getValidatedPeerWithMap get account from cache for exp

sprintf to strings builder
load or store for account
2026-04-20 01:06:45 +00:00 · 2025-10-30 12:30:36 +01:00 · 2025-10-30 00:27:05 +01:00 · 2025-10-29 23:35:16 +01:00 · 2025-10-29 22:15:09 +01:00 · 2025-10-29 17:09:05 +01:00
45 changed files with 7324 additions and 1134 deletions
--- a/go.mod
+++ b/go.mod
@@ -56,6 +56,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.6.0
+	github.com/jackc/pgx/v5 v5.5.5
 	github.com/libdns/route53 v1.5.0
 	github.com/libp2p/go-netroute v0.2.1
 	github.com/mdlayher/socket v0.5.1
@@ -183,7 +184,6 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
 	github.com/jeandeaual/go-locale v0.0.0-20240223122105-ce5225dcaa49 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
--- a/management/main.go
+++ b/management/main.go
@@ -1,11 +1,18 @@
 package main

 import (
-	"github.com/netbirdio/netbird/management/cmd"
+	"log"
+	"net/http"
+	_ "net/http/pprof"
 	"os"
+
+	"github.com/netbirdio/netbird/management/cmd"
 )

 func main() {
+	go func() {
+		log.Println(http.ListenAndServe("localhost:6060", nil))
+	}()
 	if err := cmd.Execute(); err != nil {
 		os.Exit(1)
 	}
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -53,6 +53,9 @@ const (
 	peerSchedulerRetryInterval = 3 * time.Second
 	emptyUserID                = "empty user ID in claims"
 	errorGettingDomainAccIDFmt = "error getting account ID by private domain: %v"
+
+	envNewNetworkMapBuilder  = "NB_EXPERIMENT_NETWORK_MAP"
+	envNewNetworkMapAccounts = "NB_EXPERIMENT_NETWORK_MAP_ACCOUNTS"
 )

 type userLoggedInOnce bool
@@ -109,6 +112,11 @@ type DefaultAccountManager struct {
 	loginFilter *loginFilter

 	disableDefaultPolicy bool
+
+	holder *types.Holder
+
+	expNewNetworkMap     bool
+	expNewNetworkMapAIDs map[string]struct{}
 }

 func isUniqueConstraintError(err error) bool {
@@ -196,6 +204,18 @@ func BuildManager(
 		log.WithContext(ctx).Debugf("took %v to instantiate account manager", time.Since(start))
 	}()

+	newNetworkMapBuilder, err := strconv.ParseBool(os.Getenv(envNewNetworkMapBuilder))
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to parse %s, using default value false: %v", envNewNetworkMapBuilder, err)
+		newNetworkMapBuilder = false
+	}
+
+	ids := strings.Split(os.Getenv(envNewNetworkMapAccounts), ",")
+	expIDs := make(map[string]struct{}, len(ids))
+	for _, id := range ids {
+		expIDs[id] = struct{}{}
+	}
+
 	am := &DefaultAccountManager{
 		Store:                    store,
 		geo:                      geo,
@@ -217,6 +237,10 @@ func BuildManager(
 		permissionsManager:       permissionsManager,
 		loginFilter:              newLoginFilter(),
 		disableDefaultPolicy:     disableDefaultPolicy,
+		holder:                   types.NewHolder(),
+
+		expNewNetworkMap:     newNetworkMapBuilder,
+		expNewNetworkMapAIDs: expIDs,
 	}

 	am.startWarmup(ctx)
@@ -395,6 +419,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 	}

 	if updateAccountPeers || extraSettingsChanged || groupChangesAffectPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return nil, err
+		}
 		go am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -1477,6 +1504,10 @@ func (am *DefaultAccountManager) SyncUserJWTGroups(ctx context.Context, userAuth
 		}

 		if removedGroupAffectsPeers || newGroupsAffectsPeers {
+			if err := am.RecalculateNetworkMapCache(ctx, userAuth.AccountId); err != nil {
+				return err
+			}
+
 			log.WithContext(ctx).Tracef("user %s: JWT group membership changed, updating account peers", userAuth.UserId)
 			am.BufferUpdateAccountPeers(ctx, userAuth.AccountId)
 		}
@@ -2129,6 +2160,11 @@ func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, us
 	}

 	if updateNetworkMap {
+		peer, err := am.Store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
+		if err != nil {
+			return err
+		}
+		am.updatePeerInNetworkMapCache(peer.AccountID, peer)
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}
 	return nil
--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -128,4 +128,5 @@ type Manager interface {
 	GetCurrentUserInfo(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
 	SetEphemeralManager(em ephemeral.Manager)
 	AllowSync(string, uint64) bool
+	RecalculateNetworkMapCache(ctx context.Context, accountId string) error
 }
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -1154,7 +1154,16 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 	assert.Equal(t, peer.IP.String(), fmt.Sprint(ev.Meta["ip"]))
 }

+func TestAccountManager_NetworkUpdates_SaveGroup_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_SaveGroup(t)
+}
+
 func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
+	testAccountManager_NetworkUpdates_SaveGroup(t)
+}
+
+func testAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	manager, account, peer1, peer2, peer3 := setupNetworkMapTest(t)

 	group := types.Group{
@@ -1181,7 +1190,7 @@ func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	}, true)
 	require.NoError(t, err)

-	updMsg := manager.peersUpdateManager.CreateChannel(context.Background(), peer1.ID)
+	updChan := manager.peersUpdateManager.CreateChannel(context.Background(), peer1.ID)
 	defer manager.peersUpdateManager.CloseChannel(context.Background(), peer1.ID)

 	wg := sync.WaitGroup{}
@@ -1189,7 +1198,12 @@ func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	go func() {
 		defer wg.Done()

-		message := <-updMsg
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		message, _, _, err := updChan.NetworkMap.Pop(ctx)
+		if err != nil {
+			t.Errorf("timeout waiting for network update")
+		}
 		networkMap := message.Update.GetNetworkMap()
 		if len(networkMap.RemotePeers) != 2 {
 			t.Errorf("mismatch peers count: 2 expected, got %v", len(networkMap.RemotePeers))
@@ -1205,18 +1219,26 @@ func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	wg.Wait()
 }

+func TestAccountManager_NetworkUpdates_DeletePolicy_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_DeletePolicy(t)
+}
+
 func TestAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
+	testAccountManager_NetworkUpdates_DeletePolicy(t)
+}
+
+func testAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	manager, account, peer1, _, _ := setupNetworkMapTest(t)

 	updMsg := manager.peersUpdateManager.CreateChannel(context.Background(), peer1.ID)
 	defer manager.peersUpdateManager.CloseChannel(context.Background(), peer1.ID)

-	// Ensure that we do not receive an update message before the policy is deleted
-	time.Sleep(time.Second)
-	select {
-	case <-updMsg:
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	_, _, _, err := updMsg.NetworkMap.Pop(ctx)
+	if err != nil {
 		t.Logf("received addPeer update message before policy deletion")
-	default:
 	}

 	wg := sync.WaitGroup{}
@@ -1224,7 +1246,12 @@ func TestAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	go func() {
 		defer wg.Done()

-		message := <-updMsg
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		message, _, _, err := updMsg.NetworkMap.Pop(ctx)
+		if err != nil {
+			t.Errorf("timeout waiting for network update")
+		}
 		networkMap := message.Update.GetNetworkMap()
 		if len(networkMap.RemotePeers) != 0 {
 			t.Errorf("mismatch peers count: 0 expected, got %v", len(networkMap.RemotePeers))
@@ -1239,7 +1266,16 @@ func TestAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	wg.Wait()
 }

+func TestAccountManager_NetworkUpdates_SavePolicy_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_SavePolicy(t)
+}
+
 func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
+	testAccountManager_NetworkUpdates_SavePolicy(t)
+}
+
+func testAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	manager, account, peer1, peer2, _ := setupNetworkMapTest(t)

 	group := types.Group{
@@ -1261,7 +1297,12 @@ func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	go func() {
 		defer wg.Done()

-		message := <-updMsg
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		message, _, _, err := updMsg.NetworkMap.Pop(ctx)
+		if err != nil {
+			t.Errorf("timeout waiting for network update")
+		}
 		networkMap := message.Update.GetNetworkMap()
 		if len(networkMap.RemotePeers) != 2 {
 			t.Errorf("mismatch peers count: 2 expected, got %v", len(networkMap.RemotePeers))
@@ -1288,7 +1329,16 @@ func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	wg.Wait()
 }

+func TestAccountManager_NetworkUpdates_DeletePeer_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_DeletePeer(t)
+}
+
 func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
+	testAccountManager_NetworkUpdates_DeletePeer(t)
+}
+
+func testAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	manager, account, peer1, _, peer3 := setupNetworkMapTest(t)

 	group := types.Group{
@@ -1326,7 +1376,12 @@ func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	go func() {
 		defer wg.Done()

-		message := <-updMsg
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		message, _, _, err := updMsg.NetworkMap.Pop(ctx)
+		if err != nil {
+			t.Errorf("timeout waiting for network update")
+		}
 		networkMap := message.Update.GetNetworkMap()
 		if len(networkMap.RemotePeers) != 1 {
 			t.Errorf("mismatch peers count: 1 expected, got %v", len(networkMap.RemotePeers))
@@ -1341,7 +1396,16 @@ func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	wg.Wait()
 }

+func TestAccountManager_NetworkUpdates_DeleteGroup_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_DeleteGroup(t)
+}
+
 func TestAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
+	testAccountManager_NetworkUpdates_DeleteGroup(t)
+}
+
+func testAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
 	manager, account, peer1, peer2, peer3 := setupNetworkMapTest(t)

 	updMsg := manager.peersUpdateManager.CreateChannel(context.Background(), peer1.ID)
@@ -1382,7 +1446,12 @@ func TestAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
 	go func() {
 		defer wg.Done()

