Merge branch 'main' into refactor/mgmt-bootstrap

fix tests
2026-05-24 17:49:55 +00:00 · 2026-05-24 17:47:39 +03:00 · 2026-05-24 17:46:31 +03:00 · 2026-05-23 00:06:51 +03:00 · 2026-05-23 00:06:32 +03:00 · 2026-05-22 18:05:48 +03:00
52 changed files with 907 additions and 4063 deletions
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -109,7 +109,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}

-	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+	iv, _ := integrations.NewIntegratedValidator(ctx, nil, nil, peersmanager, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
@@ -124,18 +124,18 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config, nil)

 	accountManager, err := mgmt.BuildManager(ctx, config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
 	if err != nil {
 		t.Fatal(err)
 	}

-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -66,8 +66,8 @@ import (
 	"github.com/netbirdio/netbird/route"
 	mgmt "github.com/netbirdio/netbird/shared/management/client"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/shared/netiputil"
+	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -1641,7 +1641,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		return nil, "", err
 	}

-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), nil, nil, peersManager, nil, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
@@ -1662,17 +1662,17 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
-	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config)
+	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config, nil)
 	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		return nil, "", err
 	}

-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager, nil)
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -315,7 +315,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 		return nil, "", err
 	}

-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), nil, nil, peersManager, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
@@ -325,17 +325,17 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve

 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
 	peersUpdateManager := update_channel.NewPeersUpdateManager(metrics)
-	networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config)
+	networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config, nil)
 	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
 	if err != nil {
 		return nil, "", err
 	}

-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager, nil)
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/combined/cmd/root.go
+++ b/combined/cmd/root.go
@@ -332,7 +332,7 @@ func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
 			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
 		}

-		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
+		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), s.IDPHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
 		if servers.relaySrv != nil {
 			log.Infof("Relay WebSocket handler added (path: /relay)")
 		}
@@ -521,7 +521,7 @@ func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*
 }

 // createCombinedHandler creates an HTTP handler that multiplexes Management, Signal (via wsproxy), and Relay WebSocket traffic
-func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
+func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, idpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
 	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))

 	var relayAcceptFn func(conn listener.Conn)
@@ -556,6 +556,10 @@ func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, re
 				http.Error(w, "Relay service not enabled", http.StatusNotFound)
 			}

+		// Embedded IdP (Dex)
+		case idpHandler != nil && strings.HasPrefix(r.URL.Path, "/oauth2"):
+			idpHandler.ServeHTTP(w, r)
+
 		// Management HTTP API (default)
 		default:
 			httpHandler.ServeHTTP(w, r)
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -44,7 +44,7 @@ type Controller struct {
 	EphemeralPeersManager ephemeral.Manager

 	accountUpdateLocks               sync.Map
-	affectedPeerUpdateLocks          sync.Map
+	sendAccountUpdateLocks           sync.Map
 	updateAccountPeersBufferInterval atomic.Int64
 	// dnsDomain is used for peer resolution. This is appended to the peer's name
 	dnsDomain string
@@ -55,6 +55,8 @@ type Controller struct {
 	proxyController port_forwarding.Controller

 	integratedPeerValidator integrated_validator.IntegratedValidator
+
+	configExtender grpc.ConfigExtender
 }

 type bufferUpdate struct {
@@ -63,16 +65,9 @@ type bufferUpdate struct {
 	update atomic.Bool
 }

-type bufferAffectedUpdate struct {
-	sendMu  sync.Mutex
-	dataMu  sync.Mutex
-	next    *time.Timer
-	peerIDs map[string]struct{}
-}
-
 var _ network_map.Controller = (*Controller)(nil)

-func NewController(ctx context.Context, store store.Store, metrics telemetry.AppMetrics, peersUpdateManager network_map.PeersUpdateManager, requestBuffer account.RequestBuffer, integratedPeerValidator integrated_validator.IntegratedValidator, settingsManager settings.Manager, dnsDomain string, proxyController port_forwarding.Controller, ephemeralPeersManager ephemeral.Manager, config *config.Config) *Controller {
+func NewController(ctx context.Context, store store.Store, metrics telemetry.AppMetrics, peersUpdateManager network_map.PeersUpdateManager, requestBuffer account.RequestBuffer, integratedPeerValidator integrated_validator.IntegratedValidator, settingsManager settings.Manager, dnsDomain string, proxyController port_forwarding.Controller, ephemeralPeersManager ephemeral.Manager, config *config.Config, configExtender grpc.ConfigExtender) *Controller {
 	nMetrics, err := newMetrics(metrics.UpdateChannelMetrics())
 	if err != nil {
 		log.Fatal(fmt.Errorf("error creating metrics: %w", err))
@@ -91,6 +86,8 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App

 		proxyController:       proxyController,
 		EphemeralPeersManager: ephemeralPeersManager,
+
+		configExtender: configExtender,
 	}
 }

@@ -203,14 +200,14 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin

 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))

-			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
+			proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 			if ok {
 				remotePeerNetworkMap.Merge(proxyNetworkMap)
 			}

 			peerGroups := account.GetPeerGroups(p.ID)
 			start = time.Now()
-			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
+			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort, c.configExtender)
 			c.metrics.CountToSyncResponseDuration(time.Since(start))

 			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
@@ -228,6 +225,44 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	return nil
 }

+func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
+	log.WithContext(ctx).Tracef("buffer sending update peers for account %s from %s", accountID, util.GetCallerName())
+
+	if c.accountManagerMetrics != nil {
+		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
+	}
+
+	bufUpd, _ := c.sendAccountUpdateLocks.LoadOrStore(accountID, &bufferUpdate{})
+	b := bufUpd.(*bufferUpdate)
+
+	if !b.mu.TryLock() {
+		b.update.Store(true)
+		return nil
+	}
+
+	if b.next != nil {
+		b.next.Stop()
+	}
+
+	go func() {
+		defer b.mu.Unlock()
+		_ = c.sendUpdateAccountPeers(ctx, accountID)
+		if !b.update.Load() {
+			return
+		}
+		b.update.Store(false)
+		if b.next == nil {
+			b.next = time.AfterFunc(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
+				_ = c.sendUpdateAccountPeers(ctx, accountID)
+			})
+			return
+		}
+		b.next.Reset(time.Duration(c.updateAccountPeersBufferInterval.Load()))
+	}()
+
+	return nil
+}
+
 // UpdatePeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
 func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
@@ -237,143 +272,6 @@ func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string, r
 	return c.sendUpdateAccountPeers(ctx, accountID)
 }

-// UpdateAffectedPeers updates only the specified peers that belong to an account.
-func (c *Controller) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
-	if len(peerIDs) == 0 {
-		return nil
-	}
-	return c.sendUpdateForAffectedPeers(ctx, accountID, peerIDs)
-}
-
-func (c *Controller) sendUpdateForAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
-	log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: account %s, %d affected peers: %v (caller: %s)", accountID, len(peerIDs), peerIDs, util.GetCallerName())
-
-	if !c.hasConnectedPeers(peerIDs) {
-		log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: no connected peers among %v, skipping", peerIDs)
-		return nil
-	}
-
-	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return fmt.Errorf("failed to get account: %v", err)
-	}
-
-	globalStart := time.Now()
-
-	peersToUpdate := c.filterConnectedAffectedPeers(account, peerIDs)
-	if len(peersToUpdate) == 0 {
-		log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: no peers to update (affected peers not found in account or no channels)")
-		return nil
-	}
-
-	log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: sending network map to %d connected peers", len(peersToUpdate))
-
-	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-	if err != nil {
-		return fmt.Errorf("failed to get validate peers: %v", err)
-	}
-
-	var wg sync.WaitGroup
-	semaphore := make(chan struct{}, 10)
-
-	account.InjectProxyPolicies(ctx)
-	dnsCache := &cache.DNSConfigCache{}
-	dnsDomain := c.GetDNSDomain(account.Settings)
-	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
-		return fmt.Errorf("failed to get proxy network maps: %v", err)
-	}
-
-	extraSetting, err := c.settingsManager.GetExtraSettings(ctx, accountID)
-	if err != nil {
-		return fmt.Errorf("failed to get flow enabled status: %v", err)
-	}
-
-	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
-
-	accountZones, err := c.repo.GetAccountZones(ctx, account.Id)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get account zones: %v", err)
-		return fmt.Errorf("failed to get account zones: %v", err)
-	}
-
-	for _, peer := range peersToUpdate {
-		wg.Add(1)
-		semaphore <- struct{}{}
-		go func(p *nbpeer.Peer) {
-			defer wg.Done()
-			defer func() { <-semaphore }()
-
-			start := time.Now()
-
-			postureChecks, err := c.getPeerPostureChecks(account, p.ID)
-			if err != nil {
-				log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", p.ID, err)
-				return
-			}
-
-			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
-			start = time.Now()
-
-			remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-
-			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
-
-			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
-			if ok {
-				remotePeerNetworkMap.Merge(proxyNetworkMap)
-			}
-
-			peerGroups := account.GetPeerGroups(p.ID)
-			start = time.Now()
-			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
-			c.metrics.CountToSyncResponseDuration(time.Since(start))
-
-			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
-				Update:      update,
-				MessageType: network_map.MessageTypeNetworkMap,
-			})
-		}(peer)
-	}
-
-	wg.Wait()
-	if c.accountManagerMetrics != nil {
-		c.accountManagerMetrics.CountUpdateAccountPeersDuration(time.Since(globalStart))
-	}
-
-	return nil
-}
-
-func (c *Controller) hasConnectedPeers(peerIDs []string) bool {
-	for _, id := range peerIDs {
-		if c.peersUpdateManager.HasChannel(id) {
-			return true
-		}
-	}
-	return false
-}
-
-func (c *Controller) filterConnectedAffectedPeers(account *types.Account, peerIDs []string) []*nbpeer.Peer {
-	affected := make(map[string]struct{}, len(peerIDs))
-	for _, id := range peerIDs {
-		affected[id] = struct{}{}
-	}
-
-	var result []*nbpeer.Peer
-	for _, peer := range account.Peers {
-		if _, ok := affected[peer.ID]; ok && c.peersUpdateManager.HasChannel(peer.ID) {
-			result = append(result, peer)
-		}
-	}
-	return result
-}
-
 func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error {
 	if !c.peersUpdateManager.HasChannel(peerId) {
 		return fmt.Errorf("peer %s doesn't have a channel, skipping network map update", peerId)
@@ -435,7 +333,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	peerGroups := account.GetPeerGroups(peerId)
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)

-	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
+	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort, c.configExtender)
 	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{
 		Update:      update,
 		MessageType: network_map.MessageTypeNetworkMap,
@@ -482,100 +380,6 @@ func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID str
 	return nil
 }

-// BufferUpdateAffectedPeers accumulates peer IDs and flushes them after the buffer interval.
-func (c *Controller) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error {
-	if len(peerIDs) == 0 {
-		return nil
-	}
-
-	if c.accountManagerMetrics != nil {
-		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
-	}
-
-	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s", len(peerIDs), accountID, util.GetCallerName())
-
-	bufUpd, _ := c.affectedPeerUpdateLocks.LoadOrStore(accountID, &bufferAffectedUpdate{
-		peerIDs: make(map[string]struct{}),
-	})
-	b := bufUpd.(*bufferAffectedUpdate)
-
-	b.addPeerIDs(peerIDs)
-
-	if !b.sendMu.TryLock() {
-		// Another goroutine is already sending; it will pick up our IDs on its next drain.
-		return nil
-	}
-
-	b.stopTimer()
-
-	collected := b.drainPeerIDs()
-	go func() {
-		defer b.sendMu.Unlock()
-		_ = c.sendUpdateForAffectedPeers(ctx, accountID, collected)
-
-		// Check if more peer IDs accumulated while we were sending.
-		if !b.hasPending() {
-			return
-		}
-
-		// Schedule a debounced flush for the newly accumulated IDs.
-		b.setTimer(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
-			ids := b.drainPeerIDs()
-			if len(ids) > 0 {
-				_ = c.sendUpdateForAffectedPeers(ctx, accountID, ids)
-			}
-		})
-	}()
-
-	return nil
-}
-
-func (b *bufferAffectedUpdate) addPeerIDs(ids []string) {
-	b.dataMu.Lock()
-	for _, id := range ids {
-		b.peerIDs[id] = struct{}{}
-	}
-	b.dataMu.Unlock()
-}
-
-func (b *bufferAffectedUpdate) drainPeerIDs() []string {
-	b.dataMu.Lock()
-	defer b.dataMu.Unlock()
-	if len(b.peerIDs) == 0 {
-		return nil
-	}
-	ids := make([]string, 0, len(b.peerIDs))
-	for id := range b.peerIDs {
-		ids = append(ids, id)
-	}
-	b.peerIDs = make(map[string]struct{})
-	return ids
-}
-
-func (b *bufferAffectedUpdate) hasPending() bool {
-	b.dataMu.Lock()
-	defer b.dataMu.Unlock()
-	return len(b.peerIDs) > 0
-}
-
-func (b *bufferAffectedUpdate) stopTimer() {
-	b.dataMu.Lock()
-	defer b.dataMu.Unlock()
-	if b.next != nil {
-		b.next.Stop()
-	}
-}
-
-func (b *bufferAffectedUpdate) setTimer(d time.Duration, f func()) {
-	b.dataMu.Lock()
-	defer b.dataMu.Unlock()
-	if b.next == nil {
-		b.next = time.AfterFunc(d, f)
-		return
-	}
-	b.next.Reset(d)
-}
-
 func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	if isRequiresApproval {
 		network, err := c.repo.GetAccountNetwork(ctx, accountID)
@@ -773,24 +577,21 @@ func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *t
 	return false, nil
 }

-func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
-	if len(affectedPeerIDs) == 0 {
-		log.WithContext(ctx).Tracef("no affected peers for peer update in account %s, skipping", accountID)
-		return nil
+func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string) error {
+	err := c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationUpdate})
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to buffer update account peers for peer update in account %s: %v", accountID, err)
 	}
-	return c.BufferUpdateAffectedPeers(ctx, accountID, affectedPeerIDs, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationUpdate})
+
+	return nil
 }

-func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
+func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
 	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
-	if len(affectedPeerIDs) == 0 {
-		log.WithContext(ctx).Tracef("no affected peers for peer add in account %s, skipping", accountID)
-		return nil
-	}
-	return c.BufferUpdateAffectedPeers(ctx, accountID, affectedPeerIDs, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationCreate})
+	return c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationCreate})
 }

-func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
+func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error {
 	network, err := c.repo.GetAccountNetwork(ctx, accountID)
 	if err != nil {
 		return err
@@ -823,11 +624,7 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
 	}

-	if len(affectedPeerIDs) == 0 {
-		log.WithContext(ctx).Tracef("no affected peers for peer delete in account %s, skipping network map update", accountID)
-		return nil
-	}
-	return c.BufferUpdateAffectedPeers(ctx, accountID, affectedPeerIDs, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationDelete})
+	return c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationDelete})
 }

 // GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
--- a/management/internals/controllers/network_map/interface.go
+++ b/management/internals/controllers/network_map/interface.go
@@ -19,8 +19,6 @@ const (

 type Controller interface {
 	UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
-	UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error
-	BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error
 	UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error
 	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
 	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
@@ -29,9 +27,9 @@ type Controller interface {
 	GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error)
 	CountStreams() int

-	OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string, affectedPeerIDs []string) error
-	OnPeersAdded(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error
-	OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error
+	OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string) error
+	OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error
+	OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error
 	DisconnectPeers(ctx context.Context, accountId string, peerIDs []string)
 	OnPeerConnected(ctx context.Context, accountID string, peerID string) (chan *UpdateMessage, error)
 	OnPeerDisconnected(ctx context.Context, accountID string, peerID string)
--- a/management/internals/controllers/network_map/interface_mock.go
+++ b/management/internals/controllers/network_map/interface_mock.go
@@ -57,20 +57,6 @@ func (mr *MockControllerMockRecorder) BufferUpdateAccountPeers(ctx, accountID, r
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAccountPeers), ctx, accountID, reason)
 }

-// BufferUpdateAffectedPeers mocks base method.
-func (m *MockController) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "BufferUpdateAffectedPeers", ctx, accountID, peerIDs, reason)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// BufferUpdateAffectedPeers indicates an expected call of BufferUpdateAffectedPeers.
-func (mr *MockControllerMockRecorder) BufferUpdateAffectedPeers(ctx, accountID, peerIDs, reason any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAffectedPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAffectedPeers), ctx, accountID, peerIDs, reason)
-}
-
 // CountStreams mocks base method.
 func (m *MockController) CountStreams() int {
 	m.ctrl.T.Helper()
@@ -172,45 +158,45 @@ func (mr *MockControllerMockRecorder) OnPeerDisconnected(ctx, accountID, peerID
 }

 // OnPeersAdded mocks base method.
-func (m *MockController) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
+func (m *MockController) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OnPeersAdded", ctx, accountID, peerIDs, affectedPeerIDs)
+	ret := m.ctrl.Call(m, "OnPeersAdded", ctx, accountID, peerIDs)
 	ret0, _ := ret[0].(error)
 	return ret0
 }

 // OnPeersAdded indicates an expected call of OnPeersAdded.
-func (mr *MockControllerMockRecorder) OnPeersAdded(ctx, accountID, peerIDs, affectedPeerIDs any) *gomock.Call {
+func (mr *MockControllerMockRecorder) OnPeersAdded(ctx, accountID, peerIDs any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersAdded", reflect.TypeOf((*MockController)(nil).OnPeersAdded), ctx, accountID, peerIDs, affectedPeerIDs)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersAdded", reflect.TypeOf((*MockController)(nil).OnPeersAdded), ctx, accountID, peerIDs)
 }

 // OnPeersDeleted mocks base method.
-func (m *MockController) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
+func (m *MockController) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OnPeersDeleted", ctx, accountID, peerIDs, affectedPeerIDs)
+	ret := m.ctrl.Call(m, "OnPeersDeleted", ctx, accountID, peerIDs)
 	ret0, _ := ret[0].(error)
 	return ret0
 }

 // OnPeersDeleted indicates an expected call of OnPeersDeleted.
-func (mr *MockControllerMockRecorder) OnPeersDeleted(ctx, accountID, peerIDs, affectedPeerIDs any) *gomock.Call {
+func (mr *MockControllerMockRecorder) OnPeersDeleted(ctx, accountID, peerIDs any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersDeleted", reflect.TypeOf((*MockController)(nil).OnPeersDeleted), ctx, accountID, peerIDs, affectedPeerIDs)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersDeleted", reflect.TypeOf((*MockController)(nil).OnPeersDeleted), ctx, accountID, peerIDs)
 }

 // OnPeersUpdated mocks base method.
-func (m *MockController) OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string, affectedPeerIDs []string) error {
+func (m *MockController) OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OnPeersUpdated", ctx, accountId, peerIDs, affectedPeerIDs)
+	ret := m.ctrl.Call(m, "OnPeersUpdated", ctx, accountId, peerIDs)
 	ret0, _ := ret[0].(error)
 	return ret0
 }

 // OnPeersUpdated indicates an expected call of OnPeersUpdated.
-func (mr *MockControllerMockRecorder) OnPeersUpdated(ctx, accountId, peerIDs, affectedPeerIDs any) *gomock.Call {
+func (mr *MockControllerMockRecorder) OnPeersUpdated(ctx, accountId, peerIDs any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersUpdated", reflect.TypeOf((*MockController)(nil).OnPeersUpdated), ctx, accountId, peerIDs, affectedPeerIDs)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersUpdated", reflect.TypeOf((*MockController)(nil).OnPeersUpdated), ctx, accountId, peerIDs)
 }

