Merge branch 'main' into refactor/jwt-group-sync

# Conflicts: # management/server/file_store.go
2026-05-06 17:08:53 +00:00 · 2024-10-03 20:22:39 +03:00
parent 37021fcf3c 158936fb15
commit a46d386520
171 changed files with 5452 additions and 5195 deletions
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -113,7 +113,7 @@ type AccountManager interface {
 	DeletePolicy(ctx context.Context, accountID, policyID, userID string) error
 	ListPolicies(ctx context.Context, accountID, userID string) ([]*Policy, error)
 	GetRoute(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
-	CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
+	CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
 	SaveRoute(ctx context.Context, accountID, userID string, route *route.Route) error
 	DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error
 	ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error)
@@ -460,6 +460,7 @@ func (a *Account) GetPeerNetworkMap(
 	}

 	routesUpdate := a.getRoutesToSync(ctx, peerID, peersToConnect)
+	routesFirewallRules := a.getPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)

 	dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
 	dnsUpdate := nbdns.Config{
@@ -483,6 +484,7 @@ func (a *Account) GetPeerNetworkMap(
 		DNSConfig:     dnsUpdate,
 		OfflinePeers:  expiredPeers,
 		FirewallRules: firewallRules,
+		RoutesFirewallRules: routesFirewallRules,
 	}

 	if metrics != nil {
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -1597,9 +1597,10 @@ func TestAccount_Copy(t *testing.T) {
 		},
 		Routes: map[route.ID]*route.Route{
 			"route1": {
-				ID:         "route1",
-				PeerGroups: []string{},
-				Groups:     []string{"group1"},
+				ID:                  "route1",
+				PeerGroups:          []string{},
+				Groups:              []string{"group1"},
+				AccessControlGroups: []string{},
 			},
 		},
 		NameServerGroups: map[string]*nbdns.NameServerGroup{
@@ -2422,7 +2423,7 @@ func createManager(t TB) (*DefaultAccountManager, error) {
 func createStore(t TB) (Store, error) {
 	t.Helper()
 	dataDir := t.TempDir()
-	store, cleanUp, err := NewTestStoreFromJson(context.Background(), dataDir)
+	store, cleanUp, err := NewTestStoreFromSqlite(context.Background(), "", dataDir)
 	if err != nil {
 		return nil, err
 	}
--- a/management/server/dns_test.go
+++ b/management/server/dns_test.go
@@ -210,7 +210,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
 func createDNSStore(t *testing.T) (Store, error) {
 	t.Helper()
 	dataDir := t.TempDir()
-	store, cleanUp, err := NewTestStoreFromJson(context.Background(), dataDir)
+	store, cleanUp, err := NewTestStoreFromSqlite(context.Background(), "", dataDir)
 	if err != nil {
 		return nil, err
 	}
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -2,24 +2,18 @@ package server

 import (
 	"context"
-	"errors"
-	"net"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"

-	"github.com/netbirdio/netbird/dns"
-	nbgroup "github.com/netbirdio/netbird/management/server/group"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/route"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

+	nbgroup "github.com/netbirdio/netbird/management/server/group"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/util"
 )

@@ -42,167 +36,9 @@ type FileStore struct {
 	mux       sync.Mutex `json:"-"`
 	storeFile string     `json:"-"`

-	// sync.Mutex indexed by resource ID
-	resourceLocks     sync.Map   `json:"-"`
-	globalAccountLock sync.Mutex `json:"-"`
-
 	metrics telemetry.AppMetrics `json:"-"`
 }

-func (s *FileStore) ExecuteInTransaction(ctx context.Context, f func(store Store) error) error {
-	return f(s)
-}
-
-func (s *FileStore) IncrementSetupKeyUsage(ctx context.Context, setupKeyID string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.SetupKeyID2AccountID[strings.ToUpper(setupKeyID)]
-	if !ok {
-		return status.NewSetupKeyNotFoundError()
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return err
-	}
-
-	account.SetupKeys[setupKeyID].UsedTimes++
-
-	return s.SaveAccount(ctx, account)
-}
-
-func (s *FileStore) AddPeerToAllGroup(ctx context.Context, accountID string, peerID string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return err
-	}
-
-	allGroup, err := account.GetGroupAll()
-	if err != nil || allGroup == nil {
-		return errors.New("all group not found")
-	}
-
-	allGroup.Peers = append(allGroup.Peers, peerID)
-
-	return nil
-}
-
-func (s *FileStore) AddPeerToGroup(ctx context.Context, accountId string, peerId string, groupID string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountId)
-	if err != nil {
-		return err
-	}
-
-	account.Groups[groupID].Peers = append(account.Groups[groupID].Peers, peerId)
-
-	return nil
-}
-
-func (s *FileStore) AddPeerToAccount(ctx context.Context, peer *nbpeer.Peer) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, ok := s.Accounts[peer.AccountID]
-	if !ok {
-		return status.NewAccountNotFoundError(peer.AccountID)
-	}
-
-	account.Peers[peer.ID] = peer
-	return s.SaveAccount(ctx, account)
-}
-
-func (s *FileStore) IncrementNetworkSerial(ctx context.Context, accountId string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, ok := s.Accounts[accountId]
-	if !ok {
-		return status.NewAccountNotFoundError(accountId)
-	}
-
-	account.Network.Serial++
-
-	return s.SaveAccount(ctx, account)
-}
-
-func (s *FileStore) GetSetupKeyBySecret(ctx context.Context, lockStrength LockingStrength, key string) (*SetupKey, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.SetupKeyID2AccountID[strings.ToUpper(key)]
-	if !ok {
-		return nil, status.NewSetupKeyNotFoundError()
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	setupKey, ok := account.SetupKeys[key]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "setup key not found")
-	}
-
-	return setupKey, nil
-}
-
-func (s *FileStore) GetTakenIPs(ctx context.Context, lockStrength LockingStrength, accountID string) ([]net.IP, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	var takenIps []net.IP
-	for _, existingPeer := range account.Peers {
-		takenIps = append(takenIps, existingPeer.IP)
-	}
-
-	return takenIps, nil
-}
-
-func (s *FileStore) GetPeerLabelsInAccount(ctx context.Context, lockStrength LockingStrength, accountID string) ([]string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	existingLabels := []string{}
-	for _, peer := range account.Peers {
-		if peer.DNSLabel != "" {
-			existingLabels = append(existingLabels, peer.DNSLabel)
-		}
-	}
-	return existingLabels, nil
-}
-
-func (s *FileStore) GetAccountNetwork(ctx context.Context, lockStrength LockingStrength, accountID string) (*Network, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Network, nil
-}
-
-type StoredAccount struct{}
-
 // NewFileStore restores a store from the file located in the datadir
 func NewFileStore(ctx context.Context, dataDir string, metrics telemetry.AppMetrics) (*FileStore, error) {
 	fs, err := restore(ctx, filepath.Join(dataDir, storeFileName))
@@ -213,25 +49,6 @@ func NewFileStore(ctx context.Context, dataDir string, metrics telemetry.AppMetr
 	return fs, nil
 }

-// NewFilestoreFromSqliteStore restores a store from Sqlite and stores to Filestore json in the file located in datadir
-func NewFilestoreFromSqliteStore(ctx context.Context, sqlStore *SqlStore, dataDir string, metrics telemetry.AppMetrics) (*FileStore, error) {
-	store, err := NewFileStore(ctx, dataDir, metrics)
-	if err != nil {
-		return nil, err
-	}
-
-	err = store.SaveInstallationID(ctx, sqlStore.GetInstallationID())
-	if err != nil {
-		return nil, err
-	}
-
-	for _, account := range sqlStore.GetAllAccounts(ctx) {
-		store.Accounts[account.Id] = account
-	}
-
-	return store, store.persist(ctx, store.storeFile)
-}
-
 // restore the state of the store from the file.
 // Creates a new empty store file if doesn't exist
 func restore(ctx context.Context, file string) (*FileStore, error) {
@@ -240,7 +57,6 @@ func restore(ctx context.Context, file string) (*FileStore, error) {
 		s := &FileStore{
 			Accounts:                make(map[string]*Account),
 			mux:                     sync.Mutex{},
-			globalAccountLock:       sync.Mutex{},
 			SetupKeyID2AccountID:    make(map[string]string),
 			PeerKeyID2AccountID:     make(map[string]string),
 			UserID2AccountID:        make(map[string]string),
@@ -416,252 +232,6 @@ func (s *FileStore) persist(ctx context.Context, file string) error {
 	return nil
 }

-// AcquireGlobalLock acquires global lock across all the accounts and returns a function that releases the lock
-func (s *FileStore) AcquireGlobalLock(ctx context.Context) (unlock func()) {
-	log.WithContext(ctx).Debugf("acquiring global lock")
-	start := time.Now()
-	s.globalAccountLock.Lock()
-
-	unlock = func() {
-		s.globalAccountLock.Unlock()
-		log.WithContext(ctx).Debugf("released global lock in %v", time.Since(start))
-	}
-
-	took := time.Since(start)
-	log.WithContext(ctx).Debugf("took %v to acquire global lock", took)
-	if s.metrics != nil {
-		s.metrics.StoreMetrics().CountGlobalLockAcquisitionDuration(took)
-	}
-
-	return unlock
-}
-
-// AcquireWriteLockByUID acquires an ID lock for writing to a resource and returns a function that releases the lock
-func (s *FileStore) AcquireWriteLockByUID(ctx context.Context, uniqueID string) (unlock func()) {
-	log.WithContext(ctx).Debugf("acquiring lock for ID %s", uniqueID)
-	start := time.Now()
-	value, _ := s.resourceLocks.LoadOrStore(uniqueID, &sync.Mutex{})
-	mtx := value.(*sync.Mutex)
-	mtx.Lock()
-
-	unlock = func() {
-		mtx.Unlock()
-		log.WithContext(ctx).Debugf("released lock for ID %s in %v", uniqueID, time.Since(start))
-	}
-
-	return unlock
-}
-
-// AcquireReadLockByUID acquires an ID lock for reading a resource and returns a function that releases the lock
-// This method is still returns a write lock as file store can't handle read locks
-func (s *FileStore) AcquireReadLockByUID(ctx context.Context, uniqueID string) (unlock func()) {
-	return s.AcquireWriteLockByUID(ctx, uniqueID)
-}
-
-func (s *FileStore) SaveAccount(ctx context.Context, account *Account) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	if account.Id == "" {
-		return status.Errorf(status.InvalidArgument, "account id should not be empty")
-	}
-
-	accountCopy := account.Copy()
-
-	s.Accounts[accountCopy.Id] = accountCopy
-
-	// todo check that account.Id and keyId are not exist already
-	// because if keyId exists for other accounts this can be bad
-	for keyID := range accountCopy.SetupKeys {
-		s.SetupKeyID2AccountID[strings.ToUpper(keyID)] = accountCopy.Id
-	}
-
-	// enforce peer to account index and delete peer to route indexes for rebuild
-	for _, peer := range accountCopy.Peers {
-		s.PeerKeyID2AccountID[peer.Key] = accountCopy.Id
-		s.PeerID2AccountID[peer.ID] = accountCopy.Id
-	}
-
-	for _, user := range accountCopy.Users {
-		s.UserID2AccountID[user.Id] = accountCopy.Id
-		for _, pat := range user.PATs {
-			s.TokenID2UserID[pat.ID] = user.Id
-			s.HashedPAT2TokenID[pat.HashedToken] = pat.ID
-		}
-	}
-
-	if accountCopy.DomainCategory == PrivateCategory && accountCopy.IsDomainPrimaryAccount {
-		s.PrivateDomain2AccountID[accountCopy.Domain] = accountCopy.Id
-	}
-
-	return s.persist(ctx, s.storeFile)
-}
-
-func (s *FileStore) DeleteAccount(ctx context.Context, account *Account) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	if account.Id == "" {
-		return status.Errorf(status.InvalidArgument, "account id should not be empty")
-	}
-
-	for keyID := range account.SetupKeys {
-		delete(s.SetupKeyID2AccountID, strings.ToUpper(keyID))
-	}
-
-	// enforce peer to account index and delete peer to route indexes for rebuild
-	for _, peer := range account.Peers {
-		delete(s.PeerKeyID2AccountID, peer.Key)
-		delete(s.PeerID2AccountID, peer.ID)
-	}
-
-	for _, user := range account.Users {
-		for _, pat := range user.PATs {
-			delete(s.TokenID2UserID, pat.ID)
-			delete(s.HashedPAT2TokenID, pat.HashedToken)
-		}
-		delete(s.UserID2AccountID, user.Id)
-	}
-
-	if account.DomainCategory == PrivateCategory && account.IsDomainPrimaryAccount {
-		delete(s.PrivateDomain2AccountID, account.Domain)
-	}
-
-	delete(s.Accounts, account.Id)
-
-	return s.persist(ctx, s.storeFile)
-}
-
-// DeleteHashedPAT2TokenIDIndex removes an entry from the indexing map HashedPAT2TokenID
-func (s *FileStore) DeleteHashedPAT2TokenIDIndex(hashedToken string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	delete(s.HashedPAT2TokenID, hashedToken)
-
-	return nil
-}
-
-// DeleteTokenID2UserIDIndex removes an entry from the indexing map TokenID2UserID
-func (s *FileStore) DeleteTokenID2UserIDIndex(tokenID string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	delete(s.TokenID2UserID, tokenID)
-
-	return nil
-}
-
-// GetAccountByPrivateDomain returns account by private domain
-func (s *FileStore) GetAccountByPrivateDomain(_ context.Context, domain string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.PrivateDomain2AccountID[strings.ToLower(domain)]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "account not found: provided domain is not registered or is not private")
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Copy(), nil
-}
-
-// GetAccountBySetupKey returns account by setup key id
-func (s *FileStore) GetAccountBySetupKey(_ context.Context, setupKey string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.SetupKeyID2AccountID[strings.ToUpper(setupKey)]
-	if !ok {
-		return nil, status.NewSetupKeyNotFoundError()
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Copy(), nil
-}
-
-// GetTokenIDByHashedToken returns the id of a personal access token by its hashed secret
-func (s *FileStore) GetTokenIDByHashedToken(_ context.Context, token string) (string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	tokenID, ok := s.HashedPAT2TokenID[token]
-	if !ok {
-		return "", status.Errorf(status.NotFound, "tokenID not found: provided token doesn't exists")
-	}
-
-	return tokenID, nil
-}
-
-// GetUserByTokenID returns a User object a tokenID belongs to
-func (s *FileStore) GetUserByTokenID(_ context.Context, tokenID string) (*User, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	userID, ok := s.TokenID2UserID[tokenID]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "user not found: provided tokenID doesn't exists")
-	}
-
-	accountID, ok := s.UserID2AccountID[userID]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "accountID not found: provided userID doesn't exists")
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Users[userID].Copy(), nil
-}
-
-func (s *FileStore) GetUserByUserID(_ context.Context, _ LockingStrength, userID string) (*User, error) {
-	accountID, ok := s.UserID2AccountID[userID]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "accountID not found: provided userID doesn't exists")
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	user := account.Users[userID].Copy()
-	pat := make([]PersonalAccessToken, 0, len(user.PATs))
-	for _, token := range user.PATs {
-		if token != nil {
-			pat = append(pat, *token)
-		}
-	}
-	user.PATsG = pat
-
-	return user, nil
-}
-
-func (s *FileStore) GetAccountGroups(_ context.Context, accountID string) ([]*nbgroup.Group, error) {
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	groupsSlice := make([]*nbgroup.Group, 0, len(account.Groups))
-
-	for _, group := range account.Groups {
-		groupsSlice = append(groupsSlice, group)
-	}
-
-	return groupsSlice, nil
-}
-
 // GetAllAccounts returns all accounts
 func (s *FileStore) GetAllAccounts(_ context.Context) (all []*Account) {
 	s.mux.Lock()
@@ -673,278 +243,6 @@ func (s *FileStore) GetAllAccounts(_ context.Context) (all []*Account) {
 	return all
 }

