[client, management] Add new network concept (#3047)

--------- Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com> Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Maycon Santos <mlsmaycon@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
2026-04-18 08:16:39 +00:00 · 2024-12-20 11:30:28 +01:00
parent 37ad370344
commit ddc365f7a0
155 changed files with 13909 additions and 4993 deletions
--- a/management/server/networks/manager.go
+++ b/management/server/networks/manager.go
@@ -0,0 +1,187 @@
+package networks
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/rs/xid"
+
+	s "github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/networks/resources"
+	"github.com/netbirdio/netbird/management/server/networks/routers"
+	"github.com/netbirdio/netbird/management/server/networks/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/store"
+)
+
+type Manager interface {
+	GetAllNetworks(ctx context.Context, accountID, userID string) ([]*types.Network, error)
+	CreateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error)
+	GetNetwork(ctx context.Context, accountID, userID, networkID string) (*types.Network, error)
+	UpdateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error)
+	DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error
+}
+
+type managerImpl struct {
+	store              store.Store
+	accountManager     s.AccountManager
+	permissionsManager permissions.Manager
+	resourcesManager   resources.Manager
+	routersManager     routers.Manager
+}
+
+func NewManager(store store.Store, permissionsManager permissions.Manager, resourceManager resources.Manager, routersManager routers.Manager, accountManager s.AccountManager) Manager {
+	return &managerImpl{
+		store:              store,
+		permissionsManager: permissionsManager,
+		resourcesManager:   resourceManager,
+		routersManager:     routersManager,
+		accountManager:     accountManager,
+	}
+}
+
+func (m *managerImpl) GetAllNetworks(ctx context.Context, accountID, userID string) ([]*types.Network, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return m.store.GetAccountNetworks(ctx, store.LockingStrengthShare, accountID)
+}
+
+func (m *managerImpl) CreateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	network.ID = xid.New().String()
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, network.AccountID)
+	defer unlock()
+
+	err = m.store.SaveNetwork(ctx, store.LockingStrengthUpdate, network)
+	if err != nil {
+		return nil, fmt.Errorf("failed to save network: %w", err)
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, network.ID, network.AccountID, activity.NetworkCreated, network.EventMeta())
+
+	return network, nil
+}
+
+func (m *managerImpl) GetNetwork(ctx context.Context, accountID, userID, networkID string) (*types.Network, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return m.store.GetNetworkByID(ctx, store.LockingStrengthShare, accountID, networkID)
+}
+
+func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, network.AccountID)
+	defer unlock()
+
+	_, err = m.store.GetNetworkByID(ctx, store.LockingStrengthUpdate, network.AccountID, network.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network: %w", err)
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, network.ID, network.AccountID, activity.NetworkUpdated, network.EventMeta())
+
+	return network, m.store.SaveNetwork(ctx, store.LockingStrengthUpdate, network)
+}
+
+func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
+	network, err := m.store.GetNetworkByID(ctx, store.LockingStrengthUpdate, accountID, networkID)
+	if err != nil {
+		return fmt.Errorf("failed to get network: %w", err)
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, accountID)
+	defer unlock()
+
+	var eventsToStore []func()
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		resources, err := transaction.GetNetworkResourcesByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
+		if err != nil {
+			return fmt.Errorf("failed to get resources in network: %w", err)
+		}
+
+		for _, resource := range resources {
+			event, err := m.resourcesManager.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resource.ID)
+			if err != nil {
+				return fmt.Errorf("failed to delete resource: %w", err)
+			}
+			eventsToStore = append(eventsToStore, event...)
+		}
+
+		routers, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
+		if err != nil {
+			return fmt.Errorf("failed to get routers in network: %w", err)
+		}
+
+		for _, router := range routers {
+			event, err := m.routersManager.DeleteRouterInTransaction(ctx, transaction, accountID, userID, networkID, router.ID)
+			if err != nil {
+				return fmt.Errorf("failed to delete router: %w", err)
+			}
+			eventsToStore = append(eventsToStore, event)
+		}
+
+		err = transaction.DeleteNetwork(ctx, store.LockingStrengthUpdate, accountID, networkID)
+		if err != nil {
+			return fmt.Errorf("failed to delete network: %w", err)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		eventsToStore = append(eventsToStore, func() {
+			m.accountManager.StoreEvent(ctx, userID, networkID, accountID, activity.NetworkDeleted, network.EventMeta())
+		})
+
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("failed to delete network: %w", err)
+	}
+
+	for _, event := range eventsToStore {
+		event()
+	}
+
+	go m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
--- a/management/server/networks/manager_test.go
+++ b/management/server/networks/manager_test.go
@@ -0,0 +1,254 @@
+package networks
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/server/groups"
+	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/networks/resources"
+	"github.com/netbirdio/netbird/management/server/networks/routers"
+	"github.com/netbirdio/netbird/management/server/networks/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/store"
+)
+
+func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
+	require.NoError(t, err)
+	require.Len(t, networks, 1)
+	require.Equal(t, "testNetworkId", networks[0].ID)
+}
+
+func Test_GetAllNetworksReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
+	require.Error(t, err)
+	require.Nil(t, networks)
+}
+
+func Test_GetNetworkReturnsNetwork(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	networks, err := manager.GetNetwork(ctx, accountID, userID, networkID)