 // StartWarmup mocks base method.
@@ -264,17 +250,3 @@ func (mr *MockControllerMockRecorder) UpdateAccountPeers(ctx, accountID, reason
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockController)(nil).UpdateAccountPeers), ctx, accountID, reason)
 }
-
-// UpdateAffectedPeers mocks base method.
-func (m *MockController) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateAffectedPeers", ctx, accountID, peerIDs)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateAffectedPeers indicates an expected call of UpdateAffectedPeers.
-func (mr *MockControllerMockRecorder) UpdateAffectedPeers(ctx, accountID, peerIDs any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAffectedPeers", reflect.TypeOf((*MockController)(nil).UpdateAffectedPeers), ctx, accountID, peerIDs)
-}
--- a/management/internals/server/boot.go
+++ b/management/internals/server/boot.go
@@ -10,8 +10,10 @@ import (
 	"slices"
 	"time"

+	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware/v2"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
+	"github.com/rs/cors"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -19,7 +21,6 @@ import (
 	"google.golang.org/grpc/keepalive"

 	cachestore "github.com/eko/gocache/lib/v4/store"
-	"github.com/netbirdio/management-integrations/integrations"

 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/formatter/hook"
@@ -27,16 +28,20 @@ import (
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/activity"
+	activitystore "github.com/netbirdio/netbird/management/server/activity/store"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
 	nbhttp "github.com/netbirdio/netbird/management/server/http"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
+	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/util/crypt"
 )

+const apiPrefix = "/api"
+
 var (
 	kaep = keepalive.EnforcementPolicy{
 		MinTime:             15 * time.Second,
@@ -94,12 +99,17 @@ func (s *BaseServer) Store() store.Store {

 func (s *BaseServer) EventStore() activity.Store {
 	return Create(s, func() activity.Store {
-		integrationMetrics, err := integrations.InitIntegrationMetrics(context.Background(), s.Metrics())
-		if err != nil {
-			log.Fatalf("failed to initialize integration metrics: %v", err)
+		var err error
+		key := s.Config.DataStoreEncryptionKey
+		if key == "" {
+			log.Debugf("generate new activity store encryption key")
+			key, err = crypt.GenerateKey()
+			if err != nil {
+				log.Fatalf("failed to generate event store encryption key: %v", err)
+			}
 		}

-		eventStore, _, err := integrations.InitEventStore(context.Background(), s.Config.Datadir, s.Config.DataStoreEncryptionKey, integrationMetrics)
+		eventStore, err := activitystore.NewSqlStore(context.Background(), s.Config.Datadir, key)
 		if err != nil {
 			log.Fatalf("failed to initialize event store: %v", err)
 		}
@@ -110,7 +120,7 @@ func (s *BaseServer) EventStore() activity.Store {

 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.Router(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.PermissionsManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter(), s.IsValidChildAccount)
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -118,6 +128,22 @@ func (s *BaseServer) APIHandler() http.Handler {
 	})
 }

+// IDPHandler returns the HTTP handler for the embedded IdP (Dex), or nil if
+// the deployment isn't using the embedded variant.
+func (s *BaseServer) IDPHandler() http.Handler {
+	embeddedIdP, ok := s.IdpManager().(*idp.EmbeddedIdPManager)
+	if !ok || embeddedIdP == nil {
+		return nil
+	}
+	return cors.AllowAll().Handler(embeddedIdP.Handler())
+}
+
+func (s *BaseServer) Router() *mux.Router {
+	return Create(s, func() *mux.Router {
+		return mux.NewRouter().PathPrefix(apiPrefix).Subrouter()
+	})
+}
+
 func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {
 	return Create(s, func() *middleware.APIRateLimiter {
 		cfg, enabled := middleware.RateLimiterConfigFromEnv()
@@ -129,68 +155,72 @@ func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {

 func (s *BaseServer) GRPCServer() *grpc.Server {
 	return Create(s, func() *grpc.Server {
-		trustedPeers := s.Config.ReverseProxy.TrustedPeers
-		defaultTrustedPeers := []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}
-		if len(trustedPeers) == 0 || slices.Equal[[]netip.Prefix](trustedPeers, defaultTrustedPeers) {
-			log.WithContext(context.Background()).Warn("TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.")
-			trustedPeers = defaultTrustedPeers
-		}
-		trustedHTTPProxies := s.Config.ReverseProxy.TrustedHTTPProxies
-		trustedProxiesCount := s.Config.ReverseProxy.TrustedHTTPProxiesCount
-		if len(trustedHTTPProxies) > 0 && trustedProxiesCount > 0 {
-			log.WithContext(context.Background()).Warn("TrustedHTTPProxies and TrustedHTTPProxiesCount both are configured. " +
-				"This is not recommended way to extract X-Forwarded-For. Consider using one of these options.")
-		}
-		realipOpts := []realip.Option{
-			realip.WithTrustedPeers(trustedPeers),
-			realip.WithTrustedProxies(trustedHTTPProxies),
-			realip.WithTrustedProxiesCount(trustedProxiesCount),
-			realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
-		}
-		proxyUnary, proxyStream, proxyAuthClose := nbgrpc.NewProxyAuthInterceptors(s.Store())
-		s.proxyAuthClose = proxyAuthClose
-		gRPCOpts := []grpc.ServerOption{
-			grpc.KeepaliveEnforcementPolicy(kaep),
-			grpc.KeepaliveParams(kasp),
-			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor, proxyUnary),
-			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor, proxyStream),
-		}
-
-		if s.Config.HttpConfig.LetsEncryptDomain != "" {
-			certManager, err := encryption.CreateCertManager(s.Config.Datadir, s.Config.HttpConfig.LetsEncryptDomain)
-			if err != nil {
-				log.Fatalf("failed to create certificate service: %v", err)
-			}
-			transportCredentials := credentials.NewTLS(certManager.TLSConfig())
-			gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
-		} else if s.Config.HttpConfig.CertFile != "" && s.Config.HttpConfig.CertKey != "" {
-			tlsConfig, err := loadTLSConfig(s.Config.HttpConfig.CertFile, s.Config.HttpConfig.CertKey)
-			if err != nil {
-				log.Fatalf("cannot load TLS credentials: %v", err)
-			}
-			transportCredentials := credentials.NewTLS(tlsConfig)
-			gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
-		}
-
-		gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider(), s.SessionStore())
-		if err != nil {
-			log.Fatalf("failed to create management server: %v", err)
-		}
-		serviceMgr := s.ServiceManager()
-		srv.SetReverseProxyManager(serviceMgr)
-		if serviceMgr != nil {
-			serviceMgr.StartExposeReaper(context.Background())
-		}
-		mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)
-
-		mgmtProto.RegisterProxyServiceServer(gRPCAPIHandler, s.ReverseProxyGRPCServer())
-		log.Info("ProxyService registered on gRPC server")
-
-		return gRPCAPIHandler
+		return s.BuildGRPCServer(s.ExtendNetBirdConfig)
 	})
 }

+func (s *BaseServer) BuildGRPCServer(configExtender nbgrpc.ConfigExtender) *grpc.Server {
+	trustedPeers := s.Config.ReverseProxy.TrustedPeers
+	defaultTrustedPeers := []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}
+	if len(trustedPeers) == 0 || slices.Equal(trustedPeers, defaultTrustedPeers) {
+		log.WithContext(context.Background()).Warn("TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.")
+		trustedPeers = defaultTrustedPeers
+	}
+	trustedHTTPProxies := s.Config.ReverseProxy.TrustedHTTPProxies
+	trustedProxiesCount := s.Config.ReverseProxy.TrustedHTTPProxiesCount
+	if len(trustedHTTPProxies) > 0 && trustedProxiesCount > 0 {
+		log.WithContext(context.Background()).Warn("TrustedHTTPProxies and TrustedHTTPProxiesCount both are configured. " +
+			"This is not recommended way to extract X-Forwarded-For. Consider using one of these options.")
+	}
+	realipOpts := []realip.Option{
+		realip.WithTrustedPeers(trustedPeers),
+		realip.WithTrustedProxies(trustedHTTPProxies),
+		realip.WithTrustedProxiesCount(trustedProxiesCount),
+		realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
+	}
+	proxyUnary, proxyStream, proxyAuthClose := nbgrpc.NewProxyAuthInterceptors(s.Store())
+	s.proxyAuthClose = proxyAuthClose
+	gRPCOpts := []grpc.ServerOption{
+		grpc.KeepaliveEnforcementPolicy(kaep),
+		grpc.KeepaliveParams(kasp),
+		grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor, proxyUnary),
+		grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor, proxyStream),
+	}
+
+	if s.Config.HttpConfig.LetsEncryptDomain != "" {
+		certManager, err := encryption.CreateCertManager(s.Config.Datadir, s.Config.HttpConfig.LetsEncryptDomain)
+		if err != nil {
+			log.Fatalf("failed to create certificate service: %v", err)
+		}
+		transportCredentials := credentials.NewTLS(certManager.TLSConfig())
+		gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
+	} else if s.Config.HttpConfig.CertFile != "" && s.Config.HttpConfig.CertKey != "" {
+		tlsConfig, err := loadTLSConfig(s.Config.HttpConfig.CertFile, s.Config.HttpConfig.CertKey)
+		if err != nil {
+			log.Fatalf("cannot load TLS credentials: %v", err)
+		}
+		transportCredentials := credentials.NewTLS(tlsConfig)
+		gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
+	}
+
+	gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
+	srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider(), s.SessionStore(), configExtender)
+	if err != nil {
+		log.Fatalf("failed to create management server: %v", err)
+	}
+	serviceMgr := s.ServiceManager()
+	srv.SetReverseProxyManager(serviceMgr)
+	if serviceMgr != nil {
+		serviceMgr.StartExposeReaper(context.Background())
+	}
+	mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)
+
+	mgmtProto.RegisterProxyServiceServer(gRPCAPIHandler, s.ReverseProxyGRPCServer())
+	log.Info("ProxyService registered on gRPC server")
+
+	return gRPCAPIHandler
+}
+
 func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 	return Create(s, func() *nbgrpc.ProxyServiceServer {
 		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.PKCEVerifierStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager(), s.ProxyManager(), s.Store())
--- a/management/internals/server/controllers.go
+++ b/management/internals/server/controllers.go
@@ -21,7 +21,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
+	"github.com/netbirdio/netbird/management/server/types"
 	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
+	"github.com/netbirdio/netbird/shared/management/proto"
 )

 func (s *BaseServer) PeersUpdateManager() network_map.PeersUpdateManager {
@@ -38,8 +40,11 @@ func (s *BaseServer) JobManager() *job.Manager {

 func (s *BaseServer) IntegratedValidator() integrated_validator.IntegratedValidator {
 	return Create(s, func() integrated_validator.IntegratedValidator {
+		// TODO: Replace
 		integratedPeerValidator, err := integrations.NewIntegratedValidator(
 			context.Background(),
+			nil,
+			s.Store(),
 			s.PeersManager(),
 			s.SettingsManager(),
 			s.EventStore(),
@@ -59,7 +64,7 @@ func (s *BaseServer) ProxyController() port_forwarding.Controller {

 func (s *BaseServer) SecretsManager() grpc.SecretsManager {
 	return Create(s, func() grpc.SecretsManager {
-		secretsManager, err := grpc.NewTimeBasedAuthSecretsManager(s.PeersUpdateManager(), s.Config.TURNConfig, s.Config.Relay, s.SettingsManager(), s.GroupsManager())
+		secretsManager, err := grpc.NewTimeBasedAuthSecretsManager(s.PeersUpdateManager(), s.Config.TURNConfig, s.Config.Relay, s.SettingsManager(), s.GroupsManager(), s.ExtendNetBirdConfig)
 		if err != nil {
 			log.Fatalf("failed to create secrets manager: %v", err)
 		}
@@ -122,7 +127,7 @@ func (s *BaseServer) EphemeralManager() ephemeral.Manager {

 func (s *BaseServer) NetworkMapController() network_map.Controller {
 	return Create(s, func() network_map.Controller {
-		return nmapcontroller.NewController(context.Background(), s.Store(), s.Metrics(), s.PeersUpdateManager(), s.AccountRequestBuffer(), s.IntegratedValidator(), s.SettingsManager(), s.DNSDomain(), s.ProxyController(), s.EphemeralManager(), s.Config)
+		return nmapcontroller.NewController(context.Background(), s.Store(), s.Metrics(), s.PeersUpdateManager(), s.AccountRequestBuffer(), s.IntegratedValidator(), s.SettingsManager(), s.DNSDomain(), s.ProxyController(), s.EphemeralManager(), s.Config, s.ExtendNetBirdConfig)
 	})
 }

@@ -145,3 +150,7 @@ func (s *BaseServer) AccountRequestBuffer() *server.AccountRequestBuffer {
 func (s *BaseServer) DNSDomain() string {
 	return s.dnsDomain
 }
+
+func (s *BaseServer) ExtendNetBirdConfig(_ string, _ []string, config *proto.NetbirdConfig, _ *types.ExtraSettings) *proto.NetbirdConfig {
+	return config
+}
--- a/management/internals/server/modules.go
+++ b/management/internals/server/modules.go
@@ -57,13 +57,7 @@ func (s *BaseServer) GeoLocationManager() geolocation.Geolocation {

 func (s *BaseServer) PermissionsManager() permissions.Manager {
 	return Create(s, func() permissions.Manager {
-		manager := integrations.InitPermissionsManager(s.Store(), s.Metrics().GetMeter())
-
-		s.AfterInit(func(s *BaseServer) {
-			manager.SetAccountManager(s.AccountManager())
-		})
-
-		return manager
+		return permissions.NewManager(s.Store())
 	})
 }

@@ -153,7 +147,6 @@ func (s *BaseServer) IdpManager() idp.Manager {
 			return idpManager
 		}

-
 		return nil
 	})
 }
@@ -235,3 +228,7 @@ func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
 		return &m
 	})
 }
+
+func (s *BaseServer) IsValidChildAccount(_ context.Context, _, _, _ string) bool {
+	return false
+}
--- a/management/internals/server/server.go
+++ b/management/internals/server/server.go
@@ -188,7 +188,7 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		log.WithContext(srvCtx).Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String())
 	}

-	rootHandler := s.handlerFunc(srvCtx, s.GRPCServer(), s.APIHandler(), s.Metrics().GetMeter())
+	rootHandler := s.handlerFunc(srvCtx, s.GRPCServer(), s.APIHandler(), s.IDPHandler(), s.Metrics().GetMeter())
 	switch {
 	case s.certManager != nil:
 		// a call to certManager.Listener() always creates a new listener so we do it once
@@ -299,7 +299,7 @@ func (s *BaseServer) SetHandlerFunc(handler http.Handler) {
 	log.Tracef("custom handler set successfully")
 }

-func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, httpHandler http.Handler, meter metric.Meter) http.Handler {
+func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, httpHandler http.Handler, idpHandler http.Handler, meter metric.Meter) http.Handler {
 	// Check if a custom handler was set (for multiplexing additional services)
 	if customHandler, ok := s.GetContainer("customHandler"); ok {
 		if handler, ok := customHandler.(http.Handler); ok {
@@ -318,6 +318,8 @@ func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, ht
 			gRPCHandler.ServeHTTP(writer, request)
 		case request.URL.Path == wsproxy.ProxyPath+wsproxy.ManagementComponent:
 			wsProxy.Handler().ServeHTTP(writer, request)
+		case idpHandler != nil && strings.HasPrefix(request.URL.Path, "/oauth2"):
+			idpHandler.ServeHTTP(writer, request)
 		default:
 			httpHandler.ServeHTTP(writer, request)
 		}
--- a/management/internals/shared/grpc/conversion.go
+++ b/management/internals/shared/grpc/conversion.go
@@ -10,8 +10,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	goproto "google.golang.org/protobuf/proto"

-	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
-
 	"github.com/netbirdio/netbird/client/ssh/auth"

 	nbdns "github.com/netbirdio/netbird/dns"
@@ -26,6 +24,8 @@ import (
 	"github.com/netbirdio/netbird/shared/sshauth"
 )

+type ConfigExtender func(peerID string, peerGroups []string, config *proto.NetbirdConfig, extras *types.ExtraSettings) *proto.NetbirdConfig
+
 func toNetbirdConfig(config *nbconfig.Config, turnCredentials *Token, relayToken *Token, extraSettings *types.ExtraSettings) *proto.NetbirdConfig {
 	if config == nil {
 		return nil
@@ -127,7 +127,7 @@ func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, set
 	return peerConfig
 }

-func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfig.DeviceAuthorizationFlow, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *cache.DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string, dnsFwdPort int64) *proto.SyncResponse {
+func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfig.DeviceAuthorizationFlow, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *cache.DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string, dnsFwdPort int64, configExtender ConfigExtender) *proto.SyncResponse {
 	// IPv6 data in AllowedIPs and SourcePrefixes wildcard expansion depends on
 	// whether the target peer supports IPv6. Routes and firewall rules are already
 	// filtered at the source (network map builder).
@@ -146,8 +146,10 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 	}

 	nbConfig := toNetbirdConfig(config, turnCredentials, relayCredentials, extraSettings)
-	extendedConfig := integrationsConfig.ExtendNetBirdConfig(peer.ID, peerGroups, nbConfig, extraSettings)
-	response.NetbirdConfig = extendedConfig
+	if configExtender != nil {
+		nbConfig = configExtender(peer.ID, peerGroups, nbConfig, extraSettings)
+	}
+	response.NetbirdConfig = nbConfig

 	response.NetworkMap.PeerConfig = response.PeerConfig

@@ -332,7 +334,6 @@ func toProtocolFirewallRules(rules []*types.FirewallRule, includeIPv6, useSource
 	return result
 }

-
 // populateSourcePrefixes sets SourcePrefixes on fwRule and returns any
 // additional rules needed (e.g. a v6 wildcard clone when the peer IP is unspecified).
 func populateSourcePrefixes(fwRule *proto.FirewallRule, rule *types.FirewallRule, includeIPv6 bool) []*proto.FirewallRule {
--- a/management/internals/shared/grpc/server.go
+++ b/management/internals/shared/grpc/server.go
@@ -86,6 +86,8 @@ type Server struct {

 	reverseProxyManager rpservice.Manager
 	reverseProxyMu      sync.RWMutex
+
+	configExtender ConfigExtender
 }

 // NewServer creates a new Management server
@@ -101,6 +103,7 @@ func NewServer(
 	networkMapController network_map.Controller,
 	oAuthConfigProvider idp.OAuthConfigProvider,
 	sessionStore *auth.SessionStore,
+	configExtender ConfigExtender,
 ) (*Server, error) {
 	if appMetrics != nil {
 		// update gauge based on number of connected peers which is equal to open gRPC streams
@@ -144,6 +147,7 @@ func NewServer(
 		networkMapController:     networkMapController,
 		oAuthConfigProvider:      oAuthConfigProvider,
 		sessionStore:             sessionStore,
+		configExtender:           configExtender,

 		loginFilter: newLoginFilter(),

@@ -932,7 +936,7 @@ func (s *Server) sendInitialSync(ctx context.Context, peerKey wgtypes.Key, peer
 		return status.Errorf(codes.Internal, "failed to get peer groups %s", err)
 	}

-	plainResp := ToSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)
+	plainResp := ToSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort, s.configExtender)

 	key, err := s.secretsManager.GetWGKey()
 	if err != nil {
--- a/management/internals/shared/grpc/token_mgr.go
+++ b/management/internals/shared/grpc/token_mgr.go
@@ -12,7 +12,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