-// getAccount returns a reference to the Account. Should not return a copy.
-func (s *FileStore) getAccount(accountID string) (*Account, error) {
-	account, ok := s.Accounts[accountID]
-	if !ok {
-		return nil, status.NewAccountNotFoundError(accountID)
-	}
-
-	return account, nil
-}
-
-// GetAccount returns an account for ID
-func (s *FileStore) GetAccount(_ context.Context, accountID string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Copy(), nil
-}
-
-// GetAccountByUser returns a user account
-func (s *FileStore) GetAccountByUser(_ context.Context, userID string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.UserID2AccountID[userID]
-	if !ok {
-		return nil, status.NewUserNotFoundError(userID)
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Copy(), nil
-}
-
-// GetAccountByPeerID returns an account for a given peer ID
-func (s *FileStore) GetAccountByPeerID(ctx context.Context, peerID string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.PeerID2AccountID[peerID]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "provided peer ID doesn't exists %s", peerID)
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	// this protection is needed because when we delete a peer, we don't really remove index peerID -> accountID.
-	// check Account.Peers for a match
-	if _, ok := account.Peers[peerID]; !ok {
-		delete(s.PeerID2AccountID, peerID)
-		log.WithContext(ctx).Warnf("removed stale peerID %s to accountID %s index", peerID, accountID)
-		return nil, status.NewPeerNotFoundError(peerID)
-	}
-
-	return account.Copy(), nil
-}
-
-// GetAccountByPeerPubKey returns an account for a given peer WireGuard public key
-func (s *FileStore) GetAccountByPeerPubKey(ctx context.Context, peerKey string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.PeerKeyID2AccountID[peerKey]
-	if !ok {
-		return nil, status.NewPeerNotFoundError(peerKey)
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	// this protection is needed because when we delete a peer, we don't really remove index peerKey -> accountID.
-	// check Account.Peers for a match
-	stale := true
-	for _, peer := range account.Peers {
-		if peer.Key == peerKey {
-			stale = false
-			break
-		}
-	}
-	if stale {
-		delete(s.PeerKeyID2AccountID, peerKey)
-		log.WithContext(ctx).Warnf("removed stale peerKey %s to accountID %s index", peerKey, accountID)
-		return nil, status.NewPeerNotFoundError(peerKey)
-	}
-
-	return account.Copy(), nil
-}
-
-func (s *FileStore) GetAccountIDByPeerPubKey(_ context.Context, peerKey string) (string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.PeerKeyID2AccountID[peerKey]
-	if !ok {
-		return "", status.NewPeerNotFoundError(peerKey)
-	}
-
-	return accountID, nil
-}
-
-func (s *FileStore) GetAccountIDByUserID(userID string) (string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.UserID2AccountID[userID]
-	if !ok {
-		return "", status.NewUserNotFoundError(userID)
-	}
-
-	return accountID, nil
-}
-
-func (s *FileStore) GetAccountIDBySetupKey(_ context.Context, setupKey string) (string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.SetupKeyID2AccountID[strings.ToUpper(setupKey)]
-	if !ok {
-		return "", status.NewSetupKeyNotFoundError()
-	}
-
-	return accountID, nil
-}
-
-func (s *FileStore) GetPeerByPeerPubKey(_ context.Context, _ LockingStrength, peerKey string) (*nbpeer.Peer, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	accountID, ok := s.PeerKeyID2AccountID[peerKey]
-	if !ok {
-		return nil, status.NewPeerNotFoundError(peerKey)
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, peer := range account.Peers {
-		if peer.Key == peerKey {
-			return peer.Copy(), nil
-		}
-	}
-
-	return nil, status.NewPeerNotFoundError(peerKey)
-}
-
-func (s *FileStore) GetAccountSettings(_ context.Context, _ LockingStrength, accountID string) (*Settings, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Settings.Copy(), nil
-}
-
-// GetInstallationID returns the installation ID from the store
-func (s *FileStore) GetInstallationID() string {
-	return s.InstallationID
-}
-
-// SaveInstallationID saves the installation ID
-func (s *FileStore) SaveInstallationID(ctx context.Context, ID string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	s.InstallationID = ID
-
-	return s.persist(ctx, s.storeFile)
-}
-
-// SavePeer saves the peer in the account
-func (s *FileStore) SavePeer(_ context.Context, accountID string, peer *nbpeer.Peer) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return err
-	}
-
-	newPeer := peer.Copy()
-
-	account.Peers[peer.ID] = newPeer
-
-	s.PeerKeyID2AccountID[peer.Key] = accountID
-	s.PeerID2AccountID[peer.ID] = accountID
-
-	return nil
-}
-
-// SavePeerStatus stores the PeerStatus in memory. It doesn't attempt to persist data to speed up things.
-// PeerStatus will be saved eventually when some other changes occur.
-func (s *FileStore) SavePeerStatus(accountID, peerID string, peerStatus nbpeer.PeerStatus) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return err
-	}
-
-	peer := account.Peers[peerID]
-	if peer == nil {
-		return status.Errorf(status.NotFound, "peer %s not found", peerID)
-	}
-
-	peer.Status = &peerStatus
-
-	return nil
-}
-
-// SavePeerLocation stores the PeerStatus in memory. It doesn't attempt to persist data to speed up things.
-// Peer.Location will be saved eventually when some other changes occur.
-func (s *FileStore) SavePeerLocation(accountID string, peerWithLocation *nbpeer.Peer) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return err
-	}
-
-	peer := account.Peers[peerWithLocation.ID]
-	if peer == nil {
-		return status.Errorf(status.NotFound, "peer %s not found", peerWithLocation.ID)
-	}
-
-	peer.Location = peerWithLocation.Location
-
-	return nil
-}
-
-// SaveUserLastLogin stores the last login time for a user in memory. It doesn't attempt to persist data to speed up things.
-func (s *FileStore) SaveUserLastLogin(_ context.Context, accountID, userID string, lastLogin time.Time) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return err
-	}
-
-	peer := account.Users[userID]
-	if peer == nil {
-		return status.Errorf(status.NotFound, "user %s not found", userID)
-	}
-
-	peer.LastLogin = lastLogin
-
-	return nil
-}
-
-func (s *FileStore) GetPostureCheckByChecksDefinition(_ string, _ *posture.ChecksDefinition) (*posture.Checks, error) {
-	return nil, status.Errorf(status.Internal, "GetPostureCheckByChecksDefinition is not implemented")
-}
-
 // Close the FileStore persisting data to disk
 func (s *FileStore) Close(ctx context.Context) error {
 	s.mux.Lock()
@@ -959,98 +257,3 @@ func (s *FileStore) Close(ctx context.Context) error {
 func (s *FileStore) GetStoreEngine() StoreEngine {
 	return FileStoreEngine
 }
-
-func (s *FileStore) SaveUsers(_ string, _ map[string]*User) error {
-	return status.Errorf(status.Internal, "SaveUsers is not implemented")
-}
-
-func (s *FileStore) SaveGroups(_ context.Context, _ LockingStrength, _ []*nbgroup.Group) error {
-	return status.Errorf(status.Internal, "SaveGroups is not implemented")
-}
-
-func (s *FileStore) GetAccountIDByPrivateDomain(_ context.Context, _ LockingStrength, _ string) (string, error) {
-	return "", status.Errorf(status.Internal, "GetAccountIDByPrivateDomain is not implemented")
-}
-
-func (s *FileStore) GetAccountDomainAndCategory(_ context.Context, _ LockingStrength, accountID string) (string, string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return "", "", err
-	}
-
-	return account.Domain, account.DomainCategory, nil
-}
-
-// AccountExists checks whether an account exists by the given ID.
-func (s *FileStore) AccountExists(_ context.Context, _ LockingStrength, id string) (bool, error) {
-	_, exists := s.Accounts[id]
-	return exists, nil
-}
-
-func (s *FileStore) GetAccountDNSSettings(_ context.Context, _ LockingStrength, _ string) (*DNSSettings, error) {
-	return nil, status.Errorf(status.Internal, "GetAccountDNSSettings is not implemented")
-}
-
-func (s *FileStore) GetGroupByID(_ context.Context, _ LockingStrength, _, _ string) (*nbgroup.Group, error) {
-	return nil, status.Errorf(status.Internal, "GetGroupByID is not implemented")
-}
-
-func (s *FileStore) GetGroupByName(_ context.Context, _ LockingStrength, _, _ string) (*nbgroup.Group, error) {
-	return nil, status.Errorf(status.Internal, "GetGroupByName is not implemented")
-}
-
-func (s *FileStore) GetAccountPolicies(_ context.Context, _ LockingStrength, _ string) ([]*Policy, error) {
-	return nil, status.Errorf(status.Internal, "GetPolicyByID is not implemented")
-}
-
-func (s *FileStore) GetPolicyByID(_ context.Context, _ LockingStrength, _ string, _ string) (*Policy, error) {
-	return nil, status.Errorf(status.Internal, "GetPolicyByID is not implemented")
-
-}
-
-func (s *FileStore) GetAccountPostureChecks(_ context.Context, _ LockingStrength, _ string) ([]*posture.Checks, error) {
-	return nil, status.Errorf(status.Internal, "GetAccountPostureChecks is not implemented")
-}
-
-func (s *FileStore) GetPostureChecksByID(_ context.Context, _ LockingStrength, _ string, _ string) (*posture.Checks, error) {
-	return nil, status.Errorf(status.Internal, "GetPostureChecksByID is not implemented")
-}
-
-func (s *FileStore) GetAccountRoutes(_ context.Context, _ LockingStrength, _ string) ([]*route.Route, error) {
-	return nil, status.Errorf(status.Internal, "GetAccountRoutes is not implemented")
-}
-
-func (s *FileStore) GetRouteByID(_ context.Context, _ LockingStrength, _ string, _ string) (*route.Route, error) {
-	return nil, status.Errorf(status.Internal, "GetRouteByID is not implemented")
-}
-
-func (s *FileStore) GetAccountSetupKeys(_ context.Context, _ LockingStrength, _ string) ([]*SetupKey, error) {
-	return nil, status.Errorf(status.Internal, "GetAccountSetupKeys is not implemented")
-}
-
-func (s *FileStore) GetSetupKeyByID(_ context.Context, _ LockingStrength, _ string, _ string) (*SetupKey, error) {
-	return nil, status.Errorf(status.Internal, "GetSetupKeyByID is not implemented")
-}
-
-func (s *FileStore) GetAccountNameServerGroups(_ context.Context, _ LockingStrength, _ string) ([]*dns.NameServerGroup, error) {
-	return nil, status.Errorf(status.Internal, "GetAccountNameServerGroups is not implemented")
-}
-
-func (s *FileStore) GetNameServerGroupByID(_ context.Context, _ LockingStrength, _ string, _ string) (*dns.NameServerGroup, error) {
-	return nil, status.Errorf(status.Internal, "GetNameServerGroupByID is not implemented")
-}
-
-func (s *FileStore) SaveUser(_ context.Context, _ LockingStrength, _ *User) error {
-	return status.Errorf(status.Internal, "SaveUser is not implemented")
-}
-
-func (s *FileStore) SaveGroup(_ context.Context, _ LockingStrength, _ *nbgroup.Group) error {
-	return status.Errorf(status.Internal, "SaveGroup is not implemented")
-}
-
-func (s *FileStore) GetUserPeers(_ context.Context, _ LockingStrength, _, _ string) ([]*nbpeer.Peer, error) {
-	return nil, status.Errorf(status.Internal, "GetUserPeers is not implemented")
-}
--- a/management/server/file_store_test.go
+++ b/management/server/file_store_test.go
@@ -1,655 +0,0 @@
-package server
-
-import (
-	"context"
-	"crypto/sha256"
-	"net"
-	"path/filepath"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/server/group"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/util"
-)
-
-type accounts struct {
-	Accounts map[string]*Account
-}
-
-func TestStalePeerIndices(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		return
-	}
-
-	account, err := store.GetAccount(context.Background(), "bf1c8084-ba50-4ce7-9439-34653001fc3b")
-	require.NoError(t, err)
-
-	peerID := "some_peer"
-	peerKey := "some_peer_key"
-	account.Peers[peerID] = &nbpeer.Peer{
-		ID:  peerID,
-		Key: peerKey,
-	}
-
-	err = store.SaveAccount(context.Background(), account)
-	require.NoError(t, err)
-
-	account.DeletePeer(peerID)
-
-	err = store.SaveAccount(context.Background(), account)
-	require.NoError(t, err)
-
-	_, err = store.GetAccountByPeerID(context.Background(), peerID)
-	require.Error(t, err, "expecting to get an error when found stale index")
-
-	_, err = store.GetAccountByPeerPubKey(context.Background(), peerKey)
-	require.Error(t, err, "expecting to get an error when found stale index")
-}
-
-func TestNewStore(t *testing.T) {
-	store := newStore(t)
-	defer store.Close(context.Background())
-
-	if store.Accounts == nil || len(store.Accounts) != 0 {
-		t.Errorf("expected to create a new empty Accounts map when creating a new FileStore")
-	}
-
-	if store.SetupKeyID2AccountID == nil || len(store.SetupKeyID2AccountID) != 0 {
-		t.Errorf("expected to create a new empty SetupKeyID2AccountID map when creating a new FileStore")
-	}
-
-	if store.PeerKeyID2AccountID == nil || len(store.PeerKeyID2AccountID) != 0 {
-		t.Errorf("expected to create a new empty PeerKeyID2AccountID map when creating a new FileStore")
-	}
-
-	if store.UserID2AccountID == nil || len(store.UserID2AccountID) != 0 {
-		t.Errorf("expected to create a new empty UserID2AccountID map when creating a new FileStore")
-	}
-
-	if store.HashedPAT2TokenID == nil || len(store.HashedPAT2TokenID) != 0 {
-		t.Errorf("expected to create a new empty HashedPAT2TokenID map when creating a new FileStore")
-	}
-
-	if store.TokenID2UserID == nil || len(store.TokenID2UserID) != 0 {
-		t.Errorf("expected to create a new empty TokenID2UserID map when creating a new FileStore")
-	}
-}
-
-func TestSaveAccount(t *testing.T) {
-	store := newStore(t)
-	defer store.Close(context.Background())
-
-	account := newAccountWithId(context.Background(), "account_id", "testuser", "")
-	setupKey := GenerateDefaultSetupKey()
-	account.SetupKeys[setupKey.Key] = setupKey
-	account.Peers["testpeer"] = &nbpeer.Peer{
-		Key:      "peerkey",
-		SetupKey: "peerkeysetupkey",
-		IP:       net.IP{127, 0, 0, 1},
-		Meta:     nbpeer.PeerSystemMeta{},
-		Name:     "peer name",
-		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
-	}
-
-	// SaveAccount should trigger persist
-	err := store.SaveAccount(context.Background(), account)
-	if err != nil {
-		return
-	}
-
-	if store.Accounts[account.Id] == nil {
-		t.Errorf("expecting Account to be stored after SaveAccount()")
-	}
-
-	if store.PeerKeyID2AccountID["peerkey"] == "" {
-		t.Errorf("expecting PeerKeyID2AccountID index updated after SaveAccount()")
-	}
-
-	if store.UserID2AccountID["testuser"] == "" {
-		t.Errorf("expecting UserID2AccountID index updated after SaveAccount()")
-	}
-
-	if store.SetupKeyID2AccountID[setupKey.Key] == "" {
-		t.Errorf("expecting SetupKeyID2AccountID index updated after SaveAccount()")
-	}
-}
-
-func TestDeleteAccount(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer store.Close(context.Background())
-
-	var account *Account
-	for _, a := range store.Accounts {
-		account = a
-		break
-	}
-
-	require.NotNil(t, account, "failed to restore a FileStore file and get at least one account")
-
-	err = store.DeleteAccount(context.Background(), account)
-	require.NoError(t, err, "failed to delete account, error: %v", err)
-
-	_, ok := store.Accounts[account.Id]
-	require.False(t, ok, "failed to delete account")
-
-	for id := range account.Users {
-		_, ok := store.UserID2AccountID[id]
-		assert.False(t, ok, "failed to delete UserID2AccountID index")
-		for _, pat := range account.Users[id].PATs {
-			_, ok := store.HashedPAT2TokenID[pat.HashedToken]
-			assert.False(t, ok, "failed to delete HashedPAT2TokenID index")
-			_, ok = store.TokenID2UserID[pat.ID]
-			assert.False(t, ok, "failed to delete TokenID2UserID index")
-		}
-	}
-
-	for _, p := range account.Peers {
-		_, ok := store.PeerKeyID2AccountID[p.Key]
-		assert.False(t, ok, "failed to delete PeerKeyID2AccountID index")
-		_, ok = store.PeerID2AccountID[p.ID]
-		assert.False(t, ok, "failed to delete PeerID2AccountID index")
-	}
-
-	for id := range account.SetupKeys {
-		_, ok := store.SetupKeyID2AccountID[id]
-		assert.False(t, ok, "failed to delete SetupKeyID2AccountID index")
-	}
-
-	_, ok = store.PrivateDomain2AccountID[account.Domain]
-	assert.False(t, ok, "failed to delete PrivateDomain2AccountID index")
-
-}
-
-func TestStore(t *testing.T) {
-	store := newStore(t)
-	defer store.Close(context.Background())
-
-	account := newAccountWithId(context.Background(), "account_id", "testuser", "")
-	account.Peers["testpeer"] = &nbpeer.Peer{
-		Key:      "peerkey",
-		SetupKey: "peerkeysetupkey",
-		IP:       net.IP{127, 0, 0, 1},
-		Meta:     nbpeer.PeerSystemMeta{},
-		Name:     "peer name",
-		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
-	}
-	account.Groups["all"] = &group.Group{
-		ID:    "all",
-		Name:  "all",
-		Peers: []string{"testpeer"},
-	}
-	account.Policies = append(account.Policies, &Policy{
-		ID:      "all",
-		Name:    "all",
-		Enabled: true,
-		Rules: []*PolicyRule{
-			{
-				ID:           "all",
-				Name:         "all",
-				Sources:      []string{"all"},
-				Destinations: []string{"all"},
-			},
-		},
-	})
-	account.Policies = append(account.Policies, &Policy{
-		ID:      "dmz",
-		Name:    "dmz",
-		Enabled: true,
-		Rules: []*PolicyRule{
-			{
-				ID:           "dmz",
-				Name:         "dmz",
-				Enabled:      true,
-				Sources:      []string{"all"},
-				Destinations: []string{"all"},
-			},
-		},
-	})
-
-	// SaveAccount should trigger persist
-	err := store.SaveAccount(context.Background(), account)
-	if err != nil {
-		return
-	}
-
-	restored, err := NewFileStore(context.Background(), store.storeFile, nil)
-	if err != nil {
-		return
-	}
-
-	restoredAccount := restored.Accounts[account.Id]
-	if restoredAccount == nil {
-		t.Errorf("failed to restore a FileStore file - missing Account %s", account.Id)
-		return
-	}
-
-	if restoredAccount.Peers["testpeer"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Peer testpeer")
-	}
-
-	if restoredAccount.CreatedBy != "testuser" {
-		t.Errorf("failed to restore a FileStore file - missing Account CreatedBy")
-	}
-
-	if restoredAccount.Users["testuser"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing User testuser")
-	}
-
-	if restoredAccount.Network == nil {
-		t.Errorf("failed to restore a FileStore file - missing Network")
-	}
-
-	if restoredAccount.Groups["all"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Group all")
-	}
-
-	if len(restoredAccount.Policies) != 2 {
-		t.Errorf("failed to restore a FileStore file - missing Policies")
-		return
-	}
-
-	assert.Equal(t, account.Policies[0], restoredAccount.Policies[0], "failed to restore a FileStore file - missing Policy all")
-	assert.Equal(t, account.Policies[1], restoredAccount.Policies[1], "failed to restore a FileStore file - missing Policy dmz")
-}
-
-func TestRestore(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		return
-	}
-
-	account := store.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
-
-	require.NotNil(t, account, "failed to restore a FileStore file - missing account bf1c8084-ba50-4ce7-9439-34653001fc3b")
-
-	require.NotNil(t, account.Users["edafee4e-63fb-11ec-90d6-0242ac120003"], "failed to restore a FileStore file - missing Account User edafee4e-63fb-11ec-90d6-0242ac120003")
-
-	require.NotNil(t, account.Users["f4f6d672-63fb-11ec-90d6-0242ac120003"], "failed to restore a FileStore file - missing Account User f4f6d672-63fb-11ec-90d6-0242ac120003")
-
-	require.NotNil(t, account.Network, "failed to restore a FileStore file - missing Account Network")
-
-	require.NotNil(t, account.SetupKeys["A2C8E62B-38F5-4553-B31E-DD66C696CEBB"], "failed to restore a FileStore file - missing Account SetupKey A2C8E62B-38F5-4553-B31E-DD66C696CEBB")
-
-	require.NotNil(t, account.Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"], "failed to restore a FileStore wrong PATs length")
-
-	require.Len(t, store.UserID2AccountID, 2, "failed to restore a FileStore wrong UserID2AccountID mapping length")
-
-	require.Len(t, store.SetupKeyID2AccountID, 1, "failed to restore a FileStore wrong SetupKeyID2AccountID mapping length")
-
-	require.Len(t, store.PrivateDomain2AccountID, 1, "failed to restore a FileStore wrong PrivateDomain2AccountID mapping length")
-
-	require.Len(t, store.HashedPAT2TokenID, 1, "failed to restore a FileStore wrong HashedPAT2TokenID mapping length")
-
-	require.Len(t, store.TokenID2UserID, 1, "failed to restore a FileStore wrong TokenID2UserID mapping length")
-}
-
-func TestRestoreGroups_Migration(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		return
-	}
-
-	// create default group
-	account := store.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
-	account.Groups = map[string]*group.Group{
-		"cfefqs706sqkneg59g3g": {
-			ID:   "cfefqs706sqkneg59g3g",
-			Name: "All",
-		},
-	}
-	err = store.SaveAccount(context.Background(), account)
-	require.NoError(t, err, "failed to save account")
-
-	// restore account with default group with empty Issue field
-	if store, err = NewFileStore(context.Background(), storeDir, nil); err != nil {
-		return
-	}
-	account = store.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
-
-	require.Contains(t, account.Groups, "cfefqs706sqkneg59g3g", "failed to restore a FileStore file - missing Account Groups")
-	require.Equal(t, group.GroupIssuedAPI, account.Groups["cfefqs706sqkneg59g3g"].Issued, "default group should has API issued mark")
-}
-
-func TestGetAccountByPrivateDomain(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		return
-	}
-
-	existingDomain := "test.com"
-
-	account, err := store.GetAccountByPrivateDomain(context.Background(), existingDomain)
-	require.NoError(t, err, "should found account")
-	require.Equal(t, existingDomain, account.Domain, "domains should match")
-
-	_, err = store.GetAccountByPrivateDomain(context.Background(), "missing-domain.com")
-	require.Error(t, err, "should return error on domain lookup")
-}
-
-func TestFileStore_GetAccount(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expected := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
-	if expected == nil {
-		t.Fatalf("expected account doesn't exist")
-		return
-	}
-
-	account, err := store.GetAccount(context.Background(), expected.Id)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Equal(t, expected.IsDomainPrimaryAccount, account.IsDomainPrimaryAccount)
-	assert.Equal(t, expected.DomainCategory, account.DomainCategory)
-	assert.Equal(t, expected.Domain, account.Domain)
-	assert.Equal(t, expected.CreatedBy, account.CreatedBy)
-	assert.Equal(t, expected.Network.Identifier, account.Network.Identifier)
-	assert.Len(t, account.Peers, len(expected.Peers))
-	assert.Len(t, account.Users, len(expected.Users))
-	assert.Len(t, account.SetupKeys, len(expected.SetupKeys))
-	assert.Len(t, account.Routes, len(expected.Routes))
-	assert.Len(t, account.NameServerGroups, len(expected.NameServerGroups))
-}
-
-func TestFileStore_GetTokenIDByHashedToken(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	hashedToken := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"].Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"].HashedToken
-	tokenID, err := store.GetTokenIDByHashedToken(context.Background(), hashedToken)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expectedTokenID := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"].Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"].ID
-	assert.Equal(t, expectedTokenID, tokenID)
-}
-
-func TestFileStore_DeleteHashedPAT2TokenIDIndex(t *testing.T) {
-	store := newStore(t)
-	defer store.Close(context.Background())
-	store.HashedPAT2TokenID["someHashedToken"] = "someTokenId"
-
-	err := store.DeleteHashedPAT2TokenIDIndex("someHashedToken")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Empty(t, store.HashedPAT2TokenID["someHashedToken"])
-}
-
-func TestFileStore_DeleteTokenID2UserIDIndex(t *testing.T) {
-	store := newStore(t)
-	store.TokenID2UserID["someTokenId"] = "someUserId"
-
-	err := store.DeleteTokenID2UserIDIndex("someTokenId")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Empty(t, store.TokenID2UserID["someTokenId"])
-}
-
-func TestFileStore_GetTokenIDByHashedToken_Failure(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	wrongToken := sha256.Sum256([]byte("someNotValidTokenThatFails1234"))
-	_, err = store.GetTokenIDByHashedToken(context.Background(), string(wrongToken[:]))
-
-	assert.Error(t, err, "GetTokenIDByHashedToken should throw error if token invalid")
-}
-
-func TestFileStore_GetUserByTokenID(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tokenID := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"].Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"].ID
-	user, err := store.GetUserByTokenID(context.Background(), tokenID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Equal(t, "f4f6d672-63fb-11ec-90d6-0242ac120003", user.Id)
-}
-
-func TestFileStore_GetUserByTokenID_Failure(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	wrongTokenID := "someNonExistingTokenID"
-	_, err = store.GetUserByTokenID(context.Background(), wrongTokenID)
-
-	assert.Error(t, err, "GetUserByTokenID should throw error if tokenID invalid")
-}
-
-func TestFileStore_SavePeerStatus(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		return
-	}
-
-	account, err := store.getAccount("bf1c8084-ba50-4ce7-9439-34653001fc3b")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// save status of non-existing peer
-	newStatus := nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
-	err = store.SavePeerStatus(account.Id, "non-existing-peer", newStatus)
-	assert.Error(t, err)
-
-	// save new status of existing peer
-	account.Peers["testpeer"] = &nbpeer.Peer{
-		Key:      "peerkey",
-		ID:       "testpeer",
-		SetupKey: "peerkeysetupkey",
-		IP:       net.IP{127, 0, 0, 1},
-		Meta:     nbpeer.PeerSystemMeta{},
-		Name:     "peer name",
-		Status:   &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
-	}
-
-	err = store.SaveAccount(context.Background(), account)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = store.SavePeerStatus(account.Id, "testpeer", newStatus)
-	if err != nil {
-		t.Fatal(err)
-	}
-	account, err = store.getAccount(account.Id)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	actual := account.Peers["testpeer"].Status
-	assert.Equal(t, newStatus, *actual)
-}
-
-func TestFileStore_SavePeerLocation(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(context.Background(), storeDir, nil)
-	if err != nil {
-		return
-	}
-	account, err := store.GetAccount(context.Background(), "bf1c8084-ba50-4ce7-9439-34653001fc3b")
-	require.NoError(t, err)
-
-	peer := &nbpeer.Peer{
-		AccountID: account.Id,
-		ID:        "testpeer",
-		Location: nbpeer.Location{
-			ConnectionIP: net.ParseIP("10.0.0.0"),
-			CountryCode:  "YY",
-			CityName:     "City",
-			GeoNameID:    1,
-		},
-		Meta: nbpeer.PeerSystemMeta{},
-	}
-	// error is expected as peer is not in store yet
-	err = store.SavePeerLocation(account.Id, peer)
-	assert.Error(t, err)
-
-	account.Peers[peer.ID] = peer
-	err = store.SaveAccount(context.Background(), account)
-	require.NoError(t, err)
-
-	peer.Location.ConnectionIP = net.ParseIP("35.1.1.1")
-	peer.Location.CountryCode = "DE"
-	peer.Location.CityName = "Berlin"
-	peer.Location.GeoNameID = 2950159
-
-	err = store.SavePeerLocation(account.Id, account.Peers[peer.ID])
-	assert.NoError(t, err)
-
-	account, err = store.GetAccount(context.Background(), account.Id)
-	require.NoError(t, err)
-
-	actual := account.Peers[peer.ID].Location
-	assert.Equal(t, peer.Location, actual)
-}
-
-func newStore(t *testing.T) *FileStore {
-	t.Helper()
-	store, err := NewFileStore(context.Background(), t.TempDir(), nil)
-	if err != nil {
-		t.Errorf("failed creating a new store")
-	}
-
-	return store
-}
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -596,6 +596,10 @@ func toSyncResponse(ctx context.Context, config *Config, peer *nbpeer.Peer, turn
 	response.NetworkMap.FirewallRules = firewallRules
 	response.NetworkMap.FirewallRulesIsEmpty = len(firewallRules) == 0