+	require.NoError(t, err)
+	require.Equal(t, "testNetworkId", networks.ID)
+}
+
+func Test_GetNetworkReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	network, err := manager.GetNetwork(ctx, accountID, userID, networkID)
+	require.Error(t, err)
+	require.Nil(t, network)
+}
+
+func Test_CreateNetworkSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	network := &types.Network{
+		AccountID: "testAccountId",
+		Name:      "new-network",
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
+	require.NoError(t, err)
+	require.Equal(t, network.Name, createdNetwork.Name)
+}
+
+func Test_CreateNetworkFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	userID := "invalidUser"
+	network := &types.Network{
+		AccountID: "testAccountId",
+		Name:      "new-network",
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
+	require.Error(t, err)
+	require.Nil(t, createdNetwork)
+}
+
+func Test_DeleteNetworkSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
+	require.NoError(t, err)
+}
+
+func Test_DeleteNetworkFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
+	require.Error(t, err)
+}
+
+func Test_UpdateNetworkSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	network := &types.Network{
+		AccountID: "testAccountId",
+		ID:        "testNetworkId",
+		Name:      "new-network",
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)
+	require.NoError(t, err)
+	require.Equal(t, network.Name, updatedNetwork.Name)
+}
+
+func Test_UpdateNetworkFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	userID := "invalidUser"
+	network := &types.Network{
+		AccountID: "testAccountId",
+		ID:        "testNetworkId",
+		Name:      "new-network",
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+
+	am := mock_server.MockAccountManager{}
+	permissionsManager := permissions.NewManagerMock()
+	groupsManager := groups.NewManagerMock()
+	routerManager := routers.NewManagerMock()
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
+	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+
+	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)
+	require.Error(t, err)
+	require.Nil(t, updatedNetwork)
+}
--- a/management/server/networks/resources/manager.go
+++ b/management/server/networks/resources/manager.go
@@ -0,0 +1,383 @@
+package resources
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	s "github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/groups"
+	"github.com/netbirdio/netbird/management/server/networks/resources/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/store"
+	nbtypes "github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/util"
+)
+
+type Manager interface {
+	GetAllResourcesInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkResource, error)
+	GetAllResourcesInAccount(ctx context.Context, accountID, userID string) ([]*types.NetworkResource, error)
+	GetAllResourceIDsInAccount(ctx context.Context, accountID, userID string) (map[string][]string, error)
+	CreateResource(ctx context.Context, userID string, resource *types.NetworkResource) (*types.NetworkResource, error)
+	GetResource(ctx context.Context, accountID, userID, networkID, resourceID string) (*types.NetworkResource, error)
+	UpdateResource(ctx context.Context, userID string, resource *types.NetworkResource) (*types.NetworkResource, error)
+	DeleteResource(ctx context.Context, accountID, userID, networkID, resourceID string) error
+	DeleteResourceInTransaction(ctx context.Context, transaction store.Store, accountID, userID, networkID, resourceID string) ([]func(), error)
+}
+
+type managerImpl struct {
+	store              store.Store
+	permissionsManager permissions.Manager
+	groupsManager      groups.Manager
+	accountManager     s.AccountManager
+}
+
+func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager s.AccountManager) Manager {
+	return &managerImpl{
+		store:              store,
+		permissionsManager: permissionsManager,
+		groupsManager:      groupsManager,
+		accountManager:     accountManager,
+	}
+}
+
+func (m *managerImpl) GetAllResourcesInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkResource, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return m.store.GetNetworkResourcesByNetID(ctx, store.LockingStrengthShare, accountID, networkID)
+}
+
+func (m *managerImpl) GetAllResourcesInAccount(ctx context.Context, accountID, userID string) ([]*types.NetworkResource, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return m.store.GetNetworkResourcesByAccountID(ctx, store.LockingStrengthShare, accountID)
+}
+
+func (m *managerImpl) GetAllResourceIDsInAccount(ctx context.Context, accountID, userID string) (map[string][]string, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	resources, err := m.store.GetNetworkResourcesByAccountID(ctx, store.LockingStrengthShare, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network resources: %w", err)
+	}
+
+	resourceMap := make(map[string][]string)
+	for _, resource := range resources {
+		resourceMap[resource.NetworkID] = append(resourceMap[resource.NetworkID], resource.ID)
+	}
+
+	return resourceMap, nil
+}
+
+func (m *managerImpl) CreateResource(ctx context.Context, userID string, resource *types.NetworkResource) (*types.NetworkResource, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, resource.AccountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	resource, err = types.NewNetworkResource(resource.AccountID, resource.NetworkID, resource.Name, resource.Description, resource.Address, resource.GroupIDs)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create new network resource: %w", err)
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, resource.AccountID)
+	defer unlock()
+
+	var eventsToStore []func()
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		_, err = transaction.GetNetworkResourceByName(ctx, store.LockingStrengthShare, resource.AccountID, resource.Name)
+		if err == nil {
+			return errors.New("resource already exists")
+		}
+
+		network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
+		if err != nil {
+			return fmt.Errorf("failed to get network: %w", err)
+		}
+
+		err = transaction.SaveNetworkResource(ctx, store.LockingStrengthUpdate, resource)