-		message := <-updMsg
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		message, _, _, err := updMsg.NetworkMap.Pop(ctx)
+		if err != nil {
+			t.Errorf("timeout waiting for network update")
+		}
 		networkMap := message.Update.GetNetworkMap()
 		if len(networkMap.RemotePeers) != 0 {
 			t.Errorf("mismatch peers count: 0 expected, got %v", len(networkMap.RemotePeers))
@@ -1736,6 +1805,7 @@ func TestAccount_Copy(t *testing.T) {
 				Address:   "172.12.6.1/24",
 			},
 		},
+		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
 	err := hasNilField(account)
 	if err != nil {
@@ -2893,7 +2963,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, error) {

 	permissionsManager := permissions.NewManager(store)

-	manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(metrics), nil, "", "netbird.cloud", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, err
 	}
@@ -2974,27 +3044,33 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *types.Account,
 	return manager, account, peer1, peer2, peer3
 }

-func peerShouldNotReceiveUpdate(t *testing.T, updateMessage <-chan *UpdateMessage) {
+func peerShouldNotReceiveUpdate(t *testing.T, updateMessageBuffer *UpdateBuffer) {
 	t.Helper()
-	select {
-	case msg := <-updateMessage:
+	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
+	defer cancel()
+	msg, _, _, _ := updateMessageBuffer.Pop(ctx)
+	if msg != nil {
 		t.Errorf("Unexpected message received: %+v", msg)
-	case <-time.After(500 * time.Millisecond):
+	}
+
 	return
 }
-}

-func peerShouldReceiveUpdate(t *testing.T, updateMessage <-chan *UpdateMessage) {
+func peerShouldReceiveUpdate(t *testing.T, updateMessageBuffer *UpdateBuffer) {
 	t.Helper()

-	select {
-	case msg := <-updateMessage:
+	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
+	defer cancel()
+
+	msg, _, _, err := updateMessageBuffer.Pop(ctx)
+	if err != nil {
+		t.Errorf("Expected update message, but none received")
+	}
 	if msg == nil {
 		t.Errorf("Received nil update message, expected valid message")
 	}
-	case <-time.After(500 * time.Millisecond):
-		t.Error("Timed out waiting for update message")
-	}
+
+	return
 }

 func BenchmarkSyncAndMarkPeer(b *testing.B) {
@@ -3031,11 +3107,13 @@ func BenchmarkSyncAndMarkPeer(b *testing.B) {
 			if err != nil {
 				b.Fatalf("Failed to get account: %v", err)
 			}
-			peerChannels := make(map[string]chan *UpdateMessage)
+			peerChannels := make(map[string]*UpdateChannel)
 			for peerID := range account.Peers {
-				peerChannels[peerID] = make(chan *UpdateMessage, channelBufferSize)
+				peerChannels[peerID] = &UpdateChannel{
+					Important:  make(chan *UpdateMessage, channelBufferSize),
+					NetworkMap: NewUpdateBuffer(manager.metrics.UpdateChannelMetrics()),
+				}
 			}
-			manager.peersUpdateManager.peerChannels = peerChannels

 			b.ResetTimer()
 			start := time.Now()
@@ -3094,9 +3172,12 @@ func BenchmarkLoginPeer_ExistingPeer(b *testing.B) {
 			if err != nil {
 				b.Fatalf("Failed to get account: %v", err)
 			}
-			peerChannels := make(map[string]chan *UpdateMessage)
+			peerChannels := make(map[string]*UpdateChannel)
 			for peerID := range account.Peers {
-				peerChannels[peerID] = make(chan *UpdateMessage, channelBufferSize)
+				peerChannels[peerID] = &UpdateChannel{
+					Important:  make(chan *UpdateMessage, channelBufferSize),
+					NetworkMap: NewUpdateBuffer(manager.metrics.UpdateChannelMetrics()),
+				}
 			}
 			manager.peersUpdateManager.peerChannels = peerChannels

@@ -3164,9 +3245,12 @@ func BenchmarkLoginPeer_NewPeer(b *testing.B) {
 			if err != nil {
 				b.Fatalf("Failed to get account: %v", err)
 			}
-			peerChannels := make(map[string]chan *UpdateMessage)
+			peerChannels := make(map[string]*UpdateChannel)
 			for peerID := range account.Peers {
-				peerChannels[peerID] = make(chan *UpdateMessage, channelBufferSize)
+				peerChannels[peerID] = &UpdateChannel{
+					Important:  make(chan *UpdateMessage, channelBufferSize),
+					NetworkMap: NewUpdateBuffer(manager.metrics.UpdateChannelMetrics()),
+				}
 			}
 			manager.peersUpdateManager.peerChannels = peerChannels

--- a/management/server/dns.go
+++ b/management/server/dns.go
@@ -117,6 +117,9 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

--- a/management/server/dns_test.go
+++ b/management/server/dns_test.go
@@ -609,7 +609,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 	t.Run("saving dns setting with unused groups", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -629,7 +629,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 	t.Run("creating dns setting with unused groups", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -662,7 +662,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -688,7 +688,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 	t.Run("saving dns setting with used groups", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -708,7 +708,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 	t.Run("removing group with no peers from dns settings", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -728,7 +728,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 	t.Run("removing group with peers from dns settings", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/group.go
+++ b/management/server/group.go
@@ -114,6 +114,9 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -182,6 +185,9 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -250,6 +256,9 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -318,6 +327,9 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -471,6 +483,9 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -509,6 +524,9 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -537,6 +555,9 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -575,6 +596,9 @@ func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accoun
 	}

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

--- a/management/server/group_test.go
+++ b/management/server/group_test.go
@@ -451,7 +451,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("saving unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -474,7 +474,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("adding peer to unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -493,7 +493,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("removing peer from unliked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -511,7 +511,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -544,7 +544,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("saving linked group to policy", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -566,7 +566,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("adding peer to linked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -584,7 +584,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("removing peer from linked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -613,7 +613,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -654,7 +654,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -681,7 +681,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -728,7 +728,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -7,8 +7,10 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	pb "github.com/golang/protobuf/proto" // nolint
@@ -44,6 +46,9 @@ import (
 const (
 	envLogBlockedPeers = "NB_LOG_BLOCKED_PEERS"
 	envBlockPeers      = "NB_BLOCK_SAME_PEERS"
+	envConcurrentSyncs = "NB_MAX_CONCURRENT_SYNCS"
+
+	defaultSyncLim = 1000
 )

 // GRPCServer an instance of a Management gRPC API server
@@ -63,6 +68,10 @@ type GRPCServer struct {
 	logBlockedPeers          bool
 	blockPeersWithSameConfig bool
 	integratedPeerValidator  integrated_validator.IntegratedValidator
+	debounce                 int
+
+	syncSem atomic.Int32
+	syncLim int32
 }

 // NewServer creates a new Management server
@@ -86,7 +95,7 @@ func NewServer(
 	if appMetrics != nil {
 		// update gauge based on number of connected peers which is equal to open gRPC streams
 		err = appMetrics.GRPCMetrics().RegisterConnectedStreams(func() int64 {
-			return int64(len(peersUpdateManager.peerChannels))
+			return int64(peersUpdateManager.GetChannelCount())
 		})
 		if err != nil {
 			return nil, err
@@ -96,6 +105,24 @@ func NewServer(
 	logBlockedPeers := strings.ToLower(os.Getenv(envLogBlockedPeers)) == "true"
 	blockPeersWithSameConfig := strings.ToLower(os.Getenv(envBlockPeers)) == "true"

+	debounce := 1
+	if decounceStr := os.Getenv("NB_UPDATE_BUFFER_DEBOUNCE_S"); decounceStr != "" {
+		debounce, err = strconv.Atoi(decounceStr)
+		if err != nil {
+			log.Errorf("invalid value for NB_UPDATE_BUFFER_DEBOUNCE_S: %v using 1 second", err)
+		}
+	}
+
+	syncLim := int32(defaultSyncLim)
+	if syncLimStr := os.Getenv(envConcurrentSyncs); syncLimStr != "" {
+		syncLimParsed, err := strconv.Atoi(syncLimStr)
+		if err != nil {
+			log.Errorf("invalid value for %s: %v using %d", envConcurrentSyncs, err, defaultSyncLim)
+		} else {
+			syncLim = int32(syncLimParsed)
+		}
+	}
+
 	return &GRPCServer{
 		wgKey: key,
 		// peerKey -> event channel
@@ -110,6 +137,9 @@ func NewServer(
 		logBlockedPeers:          logBlockedPeers,
 		blockPeersWithSameConfig: blockPeersWithSameConfig,
 		integratedPeerValidator:  integratedPeerValidator,
+		debounce:                 debounce,
+
+		syncLim: syncLim,
 	}, nil
 }

@@ -151,6 +181,11 @@ func getRealIP(ctx context.Context) net.IP {
 // Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and
 // notifies the connected peer of any updates (e.g. new peers under the same account)
 func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
+	if s.syncSem.Load() >= s.syncLim {
+		return status.Errorf(codes.ResourceExhausted, "too many concurrent sync requests, please try again later")
+	}
+	s.syncSem.Add(1)
+
 	reqStart := time.Now()

 	ctx := srv.Context()
@@ -158,6 +193,7 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 	syncReq := &proto.SyncRequest{}
 	peerKey, err := s.parseRequest(ctx, req, syncReq)
 	if err != nil {
+		s.syncSem.Add(-1)
 		return err
 	}
 	realIP := getRealIP(ctx)
@@ -172,6 +208,7 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 			log.WithContext(ctx).Warnf("peer %s with meta hash %d is blocked from syncing", peerKey.String(), metahashed)
 		}
 		if s.blockPeersWithSameConfig {
+			s.syncSem.Add(-1)
 			return mapError(ctx, internalStatus.ErrPeerAlreadyLoggedIn)
 		}
 	}
@@ -196,8 +233,10 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 		ctx = context.WithValue(ctx, nbContext.AccountIDKey, "UNKNOWN")
 		log.WithContext(ctx).Tracef("peer %s is not registered", peerKey.String())
 		if errStatus, ok := internalStatus.FromError(err); ok && errStatus.Type() == internalStatus.NotFound {
+			s.syncSem.Add(-1)
 			return status.Errorf(codes.PermissionDenied, "peer is not registered")
 		}
+		s.syncSem.Add(-1)
 		return err
 	}