-	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -46,11 +45,12 @@ type TimeBasedAuthSecretsManager struct {
 	turnCancelMap   map[string]chan struct{}
 	relayCancelMap  map[string]chan struct{}
 	wgKey           wgtypes.Key
+	configExtender  ConfigExtender
 }

 type Token auth.Token

-func NewTimeBasedAuthSecretsManager(updateManager network_map.PeersUpdateManager, turnCfg *nbconfig.TURNConfig, relayCfg *nbconfig.Relay, settingsManager settings.Manager, groupsManager groups.Manager) (*TimeBasedAuthSecretsManager, error) {
+func NewTimeBasedAuthSecretsManager(updateManager network_map.PeersUpdateManager, turnCfg *nbconfig.TURNConfig, relayCfg *nbconfig.Relay, settingsManager settings.Manager, groupsManager groups.Manager, configExtender ConfigExtender) (*TimeBasedAuthSecretsManager, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return nil, err
@@ -65,6 +65,7 @@ func NewTimeBasedAuthSecretsManager(updateManager network_map.PeersUpdateManager
 		settingsManager: settingsManager,
 		groupsManager:   groupsManager,
 		wgKey:           key,
+		configExtender:  configExtender,
 	}

 	if turnCfg != nil {
@@ -286,6 +287,7 @@ func (m *TimeBasedAuthSecretsManager) extendNetbirdConfig(ctx context.Context, p
 		log.WithContext(ctx).Errorf("failed to get peer groups: %v", err)
 	}

-	extendedConfig := integrationsConfig.ExtendNetBirdConfig(peerID, peerGroups, update.NetbirdConfig, extraSettings)
-	update.NetbirdConfig = extendedConfig
+	if m.configExtender != nil {
+		update.NetbirdConfig = m.configExtender(peerID, peerGroups, update.NetbirdConfig, extraSettings)
+	}
 }
--- a/management/internals/shared/grpc/token_mgr_test.go
+++ b/management/internals/shared/grpc/token_mgr_test.go
@@ -51,7 +51,7 @@ func TestTimeBasedAuthSecretsManager_GenerateCredentials(t *testing.T) {
 		Secret:               secret,
 		Turns:                []*config.Host{TurnTestHost},
 		TimeBasedCredentials: true,
-	}, rc, settingsMockManager, groupsManager)
+	}, rc, settingsMockManager, groupsManager, nil)
 	require.NoError(t, err)

 	turnCredentials, err := tested.GenerateTurnToken()
@@ -104,7 +104,7 @@ func TestTimeBasedAuthSecretsManager_SetupRefresh(t *testing.T) {
 		Secret:               secret,
 		Turns:                []*config.Host{TurnTestHost},
 		TimeBasedCredentials: true,
-	}, rc, settingsMockManager, groupsManager)
+	}, rc, settingsMockManager, groupsManager, nil)
 	require.NoError(t, err)

 	ctx, cancel := context.WithCancel(context.Background())
@@ -208,7 +208,7 @@ func TestTimeBasedAuthSecretsManager_CancelRefresh(t *testing.T) {
 		Secret:               secret,
 		Turns:                []*config.Host{TurnTestHost},
 		TimeBasedCredentials: true,
-	}, rc, settingsMockManager, groupsManager)
+	}, rc, settingsMockManager, groupsManager, nil)
 	require.NoError(t, err)

 	tested.SetupRefresh(context.Background(), "someAccountID", peer)
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -2562,9 +2562,7 @@ func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, us
 		if err != nil {
 			return err
 		}
-		changedPeerIDs := []string{peerID}
-		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-		err = am.networkMapController.OnPeersUpdated(ctx, peer.AccountID, changedPeerIDs, affectedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, peer.AccountID, []string{peerID})
 		if err != nil {
 			return fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -2655,9 +2653,7 @@ func (am *DefaultAccountManager) UpdatePeerIPv6(ctx context.Context, accountID,
 	}

 	if updateNetworkMap {
-		changedPeerIDs := []string{peerID}
-		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
+		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peerID}); err != nil {
 			return fmt.Errorf("notify network map controller: %w", err)
 		}
 	}
--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -127,8 +127,6 @@ type Manager interface {
 	GetAccountSettings(ctx context.Context, accountID string, userID string) (*types.Settings, error)
 	DeleteSetupKey(ctx context.Context, accountID, userID, keyID string) error
 	UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason)
-	UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string)
-	BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason)
 	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason)
 	BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
 	SyncUserJWTGroups(ctx context.Context, userAuth auth.UserAuth) error
--- a/management/server/account/manager_mock.go
+++ b/management/server/account/manager_mock.go
@@ -122,18 +122,6 @@ func (mr *MockManagerMockRecorder) BufferUpdateAccountPeers(ctx, accountID, reas
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockManager)(nil).BufferUpdateAccountPeers), ctx, accountID, reason)
 }

-// BufferUpdateAffectedPeers mocks base method.
-func (m *MockManager) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "BufferUpdateAffectedPeers", ctx, accountID, peerIDs, reason)
-}
-
-// BufferUpdateAffectedPeers indicates an expected call of BufferUpdateAffectedPeers.
-func (mr *MockManagerMockRecorder) BufferUpdateAffectedPeers(ctx, accountID, peerIDs, reason interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAffectedPeers", reflect.TypeOf((*MockManager)(nil).BufferUpdateAffectedPeers), ctx, accountID, peerIDs, reason)
-}
-
 // BuildUserInfosForAccount mocks base method.
 func (m *MockManager) BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error) {
 	m.ctrl.T.Helper()
@@ -1634,18 +1622,6 @@ func (mr *MockManagerMockRecorder) UpdateAccountPeers(ctx, accountID, reason int
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockManager)(nil).UpdateAccountPeers), ctx, accountID, reason)
 }

-// UpdateAffectedPeers mocks base method.
-func (m *MockManager) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "UpdateAffectedPeers", ctx, accountID, peerIDs)
-}
-
-// UpdateAffectedPeers indicates an expected call of UpdateAffectedPeers.
-func (mr *MockManagerMockRecorder) UpdateAffectedPeers(ctx, accountID, peerIDs interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAffectedPeers", reflect.TypeOf((*MockManager)(nil).UpdateAffectedPeers), ctx, accountID, peerIDs)
-}
-
 // UpdateAccountSettings mocks base method.
 func (m *MockManager) UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error) {
 	m.ctrl.T.Helper()
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -3186,7 +3186,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{}, nil)
 	manager, err := BuildManager(ctx, &config.Config{}, store, networkMapController, job.NewJobManager(nil, store, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		return nil, nil, err
@@ -3282,19 +3282,6 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *update_channel.
 // when the channel delivers.
 const peerUpdateTimeout = 5 * time.Second

-func drainPeerUpdates(ch <-chan *network_map.UpdateMessage) {
-	for {
-		select {
-		case _, ok := <-ch:
-			if !ok {
-				return
-			}
-		case <-time.After(200 * time.Millisecond):
-			return
-		}
-	}
-}
-
 func peerShouldNotReceiveUpdate(t *testing.T, updateMessage <-chan *network_map.UpdateMessage) {
 	t.Helper()
 	select {
--- a/management/server/affected_groups.go
+++ b/management/server/affected_groups.go
@@ -1,223 +0,0 @@
-package server
-
-import (
-	"context"
-
-	log "github.com/sirupsen/logrus"
-
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
-)
-
-// collectPeerChangeAffectedGroups walks policies, routes, nameservers, DNS settings,
-// and network routers to collect all group IDs and direct peer IDs affected by the
-// changed groups and/or changed peers. Each collection is fetched from the store exactly once.
-func collectPeerChangeAffectedGroups(ctx context.Context, transaction store.Store, accountID string, changedGroupIDs, changedPeerIDs []string) (allGroupIDs []string, directPeerIDs []string) {
-	if len(changedGroupIDs) == 0 && len(changedPeerIDs) == 0 {
-		return nil, nil
-	}
-
-	changedGroupSet := toSet(changedGroupIDs)
-	changedPeerSet := toSet(changedPeerIDs)
-
-	groupSet := make(map[string]struct{})
-	peerSet := make(map[string]struct{})
-
-	collectAffectedFromPolicies(ctx, transaction, accountID, changedGroupSet, changedPeerSet, groupSet, peerSet)
-	collectAffectedFromRoutes(ctx, transaction, accountID, changedGroupSet, changedPeerSet, groupSet, peerSet)
-	collectAffectedFromNameServers(ctx, transaction, accountID, changedGroupSet, groupSet)
-	collectAffectedFromDNSSettings(ctx, transaction, accountID, changedGroupSet, groupSet)
-	collectAffectedFromNetworkRouters(ctx, transaction, accountID, changedGroupSet, changedPeerSet, groupSet, peerSet)
-
-	allGroupIDs = setToSlice(groupSet)
-	directPeerIDs = setToSlice(peerSet)
-
-	log.WithContext(ctx).Tracef("affected groups resolution: changedGroups=%v changedPeers=%v -> affectedGroups=%v, directPeers=%v",
-		changedGroupIDs, changedPeerIDs, allGroupIDs, directPeerIDs)
-
-	return allGroupIDs, directPeerIDs
-}
-
-// collectGroupChangeAffectedGroups is a convenience wrapper used by callers that only have changed groups.
-func collectGroupChangeAffectedGroups(ctx context.Context, transaction store.Store, accountID string, changedGroupIDs []string) ([]string, []string) {
-	return collectPeerChangeAffectedGroups(ctx, transaction, accountID, changedGroupIDs, nil)
-}
-
-func collectAffectedFromPolicies(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, groupSet, peerSet map[string]struct{}) {
-	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get policies for affected group resolution: %v", err)
-		return
-	}
-
-	for _, policy := range policies {
-		matchedByGroup := policyReferencesGroups(policy, changedGroupSet)
-		matchedByPeer := len(changedPeerSet) > 0 && policyReferencesDirectPeers(policy, changedPeerSet)
-		if !matchedByGroup && !matchedByPeer {
-			continue
-		}
-		addAllToSet(groupSet, policy.RuleGroups())
-		collectPolicyDirectPeers(policy, peerSet)
-	}
-}
-
-func collectAffectedFromRoutes(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, groupSet, peerSet map[string]struct{}) {
-	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get routes for affected group resolution: %v", err)
-		return
-	}
-
-	for _, r := range routes {
-		matchedByGroup := routeReferencesGroups(r, changedGroupSet)
-		matchedByPeer := r.Peer != "" && len(changedPeerSet) > 0 && isInSet(r.Peer, changedPeerSet)
-		if !matchedByGroup && !matchedByPeer {
-			continue
-		}
-		addAllToSet(groupSet, r.Groups, r.PeerGroups, r.AccessControlGroups)
-		if r.Peer != "" {
-			peerSet[r.Peer] = struct{}{}
-		}
-	}
-}
-
-func collectAffectedFromNameServers(ctx context.Context, transaction store.Store, accountID string, changedGroupSet map[string]struct{}, groupSet map[string]struct{}) {
-	if len(changedGroupSet) == 0 {
-		return
-	}
-
-	nsGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get nameserver groups for affected group resolution: %v", err)
-		return
-	}
-
-	for _, ns := range nsGroups {
-		if anyInSet(ns.Groups, changedGroupSet) {
-			addAllToSet(groupSet, ns.Groups)
-		}
-	}
-}
-
-func collectAffectedFromDNSSettings(ctx context.Context, transaction store.Store, accountID string, changedGroupSet map[string]struct{}, groupSet map[string]struct{}) {
-	if len(changedGroupSet) == 0 {
-		return
-	}
-
-	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get DNS settings for affected group resolution: %v", err)
-		return
-	}
-
-	for _, gID := range dnsSettings.DisabledManagementGroups {
-		if _, ok := changedGroupSet[gID]; ok {
-			groupSet[gID] = struct{}{}
-		}
-	}
-}
-
-func collectAffectedFromNetworkRouters(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, groupSet, peerSet map[string]struct{}) {
-	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get network routers for affected group resolution: %v", err)
-		return
-	}
-
-	for _, router := range routers {
-		matchedByGroup := routerReferencesGroups(router, changedGroupSet)
-		matchedByPeer := router.Peer != "" && len(changedPeerSet) > 0 && isInSet(router.Peer, changedPeerSet)
-		if !matchedByGroup && !matchedByPeer {
-			continue
-		}
-		addAllToSet(groupSet, router.PeerGroups)
-		if router.Peer != "" {
-			peerSet[router.Peer] = struct{}{}
-		}
-	}
-}
-
-func collectPolicyDirectPeers(policy *types.Policy, peerSet map[string]struct{}) {
-	for _, rule := range policy.Rules {
-		if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-			peerSet[rule.SourceResource.ID] = struct{}{}
-		}
-		if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-			peerSet[rule.DestinationResource.ID] = struct{}{}
-		}
-	}
-}
-
-func policyReferencesGroups(policy *types.Policy, groupSet map[string]struct{}) bool {
-	for _, rule := range policy.Rules {
-		if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
-			return true
-		}
-	}
-	return false
-}
-
-func policyReferencesDirectPeers(policy *types.Policy, changedSet map[string]struct{}) bool {
-	for _, rule := range policy.Rules {
-		if isDirectPeerInSet(rule.SourceResource, changedSet) || isDirectPeerInSet(rule.DestinationResource, changedSet) {
-			return true
-		}
-	}
-	return false
-}
-
-func isDirectPeerInSet(res types.Resource, set map[string]struct{}) bool {
-	if res.Type != types.ResourceTypePeer || res.ID == "" {
-		return false
-	}
-	_, ok := set[res.ID]
-	return ok
-}
-
-func routeReferencesGroups(r *route.Route, groupSet map[string]struct{}) bool {
-	return anyInSet(r.Groups, groupSet) || anyInSet(r.PeerGroups, groupSet) || anyInSet(r.AccessControlGroups, groupSet)
-}
-
-func routerReferencesGroups(router *routerTypes.NetworkRouter, groupSet map[string]struct{}) bool {
-	return anyInSet(router.PeerGroups, groupSet)
-}
-
-func anyInSet(ids []string, set map[string]struct{}) bool {
-	for _, id := range ids {
-		if _, ok := set[id]; ok {
-			return true
-		}
-	}
-	return false
-}
-
-func isInSet(id string, set map[string]struct{}) bool {
-	_, ok := set[id]
-	return ok
-}
-
-func addAllToSet(set map[string]struct{}, slices ...[]string) {
-	for _, s := range slices {
-		for _, id := range s {
-			set[id] = struct{}{}
-		}
-	}
-}
-
-func toSet(ids []string) map[string]struct{} {
-	set := make(map[string]struct{}, len(ids))
-	for _, id := range ids {
-		set[id] = struct{}{}
-	}
-	return set
-}
-
-func setToSlice(set map[string]struct{}) []string {
-	s := make([]string, 0, len(set))
-	for id := range set {
-		s = append(s, id)
-	}
-	return s
-}
--- a/management/server/affected_peers_test.go
+++ b/management/server/affected_peers_test.go
--- a/management/server/dns.go
+++ b/management/server/dns.go
@@ -47,8 +47,8 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		return status.NewPermissionDeniedError()
 	}

+	var updateAccountPeers bool
 	var eventsToStore []func()
-	var affectedPeerIDs []string

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateDNSSettings(ctx, transaction, accountID, dnsSettingsToSave); err != nil {
@@ -63,6 +63,11 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		addedGroups := util.Difference(dnsSettingsToSave.DisabledManagementGroups, oldSettings.DisabledManagementGroups)
 		removedGroups := util.Difference(oldSettings.DisabledManagementGroups, dnsSettingsToSave.DisabledManagementGroups)

+		updateAccountPeers, err = areDNSSettingChangesAffectPeers(ctx, transaction, accountID, addedGroups, removedGroups)
+		if err != nil {
+			return err
+		}
+
 		events := am.prepareDNSSettingsEvents(ctx, transaction, accountID, userID, addedGroups, removedGroups)
 		eventsToStore = append(eventsToStore, events...)

@@ -70,9 +75,6 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 			return err
 		}

-		allGroups := slices.Concat(addedGroups, removedGroups)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroups, nil)
-
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -83,11 +85,8 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		storeEvent()
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("SaveDNSSettings: updating %d affected peers: %v", len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("SaveDNSSettings: no affected peers")
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceDNSSettings, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -134,6 +133,20 @@ func (am *DefaultAccountManager) prepareDNSSettingsEvents(ctx context.Context, t
 	return eventsToStore
 }

+// areDNSSettingChangesAffectPeers checks if the DNS settings changes affect any peers.
+func areDNSSettingChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, addedGroups, removedGroups []string) (bool, error) {
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, accountID, addedGroups)
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
+	return anyGroupHasPeersOrResources(ctx, transaction, accountID, removedGroups)
+}
+
 // validateDNSSettings validates the DNS settings.
 func validateDNSSettings(ctx context.Context, transaction store.Store, accountID string, settings *types.DNSSettings) error {
 	if len(settings.DisabledManagementGroups) == 0 {
--- a/management/server/dns_test.go
+++ b/management/server/dns_test.go
@@ -234,7 +234,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.test", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.test", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{}, nil)

 	return BuildManager(context.Background(), nil, store, networkMapController, job.NewJobManager(nil, store, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 }
--- a/management/server/group.go
+++ b/management/server/group.go
@@ -9,12 +9,15 @@ import (
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

+	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/status"
 )

@@ -76,7 +79,7 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 	}

 	var eventsToStore []func()
-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
@@ -88,6 +91,11 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 		events := am.prepareGroupEvents(ctx, transaction, accountID, userID, newGroup)
 		eventsToStore = append(eventsToStore, events...)