+		if err != nil {
+			return fmt.Errorf("failed to save network resource: %w", err)
+		}
+
+		event := func() {
+			m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceCreated, resource.EventMeta(network))
+		}
+		eventsToStore = append(eventsToStore, event)
+
+		res := nbtypes.Resource{
+			ID:   resource.ID,
+			Type: resource.Type.String(),
+		}
+		for _, groupID := range resource.GroupIDs {
+			event, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, resource.AccountID, userID, groupID, &res)
+			if err != nil {
+				return fmt.Errorf("failed to add resource to group: %w", err)
+			}
+			eventsToStore = append(eventsToStore, event)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, resource.AccountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create network resource: %w", err)
+	}
+
+	for _, event := range eventsToStore {
+		event()
+	}
+
+	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)
+
+	return resource, nil
+}
+
+func (m *managerImpl) GetResource(ctx context.Context, accountID, userID, networkID, resourceID string) (*types.NetworkResource, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthShare, accountID, resourceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network resource: %w", err)
+	}
+
+	if resource.NetworkID != networkID {
+		return nil, errors.New("resource not part of network")
+	}
+
+	return resource, nil
+}
+
+func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resource *types.NetworkResource) (*types.NetworkResource, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, resource.AccountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	resourceType, domain, prefix, err := types.GetResourceType(resource.Address)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get resource type: %w", err)
+	}
+
+	resource.Type = resourceType
+	resource.Domain = domain
+	resource.Prefix = prefix
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, resource.AccountID)
+	defer unlock()
+
+	var eventsToStore []func()
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
+		if err != nil {
+			return fmt.Errorf("failed to get network: %w", err)
+		}
+
+		if network.ID != resource.NetworkID {
+			return status.NewResourceNotPartOfNetworkError(resource.ID, resource.NetworkID)
+		}
+
+		_, err = transaction.GetNetworkResourceByID(ctx, store.LockingStrengthShare, resource.AccountID, resource.ID)
+		if err != nil {
+			return fmt.Errorf("failed to get network resource: %w", err)
+		}
+
+		oldResource, err := transaction.GetNetworkResourceByName(ctx, store.LockingStrengthShare, resource.AccountID, resource.Name)
+		if err == nil && oldResource.ID != resource.ID {
+			return errors.New("new resource name already exists")
+		}
+
+		oldResource, err = transaction.GetNetworkResourceByID(ctx, store.LockingStrengthShare, resource.AccountID, resource.ID)
+		if err != nil {
+			return fmt.Errorf("failed to get network resource: %w", err)
+		}
+
+		err = transaction.SaveNetworkResource(ctx, store.LockingStrengthUpdate, resource)
+		if err != nil {
+			return fmt.Errorf("failed to save network resource: %w", err)
+		}
+
+		events, err := m.updateResourceGroups(ctx, transaction, userID, resource, oldResource)
+		if err != nil {
+			return fmt.Errorf("failed to update resource groups: %w", err)
+		}
+
+		eventsToStore = append(eventsToStore, events...)
+		eventsToStore = append(eventsToStore, func() {
+			m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceUpdated, resource.EventMeta(network))
+		})
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, resource.AccountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to update network resource: %w", err)
+	}
+
+	for _, event := range eventsToStore {
+		event()
+	}
+
+	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)
+
+	return resource, nil
+}
+
+func (m *managerImpl) updateResourceGroups(ctx context.Context, transaction store.Store, userID string, newResource, oldResource *types.NetworkResource) ([]func(), error) {
+	res := nbtypes.Resource{
+		ID:   newResource.ID,
+		Type: newResource.Type.String(),
+	}
+
+	oldResourceGroups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthUpdate, oldResource.AccountID, oldResource.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get resource groups: %w", err)
+	}
+
+	oldGroupsIds := make([]string, 0)
+	for _, group := range oldResourceGroups {
+		oldGroupsIds = append(oldGroupsIds, group.ID)
+	}
+
+	var eventsToStore []func()
+	groupsToAdd := util.Difference(newResource.GroupIDs, oldGroupsIds)
+	for _, groupID := range groupsToAdd {
+		events, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, newResource.AccountID, userID, groupID, &res)
+		if err != nil {
+			return nil, fmt.Errorf("failed to add resource to group: %w", err)
+		}
+		eventsToStore = append(eventsToStore, events)
+	}
+
+	groupsToRemove := util.Difference(oldGroupsIds, newResource.GroupIDs)
+	for _, groupID := range groupsToRemove {
+		events, err := m.groupsManager.RemoveResourceFromGroupInTransaction(ctx, transaction, newResource.AccountID, userID, groupID, res.ID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to add resource to group: %w", err)
+		}
+		eventsToStore = append(eventsToStore, events)
+	}
+
+	return eventsToStore, nil
+}
+
+func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, networkID, resourceID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, accountID)
+	defer unlock()
+
+	var events []func()
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		events, err = m.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resourceID)
+		if err != nil {
+			return fmt.Errorf("failed to delete resource: %w", err)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("failed to delete network resource: %w", err)
+	}
+
+	for _, event := range events {
+		event()
+	}
+
+	go m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) DeleteResourceInTransaction(ctx context.Context, transaction store.Store, accountID, userID, networkID, resourceID string) ([]func(), error) {
+	resource, err := transaction.GetNetworkResourceByID(ctx, store.LockingStrengthUpdate, accountID, resourceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network resource: %w", err)
+	}
+