+	routesFirewallRules := toProtocolRoutesFirewallRules(networkMap.RoutesFirewallRules)
+	response.NetworkMap.RoutesFirewallRules = routesFirewallRules
+	response.NetworkMap.RoutesFirewallRulesIsEmpty = len(routesFirewallRules) == 0
+
 	return response
 }

--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -727,17 +727,39 @@ components:
          enum: ["all", "tcp", "udp", "icmp"]
          example: "tcp"
        ports:
-          description: Policy rule affected ports or it ranges list
+          description: Policy rule affected ports
          type: array
          items:
            type: string
            example: "80"
+        port_ranges:
+          description: Policy rule affected ports ranges list
+          type: array
+          items:
+            $ref: '#/components/schemas/RulePortRange'
      required:
        - name
        - enabled
        - bidirectional
        - protocol
        - action
+
+    RulePortRange:
+      description: Policy rule affected ports range
+      type: object
+      properties:
+        start:
+          description: The starting port of the range
+          type: integer
+          example: 80
+        end:
+          description: The ending port of the range
+          type: integer
+          example: 320
+      required:
+        - start
+        - end
+
    PolicyRuleUpdate:
      allOf:
        - $ref: '#/components/schemas/PolicyRuleMinimum'
@@ -1106,6 +1128,12 @@ components:
          description: Indicate if the route should be kept after a domain doesn't resolve that IP anymore
          type: boolean
          example: true
+        access_control_groups:
+          description: Access control group identifier associated with route.
+          type: array
+          items:
+            type: string
+            example: "chacbco6lnnbn6cg5s91"
      required:
        - id
        - description
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -780,7 +780,10 @@ type PolicyRule struct {
 	// Name Policy rule name identifier
 	Name string `json:"name"`

-	// Ports Policy rule affected ports or it ranges list
+	// PortRanges Policy rule affected ports ranges list
+	PortRanges *[]RulePortRange `json:"port_ranges,omitempty"`
+
+	// Ports Policy rule affected ports
 	Ports *[]string `json:"ports,omitempty"`

 	// Protocol Policy rule type of the traffic
@@ -816,7 +819,10 @@ type PolicyRuleMinimum struct {
 	// Name Policy rule name identifier
 	Name string `json:"name"`

-	// Ports Policy rule affected ports or it ranges list
+	// PortRanges Policy rule affected ports ranges list
+	PortRanges *[]RulePortRange `json:"port_ranges,omitempty"`
+
+	// Ports Policy rule affected ports
 	Ports *[]string `json:"ports,omitempty"`

 	// Protocol Policy rule type of the traffic
@@ -852,7 +858,10 @@ type PolicyRuleUpdate struct {
 	// Name Policy rule name identifier
 	Name string `json:"name"`

-	// Ports Policy rule affected ports or it ranges list
+	// PortRanges Policy rule affected ports ranges list
+	PortRanges *[]RulePortRange `json:"port_ranges,omitempty"`
+
+	// Ports Policy rule affected ports
 	Ports *[]string `json:"ports,omitempty"`

 	// Protocol Policy rule type of the traffic
@@ -935,6 +944,9 @@ type ProcessCheck struct {

 // Route defines model for Route.
 type Route struct {
+	// AccessControlGroups Access control group identifier associated with route.
+	AccessControlGroups *[]string `json:"access_control_groups,omitempty"`
+
 	// Description Route description
 	Description string `json:"description"`

@@ -977,6 +989,9 @@ type Route struct {

 // RouteRequest defines model for RouteRequest.
 type RouteRequest struct {
+	// AccessControlGroups Access control group identifier associated with route.
+	AccessControlGroups *[]string `json:"access_control_groups,omitempty"`
+
 	// Description Route description
 	Description string `json:"description"`

@@ -1011,6 +1026,15 @@ type RouteRequest struct {
 	PeerGroups *[]string `json:"peer_groups,omitempty"`
 }

+// RulePortRange Policy rule affected ports range
+type RulePortRange struct {
+	// End The ending port of the range
+	End int `json:"end"`
+
+	// Start The starting port of the range
+	Start int `json:"start"`
+}
+
 // SetupKey defines model for SetupKey.
 type SetupKey struct {
 	// AutoGroups List of group IDs to auto-assign to peers registered with this key
--- a/management/server/http/policies_handler.go
+++ b/management/server/http/policies_handler.go
@@ -172,6 +172,11 @@ func (h *Policies) savePolicy(w http.ResponseWriter, r *http.Request, accountID
 			return
 		}

+		if (rule.Ports != nil && len(*rule.Ports) != 0) && (rule.PortRanges != nil && len(*rule.PortRanges) != 0) {
+			util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "specify either individual ports or port ranges, not both"), w)
+			return
+		}
+
 		if rule.Ports != nil && len(*rule.Ports) != 0 {
 			for _, v := range *rule.Ports {
 				if port, err := strconv.Atoi(v); err != nil || port < 1 || port > 65535 {
@@ -182,10 +187,23 @@ func (h *Policies) savePolicy(w http.ResponseWriter, r *http.Request, accountID
 			}
 		}

+		if rule.PortRanges != nil && len(*rule.PortRanges) != 0 {
+			for _, portRange := range *rule.PortRanges {
+				if portRange.Start < 1 || portRange.End > 65535 {
+					util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "valid port value is in 1..65535 range"), w)
+					return
+				}
+				pr.PortRanges = append(pr.PortRanges, server.RulePortRange{
+					Start: uint16(portRange.Start),
+					End:   uint16(portRange.End),
+				})
+			}
+		}
+
 		// validate policy object
 		switch pr.Protocol {
 		case server.PolicyRuleProtocolALL, server.PolicyRuleProtocolICMP:
-			if len(pr.Ports) != 0 {
+			if len(pr.Ports) != 0 || len(pr.PortRanges) != 0 {
 				util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "for ALL or ICMP protocol ports is not allowed"), w)
 				return
 			}
@@ -194,7 +212,7 @@ func (h *Policies) savePolicy(w http.ResponseWriter, r *http.Request, accountID
 				return
 			}
 		case server.PolicyRuleProtocolTCP, server.PolicyRuleProtocolUDP:
-			if !pr.Bidirectional && len(pr.Ports) == 0 {
+			if !pr.Bidirectional && (len(pr.Ports) == 0 || len(pr.PortRanges) != 0) {
 				util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "for ALL or ICMP protocol type flow can be only bi-directional"), w)
 				return
 			}
@@ -320,6 +338,17 @@ func toPolicyResponse(groups []*nbgroup.Group, policy *server.Policy) *api.Polic
 			rule.Ports = &portsCopy
 		}

+		if len(r.PortRanges) != 0 {
+			portRanges := make([]api.RulePortRange, 0, len(r.PortRanges))
+			for _, portRange := range r.PortRanges {
+				portRanges = append(portRanges, api.RulePortRange{
+					End:   int(portRange.End),
+					Start: int(portRange.Start),
+				})
+			}
+			rule.PortRanges = &portRanges
+		}
+
 		for _, gid := range r.Sources {
 			_, ok := cache[gid]
 			if ok {
--- a/management/server/http/routes_handler.go
+++ b/management/server/http/routes_handler.go
@@ -117,9 +117,14 @@ func (h *RoutesHandler) CreateRoute(w http.ResponseWriter, r *http.Request) {
 		peerGroupIds = *req.PeerGroups
 	}

+	var accessControlGroupIds []string
+	if req.AccessControlGroups != nil {
+		accessControlGroupIds = *req.AccessControlGroups
+	}
+
 	newRoute, err := h.accountManager.CreateRoute(r.Context(), accountID, newPrefix, networkType, domains, peerId, peerGroupIds,
-		req.Description, route.NetID(req.NetworkId), req.Masquerade, req.Metric, req.Groups, req.Enabled, userID, req.KeepRoute,
-	)
+		req.Description, route.NetID(req.NetworkId), req.Masquerade, req.Metric, req.Groups, accessControlGroupIds, req.Enabled, userID, req.KeepRoute)
+
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -233,6 +238,10 @@ func (h *RoutesHandler) UpdateRoute(w http.ResponseWriter, r *http.Request) {
 		newRoute.PeerGroups = *req.PeerGroups
 	}

+	if req.AccessControlGroups != nil {
+		newRoute.AccessControlGroups = *req.AccessControlGroups
+	}
+
 	err = h.accountManager.SaveRoute(r.Context(), accountID, userID, newRoute)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -326,6 +335,9 @@ func toRouteResponse(serverRoute *route.Route) (*api.Route, error) {
 	if len(serverRoute.PeerGroups) > 0 {
 		route.PeerGroups = &serverRoute.PeerGroups
 	}
+	if len(serverRoute.AccessControlGroups) > 0 {
+		route.AccessControlGroups = &serverRoute.AccessControlGroups
+	}
 	return route, nil
 }

--- a/management/server/http/routes_handler_test.go
+++ b/management/server/http/routes_handler_test.go
@@ -105,7 +105,7 @@ func initRoutesTestData() *RoutesHandler {
 				}
 				return nil, status.Errorf(status.NotFound, "route with ID %s not found", routeID)
 			},
-			CreateRouteFunc: func(_ context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups []string, enabled bool, _ string, keepRoute bool) (*route.Route, error) {
+			CreateRouteFunc: func(_ context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroups []string, enabled bool, _ string, keepRoute bool) (*route.Route, error) {
 				if peerID == notFoundPeerID {
 					return nil, status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
 				}
@@ -119,18 +119,19 @@ func initRoutesTestData() *RoutesHandler {
 				}

 				return &route.Route{
-					ID:          existingRouteID,
-					NetID:       netID,
-					Peer:        peerID,
-					PeerGroups:  peerGroups,
-					Network:     prefix,
-					Domains:     domains,
-					NetworkType: networkType,
-					Description: description,
-					Masquerade:  masquerade,
-					Enabled:     enabled,
-					Groups:      groups,
-					KeepRoute:   keepRoute,
+					ID:                  existingRouteID,
+					NetID:               netID,
+					Peer:                peerID,
+					PeerGroups:          peerGroups,
+					Network:             prefix,
+					Domains:             domains,
+					NetworkType:         networkType,
+					Description:         description,
+					Masquerade:          masquerade,
+					Enabled:             enabled,
+					Groups:              groups,
+					KeepRoute:           keepRoute,
+					AccessControlGroups: accessControlGroups,
 				}, nil
 			},
 			SaveRouteFunc: func(_ context.Context, _, _ string, r *route.Route) error {
@@ -268,6 +269,27 @@ func TestRoutesHandlers(t *testing.T) {
 				Groups:      []string{existingGroupID},
 			},
 		},
+		{
+			name:        "POST OK With Access Control Groups",
+			requestType: http.MethodPost,
+			requestPath: "/api/routes",
+			requestBody: bytes.NewBuffer(
+				[]byte(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\",\"groups\":[\"%s\"],\"access_control_groups\":[\"%s\"]}", existingPeerID, existingGroupID, existingGroupID))),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedRoute: &api.Route{
+				Id:                  existingRouteID,
+				Description:         "Post",
+				NetworkId:           "awesomeNet",
+				Network:             toPtr("192.168.0.0/16"),
+				Peer:                &existingPeerID,
+				NetworkType:         route.IPv4NetworkString,
+				Masquerade:          false,
+				Enabled:             false,
+				Groups:              []string{existingGroupID},
+				AccessControlGroups: &[]string{existingGroupID},
+			},
+		},
 		{
 			name:           "POST Non Linux Peer",
 			requestType:    http.MethodPost,
--- a/management/server/management_proto_test.go
+++ b/management/server/management_proto_test.go
@@ -6,7 +6,6 @@ import (
 	"io"
 	"net"
 	"os"
-	"path/filepath"
 	"runtime"
 	"sync"
 	"sync/atomic"
@@ -89,14 +88,7 @@ func getServerKey(client mgmtProto.ManagementServiceClient) (*wgtypes.Key, error

 func Test_SyncProtocol(t *testing.T) {
 	dir := t.TempDir()
-	err := util.CopyFileContents("testdata/store_with_expired_peers.json", filepath.Join(dir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		os.Remove(filepath.Join(dir, "store.json")) //nolint
-	}()
-	mgmtServer, _, mgmtAddr, err := startManagementForTest(t, &Config{
+	mgmtServer, _, mgmtAddr, cleanup, err := startManagementForTest(t, "testdata/store_with_expired_peers.sqlite", &Config{
 		Stuns: []*Host{{
 			Proto: "udp",
 			URI:   "stun:stun.wiretrustee.com:3468",
@@ -117,6 +109,7 @@ func Test_SyncProtocol(t *testing.T) {
 		Datadir:    dir,
 		HttpConfig: nil,
 	})
+	defer cleanup()
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -412,18 +405,18 @@ func TestServer_GetDeviceAuthorizationFlow(t *testing.T) {
 	}
 }