@@ -213,12 +252,14 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 	peer, netMap, postureChecks, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP)
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while syncing peer %s: %v", peerKey.String(), err)
+		s.syncSem.Add(-1)
 		return mapError(ctx, err)
 	}

 	err = s.sendInitialSync(ctx, peerKey, peer, netMap, postureChecks, srv)
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while sending initial sync for %s: %v", peerKey.String(), err)
+		s.syncSem.Add(-1)
 		return err
 	}

@@ -237,18 +278,62 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi

 	log.WithContext(ctx).Debugf("Sync: took %v", time.Since(reqStart))

+	s.syncSem.Add(-1)
+
 	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv)
 }

 // handleUpdates sends updates to the connected peer until the updates channel is closed.
-func (s *GRPCServer) handleUpdates(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, updates chan *UpdateMessage, srv proto.ManagementService_SyncServer) error {
+func (s *GRPCServer) handleUpdates(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, updates *UpdateChannel, srv proto.ManagementService_SyncServer) error {
 	log.WithContext(ctx).Tracef("starting to handle updates for peer %s", peerKey.String())
+
+	// Channel to receive network map updates with metadata
+	type networkMapUpdate struct {
+		msg              *UpdateMessage
+		overwrites       int
+		timeSinceLastPop time.Duration
+	}
+	networkMapCh := make(chan networkMapUpdate)
+
+	// Start goroutine to Pop from buffer
+	go func() {
+		for {
+			start := time.Now()
+			update, overwrites, timeSinceLastPop, err := updates.NetworkMap.Pop(ctx)
+			log.WithContext(ctx).Debugf("popped an update for peer %s from the network map buffer in %v (overwrites: %d)", peerKey.String(), time.Since(start), overwrites)
+			if err != nil {
+				close(networkMapCh)
+				return
+			}
+			// start := time.Now()
+			select {
+			case networkMapCh <- networkMapUpdate{
+				msg:              update,
+				overwrites:       overwrites,
+				timeSinceLastPop: timeSinceLastPop,
+			}:
+				// log.WithContext(ctx).Debugf("forwarded an update for peer %s from the network map buffer in %v (overwrites: %d)", peerKey.String(), time.Since(start), overwrites)
+
+				// Adaptive debounce: increase delay based on overwrite rate
+				// If many overwrites happened, wait longer to let things settle
+				debounce := s.calculateDebounce(overwrites, timeSinceLastPop)
+				if debounce > 0 {
+					// start = time.Now()
+					time.Sleep(debounce)
+					// log.WithContext(ctx).Debugf("debounced for %v for peer %s (overwrites: %d)", time.Since(start), peerKey.String(), overwrites)
+				}
+			case <-ctx.Done():
+				return
+			}
+		}
+	}()
+
 	for {
 		select {
 		// condition when there are some updates
-		case update, open := <-updates:
+		case update, open := <-updates.Important:
 			if s.appMetrics != nil {
-				s.appMetrics.GRPCMetrics().UpdateChannelQueueLength(len(updates) + 1)
+				s.appMetrics.GRPCMetrics().UpdateChannelQueueLength(len(updates.Important) + 1)
 			}

 			if !open {
@@ -256,13 +341,24 @@ func (s *GRPCServer) handleUpdates(ctx context.Context, accountID string, peerKe
 				s.cancelPeerRoutines(ctx, accountID, peer)
 				return nil
 			}
-			log.WithContext(ctx).Debugf("received an update for peer %s", peerKey.String())
+			// log.WithContext(ctx).Debugf("received an update for peer %s", peerKey.String())

 			if err := s.sendUpdate(ctx, accountID, peerKey, peer, update, srv); err != nil {
 				log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
 				return err
 			}

+		case updateData, ok := <-networkMapCh:
+			if !ok {
+				log.WithContext(ctx).Debugf("update buffer for peer %s closed", peerKey.String())
+				s.cancelPeerRoutines(ctx, accountID, peer)
+				return nil
+			}
+			// log.WithContext(ctx).Debugf("sending latest update to peer %s (overwrites: %d)", peerKey.String(), updateData.overwrites)
+			if err := s.sendUpdate(ctx, accountID, peerKey, peer, updateData.msg, srv); err != nil {
+				return err
+			}
+
 		// condition when client <-> server connection has been terminated
 		case <-srv.Context().Done():
 			// happens when connection drops, e.g. client disconnects
@@ -273,6 +369,33 @@ func (s *GRPCServer) handleUpdates(ctx context.Context, accountID string, peerKe
 	}
 }

+// calculateDebounce calculates adaptive debounce duration based on overwrite rate
+// More overwrites = longer debounce to let updates settle
+func (s *GRPCServer) calculateDebounce(overwrites int, timeSinceLastPop time.Duration) time.Duration {
+	if overwrites == 0 {
+		// No overwrites, use base debounce
+		return time.Duration(s.debounce) * time.Second
+	}
+
+	var rate float64
+	if timeSinceLastPop > 0 {
+		rate = float64(overwrites) / timeSinceLastPop.Seconds()
+	} else {
+		rate = float64(overwrites)
+	}
+
+	multiplier := 2.0
+	adaptiveDebounce := float64(s.debounce) + (rate * multiplier)
+
+	// Cap at 10x base debounce
+	maxDebounce := float64(s.debounce) * 10
+	if adaptiveDebounce > maxDebounce {
+		adaptiveDebounce = maxDebounce
+	}
+
+	return time.Duration(adaptiveDebounce * float64(time.Second))
+}
+
 // sendUpdate encrypts the update message using the peer key and the server's wireguard key,
 // then sends the encrypted message to the connected peer via the sync server.
 func (s *GRPCServer) sendUpdate(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, update *UpdateMessage, srv proto.ManagementService_SyncServer) error {
--- a/management/server/holder.go
+++ b/management/server/holder.go
@@ -0,0 +1,39 @@
+package server
+
+import (
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+func (am *DefaultAccountManager) enrichAccountFromHolder(account *types.Account) {
+	a := am.holder.GetAccount(account.Id)
+	if a == nil {
+		am.holder.AddAccount(account)
+		return
+	}
+	account.NetworkMapCache = a.NetworkMapCache
+	if account.NetworkMapCache == nil {
+		return
+	}
+	account.NetworkMapCache.UpdateAccountPointer(account)
+	am.holder.AddAccount(account)
+}
+
+func (am *DefaultAccountManager) getAccountFromHolder(accountID string) *types.Account {
+	return am.holder.GetAccount(accountID)
+}
+
+func (am *DefaultAccountManager) getAccountFromHolderOrInit(accountID string) *types.Account {
+	a := am.holder.GetAccount(accountID)
+	if a != nil {
+		return a
+	}
+	account, err := am.holder.LoadOrStoreFunc(accountID, am.requestBuffer.GetAccountWithBackpressure)
+	if err != nil {
+		return nil
+	}
+	return account
+}
+
+func (am *DefaultAccountManager) updateAccountInHolder(account *types.Account) {
+	am.holder.AddAccount(account)
+}
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -128,6 +128,7 @@ type MockAccountManager struct {
 	AllowSyncFunc                  func(string, uint64) bool
 	UpdateAccountPeersFunc         func(ctx context.Context, accountID string)
 	BufferUpdateAccountPeersFunc   func(ctx context.Context, accountID string)
+	RecalculateNetworkMapCacheFunc func(ctx context.Context, accountId string) error
 }

 func (am *MockAccountManager) CreateGroup(ctx context.Context, accountID, userID string, group *types.Group) error {
@@ -986,3 +987,10 @@ func (am *MockAccountManager) AllowSync(key string, hash uint64) bool {
 	}
 	return true
 }
+
+func (am *MockAccountManager) RecalculateNetworkMapCache(ctx context.Context, accountID string) error {
+	if am.RecalculateNetworkMapCacheFunc != nil {
+		return am.RecalculateNetworkMapCacheFunc(ctx, accountID)
+	}
+	return nil
+}
--- a/management/server/nameserver.go
+++ b/management/server/nameserver.go
@@ -83,6 +83,9 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco
 	am.StoreEvent(ctx, userID, newNSGroup.ID, accountID, activity.NameserverGroupCreated, newNSGroup.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return nil, err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -134,6 +137,9 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 	am.StoreEvent(ctx, userID, nsGroupToSave.ID, accountID, activity.NameserverGroupUpdated, nsGroupToSave.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -177,6 +183,9 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 	am.StoreEvent(ctx, userID, nsGroup.ID, accountID, activity.NameserverGroupDeleted, nsGroup.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -1004,7 +1004,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 	t.Run("creating nameserver group with distribution group no peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1031,7 +1031,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 	t.Run("saving nameserver group with distribution group no peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1049,7 +1049,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 	t.Run("creating nameserver group with distribution group has peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1075,7 +1075,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 	t.Run("saving nameserver group with distribution group has peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1105,7 +1105,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting nameserver group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/networkmap.go
+++ b/management/server/networkmap.go
@@ -0,0 +1,80 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+func (am *DefaultAccountManager) initNetworkMapBuilderIfNeeded(account *types.Account, validatedPeers map[string]struct{}) {
+	am.enrichAccountFromHolder(account)
+	account.InitNetworkMapBuilderIfNeeded(validatedPeers)
+}
+
+func (am *DefaultAccountManager) getPeerNetworkMapExp(
+	ctx context.Context,
+	accountId string,
+	peerId string,
+	validatedPeers map[string]struct{},
+	customZone nbdns.CustomZone,
+	metrics *telemetry.AccountManagerMetrics,
+) *types.NetworkMap {
+	account := am.getAccountFromHolderOrInit(accountId)
+	if account == nil {
+		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
+		return &types.NetworkMap{
+			Network: &types.Network{},
+		}
+	}
+	return account.GetPeerNetworkMapExp(ctx, peerId, customZone, validatedPeers, metrics)
+}
+
+func (am *DefaultAccountManager) onPeerAddedUpdNetworkMapCache(account *types.Account, peerId string) error {
+	am.enrichAccountFromHolder(account)
+	return account.OnPeerAddedUpdNetworkMapCache(peerId)
+}
+
+func (am *DefaultAccountManager) onPeerDeletedUpdNetworkMapCache(account *types.Account, peerId string) error {
+	am.enrichAccountFromHolder(account)
+	return account.OnPeerDeletedUpdNetworkMapCache(peerId)
+}
+
+func (am *DefaultAccountManager) updatePeerInNetworkMapCache(accountId string, peer *nbpeer.Peer) {
+	account := am.getAccountFromHolder(accountId)
+	if account == nil {
+		return
+	}
+	account.UpdatePeerInNetworkMapCache(peer)
+}
+
+func (am *DefaultAccountManager) recalculateNetworkMapCache(account *types.Account, validatedPeers map[string]struct{}) {
+	account.RecalculateNetworkMapCache(validatedPeers)
+	am.updateAccountInHolder(account)
+}
+
+func (am *DefaultAccountManager) RecalculateNetworkMapCache(ctx context.Context, accountId string) error {
+	if am.experimentalNetworkMap(accountId) {
+		account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountId)
+		if err != nil {
+			return err
+		}
+		validatedPeers, err := am.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to get validate peers: %v", err)
+			return err
+		}
+		am.recalculateNetworkMapCache(account, validatedPeers)
+	}
+	return nil
+}
+
+func (am *DefaultAccountManager) experimentalNetworkMap(accountId string) bool {
+	_, ok := am.expNewNetworkMapAIDs[accountId]
+	return am.expNewNetworkMap || ok
+}
--- a/management/server/networks/manager.go
+++ b/management/server/networks/manager.go
@@ -177,6 +177,9 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 		event()
 	}