+	network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, accountID, networkID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network: %w", err)
+	}
+
+	if resource.NetworkID != networkID {
+		return nil, errors.New("resource not part of network")
+	}
+
+	groups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthUpdate, accountID, resourceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get resource groups: %w", err)
+	}
+
+	var eventsToStore []func()
+
+	for _, group := range groups {
+		event, err := m.groupsManager.RemoveResourceFromGroupInTransaction(ctx, transaction, accountID, userID, group.ID, resourceID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to remove resource from group: %w", err)
+		}
+		eventsToStore = append(eventsToStore, event)
+	}
+
+	err = transaction.DeleteNetworkResource(ctx, store.LockingStrengthUpdate, accountID, resourceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to delete network resource: %w", err)
+	}
+
+	eventsToStore = append(eventsToStore, func() {
+		m.accountManager.StoreEvent(ctx, userID, resourceID, accountID, activity.NetworkResourceDeleted, resource.EventMeta(network))
+	})
+
+	return eventsToStore, nil
+}
--- a/management/server/networks/resources/manager_test.go
+++ b/management/server/networks/resources/manager_test.go
@@ -0,0 +1,411 @@
+package resources
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/server/groups"
+	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/networks/resources/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/store"
+)
+
+func Test_GetAllResourcesInNetworkReturnsResources(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
+	require.NoError(t, err)
+	require.Len(t, resources, 2)
+}
+
+func Test_GetAllResourcesInNetworkReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, resources)
+}
+func Test_GetAllResourcesInAccountReturnsResources(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
+	require.NoError(t, err)
+	require.Len(t, resources, 2)
+}
+
+func Test_GetAllResourcesInAccountReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, resources)
+}
+
+func Test_GetResourceInNetworkReturnsResources(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	resource, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
+	require.NoError(t, err)
+	require.Equal(t, resourceID, resource.ID)
+}
+
+func Test_GetResourceInNetworkReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	resources, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, resources)
+}
+
+func Test_CreateResourceSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	resource := &types.NetworkResource{
+		AccountID:   "testAccountId",
+		NetworkID:   "testNetworkId",
+		Name:        "newResourceId",
+		Description: "description",
+		Address:     "192.168.1.1",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	createdResource, err := manager.CreateResource(ctx, userID, resource)
+	require.NoError(t, err)
+	require.Equal(t, resource.Name, createdResource.Name)
+}
+
+func Test_CreateResourceFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	userID := "invalidUser"
+	resource := &types.NetworkResource{
+		AccountID:   "testAccountId",
+		NetworkID:   "testNetworkId",
+		Name:        "testResourceId",
+		Description: "description",
+		Address:     "192.168.1.1",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	createdResource, err := manager.CreateResource(ctx, userID, resource)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, createdResource)
+}
+
+func Test_CreateResourceFailsWithInvalidAddress(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	resource := &types.NetworkResource{
+		AccountID:   "testAccountId",
+		NetworkID:   "testNetworkId",
+		Name:        "testResourceId",
+		Description: "description",
+		Address:     "invalid-address",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	createdResource, err := manager.CreateResource(ctx, userID, resource)
+	require.Error(t, err)
+	require.Nil(t, createdResource)
+}
+
+func Test_CreateResourceFailsWithUsedName(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	resource := &types.NetworkResource{
+		AccountID:   "testAccountId",
+		NetworkID:   "testNetworkId",
+		Name:        "testResourceId",
+		Description: "description",
+		Address:     "invalid-address",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	createdResource, err := manager.CreateResource(ctx, userID, resource)
+	require.Error(t, err)
+	require.Nil(t, createdResource)
+}
+
+func Test_UpdateResourceSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+	resource := &types.NetworkResource{
+		AccountID:   accountID,
+		NetworkID:   networkID,
+		Name:        "someNewName",
+		ID:          resourceID,
+		Description: "new-description",
+		Address:     "1.2.3.0/24",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
+	require.NoError(t, err)
+	require.NotNil(t, updatedResource)
+	require.Equal(t, "new-description", updatedResource.Description)
+	require.Equal(t, "1.2.3.0/24", updatedResource.Address)
+	require.Equal(t, types.NetworkResourceType("subnet"), updatedResource.Type)
+}
+
+func Test_UpdateResourceFailsWithResourceNotFound(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	resourceID := "otherResourceId"
+	resource := &types.NetworkResource{
+		AccountID:   accountID,
+		NetworkID:   networkID,
+		Name:        resourceID,
+		Description: "new-description",
+		Address:     "1.2.3.0/24",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
+	require.Error(t, err)
+	require.Nil(t, updatedResource)
+}
+
+func Test_UpdateResourceFailsWithNameInUse(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+	resource := &types.NetworkResource{
+		AccountID:   accountID,
+		NetworkID:   networkID,
+		ID:          resourceID,
+		Name:        "used-name",
+		Description: "new-description",
+		Address:     "1.2.3.0/24",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
+	require.Error(t, err)
+	require.Nil(t, updatedResource)
+}
+
+func Test_UpdateResourceFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+	resource := &types.NetworkResource{
+		AccountID:   accountID,
+		NetworkID:   networkID,
+		Name:        resourceID,
+		Description: "new-description",
+		Address:     "1.2.3.0/24",