+		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{newGroup.ID})
+		if err != nil {
+			return err
+		}
+
 		if err := transaction.CreateGroup(ctx, newGroup); err != nil {
 			return status.Errorf(status.Internal, "failed to create group: %v", err)
 		}
@@ -98,9 +106,6 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 			}
 		}

-		groupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{newGroup.ID})
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
-
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -111,11 +116,8 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 		storeEvent()
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("CreateGroup %s: updating %d affected peers: %v", newGroup.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("CreateGroup %s: no affected peers", newGroup.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationCreate})
 	}

 	return nil
@@ -132,7 +134,7 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 	}

 	var eventsToStore []func()
-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
@@ -163,6 +165,11 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 			}
 		}

+		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{newGroup.ID})
+		if err != nil {
+			return err
+		}
+
 		if err = transaction.UpdateGroup(ctx, newGroup); err != nil {
 			return err
 		}
@@ -171,9 +178,6 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 			return err
 		}

-		groupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{newGroup.ID})
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
-
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -184,11 +188,8 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 		storeEvent()
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("UpdateGroup %s: updating %d affected peers: %v", newGroup.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("UpdateGroup %s: no affected peers", newGroup.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -208,6 +209,7 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 	}

 	var eventsToStore []func()
+	var updateAccountPeers bool

 	var globalErr error
 	groupIDs := make([]string, 0, len(groups))
@@ -245,17 +247,17 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 		}
 	}

+	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
+	if err != nil {
+		return err
+	}
+
 	for _, storeEvent := range eventsToStore {
 		storeEvent()
 	}

-	allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, am.Store, accountID, groupIDs)
-	affectedPeerIDs := am.resolvePeerIDs(ctx, am.Store, accountID, allGroupIDs, directPeerIDs)
-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("CreateGroups %v: updating %d affected peers: %v", groupIDs, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("CreateGroups %v: no affected peers", groupIDs)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationCreate})
 	}

 	return globalErr
@@ -275,6 +277,7 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 	}

 	var eventsToStore []func()
+	var updateAccountPeers bool

 	var globalErr error
 	groupIDs := make([]string, 0, len(groups))
@@ -292,17 +295,17 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 		groupIDs = append(groupIDs, newGroup.ID)
 	}

+	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
+	if err != nil {
+		return err
+	}
+
 	for _, storeEvent := range eventsToStore {
 		storeEvent()
 	}

-	allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, am.Store, accountID, groupIDs)
-	affectedPeerIDs := am.resolvePeerIDs(ctx, am.Store, accountID, allGroupIDs, directPeerIDs)
-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("UpdateGroups %v: updating %d affected peers: %v", groupIDs, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("UpdateGroups %v: no affected peers", groupIDs)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return globalErr
@@ -485,10 +488,15 @@ func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, us

 // GroupAddPeer appends peer to the group
 func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, groupID, peerID string) error {
-	var affectedPeerIDs []string
+	var updateAccountPeers bool
 	var err error

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
+		if err != nil {
+			return err
+		}
+
 		if err = transaction.AddPeerToGroup(ctx, accountID, peerID, groupID); err != nil {
 			return err
 		}
@@ -497,20 +505,14 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr
 			return err
 		}

-		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
-
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("GroupAddPeer group=%s peer=%s: updating %d affected peers: %v", groupID, peerID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("GroupAddPeer group=%s peer=%s: no affected peers", groupID, peerID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -519,7 +521,7 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr
 // GroupAddResource appends resource to the group
 func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID, groupID string, resource types.Resource) error {
 	var group *types.Group
-	var affectedPeerIDs []string
+	var updateAccountPeers bool
 	var err error

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -532,12 +534,14 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 			return nil
 		}

-		if err = transaction.UpdateGroup(ctx, group); err != nil {
+		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
+		if err != nil {
 			return err
 		}

-		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
+		if err = transaction.UpdateGroup(ctx, group); err != nil {
+			return err
+		}

 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
@@ -545,11 +549,8 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 		return err
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("GroupAddResource group=%s resource=%s: updating %d affected peers: %v", groupID, resource.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("GroupAddResource group=%s resource=%s: no affected peers", groupID, resource.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -557,13 +558,14 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID

 // GroupDeletePeer removes peer from the group
 func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID, groupID, peerID string) error {
-	var affectedPeerIDs []string
+	var updateAccountPeers bool
 	var err error

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		// Resolve before removing, so the peer being removed is still included
-		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
+		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
+		if err != nil {
+			return err
+		}

 		if err = transaction.RemovePeerFromGroup(ctx, peerID, groupID); err != nil {
 			return err
@@ -579,11 +581,8 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 		return err
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("GroupDeletePeer group=%s peer=%s: updating %d affected peers: %v", groupID, peerID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("GroupDeletePeer group=%s peer=%s: no affected peers", groupID, peerID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -592,7 +591,7 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 // GroupDeleteResource removes resource from the group
 func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accountID, groupID string, resource types.Resource) error {
 	var group *types.Group
-	var affectedPeerIDs []string
+	var updateAccountPeers bool
 	var err error

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -605,12 +604,14 @@ func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accoun
 			return nil
 		}

-		if err = transaction.UpdateGroup(ctx, group); err != nil {
+		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
+		if err != nil {
 			return err
 		}

-		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
+		if err = transaction.UpdateGroup(ctx, group); err != nil {
+			return err
+		}

 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
@@ -618,11 +619,8 @@ func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accoun
 		return err
 	}

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("GroupDeleteResource group=%s resource=%s: updating %d affected peers: %v", groupID, resource.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("GroupDeleteResource group=%s resource=%s: no affected peers", groupID, resource.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -653,3 +651,230 @@ func validateNewGroup(ctx context.Context, transaction store.Store, accountID st

 	return nil
 }
+
+func validateDeleteGroup(ctx context.Context, transaction store.Store, group *types.Group, userID string, flowGroups []string) error {
+	// disable a deleting integration group if the initiator is not an admin service user
+	if group.Issued == types.GroupIssuedIntegration {
+		executingUser, err := transaction.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
+		if err != nil {
+			return status.Errorf(status.Internal, "failed to get user")
+		}
+		if executingUser.Role != types.UserRoleAdmin || !executingUser.IsServiceUser {
+			return status.Errorf(status.PermissionDenied, "only service users with admin power can delete integration group")
+		}
+	}
+
+	if group.IsGroupAll() {
+		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
+	}
+
+	if len(group.Resources) > 0 {
+		return &GroupLinkError{"network resource", group.Resources[0].ID}
+	}
+
+	if slices.Contains(flowGroups, group.ID) {
+		return &GroupLinkError{"settings", "traffic event logging"}
+	}
+
+	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"route", string(linkedRoute.NetID)}
+	}
+
+	if isLinked, linkedDns := isGroupLinkedToDns(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"name server groups", linkedDns.Name}
+	}
+
+	if isLinked, linkedPolicy := isGroupLinkedToPolicy(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"policy", linkedPolicy.Name}
+	}
+
+	if isLinked, linkedSetupKey := isGroupLinkedToSetupKey(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"setup key", linkedSetupKey.Name}
+	}
+
+	if isLinked, linkedUser := isGroupLinkedToUser(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"user", linkedUser.Id}
+	}
+
+	if isLinked, linkedRouter := isGroupLinkedToNetworkRouter(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"network router", linkedRouter.ID}
+	}
+
+	return checkGroupLinkedToSettings(ctx, transaction, group)
+}
+
+// checkGroupLinkedToSettings verifies if a group is linked to any settings in the account.
+func checkGroupLinkedToSettings(ctx context.Context, transaction store.Store, group *types.Group) error {
+	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, group.AccountID)
+	if err != nil {
+		return status.Errorf(status.Internal, "failed to get DNS settings")
+	}
+
+	if slices.Contains(dnsSettings.DisabledManagementGroups, group.ID) {
+		return &GroupLinkError{"disabled DNS management groups", group.Name}
+	}
+
+	settings, err := transaction.GetAccountSettings(ctx, store.LockingStrengthNone, group.AccountID)
+	if err != nil {
+		return status.Errorf(status.Internal, "failed to get account settings")
+	}
+
+	if settings.Extra != nil && slices.Contains(settings.Extra.IntegratedValidatorGroups, group.ID) {
+		return &GroupLinkError{"integrated validator", group.Name}
+	}
+
+	return nil
+}
+
+// isGroupLinkedToRoute checks if a group is linked to any route in the account.
+func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *route.Route) {
+	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving routes while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, r := range routes {
+		isLinked := slices.Contains(r.Groups, groupID) ||
+			slices.Contains(r.PeerGroups, groupID) ||
+			slices.Contains(r.AccessControlGroups, groupID)
+		if isLinked {
+			return true, r
+		}
+	}
+
+	return false, nil
+}
+
+// isGroupLinkedToPolicy checks if a group is linked to any policy in the account.
+func isGroupLinkedToPolicy(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.Policy) {
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving policies while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, policy := range policies {
+		for _, rule := range policy.Rules {
+			if slices.Contains(rule.Sources, groupID) || slices.Contains(rule.Destinations, groupID) {
+				return true, policy
+			}
+		}
+	}
+	return false, nil
+}
+
+// isGroupLinkedToDns checks if a group is linked to any nameserver group in the account.
+func isGroupLinkedToDns(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *nbdns.NameServerGroup) {
+	nameServerGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving name server groups while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, dns := range nameServerGroups {
+		for _, g := range dns.Groups {
+			if g == groupID {
+				return true, dns
+			}
+		}
+	}
+
+	return false, nil
+}
+
+// isGroupLinkedToSetupKey checks if a group is linked to any setup key in the account.
+func isGroupLinkedToSetupKey(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.SetupKey) {
+	setupKeys, err := transaction.GetAccountSetupKeys(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving setup keys while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, setupKey := range setupKeys {
+		if slices.Contains(setupKey.AutoGroups, groupID) {
+			return true, setupKey
+		}
+	}
+	return false, nil
+}
+
+// isGroupLinkedToUser checks if a group is linked to any user in the account.
+func isGroupLinkedToUser(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.User) {
+	users, err := transaction.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving users while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, user := range users {
+		if slices.Contains(user.AutoGroups, groupID) {
+			return true, user
+		}
+	}
+	return false, nil
+}
+
+// isGroupLinkedToNetworkRouter checks if a group is linked to any network router in the account.
+func isGroupLinkedToNetworkRouter(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *routerTypes.NetworkRouter) {
+	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving network routers while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, router := range routers {
+		if slices.Contains(router.PeerGroups, groupID) {
+			return true, router
+		}
+	}
+	return false, nil
+}
+
+// areGroupChangesAffectPeers checks if any changes to the specified groups will affect peers.
+func areGroupChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
+	if len(groupIDs) == 0 {
+		return false, nil
+	}
+
+	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
+	}
+
+	for _, groupID := range groupIDs {
+		if slices.Contains(dnsSettings.DisabledManagementGroups, groupID) {
+			return true, nil
+		}
+		if linked, _ := isGroupLinkedToDns(ctx, transaction, accountID, groupID); linked {
+			return true, nil
+		}
+		if linked, _ := isGroupLinkedToPolicy(ctx, transaction, accountID, groupID); linked {
+			return true, nil
+		}
+		if linked, _ := isGroupLinkedToRoute(ctx, transaction, accountID, groupID); linked {
+			return true, nil
+		}
+		if linked, _ := isGroupLinkedToNetworkRouter(ctx, transaction, accountID, groupID); linked {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+// anyGroupHasPeersOrResources checks if any of the given groups in the account have peers or resources.
+func anyGroupHasPeersOrResources(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
+	groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthNone, accountID, groupIDs)
+	if err != nil {
+		return false, err
+	}
+
+	for _, group := range groups {
+		if group.HasPeers() || group.HasResources() {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
--- a/management/server/group_linkage.go
+++ b/management/server/group_linkage.go
@@ -1,287 +0,0 @@
-package server
-
-import (
-	"context"
-	"slices"
-
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-func validateDeleteGroup(ctx context.Context, transaction store.Store, group *types.Group, userID string, flowGroups []string) error {
-	// disable a deleting integration group if the initiator is not an admin service user
-	if group.Issued == types.GroupIssuedIntegration {
-		executingUser, err := transaction.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
-		if err != nil {
-			return status.Errorf(status.Internal, "failed to get user")
-		}
-		if executingUser.Role != types.UserRoleAdmin || !executingUser.IsServiceUser {
-			return status.Errorf(status.PermissionDenied, "only service users with admin power can delete integration group")
-		}
-	}
-
-	if group.IsGroupAll() {
-		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
-	}
-
-	if len(group.Resources) > 0 {
-		return &GroupLinkError{"network resource", group.Resources[0].ID}
-	}
-
-	if slices.Contains(flowGroups, group.ID) {
-		return &GroupLinkError{"settings", "traffic event logging"}
-	}
-
-	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"route", string(linkedRoute.NetID)}
-	}
-
-	if isLinked, linkedDns := isGroupLinkedToDns(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"name server groups", linkedDns.Name}
-	}
-
-	if isLinked, linkedPolicy := isGroupLinkedToPolicy(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"policy", linkedPolicy.Name}
-	}
-
-	if isLinked, linkedSetupKey := isGroupLinkedToSetupKey(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"setup key", linkedSetupKey.Name}
-	}
-
-	if isLinked, linkedUser := isGroupLinkedToUser(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"user", linkedUser.Id}
-	}
-
-	if isLinked, linkedRouter := isGroupLinkedToNetworkRouter(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"network router", linkedRouter.ID}
-	}
-
-	return checkGroupLinkedToSettings(ctx, transaction, group)
-}
-
-// checkGroupLinkedToSettings verifies if a group is linked to any settings in the account.
-func checkGroupLinkedToSettings(ctx context.Context, transaction store.Store, group *types.Group) error {
-	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, group.AccountID)
-	if err != nil {
-		return status.Errorf(status.Internal, "failed to get DNS settings")
-	}
-
-	if slices.Contains(dnsSettings.DisabledManagementGroups, group.ID) {
-		return &GroupLinkError{"disabled DNS management groups", group.Name}
-	}
-
-	settings, err := transaction.GetAccountSettings(ctx, store.LockingStrengthNone, group.AccountID)
-	if err != nil {
-		return status.Errorf(status.Internal, "failed to get account settings")
-	}
-
-	if settings.Extra != nil && slices.Contains(settings.Extra.IntegratedValidatorGroups, group.ID) {
-		return &GroupLinkError{"integrated validator", group.Name}
-	}
-
-	return nil
-}
-
-// isGroupLinkedToRoute checks if a group is linked to any route in the account.
-func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *route.Route) {
-	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving routes while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, r := range routes {
-		isLinked := slices.Contains(r.Groups, groupID) ||
-			slices.Contains(r.PeerGroups, groupID) ||
-			slices.Contains(r.AccessControlGroups, groupID)
-		if isLinked {
-			return true, r
-		}
-	}
-
-	return false, nil
-}
-
-// isGroupLinkedToPolicy checks if a group is linked to any policy in the account.
-func isGroupLinkedToPolicy(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.Policy) {
-	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving policies while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, policy := range policies {
-		for _, rule := range policy.Rules {
-			if slices.Contains(rule.Sources, groupID) || slices.Contains(rule.Destinations, groupID) {
-				return true, policy
-			}
-		}
-	}
-	return false, nil
-}
-
-// isGroupLinkedToDns checks if a group is linked to any nameserver group in the account.
-func isGroupLinkedToDns(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *nbdns.NameServerGroup) {
-	nameServerGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving name server groups while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, dns := range nameServerGroups {
-		for _, g := range dns.Groups {
-			if g == groupID {
-				return true, dns
-			}
-		}
-	}
-
-	return false, nil
-}
-
-// isGroupLinkedToSetupKey checks if a group is linked to any setup key in the account.
-func isGroupLinkedToSetupKey(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.SetupKey) {
-	setupKeys, err := transaction.GetAccountSetupKeys(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving setup keys while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, setupKey := range setupKeys {
-		if slices.Contains(setupKey.AutoGroups, groupID) {
-			return true, setupKey
-		}
-	}
-	return false, nil
-}
-
-// isGroupLinkedToUser checks if a group is linked to any user in the account.
-func isGroupLinkedToUser(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.User) {
-	users, err := transaction.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving users while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, user := range users {
-		if slices.Contains(user.AutoGroups, groupID) {
-			return true, user
-		}
-	}
-	return false, nil
-}
-
-// isGroupLinkedToNetworkRouter checks if a group is linked to any network router in the account.
-func isGroupLinkedToNetworkRouter(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *routerTypes.NetworkRouter) {
-	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving network routers while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, router := range routers {
-		if slices.Contains(router.PeerGroups, groupID) {
-			return true, router
-		}
-	}
-	return false, nil
-}
-
-// areGroupChangesAffectPeers checks if any changes to the specified groups will affect peers.
-// It fetches each collection once and checks all groupIDs against them in memory.
-func areGroupChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
-	if len(groupIDs) == 0 {
-		return false, nil
-	}
-
-	groupSet := make(map[string]struct{}, len(groupIDs))
-	for _, id := range groupIDs {
-		groupSet[id] = struct{}{}
-	}
-
-	if affected, err := dnsSettingsReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
-		return affected, err
-	}
-	if affected, err := nameServersReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
-		return affected, err
-	}
-	if affected, err := policiesReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
-		return affected, err
-	}
-	if affected, err := routesReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
-		return affected, err
-	}
-	if affected, err := networkRoutersReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
-		return affected, err
-	}
-
-	return false, nil
-}
-
-func dnsSettingsReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
-	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return false, err
-	}
-	return anyInSet(dnsSettings.DisabledManagementGroups, groupSet), nil
-}
-
-func nameServersReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
-	nameServerGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return false, err
-	}
-	for _, ns := range nameServerGroups {
-		if anyInSet(ns.Groups, groupSet) {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func policiesReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
-	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return false, err
-	}
-	for _, policy := range policies {
-		for _, rule := range policy.Rules {
-			if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
-				return true, nil
-			}
-		}
-	}
-	return false, nil
-}
-
-func routesReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
-	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return false, err
-	}
-	for _, r := range routes {
-		if anyInSet(r.Groups, groupSet) || anyInSet(r.PeerGroups, groupSet) || anyInSet(r.AccessControlGroups, groupSet) {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func networkRoutersReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
-	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return false, err
-	}
-	for _, router := range routers {
-		if anyInSet(router.PeerGroups, groupSet) {
-			return true, nil
-		}
-	}
-	return false, nil
-}
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -15,15 +15,13 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"

 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxytoken"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service/manager"

 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	idpmanager "github.com/netbirdio/netbird/management/server/idp"

-	"github.com/netbirdio/management-integrations/integrations"
-
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -32,12 +30,10 @@ import (
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/settings"

-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"

 	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"

-	nbpeers "github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	nbgroups "github.com/netbirdio/netbird/management/server/groups"
@@ -56,17 +52,14 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
 	nbinstance "github.com/netbirdio/netbird/management/server/instance"
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	nbnetworks "github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )

-const apiPrefix = "/api"
-
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, permissionsManager permissions.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter, isValidChildAccount middleware.IsValidChildAccountFunc) (http.Handler, error) {

 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -100,25 +93,16 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		accountManager.GetUserFromUserAuth,
 		rateLimiter,
 		appMetrics.GetMeter(),
+		isValidChildAccount,
 	)

 	corsMiddleware := cors.AllowAll()

-	rootRouter := mux.NewRouter()
 	metricsMiddleware := appMetrics.HTTPMiddleware()

-	prefix := apiPrefix
-	router := rootRouter.PathPrefix(prefix).Subrouter()
-
 	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler)

-	if _, err := integrations.RegisterHandlers(ctx, prefix, router, accountManager, integratedValidator, appMetrics.GetMeter(), permissionsManager, peersManager, proxyController, settingsManager); err != nil {
-		return nil, fmt.Errorf("register integrations endpoints: %w", err)
-	}
-
-	// Check if embedded IdP is enabled for instance manager
-	embeddedIdP, embeddedIdpEnabled := idpManager.(*idpmanager.EmbeddedIdPManager)
-	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), embeddedIdP)
+	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), idpManager)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create instance manager: %w", err)
 	}
@@ -154,10 +138,5 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		oauthHandler.RegisterEndpoints(router)
 	}

-	// Mount embedded IdP handler at /oauth2 path if configured
-	if embeddedIdpEnabled {
-		rootRouter.PathPrefix("/oauth2").Handler(corsMiddleware.Handler(embeddedIdP.Handler()))
-	}
-
-	return rootRouter, nil
+	return router, nil
 }
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -11,8 +11,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"

-	"github.com/netbirdio/management-integrations/integrations"
-
 	serverauth "github.com/netbirdio/netbird/management/server/auth"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
@@ -27,6 +25,8 @@ type SyncUserJWTGroupsFunc func(ctx context.Context, userAuth auth.UserAuth) err

 type GetUserFromUserAuthFunc func(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)

+type IsValidChildAccountFunc func(ctx context.Context, userID, accountID, childAccountID string) bool
+
 // AuthMiddleware middleware to verify personal access tokens (PAT) and JWT tokens
 type AuthMiddleware struct {
 	authManager         serverauth.Manager
@@ -35,6 +35,7 @@ type AuthMiddleware struct {
 	syncUserJWTGroups   SyncUserJWTGroupsFunc
 	rateLimiter         *APIRateLimiter
 	patUsageTracker     *PATUsageTracker
+	isValidChildAccount IsValidChildAccountFunc
 }

 // NewAuthMiddleware instance constructor
@@ -45,6 +46,7 @@ func NewAuthMiddleware(
 	getUserFromUserAuth GetUserFromUserAuthFunc,
 	rateLimiter *APIRateLimiter,
 	meter metric.Meter,
+	isValidChildAccount IsValidChildAccountFunc,
 ) *AuthMiddleware {
 	var patUsageTracker *PATUsageTracker
 	if meter != nil {
@@ -62,6 +64,7 @@ func NewAuthMiddleware(
 		getUserFromUserAuth: getUserFromUserAuth,
 		rateLimiter:         rateLimiter,
 		patUsageTracker:     patUsageTracker,
+		isValidChildAccount: isValidChildAccount,
 	}
 }