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+		return err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, accountID)

 	return nil
--- a/management/server/networks/resources/manager.go
+++ b/management/server/networks/resources/manager.go
@@ -157,6 +157,9 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 		event()
 	}

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, resource.AccountID); err != nil {
+		return nil, err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)

 	return resource, nil
@@ -257,6 +260,9 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		event()
 	}

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, resource.AccountID); err != nil {
+		return nil, err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)

 	return resource, nil
@@ -331,6 +337,9 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 		event()
 	}

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+		return err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, accountID)

 	return nil
--- a/management/server/networks/routers/manager.go
+++ b/management/server/networks/routers/manager.go
@@ -119,6 +119,9 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t

 	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterCreated, router.EventMeta(network))

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, router.AccountID); err != nil {
+		return nil, err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID)

 	return router, nil
@@ -183,6 +186,9 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t

 	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterUpdated, router.EventMeta(network))

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, router.AccountID); err != nil {
+		return nil, err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID)

 	return router, nil
@@ -217,6 +223,9 @@ func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, netwo

 	event()

+	if err := m.accountManager.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+		return err
+	}
 	go m.accountManager.UpdateAccountPeers(ctx, accountID)

 	return nil
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -6,6 +6,7 @@ import (
 	b64 "encoding/base64"
 	"fmt"
 	"net"
+	"runtime"
 	"slices"
 	"strings"
 	"sync"
@@ -145,6 +146,9 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 	}

 	if expired {
+		if am.experimentalNetworkMap(accountID) {
+			am.updatePeerInNetworkMapCache(peer.AccountID, peer)
+		}
 		// we need to update other peers because when peer login expires all other peers are notified to disconnect from
 		// the expired one. Here we notify them that connection is now allowed again.
 		am.BufferUpdateAccountPeers(ctx, accountID)
@@ -321,6 +325,10 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 		}
 	}

+	if am.experimentalNetworkMap(accountID) {
+		am.updatePeerInNetworkMapCache(peer.AccountID, peer)
+	}
+
 	if peerLabelChanged || requiresPeerUpdates {
 		am.UpdateAccountPeers(ctx, accountID)
 	} else if sshChanged {
@@ -381,6 +389,18 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 		storeEvent()
 	}

+	if am.experimentalNetworkMap(accountID) {
+		account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return err
+		}
+
+		if err := am.onPeerDeletedUpdNetworkMapCache(account, peerID); err != nil {
+			log.WithContext(ctx).Errorf("failed to update network map cache for peer %s: %v", peerID, err)
+		}
+
+	}
+
 	if userID != activity.SystemInitiator {
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}
@@ -417,7 +437,13 @@ func (am *DefaultAccountManager) GetNetworkMap(ctx context.Context, peerID strin
 		return nil, err
 	}

-	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+	var networkMap *types.NetworkMap
+
+	if am.experimentalNetworkMap(peer.AccountID) {
+		networkMap = am.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, customZone, nil)
+	} else {
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -690,6 +716,17 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe

 	am.StoreEvent(ctx, opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)

+	if am.experimentalNetworkMap(accountID) {
+		account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		if err := am.onPeerAddedUpdNetworkMapCache(account, newPeer.ID); err != nil {
+			log.WithContext(ctx).Errorf("failed to update network map cache for peer %s: %v", newPeer.ID, err)
+		}
+	}
+
 	am.BufferUpdateAccountPeers(ctx, accountID)

 	return am.getValidatedPeerWithMap(ctx, false, accountID, newPeer)
@@ -776,6 +813,9 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	}

 	if isStatusChanged || sync.UpdateAccountPeers || (updated && (len(postureChecks) > 0 || versionChanged)) {
+		if am.experimentalNetworkMap(accountID) {
+			am.updatePeerInNetworkMapCache(peer.AccountID, peer)
+		}
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}

@@ -901,6 +941,9 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 	}

 	if updateRemotePeers || isStatusChanged || (isPeerUpdated && len(postureChecks) > 0) {
+		if am.experimentalNetworkMap(accountID) {
+			am.updatePeerInNetworkMapCache(peer.AccountID, peer)
+		}
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}

@@ -1014,10 +1057,18 @@ func (am *DefaultAccountManager) getValidatedPeerWithMap(ctx context.Context, is
 		return peer, emptyMap, nil, nil
 	}

-	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	var (
+		account *types.Account
+		err     error
+	)
+	if am.experimentalNetworkMap(accountID) {
+		account = am.getAccountFromHolderOrInit(accountID)
+	} else {
+		account, err = am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 		if err != nil {
 			return nil, nil, nil, err
 		}
+	}

 	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
@@ -1037,7 +1088,13 @@ func (am *DefaultAccountManager) getValidatedPeerWithMap(ctx context.Context, is
 		return nil, nil, nil, err
 	}

-	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), am.metrics.AccountManagerMetrics())
+	var networkMap *types.NetworkMap
+
+	if am.experimentalNetworkMap(accountID) {
+		networkMap = am.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, am.metrics.AccountManagerMetrics())
+	} else {
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), am.metrics.AccountManagerMetrics())
+	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -1167,12 +1224,19 @@ func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accoun
 // Should be called when changes have to be synced to peers.
 func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, accountID string) {
 	log.WithContext(ctx).Tracef("updating peers for account %s from %s", accountID, util.GetCallerName())
-
-	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	var (
+		account *types.Account
+		err     error
+	)
+	if am.experimentalNetworkMap(accountID) {
+		account = am.getAccountFromHolderOrInit(accountID)
+	} else {
+		account, err = am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 		if err != nil {
 			log.WithContext(ctx).Errorf("failed to send out updates to peers. failed to get account: %v", err)
 			return
 		}
+	}

 	globalStart := time.Now()

@@ -1196,7 +1260,6 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 	}

 	var wg sync.WaitGroup
-	semaphore := make(chan struct{}, 10)

 	dnsCache := &DNSConfigCache{}
 	dnsDomain := am.GetDNSDomain(account.Settings)
@@ -1204,6 +1267,10 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()

+	if am.experimentalNetworkMap(accountID) {
+		am.initNetworkMapBuilderIfNeeded(account, approvedPeersMap)
+	}
+
 	proxyNetworkMaps, err := am.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
@@ -1218,30 +1285,25 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account

 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), dnsForwarderPortMinVersion)

-	for _, peer := range account.Peers {
-		if !am.peersUpdateManager.HasChannel(peer.ID) {
-			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
-			continue
-		}
-
-		wg.Add(1)
-		semaphore <- struct{}{}
-		go func(p *nbpeer.Peer) {
-			defer wg.Done()
-			defer func() { <-semaphore }()
-
+	processNetworkMap := func(p *nbpeer.Peer) {
 		start := time.Now()

 		postureChecks, err := am.getPeerPostureChecks(account, p.ID)
 		if err != nil {
-				log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", peer.ID, err)
+			log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", p.ID, err)
 			return
 		}

 		am.metrics.UpdateChannelMetrics().CountCalcPostureChecksDuration(time.Since(start))
 		start = time.Now()

-			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
+		var remotePeerNetworkMap *types.NetworkMap
+
+		if am.experimentalNetworkMap(accountID) {
+			remotePeerNetworkMap = am.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, customZone, am.metrics.AccountManagerMetrics())
+		} else {
+			remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
+		}

 		am.metrics.UpdateChannelMetrics().CountCalcPeerNetworkMapDuration(time.Since(start))
 		start = time.Now()
@@ -1257,12 +1319,30 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 		update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
 		am.metrics.UpdateChannelMetrics().CountToSyncResponseDuration(time.Since(start))

-			am.peersUpdateManager.SendUpdate(ctx, p.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap})
-		}(peer)
+		am.peersUpdateManager.SendNetworkMapUpdate(ctx, p.ID, &UpdateMessage{Update: update})
 	}

-	//
+	numWorkers := runtime.NumCPU()
+	wch := make(chan *nbpeer.Peer, numWorkers)
+	wg.Add(numWorkers)
+	for range numWorkers {
+		go func() {
+			for peer := range wch {
+				processNetworkMap(peer)
+			}
+			wg.Done()
+		}()
+	}