+	}
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
+	require.Error(t, err)
+	require.Nil(t, updatedResource)
+}
+
+func Test_DeleteResourceSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
+	require.NoError(t, err)
+}
+
+func Test_DeleteResourceFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+	resourceID := "testResourceId"
+
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	groupsManager := groups.NewManagerMock()
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
+
+	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
+	require.Error(t, err)
+}
--- a/management/server/networks/resources/types/resource.go
+++ b/management/server/networks/resources/types/resource.go
@@ -0,0 +1,169 @@
+package types
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"regexp"
+
+	"github.com/rs/xid"
+
+	nbDomain "github.com/netbirdio/netbird/management/domain"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/route"
+
+	"github.com/netbirdio/netbird/management/server/http/api"
+)
+
+type NetworkResourceType string
+
+const (
+	host   NetworkResourceType = "host"
+	subnet NetworkResourceType = "subnet"
+	domain NetworkResourceType = "domain"
+)
+
+func (p NetworkResourceType) String() string {
+	return string(p)
+}
+
+type NetworkResource struct {
+	ID          string `gorm:"index"`
+	NetworkID   string `gorm:"index"`
+	AccountID   string `gorm:"index"`
+	Name        string
+	Description string
+	Type        NetworkResourceType
+	Address     string   `gorm:"-"`
+	GroupIDs    []string `gorm:"-"`
+	Domain      string
+	Prefix      netip.Prefix `gorm:"serializer:json"`
+}
+
+func NewNetworkResource(accountID, networkID, name, description, address string, groupIDs []string) (*NetworkResource, error) {
+	resourceType, domain, prefix, err := GetResourceType(address)
+	if err != nil {
+		return nil, fmt.Errorf("invalid address: %w", err)
+	}
+
+	return &NetworkResource{
+		ID:          xid.New().String(),
+		AccountID:   accountID,
+		NetworkID:   networkID,
+		Name:        name,
+		Description: description,
+		Type:        resourceType,
+		Address:     address,
+		Domain:      domain,
+		Prefix:      prefix,
+		GroupIDs:    groupIDs,
+	}, nil
+}
+
+func (n *NetworkResource) ToAPIResponse(groups []api.GroupMinimum) *api.NetworkResource {
+	addr := n.Prefix.String()
+	if n.Type == domain {
+		addr = n.Domain
+	}
+
+	return &api.NetworkResource{
+		Id:          n.ID,
+		Name:        n.Name,
+		Description: &n.Description,
+		Type:        api.NetworkResourceType(n.Type.String()),
+		Address:     addr,
+		Groups:      groups,
+	}
+}
+
+func (n *NetworkResource) FromAPIRequest(req *api.NetworkResourceRequest) {
+	n.Name = req.Name
+
+	if req.Description != nil {
+		n.Description = *req.Description
+	}
+	n.Address = req.Address
+	n.GroupIDs = req.Groups
+}
+
+func (n *NetworkResource) Copy() *NetworkResource {
+	return &NetworkResource{
+		ID:          n.ID,
+		AccountID:   n.AccountID,
+		NetworkID:   n.NetworkID,
+		Name:        n.Name,
+		Description: n.Description,
+		Type:        n.Type,
+		Address:     n.Address,
+		Domain:      n.Domain,
+		Prefix:      n.Prefix,
+		GroupIDs:    n.GroupIDs,
+	}
+}
+
+func (n *NetworkResource) ToRoute(peer *nbpeer.Peer, router *routerTypes.NetworkRouter) *route.Route {
+	r := &route.Route{
+		ID:                  route.ID(fmt.Sprintf("%s:%s", n.ID, peer.ID)),
+		AccountID:           n.AccountID,
+		KeepRoute:           true,
+		NetID:               route.NetID(n.Name),
+		Description:         n.Description,
+		Peer:                peer.Key,
+		PeerGroups:          nil,
+		Masquerade:          router.Masquerade,
+		Metric:              router.Metric,
+		Enabled:             true,
+		Groups:              nil,
+		AccessControlGroups: nil,
+	}
+
+	if n.Type == host || n.Type == subnet {
+		r.Network = n.Prefix
+
+		r.NetworkType = route.IPv4Network
+		if n.Prefix.Addr().Is6() {
+			r.NetworkType = route.IPv6Network
+		}
+	}
+
+	if n.Type == domain {
+		domainList, err := nbDomain.FromStringList([]string{n.Domain})
+		if err != nil {
+			return nil
+		}
+		r.Domains = domainList
+		r.NetworkType = route.DomainNetwork
+
+		// add default placeholder for domain network
+		r.Network = netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 0, 2, 0}), 32)
+	}
+
+	return r
+}
+
+func (n *NetworkResource) EventMeta(network *networkTypes.Network) map[string]any {
+	return map[string]any{"name": n.Name, "type": n.Type, "network_name": network.Name, "network_id": network.ID}
+}
+
+// GetResourceType returns the type of the resource based on the address
+func GetResourceType(address string) (NetworkResourceType, string, netip.Prefix, error) {
+	if prefix, err := netip.ParsePrefix(address); err == nil {
+		if prefix.Bits() == 32 || prefix.Bits() == 128 {
+			return host, "", prefix, nil
+		}
+		return subnet, "", prefix, nil
+	}
+
+	if ip, err := netip.ParseAddr(address); err == nil {
+		return host, "", netip.PrefixFrom(ip, ip.BitLen()), nil
+	}
+
+	domainRegex := regexp.MustCompile(`^(\*\.)?([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$`)
+	if domainRegex.MatchString(address) {
+		return domain, address, netip.Prefix{}, nil
+	}
+
+	return "", "", netip.Prefix{}, errors.New("not a valid host, subnet, or domain")
+}
--- a/management/server/networks/resources/types/resource_test.go
+++ b/management/server/networks/resources/types/resource_test.go
@@ -0,0 +1,53 @@
+package types
+
+import (
+	"net/netip"
+	"testing"
+)
+
+func TestGetResourceType(t *testing.T) {
+	tests := []struct {
+		input          string
+		expectedType   NetworkResourceType
+		expectedErr    bool
+		expectedDomain string
+		expectedPrefix netip.Prefix
+	}{
+		// Valid host IPs
+		{"1.1.1.1", host, false, "", netip.MustParsePrefix("1.1.1.1/32")},
+		{"1.1.1.1/32", host, false, "", netip.MustParsePrefix("1.1.1.1/32")},
+		// Valid subnets
+		{"192.168.1.0/24", subnet, false, "", netip.MustParsePrefix("192.168.1.0/24")},
+		{"10.0.0.0/16", subnet, false, "", netip.MustParsePrefix("10.0.0.0/16")},
+		// Valid domains
+		{"example.com", domain, false, "example.com", netip.Prefix{}},
+		{"*.example.com", domain, false, "*.example.com", netip.Prefix{}},
+		{"sub.example.com", domain, false, "sub.example.com", netip.Prefix{}},