@@ -124,7 +127,7 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	}

 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		if integrations.IsValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+		if m.isValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
 			userAuth.AccountId = impersonate[0]
 			userAuth.IsChild = true
 		}
@@ -203,7 +206,7 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 	}

 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		if integrations.IsValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+		if m.isValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
 			userAuth.AccountId = impersonate[0]
 			userAuth.IsChild = true
 		}
--- a/management/server/http/middleware/auth_middleware_test.go
+++ b/management/server/http/middleware/auth_middleware_test.go
@@ -211,6 +211,7 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 		},
 		disabledLimiter,
 		nil,
+		func(_ context.Context, _, _, _ string) bool { return false },
 	)

 	handlerToTest := authMiddleware.Handler(nextHandler)
@@ -270,6 +271,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -322,6 +324,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -365,6 +368,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -409,6 +413,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -473,6 +478,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -532,6 +538,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -587,6 +594,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -687,6 +695,7 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		},
 		disabledLimiter,
 		nil,
+		func(_ context.Context, _, _, _ string) bool { return false },
 	)

 	for _, tc := range tt {
--- a/management/server/http/testing/testing_tools/channel/channel.go
+++ b/management/server/http/testing/testing_tools/channel/channel.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	"github.com/golang-jwt/jwt/v5"
+	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"

 	"go.opentelemetry.io/otel/metric/noop"
@@ -95,7 +96,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	}

 	requestBuffer := server.NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsManager, "", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peersManager), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsManager, "", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peersManager), &config.Config{}, nil)
 	am, err := server.BuildManager(ctx, nil, store, networkMapController, jobManager, nil, "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		t.Fatalf("Failed to create manager: %v", err)
@@ -135,7 +136,8 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil)
+	apiRouter := mux.NewRouter().PathPrefix("/api").Subrouter()
+	apiHandler, err := http2.NewAPIHandler(context.Background(), apiRouter, am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, permissionsManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
@@ -224,7 +226,7 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	}

 	requestBuffer := server.NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsManager, "", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peersManager), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsManager, "", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peersManager), &config.Config{}, nil)
 	am, err := server.BuildManager(ctx, nil, store, networkMapController, jobManager, nil, "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		t.Fatalf("Failed to create manager: %v", err)
@@ -264,7 +266,8 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil)
+	apiRouter := mux.NewRouter().PathPrefix("/api").Subrouter()
+	apiHandler, err := http2.NewAPIHandler(context.Background(), apiRouter, am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, permissionsManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
--- a/management/server/identity_provider_test.go
+++ b/management/server/identity_provider_test.go
@@ -92,7 +92,7 @@ func createManagerWithEmbeddedIdP(t testing.TB) (*DefaultAccountManager, *update

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, testStore)
-	networkMapController := controller.NewController(ctx, testStore, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(testStore, peersManager), &config.Config{})
+	networkMapController := controller.NewController(ctx, testStore, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(testStore, peersManager), &config.Config{}, nil)
 	manager, err := BuildManager(ctx, &config.Config{}, testStore, networkMapController, job.NewJobManager(nil, testStore, peersManager), idpManager, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		return nil, nil, err
--- a/management/server/management_proto_test.go
+++ b/management/server/management_proto_test.go
@@ -376,7 +376,7 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
 		return nil, nil, "", cleanup, err
 	}

-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeralMgr, config)
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeralMgr, config, nil)
 	accountManager, err := BuildManager(ctx, nil, store, networkMapController, jobManager, nil, "",
 		eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)

@@ -385,13 +385,13 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
 		return nil, nil, "", cleanup, err
 	}

-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager, nil)
 	if err != nil {
 		cleanup()
 		return nil, nil, "", cleanup, err
 	}

-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil, nil, nil)
 	if err != nil {
 		return nil, nil, "", cleanup, err
 	}
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -216,7 +216,7 @@ func startServer(

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(ctx, str)
-	networkMapController := controller.NewController(ctx, str, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(str, peers.NewManager(str, permissionsManager)), config)
+	networkMapController := controller.NewController(ctx, str, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(str, peers.NewManager(str, permissionsManager)), config, nil)

 	accountManager, err := server.BuildManager(
 		context.Background(),
@@ -241,7 +241,7 @@ func startServer(
 	}

 	groupsManager := groups.NewManager(str, permissionsManager, accountManager)
-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager, nil)
 	if err != nil {
 		t.Fatalf("failed creating secrets manager: %v", err)
 	}
@@ -257,6 +257,7 @@ func startServer(
 		networkMapController,
 		nil,
 		nil,
+		nil,
 	)
 	if err != nil {
 		t.Fatalf("failed creating management server: %v", err)
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -131,8 +131,6 @@ type MockAccountManager struct {

 	AllowSyncFunc                  func(string, uint64) bool
 	UpdateAccountPeersFunc         func(ctx context.Context, accountID string, reason types.UpdateReason)
-	UpdateAffectedPeersFunc        func(ctx context.Context, accountID string, peerIDs []string)
-	BufferUpdateAffectedPeersFunc  func(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason)
 	BufferUpdateAccountPeersFunc   func(ctx context.Context, accountID string, reason types.UpdateReason)
 	RecalculateNetworkMapCacheFunc func(ctx context.Context, accountId string) error

@@ -210,18 +208,6 @@ func (am *MockAccountManager) UpdateAccountPeers(ctx context.Context, accountID
 	}
 }

-func (am *MockAccountManager) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) {
-	if am.UpdateAffectedPeersFunc != nil {
-		am.UpdateAffectedPeersFunc(ctx, accountID, peerIDs)
-	}
-}
-
-func (am *MockAccountManager) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) {
-	if am.BufferUpdateAffectedPeersFunc != nil {
-		am.BufferUpdateAffectedPeersFunc(ctx, accountID, peerIDs, reason)
-	}
-}
-
 func (am *MockAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
 	if am.BufferUpdateAccountPeersFunc != nil {
 		am.BufferUpdateAccountPeersFunc(ctx, accountID, reason)
--- a/management/server/nameserver.go
+++ b/management/server/nameserver.go
@@ -4,12 +4,10 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"slices"
 	"strings"
 	"unicode/utf8"

 	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"

 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -59,18 +57,21 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco
 		SearchDomainsEnabled: searchDomainEnabled,
 	}

-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNameServerGroup(ctx, transaction, accountID, newNSGroup); err != nil {
 			return err
 		}

-		if err = transaction.SaveNameServerGroup(ctx, newNSGroup); err != nil {
+		updateAccountPeers, err = anyGroupHasPeersOrResources(ctx, transaction, accountID, newNSGroup.Groups)
+		if err != nil {
 			return err
 		}

-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, newNSGroup.Groups, nil)
+		if err = transaction.SaveNameServerGroup(ctx, newNSGroup); err != nil {
+			return err
+		}

 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
@@ -80,11 +81,8 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco

 	am.StoreEvent(ctx, userID, newNSGroup.ID, accountID, activity.NameserverGroupCreated, newNSGroup.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("CreateNameServerGroup %s: updating %d affected peers: %v", newNSGroup.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("CreateNameServerGroup %s: no affected peers", newNSGroup.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceNameServerGroup, Operation: types.UpdateOperationCreate})
 	}

 	return newNSGroup.Copy(), nil
@@ -104,7 +102,7 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 		return status.NewPermissionDeniedError()
 	}

-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		oldNSGroup, err := transaction.GetNameServerGroupByID(ctx, store.LockingStrengthNone, accountID, nsGroupToSave.ID)
@@ -117,12 +115,14 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 			return err
 		}

-		if err = transaction.SaveNameServerGroup(ctx, nsGroupToSave); err != nil {
+		updateAccountPeers, err = areNameServerGroupChangesAffectPeers(ctx, transaction, nsGroupToSave, oldNSGroup)
+		if err != nil {
 			return err
 		}

-		allGroups := slices.Concat(nsGroupToSave.Groups, oldNSGroup.Groups)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroups, nil)
+		if err = transaction.SaveNameServerGroup(ctx, nsGroupToSave); err != nil {
+			return err
+		}

 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
@@ -132,11 +132,8 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun

 	am.StoreEvent(ctx, userID, nsGroupToSave.ID, accountID, activity.NameserverGroupUpdated, nsGroupToSave.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("SaveNameServerGroup %s: updating %d affected peers: %v", nsGroupToSave.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("SaveNameServerGroup %s: no affected peers", nsGroupToSave.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceNameServerGroup, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -153,7 +150,7 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 	}

 	var nsGroup *nbdns.NameServerGroup
-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		nsGroup, err = transaction.GetNameServerGroupByID(ctx, store.LockingStrengthUpdate, accountID, nsGroupID)
@@ -161,7 +158,10 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 			return err
 		}

-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, nsGroup.Groups, nil)
+		updateAccountPeers, err = anyGroupHasPeersOrResources(ctx, transaction, accountID, nsGroup.Groups)
+		if err != nil {
+			return err
+		}

 		if err = transaction.DeleteNameServerGroup(ctx, accountID, nsGroupID); err != nil {
 			return err
@@ -175,11 +175,8 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco

 	am.StoreEvent(ctx, userID, nsGroup.ID, accountID, activity.NameserverGroupDeleted, nsGroup.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("DeleteNameServerGroup %s: updating %d affected peers: %v", nsGroupID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("DeleteNameServerGroup %s: no affected peers", nsGroupID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceNameServerGroup, Operation: types.UpdateOperationDelete})
 	}

 	return nil
@@ -227,6 +224,24 @@ func validateNameServerGroup(ctx context.Context, transaction store.Store, accou
 	return validateGroups(nameserverGroup.Groups, groups)
 }

+// areNameServerGroupChangesAffectPeers checks if the changes in the nameserver group affect the peers.
+func areNameServerGroupChangesAffectPeers(ctx context.Context, transaction store.Store, newNSGroup, oldNSGroup *nbdns.NameServerGroup) (bool, error) {
+	if !newNSGroup.Enabled && !oldNSGroup.Enabled {
+		return false, nil
+	}
+
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, newNSGroup.AccountID, newNSGroup.Groups)
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
+	return anyGroupHasPeersOrResources(ctx, transaction, oldNSGroup.AccountID, oldNSGroup.Groups)
+}
+
 func validateDomainInput(primary bool, domains []string, searchDomainsEnabled bool) error {
 	if !primary && len(domains) == 0 {
 		return status.Errorf(status.InvalidArgument, "nameserver group primary status is false and domains are empty,"+
--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -803,7 +803,7 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{}, nil)

 	return BuildManager(context.Background(), nil, store, networkMapController, job.NewJobManager(nil, store, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 }
--- a/management/server/networks/manager.go
+++ b/management/server/networks/manager.go
@@ -5,7 +5,6 @@ import (
 	"fmt"

 	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -16,7 +15,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
-	nbTypes "github.com/netbirdio/netbird/management/server/types"
+	serverTypes "github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )

@@ -113,14 +112,6 @@ func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network
 	return network, m.store.SaveNetwork(ctx, network)
 }

-// networkAffectedPeersData holds data loaded inside the transaction for affected peer resolution.
-type networkAffectedPeersData struct {
-	resourceGroupIDs []string
-	routerPeerGroups []string
-	directPeerIDs    []string
-	policies         []*nbTypes.Policy
-}
-
 func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
@@ -136,22 +127,13 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 	}

 	var eventsToStore []func()
-	var affectedData *networkAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		resources, err := transaction.GetNetworkResourcesByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
 		if err != nil {
 			return fmt.Errorf("failed to get resources in network: %w", err)
 		}

-		var resourceGroupIDs []string
 		for _, resource := range resources {
-			groups, err := transaction.GetResourceGroups(ctx, store.LockingStrengthNone, accountID, resource.ID)
-			if err == nil {
-				for _, g := range groups {
-					resourceGroupIDs = append(resourceGroupIDs, g.ID)
-				}
-			}
-
 			event, err := m.resourcesManager.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resource.ID)
 			if err != nil {
 				return fmt.Errorf("failed to delete resource: %w", err)
@@ -159,19 +141,12 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 			eventsToStore = append(eventsToStore, event...)
 		}

-		netRouters, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
+		routers, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
 		if err != nil {
 			return fmt.Errorf("failed to get routers in network: %w", err)
 		}

-		var routerPeerGroups []string
-		var directPeerIDs []string
-		for _, router := range netRouters {
-			routerPeerGroups = append(routerPeerGroups, router.PeerGroups...)
-			if router.Peer != "" {
-				directPeerIDs = append(directPeerIDs, router.Peer)
-			}
-
+		for _, router := range routers {
 			event, err := m.routersManager.DeleteRouterInTransaction(ctx, transaction, accountID, userID, networkID, router.ID)
 			if err != nil {
 				return fmt.Errorf("failed to delete router: %w", err)
@@ -179,24 +154,6 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 			eventsToStore = append(eventsToStore, event)
 		}

-		// load policies before deleting so group memberships are still present
-		var policies []*nbTypes.Policy
-		if len(resourceGroupIDs) > 0 {
-			policies, err = transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-			if err != nil {
-				log.WithContext(ctx).Errorf("failed to get policies for affected peers: %v", err)
-			}
-		}
-
-		if len(resourceGroupIDs) > 0 || len(routerPeerGroups) > 0 || len(directPeerIDs) > 0 {
-			affectedData = &networkAffectedPeersData{
-				resourceGroupIDs: resourceGroupIDs,
-				routerPeerGroups: routerPeerGroups,
-				directPeerIDs:    directPeerIDs,
-				policies:         policies,
-			}
-		}
-
 		err = transaction.DeleteNetwork(ctx, accountID, networkID)
 		if err != nil {
 			return fmt.Errorf("failed to delete network: %w", err)
@@ -221,111 +178,11 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 		event()
 	}

-	if affectedData != nil {
-		affectedPeerIDs := resolveNetworkAffectedPeers(ctx, m.store, accountID, affectedData)
-		if len(affectedPeerIDs) > 0 {
-			log.WithContext(ctx).Debugf("DeleteNetwork %s: updating %d affected peers: %v", networkID, len(affectedPeerIDs), affectedPeerIDs)
-			go m.accountManager.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-		} else {
-			log.WithContext(ctx).Tracef("DeleteNetwork %s: no affected peers", networkID)
-		}
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, accountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetwork, Operation: serverTypes.UpdateOperationDelete})

 	return nil
 }

-// resolveNetworkAffectedPeers computes affected peer IDs from preloaded data outside the transaction.
-func resolveNetworkAffectedPeers(ctx context.Context, s store.Store, accountID string, data *networkAffectedPeersData) []string {
-	log.WithContext(ctx).Tracef("resolveNetworkAffectedPeers: routerPeerGroups=%v, resourceGroupIDs=%v, directPeerIDs=%v, policies=%d",
-		data.routerPeerGroups, data.resourceGroupIDs, data.directPeerIDs, len(data.policies))
-	groupSet := make(map[string]struct{})
-
-	for _, gID := range data.routerPeerGroups {
-		groupSet[gID] = struct{}{}
-	}
-
-	if len(data.resourceGroupIDs) > 0 {
-		for _, gID := range data.resourceGroupIDs {
-			groupSet[gID] = struct{}{}
-		}
-		collectPolicySourceGroups(data.policies, data.resourceGroupIDs, groupSet)
-	}
-
-	if len(groupSet) == 0 && len(data.directPeerIDs) == 0 {
-		return nil
-	}
-
-	peerIDs := resolveGroupsAndDirectPeers(ctx, s, accountID, groupSet, data.directPeerIDs)
-
-	log.WithContext(ctx).Tracef("resolveNetworkAffectedPeers: result %d peers: %v", len(peerIDs), peerIDs)
-	return peerIDs
-}
-
-// collectPolicySourceGroups finds policies whose rules reference any of the destination group IDs
-// and adds their source groups to the groupSet.
-func collectPolicySourceGroups(policies []*nbTypes.Policy, destGroupIDs []string, groupSet map[string]struct{}) {
-	destSet := make(map[string]struct{}, len(destGroupIDs))
-	for _, gID := range destGroupIDs {
-		destSet[gID] = struct{}{}
-	}
-
-	for _, policy := range policies {
-		if policy == nil || !policy.Enabled {
-			continue
-		}
-		for _, rule := range policy.Rules {
-			if rule == nil || !rule.Enabled {
-				continue
-			}
-			if ruleMatchesDestinations(rule, destSet) {
-				for _, gID := range rule.Sources {
-					groupSet[gID] = struct{}{}
-				}
-			}
-		}
-	}
-}
-
-// ruleMatchesDestinations checks if a policy rule references any of the destination groups.
-func ruleMatchesDestinations(rule *nbTypes.PolicyRule, destSet map[string]struct{}) bool {
-	for _, gID := range rule.Destinations {
-		if _, ok := destSet[gID]; ok {
-			return true
-		}
-	}
-	return false
-}
-
-// resolveGroupsAndDirectPeers resolves group IDs and direct peer IDs into a deduplicated peer ID list.
-func resolveGroupsAndDirectPeers(ctx context.Context, s store.Store, accountID string, groupSet map[string]struct{}, directPeerIDs []string) []string {
-	groupIDs := make([]string, 0, len(groupSet))
-	for gID := range groupSet {
-		groupIDs = append(groupIDs, gID)
-	}
-
-	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to resolve peer IDs: %v", err)
-		return nil
-	}
-
-	if len(directPeerIDs) == 0 {
-		return peerIDs
-	}
-
-	seen := make(map[string]struct{}, len(peerIDs))
-	for _, id := range peerIDs {
-		seen[id] = struct{}{}
-	}
-	for _, id := range directPeerIDs {
-		if _, exists := seen[id]; !exists {
-			peerIDs = append(peerIDs, id)
-			seen[id] = struct{}{}
-		}
-	}
-	return peerIDs
-}
-
 func NewManagerMock() Manager {
 	return &mockManager{}
 }
--- a/management/server/networks/resources/manager.go
+++ b/management/server/networks/resources/manager.go
@@ -114,11 +114,45 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 	}

 	var eventsToStore []func()
-	var affectedData *resourceAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var txErr error
-		eventsToStore, affectedData, txErr = m.createResourceInTransaction(ctx, transaction, userID, resource)
-		return txErr
+		_, err = transaction.GetNetworkResourceByName(ctx, store.LockingStrengthNone, resource.AccountID, resource.Name)
+		if err == nil {
+			return status.Errorf(status.InvalidArgument, "resource with name %s already exists", resource.Name)
+		}
+
+		network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
+		if err != nil {
+			return fmt.Errorf("failed to get network: %w", err)
+		}
+
+		err = transaction.SaveNetworkResource(ctx, resource)
+		if err != nil {
+			return fmt.Errorf("failed to save network resource: %w", err)
+		}
+
+		event := func() {
+			m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceCreated, resource.EventMeta(network))
+		}
+		eventsToStore = append(eventsToStore, event)
+
+		res := nbtypes.Resource{
+			ID:   resource.ID,
+			Type: nbtypes.ResourceType(resource.Type.String()),
+		}
+		for _, groupID := range resource.GroupIDs {
+			event, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, resource.AccountID, userID, groupID, &res)
+			if err != nil {
+				return fmt.Errorf("failed to add resource to group: %w", err)
+			}
+			eventsToStore = append(eventsToStore, event)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, resource.AccountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create network resource: %w", err)
@@ -128,60 +162,11 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 		event()
 	}