-func startManagementForTest(t TestingT, config *Config) (*grpc.Server, *DefaultAccountManager, string, error) {
+func startManagementForTest(t *testing.T, testFile string, config *Config) (*grpc.Server, *DefaultAccountManager, string, func(), error) {
 	t.Helper()
 	lis, err := net.Listen("tcp", "localhost:0")
 	if err != nil {
-		return nil, nil, "", err
+		return nil, nil, "", nil, err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, cleanUp, err := NewTestStoreFromJson(context.Background(), config.Datadir)
+
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), testFile)
 	if err != nil {
-		return nil, nil, "", err
+		t.Fatal(err)
 	}
-	t.Cleanup(cleanUp)

 	peersUpdateManager := NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
@@ -437,7 +430,8 @@ func startManagementForTest(t TestingT, config *Config) (*grpc.Server, *DefaultA
 		eventStore, nil, false, MocIntegratedValidator{}, metrics)

 	if err != nil {
-		return nil, nil, "", err
+		cleanup()
+		return nil, nil, "", cleanup, err
 	}

 	secretsManager := NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
@@ -445,7 +439,7 @@ func startManagementForTest(t TestingT, config *Config) (*grpc.Server, *DefaultA
 	ephemeralMgr := NewEphemeralManager(store, accountManager)
 	mgmtServer, err := NewServer(context.Background(), config, accountManager, peersUpdateManager, secretsManager, nil, ephemeralMgr)
 	if err != nil {
-		return nil, nil, "", err
+		return nil, nil, "", cleanup, err
 	}
 	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)

@@ -455,7 +449,7 @@ func startManagementForTest(t TestingT, config *Config) (*grpc.Server, *DefaultA
 		}
 	}()

-	return s, accountManager, lis.Addr().String(), nil
+	return s, accountManager, lis.Addr().String(), cleanup, nil
 }

 func createRawClient(addr string) (mgmtProto.ManagementServiceClient, *grpc.ClientConn, error) {
@@ -475,6 +469,7 @@ func createRawClient(addr string) (mgmtProto.ManagementServiceClient, *grpc.Clie

 	return mgmtProto.NewManagementServiceClient(conn), conn, nil
 }
+
 func Test_SyncStatusRace(t *testing.T) {
 	if os.Getenv("CI") == "true" && os.Getenv("NETBIRD_STORE_ENGINE") == "postgres" {
 		t.Skip("Skipping on CI and Postgres store")
@@ -488,15 +483,8 @@ func Test_SyncStatusRace(t *testing.T) {
 func testSyncStatusRace(t *testing.T) {
 	t.Helper()
 	dir := t.TempDir()
-	err := util.CopyFileContents("testdata/store_with_expired_peers.json", filepath.Join(dir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		os.Remove(filepath.Join(dir, "store.json")) //nolint
-	}()

-	mgmtServer, am, mgmtAddr, err := startManagementForTest(t, &Config{
+	mgmtServer, am, mgmtAddr, cleanup, err := startManagementForTest(t, "testdata/store_with_expired_peers.sqlite", &Config{
 		Stuns: []*Host{{
 			Proto: "udp",
 			URI:   "stun:stun.wiretrustee.com:3468",
@@ -517,6 +505,7 @@ func testSyncStatusRace(t *testing.T) {
 		Datadir:    dir,
 		HttpConfig: nil,
 	})
+	defer cleanup()
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -665,15 +654,8 @@ func Test_LoginPerformance(t *testing.T) {
 		t.Run(bc.name, func(t *testing.T) {
 			t.Helper()
 			dir := t.TempDir()
-			err := util.CopyFileContents("testdata/store_with_expired_peers.json", filepath.Join(dir, "store.json"))
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer func() {
-				os.Remove(filepath.Join(dir, "store.json")) //nolint
-			}()

-			mgmtServer, am, _, err := startManagementForTest(t, &Config{
+			mgmtServer, am, _, cleanup, err := startManagementForTest(t, "testdata/store_with_expired_peers.sqlite", &Config{
 				Stuns: []*Host{{
 					Proto: "udp",
 					URI:   "stun:stun.wiretrustee.com:3468",
@@ -694,6 +676,7 @@ func Test_LoginPerformance(t *testing.T) {
 				Datadir:    dir,
 				HttpConfig: nil,
 			})
+			defer cleanup()
 			if err != nil {
 				t.Fatal(err)
 				return
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -5,7 +5,6 @@ import (
 	"math/rand"
 	"net"
 	"os"
-	"path/filepath"
 	"runtime"
 	sync2 "sync"
 	"time"
@@ -52,8 +51,6 @@ var _ = Describe("Management service", func() {
 		dataDir, err = os.MkdirTemp("", "wiretrustee_mgmt_test_tmp_*")
 		Expect(err).NotTo(HaveOccurred())

-		err = util.CopyFileContents("testdata/store.json", filepath.Join(dataDir, "store.json"))
-		Expect(err).NotTo(HaveOccurred())
 		var listener net.Listener

 		config := &server.Config{}
@@ -61,7 +58,7 @@ var _ = Describe("Management service", func() {
 		Expect(err).NotTo(HaveOccurred())
 		config.Datadir = dataDir

-		s, listener = startServer(config)
+		s, listener = startServer(config, dataDir, "testdata/store.sqlite")
 		addr = listener.Addr().String()
 		client, conn = createRawClient(addr)

@@ -530,12 +527,12 @@ func createRawClient(addr string) (mgmtProto.ManagementServiceClient, *grpc.Clie
 	return mgmtProto.NewManagementServiceClient(conn), conn
 }

-func startServer(config *server.Config) (*grpc.Server, net.Listener) {
+func startServer(config *server.Config, dataDir string, testFile string) (*grpc.Server, net.Listener) {
 	lis, err := net.Listen("tcp", ":0")
 	Expect(err).NotTo(HaveOccurred())
 	s := grpc.NewServer()

-	store, _, err := server.NewTestStoreFromJson(context.Background(), config.Datadir)
+	store, _, err := server.NewTestStoreFromSqlite(context.Background(), testFile, dataDir)
 	if err != nil {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -58,7 +58,7 @@ type MockAccountManager struct {
 	UpdatePeerMetaFunc                  func(ctx context.Context, peerID string, meta nbpeer.PeerSystemMeta) error
 	UpdatePeerSSHKeyFunc                func(ctx context.Context, peerID string, sshKey string) error
 	UpdatePeerFunc                      func(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
-	CreateRouteFunc                     func(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peer string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
+	CreateRouteFunc                     func(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peer string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups,accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
 	GetRouteFunc                        func(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
 	SaveRouteFunc                       func(ctx context.Context, accountID string, userID string, route *route.Route) error
 	DeleteRouteFunc                     func(ctx context.Context, accountID string, routeID route.ID, userID string) error
@@ -367,7 +367,7 @@ func (am *MockAccountManager) DeleteRule(ctx context.Context, accountID, ruleID,
 	if am.DeleteRuleFunc != nil {
 		return am.DeleteRuleFunc(ctx, accountID, ruleID, userID)
 	}
-	return status.Errorf(codes.Unimplemented, "method DeleteRule is not implemented")
+	return status.Errorf(codes.Unimplemented, "method DeletePeerRule is not implemented")
 }

 // GetPolicy mock implementation of GetPolicy from server.AccountManager interface
@@ -442,9 +442,9 @@ func (am *MockAccountManager) UpdatePeer(ctx context.Context, accountID, userID
 }

 // CreateRoute mock implementation of CreateRoute from server.AccountManager interface
-func (am *MockAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups []string, enabled bool, userID string, keepRoute bool) (*route.Route, error) {
+func (am *MockAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupID []string, enabled bool, userID string, keepRoute bool) (*route.Route, error) {
 	if am.CreateRouteFunc != nil {
-		return am.CreateRouteFunc(ctx, accountID, prefix, networkType, domains, peerID, peerGroupIDs, description, netID, masquerade, metric, groups, enabled, userID, keepRoute)
+		return am.CreateRouteFunc(ctx, accountID, prefix, networkType, domains, peerID, peerGroupIDs, description, netID, masquerade, metric, groups,accessControlGroupID, enabled, userID, keepRoute)
 	}
 	return nil, status.Errorf(codes.Unimplemented, "method CreateRoute is not implemented")
 }
--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -773,7 +773,7 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {
 func createNSStore(t *testing.T) (Store, error) {
 	t.Helper()
 	dataDir := t.TempDir()
-	store, cleanUp, err := NewTestStoreFromJson(context.Background(), dataDir)
+	store, cleanUp, err := NewTestStoreFromSqlite(context.Background(), "", dataDir)
 	if err != nil {
 		return nil, err
 	}
--- a/management/server/network.go
+++ b/management/server/network.go
@@ -26,12 +26,13 @@ const (
 )

 type NetworkMap struct {
-	Peers         []*nbpeer.Peer
-	Network       *Network
-	Routes        []*route.Route
-	DNSConfig     nbdns.Config
-	OfflinePeers  []*nbpeer.Peer
-	FirewallRules []*FirewallRule
+	Peers               []*nbpeer.Peer
+	Network             *Network
+	Routes              []*route.Route
+	DNSConfig           nbdns.Config
+	OfflinePeers        []*nbpeer.Peer
+	FirewallRules       []*FirewallRule
+	RoutesFirewallRules []*RouteFirewallRule
 }

 type Network struct {
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -646,7 +646,6 @@ func TestDefaultAccountManager_GetPeers(t *testing.T) {

 		})
 	}
-
 }

 func setupTestAccountManager(b *testing.B, peers int, groups int) (*DefaultAccountManager, string, string, error) {
@@ -991,9 +990,9 @@ func TestToSyncResponse(t *testing.T) {
 	// assert network map Firewall
 	assert.Equal(t, 1, len(response.NetworkMap.FirewallRules))
 	assert.Equal(t, "192.168.1.2", response.NetworkMap.FirewallRules[0].PeerIP)
-	assert.Equal(t, proto.FirewallRule_IN, response.NetworkMap.FirewallRules[0].Direction)
-	assert.Equal(t, proto.FirewallRule_ACCEPT, response.NetworkMap.FirewallRules[0].Action)
-	assert.Equal(t, proto.FirewallRule_TCP, response.NetworkMap.FirewallRules[0].Protocol)
+	assert.Equal(t, proto.RuleDirection_IN, response.NetworkMap.FirewallRules[0].Direction)
+	assert.Equal(t, proto.RuleAction_ACCEPT, response.NetworkMap.FirewallRules[0].Action)
+	assert.Equal(t, proto.RuleProtocol_TCP, response.NetworkMap.FirewallRules[0].Protocol)
 	assert.Equal(t, "80", response.NetworkMap.FirewallRules[0].Port)
 	// assert posture checks
 	assert.Equal(t, 1, len(response.Checks))
@@ -1005,7 +1004,11 @@ func Test_RegisterPeerByUser(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanup()

 	eventStore := &activity.InMemoryEventStore{}

@@ -1066,7 +1069,11 @@ func Test_RegisterPeerBySetupKey(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanup()

 	eventStore := &activity.InMemoryEventStore{}

@@ -1128,7 +1135,11 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanup()

 	eventStore := &activity.InMemoryEventStore{}

--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -76,6 +76,12 @@ type PolicyUpdateOperation struct {
 	Values []string
 }

+// RulePortRange represents a range of ports for a firewall rule.
+type RulePortRange struct {
+	Start uint16
+	End   uint16
+}
+
 // PolicyRule is the metadata of the policy
 type PolicyRule struct {
 	// ID of the policy rule
@@ -110,6 +116,9 @@ type PolicyRule struct {

 	// Ports or it ranges list
 	Ports []string `gorm:"serializer:json"`
+
+	// PortRanges a list of port ranges.
+	PortRanges []RulePortRange `gorm:"serializer:json"`
 }

 // Copy returns a copy of a policy rule
@@ -125,10 +134,12 @@ func (pm *PolicyRule) Copy() *PolicyRule {
 		Bidirectional: pm.Bidirectional,
 		Protocol:      pm.Protocol,
 		Ports:         make([]string, len(pm.Ports)),
+		PortRanges:    make([]RulePortRange, len(pm.PortRanges)),
 	}
 	copy(rule.Destinations, pm.Destinations)
 	copy(rule.Sources, pm.Sources)
 	copy(rule.Ports, pm.Ports)
+	copy(rule.PortRanges, pm.PortRanges)
 	return rule
 }

@@ -445,36 +456,17 @@ func (am *DefaultAccountManager) savePolicy(account *Account, policyToSave *Poli
 	return nil
 }

-func toProtocolFirewallRules(update []*FirewallRule) []*proto.FirewallRule {
-	result := make([]*proto.FirewallRule, len(update))
-	for i := range update {
-		direction := proto.FirewallRule_IN
-		if update[i].Direction == firewallRuleDirectionOUT {
-			direction = proto.FirewallRule_OUT
-		}
-		action := proto.FirewallRule_ACCEPT
-		if update[i].Action == string(PolicyTrafficActionDrop) {
-			action = proto.FirewallRule_DROP
-		}
-
-		protocol := proto.FirewallRule_UNKNOWN
-		switch PolicyRuleProtocolType(update[i].Protocol) {
-		case PolicyRuleProtocolALL:
-			protocol = proto.FirewallRule_ALL
-		case PolicyRuleProtocolTCP:
-			protocol = proto.FirewallRule_TCP
-		case PolicyRuleProtocolUDP:
-			protocol = proto.FirewallRule_UDP
-		case PolicyRuleProtocolICMP:
-			protocol = proto.FirewallRule_ICMP
-		}
+func toProtocolFirewallRules(rules []*FirewallRule) []*proto.FirewallRule {
+	result := make([]*proto.FirewallRule, len(rules))
+	for i := range rules {
+		rule := rules[i]

 		result[i] = &proto.FirewallRule{
-			PeerIP:    update[i].PeerIP,
-			Direction: direction,
-			Action:    action,
-			Protocol:  protocol,
-			Port:      update[i].Port,
+			PeerIP:    rule.PeerIP,
+			Direction: getProtoDirection(rule.Direction),
+			Action:    getProtoAction(rule.Action),
+			Protocol:  getProtoProtocol(rule.Protocol),
+			Port:      rule.Port,
 		}
 	}
 	return result
--- a/management/server/route.go
+++ b/management/server/route.go
@@ -4,9 +4,15 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"slices"
+	"strconv"
+	"strings"
 	"unicode/utf8"

 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"

 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/management/proto"
@@ -15,6 +21,30 @@ import (
 	"github.com/netbirdio/netbird/route"
 )

+// RouteFirewallRule a firewall rule applicable for a routed network.
+type RouteFirewallRule struct {
+	// SourceRanges IP ranges of the routing peers.
+	SourceRanges []string
+
+	// Action of the traffic when the rule is applicable
+	Action string
+
+	// Destination a network prefix for the routed traffic
+	Destination string
+
+	// Protocol of the traffic
+	Protocol string
+
+	// Port of the traffic
+	Port uint16
+
+	// PortRange represents the range of ports for a firewall rule
+	PortRange RulePortRange
+
+	// isDynamic indicates whether the rule is for DNS routing
+	IsDynamic bool
+}
+
 // GetRoute gets a route object from account and route IDs
 func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error) {
 	user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
@@ -112,7 +142,7 @@ func getRouteDescriptor(prefix netip.Prefix, domains domain.List) string {
 }

 // CreateRoute creates and saves a new route
-func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups []string, enabled bool, userID string, keepRoute bool) (*route.Route, error) {
+func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error) {
 	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 	defer unlock()

@@ -157,6 +187,13 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 		}
 	}

+	if len(accessControlGroupIDs) > 0 {
+		err = validateGroups(accessControlGroupIDs, account.Groups)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	err = am.checkRoutePrefixOrDomainsExistForPeers(account, peerID, newRoute.ID, peerGroupIDs, prefix, domains)
 	if err != nil {
 		return nil, err
@@ -187,6 +224,7 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 	newRoute.Enabled = enabled
 	newRoute.Groups = groups
 	newRoute.KeepRoute = keepRoute
+	newRoute.AccessControlGroups = accessControlGroupIDs

 	if account.Routes == nil {
 		account.Routes = make(map[route.ID]*route.Route)
@@ -258,6 +296,13 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 		}
 	}

