Prosecution Insights
Last updated: May 29, 2026
Application No. 18/861,872

SYSTEM AND METHOD FOR APPLICATION-BASED MICRO-SEGMENTATION

Non-Final OA: §101, §103
Filed: Oct 30, 2024
Priority: Apr 30, 2022 — provisional 63/337,055 +1 more
Examiner: MALINOWSKI, WALTER J
Art Unit: 2439
Tech Center: 2400 — Computer Networks
Assignee: Aviatrix Systems, Inc.
OA Round: 1 (Non-Final)
Grant Probability: 70% (Favorable)
OA Rounds: 1-2
Est. Remaining: 1y 5m
With Interview: 99%

Examiner Intelligence

Grants 70% — above average
Career Allowance Rate: 70% (235 granted / 338 resolved), +11.5% vs TC avg
Strong +52% interview lift
Interview Lift: +52.3% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 0m (10 currently pending)
Career history
Total Applications: 360 (across all art units)

Statute-Specific Performance

§101: 0.3% (-39.7% vs TC avg)
§103: 98.3% (+58.3% vs TC avg)
§112: 0.1% (-39.9% vs TC avg)
Based on career data from 338 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This Office Action is in response to the application 18/861,872 filed on 10/30/2024. Claims 1-20 are currently pending; claims 1, 11, and 18 are independent claims; claims 1-20 have been examined. This Action is made Non-FINAL.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 10/30/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement has been considered by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.

Regarding claim 11, the claim recites the limitations “recovering information…” “generating a first subset of rules,” “generating a second subset of rules.” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claim recites the operations “determining a virtual region” and “using micro-segmentation.” However, said operations are not sufficient to consider that the abstract idea is being interpreted into a practical application.
Said operations are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity. It’s also noted that the claims recite additional limitation/elements (i.e., cloud service provider, overlay network, underlay network etc.,). However, said additional elements are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.

Regarding claims 1-10 and 12-20, claims 1-10 and 12-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea is being integrated into a practical application or significantly more.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4, 6-8, 11-14, 16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni (US20220103471), filed August 4, 2021, in view of Kreeger (US20130170490), filed December 30, 2011.

Regarding claim 1, Kulkarni discloses controller comprising:
a processor (Kulkarni, paragraph 0059, software, processor, storage, RAM memory).
a non-transitory storage medium communicatively coupled to the processor, the non-transitory storage medium includes (Kulkarni, paragraph 0059, software, processor, storage, RAM memory).
(i) classification logic that, based on recovered information associated with an endpoint, determines a virtual region in which the endpoint resides (Kulkarni, paragraph 0064, policies configured based on application classification techniques; paragraph 0035, define applicable business policies region by region, business policies can be customized on a regional basis)
(ii) rule generation logic configured to
(a) generate a first subset of rules for controlling a flow of messages between a destination and a source via native cloud constructs associated with a cloud service provider (CSP) underlay network when the destination and source reside within a first virtual region (Kulkarni, paragraph 0035, define applicable business policies region by region, local cloud security service provider in a region; paragraph 0159, security and networking policies customized on a regional basis; paragraph 0077, network traffic may traverse between each appliance in a region (intra-region); paragraph 0052, underlay network)
(b) generate a second subset of rules for controlling a flow of messages between the destination and the source via an overlay network providing communications between the first virtual region and a second virtual region when the destination and the source reside within different virtual regions (Kulkarni, paragraph 0035, communication network divided into regions, applicable business policies can be defined region by region; paragraph 0036, each region can have different combinations of transport links with different link qualities and link bandwidths; paragraph 0052, overlay network).
use micro-segmentation to set and manage security policies (Kulkarni, paragraph 0159, policies may be configured on a regional basis; paragraph 0038, segmentation, security policies).

Kulkarni discloses (i) classification logic that, based on recovered information associated with an endpoint, determines a virtual region in which the endpoint resides, but does not explicitly disclose (i) classification logic that, based on recovered information associated with a newly discovered endpoint, determines a virtual region in which the newly discovered endpoint resides.

However, in an analogous art, Kreeger discloses i) classification logic that, based on recovered information associated with a newly discovered endpoint, determines a virtual region in which the newly discovered endpoint resides (Kreeger, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kreeger with the controller/ method/ nontransitory storage medium of Kulkarni to include i) classification logic that, based on recovered information associated with a newly discovered endpoint, determines a virtual region in which the newly discovered endpoint resides to provide users with the benefits of discovering multipoint endpoints in a network environment (Kreeger: paragraph 0001).