-	if affectedPeerIDs := m.resolveResourceAffectedPeers(ctx, resource.AccountID, affectedData); len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("CreateResource %s: updating %d affected peers: %v", resource.ID, len(affectedPeerIDs), affectedPeerIDs)
-		go m.accountManager.UpdateAffectedPeers(ctx, resource.AccountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("CreateResource %s: no affected peers", resource.ID)
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID, nbtypes.UpdateReason{Resource: nbtypes.UpdateResourceNetworkResource, Operation: nbtypes.UpdateOperationCreate})

 	return resource, nil
 }

-func (m *managerImpl) createResourceInTransaction(ctx context.Context, transaction store.Store, userID string, resource *types.NetworkResource) ([]func(), *resourceAffectedPeersData, error) {
-	_, err := transaction.GetNetworkResourceByName(ctx, store.LockingStrengthNone, resource.AccountID, resource.Name)
-	if err == nil {
-		return nil, nil, status.Errorf(status.InvalidArgument, "resource with name %s already exists", resource.Name)
-	}
-
-	network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get network: %w", err)
-	}
-
-	if err = transaction.SaveNetworkResource(ctx, resource); err != nil {
-		return nil, nil, fmt.Errorf("failed to save network resource: %w", err)
-	}
-
-	var eventsToStore []func()
-	eventsToStore = append(eventsToStore, func() {
-		m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceCreated, resource.EventMeta(network))
-	})
-
-	res := nbtypes.Resource{
-		ID:   resource.ID,
-		Type: nbtypes.ResourceType(resource.Type.String()),
-	}
-	for _, groupID := range resource.GroupIDs {
-		event, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, resource.AccountID, userID, groupID, &res)
-		if err != nil {
-			return nil, nil, fmt.Errorf("failed to add resource to group: %w", err)
-		}
-		eventsToStore = append(eventsToStore, event)
-	}
-
-	if err = transaction.IncrementNetworkSerial(ctx, resource.AccountID); err != nil {
-		return nil, nil, fmt.Errorf("failed to increment network serial: %w", err)
-	}
-
-	affectedData, err := loadResourceAffectedPeersData(ctx, transaction, resource.AccountID, resource.NetworkID, resource.GroupIDs)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
-	}
-
-	return eventsToStore, affectedData, nil
-}
-
 func (m *managerImpl) GetResource(ctx context.Context, accountID, userID, networkID, resourceID string) (*types.NetworkResource, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
@@ -222,7 +207,6 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 	resource.Prefix = prefix

 	var eventsToStore []func()
-	var affectedData *resourceAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
 		if err != nil {
@@ -248,15 +232,6 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 			return fmt.Errorf("failed to get network resource: %w", err)
 		}

-		oldGroups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthNone, oldResource.AccountID, oldResource.ID)
-		if err != nil {
-			return fmt.Errorf("failed to get old resource groups: %w", err)
-		}
-		var oldGroupIDs []string
-		for _, g := range oldGroups {
-			oldGroupIDs = append(oldGroupIDs, g.ID)
-		}
-
 		err = transaction.SaveNetworkResource(ctx, resource)
 		if err != nil {
 			return fmt.Errorf("failed to save network resource: %w", err)
@@ -272,11 +247,6 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 			m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceUpdated, resource.EventMeta(network))
 		})

-		affectedData, err = loadResourceAffectedPeersData(ctx, transaction, resource.AccountID, resource.NetworkID, append(resource.GroupIDs, oldGroupIDs...))
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
-		}
-
 		err = transaction.IncrementNetworkSerial(ctx, resource.AccountID)
 		if err != nil {
 			return fmt.Errorf("failed to increment network serial: %w", err)
@@ -300,12 +270,7 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		}
 	}()

-	if affectedPeerIDs := m.resolveResourceAffectedPeers(ctx, resource.AccountID, affectedData); len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("UpdateResource %s: updating %d affected peers: %v", resource.ID, len(affectedPeerIDs), affectedPeerIDs)
-		go m.accountManager.UpdateAffectedPeers(ctx, resource.AccountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("UpdateResource %s: no affected peers", resource.ID)
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID, nbtypes.UpdateReason{Resource: nbtypes.UpdateResourceNetworkResource, Operation: nbtypes.UpdateOperationUpdate})

 	return resource, nil
 }
@@ -366,22 +331,7 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 	}

 	var events []func()
-	var affectedData *resourceAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		groups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthNone, accountID, resourceID)
-		if err != nil {
-			return fmt.Errorf("failed to get resource groups: %w", err)
-		}
-		var resourceGroupIDs []string
-		for _, g := range groups {
-			resourceGroupIDs = append(resourceGroupIDs, g.ID)
-		}
-
-		affectedData, err = loadResourceAffectedPeersData(ctx, transaction, accountID, networkID, resourceGroupIDs)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
-		}
-
 		events, err = m.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resourceID)
 		if err != nil {
 			return fmt.Errorf("failed to delete resource: %w", err)
@@ -402,12 +352,7 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 		event()
 	}

-	if affectedPeerIDs := m.resolveResourceAffectedPeers(ctx, accountID, affectedData); len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("DeleteResource %s: updating %d affected peers: %v", resourceID, len(affectedPeerIDs), affectedPeerIDs)
-		go m.accountManager.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("DeleteResource %s: no affected peers", resourceID)
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, accountID, nbtypes.UpdateReason{Resource: nbtypes.UpdateResourceNetworkResource, Operation: nbtypes.UpdateOperationDelete})

 	return nil
 }
@@ -454,151 +399,6 @@ func (m *managerImpl) DeleteResourceInTransaction(ctx context.Context, transacti
 	return eventsToStore, nil
 }

-// resourceAffectedPeersData holds data loaded inside a transaction for affected peer resolution.
-type resourceAffectedPeersData struct {
-	resourceGroupIDs  []string
-	policies          []*nbtypes.Policy
-	routerPeerGroups  []string
-	routerDirectPeers []string
-}
-
-// loadResourceAffectedPeersData loads the data needed to determine affected peers within a transaction.
-func loadResourceAffectedPeersData(ctx context.Context, transaction store.Store, accountID, networkID string, resourceGroupIDs []string) (*resourceAffectedPeersData, error) {
-	if len(resourceGroupIDs) == 0 {
-		return &resourceAffectedPeersData{}, nil
-	}
-
-	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get policies: %w", err)
-	}
-
-	routers, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthNone, accountID, networkID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get routers: %w", err)
-	}
-
-	var routerPeerGroups []string
-	var routerDirectPeers []string
-	for _, router := range routers {
-		if !router.Enabled {
-			continue
-		}
-		routerPeerGroups = append(routerPeerGroups, router.PeerGroups...)
-		if router.Peer != "" {
-			routerDirectPeers = append(routerDirectPeers, router.Peer)
-		}
-	}
-
-	return &resourceAffectedPeersData{
-		resourceGroupIDs:  resourceGroupIDs,
-		policies:          policies,
-		routerPeerGroups:  routerPeerGroups,
-		routerDirectPeers: routerDirectPeers,
-	}, nil
-}
-
-// resolveResourceAffectedPeers computes affected peer IDs from preloaded data outside the transaction.
-func (m *managerImpl) resolveResourceAffectedPeers(ctx context.Context, accountID string, data *resourceAffectedPeersData) []string {
-	if data == nil {
-		return nil
-	}
-
-	log.WithContext(ctx).Tracef("resolveResourceAffectedPeers: resourceGroupIDs=%v, routerPeerGroups=%v, routerDirectPeers=%v, policies=%d",
-		data.resourceGroupIDs, data.routerPeerGroups, data.routerDirectPeers, len(data.policies))
-
-	groupSet := make(map[string]struct{})
-	directPeerIDs := collectResourcePolicySourceGroups(data.policies, data.resourceGroupIDs, groupSet)
-
-	for _, gID := range data.routerPeerGroups {
-		groupSet[gID] = struct{}{}
-	}
-	directPeerIDs = append(directPeerIDs, data.routerDirectPeers...)
-
-	if len(groupSet) == 0 && len(directPeerIDs) == 0 {
-		return nil
-	}
-
-	peerIDs := resolveGroupsAndDirectPeers(ctx, m.store, accountID, groupSet, directPeerIDs)
-
-	log.WithContext(ctx).Tracef("resolveResourceAffectedPeers: result %d peers: %v", len(peerIDs), peerIDs)
-	return peerIDs
-}
-
-// collectResourcePolicySourceGroups finds policies whose rules reference the resource destination groups,
-// adds their source groups to groupSet, and returns any direct peer IDs from source resources.
-func collectResourcePolicySourceGroups(policies []*nbtypes.Policy, destGroupIDs []string, groupSet map[string]struct{}) []string {
-	destSet := make(map[string]struct{}, len(destGroupIDs))
-	for _, gID := range destGroupIDs {
-		destSet[gID] = struct{}{}
-	}
-
-	var directPeerIDs []string
-	for _, policy := range policies {
-		if policy == nil || !policy.Enabled {
-			continue
-		}
-		directPeerIDs = collectSourcesFromPolicyRules(policy.Rules, destSet, groupSet, directPeerIDs)
-	}
-	return directPeerIDs
-}
-
-func collectSourcesFromPolicyRules(rules []*nbtypes.PolicyRule, destSet map[string]struct{}, groupSet map[string]struct{}, directPeerIDs []string) []string {
-	for _, rule := range rules {
-		if rule == nil || !rule.Enabled {
-			continue
-		}
-		if !ruleMatchesDestinations(rule, destSet) {
-			continue
-		}
-		for _, gID := range rule.Sources {
-			groupSet[gID] = struct{}{}
-		}
-		if rule.SourceResource.Type == nbtypes.ResourceTypePeer && rule.SourceResource.ID != "" {
-			directPeerIDs = append(directPeerIDs, rule.SourceResource.ID)
-		}
-	}
-	return directPeerIDs
-}
-
-func ruleMatchesDestinations(rule *nbtypes.PolicyRule, destSet map[string]struct{}) bool {
-	for _, gID := range rule.Destinations {
-		if _, ok := destSet[gID]; ok {
-			return true
-		}
-	}
-	return false
-}
-
-func resolveGroupsAndDirectPeers(ctx context.Context, s store.Store, accountID string, groupSet map[string]struct{}, directPeerIDs []string) []string {
-	groupIDs := make([]string, 0, len(groupSet))
-	for gID := range groupSet {
-		groupIDs = append(groupIDs, gID)
-	}
-
-	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to resolve peer IDs: %v", err)
-		return nil
-	}
-
-	if len(directPeerIDs) == 0 {
-		return peerIDs
-	}
-
-	seen := make(map[string]struct{}, len(peerIDs))
-	for _, id := range peerIDs {
-		seen[id] = struct{}{}
-	}
-	for _, id := range directPeerIDs {
-		if _, exists := seen[id]; !exists {
-			peerIDs = append(peerIDs, id)
-			seen[id] = struct{}{}
-		}
-	}
-	return peerIDs
-}
-
 func NewManagerMock() Manager {
 	return &mockManager{}
 }
--- a/management/server/networks/routers/manager.go
+++ b/management/server/networks/routers/manager.go
@@ -6,7 +6,6 @@ import (
 	"fmt"

 	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -16,7 +15,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
-	nbtypes "github.com/netbirdio/netbird/management/server/types"
+	serverTypes "github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )

@@ -91,7 +90,6 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 	}

 	var network *networkTypes.Network
-	var affectedData *routerAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		network, err = transaction.GetNetworkByID(ctx, store.LockingStrengthNone, router.AccountID, router.NetworkID)
 		if err != nil {
@@ -114,11 +112,6 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 			return fmt.Errorf("failed to increment network serial: %w", err)
 		}

-		affectedData, err = loadRouterAffectedPeersData(ctx, transaction, router.AccountID, router.NetworkID, router.PeerGroups, router.Peer)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
-		}
-
 		return nil
 	})
 	if err != nil {
@@ -127,12 +120,7 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t

 	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterCreated, router.EventMeta(network))

-	if affectedPeerIDs := m.resolveRouterAffectedPeers(ctx, router.AccountID, affectedData); len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("CreateRouter %s: updating %d affected peers: %v", router.ID, len(affectedPeerIDs), affectedPeerIDs)
-		go m.accountManager.UpdateAffectedPeers(ctx, router.AccountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("CreateRouter %s: no affected peers", router.ID)
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetworkRouter, Operation: serverTypes.UpdateOperationCreate})

 	return router, nil
 }
@@ -168,11 +156,36 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t
 	}

 	var network *networkTypes.Network
-	var affectedData *routerAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var txErr error
-		network, affectedData, txErr = m.updateRouterInTransaction(ctx, transaction, router)
-		return txErr
+		network, err = transaction.GetNetworkByID(ctx, store.LockingStrengthNone, router.AccountID, router.NetworkID)
+		if err != nil {
+			return fmt.Errorf("failed to get network: %w", err)
+		}
+
+		existing, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, router.AccountID, router.ID)
+		if err != nil {
+			return fmt.Errorf("failed to get network router: %w", err)
+		}
+
+		if existing.AccountID != router.AccountID {
+			return status.NewNetworkRouterNotFoundError(router.ID)
+		}
+
+		if existing.NetworkID != router.NetworkID {
+			return status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
+		}
+
+		err = transaction.UpdateNetworkRouter(ctx, router)
+		if err != nil {
+			return fmt.Errorf("failed to update network router: %w", err)
+		}
+
+		err = transaction.IncrementNetworkSerial(ctx, router.AccountID)
+		if err != nil {
+			return fmt.Errorf("failed to increment network serial: %w", err)
+		}
+
+		return nil
 	})
 	if err != nil {
 		return nil, err
@@ -180,61 +193,11 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t

 	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterUpdated, router.EventMeta(network))

-	if affectedPeerIDs := m.resolveRouterAffectedPeers(ctx, router.AccountID, affectedData); len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("UpdateRouter %s: updating %d affected peers: %v", router.ID, len(affectedPeerIDs), affectedPeerIDs)
-		go m.accountManager.UpdateAffectedPeers(ctx, router.AccountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("UpdateRouter %s: no affected peers", router.ID)
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetworkRouter, Operation: serverTypes.UpdateOperationUpdate})

 	return router, nil
 }

-func (m *managerImpl) updateRouterInTransaction(ctx context.Context, transaction store.Store, router *types.NetworkRouter) (*networkTypes.Network, *routerAffectedPeersData, error) {
-	network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthNone, router.AccountID, router.NetworkID)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get network: %w", err)
-	}
-
-	existing, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, router.AccountID, router.ID)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to get network router: %w", err)
-	}
-
-	if existing.AccountID != router.AccountID {
-		return nil, nil, status.NewNetworkRouterNotFoundError(router.ID)
-	}
-
-	if existing.NetworkID != router.NetworkID {
-		return nil, nil, status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
-	}
-
-	allPeerGroups := append([]string{}, router.PeerGroups...)
-	allPeerGroups = append(allPeerGroups, existing.PeerGroups...)
-	var directPeers []string
-	if router.Peer != "" {
-		directPeers = append(directPeers, router.Peer)
-	}
-	if existing.Peer != "" {
-		directPeers = append(directPeers, existing.Peer)
-	}
-
-	if err = transaction.UpdateNetworkRouter(ctx, router); err != nil {
-		return nil, nil, fmt.Errorf("failed to update network router: %w", err)
-	}
-
-	if err = transaction.IncrementNetworkSerial(ctx, router.AccountID); err != nil {
-		return nil, nil, fmt.Errorf("failed to increment network serial: %w", err)
-	}
-
-	affectedData, err := loadRouterAffectedPeersData(ctx, transaction, router.AccountID, router.NetworkID, allPeerGroups, directPeers...)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
-	}
-
-	return network, affectedData, nil
-}
-
 func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, networkID, routerID string) error {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
@@ -245,19 +208,7 @@ func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, netwo
 	}

 	var event func()
-	var affectedData *routerAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		router, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthNone, accountID, routerID)
-		if err != nil {
-			return fmt.Errorf("failed to get router: %w", err)
-		}
-
-		// load before delete so group memberships are still present
-		affectedData, err = loadRouterAffectedPeersData(ctx, transaction, accountID, networkID, router.PeerGroups, router.Peer)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
-		}
-
 		event, err = m.DeleteRouterInTransaction(ctx, transaction, accountID, userID, networkID, routerID)
 		if err != nil {
 			return fmt.Errorf("failed to delete network router: %w", err)
@@ -276,12 +227,7 @@ func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, netwo

 	event()

-	if affectedPeerIDs := m.resolveRouterAffectedPeers(ctx, accountID, affectedData); len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("DeleteRouter %s: updating %d affected peers: %v", routerID, len(affectedPeerIDs), affectedPeerIDs)
-		go m.accountManager.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("DeleteRouter %s: no affected peers", routerID)
-	}
+	go m.accountManager.UpdateAccountPeers(ctx, accountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetworkRouter, Operation: serverTypes.UpdateOperationDelete})

 	return nil
 }
@@ -313,153 +259,6 @@ func (m *managerImpl) DeleteRouterInTransaction(ctx context.Context, transaction
 	return event, nil
 }