+	if len(routeToSave.AccessControlGroups) > 0 {
+		err = validateGroups(routeToSave.AccessControlGroups, account.Groups)
+		if err != nil {
+			return err
+		}
+	}
+
 	err = am.checkRoutePrefixOrDomainsExistForPeers(account, routeToSave.Peer, routeToSave.ID, routeToSave.Copy().PeerGroups, routeToSave.Network, routeToSave.Domains)
 	if err != nil {
 		return err
@@ -351,3 +396,248 @@ func getPlaceholderIP() netip.Prefix {
 	// Using an IP from the documentation range to minimize impact in case older clients try to set a route
 	return netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 0, 2, 0}), 32)
 }
+
+// getPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
+func (a *Account) getPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
+	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
+
+	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
+	for _, route := range enabledRoutes {
+		// If no access control groups are specified, accept all traffic.
+		if len(route.AccessControlGroups) == 0 {
+			defaultPermit := getDefaultPermit(route)
+			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
+			continue
+		}
+
+		policies := getAllRoutePoliciesFromGroups(a, route.AccessControlGroups)
+		for _, policy := range policies {
+			if !policy.Enabled {
+				continue
+			}
+
+			for _, rule := range policy.Rules {
+				if !rule.Enabled {
+					continue
+				}
+
+				distributionGroupPeers, _ := a.getAllPeersFromGroups(ctx, route.Groups, peerID, nil, validatedPeersMap)
+				rules := generateRouteFirewallRules(ctx, route, rule, distributionGroupPeers, firewallRuleDirectionIN)
+				routesFirewallRules = append(routesFirewallRules, rules...)
+			}
+		}
+	}
+
+	return routesFirewallRules
+}
+
+func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
+	var rules []*RouteFirewallRule
+
+	sources := []string{"0.0.0.0/0"}
+	if route.Network.Addr().Is6() {
+		sources = []string{"::/0"}
+	}
+	rule := RouteFirewallRule{
+		SourceRanges: sources,
+		Action:       string(PolicyTrafficActionAccept),
+		Destination:  route.Network.String(),
+		Protocol:     string(PolicyRuleProtocolALL),
+		IsDynamic:    route.IsDynamic(),
+	}
+
+	rules = append(rules, &rule)
+
+	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
+	if route.IsDynamic() {
+		ruleV6 := rule
+		ruleV6.SourceRanges = []string{"::/0"}
+		rules = append(rules, &ruleV6)
+	}
+
+	return rules
+}
+
+// getAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
+// and returns a list of policies that have rules with destinations matching the specified groups.
+func getAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
+	routePolicies := make([]*Policy, 0)
+	for _, groupID := range accessControlGroups {
+		group, ok := account.Groups[groupID]
+		if !ok {
+			continue
+		}
+
+		for _, policy := range account.Policies {
+			for _, rule := range policy.Rules {
+				exist := slices.ContainsFunc(rule.Destinations, func(groupID string) bool {
+					return groupID == group.ID
+				})
+				if exist {
+					routePolicies = append(routePolicies, policy)
+					continue
+				}
+			}
+		}
+	}
+
+	return routePolicies
+}
+
+// generateRouteFirewallRules generates a list of firewall rules for a given route.
+func generateRouteFirewallRules(ctx context.Context, route *route.Route, rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int) []*RouteFirewallRule {
+	rulesExists := make(map[string]struct{})
+	rules := make([]*RouteFirewallRule, 0)
+
+	sourceRanges := make([]string, 0, len(groupPeers))
+	for _, peer := range groupPeers {
+		if peer == nil {
+			continue
+		}
+		sourceRanges = append(sourceRanges, fmt.Sprintf(AllowedIPsFormat, peer.IP))
+	}
+
+	baseRule := RouteFirewallRule{
+		SourceRanges: sourceRanges,
+		Action:       string(rule.Action),
+		Destination:  route.Network.String(),
+		Protocol:     string(rule.Protocol),
+		IsDynamic:    route.IsDynamic(),
+	}
+
+	// generate rule for port range
+	if len(rule.Ports) == 0 {
+		rules = append(rules, generateRulesWithPortRanges(baseRule, rule, rulesExists)...)
+	} else {
+		rules = append(rules, generateRulesWithPorts(ctx, baseRule, rule, rulesExists)...)
+
+	}
+
+	// TODO: generate IPv6 rules for dynamic routes
+
+	return rules
+}
+
+// generateRuleIDBase generates the base rule ID for checking duplicates.
+func generateRuleIDBase(rule *PolicyRule, baseRule RouteFirewallRule) string {
+	return rule.ID + strings.Join(baseRule.SourceRanges, ",") + strconv.Itoa(firewallRuleDirectionIN) + baseRule.Protocol + baseRule.Action
+}
+
+// generateRulesForPeer generates rules for a given peer based on ports and port ranges.
+func generateRulesWithPortRanges(baseRule RouteFirewallRule, rule *PolicyRule, rulesExists map[string]struct{}) []*RouteFirewallRule {
+	rules := make([]*RouteFirewallRule, 0)
+
+	ruleIDBase := generateRuleIDBase(rule, baseRule)
+	if len(rule.Ports) == 0 {
+		if len(rule.PortRanges) == 0 {
+			if _, ok := rulesExists[ruleIDBase]; !ok {
+				rulesExists[ruleIDBase] = struct{}{}
+				rules = append(rules, &baseRule)
+			}
+		} else {
+			for _, portRange := range rule.PortRanges {
+				ruleID := fmt.Sprintf("%s%d-%d", ruleIDBase, portRange.Start, portRange.End)
+				if _, ok := rulesExists[ruleID]; !ok {
+					rulesExists[ruleID] = struct{}{}
+					pr := baseRule
+					pr.PortRange = portRange
+					rules = append(rules, &pr)
+				}
+			}
+		}
+		return rules
+	}
+
+	return rules
+}
+
+// generateRulesWithPorts generates rules when specific ports are provided.
+func generateRulesWithPorts(ctx context.Context, baseRule RouteFirewallRule, rule *PolicyRule, rulesExists map[string]struct{}) []*RouteFirewallRule {
+	rules := make([]*RouteFirewallRule, 0)
+	ruleIDBase := generateRuleIDBase(rule, baseRule)
+
+	for _, port := range rule.Ports {
+		ruleID := ruleIDBase + port
+		if _, ok := rulesExists[ruleID]; ok {
+			continue
+		}
+		rulesExists[ruleID] = struct{}{}
+
+		pr := baseRule
+		p, err := strconv.ParseUint(port, 10, 16)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to parse port %s for rule: %s", port, rule.ID)
+			continue
+		}
+
+		pr.Port = uint16(p)
+		rules = append(rules, &pr)
+	}
+
+	return rules
+}
+
+func toProtocolRoutesFirewallRules(rules []*RouteFirewallRule) []*proto.RouteFirewallRule {
+	result := make([]*proto.RouteFirewallRule, len(rules))
+	for i := range rules {
+		rule := rules[i]
+		result[i] = &proto.RouteFirewallRule{
+			SourceRanges: rule.SourceRanges,
+			Action:       getProtoAction(rule.Action),
+			Destination:  rule.Destination,
+			Protocol:     getProtoProtocol(rule.Protocol),
+			PortInfo:     getProtoPortInfo(rule),
+			IsDynamic:    rule.IsDynamic,
+		}
+	}
+
+	return result
+}
+
+// getProtoDirection converts the direction to proto.RuleDirection.
+func getProtoDirection(direction int) proto.RuleDirection {
+	if direction == firewallRuleDirectionOUT {
+		return proto.RuleDirection_OUT
+	}
+	return proto.RuleDirection_IN
+}
+
+// getProtoAction converts the action to proto.RuleAction.
+func getProtoAction(action string) proto.RuleAction {
+	if action == string(PolicyTrafficActionDrop) {
+		return proto.RuleAction_DROP
+	}
+	return proto.RuleAction_ACCEPT
+}
+
+// getProtoProtocol converts the protocol to proto.RuleProtocol.
+func getProtoProtocol(protocol string) proto.RuleProtocol {
+	switch PolicyRuleProtocolType(protocol) {
+	case PolicyRuleProtocolALL:
+		return proto.RuleProtocol_ALL
+	case PolicyRuleProtocolTCP:
+		return proto.RuleProtocol_TCP
+	case PolicyRuleProtocolUDP:
+		return proto.RuleProtocol_UDP
+	case PolicyRuleProtocolICMP:
+		return proto.RuleProtocol_ICMP
+	default:
+		return proto.RuleProtocol_UNKNOWN
+	}
+}
+
+// getProtoPortInfo converts the port info to proto.PortInfo.
+func getProtoPortInfo(rule *RouteFirewallRule) *proto.PortInfo {
+	var portInfo proto.PortInfo
+	if rule.Port != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Port{Port: uint32(rule.Port)}
+	} else if portRange := rule.PortRange; portRange.Start != 0 && portRange.End != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Range_{
+			Range: &proto.PortInfo_Range{
+				Start: uint32(portRange.Start),
+				End:   uint32(portRange.End),
+			},
+		}
+	}
+	return &portInfo
+}
--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -2,6 +2,8 @@ package server

 import (
 	"context"
+	"fmt"
+	"net"
 	"net/netip"
 	"testing"

@@ -44,18 +46,19 @@ var existingDomains = domain.List{"example.com"}

 func TestCreateRoute(t *testing.T) {
 	type input struct {
-		network      netip.Prefix
-		domains      domain.List
-		keepRoute    bool
-		networkType  route.NetworkType
-		netID        route.NetID
-		peerKey      string
-		peerGroupIDs []string
-		description  string
-		masquerade   bool
-		metric       int
-		enabled      bool
-		groups       []string
+		network             netip.Prefix
+		domains             domain.List
+		keepRoute           bool
+		networkType         route.NetworkType
+		netID               route.NetID
+		peerKey             string
+		peerGroupIDs        []string
+		description         string
+		masquerade          bool
+		metric              int
+		enabled             bool
+		groups              []string
+		accessControlGroups []string
 	}

 	testCases := []struct {
@@ -69,100 +72,107 @@ func TestCreateRoute(t *testing.T) {
 		{
 			name: "Happy Path Network",
 			inputArgs: input{
-				network:     netip.MustParsePrefix("192.168.0.0/16"),
-				networkType: route.IPv4Network,
-				netID:       "happy",
-				peerKey:     peer1ID,
-				description: "super",
-				masquerade:  false,
-				metric:      9999,
-				enabled:     true,
-				groups:      []string{routeGroup1},
+				network:             netip.MustParsePrefix("192.168.0.0/16"),
+				networkType:         route.IPv4Network,
+				netID:               "happy",
+				peerKey:             peer1ID,
+				description:         "super",
+				masquerade:          false,
+				metric:              9999,
+				enabled:             true,
+				groups:              []string{routeGroup1},
+				accessControlGroups: []string{routeGroup1},
 			},
 			errFunc:      require.NoError,
 			shouldCreate: true,
 			expectedRoute: &route.Route{
-				Network:     netip.MustParsePrefix("192.168.0.0/16"),
-				NetworkType: route.IPv4Network,
-				NetID:       "happy",
-				Peer:        peer1ID,
-				Description: "super",
-				Masquerade:  false,
-				Metric:      9999,
-				Enabled:     true,
-				Groups:      []string{routeGroup1},
+				Network:             netip.MustParsePrefix("192.168.0.0/16"),
+				NetworkType:         route.IPv4Network,
+				NetID:               "happy",
+				Peer:                peer1ID,
+				Description:         "super",
+				Masquerade:          false,
+				Metric:              9999,
+				Enabled:             true,
+				Groups:              []string{routeGroup1},
+				AccessControlGroups: []string{routeGroup1},
 			},
 		},
 		{
 			name: "Happy Path Domains",
 			inputArgs: input{
-				domains:     domain.List{"domain1", "domain2"},
-				keepRoute:   true,
-				networkType: route.DomainNetwork,
-				netID:       "happy",
-				peerKey:     peer1ID,
-				description: "super",
-				masquerade:  false,
-				metric:      9999,
-				enabled:     true,
-				groups:      []string{routeGroup1},
+				domains:             domain.List{"domain1", "domain2"},
+				keepRoute:           true,
+				networkType:         route.DomainNetwork,
+				netID:               "happy",
+				peerKey:             peer1ID,
+				description:         "super",
+				masquerade:          false,
+				metric:              9999,
+				enabled:             true,
+				groups:              []string{routeGroup1},
+				accessControlGroups: []string{routeGroup1},
 			},
 			errFunc:      require.NoError,
 			shouldCreate: true,
 			expectedRoute: &route.Route{
-				Network:     netip.MustParsePrefix("192.0.2.0/32"),
-				Domains:     domain.List{"domain1", "domain2"},
-				NetworkType: route.DomainNetwork,
-				NetID:       "happy",
-				Peer:        peer1ID,
-				Description: "super",
-				Masquerade:  false,
-				Metric:      9999,
-				Enabled:     true,
-				Groups:      []string{routeGroup1},
-				KeepRoute:   true,
+				Network:             netip.MustParsePrefix("192.0.2.0/32"),
+				Domains:             domain.List{"domain1", "domain2"},
+				NetworkType:         route.DomainNetwork,
+				NetID:               "happy",
+				Peer:                peer1ID,
+				Description:         "super",
+				Masquerade:          false,
+				Metric:              9999,
+				Enabled:             true,
+				Groups:              []string{routeGroup1},
+				KeepRoute:           true,
+				AccessControlGroups: []string{routeGroup1},
 			},
 		},
 		{
 			name: "Happy Path Peer Groups",
 			inputArgs: input{
-				network:      netip.MustParsePrefix("192.168.0.0/16"),
-				networkType:  route.IPv4Network,
-				netID:        "happy",
-				peerGroupIDs: []string{routeGroupHA1, routeGroupHA2},
-				description:  "super",
-				masquerade:   false,
-				metric:       9999,
-				enabled:      true,
-				groups:       []string{routeGroup1, routeGroup2},
+				network:             netip.MustParsePrefix("192.168.0.0/16"),
+				networkType:         route.IPv4Network,
+				netID:               "happy",
+				peerGroupIDs:        []string{routeGroupHA1, routeGroupHA2},
+				description:         "super",
+				masquerade:          false,
+				metric:              9999,
+				enabled:             true,
+				groups:              []string{routeGroup1, routeGroup2},
+				accessControlGroups: []string{routeGroup1, routeGroup2},
 			},
 			errFunc:      require.NoError,
 			shouldCreate: true,
 			expectedRoute: &route.Route{
-				Network:     netip.MustParsePrefix("192.168.0.0/16"),
-				NetworkType: route.IPv4Network,
-				NetID:       "happy",
-				PeerGroups:  []string{routeGroupHA1, routeGroupHA2},
-				Description: "super",
-				Masquerade:  false,
-				Metric:      9999,
-				Enabled:     true,
-				Groups:      []string{routeGroup1, routeGroup2},
+				Network:             netip.MustParsePrefix("192.168.0.0/16"),
+				NetworkType:         route.IPv4Network,
+				NetID:               "happy",
+				PeerGroups:          []string{routeGroupHA1, routeGroupHA2},
+				Description:         "super",
+				Masquerade:          false,
+				Metric:              9999,
+				Enabled:             true,
+				Groups:              []string{routeGroup1, routeGroup2},
+				AccessControlGroups: []string{routeGroup1, routeGroup2},
 			},
 		},
 		{
 			name: "Both network and domains provided should fail",
 			inputArgs: input{
-				network:      netip.MustParsePrefix("192.168.0.0/16"),
-				domains:      domain.List{"domain1", "domain2"},
-				netID:        "happy",
-				peerKey:      peer1ID,
-				peerGroupIDs: []string{routeGroupHA1},
-				description:  "super",
-				masquerade:   false,
-				metric:       9999,
-				enabled:      true,
-				groups:       []string{routeGroup1},
+				network:             netip.MustParsePrefix("192.168.0.0/16"),
+				domains:             domain.List{"domain1", "domain2"},
+				netID:               "happy",
+				peerKey:             peer1ID,
+				peerGroupIDs:        []string{routeGroupHA1},
+				description:         "super",
+				masquerade:          false,
+				metric:              9999,
+				enabled:             true,
+				groups:              []string{routeGroup1},
+				accessControlGroups: []string{routeGroup2},
 			},
 			errFunc:      require.Error,
 			shouldCreate: false,
@@ -170,16 +180,17 @@ func TestCreateRoute(t *testing.T) {
 		{
 			name: "Both peer and peer_groups Provided Should Fail",
 			inputArgs: input{
-				network:      netip.MustParsePrefix("192.168.0.0/16"),
-				networkType:  route.IPv4Network,
-				netID:        "happy",
-				peerKey:      peer1ID,
-				peerGroupIDs: []string{routeGroupHA1},
-				description:  "super",
-				masquerade:   false,
-				metric:       9999,
-				enabled:      true,
-				groups:       []string{routeGroup1},
+				network:             netip.MustParsePrefix("192.168.0.0/16"),
+				networkType:         route.IPv4Network,
+				netID:               "happy",
+				peerKey:             peer1ID,
+				peerGroupIDs:        []string{routeGroupHA1},
+				description:         "super",
+				masquerade:          false,
+				metric:              9999,
+				enabled:             true,
+				groups:              []string{routeGroup1},
+				accessControlGroups: []string{routeGroup2},
 			},
 			errFunc:      require.Error,
 			shouldCreate: false,
@@ -423,13 +434,13 @@ func TestCreateRoute(t *testing.T) {
 			if testCase.createInitRoute {
 				groupAll, errInit := account.GetGroupAll()
 				require.NoError(t, errInit)
-				_, errInit = am.CreateRoute(context.Background(), account.Id, existingNetwork, 1, nil, "", []string{routeGroup3, routeGroup4}, "", existingRouteID, false, 1000, []string{groupAll.ID}, true, userID, false)
+				_, errInit = am.CreateRoute(context.Background(), account.Id, existingNetwork, 1, nil, "", []string{routeGroup3, routeGroup4}, "", existingRouteID, false, 1000, []string{groupAll.ID}, []string{}, true, userID, false)
 				require.NoError(t, errInit)
-				_, errInit = am.CreateRoute(context.Background(), account.Id, netip.Prefix{}, 3, existingDomains, "", []string{routeGroup3, routeGroup4}, "", existingRouteID, false, 1000, []string{groupAll.ID}, true, userID, false)
+				_, errInit = am.CreateRoute(context.Background(), account.Id, netip.Prefix{}, 3, existingDomains, "", []string{routeGroup3, routeGroup4}, "", existingRouteID, false, 1000, []string{groupAll.ID}, []string{groupAll.ID}, true, userID, false)
 				require.NoError(t, errInit)
 			}

-			outRoute, err := am.CreateRoute(context.Background(), account.Id, testCase.inputArgs.network, testCase.inputArgs.networkType, testCase.inputArgs.domains, testCase.inputArgs.peerKey, testCase.inputArgs.peerGroupIDs, testCase.inputArgs.description, testCase.inputArgs.netID, testCase.inputArgs.masquerade, testCase.inputArgs.metric, testCase.inputArgs.groups, testCase.inputArgs.enabled, userID, testCase.inputArgs.keepRoute)
+			outRoute, err := am.CreateRoute(context.Background(), account.Id, testCase.inputArgs.network, testCase.inputArgs.networkType, testCase.inputArgs.domains, testCase.inputArgs.peerKey, testCase.inputArgs.peerGroupIDs, testCase.inputArgs.description, testCase.inputArgs.netID, testCase.inputArgs.masquerade, testCase.inputArgs.metric, testCase.inputArgs.groups, testCase.inputArgs.accessControlGroups, testCase.inputArgs.enabled, userID, testCase.inputArgs.keepRoute)

 			testCase.errFunc(t, err)

@@ -1037,15 +1048,16 @@ func TestDeleteRoute(t *testing.T) {

 func TestGetNetworkMap_RouteSyncPeerGroups(t *testing.T) {
 	baseRoute := &route.Route{
-		Network:     netip.MustParsePrefix("192.168.0.0/16"),
-		NetID:       "superNet",
-		NetworkType: route.IPv4Network,
-		PeerGroups:  []string{routeGroupHA1, routeGroupHA2},
-		Description: "ha route",
-		Masquerade:  false,
-		Metric:      9999,
-		Enabled:     true,
-		Groups:      []string{routeGroup1, routeGroup2},
+		Network:             netip.MustParsePrefix("192.168.0.0/16"),
+		NetID:               "superNet",
+		NetworkType:         route.IPv4Network,
+		PeerGroups:          []string{routeGroupHA1, routeGroupHA2},
+		Description:         "ha route",
+		Masquerade:          false,
+		Metric:              9999,
+		Enabled:             true,
+		Groups:              []string{routeGroup1, routeGroup2},
+		AccessControlGroups: []string{routeGroup1},
 	}

 	am, err := createRouterManager(t)
@@ -1062,7 +1074,7 @@ func TestGetNetworkMap_RouteSyncPeerGroups(t *testing.T) {
 	require.NoError(t, err)
 	require.Len(t, newAccountRoutes.Routes, 0, "new accounts should have no routes")