Regarding claim 2, Kulkarni and Kreeger disclose the controller of claim 1.
Kulkarni and Kreeger disclose wherein the first virtual region corresponds to a first virtual private cloud network (VPC) and the second virtual region corresponds to a second VPC (Kulkarni, paragraph 0048, first location 110, second location 120, private network; paragraph 0055 private cloud network).

Regarding claim 3, Kulkarni and Kreeger disclose the controller of claim 2. Kulkarni and Kreeger disclose wherein the first VPC resides within a first public cloud network and a second VPC resides within a second public cloud network different than the first public cloud network (Kulkarni, paragraph 0056, first locations, second locations, different web services (locations)).

Regarding claim 4, Kulkarni and Kreeger disclose the controller of claim 2. Kulkarni and Kreeger disclose wherein the second set of rules include filtering rules that formulate one or more policies that influence a propagation of inter-VPC network traffic over the overlay network establishing a communication path between the first VPC and the second VPC (Kulkarni, paragraph 0038, policies, local configuration, global aspects; paragraph 0093, routing).

Regarding claim 6, Kulkarni and Kreeger disclose the controller of claim 1. Kulkarni and Kreeger disclose wherein the non-transitory storage medium further comprises endpoint discovery logic configured to identify newly added, modified, or deleted endpoints within one or more public cloud networks including the first virtual region and the second virtual region (Kulkarni, paragraph 0156, appliance reassigned from first region to second region; paragraph 0005, public cloud) (Kreeger, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Regarding claim 7, Kulkarni and Kreeger disclose the controller of claim 6.
Kulkarni and Kreeger disclose wherein the recovered information associated with the newly discovered endpoint includes an identifier of the endpoint and an identifier of the virtual region (Kreeger, paragraph 0036, endpoint identifier, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Regarding claim 8, Kulkarni and Kreeger disclose the controller of claim 7. Kulkarni and Kreeger disclose wherein the identifier of the virtual region includes a virtual private cloud network (VPC) identifier upon which the newly discovered endpoint resides (Kreeger, paragraph 0036, endpoint identifier, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Regarding claim 11, Kulkarni discloses a method for controlling network traffic flow separation between inter-VPC communications and intra-VPC communications, comprising: (Kulkarni, paragraph 0051, VPC);
recovering information that identifies newly added, modified, or deleted endpoints within one or more public cloud networks (Kulkarni, paragraph 0005, public cloud, performing functions);
based on recovered information associated with a newly discovered endpoint, determining a virtual region in which the newly discovered endpoint resides (Kulkarni, paragraph 0064, policies configured based on application classification techniques; paragraph 0035, define applicable business policies region by region, business policies can be customized on a regional basis);
generating a first subset of rules for controlling a flow of messages sourced by or destined to the endpoint via native cloud constructs associated with a cloud service provider (CSP) underlay network when the endpoint and another endpoint in communication with and operating as a destination and a source of the flow of messages with the endpoint reside within a first virtual region (Kulkarni, paragraph 0035, define applicable business policies region by region, local cloud security service provider in a region; paragraph 0159, security and networking policies customized on a regional basis; paragraph 0077, network traffic may traverse between each appliance in a region (intra-region); paragraph 0052, underlay network);
generating a second subset of rules for controlling a flow of messages sourced by or destined to the endpoint via an overlay network providing communications between the first virtual region and a second virtual region when the endpoint and another endpoint reside within different virtual regions (Kulkarni, paragraph 0035, communication network divided into regions, applicable business policies can be defined region by region; paragraph 0036, each region can have different combinations of transport links with different link qualities and link bandwidths; paragraph 0052, overlay network);
using micro-segmentation to set and manage security policies (Kulkarni, paragraph 0159, policies may be configured on a regional basis; paragraph 0038, segmentation, security policies).
Kulkarni discloses generating a first subset of rules for controlling a flow of messages sourced by or destined to the endpoint via native cloud constructs associated with a cloud service provider (CSP) underlay network when the endpoint and another endpoint in communication with and operating as a destination and a source of the flow of messages with the endpoint reside within a first virtual region; generating a second subset of rules for controlling a flow of messages sourced by or destined to the endpoint via an overlay network providing communications between the first virtual region and a second virtual region when the endpoint and another endpoint reside within different virtual regions; but does not explicitly disclose generating a first subset of rules for controlling a flow of messages sourced by or destined to the newly discovered endpoint via native cloud constructs associated with a cloud service provider (CSP) underlay network when the newly discovered endpoint and another endpoint in communication with and operating as a destination and a source of the flow of messages with the newly discovered endpoint reside within a first virtual region; generating a second subset of rules for controlling a flow of messages sourced by or destined to the newly discovered endpoint via an overlay network providing communications between the first virtual region and a second virtual region when the newly discovered endpoint and another endpoint reside within different virtual regions; and generating a first subset of rules for controlling a flow of messages sourced by or destined to the newly discovered endpoint via native cloud constructs associated with a cloud service provider (CSP) underlay network when the newly discovered endpoint and another endpoint in communication with and operating as a destination and a source of the flow of messages with the newly discovered endpoint reside within a first virtual region (Kreeger, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints); generating a second subset of rules for controlling a flow of messages sourced by or destined to the newly discovered endpoint via an overlay network providing communications between the first virtual region and a second virtual region when the newly discovered endpoint and another endpoint reside within different virtual regions (Kreeger, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kreeger with the controller/ method/ nontransitory storage medium of Kulkarni to include newly discovered endpoints to provide users with the benefits of discovering multipoint endpoints in a network environment (Kreeger: paragraph 0001).