+		// Invalid inputs
+		{"invalid", "", true, "", netip.Prefix{}},
+		{"1.1.1.1/abc", "", true, "", netip.Prefix{}},
+		{"1234", "", true, "", netip.Prefix{}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			result, domain, prefix, err := GetResourceType(tt.input)
+      
+			if result != tt.expectedType {
+				t.Errorf("Expected type %v, got %v", tt.expectedType, result)
+			}
+
+			if tt.expectedErr && err == nil {
+				t.Errorf("Expected error, got nil")
+			}
+
+			if prefix != tt.expectedPrefix {
+				t.Errorf("Expected address %v, got %v", tt.expectedPrefix, prefix)
+			}
+
+			if domain != tt.expectedDomain {
+				t.Errorf("Expected domain %v, got %v", tt.expectedDomain, domain)
+			}
+		})
+	}
+}
--- a/management/server/networks/routers/manager.go
+++ b/management/server/networks/routers/manager.go
@@ -0,0 +1,289 @@
+package routers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/rs/xid"
+
+	s "github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/store"
+)
+
+type Manager interface {
+	GetAllRoutersInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkRouter, error)
+	GetAllRoutersInAccount(ctx context.Context, accountID, userID string) (map[string][]*types.NetworkRouter, error)
+	CreateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error)
+	GetRouter(ctx context.Context, accountID, userID, networkID, routerID string) (*types.NetworkRouter, error)
+	UpdateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error)
+	DeleteRouter(ctx context.Context, accountID, userID, networkID, routerID string) error
+	DeleteRouterInTransaction(ctx context.Context, transaction store.Store, accountID, userID, networkID, routerID string) (func(), error)
+}
+
+type managerImpl struct {
+	store              store.Store
+	permissionsManager permissions.Manager
+	accountManager     s.AccountManager
+}
+
+type mockManager struct {
+}
+
+func NewManager(store store.Store, permissionsManager permissions.Manager, accountManager s.AccountManager) Manager {
+	return &managerImpl{
+		store:              store,
+		permissionsManager: permissionsManager,
+		accountManager:     accountManager,
+	}
+}
+
+func (m *managerImpl) GetAllRoutersInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkRouter, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return m.store.GetNetworkRoutersByNetID(ctx, store.LockingStrengthShare, accountID, networkID)
+}
+
+func (m *managerImpl) GetAllRoutersInAccount(ctx context.Context, accountID, userID string) (map[string][]*types.NetworkRouter, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	routers, err := m.store.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthShare, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network routers: %w", err)
+	}
+
+	routersMap := make(map[string][]*types.NetworkRouter)
+	for _, router := range routers {
+		routersMap[router.NetworkID] = append(routersMap[router.NetworkID], router)
+	}
+
+	return routersMap, nil
+}
+
+func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, router.AccountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, router.AccountID)
+	defer unlock()
+
+	var network *networkTypes.Network
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		network, err = transaction.GetNetworkByID(ctx, store.LockingStrengthShare, router.AccountID, router.NetworkID)
+		if err != nil {
+			return fmt.Errorf("failed to get network: %w", err)
+		}
+
+		if network.ID != router.NetworkID {
+			return status.NewNetworkNotFoundError(router.NetworkID)
+		}
+
+		router.ID = xid.New().String()
+
+		err = transaction.SaveNetworkRouter(ctx, store.LockingStrengthUpdate, router)
+		if err != nil {
+			return fmt.Errorf("failed to create network router: %w", err)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, router.AccountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterCreated, router.EventMeta(network))
+
+	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID)
+
+	return router, nil
+}
+
+func (m *managerImpl) GetRouter(ctx context.Context, accountID, userID, networkID, routerID string) (*types.NetworkRouter, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	router, err := m.store.GetNetworkRouterByID(ctx, store.LockingStrengthShare, accountID, routerID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network router: %w", err)
+	}
+
+	if router.NetworkID != networkID {
+		return nil, errors.New("router not part of network")
+	}
+
+	return router, nil
+}
+
+func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, router.AccountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, router.AccountID)
+	defer unlock()
+
+	var network *networkTypes.Network
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		network, err = transaction.GetNetworkByID(ctx, store.LockingStrengthShare, router.AccountID, router.NetworkID)
+		if err != nil {
+			return fmt.Errorf("failed to get network: %w", err)
+		}
+
+		if network.ID != router.NetworkID {
+			return status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
+		}
+
+		err = transaction.SaveNetworkRouter(ctx, store.LockingStrengthUpdate, router)
+		if err != nil {
+			return fmt.Errorf("failed to update network router: %w", err)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, router.AccountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterUpdated, router.EventMeta(network))
+
+	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID)
+
+	return router, nil
+}
+
+func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, networkID, routerID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Write)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
+	unlock := m.store.AcquireWriteLockByUID(ctx, accountID)
+	defer unlock()
+
+	var event func()
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		event, err = m.DeleteRouterInTransaction(ctx, transaction, accountID, userID, networkID, routerID)
+		if err != nil {
+			return fmt.Errorf("failed to delete network router: %w", err)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	event()
+
+	go m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) DeleteRouterInTransaction(ctx context.Context, transaction store.Store, accountID, userID, networkID, routerID string) (func(), error) {