+	for _, peer := range account.Peers {
+		if !am.peersUpdateManager.HasChannel(peer.ID) {
+			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
+			continue
+		}
+		wch <- peer
+	}
+
+	close(wch)
 	wg.Wait()
 	if am.metrics != nil {
 		am.metrics.AccountManagerMetrics().CountUpdateAccountPeersDuration(time.Since(globalStart))
@@ -1273,6 +1353,8 @@ type bufferUpdate struct {
 	mu            sync.Mutex
 	next          *time.Timer
 	update        atomic.Bool
+	requestCount  atomic.Int32
+	lastResetTime atomic.Int64 // Unix timestamp in milliseconds
 }

 func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string) {
@@ -1283,6 +1365,7 @@ func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, a

 	if !b.mu.TryLock() {
 		b.update.Store(true)
+		b.requestCount.Add(1)
 		return
 	}

@@ -1292,18 +1375,41 @@ func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, a

 	go func() {
 		defer b.mu.Unlock()
+
+		start := time.Now()
+
+		b.requestCount.Store(0)
+
 		am.UpdateAccountPeers(ctx, accountID)
+
 		if !b.update.Load() {
 			return
 		}
 		b.update.Store(false)
+
+		requestsDuringProcessing := b.requestCount.Load()
+		executionTime := time.Since(start)
+
+		requestsPerMinute := float64(requestsDuringProcessing) / executionTime.Seconds() * 60
+
+		adaptiveDelay := time.Duration(requestsPerMinute) * 250 * time.Millisecond
+
+		// cap the maximum delay to avoid too long delays
+		maxDelay := 30 * time.Second
+		if adaptiveDelay > maxDelay {
+			adaptiveDelay = maxDelay
+		}
+
+		log.WithContext(ctx).Debugf("adaptive debounce for account %s: %d requests during %v execution, waiting %v",
+			accountID, requestsDuringProcessing, executionTime, adaptiveDelay)
+
 		if b.next == nil {
-			b.next = time.AfterFunc(time.Duration(am.updateAccountPeersBufferInterval.Load()), func() {
+			b.next = time.AfterFunc(adaptiveDelay, func() {
 				am.UpdateAccountPeers(ctx, accountID)
 			})
 			return
 		}
-		b.next.Reset(time.Duration(am.updateAccountPeersBufferInterval.Load()))
+		b.next.Reset(adaptiveDelay)
 	}()
 }

@@ -1351,7 +1457,13 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI
 		return
 	}

-	remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
+	var remotePeerNetworkMap *types.NetworkMap
+
+	if am.experimentalNetworkMap(accountId) {
+		remotePeerNetworkMap = am.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, am.metrics.AccountManagerMetrics())
+	} else {
+		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
+	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -1368,7 +1480,7 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), dnsForwarderPortMinVersion)

 	update := toSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
-	am.peersUpdateManager.SendUpdate(ctx, peer.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap})
+	am.peersUpdateManager.SendNetworkMapUpdate(ctx, peer.ID, &UpdateMessage{Update: update})
 }

 // getNextPeerExpiration returns the minimum duration in which the next peer of the account will expire if it was found.
@@ -1565,7 +1677,7 @@ func deletePeers(ctx context.Context, am *DefaultAccountManager, transaction sto
 			return nil, err
 		}

-		am.peersUpdateManager.SendUpdate(ctx, peer.ID, &UpdateMessage{
+		am.peersUpdateManager.SendImportantUpdate(ctx, peer.ID, &UpdateMessage{
 			Update: &proto.SyncResponse{
 				RemotePeers:        []*proto.RemotePeerConfig{},
 				RemotePeersIsEmpty: true,
@@ -1580,7 +1692,6 @@ func deletePeers(ctx context.Context, am *DefaultAccountManager, transaction sto
 					},
 				},
 			},
-			NetworkMap: &types.NetworkMap{},
 		})
 		am.peersUpdateManager.CloseChannel(ctx, peer.ID)
 		peerDeletedEvents = append(peerDeletedEvents, func() {
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -26,7 +26,6 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/permissions"
@@ -168,6 +167,15 @@ func TestPeer_SessionExpired(t *testing.T) {
 }

 func TestAccountManager_GetNetworkMap(t *testing.T) {
+	testGetNetworkMapGeneral(t)
+}
+
+func TestAccountManager_GetNetworkMap_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testGetNetworkMapGeneral(t)
+}
+
+func testGetNetworkMapGeneral(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
 		t.Fatal(err)
@@ -945,14 +953,15 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {
 		minMsPerOpCICD  float64
 		maxMsPerOpCICD  float64
 	}{
-		{"Small", 50, 5, 90, 120, 90, 120},
-		{"Medium", 500, 100, 110, 150, 120, 260},
-		{"Large", 5000, 200, 800, 1700, 2500, 5000},
-		{"Small single", 50, 10, 90, 120, 90, 120},
-		{"Medium single", 500, 10, 110, 170, 120, 200},
-		{"Large 5", 5000, 15, 1300, 2100, 4900, 7000},
-		{"Extra Large", 2000, 2000, 1300, 2400, 3000, 6400},
+		{"Small", 350, 5, 90, 120, 90, 120},
+		// {"Medium", 500, 100, 110, 150, 120, 260},
+		// {"Large", 5000, 2, 800, 1700, 2500, 5000},
+		// {"Small single", 50, 10, 90, 120, 90, 120},
+		// {"Medium single", 500, 10, 110, 170, 120, 200},
+		// {"Large 5", 5000, 15, 1300, 2100, 4900, 7000},
+		// {"Extra Large", 2000, 2000, 1300, 2400, 3000, 6400},
 	}
+	b.Setenv("NB_EXPERIMENT_NETWORK_MAP", "false")

 	log.SetOutput(io.Discard)
 	defer log.SetOutput(os.Stderr)
@@ -971,39 +980,49 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {
 				b.Fatalf("Failed to get account: %v", err)
 			}

-			peerChannels := make(map[string]chan *UpdateMessage)
+			peerChannels := make(map[string]*UpdateChannel)

 			for peerID := range account.Peers {
-				peerChannels[peerID] = make(chan *UpdateMessage, channelBufferSize)
+				peerChannels[peerID] = &UpdateChannel{
+					Important:  make(chan *UpdateMessage, channelBufferSize),
+					NetworkMap: NewUpdateBuffer(manager.metrics.UpdateChannelMetrics()),
+				}
 			}

 			manager.peersUpdateManager.peerChannels = peerChannels

-			b.ResetTimer()
-			start := time.Now()
+			for i := 0; i < 1000; i++ {
+				b.Logf("Run %d", i)
+				manager.UpdateAccountPeers(ctx, account.Id)
+				mm(b)
+				manager.Store.IncrementNetworkSerial(ctx, account.Id)
+			}

 			for i := 0; i < b.N; i++ {
 				manager.UpdateAccountPeers(ctx, account.Id)
 			}

-			duration := time.Since(start)
-			msPerOp := float64(duration.Nanoseconds()) / float64(b.N) / 1e6
-			b.ReportMetric(msPerOp, "ms/op")
-
-			maxExpected := bc.maxMsPerOpLocal
-			if os.Getenv("CI") == "true" {
-				maxExpected = bc.maxMsPerOpCICD
-				testing_tools.EvaluateBenchmarkResults(b, bc.name, time.Since(start), "login", "newPeer")
-			}
-
-			if msPerOp > maxExpected {
-				b.Logf("Benchmark %s: too slow (%.2f ms/op, max %.2f ms/op)", bc.name, msPerOp, maxExpected)
-			}
 		})
 	}
 }

+func mm(b *testing.B) {
+	var m runtime.MemStats
+	runtime.ReadMemStats(&m)
+	// runtime.GC()
+	b.Logf("Alloc: %v MB, TotalAlloc: %v MB, Sys: %v MB, NumGC: %v", m.Alloc/1024/1024, m.TotalAlloc/1024/1024, m.Sys/1024/1024, m.NumGC)
+}
+
+func TestUpdateAccountPeers_Experimental(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
+	testUpdateAccountPeers(t)
+}
+
 func TestUpdateAccountPeers(t *testing.T) {
+	testUpdateAccountPeers(t)
+}
+
+func testUpdateAccountPeers(t *testing.T) {
 	testCases := []struct {
 		name   string
 		peers  int
@@ -1026,25 +1045,33 @@ func TestUpdateAccountPeers(t *testing.T) {

 			ctx := context.Background()

+			metrics, err := telemetry.NewDefaultAppMetrics(ctx)
+			if err != nil {
+				t.Fatalf("Failed to create metrics: %v", err)
+			}
+
 			account, err := manager.Store.GetAccount(ctx, accountID)
 			if err != nil {
 				t.Fatalf("Failed to get account: %v", err)
 			}

-			peerChannels := make(map[string]chan *UpdateMessage)
+			peerChannels := make(map[string]*UpdateChannel)

 			for peerID := range account.Peers {
-				peerChannels[peerID] = make(chan *UpdateMessage, channelBufferSize)
+				peerChannels[peerID] = &UpdateChannel{
+					Important:  make(chan *UpdateMessage, channelBufferSize),
+					NetworkMap: NewUpdateBuffer(metrics.UpdateChannelMetrics()),
+				}
 			}

 			manager.peersUpdateManager.peerChannels = peerChannels
 			manager.UpdateAccountPeers(ctx, account.Id)

 			for _, channel := range peerChannels {
-				update := <-channel
+				update, _, _, _ := channel.NetworkMap.Pop(ctx)
 				assert.Nil(t, update.Update.NetbirdConfig)
-				assert.Equal(t, tc.peers, len(update.NetworkMap.Peers))
-				assert.Equal(t, tc.peers*2, len(update.NetworkMap.FirewallRules))
+				assert.Equal(t, tc.peers, len(update.Update.NetworkMap.RemotePeers))
+				assert.Equal(t, tc.peers*2, len(update.Update.NetworkMap.FirewallRules))
 			}
 		})
 	}
@@ -1548,6 +1575,7 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
 }

 func Test_LoginPeer(t *testing.T) {
+	t.Setenv(envNewNetworkMapBuilder, "true")
 	if runtime.GOOS == "windows" {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}
@@ -1772,7 +1800,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("updating not expired peer and peer expiration is enabled", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1790,7 +1818,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("adding peer to unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg) //
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap) //
 			close(done)
 		}()