Regarding claim 12, Kulkarni and Kreeger disclose the method of claim 11. Kulkarni and Kreeger disclose wherein the first virtual region corresponds to a first virtual private cloud network (VPC) and the second virtual region corresponds to a second VPC (Kulkarni, paragraph 0048, first location 110, second location 120, private network; paragraph 0055 private cloud network).

Regarding claim 13, Kulkarni and Kreeger disclose the method of claim 12. Kulkarni and Kreeger disclose wherein the first VPC resides within a first public cloud network and a second VPC resides within a second public cloud network different than the first public cloud network (Kulkarni, paragraph 0056, first locations, second locations, different web services (locations)).

Regarding claim 14, Kulkarni and Kreeger disclose the method of claim 12.
Kulkarni and Kreeger disclose wherein the second set of rules include filtering rules that formulate one or more policies that influence a propagation of inter-VPC network traffic over the overlay network establishing a communication path between the first VPC and the second VPC (Kulkarni, paragraph 0038, policies, local configuration, global aspects; paragraph 0093, routing).

Regarding claim 16, Kulkarni and Kreeger disclose the method of claim 11. Kulkarni and Kreeger disclose wherein the recovered information associated with the newly discovered endpoint includes an identifier of the endpoint and an identifier of the first virtual region (Kreeger, paragraph 0036, endpoint identifier, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Regarding claim 18, Kulkarni discloses a non-transitory storage medium including logic that, upon execution, controls flow separation for inter-VPC communications and intra-VPC communications, comprising: (Kulkarni, paragraph 0051, VPC, paragraph 0059, software, processor, storage, RAM memory);
endpoint discovery logic configured to identify newly added, modified, or deleted endpoints within a plurality of public cloud networks (Kulkarni, paragraph 0005, public cloud, performing functions);
classification logic configured, based on recovered information associated with an endpoint, to determine a virtual region in which the endpoint resides (Kulkarni, paragraph 0064, policies configured based on application classification techniques; paragraph 0035, define applicable business policies region by region, business policies can be customized on a regional basis);
rule generation logic configured to
(i) generate a first subset of rules for controlling a flow of messages between a destination and a source via native cloud constructs associated with a cloud service provider (CSP) underlay network when the destination and source reside within a first virtual region (Kulkarni, paragraph 0035, define applicable business policies region by region, local cloud security service provider in a region; paragraph 0159, security and networking policies customized on a regional basis; paragraph 0077, network traffic may traverse between each appliance in a region (intra-region); paragraph 0052, underlay network);
(ii) generate a second subset of rules for controlling a flow of messages between the destination and the source via an overlay network providing communications between the first virtual region and a second virtual region when the destination and the source reside within different virtual regions (Kulkarni, paragraph 0035, communication network divided into regions, applicable business policies can be defined region by region; paragraph 0036, each region can have different combinations of transport links with different link qualities and link bandwidths; paragraph 0052, overlay network);
use micro-segmentation to set and manage security policies (Kulkarni, paragraph 0159, policies may be configured on a regional basis; paragraph 0038, segmentation, security policies).