-	newRoute, err := am.CreateRoute(context.Background(), account.Id, baseRoute.Network, baseRoute.NetworkType, baseRoute.Domains, baseRoute.Peer, baseRoute.PeerGroups, baseRoute.Description, baseRoute.NetID, baseRoute.Masquerade, baseRoute.Metric, baseRoute.Groups, baseRoute.Enabled, userID, baseRoute.KeepRoute)
+	newRoute, err := am.CreateRoute(context.Background(), account.Id, baseRoute.Network, baseRoute.NetworkType, baseRoute.Domains, baseRoute.Peer, baseRoute.PeerGroups, baseRoute.Description, baseRoute.NetID, baseRoute.Masquerade, baseRoute.Metric, baseRoute.Groups, baseRoute.AccessControlGroups, baseRoute.Enabled, userID, baseRoute.KeepRoute)
 	require.NoError(t, err)
 	require.Equal(t, newRoute.Enabled, true)

@@ -1127,16 +1139,17 @@ func TestGetNetworkMap_RouteSync(t *testing.T) {
 	// no routes for peer in different groups
 	// no routes when route is deleted
 	baseRoute := &route.Route{
-		ID:          "testingRoute",
-		Network:     netip.MustParsePrefix("192.168.0.0/16"),
-		NetID:       "superNet",
-		NetworkType: route.IPv4Network,
-		Peer:        peer1ID,
-		Description: "super",
-		Masquerade:  false,
-		Metric:      9999,
-		Enabled:     true,
-		Groups:      []string{routeGroup1},
+		ID:                  "testingRoute",
+		Network:             netip.MustParsePrefix("192.168.0.0/16"),
+		NetID:               "superNet",
+		NetworkType:         route.IPv4Network,
+		Peer:                peer1ID,
+		Description:         "super",
+		Masquerade:          false,
+		Metric:              9999,
+		Enabled:             true,
+		Groups:              []string{routeGroup1},
+		AccessControlGroups: []string{routeGroup1},
 	}

 	am, err := createRouterManager(t)
@@ -1153,7 +1166,7 @@ func TestGetNetworkMap_RouteSync(t *testing.T) {
 	require.NoError(t, err)
 	require.Len(t, newAccountRoutes.Routes, 0, "new accounts should have no routes")

-	createdRoute, err := am.CreateRoute(context.Background(), account.Id, baseRoute.Network, baseRoute.NetworkType, baseRoute.Domains, peer1ID, []string{}, baseRoute.Description, baseRoute.NetID, baseRoute.Masquerade, baseRoute.Metric, baseRoute.Groups, false, userID, baseRoute.KeepRoute)
+	createdRoute, err := am.CreateRoute(context.Background(), account.Id, baseRoute.Network, baseRoute.NetworkType, baseRoute.Domains, peer1ID, []string{}, baseRoute.Description, baseRoute.NetID, baseRoute.Masquerade, baseRoute.Metric, baseRoute.Groups, baseRoute.AccessControlGroups, false, userID, baseRoute.KeepRoute)
 	require.NoError(t, err)

 	noDisabledRoutes, err := am.GetNetworkMap(context.Background(), peer1ID)
@@ -1244,7 +1257,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, error) {
 func createRouterStore(t *testing.T) (Store, error) {
 	t.Helper()
 	dataDir := t.TempDir()
-	store, cleanUp, err := NewTestStoreFromJson(context.Background(), dataDir)
+	store, cleanUp, err := NewTestStoreFromSqlite(context.Background(), "", dataDir)
 	if err != nil {
 		return nil, err
 	}
@@ -1467,3 +1480,300 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*Account, er

 	return am.Store.GetAccount(context.Background(), account.Id)
 }
+
+func TestAccount_getPeersRoutesFirewall(t *testing.T) {
+	var (
+		peerBIp = "100.65.80.39"
+		peerCIp = "100.65.254.139"
+		peerHIp = "100.65.29.55"
+	)
+
+	account := &Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peerA": {
+				ID:     "peerA",
+				IP:     net.ParseIP("100.65.14.88"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					GoOS: "linux",
+				},
+			},
+			"peerB": {
+				ID:     "peerB",
+				IP:     net.ParseIP(peerBIp),
+				Status: &nbpeer.PeerStatus{},
+				Meta:   nbpeer.PeerSystemMeta{},
+			},
+			"peerC": {
+				ID:     "peerC",
+				IP:     net.ParseIP(peerCIp),
+				Status: &nbpeer.PeerStatus{},
+			},
+			"peerD": {
+				ID:     "peerD",
+				IP:     net.ParseIP("100.65.62.5"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					GoOS: "linux",
+				},
+			},
+			"peerE": {
+				ID:     "peerE",
+				IP:     net.ParseIP("100.65.32.206"),
+				Key:    peer1Key,
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					GoOS: "linux",
+				},
+			},
+			"peerF": {
+				ID:     "peerF",
+				IP:     net.ParseIP("100.65.250.202"),
+				Status: &nbpeer.PeerStatus{},
+			},
+			"peerG": {
+				ID:     "peerG",
+				IP:     net.ParseIP("100.65.13.186"),
+				Status: &nbpeer.PeerStatus{},
+			},
+			"peerH": {
+				ID:     "peerH",
+				IP:     net.ParseIP(peerHIp),
+				Status: &nbpeer.PeerStatus{},
+			},
+		},
+		Groups: map[string]*nbgroup.Group{
+			"routingPeer1": {
+				ID:   "routingPeer1",
+				Name: "RoutingPeer1",
+				Peers: []string{
+					"peerA",
+				},
+			},
+			"routingPeer2": {
+				ID:   "routingPeer2",
+				Name: "RoutingPeer2",
+				Peers: []string{
+					"peerD",
+				},
+			},
+			"route1": {
+				ID:    "route1",
+				Name:  "Route1",
+				Peers: []string{},
+			},
+			"route2": {
+				ID:    "route2",
+				Name:  "Route2",
+				Peers: []string{},
+			},
+			"finance": {
+				ID:   "finance",
+				Name: "Finance",
+				Peers: []string{
+					"peerF",
+					"peerG",
+				},
+			},
+			"dev": {
+				ID:   "dev",
+				Name: "Dev",
+				Peers: []string{
+					"peerC",
+					"peerH",
+					"peerB",
+				},
+			},
+			"contractors": {
+				ID:    "contractors",
+				Name:  "Contractors",
+				Peers: []string{},
+			},
+		},
+		Routes: map[route.ID]*route.Route{
+			"route1": {
+				ID:                  "route1",
+				Network:             netip.MustParsePrefix("192.168.0.0/16"),
+				NetID:               "route1",
+				NetworkType:         route.IPv4Network,
+				PeerGroups:          []string{"routingPeer1", "routingPeer2"},
+				Description:         "Route1 ha route",
+				Masquerade:          false,
+				Metric:              9999,
+				Enabled:             true,
+				Groups:              []string{"dev"},
+				AccessControlGroups: []string{"route1"},
+			},
+			"route2": {
+				ID:                  "route2",
+				Network:             existingNetwork,
+				NetID:               "route2",
+				NetworkType:         route.IPv4Network,
+				Peer:                "peerE",
+				Description:         "Allow",
+				Masquerade:          false,
+				Metric:              9999,
+				Enabled:             true,
+				Groups:              []string{"finance"},
+				AccessControlGroups: []string{"route2"},
+			},
+			"route3": {
+				ID:                  "route3",
+				Network:             netip.MustParsePrefix("192.0.2.0/32"),
+				Domains:             domain.List{"example.com"},
+				NetID:               "route3",
+				NetworkType:         route.DomainNetwork,
+				Peer:                "peerE",
+				Description:         "Allow all traffic to routed DNS network",
+				Masquerade:          false,
+				Metric:              9999,
+				Enabled:             true,
+				Groups:              []string{"contractors"},
+				AccessControlGroups: []string{},
+			},
+		},
+		Policies: []*Policy{
+			{
+				ID:      "RuleRoute1",
+				Name:    "Route1",
+				Enabled: true,
+				Rules: []*PolicyRule{
+					{
+						ID:            "RuleRoute1",
+						Name:          "ruleRoute1",
+						Bidirectional: true,
+						Enabled:       true,
+						Protocol:      PolicyRuleProtocolALL,
+						Action:        PolicyTrafficActionAccept,
+						Ports:         []string{"80", "320"},
+						Sources: []string{
+							"dev",
+						},
+						Destinations: []string{
+							"route1",
+						},
+					},
+				},
+			},
+			{
+				ID:      "RuleRoute2",
+				Name:    "Route2",
+				Enabled: true,
+				Rules: []*PolicyRule{
+					{
+						ID:            "RuleRoute2",
+						Name:          "ruleRoute2",
+						Bidirectional: true,
+						Enabled:       true,
+						Protocol:      PolicyRuleProtocolTCP,
+						Action:        PolicyTrafficActionAccept,
+						PortRanges: []RulePortRange{
+							{
+								Start: 80,
+								End:   350,
+							}, {
+								Start: 80,
+								End:   350,
+							},
+						},
+						Sources: []string{
+							"finance",
+						},
+						Destinations: []string{
+							"route2",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	validatedPeers := make(map[string]struct{})
+	for p := range account.Peers {
+		validatedPeers[p] = struct{}{}
+	}
+
+	t.Run("check applied policies for the route", func(t *testing.T) {
+		route1 := account.Routes["route1"]
+		policies := getAllRoutePoliciesFromGroups(account, route1.AccessControlGroups)
+		assert.Len(t, policies, 1)
+
+		route2 := account.Routes["route2"]
+		policies = getAllRoutePoliciesFromGroups(account, route2.AccessControlGroups)
+		assert.Len(t, policies, 1)
+
+		route3 := account.Routes["route3"]
+		policies = getAllRoutePoliciesFromGroups(account, route3.AccessControlGroups)
+		assert.Len(t, policies, 0)
+	})
+
+	t.Run("check peer routes firewall rules", func(t *testing.T) {
+		routesFirewallRules := account.getPeerRoutesFirewallRules(context.Background(), "peerA", validatedPeers)
+		assert.Len(t, routesFirewallRules, 2)
+
+		expectedRoutesFirewallRules := []*RouteFirewallRule{
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(AllowedIPsFormat, peerCIp),
+					fmt.Sprintf(AllowedIPsFormat, peerHIp),
+					fmt.Sprintf(AllowedIPsFormat, peerBIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.0.0/16",
+				Protocol:    "all",
+				Port:        80,
+			},
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(AllowedIPsFormat, peerCIp),
+					fmt.Sprintf(AllowedIPsFormat, peerHIp),
+					fmt.Sprintf(AllowedIPsFormat, peerBIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.0.0/16",
+				Protocol:    "all",
+				Port:        320,
+			},
+		}
+		assert.ElementsMatch(t, routesFirewallRules, expectedRoutesFirewallRules)
+
+		// peerD is also the routing peer for route1, should contain same routes firewall rules as peerA
+		routesFirewallRules = account.getPeerRoutesFirewallRules(context.Background(), "peerD", validatedPeers)
+		assert.Len(t, routesFirewallRules, 2)
+		assert.ElementsMatch(t, routesFirewallRules, expectedRoutesFirewallRules)
+
+		// peerE is a single routing peer for route 2 and route 3
+		routesFirewallRules = account.getPeerRoutesFirewallRules(context.Background(), "peerE", validatedPeers)
+		assert.Len(t, routesFirewallRules, 3)
+
+		expectedRoutesFirewallRules = []*RouteFirewallRule{
+			{
+				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
+				Action:       "accept",
+				Destination:  existingNetwork.String(),
+				Protocol:     "tcp",
+				PortRange:    RulePortRange{Start: 80, End: 350},
+			},
+			{
+				SourceRanges: []string{"0.0.0.0/0"},
+				Action:       "accept",
+				Destination:  "192.0.2.0/32",
+				Protocol:     "all",
+				IsDynamic:    true,
+			},
+			{
+				SourceRanges: []string{"::/0"},
+				Action:       "accept",
+				Destination:  "192.0.2.0/32",
+				Protocol:     "all",
+				IsDynamic:    true,
+			},
+		}
+		assert.ElementsMatch(t, routesFirewallRules, expectedRoutesFirewallRules)
+
+		// peerC is part of route1 distribution groups but should not receive the routes firewall rules
+		routesFirewallRules = account.getPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
+		assert.Len(t, routesFirewallRules, 0)
+	})
+
+}
--- a/management/server/sql_store.go
+++ b/management/server/sql_store.go
@@ -927,6 +927,28 @@ func NewPostgresqlStoreFromFileStore(ctx context.Context, fileStore *FileStore,
 	return store, nil
 }

+// NewPostgresqlStoreFromSqlStore restores a store from SqlStore and stores Postgres DB.
+func NewPostgresqlStoreFromSqlStore(ctx context.Context, sqliteStore *SqlStore, dsn string, metrics telemetry.AppMetrics) (*SqlStore, error) {
+	store, err := NewPostgresqlStore(ctx, dsn, metrics)
+	if err != nil {
+		return nil, err
+	}
+
+	err = store.SaveInstallationID(ctx, sqliteStore.GetInstallationID())
+	if err != nil {
+		return nil, err
+	}
+
+	for _, account := range sqliteStore.GetAllAccounts(ctx) {
+		err := store.SaveAccount(ctx, account)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return store, nil
+}
+
 func (s *SqlStore) GetSetupKeyBySecret(ctx context.Context, lockStrength LockingStrength, key string) (*SetupKey, error) {
 	var setupKey SetupKey
 	result := s.db.WithContext(ctx).Clauses(clause.Locking{Strength: string(lockStrength)}).
--- a/management/server/sql_store_test.go
+++ b/management/server/sql_store_test.go
@@ -7,7 +7,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"path/filepath"
 	"runtime"
 	"testing"
 	"time"
@@ -25,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/status"

 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/util"
 )

 func TestSqlite_NewStore(t *testing.T) {
@@ -347,7 +345,11 @@ func TestSqlite_GetAccount(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanup()

 	id := "bf1c8084-ba50-4ce7-9439-34653001fc3b"

@@ -367,7 +369,11 @@ func TestSqlite_SavePeer(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanup()

 	account, err := store.GetAccount(context.Background(), "bf1c8084-ba50-4ce7-9439-34653001fc3b")
 	require.NoError(t, err)
@@ -415,7 +421,11 @@ func TestSqlite_SavePeerStatus(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	defer cleanup()
+	if err != nil {
+		t.Fatal(err)
+	}

 	account, err := store.GetAccount(context.Background(), "bf1c8084-ba50-4ce7-9439-34653001fc3b")
 	require.NoError(t, err)
@@ -468,8 +478,11 @@ func TestSqlite_SavePeerLocation(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
-
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	defer cleanup()
+	if err != nil {
+		t.Fatal(err)
+	}
 	account, err := store.GetAccount(context.Background(), "bf1c8084-ba50-4ce7-9439-34653001fc3b")
 	require.NoError(t, err)

@@ -519,8 +532,11 @@ func TestSqlite_TestGetAccountByPrivateDomain(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
-
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	defer cleanup()
+	if err != nil {
+		t.Fatal(err)
+	}
 	existingDomain := "test.com"

 	account, err := store.GetAccountByPrivateDomain(context.Background(), existingDomain)
@@ -539,8 +555,11 @@ func TestSqlite_GetTokenIDByHashedToken(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
-
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	defer cleanup()
+	if err != nil {
+		t.Fatal(err)
+	}
 	hashed := "SoMeHaShEdToKeN"
 	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"

@@ -560,8 +579,11 @@ func TestSqlite_GetUserByTokenID(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/store.json")
-
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/store.sqlite")
+	defer cleanup()
+	if err != nil {
+		t.Fatal(err)
+	}
 	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"

 	user, err := store.GetUserByTokenID(context.Background(), id)
@@ -668,24 +690,9 @@ func newSqliteStore(t *testing.T) *SqlStore {
 	t.Helper()

 	store, err := NewSqliteStore(context.Background(), t.TempDir(), nil)
-	require.NoError(t, err)
-	require.NotNil(t, store)
-
-	return store
-}
-
-func newSqliteStoreFromFile(t *testing.T, filename string) *SqlStore {
-	t.Helper()
-
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents(filename, filepath.Join(storeDir, "store.json"))
-	require.NoError(t, err)
-
-	fStore, err := NewFileStore(context.Background(), storeDir, nil)
-	require.NoError(t, err)
-
-	store, err := NewSqliteStoreFromFileStore(context.Background(), fStore, storeDir, nil)
+	t.Cleanup(func() {
+		store.Close(context.Background())
+	})
 	require.NoError(t, err)
 	require.NotNil(t, store)

@@ -733,32 +740,31 @@ func newPostgresqlStore(t *testing.T) *SqlStore {
 	return store
 }

-func newPostgresqlStoreFromFile(t *testing.T, filename string) *SqlStore {
+func newPostgresqlStoreFromSqlite(t *testing.T, filename string) *SqlStore {
 	t.Helper()

-	storeDir := t.TempDir()
-	err := util.CopyFileContents(filename, filepath.Join(storeDir, "store.json"))
-	require.NoError(t, err)
+	store, cleanUpQ, err := NewSqliteTestStore(context.Background(), t.TempDir(), filename)
+	t.Cleanup(cleanUpQ)
+	if err != nil {
+		return nil
+	}

-	fStore, err := NewFileStore(context.Background(), storeDir, nil)
-	require.NoError(t, err)
-
-	cleanUp, err := testutil.CreatePGDB()
+	cleanUpP, err := testutil.CreatePGDB()
 	if err != nil {
 		t.Fatal(err)
 	}
-	t.Cleanup(cleanUp)
+	t.Cleanup(cleanUpP)

 	postgresDsn, ok := os.LookupEnv(postgresDsnEnv)
 	if !ok {
 		t.Fatalf("could not initialize postgresql store: %s is not set", postgresDsnEnv)
 	}

-	store, err := NewPostgresqlStoreFromFileStore(context.Background(), fStore, postgresDsn, nil)
+	pstore, err := NewPostgresqlStoreFromSqlStore(context.Background(), store, postgresDsn, nil)
 	require.NoError(t, err)
 	require.NotNil(t, store)

-	return store
+	return pstore
 }

 func TestPostgresql_NewStore(t *testing.T) {
@@ -924,7 +930,7 @@ func TestPostgresql_SavePeerStatus(t *testing.T) {
 		t.Skipf("The PostgreSQL store is not properly supported by %s yet", runtime.GOOS)
 	}

-	store := newPostgresqlStoreFromFile(t, "testdata/store.json")
+	store := newPostgresqlStoreFromSqlite(t, "testdata/store.sqlite")

 	account, err := store.GetAccount(context.Background(), "bf1c8084-ba50-4ce7-9439-34653001fc3b")
 	require.NoError(t, err)
@@ -963,7 +969,7 @@ func TestPostgresql_TestGetAccountByPrivateDomain(t *testing.T) {
 		t.Skipf("The PostgreSQL store is not properly supported by %s yet", runtime.GOOS)
 	}

-	store := newPostgresqlStoreFromFile(t, "testdata/store.json")
+	store := newPostgresqlStoreFromSqlite(t, "testdata/store.sqlite")

 	existingDomain := "test.com"

@@ -980,7 +986,7 @@ func TestPostgresql_GetTokenIDByHashedToken(t *testing.T) {
 		t.Skipf("The PostgreSQL store is not properly supported by %s yet", runtime.GOOS)
 	}