@@ -1815,7 +1843,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1833,7 +1861,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("updating peer label", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1856,7 +1884,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 		manager.integratedPeerValidator = MockIntegratedValidator{ValidatePeerFunc: requireUpdateFunc}
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1878,7 +1906,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 		manager.integratedPeerValidator = MockIntegratedValidator{ValidatePeerFunc: requireNoUpdateFunc}
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1911,7 +1939,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1937,7 +1965,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with linked group to policy", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1975,7 +2003,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2001,7 +2029,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with linked group to route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2030,7 +2058,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2056,7 +2084,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with linked group to route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -77,6 +77,9 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	am.StoreEvent(ctx, userID, policy.ID, accountID, action, policy.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return nil, err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -120,6 +123,9 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 	am.StoreEvent(ctx, userID, policyID, accountID, activity.PolicyRemoved, policy.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -1034,7 +1034,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("saving policy with rule groups with no peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1065,7 +1065,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("saving policy where source has peers but destination does not", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1097,7 +1097,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("saving policy where destination has peers but source does not", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1129,7 +1129,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("saving policy with source and destination groups with peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1160,7 +1160,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("disabling policy with source and destination groups with peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1180,7 +1180,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("updating disabled policy with source and destination groups with peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1201,7 +1201,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("enabling policy with source and destination groups with peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1220,7 +1220,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting policy with source and destination groups with peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1240,7 +1240,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting policy where destination has peers but source does not", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1258,7 +1258,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting policy with no peers in groups", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/posture_checks.go
+++ b/management/server/posture_checks.go
@@ -80,6 +80,9 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 	am.StoreEvent(ctx, userID, postureChecks.ID, accountID, action, postureChecks.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return nil, err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

--- a/management/server/posture_checks_test.go
+++ b/management/server/posture_checks_test.go
@@ -180,7 +180,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 	t.Run("saving unused posture check", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -198,7 +198,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 	t.Run("updating unused posture check", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -235,7 +235,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 	t.Run("linking posture check to policy with peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -264,7 +264,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -282,7 +282,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 	t.Run("removing posture check from policy", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -301,7 +301,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting unused posture check", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -337,7 +337,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -381,7 +381,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg1)
+			peerShouldReceiveUpdate(t, updMsg1.NetworkMap)
 			close(done)
 		}()

@@ -420,7 +420,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/route.go
+++ b/management/server/route.go
@@ -192,6 +192,9 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 	am.StoreEvent(ctx, userID, string(newRoute.ID), accountID, activity.RouteCreated, newRoute.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return nil, err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -246,6 +249,9 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())

 	if oldRouteAffectsPeers || newRouteAffectsPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

@@ -289,6 +295,9 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
 	am.StoreEvent(ctx, userID, string(route.ID), accountID, activity.RouteRemoved, route.EventMeta())

 	if updateAccountPeers {
+		if err := am.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+			return err
+		}
 		am.UpdateAccountPeers(ctx, accountID)
 	}

--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -1998,7 +1998,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2034,7 +2034,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2070,7 +2070,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 	t.Run("creating route with a routing peer", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2095,7 +2095,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2113,7 +2113,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2149,7 +2149,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -2189,7 +2189,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {

 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/setupkey_test.go
+++ b/management/server/setupkey_test.go
@@ -431,7 +431,7 @@ func TestSetupKeyAccountPeersUpdate(t *testing.T) {
 	t.Run("creating setup key", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -449,7 +449,7 @@ func TestSetupKeyAccountPeersUpdate(t *testing.T) {
 	t.Run("saving setup key", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
--- a/management/server/store/sqlstore_bench_test.go
+++ b/management/server/store/sqlstore_bench_test.go
--- a/management/server/telemetry/updatechannel_metrics.go
+++ b/management/server/telemetry/updatechannel_metrics.go
@@ -22,6 +22,9 @@ type UpdateChannelMetrics struct {
 	calcPeerNetworkMapDurationMs      metric.Int64Histogram
 	mergeNetworkMapDurationMicro      metric.Int64Histogram
 	toSyncResponseDurationMicro       metric.Int64Histogram
+	bufferPushCounter                 metric.Int64Counter
+	bufferOverwriteCounter            metric.Int64Counter
+	bufferIgnoreCounter               metric.Int64Counter
 	ctx                               context.Context
 }

@@ -125,6 +128,27 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 		return nil, err
 	}

+	bufferPushCounter, err := meter.Int64Counter("management.updatechannel.buffer.push.counter",
+		metric.WithUnit("1"),
+		metric.WithDescription("Number of updates pushed to an empty buffer"))
+	if err != nil {
+		return nil, err
+	}
+
+	bufferOverwriteCounter, err := meter.Int64Counter("management.updatechannel.buffer.overwrite.counter",
+		metric.WithUnit("1"),
+		metric.WithDescription("Number of updates overwriting old unsent updates in the buffer"))
+	if err != nil {
+		return nil, err
+	}
+
+	bufferIgnoreCounter, err := meter.Int64Counter("management.updatechannel.buffer.ignore.counter",
+		metric.WithUnit("1"),
+		metric.WithDescription("Number of updates being ignored due to old network serial"))
+	if err != nil {
+		return nil, err
+	}
+
 	return &UpdateChannelMetrics{
 		createChannelDurationMicro:        createChannelDurationMicro,
 		closeChannelDurationMicro:         closeChannelDurationMicro,
@@ -138,6 +162,9 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 		calcPeerNetworkMapDurationMs:      calcPeerNetworkMapDurationMs,
 		mergeNetworkMapDurationMicro:      mergeNetworkMapDurationMicro,
 		toSyncResponseDurationMicro:       toSyncResponseDurationMicro,
+		bufferPushCounter:                 bufferPushCounter,
+		bufferOverwriteCounter:            bufferOverwriteCounter,
+		bufferIgnoreCounter:               bufferIgnoreCounter,
 		ctx:                               ctx,
 	}, nil
 }
@@ -193,3 +220,18 @@ func (metrics *UpdateChannelMetrics) CountMergeNetworkMapDuration(duration time.
 func (metrics *UpdateChannelMetrics) CountToSyncResponseDuration(duration time.Duration) {
 	metrics.toSyncResponseDurationMicro.Record(metrics.ctx, duration.Microseconds())
 }
+
+// CountBufferPush counts how many buffer push operations are happening on an empty buffer
+func (metrics *UpdateChannelMetrics) CountBufferPush() {
+	metrics.bufferPushCounter.Add(metrics.ctx, 1)
+}
+
+// CountBufferOverwrite counts how many buffer overwrite operations are happening on a non-empty buffer
+func (metrics *UpdateChannelMetrics) CountBufferOverwrite() {
+	metrics.bufferOverwriteCounter.Add(metrics.ctx, 1)
+}
+
+// CountBufferIgnore counts how many buffer ignore operations are happening when a new update is pushed
+func (metrics *UpdateChannelMetrics) CountBufferIgnore() {
+	metrics.bufferIgnoreCounter.Add(metrics.ctx, 1)
+}
--- a/management/server/token_mgr.go
+++ b/management/server/token_mgr.go
@@ -227,7 +227,7 @@ func (m *TimeBasedAuthSecretsManager) pushNewTURNAndRelayTokens(ctx context.Cont
 	m.extendNetbirdConfig(ctx, peerID, accountID, update)

 	log.WithContext(ctx).Debugf("sending new TURN credentials to peer %s", peerID)
-	m.updateManager.SendUpdate(ctx, peerID, &UpdateMessage{Update: update})
+	m.updateManager.SendImportantUpdate(ctx, peerID, &UpdateMessage{Update: update})
 }

 func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, accountID, peerID string) {
@@ -251,7 +251,7 @@ func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, ac
 	m.extendNetbirdConfig(ctx, peerID, accountID, update)

 	log.WithContext(ctx).Debugf("sending new relay credentials to peer %s", peerID)
-	m.updateManager.SendUpdate(ctx, peerID, &UpdateMessage{Update: update})
+	m.updateManager.SendImportantUpdate(ctx, peerID, &UpdateMessage{Update: update})
 }

 func (m *TimeBasedAuthSecretsManager) extendNetbirdConfig(ctx context.Context, peerID, accountID string, update *proto.SyncResponse) {
--- a/management/server/token_mgr_test.go
+++ b/management/server/token_mgr_test.go
@@ -121,7 +121,7 @@ func TestTimeBasedAuthSecretsManager_SetupRefresh(t *testing.T) {
 loop:
 	for timeout := time.After(5 * time.Second); ; {
 		select {
-		case update := <-updateChannel:
+		case update := <-updateChannel.Important:
 			updates = append(updates, update)
 		case <-timeout:
 			break loop
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -8,6 +8,7 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"github.com/hashicorp/go-multierror"
@@ -21,7 +22,6 @@ import (
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -87,6 +87,13 @@ type Account struct {
 	NetworkRouters   []*routerTypes.NetworkRouter     `gorm:"foreignKey:AccountID;references:id"`
 	NetworkResources []*resourceTypes.NetworkResource `gorm:"foreignKey:AccountID;references:id"`
 	Onboarding       AccountOnboarding                `gorm:"foreignKey:AccountID;references:id;constraint:OnDelete:CASCADE"`
+
+	NetworkMapCache *NetworkMapBuilder `gorm:"-"`
+	nmapInitOnce    *sync.Once         `gorm:"-"`
+}
+
+func (a *Account) InitOnce() {
+	a.nmapInitOnce = &sync.Once{}
 }