+	network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthShare, accountID, networkID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network: %w", err)
+	}
+
+	router, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, accountID, routerID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network router: %w", err)
+	}
+
+	if router.NetworkID != networkID {
+		return nil, status.NewRouterNotPartOfNetworkError(routerID, networkID)
+	}
+
+	err = transaction.DeleteNetworkRouter(ctx, store.LockingStrengthUpdate, accountID, routerID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to delete network router: %w", err)
+	}
+
+	event := func() {
+		m.accountManager.StoreEvent(ctx, userID, routerID, accountID, activity.NetworkRouterDeleted, router.EventMeta(network))
+	}
+
+	return event, nil
+}
+
+func NewManagerMock() Manager {
+	return &mockManager{}
+}
+
+func (m *mockManager) GetAllRoutersInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkRouter, error) {
+	return []*types.NetworkRouter{}, nil
+}
+
+func (m *mockManager) GetAllRoutersInAccount(ctx context.Context, accountID, userID string) (map[string][]*types.NetworkRouter, error) {
+	return map[string][]*types.NetworkRouter{}, nil
+}
+
+func (m *mockManager) CreateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error) {
+	return router, nil
+}
+
+func (m *mockManager) GetRouter(ctx context.Context, accountID, userID, networkID, routerID string) (*types.NetworkRouter, error) {
+	return &types.NetworkRouter{}, nil
+}
+
+func (m *mockManager) UpdateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error) {
+	return router, nil
+}
+
+func (m *mockManager) DeleteRouter(ctx context.Context, accountID, userID, networkID, routerID string) error {
+	return nil
+}
+
+func (m *mockManager) DeleteRouterInTransaction(ctx context.Context, transaction store.Store, accountID, userID, networkID, routerID string) (func(), error) {
+	return func() {}, nil
+}
--- a/management/server/networks/routers/manager_test.go
+++ b/management/server/networks/routers/manager_test.go
@@ -0,0 +1,234 @@
+package routers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/networks/routers/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/store"
+)
+
+func Test_GetAllRoutersInNetworkReturnsRouters(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	routers, err := manager.GetAllRoutersInNetwork(ctx, accountID, userID, networkID)
+	require.NoError(t, err)
+	require.Len(t, routers, 1)
+	require.Equal(t, "testRouterId", routers[0].ID)
+}
+
+func Test_GetAllRoutersInNetworkReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	routers, err := manager.GetAllRoutersInNetwork(ctx, accountID, userID, networkID)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, routers)
+}
+
+func Test_GetRouterReturnsRouter(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	resourceID := "testRouterId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	router, err := manager.GetRouter(ctx, accountID, userID, networkID, resourceID)
+	require.NoError(t, err)
+	require.Equal(t, "testRouterId", router.ID)
+}
+
+func Test_GetRouterReturnsPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+	resourceID := "testRouterId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	router, err := manager.GetRouter(ctx, accountID, userID, networkID, resourceID)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, router)
+}
+
+func Test_CreateRouterSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	router, err := types.NewNetworkRouter("testAccountId", "testNetworkId", "testPeerId", []string{}, false, 9999)
+	if err != nil {
+		require.NoError(t, err)
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	createdRouter, err := manager.CreateRouter(ctx, userID, router)
+	require.NoError(t, err)
+	require.NotEqual(t, "", router.ID)
+	require.Equal(t, router.NetworkID, createdRouter.NetworkID)
+	require.Equal(t, router.Peer, createdRouter.Peer)
+	require.Equal(t, router.Metric, createdRouter.Metric)
+	require.Equal(t, router.Masquerade, createdRouter.Masquerade)
+}
+
+func Test_CreateRouterFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	userID := "invalidUser"
+	router, err := types.NewNetworkRouter("testAccountId", "testNetworkId", "testPeerId", []string{}, false, 9999)
+	if err != nil {
+		require.NoError(t, err)
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	createdRouter, err := manager.CreateRouter(ctx, userID, router)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, createdRouter)
+}
+
+func Test_DeleteRouterSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "allowedUser"
+	networkID := "testNetworkId"
+	routerID := "testRouterId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	err = manager.DeleteRouter(ctx, accountID, userID, networkID, routerID)
+	require.NoError(t, err)
+}
+
+func Test_DeleteRouterFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	accountID := "testAccountId"
+	userID := "invalidUser"
+	networkID := "testNetworkId"
+	routerID := "testRouterId"
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	err = manager.DeleteRouter(ctx, accountID, userID, networkID, routerID)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+}
+
+func Test_UpdateRouterSuccessfully(t *testing.T) {
+	ctx := context.Background()
+	userID := "allowedUser"
+	router, err := types.NewNetworkRouter("testAccountId", "testNetworkId", "testPeerId", []string{}, false, 1)
+	if err != nil {
+		require.NoError(t, err)
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	updatedRouter, err := manager.UpdateRouter(ctx, userID, router)
+	require.NoError(t, err)
+	require.Equal(t, router.Metric, updatedRouter.Metric)
+}
+
+func Test_UpdateRouterFailsWithPermissionDenied(t *testing.T) {
+	ctx := context.Background()
+	userID := "invalidUser"
+	router, err := types.NewNetworkRouter("testAccountId", "testNetworkId", "testPeerId", []string{}, false, 1)
+	if err != nil {
+		require.NoError(t, err)
+	}
+
+	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(cleanUp)
+	permissionsManager := permissions.NewManagerMock()
+	am := mock_server.MockAccountManager{}
+	manager := NewManager(s, permissionsManager, &am)
+
+	updatedRouter, err := manager.UpdateRouter(ctx, userID, router)