Kulkarni discloses classification logic configured, based on recovered information associated with an endpoint, to determine a virtual region in which the endpoint resides; but does not explicitly disclose classification logic configured, based on recovered information associated with a newly discovered endpoint, to determine a virtual region in which the newly discovered endpoint resides.
However, in an analogous art, Kreeger discloses classification logic configured, based on recovered information associated with a newly discovered endpoint, to determine a virtual region in which the newly discovered endpoint resides (Kreeger, paragraph 0012, discovering endpoints in an overlayer environment for subsequent troubleshooting of network issues, paragraph 0031, discovering endpoints to troubleshoot connectivity; paragraph 0042, discover endpoints).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kreeger with the controller/ method/ nontransitory storage medium of Kulkarni to include classification logic configured, based on recovered information associated with a newly discovered endpoint, to determine a virtual region in which the newly discovered endpoint resides to provide users with the benefits of discovering multipoint endpoints in a network environment (Kreeger: paragraph 0001).

Regarding claim 19, Kulkarni and Kreeger disclose the non-transitory storage medium of claim 18. Kulkarni and Kreeger disclose wherein the second subset of rules includes a rule that controls and filter the messages over the overlay network when the source resides in the first virtual region included in the first public cloud network and the destination resides in the second virtual region included in the second public cloud network, to be enforced by native cloud constructs to propagate messages perform intra-VPC network traffic controls for messaging between and a second subset of rules to be enforced by one or more spoke gateways to perform inter-VPC network traffic controls (Kulkarni, paragraph 0035, define policies region by region, paragraph 0036, different links per region; paragraph 0038 policies; paragraph 0093, filtering).

Regarding claim 20, Kulkarni and Kreeger disclose the non-transitory storage medium of claim 18.
Kulkarni and Kreeger disclose wherein the non-transitory storage medium communicatively coupled to the processor, the non-transitory storage medium includes endpoint discovery logic, classification logic, security group generation logic, and rule generation logic (Kulkarni, paragraph 0038, global policies, security policies, regional network architecture; paragraph 0064, orchestrator can determine configuration of network and configuration of policies; paragraph 0098, updates; paragraph 0159, applications can be processed differently in different regions).

Claims 5, 9, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni (US20220103471), filed August 4, 2021, in view of Kreeger (US20130170490), filed December 30, 2011, and further in view of Janakiraman (US20200059492), filed August 20, 2018.

Regarding claim 5, Kulkarni and Kreeger disclose the controller of claim 4. Kulkarni and Kreeger disclose an underlay network (Kulkarni, paragraph 0035, define applicable business policies region by region, local cloud security service provider in a region; paragraph 0159, security and networking policies customized on a regional basis; paragraph 0077, network traffic may traverse between each appliance in a region (intra-region); paragraph 0052, underlay network), but do not explicitly disclose wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network.

However, in an analogous art, Janakiraman discloses wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network.
However, in an analogous art, Janakiraman discloses wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network (Janakiraman, paragraph 0091, rules for intra-VPC traffic, paragraph 0036, filters).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Janakiraman with the controller/ method/ nontransitory storage medium of Kulkarni and Kreeger to include wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network to provide users with the benefits of multi-cloud policy scaling and integration (Janakiraman: paragraph 0001).

Regarding claim 9, Kulkarni and Kreeger disclose the controller of claim 8. Kulkarni and Kreeger do not explicitly disclose wherein the non-transitory storage medium further comprises logic to create and maintain an endpoint-to-VPC identifier mapping for use in determining whether or not security group orchestration is needed to support intra-VPC communications between the source and the destination.

However, in an analogous art, Janakiraman discloses wherein the non-transitory storage medium further comprises logic to create and maintain an endpoint-to-VPC identifier mapping for use in determining whether or not security group orchestration is needed to support intra-VPC communications between the source and the destination (Janakiraman: paragraph 0091, intra-VPC traffic; paragraph 0080, endpoints, VPC, mapped, mapping endpoints; paragraph 0081, distributing security policies, mapped, endpoints, VPC).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Janakiraman with the controller/ method/ nontransitory storage medium of Kulkarni and Kreeger to include wherein the non-transitory storage medium further comprises logic to create and maintain an endpoint-to-VPC identifier mapping for use in determining whether or not security group orchestration is needed to support intra-VPC communications between the source and the destination to provide users with the benefits of multi-cloud policy scaling and integration (Janakiraman: paragraph 0001).