-// routerAffectedPeersData holds data loaded inside a transaction for affected peer resolution.
-type routerAffectedPeersData struct {
-	routerPeerGroups []string
-	directPeerIDs    []string
-	resourceGroupIDs []string
-	policies         []*nbtypes.Policy
-}
-
-// loadRouterAffectedPeersData loads the data needed to determine affected peers within a transaction.
-func loadRouterAffectedPeersData(ctx context.Context, transaction store.Store, accountID, networkID string, routerPeerGroups []string, directPeers ...string) (*routerAffectedPeersData, error) {
-	var directPeerIDs []string
-	for _, p := range directPeers {
-		if p != "" {
-			directPeerIDs = append(directPeerIDs, p)
-		}
-	}
-
-	if len(routerPeerGroups) == 0 && len(directPeerIDs) == 0 {
-		return &routerAffectedPeersData{}, nil
-	}
-
-	resources, err := transaction.GetNetworkResourcesByNetID(ctx, store.LockingStrengthNone, accountID, networkID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get network resources: %w", err)
-	}
-
-	var resourceGroupIDs []string
-	for _, resource := range resources {
-		if !resource.Enabled {
-			continue
-		}
-		groups, err := transaction.GetResourceGroups(ctx, store.LockingStrengthNone, accountID, resource.ID)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get groups for resource %s: %w", resource.ID, err)
-		}
-		for _, g := range groups {
-			resourceGroupIDs = append(resourceGroupIDs, g.ID)
-		}
-	}
-
-	var policies []*nbtypes.Policy
-	if len(resourceGroupIDs) > 0 {
-		policies, err = transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get policies: %w", err)
-		}
-	}
-
-	return &routerAffectedPeersData{
-		routerPeerGroups: routerPeerGroups,
-		directPeerIDs:    directPeerIDs,
-		resourceGroupIDs: resourceGroupIDs,
-		policies:         policies,
-	}, nil
-}
-
-// resolveRouterAffectedPeers computes affected peer IDs from preloaded data outside the transaction.
-func (m *managerImpl) resolveRouterAffectedPeers(ctx context.Context, accountID string, data *routerAffectedPeersData) []string {
-	if data == nil {
-		return nil
-	}
-
-	log.WithContext(ctx).Tracef("resolveRouterAffectedPeers: routerPeerGroups=%v, directPeerIDs=%v, resourceGroupIDs=%v, policies=%d",
-		data.routerPeerGroups, data.directPeerIDs, data.resourceGroupIDs, len(data.policies))
-	groupSet := make(map[string]struct{})
-
-	for _, gID := range data.routerPeerGroups {
-		groupSet[gID] = struct{}{}
-	}
-
-	if len(data.resourceGroupIDs) > 0 {
-		collectPolicySourceGroups(data.policies, data.resourceGroupIDs, groupSet)
-	}
-
-	if len(groupSet) == 0 && len(data.directPeerIDs) == 0 {
-		return nil
-	}
-
-	peerIDs := resolveGroupsAndDirectPeers(ctx, m.store, accountID, groupSet, data.directPeerIDs)
-
-	log.WithContext(ctx).Tracef("resolveRouterAffectedPeers: result %d peers: %v", len(peerIDs), peerIDs)
-	return peerIDs
-}
-
-// collectPolicySourceGroups finds policies whose rules reference any of the destination group IDs
-// and adds their source groups to the groupSet.
-func collectPolicySourceGroups(policies []*nbtypes.Policy, destGroupIDs []string, groupSet map[string]struct{}) {
-	destSet := make(map[string]struct{}, len(destGroupIDs))
-	for _, gID := range destGroupIDs {
-		destSet[gID] = struct{}{}
-	}
-
-	for _, policy := range policies {
-		if policy == nil || !policy.Enabled {
-			continue
-		}
-		for _, rule := range policy.Rules {
-			if rule == nil || !rule.Enabled {
-				continue
-			}
-			if ruleMatchesDestinations(rule, destSet) {
-				for _, gID := range rule.Sources {
-					groupSet[gID] = struct{}{}
-				}
-			}
-		}
-	}
-}
-
-func ruleMatchesDestinations(rule *nbtypes.PolicyRule, destSet map[string]struct{}) bool {
-	for _, gID := range rule.Destinations {
-		if _, ok := destSet[gID]; ok {
-			return true
-		}
-	}
-	return false
-}
-
-func resolveGroupsAndDirectPeers(ctx context.Context, s store.Store, accountID string, groupSet map[string]struct{}, directPeerIDs []string) []string {
-	groupIDs := make([]string, 0, len(groupSet))
-	for gID := range groupSet {
-		groupIDs = append(groupIDs, gID)
-	}
-
-	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to resolve peer IDs: %v", err)
-		return nil
-	}
-
-	if len(directPeerIDs) == 0 {
-		return peerIDs
-	}
-
-	seen := make(map[string]struct{}, len(peerIDs))
-	for _, id := range peerIDs {
-		seen[id] = struct{}{}
-	}
-	for _, id := range directPeerIDs {
-		if _, exists := seen[id]; !exists {
-			peerIDs = append(peerIDs, id)
-			seen[id] = struct{}{}
-		}
-	}
-	return peerIDs
-}
-
 func NewManagerMock() Manager {
 	return &mockManager{}
 }
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -120,10 +120,7 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 	}

 	if expired {
-		changedPeerIDs := []string{peer.ID}
-		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-		err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
-		if err != nil {
+		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID}); err != nil {
 			return fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
 	}
@@ -325,10 +322,7 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 		}
 	}

-	changedPeerIDs := []string{peer.ID}
-	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-	affectedPeerIDs = append(affectedPeerIDs, peer.ID)
-	err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
+	err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
 	if err != nil {
 		return nil, fmt.Errorf("notify network map controller of peer update: %w", err)
 	}
@@ -486,7 +480,6 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 	var peer *nbpeer.Peer
 	var settings *types.Settings
 	var eventsToStore []func()
-	var affectedPeerIDs []string

 	serviceID, err := am.serviceManager.GetServiceIDByTargetID(ctx, accountID, peerID)
 	if err != nil {
@@ -511,8 +504,6 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 			return err
 		}

-		affectedPeerIDs = am.resolveAffectedPeersForPeerChanges(ctx, transaction, accountID, []string{peerID})
-
 		eventsToStore, err = deletePeers(ctx, am, transaction, accountID, userID, []*nbpeer.Peer{peer}, settings)
 		if err != nil {
 			return fmt.Errorf("failed to delete peer: %w", err)
@@ -536,7 +527,7 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 		log.WithContext(ctx).Errorf("failed to delete peer %s from integrated validator: %v", peerID, err)
 	}

-	if err = am.networkMapController.OnPeersDeleted(ctx, accountID, []string{peerID}, affectedPeerIDs); err != nil {
+	if err = am.networkMapController.OnPeersDeleted(ctx, accountID, []string{peerID}); err != nil {
 		log.WithContext(ctx).Errorf("failed to delete peer %s from network map: %v", peerID, err)
 	}

@@ -909,9 +900,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		am.StoreEvent(ctx, opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)
 	}

-	changedPeerIDs := []string{newPeer.ID}
-	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-	if err := am.networkMapController.OnPeersAdded(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
+	if err := am.networkMapController.OnPeersAdded(ctx, accountID, []string{newPeer.ID}); err != nil {
 		log.WithContext(ctx).Errorf("failed to update network map cache for peer %s: %v", newPeer.ID, err)
 	}

@@ -999,9 +988,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	}

 	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || (updated && (len(postureChecks) > 0 || versionChanged)) {
-		changedPeerIDs := []string{peer.ID}
-		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-		err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
 		if err != nil {
 			return nil, nil, nil, 0, fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -1131,9 +1118,7 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 	}

 	if updateRemotePeers || isStatusChanged || ipv6CapabilityChanged || (isPeerUpdated && len(postureChecks) > 0) {
-		changedPeerIDs := []string{peer.ID}
-		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
-		err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -1325,64 +1310,6 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 	_ = am.networkMapController.UpdateAccountPeers(ctx, accountID, reason)
 }

-// UpdateAffectedPeers updates only the specified peers that belong to an account.
-func (am *DefaultAccountManager) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) {
-	ctx = context.WithoutCancel(ctx)
-	log.WithContext(ctx).Tracef("UpdateAffectedPeers: %d peers for account %s", len(peerIDs), accountID)
-	_ = am.networkMapController.UpdateAffectedPeers(ctx, accountID, peerIDs)
-}
-
-// resolvePeerIDs resolves group IDs and direct peer IDs into a deduplicated peer ID list.
-func (am *DefaultAccountManager) resolvePeerIDs(ctx context.Context, s store.Store, accountID string, groupIDs []string, directPeerIDs []string) []string {
-	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to resolve peer IDs by groups: %v", err)
-		return nil
-	}
-
-	if len(directPeerIDs) == 0 {
-		log.WithContext(ctx).Tracef("resolvePeerIDs: groups=%v -> %d peers: %v", groupIDs, len(peerIDs), peerIDs)
-		return peerIDs
-	}
-
-	seen := make(map[string]struct{}, len(peerIDs))
-	for _, id := range peerIDs {
-		seen[id] = struct{}{}
-	}
-	for _, id := range directPeerIDs {
-		if _, exists := seen[id]; !exists {
-			peerIDs = append(peerIDs, id)
-			seen[id] = struct{}{}
-		}
-	}
-
-	log.WithContext(ctx).Tracef("resolvePeerIDs: groups=%v + directPeers=%v -> %d peers: %v", groupIDs, directPeerIDs, len(peerIDs), peerIDs)
-	return peerIDs
-}
-
-// BufferUpdateAffectedPeers accumulates peer IDs and flushes them after the buffer interval.
-func (am *DefaultAccountManager) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) {
-	_ = am.networkMapController.BufferUpdateAffectedPeers(ctx, accountID, peerIDs, reason)
-}
-
-// resolveAffectedPeersForPeerChanges resolves changed peer IDs into the full set of affected peer IDs.
-func (am *DefaultAccountManager) resolveAffectedPeersForPeerChanges(ctx context.Context, s store.Store, accountID string, changedPeerIDs []string) []string {
-	groupIDs, err := s.GetGroupIDsByPeerIDs(ctx, accountID, changedPeerIDs)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get group IDs for changed peers: %v", err)
-		return nil
-	}
-
-	log.WithContext(ctx).Tracef("resolveAffectedPeersForPeerChanges: changedPeers=%v -> groups=%v", changedPeerIDs, groupIDs)
-
-	// Single pass: find entities referencing the changed groups OR the changed peers directly
-	allGroupIDs, directPeerIDs := collectPeerChangeAffectedGroups(ctx, s, accountID, groupIDs, changedPeerIDs)
-	result := am.resolvePeerIDs(ctx, s, accountID, allGroupIDs, directPeerIDs)
-
-	log.WithContext(ctx).Tracef("resolveAffectedPeersForPeerChanges: changedPeers=%v -> %d affected peers", changedPeerIDs, len(result))
-	return result
-}
-
 func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
 	_ = am.networkMapController.BufferUpdateAccountPeers(ctx, accountID, reason)
 }
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -1179,7 +1179,7 @@ func TestToSyncResponse(t *testing.T) {
 	}
 	dnsCache := &cache.DNSConfigCache{}
 	accountSettings := &types.Settings{RoutingPeerDNSResolutionEnabled: true}
-	response := grpc.ToSyncResponse(context.Background(), config, config.HttpConfig, config.DeviceAuthorizationFlow, peer, turnRelayToken, turnRelayToken, networkMap, dnsName, checks, dnsCache, accountSettings, nil, []string{}, int64(dnsForwarderPort))
+	response := grpc.ToSyncResponse(context.Background(), config, config.HttpConfig, config.DeviceAuthorizationFlow, peer, turnRelayToken, turnRelayToken, networkMap, dnsName, checks, dnsCache, accountSettings, nil, []string{}, int64(dnsForwarderPort), nil)

 	assert.NotNil(t, response)
 	// assert peer config
@@ -1299,7 +1299,7 @@ func Test_RegisterPeerByUser(t *testing.T) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, s)
-	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{}, nil)

 	am, err := BuildManager(context.Background(), nil, s, networkMapController, job.NewJobManager(nil, s, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	assert.NoError(t, err)
@@ -1390,7 +1390,7 @@ func Test_RegisterPeerBySetupKey(t *testing.T) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, s)
-	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{}, nil)

 	am, err := BuildManager(context.Background(), nil, s, networkMapController, job.NewJobManager(nil, s, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	assert.NoError(t, err)
@@ -1549,7 +1549,7 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, s)
-	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{}, nil)

 	am, err := BuildManager(context.Background(), nil, s, networkMapController, job.NewJobManager(nil, s, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	assert.NoError(t, err)
@@ -1634,7 +1634,7 @@ func Test_LoginPeer(t *testing.T) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, s)
-	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, s, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(s, peers.NewManager(s, permissionsManager)), &config.Config{}, nil)

 	am, err := BuildManager(context.Background(), nil, s, networkMapController, job.NewJobManager(nil, s, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	assert.NoError(t, err)
@@ -1855,7 +1855,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("adding peer to unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg) //
 			close(done)
 		}()

@@ -1880,7 +1880,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -2018,10 +2018,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 		}
 	})

-	// drain any buffered updates from previous subtests
-	drainPeerUpdates(updMsg)
-
-	// Adding peer to group linked with route should update peers in that group, not unrelated peers
+	// Adding peer to group linked with route should update account peers and send peer update
 	t.Run("adding peer to group linked with route", func(t *testing.T) {
 		route := nbroute.Route{
 			ID:          "testingRoute1",
@@ -2045,7 +2042,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -2062,16 +2059,16 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		select {
 		case <-done:
-		case <-time.After(time.Second):
-			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+		case <-time.After(peerUpdateTimeout):
+			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

-	// Deleting peer with linked group to route should update peers in that group, not unrelated peers
+	// Deleting peer with linked group to route should update account peers and send peer update
 	t.Run("deleting peer with linked group to route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -2080,12 +2077,12 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		select {
 		case <-done:
-		case <-time.After(time.Second):
-			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+		case <-time.After(peerUpdateTimeout):
+			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

-	// Adding peer to group linked with name server group should update peers in that group, not unrelated peers
+	// Adding peer to group linked with name server group should update account peers and send peer update
 	t.Run("adding peer to group linked with name server group", func(t *testing.T) {
 		_, err = manager.CreateNameServerGroup(
 			context.Background(), account.Id, "nsGroup", "nsGroup", []nbdns.NameServer{{
@@ -2100,7 +2097,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -2117,16 +2114,16 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		select {
 		case <-done:
-		case <-time.After(time.Second):
-			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+		case <-time.After(peerUpdateTimeout):
+			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

-	// Deleting peer with linked group to name server group should update peers in that group, not unrelated peers
+	// Deleting peer with linked group to name server group should update account peers and send peer update
 	t.Run("deleting peer with linked group to route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -2135,8 +2132,8 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		select {
 		case <-done:
-		case <-time.After(time.Second):
-			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+		case <-time.After(peerUpdateTimeout):
+			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
 }
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -5,7 +5,7 @@ import (
 	_ "embed"

 	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"
+	"github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
@@ -45,38 +45,44 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	}

 	var isUpdate = policy.ID != ""
-	var existingPolicy *types.Policy
+	var updateAccountPeers bool
 	var action = activity.PolicyAdded
 	var unchanged bool
-	var affectedPeerIDs []string

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existingPolicy, err = validatePolicy(ctx, transaction, accountID, policy)
+		existingPolicy, err := validatePolicy(ctx, transaction, accountID, policy)
 		if err != nil {
 			return err
 		}

 		if isUpdate {
 			if policy.Equal(existingPolicy) {
-				log.WithContext(ctx).Tracef("policy update skipped because equal to stored one - policy id %s", policy.ID)
+				logrus.WithContext(ctx).Tracef("policy update skipped because equal to stored one - policy id %s", policy.ID)
 				unchanged = true
 				return nil
 			}

 			action = activity.PolicyUpdated

+			updateAccountPeers, err = arePolicyChangesAffectPeersWithExisting(ctx, transaction, policy, existingPolicy)
+			if err != nil {
+				return err
+			}
+
 			if err = transaction.SavePolicy(ctx, policy); err != nil {
 				return err
 			}
 		} else {
+			updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
+			if err != nil {
+				return err
+			}
+
 			if err = transaction.CreatePolicy(ctx, policy); err != nil {
 				return err
 			}
 		}

-		groupIDs, directPeerIDs := collectPolicyAffectedGroupsAndPeers(ctx, policy, existingPolicy)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
-
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -89,11 +95,12 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user

 	am.StoreEvent(ctx, userID, policy.ID, accountID, action, policy.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Tracef("SavePolicy %s: updating %d affected peers: %v", policy.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("SavePolicy %s: no affected peers", policy.ID)
+	if updateAccountPeers {
+		policyOp := types.UpdateOperationCreate
+		if isUpdate {
+			policyOp = types.UpdateOperationUpdate
+		}
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePolicy, Operation: policyOp})
 	}

 	return policy, nil
@@ -110,7 +117,7 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 	}

 	var policy *types.Policy
-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		policy, err = transaction.GetPolicyByID(ctx, store.LockingStrengthUpdate, accountID, policyID)
@@ -118,8 +125,10 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 			return err
 		}

-		groupIDs, directPeerIDs := collectPolicyAffectedGroupsAndPeers(ctx, policy)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
+		if err != nil {
+			return err
+		}

 		if err = transaction.DeletePolicy(ctx, accountID, policyID); err != nil {
 			return err
@@ -133,11 +142,8 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po

 	am.StoreEvent(ctx, userID, policyID, accountID, activity.PolicyRemoved, policy.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("DeletePolicy %s: updating %d affected peers: %v", policyID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("DeletePolicy %s: no affected peers", policyID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePolicy, Operation: types.UpdateOperationDelete})
 	}

 	return nil
@@ -156,28 +162,44 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
 	return am.Store.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
 }

-// collectPolicyAffectedGroupsAndPeers returns group IDs and direct peer IDs from the given policies.
-func collectPolicyAffectedGroupsAndPeers(ctx context.Context, policies ...*types.Policy) (groupIDs []string, directPeerIDs []string) {
-	for _, policy := range policies {
-		if policy == nil {
-			continue
-		}
-		ruleGroups := policy.RuleGroups()
-		log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: policy %s (%s) ruleGroups=%v", policy.ID, policy.Name, ruleGroups)
-		groupIDs = append(groupIDs, ruleGroups...)
-		for _, rule := range policy.Rules {
-			if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-				log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: policy %s rule %s direct source peer %s", policy.ID, rule.ID, rule.SourceResource.ID)
-				directPeerIDs = append(directPeerIDs, rule.SourceResource.ID)
-			}
-			if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-				log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: policy %s rule %s direct destination peer %s", policy.ID, rule.ID, rule.DestinationResource.ID)
-				directPeerIDs = append(directPeerIDs, rule.DestinationResource.ID)
-			}
+// arePolicyChangesAffectPeers checks if a policy (being created or deleted) will affect any associated peers.
+func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, policy *types.Policy) (bool, error) {
+	for _, rule := range policy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
+			return true, nil
 		}
 	}
-	log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: result groupIDs=%v, directPeerIDs=%v", groupIDs, directPeerIDs)
-	return
+
+	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
+}
+
+func arePolicyChangesAffectPeersWithExisting(ctx context.Context, transaction store.Store, policy *types.Policy, existingPolicy *types.Policy) (bool, error) {
+	if !policy.Enabled && !existingPolicy.Enabled {
+		return false, nil
+	}
+
+	for _, rule := range existingPolicy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
+			return true, nil
+		}
+	}
+
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, existingPolicy.RuleGroups())
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
+	for _, rule := range policy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
+			return true, nil
+		}
+	}
+
+	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
 }

 // validatePolicy validates the policy and its rules. For updates it returns
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -1319,14 +1319,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 		}
 	})

-	// Updating disabled policy with destination and source groups containing peers should still update account's peers
-	// because affected peer resolution does not filter by policy enabled state
+	// Updating disabled policy with destination and source groups containing peers should not update account's peers
+	// or send peer update
 	t.Run("updating disabled policy with source and destination groups with peers", func(t *testing.T) {
-		drainPeerUpdates(updMsg)
-
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -1337,8 +1335,8 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {

 		select {
 		case <-done:
-		case <-time.After(peerUpdateTimeout):
-			t.Error("timeout waiting for peerShouldReceiveUpdate")
+		case <-time.After(time.Second):
+			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
 		}
 	})

--- a/management/server/posture_checks.go
+++ b/management/server/posture_checks.go
@@ -5,13 +5,13 @@ import (
 	"slices"

 	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )

@@ -41,9 +41,9 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 		return nil, status.NewPermissionDeniedError()
 	}

+	var updateAccountPeers bool
 	var isUpdate = postureChecks.ID != ""
 	var action = activity.PostureCheckCreated
-	var affectedPeerIDs []string

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validatePostureChecks(ctx, transaction, accountID, postureChecks); err != nil {
@@ -51,10 +51,12 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 		}

 		if isUpdate {
-			action = activity.PostureCheckUpdated
+			updateAccountPeers, err = arePostureCheckChangesAffectPeers(ctx, transaction, accountID, postureChecks.ID)
+			if err != nil {
+				return err
+			}

-			groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(ctx, transaction, accountID, postureChecks.ID)
-			affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+			action = activity.PostureCheckUpdated
 		}

 		postureChecks.AccountID = accountID
@@ -74,11 +76,12 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI

 	am.StoreEvent(ctx, userID, postureChecks.ID, accountID, action, postureChecks.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("SavePostureChecks %s: updating %d affected peers: %v", postureChecks.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("SavePostureChecks %s: no affected peers", postureChecks.ID)
+	if updateAccountPeers {
+		postureOp := types.UpdateOperationCreate
+		if isUpdate {
+			postureOp = types.UpdateOperationUpdate
+		}
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePostureCheck, Operation: postureOp})
 	}

 	return postureChecks, nil
@@ -134,25 +137,27 @@ func (am *DefaultAccountManager) ListPostureChecks(ctx context.Context, accountI
 	return am.Store.GetAccountPostureChecks(ctx, store.LockingStrengthNone, accountID)
 }