-	store := newPostgresqlStoreFromFile(t, "testdata/store.json")
+	store := newPostgresqlStoreFromSqlite(t, "testdata/store.sqlite")

 	hashed := "SoMeHaShEdToKeN"
 	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"
@@ -995,7 +1001,7 @@ func TestPostgresql_GetUserByTokenID(t *testing.T) {
 		t.Skipf("The PostgreSQL store is not properly supported by %s yet", runtime.GOOS)
 	}

-	store := newPostgresqlStoreFromFile(t, "testdata/store.json")
+	store := newPostgresqlStoreFromSqlite(t, "testdata/store.sqlite")

 	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"

@@ -1009,12 +1015,15 @@ func TestSqlite_GetTakenIPs(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
-	defer store.Close(context.Background())
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	defer cleanup()
+	if err != nil {
+		t.Fatal(err)
+	}

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"

-	_, err := store.GetAccount(context.Background(), existingAccountID)
+	_, err = store.GetAccount(context.Background(), existingAccountID)
 	require.NoError(t, err)

 	takenIPs, err := store.GetTakenIPs(context.Background(), LockingStrengthShare, existingAccountID)
@@ -1054,12 +1063,15 @@ func TestSqlite_GetPeerLabelsInAccount(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
-	defer store.Close(context.Background())
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	if err != nil {
+		return
+	}
+	t.Cleanup(cleanup)

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"

-	_, err := store.GetAccount(context.Background(), existingAccountID)
+	_, err = store.GetAccount(context.Background(), existingAccountID)
 	require.NoError(t, err)

 	labels, err := store.GetPeerLabelsInAccount(context.Background(), LockingStrengthShare, existingAccountID)
@@ -1096,12 +1108,15 @@ func TestSqlite_GetAccountNetwork(t *testing.T) {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
-	defer store.Close(context.Background())
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	t.Cleanup(cleanup)
+	if err != nil {
+		t.Fatal(err)
+	}

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"

-	_, err := store.GetAccount(context.Background(), existingAccountID)
+	_, err = store.GetAccount(context.Background(), existingAccountID)
 	require.NoError(t, err)

 	network, err := store.GetAccountNetwork(context.Background(), LockingStrengthShare, existingAccountID)
@@ -1118,12 +1133,15 @@ func TestSqlite_GetSetupKeyBySecret(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}
-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
-	defer store.Close(context.Background())
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	t.Cleanup(cleanup)
+	if err != nil {
+		t.Fatal(err)
+	}

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"

-	_, err := store.GetAccount(context.Background(), existingAccountID)
+	_, err = store.GetAccount(context.Background(), existingAccountID)
 	require.NoError(t, err)

 	setupKey, err := store.GetSetupKeyBySecret(context.Background(), LockingStrengthShare, "A2C8E62B-38F5-4553-B31E-DD66C696CEBB")
@@ -1137,12 +1155,16 @@ func TestSqlite_incrementSetupKeyUsage(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}
-	store := newSqliteStoreFromFile(t, "testdata/extended-store.json")
-	defer store.Close(context.Background())
+
+	store, cleanup, err := NewSqliteTestStore(context.Background(), t.TempDir(), "testdata/extended-store.sqlite")
+	t.Cleanup(cleanup)
+	if err != nil {
+		t.Fatal(err)
+	}

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"

-	_, err := store.GetAccount(context.Background(), existingAccountID)
+	_, err = store.GetAccount(context.Background(), existingAccountID)
 	require.NoError(t, err)

 	setupKey, err := store.GetSetupKeyBySecret(context.Background(), LockingStrengthShare, "A2C8E62B-38F5-4553-B31E-DD66C696CEBB")
--- a/management/server/store.go
+++ b/management/server/store.go
@@ -12,10 +12,11 @@ import (
 	"strings"
 	"time"

-	"github.com/netbirdio/netbird/dns"
 	log "github.com/sirupsen/logrus"
 	"gorm.io/gorm"

+	"github.com/netbirdio/netbird/dns"
+
 	nbgroup "github.com/netbirdio/netbird/management/server/group"

 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -239,23 +240,29 @@ func getMigrations(ctx context.Context) []migrationFunc {
 	}
 }

-// NewTestStoreFromJson is only used in tests
-func NewTestStoreFromJson(ctx context.Context, dataDir string) (Store, func(), error) {
-	fstore, err := NewFileStore(ctx, dataDir, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-
+// NewTestStoreFromSqlite is only used in tests
+func NewTestStoreFromSqlite(ctx context.Context, filename string, dataDir string) (Store, func(), error) {
 	// if store engine is not set in the config we first try to evaluate NETBIRD_STORE_ENGINE
 	kind := getStoreEngineFromEnv()
 	if kind == "" {
 		kind = SqliteStoreEngine
 	}

-	var (
-		store   Store
-		cleanUp func()
-	)
+	var store *SqlStore
+	var err error
+	var cleanUp func()
+
+	if filename == "" {
+		store, err = NewSqliteStore(ctx, dataDir, nil)
+		cleanUp = func() {
+			store.Close(ctx)
+		}
+	} else {
+		store, cleanUp, err = NewSqliteTestStore(ctx, dataDir, filename)
+	}
+	if err != nil {
+		return nil, nil, err
+	}

 	if kind == PostgresStoreEngine {
 		cleanUp, err = testutil.CreatePGDB()
@@ -268,21 +275,32 @@ func NewTestStoreFromJson(ctx context.Context, dataDir string) (Store, func(), e
 			return nil, nil, fmt.Errorf("%s is not set", postgresDsnEnv)
 		}

-		store, err = NewPostgresqlStoreFromFileStore(ctx, fstore, dsn, nil)
+		store, err = NewPostgresqlStoreFromSqlStore(ctx, store, dsn, nil)
 		if err != nil {
 			return nil, nil, err
 		}
-	} else {
-		store, err = NewSqliteStoreFromFileStore(ctx, fstore, dataDir, nil)
-		if err != nil {
-			return nil, nil, err
-		}
-		cleanUp = func() { store.Close(ctx) }
 	}

 	return store, cleanUp, nil
 }

+func NewSqliteTestStore(ctx context.Context, dataDir string, testFile string) (*SqlStore, func(), error) {
+	err := util.CopyFileContents(testFile, filepath.Join(dataDir, "store.db"))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	store, err := NewSqliteStore(ctx, dataDir, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return store, func() {
+		store.Close(ctx)
+		os.Remove(filepath.Join(dataDir, "store.db"))
+	}, nil
+}
+
 // MigrateFileStoreToSqlite migrates the file store to the SQLite store.
 func MigrateFileStoreToSqlite(ctx context.Context, dataDir string) error {
 	fileStorePath := path.Join(dataDir, storeFileName)
--- a/management/server/store_test.go
+++ b/management/server/store_test.go
@@ -14,12 +14,6 @@ type benchCase struct {
 	size    int
 }

-var newFs = func(b *testing.B) Store {
-	b.Helper()
-	store, _ := NewFileStore(context.Background(), b.TempDir(), nil)
-	return store
-}
-
 var newSqlite = func(b *testing.B) Store {
 	b.Helper()
 	store, _ := NewSqliteStore(context.Background(), b.TempDir(), nil)
@@ -28,13 +22,9 @@ var newSqlite = func(b *testing.B) Store {

 func BenchmarkTest_StoreWrite(b *testing.B) {
 	cases := []benchCase{
-		{name: "FileStore_Write", storeFn: newFs, size: 100},
 		{name: "SqliteStore_Write", storeFn: newSqlite, size: 100},
-		{name: "FileStore_Write", storeFn: newFs, size: 500},
 		{name: "SqliteStore_Write", storeFn: newSqlite, size: 500},
-		{name: "FileStore_Write", storeFn: newFs, size: 1000},
 		{name: "SqliteStore_Write", storeFn: newSqlite, size: 1000},
-		{name: "FileStore_Write", storeFn: newFs, size: 2000},
 		{name: "SqliteStore_Write", storeFn: newSqlite, size: 2000},
 	}

@@ -61,11 +51,8 @@ func BenchmarkTest_StoreWrite(b *testing.B) {

 func BenchmarkTest_StoreRead(b *testing.B) {
 	cases := []benchCase{
-		{name: "FileStore_Read", storeFn: newFs, size: 100},
 		{name: "SqliteStore_Read", storeFn: newSqlite, size: 100},
-		{name: "FileStore_Read", storeFn: newFs, size: 500},
 		{name: "SqliteStore_Read", storeFn: newSqlite, size: 500},
-		{name: "FileStore_Read", storeFn: newFs, size: 1000},
 		{name: "SqliteStore_Read", storeFn: newSqlite, size: 1000},
 	}

