diff --git a/management/server/types/account.go b/management/server/types/account.go
index 6937b7e83..246b2feea 100644
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -374,74 +374,6 @@ func (a *Account) GetPeerNetworkMap(
 	return nm
 }
 
-// GetProxyConnectionResources returns ACL peers for the proxy-embedded peer based on exposed services.
-// No firewall rules are generated here; the proxy peer is always a new on-demand client with a stateful
-// firewall, so OUT rules are unnecessary. Inbound rules are handled on the target/router peer side.
-func (a *Account) GetProxyConnectionResources(ctx context.Context, exposedServices map[string][]*reverseproxy.Service) []*nbpeer.Peer {
-	var aclPeers []*nbpeer.Peer
-
-	for _, peerServices := range exposedServices {
-		for _, service := range peerServices {
-			if !service.Enabled {
-				continue
-			}
-			for _, target := range service.Targets {
-				if !target.Enabled {
-					continue
-				}
-				if target.TargetType == reverseproxy.TargetTypePeer {
-					tpeer := a.GetPeer(target.TargetId)
-					if tpeer == nil {
-						continue
-					}
-					aclPeers = append(aclPeers, tpeer)
-				}
-			}
-		}
-	}
-
-	return aclPeers
-}
-
-// GetPeerProxyResources returns ACL peers and inbound firewall rules for a peer that is targeted by reverse proxy services.
-// Only IN rules are generated; OUT rules are omitted since proxy peers are always new clients with stateful firewalls.
-// Rules use PortRange only (not the legacy Port field) as this feature only targets current peer versions.
-func (a *Account) GetPeerProxyResources(peerID string, services []*reverseproxy.Service, proxyPeers []*nbpeer.Peer) ([]*nbpeer.Peer, []*FirewallRule) {
-	var aclPeers []*nbpeer.Peer
-	var firewallRules []*FirewallRule
-
-	for _, service := range services {
-		if !service.Enabled {
-			continue
-		}
-		for _, target := range service.Targets {
-			if !target.Enabled {
-				continue
-			}
-
-			aclPeers = proxyPeers
-
-			needsPeerRules := (target.TargetType == reverseproxy.TargetTypePeer && target.TargetId == peerID) ||
-				(target.TargetType == reverseproxy.TargetTypeHost || target.TargetType == reverseproxy.TargetTypeSubnet || target.TargetType == reverseproxy.TargetTypeDomain)
-
-			if needsPeerRules {
-				for _, proxyPeer := range proxyPeers {
-					firewallRules = append(firewallRules, &FirewallRule{
-						PolicyID:  "proxy-" + service.ID,
-						PeerIP:    proxyPeer.IP.String(),
-						Direction: FirewallRuleDirectionIN,
-						Action:    "allow",
-						Protocol:  string(PolicyRuleProtocolTCP),
-						PortRange: RulePortRange{Start: uint16(target.Port), End: uint16(target.Port)},
-					})
-				}
-			}
-		}
-	}
-
-	return aclPeers, firewallRules
-}
-
 func (a *Account) addNetworksRoutingPeers(
 	networkResourcesRoutes []*route.Route,
 	peer *nbpeer.Peer,
@@ -1864,71 +1796,6 @@ func (a *Account) GetProxyPeers() map[string][]*nbpeer.Peer {
 	return proxyPeers
 }
 
-func (a *Account) GetPeerProxyRoutes(ctx context.Context, peer *nbpeer.Peer, proxies map[string][]*reverseproxy.Service, resourcesMap map[string]*resourceTypes.NetworkResource, routers map[string]map[string]*routerTypes.NetworkRouter, proxyPeers []*nbpeer.Peer) ([]*route.Route, []*RouteFirewallRule, []*nbpeer.Peer) {
-	sourceRanges := make([]string, 0, len(proxyPeers))
-	for _, proxyPeer := range proxyPeers {
-		sourceRanges = append(sourceRanges, fmt.Sprintf(AllowedIPsFormat, proxyPeer.IP))
-	}
-	peers := make(map[string]*nbpeer.Peer, len(resourcesMap))
-
-	var routes []*route.Route
-	var firewallRules []*RouteFirewallRule
-	for _, proxyPerResource := range proxies {
-		for _, proxy := range proxyPerResource {
-			for _, target := range proxy.Targets {
-				if target.TargetType == reverseproxy.TargetTypeHost || target.TargetType == reverseproxy.TargetTypeSubnet || target.TargetType == reverseproxy.TargetTypeDomain {
-					resource, ok := resourcesMap[target.TargetId]
-					if !ok {
-						log.WithContext(ctx).Warnf("proxy target %s not found in resources map", target.TargetId)
-						continue
-					}
-					networkRouters, ok := routers[resource.NetworkID]
-					if !ok {
-						log.WithContext(ctx).Warnf("proxy target %s not found in routers map", target.TargetId)
-						continue
-					}
-					for peerID, router := range networkRouters {
-						routePeer := a.GetPeer(peerID)
-						route := resource.ToRoute(routePeer, router)
-						routes = append(routes, route)
-						rule := RouteFirewallRule{
-							PolicyID:     fmt.Sprintf("proxy-%s-%s", proxy.ID, route.ID),
-							RouteID:      route.ID,
-							SourceRanges: sourceRanges,
-							Action:       string(PolicyTrafficActionAccept),
-							Destination:  route.Network.String(),
-							Protocol:     string(PolicyRuleProtocolTCP),
-							Domains:      route.Domains,
-							IsDynamic:    route.IsDynamic(),
-							PortRange: RulePortRange{
-								Start: uint16(target.Port),
-								End:   uint16(target.Port),
-							},
-						}
-						firewallRules = append(firewallRules, &rule)
-						peers[peerID] = routePeer
-					}
-				}
-			}
-		}
-	}
-
-	resultPeers := make([]*nbpeer.Peer, 0, len(peers))
-	for _, peer := range peers {
-		resultPeers = append(resultPeers, peer)
-	}
-
-	return routes, firewallRules, resultPeers
-}
-
-func (a *Account) GetResourcesMap() map[string]*resourceTypes.NetworkResource {
-	resourcesMap := make(map[string]*resourceTypes.NetworkResource, len(a.NetworkResources))
-	for _, resource := range a.NetworkResources {
-		resourcesMap[resource.ID] = resource
-	}
-	return resourcesMap
-}
-
 func (a *Account) InjectProxyPolicies(ctx context.Context) {
 	if len(a.Services) == 0 {
 		return