+	require.Error(t, err)
+	require.Equal(t, status.NewPermissionDeniedError(), err)
+	require.Nil(t, updatedRouter)
+}
--- a/management/server/networks/routers/types/router.go
+++ b/management/server/networks/routers/types/router.go
@@ -0,0 +1,75 @@
+package types
+
+import (
+	"errors"
+
+	"github.com/rs/xid"
+
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/management/server/networks/types"
+)
+
+type NetworkRouter struct {
+	ID         string `gorm:"index"`
+	NetworkID  string `gorm:"index"`
+	AccountID  string `gorm:"index"`
+	Peer       string
+	PeerGroups []string `gorm:"serializer:json"`
+	Masquerade bool
+	Metric     int
+}
+
+func NewNetworkRouter(accountID string, networkID string, peer string, peerGroups []string, masquerade bool, metric int) (*NetworkRouter, error) {
+	if peer != "" && len(peerGroups) > 0 {
+		return nil, errors.New("peer and peerGroups cannot be set at the same time")
+	}
+
+	return &NetworkRouter{
+		ID:         xid.New().String(),
+		AccountID:  accountID,
+		NetworkID:  networkID,
+		Peer:       peer,
+		PeerGroups: peerGroups,
+		Masquerade: masquerade,
+		Metric:     metric,
+	}, nil
+}
+
+func (n *NetworkRouter) ToAPIResponse() *api.NetworkRouter {
+	return &api.NetworkRouter{
+		Id:         n.ID,
+		Peer:       &n.Peer,
+		PeerGroups: &n.PeerGroups,
+		Masquerade: n.Masquerade,
+		Metric:     n.Metric,
+	}
+}
+
+func (n *NetworkRouter) FromAPIRequest(req *api.NetworkRouterRequest) {
+	if req.Peer != nil {
+		n.Peer = *req.Peer
+	}
+
+	if req.PeerGroups != nil {
+		n.PeerGroups = *req.PeerGroups
+	}
+
+	n.Masquerade = req.Masquerade
+	n.Metric = req.Metric
+}
+
+func (n *NetworkRouter) Copy() *NetworkRouter {
+	return &NetworkRouter{
+		ID:         n.ID,
+		NetworkID:  n.NetworkID,
+		AccountID:  n.AccountID,
+		Peer:       n.Peer,
+		PeerGroups: n.PeerGroups,
+		Masquerade: n.Masquerade,
+		Metric:     n.Metric,
+	}
+}
+
+func (n *NetworkRouter) EventMeta(network *types.Network) map[string]any {
+	return map[string]any{"network_name": network.Name, "network_id": network.ID, "peer": n.Peer, "peer_groups": n.PeerGroups}
+}
--- a/management/server/networks/routers/types/router_test.go
+++ b/management/server/networks/routers/types/router_test.go
@@ -0,0 +1,100 @@
+package types
+
+import "testing"
+
+func TestNewNetworkRouter(t *testing.T) {
+	tests := []struct {
+		name          string
+		accountID     string
+		networkID     string
+		peer          string
+		peerGroups    []string
+		masquerade    bool
+		metric        int
+		expectedError bool
+	}{
+		// Valid cases
+		{
+			name:          "Valid with peer only",
+			networkID:     "network-1",
+			accountID:     "account-1",
+			peer:          "peer-1",
+			peerGroups:    nil,
+			masquerade:    true,
+			metric:        100,
+			expectedError: false,
+		},
+		{
+			name:          "Valid with peerGroups only",
+			networkID:     "network-2",
+			accountID:     "account-2",
+			peer:          "",
+			peerGroups:    []string{"group-1", "group-2"},
+			masquerade:    false,
+			metric:        200,
+			expectedError: false,
+		},
+		{
+			name:          "Valid with no peer or peerGroups",
+			networkID:     "network-3",
+			accountID:     "account-3",
+			peer:          "",
+			peerGroups:    nil,
+			masquerade:    true,
+			metric:        300,
+			expectedError: false,
+		},
+
+		// Invalid cases
+		{
+			name:          "Invalid with both peer and peerGroups",
+			networkID:     "network-4",
+			accountID:     "account-4",
+			peer:          "peer-2",
+			peerGroups:    []string{"group-3"},
+			masquerade:    false,
+			metric:        400,
+			expectedError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			router, err := NewNetworkRouter(tt.accountID, tt.networkID, tt.peer, tt.peerGroups, tt.masquerade, tt.metric)
+
+			if tt.expectedError && err == nil {
+				t.Fatalf("Expected an error, got nil")
+			}
+
+			if tt.expectedError == false {
+				if router == nil {
+					t.Fatalf("Expected a NetworkRouter object, got nil")
+				}
+
+				if router.AccountID != tt.accountID {
+					t.Errorf("Expected AccountID %s, got %s", tt.accountID, router.AccountID)
+				}
+
+				if router.NetworkID != tt.networkID {
+					t.Errorf("Expected NetworkID %s, got %s", tt.networkID, router.NetworkID)
+				}
+
+				if router.Peer != tt.peer {
+					t.Errorf("Expected Peer %s, got %s", tt.peer, router.Peer)
+				}
+
+				if len(router.PeerGroups) != len(tt.peerGroups) {
+					t.Errorf("Expected PeerGroups %v, got %v", tt.peerGroups, router.PeerGroups)
+				}
+
+				if router.Masquerade != tt.masquerade {
+					t.Errorf("Expected Masquerade %v, got %v", tt.masquerade, router.Masquerade)
+				}
+
+				if router.Metric != tt.metric {
+					t.Errorf("Expected Metric %d, got %d", tt.metric, router.Metric)
+				}
+			}
+		})
+	}
+}
--- a/management/server/networks/types/network.go
+++ b/management/server/networks/types/network.go
@@ -0,0 +1,56 @@
+package types
+
+import (
+	"github.com/rs/xid"
+
+	"github.com/netbirdio/netbird/management/server/http/api"
+)
+
+type Network struct {
+	ID          string `gorm:"index"`
+	AccountID   string `gorm:"index"`
+	Name        string
+	Description string
+}
+
+func NewNetwork(accountId, name, description string) *Network {
+	return &Network{
+		ID:          xid.New().String(),
+		AccountID:   accountId,
+		Name:        name,
+		Description: description,
+	}
+}
+
+func (n *Network) ToAPIResponse(routerIDs []string, resourceIDs []string, routingPeersCount int, policyIDs []string) *api.Network {
+	return &api.Network{
+		Id:                n.ID,
+		Name:              n.Name,
+		Description:       &n.Description,
+		Routers:           routerIDs,
+		Resources:         resourceIDs,
+		RoutingPeersCount: routingPeersCount,
+		Policies:          policyIDs,
+	}
+}
+
+func (n *Network) FromAPIRequest(req *api.NetworkRequest) {
+	n.Name = req.Name
+	if req.Description != nil {
+		n.Description = *req.Description
+	}
+}
+
+// Copy returns a copy of a posture checks.
+func (n *Network) Copy() *Network {
+	return &Network{
+		ID:          n.ID,
+		AccountID:   n.AccountID,
+		Name:        n.Name,
+		Description: n.Description,
+	}
+}
+
+func (n *Network) EventMeta() map[string]any {
+	return map[string]any{"name": n.Name}
+}