 // this class is used by gorm only
@@ -124,109 +131,6 @@ func (o AccountOnboarding) IsEqual(onboarding AccountOnboarding) bool {
 		o.SignupFormPending == onboarding.SignupFormPending
 }

-// GetRoutesToSync returns the enabled routes for the peer ID and the routes
-// from the ACL peers that have distribution groups associated with the peer ID.
-// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-func (a *Account) GetRoutesToSync(ctx context.Context, peerID string, aclPeers []*nbpeer.Peer) []*route.Route {
-	routes, peerDisabledRoutes := a.getRoutingPeerRoutes(ctx, peerID)
-	peerRoutesMembership := make(LookupMap)
-	for _, r := range append(routes, peerDisabledRoutes...) {
-		peerRoutesMembership[string(r.GetHAUniqueID())] = struct{}{}
-	}
-
-	groupListMap := a.GetPeerGroups(peerID)
-	for _, peer := range aclPeers {
-		activeRoutes, _ := a.getRoutingPeerRoutes(ctx, peer.ID)
-		groupFilteredRoutes := a.filterRoutesByGroups(activeRoutes, groupListMap)
-		filteredRoutes := a.filterRoutesFromPeersOfSameHAGroup(groupFilteredRoutes, peerRoutesMembership)
-		routes = append(routes, filteredRoutes...)
-	}
-
-	return routes
-}
-
-// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
-func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships LookupMap) []*route.Route {
-	var filteredRoutes []*route.Route
-	for _, r := range routes {
-		_, found := peerMemberships[string(r.GetHAUniqueID())]
-		if !found {
-			filteredRoutes = append(filteredRoutes, r)
-		}
-	}
-	return filteredRoutes
-}
-
-// filterRoutesByGroups returns a list with routes that have distribution groups in the group's map
-func (a *Account) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
-	var filteredRoutes []*route.Route
-	for _, r := range routes {
-		for _, groupID := range r.Groups {
-			_, found := groupListMap[groupID]
-			if found {
-				filteredRoutes = append(filteredRoutes, r)
-				break
-			}
-		}
-	}
-	return filteredRoutes
-}
-
-// getRoutingPeerRoutes returns the enabled and disabled lists of routes that the given routing peer serves
-// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-// If the given is not a routing peer, then the lists are empty.
-func (a *Account) getRoutingPeerRoutes(ctx context.Context, peerID string) (enabledRoutes []*route.Route, disabledRoutes []*route.Route) {
-
-	peer := a.GetPeer(peerID)
-	if peer == nil {
-		log.WithContext(ctx).Errorf("peer %s that doesn't exist under account %s", peerID, a.Id)
-		return enabledRoutes, disabledRoutes
-	}
-
-	seenRoute := make(map[route.ID]struct{})
-
-	takeRoute := func(r *route.Route, id string) {
-		if _, ok := seenRoute[r.ID]; ok {
-			return
-		}
-		seenRoute[r.ID] = struct{}{}
-
-		if r.Enabled {
-			r.Peer = peer.Key
-			enabledRoutes = append(enabledRoutes, r)
-			return
-		}
-		disabledRoutes = append(disabledRoutes, r)
-	}
-
-	for _, r := range a.Routes {
-		for _, groupID := range r.PeerGroups {
-			group := a.GetGroup(groupID)
-			if group == nil {
-				log.WithContext(ctx).Errorf("route %s has peers group %s that doesn't exist under account %s", r.ID, groupID, a.Id)
-				continue
-			}
-			for _, id := range group.Peers {
-				if id != peerID {
-					continue
-				}
-
-				newPeerRoute := r.Copy()
-				newPeerRoute.Peer = id
-				newPeerRoute.PeerGroups = nil
-				newPeerRoute.ID = route.ID(string(r.ID) + ":" + id) // we have to provide unique route id when distribute network map
-				takeRoute(newPeerRoute, id)
-				break
-			}
-		}
-		if r.Peer == peerID {
-			takeRoute(r.Copy(), peerID)
-		}
-	}
-
-	return enabledRoutes, disabledRoutes
-}
-
 // GetRoutesByPrefixOrDomains return list of routes by account and route prefix
 func (a *Account) GetRoutesByPrefixOrDomains(prefix netip.Prefix, domains domain.List) []*route.Route {
 	var routes []*route.Route
@@ -246,174 +150,6 @@ func (a *Account) GetGroup(groupID string) *Group {
 	return a.Groups[groupID]
 }

-// GetPeerNetworkMap returns the networkmap for the given peer ID.
-func (a *Account) GetPeerNetworkMap(
-	ctx context.Context,
-	peerID string,
-	peersCustomZone nbdns.CustomZone,
-	validatedPeersMap map[string]struct{},
-	resourcePolicies map[string][]*Policy,
-	routers map[string]map[string]*routerTypes.NetworkRouter,
-	metrics *telemetry.AccountManagerMetrics,
-) *NetworkMap {
-	start := time.Now()
-
-	peer := a.Peers[peerID]
-	if peer == nil {
-		return &NetworkMap{
-			Network: a.Network.Copy(),
-		}
-	}
-
-	if _, ok := validatedPeersMap[peerID]; !ok {
-		return &NetworkMap{
-			Network: a.Network.Copy(),
-		}
-	}
-
-	aclPeers, firewallRules := a.GetPeerConnectionResources(ctx, peer, validatedPeersMap)
-	// exclude expired peers
-	var peersToConnect []*nbpeer.Peer
-	var expiredPeers []*nbpeer.Peer
-	for _, p := range aclPeers {
-		expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
-		if a.Settings.PeerLoginExpirationEnabled && expired {
-			expiredPeers = append(expiredPeers, p)
-			continue
-		}
-		peersToConnect = append(peersToConnect, p)
-	}
-
-	routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect)
-	routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
-	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
-	var networkResourcesFirewallRules []*RouteFirewallRule
-	if isRouter {
-		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
-	}
-	peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
-
-	dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
-	dnsUpdate := nbdns.Config{
-		ServiceEnable: dnsManagementStatus,
-	}
-
-	if dnsManagementStatus {
-		var zones []nbdns.CustomZone
-		if peersCustomZone.Domain != "" {
-			records := filterZoneRecordsForPeers(peer, peersCustomZone, peersToConnectIncludingRouters, expiredPeers)
-			zones = append(zones, nbdns.CustomZone{
-				Domain:  peersCustomZone.Domain,
-				Records: records,
-			})
-		}
-		dnsUpdate.CustomZones = zones
-		dnsUpdate.NameServerGroups = getPeerNSGroups(a, peerID)
-	}
-
-	nm := &NetworkMap{
-		Peers:               peersToConnectIncludingRouters,
-		Network:             a.Network.Copy(),
-		Routes:              slices.Concat(networkResourcesRoutes, routesUpdate),
-		DNSConfig:           dnsUpdate,
-		OfflinePeers:        expiredPeers,
-		FirewallRules:       firewallRules,
-		RoutesFirewallRules: slices.Concat(networkResourcesFirewallRules, routesFirewallRules),
-	}
-
-	if metrics != nil {
-		objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routesUpdate) + len(networkResourcesRoutes) + len(firewallRules) + +len(networkResourcesFirewallRules) + len(routesFirewallRules))
-		metrics.CountNetworkMapObjects(objectCount)
-		metrics.CountGetPeerNetworkMapDuration(time.Since(start))
-
-		if objectCount > 5000 {
-			log.WithContext(ctx).Tracef("account: %s has a total resource count of %d objects, "+
-				"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, network resources routes: %d, network resources firewall rules: %d, routes firewall rules: %d",
-				a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routesUpdate), len(firewallRules), len(networkResourcesRoutes), len(networkResourcesFirewallRules), len(routesFirewallRules))
-		}
-	}
-
-	return nm
-}
-
-func (a *Account) addNetworksRoutingPeers(
-	networkResourcesRoutes []*route.Route,
-	peer *nbpeer.Peer,
-	peersToConnect []*nbpeer.Peer,
-	expiredPeers []*nbpeer.Peer,
-	isRouter bool,
-	sourcePeers map[string]struct{},
-) []*nbpeer.Peer {
-
-	networkRoutesPeers := make(map[string]struct{}, len(networkResourcesRoutes))
-	for _, r := range networkResourcesRoutes {
-		networkRoutesPeers[r.PeerID] = struct{}{}
-	}
-
-	delete(sourcePeers, peer.ID)
-	delete(networkRoutesPeers, peer.ID)
-
-	for _, existingPeer := range peersToConnect {
-		delete(sourcePeers, existingPeer.ID)
-		delete(networkRoutesPeers, existingPeer.ID)
-	}
-	for _, expPeer := range expiredPeers {
-		delete(sourcePeers, expPeer.ID)
-		delete(networkRoutesPeers, expPeer.ID)
-	}
-
-	missingPeers := make(map[string]struct{}, len(sourcePeers)+len(networkRoutesPeers))
-	if isRouter {
-		for p := range sourcePeers {
-			missingPeers[p] = struct{}{}
-		}
-	}
-	for p := range networkRoutesPeers {
-		missingPeers[p] = struct{}{}
-	}
-
-	for p := range missingPeers {
-		if missingPeer := a.Peers[p]; missingPeer != nil {
-			peersToConnect = append(peersToConnect, missingPeer)
-		}
-	}
-
-	return peersToConnect
-}
-
-func getPeerNSGroups(account *Account, peerID string) []*nbdns.NameServerGroup {
-	groupList := account.GetPeerGroups(peerID)
-
-	var peerNSGroups []*nbdns.NameServerGroup
-
-	for _, nsGroup := range account.NameServerGroups {
-		if !nsGroup.Enabled {
-			continue
-		}
-		for _, gID := range nsGroup.Groups {
-			_, found := groupList[gID]
-			if found {
-				if !peerIsNameserver(account.GetPeer(peerID), nsGroup) {
-					peerNSGroups = append(peerNSGroups, nsGroup.Copy())
-					break
-				}
-			}
-		}
-	}
-
-	return peerNSGroups
-}
-
-// peerIsNameserver returns true if the peer is a nameserver for a nsGroup
-func peerIsNameserver(peer *nbpeer.Peer, nsGroup *nbdns.NameServerGroup) bool {
-	for _, ns := range nsGroup.NameServers {
-		if peer.IP.Equal(ns.IP.AsSlice()) {
-			return true
-		}
-	}
-	return false
-}
-
 func AddPeerLabelsToAccount(ctx context.Context, account *Account, peerLabels LookupMap) {
 	for _, peer := range account.Peers {
 		label, err := GetPeerHostLabel(peer.Name, peerLabels)
@@ -760,32 +496,6 @@ func (a *Account) GetPeerGroupsList(peerID string) []string {
 	return grps
 }