-// collectPostureCheckAffectedGroupsAndPeers returns group IDs and peer IDs from policies referencing the posture check.
-func collectPostureCheckAffectedGroupsAndPeers(ctx context.Context, transaction store.Store, accountID, postureCheckID string) (groupIDs []string, directPeerIDs []string) {
+// arePostureCheckChangesAffectPeers checks if the changes in posture checks are affecting peers.
+func arePostureCheckChangesAffectPeers(ctx context.Context, transaction store.Store, accountID, postureCheckID string) (bool, error) {
 	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get policies for posture check affected peers resolution: %v", err)
-		return nil, nil
+		return false, err
 	}

 	for _, policy := range policies {
 		if slices.Contains(policy.SourcePostureChecks, postureCheckID) {
-			log.WithContext(ctx).Tracef("collectPostureCheckAffectedGroupsAndPeers: posture check %s referenced by policy %s (%s)", postureCheckID, policy.ID, policy.Name)
-			gIDs, pIDs := collectPolicyAffectedGroupsAndPeers(ctx, policy)
-			groupIDs = append(groupIDs, gIDs...)
-			directPeerIDs = append(directPeerIDs, pIDs...)
+			hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, accountID, policy.RuleGroups())
+			if err != nil {
+				return false, err
+			}
+
+			if hasPeers {
+				return true, nil
+			}
 		}
 	}

-	log.WithContext(ctx).Tracef("collectPostureCheckAffectedGroupsAndPeers: postureCheck=%s -> groupIDs=%v, directPeerIDs=%v", postureCheckID, groupIDs, directPeerIDs)
-	return groupIDs, directPeerIDs
+	return false, nil
 }

 // validatePostureChecks validates the posture checks.
--- a/management/server/posture_checks_test.go
+++ b/management/server/posture_checks_test.go
@@ -503,20 +503,21 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 	require.NoError(t, err, "failed to save policy")

 	t.Run("posture check exists and is linked to policy with peers", func(t *testing.T) {
-		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		assert.NotEmpty(t, groupIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		require.NoError(t, err)
+		assert.True(t, result)
 	})

 	t.Run("posture check exists but is not linked to any policy", func(t *testing.T) {
-		groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckB.ID)
-		assert.Empty(t, groupIDs)
-		assert.Empty(t, directPeerIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckB.ID)
+		require.NoError(t, err)
+		assert.False(t, result)
 	})

 	t.Run("posture check does not exist", func(t *testing.T) {
-		groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, "unknown")
-		assert.Empty(t, groupIDs)
-		assert.Empty(t, directPeerIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, "unknown")
+		require.NoError(t, err)
+		assert.False(t, result)
 	})

 	t.Run("posture check is linked to policy with no peers in source groups", func(t *testing.T) {
@@ -525,8 +526,9 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		_, err = manager.SavePolicy(context.Background(), account.Id, adminUserID, policy, true)
 		require.NoError(t, err, "failed to update policy")

-		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		assert.NotEmpty(t, groupIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		require.NoError(t, err)
+		assert.True(t, result)
 	})

 	t.Run("posture check is linked to policy with no peers in destination groups", func(t *testing.T) {
@@ -535,8 +537,9 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		_, err = manager.SavePolicy(context.Background(), account.Id, adminUserID, policy, true)
 		require.NoError(t, err, "failed to update policy")

-		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		assert.NotEmpty(t, groupIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		require.NoError(t, err)
+		assert.True(t, result)
 	})

 	t.Run("posture check is linked to policy but no peers in groups", func(t *testing.T) {
@@ -544,9 +547,9 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		err = manager.UpdateGroup(context.Background(), account.Id, adminUserID, groupA)
 		require.NoError(t, err, "failed to save groups")

-		// The collector returns groups even if they have no peers — the groups are still referenced
-		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		assert.NotEmpty(t, groupIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		require.NoError(t, err)
+		assert.False(t, result)
 	})

 	t.Run("posture check is linked to policy with non-existent group", func(t *testing.T) {
@@ -555,10 +558,8 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		_, err = manager.SavePolicy(context.Background(), account.Id, adminUserID, policy, true)
 		require.NoError(t, err, "failed to update policy")

-		// Non-existent groups are filtered out during SavePolicy validation,
-		// so the saved policy has empty Sources/Destinations
-		groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		assert.Empty(t, groupIDs)
-		assert.Empty(t, directPeerIDs)
+		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		require.NoError(t, err)
+		assert.False(t, result)
 	})
 }
--- a/management/server/route.go
+++ b/management/server/route.go
@@ -8,7 +8,6 @@ import (
 	"unicode/utf8"

 	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
@@ -148,7 +147,7 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 	}

 	var newRoute *route.Route
-	var affectedPeerIDs []string
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		newRoute = &route.Route{
@@ -174,12 +173,14 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 			return err
 		}

-		if err = transaction.SaveRoute(ctx, newRoute); err != nil {
+		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, newRoute)
+		if err != nil {
 			return err
 		}

-		groupIDs, directPeerIDs := collectRouteAffectedGroupsAndPeers(ctx, newRoute)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+		if err = transaction.SaveRoute(ctx, newRoute); err != nil {
+			return err
+		}

 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
@@ -189,11 +190,8 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri

 	am.StoreEvent(ctx, userID, string(newRoute.ID), accountID, activity.RouteCreated, newRoute.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("CreateRoute %s: updating %d affected peers: %v", newRoute.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("CreateRoute %s: no affected peers", newRoute.ID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceRoute, Operation: types.UpdateOperationCreate})
 	}

 	return newRoute, nil
@@ -210,7 +208,8 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 	}

 	var oldRoute *route.Route
-	var affectedPeerIDs []string
+	var oldRouteAffectsPeers bool
+	var newRouteAffectsPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateRoute(ctx, transaction, accountID, routeToSave); err != nil {
@@ -222,15 +221,21 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 			return err
 		}

+		oldRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, oldRoute)
+		if err != nil {
+			return err
+		}
+
+		newRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, routeToSave)
+		if err != nil {
+			return err
+		}
 		routeToSave.AccountID = accountID

 		if err = transaction.SaveRoute(ctx, routeToSave); err != nil {
 			return err
 		}

-		groupIDs, directPeerIDs := collectRouteAffectedGroupsAndPeers(ctx, routeToSave, oldRoute)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
-
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -239,11 +244,8 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI

 	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("SaveRoute %s: updating %d affected peers: %v", routeToSave.ID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("SaveRoute %s: no affected peers", routeToSave.ID)
+	if oldRouteAffectsPeers || newRouteAffectsPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceRoute, Operation: types.UpdateOperationUpdate})
 	}

 	return nil
@@ -259,17 +261,19 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
 		return status.NewPermissionDeniedError()
 	}

-	var rt *route.Route
-	var affectedPeerIDs []string
+	var route *route.Route
+	var updateAccountPeers bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		rt, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
+		route, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
 		if err != nil {
 			return err
 		}

-		groupIDs, directPeerIDs := collectRouteAffectedGroupsAndPeers(ctx, rt)
-		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, route)
+		if err != nil {
+			return err
+		}

 		if err = transaction.DeleteRoute(ctx, accountID, string(routeID)); err != nil {
 			return err
@@ -281,13 +285,10 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
 		return fmt.Errorf("failed to delete route %s: %w", routeID, err)
 	}

-	am.StoreEvent(ctx, userID, string(rt.ID), accountID, activity.RouteRemoved, rt.EventMeta())
+	am.StoreEvent(ctx, userID, string(route.ID), accountID, activity.RouteRemoved, route.EventMeta())

-	if len(affectedPeerIDs) > 0 {
-		log.WithContext(ctx).Debugf("DeleteRoute %s: updating %d affected peers: %v", routeID, len(affectedPeerIDs), affectedPeerIDs)
-		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
-	} else {
-		log.WithContext(ctx).Tracef("DeleteRoute %s: no affected peers", routeID)
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceRoute, Operation: types.UpdateOperationDelete})
 	}

 	return nil
@@ -376,23 +377,23 @@ func getPlaceholderIP() netip.Prefix {
 	return netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 0, 2, 0}), 32)
 }

-// collectRouteAffectedGroupsAndPeers returns group IDs and direct peer IDs from the given routes.
-func collectRouteAffectedGroupsAndPeers(ctx context.Context, routes ...*route.Route) (groupIDs []string, directPeerIDs []string) {
-	for _, r := range routes {
-		if r == nil {
-			continue
-		}
-		log.WithContext(ctx).Tracef("collectRouteAffectedGroupsAndPeers: route %s groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
-			r.ID, r.Groups, r.PeerGroups, r.AccessControlGroups, r.Peer)
-		groupIDs = append(groupIDs, r.Groups...)
-		groupIDs = append(groupIDs, r.PeerGroups...)
-		groupIDs = append(groupIDs, r.AccessControlGroups...)
-		if r.Peer != "" {
-			directPeerIDs = append(directPeerIDs, r.Peer)
-		}
+// areRouteChangesAffectPeers checks if a given route affects peers by determining
+// if it has a routing peer, distribution, or peer groups that include peers.
+func areRouteChangesAffectPeers(ctx context.Context, transaction store.Store, route *route.Route) (bool, error) {
+	if route.Peer != "" {
+		return true, nil
 	}
-	log.WithContext(ctx).Tracef("collectRouteAffectedGroupsAndPeers: result groupIDs=%v, directPeerIDs=%v", groupIDs, directPeerIDs)
-	return
+
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.Groups)
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
+	return anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.PeerGroups)
 }

 // GetRoutesByPrefixOrDomains return list of routes by account and route prefix
--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -1299,7 +1299,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, *update_channel.

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{}, nil)

 	am, err := BuildManager(context.Background(), nil, store, networkMapController, job.NewJobManager(nil, store, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	if err != nil {
@@ -1962,10 +1962,8 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 	})

-	// Creating a route with no routing peer and having peers in groups that don't include peer1 should not send peer1 an update
+	// Creating a route with no routing peer and having peers in groups should update account peers and send peer update
 	t.Run("creating a route with peers in  PeerGroups and Groups", func(t *testing.T) {
-		drainPeerUpdates(updMsg)
-
 		route := route.Route{
 			ID:          "testingRoute2",
 			Network:     netip.MustParsePrefix("192.0.2.0/32"),
@@ -1981,7 +1979,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -1994,8 +1992,8 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		select {
 		case <-done:
-		case <-time.After(time.Second):
-			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+		case <-time.After(peerUpdateTimeout):
+			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}

 	})
--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -265,8 +265,7 @@ func (s *SqlStore) AcquireGlobalLock(ctx context.Context) (unlock func()) {
 	return unlock
 }

-// Deprecated: Full
-// account operations are no longer supported
+// Deprecated: Full account operations are no longer supported
 func (s *SqlStore) SaveAccount(ctx context.Context, account *types.Account) error {
 	start := time.Now()
 	defer func() {
@@ -4849,40 +4848,6 @@ func (s *SqlStore) GetPeersByGroupIDs(ctx context.Context, accountID string, gro
 	return peers, nil
 }

-func (s *SqlStore) GetPeerIDsByGroups(ctx context.Context, accountID string, groupIDs []string) ([]string, error) {
-	if len(groupIDs) == 0 {
-		return nil, nil
-	}
-
-	var peerIDs []string
-	result := s.db.Model(&types.GroupPeer{}).
-		Select("DISTINCT peer_id").
-		Where("account_id = ? AND group_id IN ?", accountID, groupIDs).
-		Pluck("peer_id", &peerIDs)
-	if result.Error != nil {
-		return nil, status.Errorf(status.Internal, "failed to get peer IDs by groups: %s", result.Error)
-	}
-
-	return peerIDs, nil
-}
-
-func (s *SqlStore) GetGroupIDsByPeerIDs(ctx context.Context, accountID string, peerIDs []string) ([]string, error) {
-	if len(peerIDs) == 0 {
-		return nil, nil
-	}
-
-	var groupIDs []string
-	result := s.db.Model(&types.GroupPeer{}).
-		Select("DISTINCT group_id").
-		Where("account_id = ? AND peer_id IN ?", accountID, peerIDs).
-		Pluck("group_id", &groupIDs)
-	if result.Error != nil {
-		return nil, status.Errorf(status.Internal, "failed to get group IDs by peers: %s", result.Error)
-	}
-
-	return groupIDs, nil
-}
-
 func (s *SqlStore) GetUserIDByPeerKey(ctx context.Context, lockStrength LockingStrength, peerKey string) (string, error) {
 	tx := s.db
 	if lockStrength != LockingStrengthNone {
--- a/management/server/store/store.go
+++ b/management/server/store/store.go
@@ -162,8 +162,6 @@ type Store interface {
 	GetPeerByID(ctx context.Context, lockStrength LockingStrength, accountID string, peerID string) (*nbpeer.Peer, error)
 	GetPeersByIDs(ctx context.Context, lockStrength LockingStrength, accountID string, peerIDs []string) (map[string]*nbpeer.Peer, error)
 	GetPeersByGroupIDs(ctx context.Context, accountID string, groupIDs []string) ([]*nbpeer.Peer, error)
-	GetPeerIDsByGroups(ctx context.Context, accountID string, groupIDs []string) ([]string, error)
-	GetGroupIDsByPeerIDs(ctx context.Context, accountID string, peerIDs []string) ([]string, error)
 	GetAccountPeersWithExpiration(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*nbpeer.Peer, error)
 	GetAccountPeersWithInactivity(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*nbpeer.Peer, error)
 	GetAllEphemeralPeers(ctx context.Context, lockStrength LockingStrength) ([]*nbpeer.Peer, error)
--- a/management/server/store/store_mock.go
+++ b/management/server/store/store_mock.go
@@ -1911,36 +1911,6 @@ func (mr *MockStoreMockRecorder) GetPeersByGroupIDs(ctx, accountID, groupIDs int
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeersByGroupIDs", reflect.TypeOf((*MockStore)(nil).GetPeersByGroupIDs), ctx, accountID, groupIDs)
 }

-// GetPeerIDsByGroups mocks base method.
-func (m *MockStore) GetPeerIDsByGroups(ctx context.Context, accountID string, groupIDs []string) ([]string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetPeerIDsByGroups", ctx, accountID, groupIDs)
-	ret0, _ := ret[0].([]string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetPeerIDsByGroups indicates an expected call of GetPeerIDsByGroups.
-func (mr *MockStoreMockRecorder) GetPeerIDsByGroups(ctx, accountID, groupIDs interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeerIDsByGroups", reflect.TypeOf((*MockStore)(nil).GetPeerIDsByGroups), ctx, accountID, groupIDs)
-}
-
-// GetGroupIDsByPeerIDs mocks base method.
-func (m *MockStore) GetGroupIDsByPeerIDs(ctx context.Context, accountID string, peerIDs []string) ([]string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetGroupIDsByPeerIDs", ctx, accountID, peerIDs)
-	ret0, _ := ret[0].([]string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetGroupIDsByPeerIDs indicates an expected call of GetGroupIDsByPeerIDs.
-func (mr *MockStoreMockRecorder) GetGroupIDsByPeerIDs(ctx, accountID, peerIDs interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGroupIDsByPeerIDs", reflect.TypeOf((*MockStore)(nil).GetGroupIDsByPeerIDs), ctx, accountID, peerIDs)
-}
-
 // GetPeersByIDs mocks base method.
 func (m *MockStore) GetPeersByIDs(ctx context.Context, lockStrength LockingStrength, accountID string, peerIDs []string) (map[string]*peer.Peer, error) {
 	m.ctrl.T.Helper()
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -1161,8 +1161,7 @@ func (am *DefaultAccountManager) expireAndUpdatePeers(ctx context.Context, accou
 		}
 	}

-	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, peerIDs)
-	err = am.networkMapController.OnPeersUpdated(ctx, accountID, peerIDs, affectedPeerIDs)
+	err = am.networkMapController.OnPeersUpdated(ctx, accountID, peerIDs)
 	if err != nil {
 		return fmt.Errorf("notify network map controller of peer update: %w", err)
 	}
@@ -1278,7 +1277,6 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI
 	var userPeers []*nbpeer.Peer
 	var targetUser *types.User
 	var settings *types.Settings
-	var affectedPeerIDs []string
 	var err error

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -1299,14 +1297,6 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI

 		if len(userPeers) > 0 {
 			updateAccountPeers = true
-
-			var peerIDs []string
-			for _, peer := range userPeers {
-				peerIDs = append(peerIDs, peer.ID)
-			}
-			// Resolve before delete so group memberships are still present.
-			affectedPeerIDs = am.resolveAffectedPeersForPeerChanges(ctx, transaction, accountID, peerIDs)
-
 			addPeerRemovedEvents, err = deletePeers(ctx, am, transaction, accountID, targetUserInfo.ID, userPeers, settings)
 			if err != nil {
 				return fmt.Errorf("failed to delete user peers: %w", err)
@@ -1330,7 +1320,7 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI
 			log.WithContext(ctx).Errorf("failed to delete peer %s from integrated validator: %v", peer.ID, err)
 		}
 	}
-	if err := am.networkMapController.OnPeersDeleted(ctx, accountID, peerIDs, affectedPeerIDs); err != nil {
+	if err := am.networkMapController.OnPeersDeleted(ctx, accountID, peerIDs); err != nil {
 		log.WithContext(ctx).Errorf("failed to delete peers %s from network map: %v", peerIDs, err)
 	}

--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -846,7 +846,7 @@ func TestUser_DeleteUser_regularUser(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	networkMapControllerMock := network_map.NewMockController(ctrl)
 	networkMapControllerMock.EXPECT().
-		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(nil)

 	permissionsManager := permissions.NewManager(store)
@@ -962,7 +962,7 @@ func TestUser_DeleteUser_RegularUsers(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	networkMapControllerMock := network_map.NewMockController(ctrl)
 	networkMapControllerMock.EXPECT().
-		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(nil).
 		AnyTimes()

@@ -1531,14 +1531,11 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 		}
 	})

-	// drain any buffered updates from previous subtests
-	drainPeerUpdates(updMsg)
-
 	// deleting user with no linked peers should not update account peers and not send peer update
 	t.Run("deleting user with no linked peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()

@@ -2025,7 +2022,7 @@ func TestUser_Operations_WithEmbeddedIDP(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	networkMapControllerMock := network_map.NewMockController(ctrl)
 	networkMapControllerMock.EXPECT().
-		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(nil).
 		AnyTimes()

--- a/shared/management/client/client_test.go
+++ b/shared/management/client/client_test.go
@@ -103,7 +103,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		t.Fatal(err)
 	}

-	ia, _ := integrations.NewIntegratedValidator(ctx, peersManger, settingsManagerMock, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(ctx, nil, nil, peersManger, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
@@ -126,7 +126,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {

 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peersManger), config)
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peersManger), config, nil)
 	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
 	if err != nil {
 		t.Fatal(err)
@@ -134,11 +134,11 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {

 	groupsManager := groups.NewManagerMock()

-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
Author	SHA1	Message	Date
bcmmbaga	5873064624	Merge branch 'main' into refactor/mgmt-bootstrap	2026-05-24 17:47:39 +03:00
bcmmbaga	4eadb6bde4	Merge branch 'main' into refactor/mgmt-bootstrap	2026-05-24 17:46:31 +03:00
bcmmbaga	5d6585bd43	fix tests	2026-05-23 00:06:51 +03:00
bcmmbaga	be1c6f594b	Refactor client config ext	2026-05-23 00:06:32 +03:00
bcmmbaga	63be4170e0	fix tests	2026-05-22 18:05:48 +03:00
bcmmbaga	27a1b2243d	Refactor embedded idp into module	2026-05-21 13:24:11 +03:00
bcmmbaga	e3b3396d10	wp: refactor	2026-05-19 15:45:59 +03:00