Regarding claim 15, Kulkarni and Kreeger disclose the method of claim 14. Kulkarni and Kreeger disclose an underlay network (Kulkarni, paragraph 0035, define applicable business policies region by region, local cloud security service provider in a region; paragraph 0159, security and networking policies customized on a regional basis; paragraph 0077, network traffic may traverse between each appliance in a region (intra-region); paragraph 0052, underlay network), but do not explicitly disclose wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network.

However, in an analogous art, Janakiraman discloses wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network. However, in an analogous art, Janakiraman discloses wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network (Janakiraman, paragraph 0091, rules for intra-VPC traffic, paragraph 0036, filters).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Janakiraman with the controller/ method/ nontransitory storage medium of Kulkarni and Kreeger to include wherein the first set of rules include filtering rules that formulate one or more policies that influence a propagation of intra-VPC network traffic over the underlay network to provide users with the benefits of multi-cloud policy scaling and integration (Janakiraman: paragraph 0001).

Regarding claim 17, Kulkarni and Kreeger disclose the method of claim 11. Kulkarni and Kreeger do not explicitly disclose further comprising: creating and maintaining an endpoint-to-VPC identifier mapping for use in determining whether or not security group orchestration is needed to support intra-VPC communications between the newly discovered endpoint and another endpoint.

However, in an analogous art, Janakiraman discloses further comprising: creating and maintaining an endpoint-to-VPC identifier mapping for use in determining whether or not security group orchestration is needed to support intra-VPC communications between the newly discovered endpoint and another endpoint (Janakiraman: paragraph 0091, intra-VPC traffic; paragraph 0080, endpoints, VPC, mapped, mapping endpoints; paragraph 0081, distributing security policies, mapped, endpoints, VPC).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Janakiraman with the controller/ method/ non-transitory storage medium of Kulkarni and Kreeger to include further comprising: creating and maintaining an endpoint-to-VPC identifier mapping for use in determining whether or not security group orchestration is needed to support intra-VPC communications between the newly discovered endpoint and another endpoint to provide users with the benefits of multi-cloud policy scaling and integration (Janakiraman: paragraph 0001).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Kulkarni (US20220103471), filed August 4, 2021, in view of Kreeger (US20130170490), filed December 30, 2011, and further in view of Shevade (US20220311744), filed March 29, 2021.

Regarding claim 10, Kulkarni and Kreeger disclose the controller of claim 6. Kulkarni and Kreeger do not explicitly disclose wherein the non-transitory storage medium further comprises security group generation logic configured to generate one or more network security groups, each network security group operating as a virtual firewall that is associated with an identified endpoint. However, in an analogous art, Shevade discloses wherein the non-transitory storage medium further comprises security group generation logic configured to generate one or more network security groups, each network security group operating as a virtual firewall that is associated with an identified endpoint (Shevade, paragraph 0015, network security groups, virtual firewall).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Shevade with the controller/ method/ non-transitory storage medium of Kulkarni and Kreeger to include wherein the non-transitory storage medium further comprises security group generation logic configured to generate one or more network security groups, each network security group operating as a virtual firewall that is associated with an identified endpoint to provide users with the benefits of extending cloud-based virtual private networks to radio-based networks (Shevade: abstract).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368. The examiner can normally be reached 8-6:30 MTWH.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached at 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.J.M/
Examiner, Art Unit 2439

/JAMES R TURCHEN/
Primary Examiner, Art Unit 2439

Prosecution Timeline

Oct 30, 2024
Application Filed
May 07, 2026
Non-Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639463
SYSTEMS AND METHODS FOR STORING AND RETRIEVING PUBLIC DATA
2y 5m to grant Granted May 26, 2026
Patent 12632577
PERMISSION CONTROL METHOD AND DEVICE AND ELECTRONIC EQUIPMENT
3y 9m to grant Granted May 19, 2026
Patent 12627637
SECURE DEVICE TO DEVICE COMMUNICATION CHANNEL
7y 7m to grant Granted May 12, 2026
Patent 12625965
SYSTEMS AND METHODS FOR SECURE FIRMWARE UPDATES
3y 7m to grant Granted May 12, 2026
Patent 12619752
DATA MANAGEMENT SYSTEMS AND METHODS
3y 1m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

1-2
Expected OA Rounds
70%
Grant Probability
99%
With Interview (+52.3%)
3y 0m (~1y 5m remaining)
Median Time to Grant
Low
PTA Risk
Based on 338 resolved cases by this examiner. Grant probability derived from career allowance rate.