@@ -89,3 +76,11 @@ func BenchmarkTest_StoreRead(b *testing.B) {
 		})
 	}
 }
+
+func newStore(t *testing.T) Store {
+	t.Helper()
+
+	store := newSqliteStore(t)
+
+	return store
+}
--- a/management/server/testdata/extended-store.json
+++ b/management/server/testdata/extended-store.json
@@ -1,120 +0,0 @@
-{
-    "Accounts": {
-        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
-            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-            "CreatedBy": "",
-            "Domain": "test.com",
-            "DomainCategory": "private",
-            "IsDomainPrimaryAccount": true,
-            "SetupKeys": {
-                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
-                    "Id": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
-                    "AccountID": "",
-                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
-                    "Name": "Default key",
-                    "Type": "reusable",
-                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
-                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
-                    "UpdatedAt": "0001-01-01T00:00:00Z",
-                    "Revoked": false,
-                    "UsedTimes": 0,
-                    "LastUsed": "0001-01-01T00:00:00Z",
-                    "AutoGroups": ["cfefqs706sqkneg59g2g"],
-                    "UsageLimit": 0,
-                    "Ephemeral": false
-                },
-                "A2C8E62B-38F5-4553-B31E-DD66C696CEBC": {
-                    "Id": "A2C8E62B-38F5-4553-B31E-DD66C696CEBC",
-                    "AccountID": "",
-                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBC",
-                    "Name": "Faulty key with non existing group",
-                    "Type": "reusable",
-                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
-                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
-                    "UpdatedAt": "0001-01-01T00:00:00Z",
-                    "Revoked": false,
-                    "UsedTimes": 0,
-                    "LastUsed": "0001-01-01T00:00:00Z",
-                    "AutoGroups": ["abcd"],
-                    "UsageLimit": 0,
-                    "Ephemeral": false
-                }
-            },
-            "Network": {
-                "id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
-                "Net": {
-                    "IP": "100.64.0.0",
-                    "Mask": "//8AAA=="
-                },
-                "Dns": "",
-                "Serial": 0
-            },
-            "Peers": {},
-            "Users": {
-                "edafee4e-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "AccountID": "",
-                    "Role": "admin",
-                    "IsServiceUser": false,
-                    "ServiceUserName": "",
-                    "AutoGroups": ["cfefqs706sqkneg59g3g"],
-                    "PATs": {},
-                    "Blocked": false,
-                    "LastLogin": "0001-01-01T00:00:00Z"
-                },
-                "f4f6d672-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "f4f6d672-63fb-11ec-90d6-0242ac120003",
-                    "AccountID": "",
-                    "Role": "user",
-                    "IsServiceUser": false,
-                    "ServiceUserName": "",
-                    "AutoGroups": null,
-                    "PATs": {
-                        "9dj38s35-63fb-11ec-90d6-0242ac120003": {
-                            "ID": "9dj38s35-63fb-11ec-90d6-0242ac120003",
-                            "UserID": "",
-                            "Name": "",
-                            "HashedToken": "SoMeHaShEdToKeN",
-                            "ExpirationDate": "2023-02-27T00:00:00Z",
-                            "CreatedBy": "user",
-                            "CreatedAt": "2023-01-01T00:00:00Z",
-                            "LastUsed": "2023-02-01T00:00:00Z"
-                        }
-                    },
-                    "Blocked": false,
-                    "LastLogin": "0001-01-01T00:00:00Z"
-                }
-            },
-            "Groups": {
-              "cfefqs706sqkneg59g4g": {
-                "ID": "cfefqs706sqkneg59g4g",
-                "Name": "All",
-                "Peers": []
-              },
-              "cfefqs706sqkneg59g3g": {
-                "ID": "cfefqs706sqkneg59g3g",
-                "Name": "AwesomeGroup1",
-                "Peers": []
-              },
-              "cfefqs706sqkneg59g2g": {
-                "ID": "cfefqs706sqkneg59g2g",
-                "Name": "AwesomeGroup2",
-                "Peers": []
-              }
-            },
-            "Rules": null,
-            "Policies": [],
-            "Routes": null,
-            "NameServerGroups": null,
-            "DNSSettings": null,
-            "Settings": {
-                "PeerLoginExpirationEnabled": false,
-                "PeerLoginExpiration": 86400000000000,
-                "GroupsPropagationEnabled": false,
-                "JWTGroupsEnabled": false,
-                "JWTGroupsClaimName": ""
-            }
-        }
-    },
-    "InstallationID": ""
-}
--- a/management/server/testdata/extended-store.sqlite
+++ b/management/server/testdata/extended-store.sqlite
--- a/management/server/testdata/store.json
+++ b/management/server/testdata/store.json
@@ -1,88 +0,0 @@
-{
-    "Accounts": {
-        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
-            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-            "CreatedBy": "",
-            "Domain": "test.com",
-            "DomainCategory": "private",
-            "IsDomainPrimaryAccount": true,
-            "SetupKeys": {
-                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
-                    "Id": "",
-                    "AccountID": "",
-                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
-                    "Name": "Default key",
-                    "Type": "reusable",
-                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
-                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
-                    "UpdatedAt": "0001-01-01T00:00:00Z",
-                    "Revoked": false,
-                    "UsedTimes": 0,
-                    "LastUsed": "0001-01-01T00:00:00Z",
-                    "AutoGroups": null,
-                    "UsageLimit": 0,
-                    "Ephemeral": false
-                }
-            },
-            "Network": {
-                "id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
-                "Net": {
-                    "IP": "100.64.0.0",
-                    "Mask": "//8AAA=="
-                },
-                "Dns": "",
-                "Serial": 0
-            },
-            "Peers": {},
-            "Users": {
-                "edafee4e-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "AccountID": "",
-                    "Role": "admin",
-                    "IsServiceUser": false,
-                    "ServiceUserName": "",
-                    "AutoGroups": null,
-                    "PATs": {},
-                    "Blocked": false,
-                    "LastLogin": "0001-01-01T00:00:00Z"
-                },
-                "f4f6d672-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "f4f6d672-63fb-11ec-90d6-0242ac120003",
-                    "AccountID": "",
-                    "Role": "user",
-                    "IsServiceUser": false,
-                    "ServiceUserName": "",
-                    "AutoGroups": null,
-                    "PATs": {
-                        "9dj38s35-63fb-11ec-90d6-0242ac120003": {
-                            "ID": "9dj38s35-63fb-11ec-90d6-0242ac120003",
-                            "UserID": "",
-                            "Name": "",
-                            "HashedToken": "SoMeHaShEdToKeN",
-                            "ExpirationDate": "2023-02-27T00:00:00Z",
-                            "CreatedBy": "user",
-                            "CreatedAt": "2023-01-01T00:00:00Z",
-                            "LastUsed": "2023-02-01T00:00:00Z"
-                        }
-                    },
-                    "Blocked": false,
-                    "LastLogin": "0001-01-01T00:00:00Z"
-                }
-            },
-            "Groups": null,
-            "Rules": null,
-            "Policies": [],
-            "Routes": null,
-            "NameServerGroups": null,
-            "DNSSettings": null,
-            "Settings": {
-                "PeerLoginExpirationEnabled": false,
-                "PeerLoginExpiration": 86400000000000,
-                "GroupsPropagationEnabled": false,
-                "JWTGroupsEnabled": false,
-                "JWTGroupsClaimName": ""
-            }
-        }
-    },
-    "InstallationID": ""
-}
--- a/management/server/testdata/store.sqlite
+++ b/management/server/testdata/store.sqlite
--- a/management/server/testdata/store_policy_migrate.json
+++ b/management/server/testdata/store_policy_migrate.json
@@ -1,116 +0,0 @@
-{
-    "Accounts": {
-        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
-            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-            "Domain": "test.com",
-            "DomainCategory": "private",
-            "IsDomainPrimaryAccount": true,
-            "SetupKeys": {
-                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
-                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
-                    "Name": "Default key",
-                    "Type": "reusable",
-                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
-                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
-                    "Revoked": false,
-                    "UsedTimes": 0
-                }
-            },
-            "Network": {
-                "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
-                "Net": {
-                    "IP": "100.64.0.0",
-                    "Mask": "//8AAA=="
-                },
-                "Dns": null
-            },
-            "Peers": {
-                "cfefqs706sqkneg59g4g": {
-                    "ID": "cfefqs706sqkneg59g4g",
-                    "Key": "MI5mHfJhbggPfD3FqEIsXm8X5bSWeUI2LhO9MpEEtWA=",
-                    "SetupKey": "",
-                    "IP": "100.103.179.238",
-                    "Meta": {
-                        "Hostname": "Ubuntu-2204-jammy-amd64-base",
-                        "GoOS": "linux",
-                        "Kernel": "Linux",
-                        "Core": "22.04",
-                        "Platform": "x86_64",
-                        "OS": "Ubuntu",
-                        "WtVersion": "development",
-                        "UIVersion": ""
-                    },
-                    "Name": "crocodile",
-                    "DNSLabel": "crocodile",
-                    "Status": {
-                        "LastSeen": "2023-02-13T12:37:12.635454796Z",
-                        "Connected": true
-                    },
-                    "UserID": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "SSHKey": "AAAAC3NzaC1lZDI1NTE5AAAAIJN1NM4bpB9K",
-                    "SSHEnabled": false
-                },
-                "cfeg6sf06sqkneg59g50": {
-                    "ID": "cfeg6sf06sqkneg59g50",
-                    "Key": "zMAOKUeIYIuun4n0xPR1b3IdYZPmsyjYmB2jWCuloC4=",
-                    "SetupKey": "",
-                    "IP": "100.103.26.180",
-                    "Meta": {
-                        "Hostname": "borg",
-                        "GoOS": "linux",
-                        "Kernel": "Linux",
-                        "Core": "22.04",
-                        "Platform": "x86_64",
-                        "OS": "Ubuntu",
-                        "WtVersion": "development",
-                        "UIVersion": ""
-                    },
-                    "Name": "dingo",
-                    "DNSLabel": "dingo",
-                    "Status": {
-                        "LastSeen": "2023-02-21T09:37:42.565899199Z",
-                        "Connected": false
-                    },
-                    "UserID": "f4f6d672-63fb-11ec-90d6-0242ac120003",
-                    "SSHKey": "AAAAC3NzaC1lZDI1NTE5AAAAILHW",
-                    "SSHEnabled": true
-                }
-            },
-            "Groups": {
-                "cfefqs706sqkneg59g3g": {
-                    "ID": "cfefqs706sqkneg59g3g",
-                    "Name": "All",
-                    "Peers": [
-                        "cfefqs706sqkneg59g4g",
-                        "cfeg6sf06sqkneg59g50"
-                    ]
-                }
-            },
-            "Rules": {
-                "cfefqs706sqkneg59g40": {
-                    "ID": "cfefqs706sqkneg59g40",
-                    "Name": "Default",
-                    "Description": "This is a default rule that allows connections between all the resources",
-                    "Disabled": false,
-                    "Source": [
-                        "cfefqs706sqkneg59g3g"
-                    ],
-                    "Destination": [
-                        "cfefqs706sqkneg59g3g"
-                    ],
-                    "Flow": 0
-                }
-            },
-            "Users": {
-                "edafee4e-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "Role": "admin"
-                },
-                "f4f6d672-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "f4f6d672-63fb-11ec-90d6-0242ac120003",
-                    "Role": "user"
-                }
-            }
-        }
-    }
-}
--- a/management/server/testdata/store_policy_migrate.sqlite
+++ b/management/server/testdata/store_policy_migrate.sqlite
--- a/management/server/testdata/store_with_expired_peers.json
+++ b/management/server/testdata/store_with_expired_peers.json
@@ -1,130 +0,0 @@
-{
-    "Accounts": {
-        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
-            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-            "Domain": "test.com",
-            "DomainCategory": "private",
-            "IsDomainPrimaryAccount": true,
-            "Settings": {
-                "PeerLoginExpirationEnabled": true,
-                "PeerLoginExpiration": 3600000000000
-            },
-            "SetupKeys": {
-                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
-                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
-                    "Name": "Default key",
-                    "Type": "reusable",
-                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
-                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
-                    "Revoked": false,
-                    "UsedTimes": 0
-
-                }
-            },
-            "Network": {
-                "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
-                "Net": {
-                    "IP": "100.64.0.0",
-                    "Mask": "//8AAA=="
-                },
-                "Dns": null
-            },
-            "Peers": {
-                "cfvprsrlo1hqoo49ohog": {
-                    "ID": "cfvprsrlo1hqoo49ohog",
-                    "Key": "5rvhvriKJZ3S9oxYToVj5TzDM9u9y8cxg7htIMWlYAg=",
-                    "SetupKey": "72546A29-6BC8-4311-BCFC-9CDBF33F1A48",
-                    "IP": "100.64.114.31",
-                    "Meta": {
-                        "Hostname": "f2a34f6a4731",
-                        "GoOS": "linux",
-                        "Kernel": "Linux",
-                        "Core": "11",
-                        "Platform": "unknown",
-                        "OS": "Debian GNU/Linux",
-                        "WtVersion": "0.12.0",
-                        "UIVersion": ""
-                    },
-                    "Name": "f2a34f6a4731",
-                    "DNSLabel": "f2a34f6a4731",
-                    "Status": {
-                        "LastSeen": "2023-03-02T09:21:02.189035775+01:00",
-                        "Connected": false,
-                        "LoginExpired": false
-                    },
-                    "UserID": "",
-                    "SSHKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzUUSYG/LGnV8zarb2SGN+tib/PZ+M7cL4WtTzUrTpk",
-                    "SSHEnabled": false,
-                    "LoginExpirationEnabled": true,
-                    "LastLogin": "2023-03-01T19:48:19.817799698+01:00"
-                },
-                "cg05lnblo1hkg2j514p0": {
-                    "ID": "cg05lnblo1hkg2j514p0",
-                    "Key": "RlSy2vzoG2HyMBTUImXOiVhCBiiBa5qD5xzMxkiFDW4=",
-                    "SetupKey": "",
-                    "IP": "100.64.39.54",
-                    "Meta": {
-                        "Hostname": "expiredhost",
-                        "GoOS": "linux",
-                        "Kernel": "Linux",
-                        "Core": "22.04",
-                        "Platform": "x86_64",
-                        "OS": "Ubuntu",
-                        "WtVersion": "development",
-                        "UIVersion": ""
-                    },
-                    "Name": "expiredhost",
-                    "DNSLabel": "expiredhost",
-                    "Status": {
-                        "LastSeen": "2023-03-02T09:19:57.276717255+01:00",
-                        "Connected": false,
-                        "LoginExpired": true
-                    },
-                    "UserID": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "SSHKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMbK5ZXJsGOOWoBT4OmkPtgdPZe2Q7bDuS/zjn2CZxhK",
-                    "SSHEnabled": false,
-                    "LoginExpirationEnabled": true,
-                    "LastLogin": "2023-03-02T09:14:21.791679181+01:00"
-                },
-                "cg3161rlo1hs9cq94gdg": {
-                    "ID": "cg3161rlo1hs9cq94gdg",
-                    "Key": "mVABSKj28gv+JRsf7e0NEGKgSOGTfU/nPB2cpuG56HU=",
-                    "SetupKey": "",
-                    "IP": "100.64.117.96",
-                    "Meta": {
-                        "Hostname": "testhost",
-                        "GoOS": "linux",
-                        "Kernel": "Linux",
-                        "Core": "22.04",
-                        "Platform": "x86_64",
-                        "OS": "Ubuntu",
-                        "WtVersion": "development",
-                        "UIVersion": ""
-                    },
-                    "Name": "testhost",
-                    "DNSLabel": "testhost",
-                    "Status": {
-                        "LastSeen": "2023-03-06T18:21:27.252010027+01:00",
-                        "Connected": false,
-                        "LoginExpired": false
-                    },
-                    "UserID": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "SSHKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWvvUkFFcrj48CWTkNUb/do/n52i1L5dH4DhGu+4ZuM",
-                    "SSHEnabled": false,
-                    "LoginExpirationEnabled": false,
-                    "LastLogin": "2023-03-07T09:02:47.442857106+01:00"
-                }
-            },
-            "Users": {
-                "edafee4e-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "edafee4e-63fb-11ec-90d6-0242ac120003",
-                    "Role": "admin"
-                },
-                "f4f6d672-63fb-11ec-90d6-0242ac120003": {
-                    "Id": "f4f6d672-63fb-11ec-90d6-0242ac120003",
-                    "Role": "user"
-                }
-            }
-        }
-    }
-}
--- a/management/server/testdata/store_with_expired_peers.sqlite
+++ b/management/server/testdata/store_with_expired_peers.sqlite
--- a/management/server/testdata/storev1.json
+++ b/management/server/testdata/storev1.json
@@ -1,154 +0,0 @@
-{
-  "Accounts": {
-    "auth0|61bf82ddeab084006aa1bccd": {
-      "Id": "auth0|61bf82ddeab084006aa1bccd",
-      "SetupKeys": {
-        "1B2B50B0-B3E8-4B0C-A426-525EDB8481BD": {
-          "Id": "831727121",
-          "Key": "1B2B50B0-B3E8-4B0C-A426-525EDB8481BD",
-          "Name": "One-off key",
-          "Type": "one-off",
-          "CreatedAt": "2021-12-24T16:09:45.926075752+01:00",
-          "ExpiresAt": "2022-01-23T16:09:45.926075752+01:00",
-          "Revoked": false,
-          "UsedTimes": 1,
-          "LastUsed": "2021-12-24T16:12:45.763424077+01:00"
-        },
-        "EB51E9EB-A11F-4F6E-8E49-C982891B405A": {
-          "Id": "1769568301",
-          "Key": "EB51E9EB-A11F-4F6E-8E49-C982891B405A",
-          "Name": "Default key",
-          "Type": "reusable",
-          "CreatedAt": "2021-12-24T16:09:45.926073628+01:00",
-          "ExpiresAt": "2022-01-23T16:09:45.926073628+01:00",
-          "Revoked": false,
-          "UsedTimes": 1,
-          "LastUsed": "2021-12-24T16:13:06.236748538+01:00"
-        }
-      },
-      "Network": {
-        "Id": "a443c07a-5765-4a78-97fc-390d9c1d0e49",
-        "Net": {
-          "IP": "100.64.0.0",
-          "Mask": "/8AAAA=="
-        },
-        "Dns": ""
-      },
-      "Peers": {
-        "oMNaI8qWi0CyclSuwGR++SurxJyM3pQEiPEHwX8IREo=": {
-          "Key": "oMNaI8qWi0CyclSuwGR++SurxJyM3pQEiPEHwX8IREo=",
-          "SetupKey": "EB51E9EB-A11F-4F6E-8E49-C982891B405A",
-          "IP": "100.64.0.2",
-          "Meta": {
-            "Hostname": "braginini",
-            "GoOS": "linux",
-            "Kernel": "Linux",
-            "Core": "21.04",
-            "Platform": "x86_64",
-            "OS": "Ubuntu",
-            "WtVersion": ""
-          },
-          "Name": "braginini",
-          "Status": {
-            "LastSeen": "2021-12-24T16:13:11.244342541+01:00",
-            "Connected": false
-          }
-        },
-        "xlx9/9D8+ibnRiIIB8nHGMxGOzxV17r8ShPHgi4aYSM=": {
-          "Key": "xlx9/9D8+ibnRiIIB8nHGMxGOzxV17r8ShPHgi4aYSM=",
-          "SetupKey": "1B2B50B0-B3E8-4B0C-A426-525EDB8481BD",
-          "IP": "100.64.0.1",
-          "Meta": {
-            "Hostname": "braginini",
-            "GoOS": "linux",
-            "Kernel": "Linux",
-            "Core": "21.04",
-            "Platform": "x86_64",
-            "OS": "Ubuntu",
-            "WtVersion": ""
-          },
-          "Name": "braginini",
-          "Status": {
-            "LastSeen": "2021-12-24T16:12:49.089339333+01:00",
-            "Connected": false
-          }
-        }
-      }
-    },
-    "google-oauth2|103201118415301331038": {
-      "Id": "google-oauth2|103201118415301331038",
-      "SetupKeys": {
-        "5AFB60DB-61F2-4251-8E11-494847EE88E9": {
-          "Id": "2485964613",
-          "Key": "5AFB60DB-61F2-4251-8E11-494847EE88E9",
-          "Name": "Default key",
-          "Type": "reusable",
-          "CreatedAt": "2021-12-24T16:10:02.238476+01:00",
-          "ExpiresAt": "2022-01-23T16:10:02.238476+01:00",
-          "Revoked": false,
-          "UsedTimes": 1,
-          "LastUsed": "2021-12-24T16:12:05.994307717+01:00"
-        },
-        "A72E4DC2-00DE-4542-8A24-62945438104E": {
-          "Id": "3504804807",
-          "Key": "A72E4DC2-00DE-4542-8A24-62945438104E",
-          "Name": "One-off key",
-          "Type": "one-off",
-          "CreatedAt": "2021-12-24T16:10:02.238478209+01:00",
-          "ExpiresAt": "2022-01-23T16:10:02.238478209+01:00",
-          "Revoked": false,
-          "UsedTimes": 1,
-          "LastUsed": "2021-12-24T16:11:27.015741738+01:00"
-        }
-      },
-      "Network": {
-        "Id": "b6d0b152-364e-40c1-a8a1-fa7bcac2267f",
-        "Net": {
-          "IP": "100.64.0.0",
-          "Mask": "/8AAAA=="
-        },
-        "Dns": ""
-      },
-      "Peers": {
-        "6kjbmVq1hmucVzvBXo5OucY5OYv+jSsB1jUTLq291Dw=": {
-          "Key": "6kjbmVq1hmucVzvBXo5OucY5OYv+jSsB1jUTLq291Dw=",
-          "SetupKey": "5AFB60DB-61F2-4251-8E11-494847EE88E9",
-          "IP": "100.64.0.2",
-          "Meta": {
-            "Hostname": "braginini",
-            "GoOS": "linux",
-            "Kernel": "Linux",
-            "Core": "21.04",
-            "Platform": "x86_64",
-            "OS": "Ubuntu",
-            "WtVersion": ""
-          },
-          "Name": "braginini",
-          "Status": {
-            "LastSeen": "2021-12-24T16:12:05.994305438+01:00",
-            "Connected": false
-          }
-        },
-        "Ok+5QMdt/UjoktNOvicGYj+IX2g98p+0N2PJ3vJ45RI=": {
-          "Key": "Ok+5QMdt/UjoktNOvicGYj+IX2g98p+0N2PJ3vJ45RI=",
-          "SetupKey": "A72E4DC2-00DE-4542-8A24-62945438104E",
-          "IP": "100.64.0.1",
-          "Meta": {
-            "Hostname": "braginini",
-            "GoOS": "linux",
-            "Kernel": "Linux",
-            "Core": "21.04",
-            "Platform": "x86_64",
-            "OS": "Ubuntu",
-            "WtVersion": ""
-          },
-          "Name": "braginini",
-          "Status": {
-            "LastSeen": "2021-12-24T16:11:27.015739803+01:00",
-            "Connected": false
-          }
-        }
-      }
-    }
-  }
-}
--- a/management/server/testdata/storev1.sqlite
+++ b/management/server/testdata/storev1.sqlite
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -59,8 +59,10 @@ func TestUser_CreatePAT_ForSameUser(t *testing.T) {

 	assert.Equal(t, pat.CreatedBy, mockUserID)

-	fileStore := am.Store.(*FileStore)
-	tokenID := fileStore.HashedPAT2TokenID[pat.HashedToken]
+	tokenID, err := am.Store.GetTokenIDByHashedToken(context.Background(), pat.HashedToken)
+	if err != nil {
+		t.Fatalf("Error when getting token ID by hashed token: %s", err)
+	}

 	if tokenID == "" {
 		t.Fatal("GetTokenIDByHashedToken failed after adding PAT")
@@ -68,11 +70,12 @@ func TestUser_CreatePAT_ForSameUser(t *testing.T) {

 	assert.Equal(t, pat.ID, tokenID)

-	userID := fileStore.TokenID2UserID[tokenID]
-	if userID == "" {
-		t.Fatal("GetUserByTokenId failed after adding PAT")
+	user, err := am.Store.GetUserByTokenID(context.Background(), tokenID)
+	if err != nil {
+		t.Fatalf("Error when getting user by token ID: %s", err)
 	}
-	assert.Equal(t, mockUserID, userID)
+
+	assert.Equal(t, mockUserID, user.Id)
 }

 func TestUser_CreatePAT_ForDifferentUser(t *testing.T) {
@@ -189,9 +192,12 @@ func TestUser_DeletePAT(t *testing.T) {
 		t.Fatalf("Error when adding PAT to user: %s", err)
 	}

-	assert.Nil(t, store.Accounts[mockAccountID].Users[mockUserID].PATs[mockTokenID1])
-	assert.Empty(t, store.HashedPAT2TokenID[mockToken1])
-	assert.Empty(t, store.TokenID2UserID[mockTokenID1])
+	account, err = store.GetAccount(context.Background(), mockAccountID)
+	if err != nil {
+		t.Fatalf("Error when getting account: %s", err)
+	}
+
+	assert.Nil(t, account.Users[mockUserID].PATs[mockTokenID1])
 }

 func TestUser_GetPAT(t *testing.T) {
@@ -350,13 +356,16 @@ func TestUser_CreateServiceUser(t *testing.T) {
 		t.Fatalf("Error when creating service user: %s", err)
 	}

-	assert.Equal(t, 2, len(store.Accounts[mockAccountID].Users))
-	assert.NotNil(t, store.Accounts[mockAccountID].Users[user.ID])
-	assert.True(t, store.Accounts[mockAccountID].Users[user.ID].IsServiceUser)
-	assert.Equal(t, mockServiceUserName, store.Accounts[mockAccountID].Users[user.ID].ServiceUserName)
-	assert.Equal(t, UserRole(mockRole), store.Accounts[mockAccountID].Users[user.ID].Role)
-	assert.Equal(t, []string{"group1", "group2"}, store.Accounts[mockAccountID].Users[user.ID].AutoGroups)
-	assert.Equal(t, map[string]*PersonalAccessToken{}, store.Accounts[mockAccountID].Users[user.ID].PATs)
+	account, err = store.GetAccount(context.Background(), mockAccountID)
+	assert.NoError(t, err)
+
+	assert.Equal(t, 2, len(account.Users))
+	assert.NotNil(t, account.Users[user.ID])
+	assert.True(t, account.Users[user.ID].IsServiceUser)
+	assert.Equal(t, mockServiceUserName, account.Users[user.ID].ServiceUserName)
+	assert.Equal(t, UserRole(mockRole), account.Users[user.ID].Role)
+	assert.Equal(t, []string{"group1", "group2"}, account.Users[user.ID].AutoGroups)
+	assert.Equal(t, map[string]*PersonalAccessToken{}, account.Users[user.ID].PATs)

 	assert.Zero(t, user.Email)
 	assert.True(t, user.IsServiceUser)
@@ -394,12 +403,15 @@ func TestUser_CreateUser_ServiceUser(t *testing.T) {
 		t.Fatalf("Error when creating user: %s", err)
 	}

+	account, err = store.GetAccount(context.Background(), mockAccountID)
+	assert.NoError(t, err)
+
 	assert.True(t, user.IsServiceUser)
-	assert.Equal(t, 2, len(store.Accounts[mockAccountID].Users))
-	assert.True(t, store.Accounts[mockAccountID].Users[user.ID].IsServiceUser)
-	assert.Equal(t, mockServiceUserName, store.Accounts[mockAccountID].Users[user.ID].ServiceUserName)
-	assert.Equal(t, UserRole(mockRole), store.Accounts[mockAccountID].Users[user.ID].Role)
-	assert.Equal(t, []string{"group1", "group2"}, store.Accounts[mockAccountID].Users[user.ID].AutoGroups)
+	assert.Equal(t, 2, len(account.Users))
+	assert.True(t, account.Users[user.ID].IsServiceUser)
+	assert.Equal(t, mockServiceUserName, account.Users[user.ID].ServiceUserName)
+	assert.Equal(t, UserRole(mockRole), account.Users[user.ID].Role)
+	assert.Equal(t, []string{"group1", "group2"}, account.Users[user.ID].AutoGroups)

 	assert.Equal(t, mockServiceUserName, user.Name)
 	assert.Equal(t, mockRole, user.Role)
@@ -550,12 +562,15 @@ func TestUser_DeleteUser_ServiceUser(t *testing.T) {
 			err = am.DeleteUser(context.Background(), mockAccountID, mockUserID, mockServiceUserID)
 			tt.assertErrFunc(t, err, tt.assertErrMessage)

+			account, err2 := store.GetAccount(context.Background(), mockAccountID)
+			assert.NoError(t, err2)
+
 			if err != nil {
-				assert.Equal(t, 2, len(store.Accounts[mockAccountID].Users))
-				assert.NotNil(t, store.Accounts[mockAccountID].Users[mockServiceUserID])
+				assert.Equal(t, 2, len(account.Users))
+				assert.NotNil(t, account.Users[mockServiceUserID])
 			} else {
-				assert.Equal(t, 1, len(store.Accounts[mockAccountID].Users))
-				assert.Nil(t, store.Accounts[mockAccountID].Users[mockServiceUserID])
+				assert.Equal(t, 1, len(account.Users))
+				assert.Nil(t, account.Users[mockServiceUserID])
 			}
 		})
 	}