one or more of: (a) a storage service of the cloud computing environment or (b) a database service of the cloud computing environment (Li [0041] discloses that a server 114a may be a device that provides computing services to clients. More specifically, a server may be a networking device hosting computing resources, such as storage and processing capacity).
The motivation to combine is similar to that of claim 21.
Regarding claim 24, Li modified by Yoon discloses the computer-implemented method as recited in claim 21, wherein the particular virtual machine is configured within a VPC of the cloud computing environment, and wherein the private endpoint (virtual machine 116a-d) is configured within the VPC (Li [0045], fig. 2, discloses that a virtual stub 104 in the cloud network 103 may share a common VLAN with the private enterprise 101. Each endpoint virtual machine 116a-d inside the virtual stub 104 is also assigned a corresponding address within the IP subnet).
The motivation to combine is similar to that of claim 21.
Regarding claim 25, Li modified by Yoon discloses the computer-implemented method as recited in claim 21, wherein said transmitting the request to the service comprises:
preparing an encapsulation packet comprising the request at a virtualization management component associated with the particular virtual machine (Li [0037]: a source in private enterprise network 101 may use an assigned IP address within the enterprise network to send information in the form of packets to the virtual machine 116a within the cloud network 103. In this instance, the Cloud Data Center CE 112 may receive such packets addressed using an Ethernet frame embedded with an IP header and may encapsulate the received packets sent to the destination virtual machine 116a with both the cloudIP address header and the locIP address header corresponding to the destination virtual machine 116a within the cloud network 103); and
transmitting, from the virtualization management component, the encapsulation packet to a first intermediary device (intermediate switches 117a-c) configured to process traffic of a VPC within which the particular virtual machine is configured (Li [0040]: Data Center Interconnect 113 may connect to the series of servers 114a-d through a series of intermediate switches 117a-c. In such instances, each intermediate switch 117a-c may connect to multiple servers 114a-d simultaneously. The intermediate switch 117a may have a unique location IP (locIP) address within the virtual stub 104. When receiving packets addressed to a virtual machine 116a on one of its connected servers 114a, the intermediate switch 117a may decapsulate the locIP header from the packet and may then forward the packet to the server 114a with the corresponding cloudIP address).
The motivation to combine is similar to that of claim 21.
Regarding claim 27, Li modified by Yoon discloses the computer-implemented method as recited in claim 21, further comprising: applying, in response to one or more programmatic requests, a control policy to the private endpoint, wherein the control policy indicates, with respect to requests transmitted to the service using the private endpoint, one or more of: (a) a permitted operation type, (b) a prohibited operation type, (c) a time interval during which a particular operation type is permitted, or (d) a particular object on which a particular operation type is permitted (Li [0029]: a virtual machine 116a may be a server instance on server 114a in the cloud network 103 that is controlled by the customer located in private enterprise network 101. A customer may have the ability to create, use, and destroy any number of virtual machines 116a-d at will. This ability may be based upon user-defined criteria such as, for example, bandwidth, storage capacity, and processing needs).
The motivation to combine is similar to that of claim 21.
Regarding claim(s) 28-32 and 34, the claim(s) are rejected with rationale similar to that of claim(s) 21-25 and 27, respectively.
Regarding claim 35, Li discloses one or more non-transitory computer-accessible storage media storing program instructions that when executed on or across one or more processors cause the one or more processors to (Li [0079] discloses a network node, such as a router or switch, storing instructions on a machine-readable storage medium, which may be read and executed by at least one processor to perform one or more operations):
The rest of the limitations are rejected with rationale similar to that of claim 21.
Regarding claim(s) 36-39, the claim(s) are rejected with rationale similar to that of claim(s) 22-25, respectively.
Claim(s) 26, 33 and 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. (US 2011/0075667 A1), in view of Yoon et al. (US 2015/0188802 A1), further in view of Miller et al. (US 7,937,438 B1).
Regarding claim 26, Li modified by Yoon discloses the computer-implemented method as recited in claim 21, but does not explicitly disclose further comprising: storing an entry in a route table of the cloud computing environment, wherein the entry indicates the private endpoint as a destination for packets directed to the service, and wherein said transmitting the request to the service comprises utilizing the entry.
Miller discloses storing an entry in a route table of the cloud computing environment, wherein the entry indicates the private endpoint as a destination for packets directed to the service (Miller, fig. 1C, col. 27, line 62 - col. 28, line 10, discloses a private network 165 which includes various computing systems 145a, as well as one or more routers 168 that connect the computing systems 145a to the internet 185. For example, virtual machine computing node 107a1 of the virtual computer network may initiate a communication to one of the computing systems 145a of the private network 165, such as computing system 145a-1; if the private network 165 and the provided virtual computer network are configured to operate together, the two networks may communicate using an internet-routable public network address assigned to destination computing system 145a-1. Col. 19, lines 24-42, discloses routing tables used by different protocols to determine a best route based on requirements such as best paths to destinations based on the minimum number of hops or on some other minimum distance measure); and
wherein said transmitting the request to the service comprises utilizing the entry (Miller, col. 19, lines 24-42: all communications, including service requests from and to the private or public networks, are implemented using entries in routing tables, with different protocols determining a best route based on requirements such as best paths to destinations based on the minimum number of hops or on some other minimum distance measure).
One of ordinary skill would have been motivated to combine the teachings of Li, Yoon and Miller because these teachings are from the same field of endeavor with respect to a request to establish a private instance of a virtualization service.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Miller with the teachings of Li and Yoon in order to provide support for interactions with devices that are external to the virtual computer network, including remote physical networking devices that are part of a remote computer network configured to interoperate with the virtual computer network, and/or specialized network devices that are accessible via a substrate network on which the virtual computer network is overlaid (Miller, [Abstract]).
Regarding claim(s) 33, the claim(s) is/are rejected with rationale similar to that of claim(s) 26.
Regarding claim(s) 40, the claim(s) is/are rejected with rationale similar to that of claim(s) 26.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following publications show the state of the art related to the establishment of a private instance of a virtualization service.
Knight (US 2014/0241173 A1).
Chen et al. (US 2012/028170A1).
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DIXON F DABIPI whose telephone number is (571)270-3673. The examiner can normally be reached on Monday - Friday from 9:00 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher L Parry, can be reached at telephone number 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center to authorized users only. Should you have questions about access to the USPTO patent electronic filing system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via a variety of formats. See MPEP § 713.01. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/InterviewPractice.
/D.F.D/ Examiner, Art Unit 2451
/Chris Parry/Supervisory Patent Examiner, Art Unit 2451