-func (a *Account) getPeerDNSManagementStatus(peerID string) bool {
-	peerGroups := a.GetPeerGroups(peerID)
-	enabled := true
-	for _, groupID := range a.DNSSettings.DisabledManagementGroups {
-		_, found := peerGroups[groupID]
-		if found {
-			enabled = false
-			break
-		}
-	}
-	return enabled
-}
-
-func (a *Account) GetPeerGroups(peerID string) LookupMap {
-	groupList := make(LookupMap)
-	for groupID, group := range a.Groups {
-		for _, id := range group.Peers {
-			if id == peerID {
-				groupList[groupID] = struct{}{}
-				break
-			}
-		}
-	}
-	return groupList
-}
-
 func (a *Account) GetTakenIPs() []net.IP {
 	var takenIps []net.IP
 	for _, existingPeer := range a.Peers {
@@ -890,6 +600,7 @@ func (a *Account) Copy() *Account {
 		NetworkRouters:         networkRouters,
 		NetworkResources:       networkResources,
 		Onboarding:             a.Onboarding,
+		NetworkMapCache:        a.NetworkMapCache,
 	}
 }

@@ -985,192 +696,6 @@ func (a *Account) UserGroupsRemoveFromPeers(userID string, groups ...string) map
 	return groupUpdates
 }

-// GetPeerConnectionResources for a given peer
-//
-// This function returns the list of peers and firewall rules that are applicable to a given peer.
-func (a *Account) GetPeerConnectionResources(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, []*FirewallRule) {
-	generateResources, getAccumulatedResources := a.connResourcesGenerator(ctx, peer)
-
-	for _, policy := range a.Policies {
-		if !policy.Enabled {
-			continue
-		}
-
-		for _, rule := range policy.Rules {
-			if !rule.Enabled {
-				continue
-			}
-
-			var sourcePeers, destinationPeers []*nbpeer.Peer
-			var peerInSources, peerInDestinations bool
-
-			if rule.SourceResource.Type == ResourceTypePeer && rule.SourceResource.ID != "" {
-				sourcePeers, peerInSources = a.getPeerFromResource(rule.SourceResource, peer.ID)
-			} else {
-				sourcePeers, peerInSources = a.getAllPeersFromGroups(ctx, rule.Sources, peer.ID, policy.SourcePostureChecks, validatedPeersMap)
-			}
-
-			if rule.DestinationResource.Type == ResourceTypePeer && rule.DestinationResource.ID != "" {
-				destinationPeers, peerInDestinations = a.getPeerFromResource(rule.DestinationResource, peer.ID)
-			} else {
-				destinationPeers, peerInDestinations = a.getAllPeersFromGroups(ctx, rule.Destinations, peer.ID, nil, validatedPeersMap)
-			}
-
-			if rule.Bidirectional {
-				if peerInSources {
-					generateResources(rule, destinationPeers, FirewallRuleDirectionIN)
-				}
-				if peerInDestinations {
-					generateResources(rule, sourcePeers, FirewallRuleDirectionOUT)
-				}
-			}
-
-			if peerInSources {
-				generateResources(rule, destinationPeers, FirewallRuleDirectionOUT)
-			}
-
-			if peerInDestinations {
-				generateResources(rule, sourcePeers, FirewallRuleDirectionIN)
-			}
-		}
-	}
-
-	return getAccumulatedResources()
-}
-
-// connResourcesGenerator returns generator and accumulator function which returns the result of generator calls
-//
-// The generator function is used to generate the list of peers and firewall rules that are applicable to a given peer.
-// It safe to call the generator function multiple times for same peer and different rules no duplicates will be
-// generated. The accumulator function returns the result of all the generator calls.
-func (a *Account) connResourcesGenerator(ctx context.Context, targetPeer *nbpeer.Peer) (func(*PolicyRule, []*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
-	rulesExists := make(map[string]struct{})
-	peersExists := make(map[string]struct{})
-	rules := make([]*FirewallRule, 0)
-	peers := make([]*nbpeer.Peer, 0)
-
-	all, err := a.GetGroupAll()
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get group all: %v", err)
-		all = &Group{}
-	}
-
-	return func(rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int) {
-			isAll := (len(all.Peers) - 1) == len(groupPeers)
-			for _, peer := range groupPeers {
-				if peer == nil {
-					continue
-				}
-
-				if _, ok := peersExists[peer.ID]; !ok {
-					peers = append(peers, peer)
-					peersExists[peer.ID] = struct{}{}
-				}
-
-				fr := FirewallRule{
-					PolicyID:  rule.ID,
-					PeerIP:    peer.IP.String(),
-					Direction: direction,
-					Action:    string(rule.Action),
-					Protocol:  string(rule.Protocol),
-				}
-
-				if isAll {
-					fr.PeerIP = "0.0.0.0"
-				}
-
-				ruleID := rule.ID + fr.PeerIP + strconv.Itoa(direction) +
-					fr.Protocol + fr.Action + strings.Join(rule.Ports, ",")
-				if _, ok := rulesExists[ruleID]; ok {
-					continue
-				}
-				rulesExists[ruleID] = struct{}{}
-
-				if len(rule.Ports) == 0 && len(rule.PortRanges) == 0 {
-					rules = append(rules, &fr)
-					continue
-				}
-
-				rules = append(rules, expandPortsAndRanges(fr, rule, targetPeer)...)
-			}
-		}, func() ([]*nbpeer.Peer, []*FirewallRule) {
-			return peers, rules
-		}
-}
-
-// getAllPeersFromGroups for given peer ID and list of groups
-//
-// Returns a list of peers from specified groups that pass specified posture checks
-// and a boolean indicating if the supplied peer ID exists within these groups.
-//
-// Important: Posture checks are applicable only to source group peers,
-// for destination group peers, call this method with an empty list of sourcePostureChecksIDs
-func (a *Account) getAllPeersFromGroups(ctx context.Context, groups []string, peerID string, sourcePostureChecksIDs []string, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, bool) {
-	peerInGroups := false
-	uniquePeerIDs := a.getUniquePeerIDsFromGroupsIDs(ctx, groups)
-	filteredPeers := make([]*nbpeer.Peer, 0, len(uniquePeerIDs))
-	for _, p := range uniquePeerIDs {
-		peer, ok := a.Peers[p]
-		if !ok || peer == nil {
-			continue
-		}
-
-		// validate the peer based on policy posture checks applied
-		isValid := a.validatePostureChecksOnPeer(ctx, sourcePostureChecksIDs, peer.ID)
-		if !isValid {
-			continue
-		}
-
-		if _, ok := validatedPeersMap[peer.ID]; !ok {
-			continue
-		}
-
-		if peer.ID == peerID {
-			peerInGroups = true
-			continue
-		}
-
-		filteredPeers = append(filteredPeers, peer)
-	}
-
-	return filteredPeers, peerInGroups
-}
-
-func (a *Account) getPeerFromResource(resource Resource, peerID string) ([]*nbpeer.Peer, bool) {
-	peer := a.GetPeer(resource.ID)
-	if peer == nil {
-		return []*nbpeer.Peer{}, false
-	}
-
-	return []*nbpeer.Peer{peer}, resource.ID == peerID
-}
-
-// validatePostureChecksOnPeer validates the posture checks on a peer
-func (a *Account) validatePostureChecksOnPeer(ctx context.Context, sourcePostureChecksID []string, peerID string) bool {
-	peer, ok := a.Peers[peerID]
-	if !ok && peer == nil {
-		return false
-	}
-
-	for _, postureChecksID := range sourcePostureChecksID {
-		postureChecks := a.GetPostureChecks(postureChecksID)
-		if postureChecks == nil {
-			continue
-		}
-
-		for _, check := range postureChecks.GetChecks() {
-			isValid, err := check.Check(ctx, *peer)
-			if err != nil {
-				log.WithContext(ctx).Debugf("an error occurred check %s: on peer: %s :%s", check.Name(), peer.ID, err.Error())
-			}
-			if !isValid {
-				return false
-			}
-		}
-	}
-	return true
-}
-
 func (a *Account) GetPostureChecks(postureChecksID string) *posture.Checks {
 	for _, postureChecks := range a.PostureChecks {
 		if postureChecks.ID == postureChecksID {
@@ -1180,174 +705,6 @@ func (a *Account) GetPostureChecks(postureChecksID string) *posture.Checks {
 	return nil
 }

-// GetPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
-func (a *Account) GetPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
-	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
-
-	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
-	for _, route := range enabledRoutes {
-		// If no access control groups are specified, accept all traffic.
-		if len(route.AccessControlGroups) == 0 {
-			defaultPermit := getDefaultPermit(route)
-			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
-			continue
-		}
-
-		distributionPeers := a.getDistributionGroupsPeers(route)
-
-		for _, accessGroup := range route.AccessControlGroups {
-			policies := GetAllRoutePoliciesFromGroups(a, []string{accessGroup})
-			rules := a.getRouteFirewallRules(ctx, peerID, policies, route, validatedPeersMap, distributionPeers)
-			routesFirewallRules = append(routesFirewallRules, rules...)
-		}
-	}
-
-	return routesFirewallRules
-}
-
-func (a *Account) getRouteFirewallRules(ctx context.Context, peerID string, policies []*Policy, route *route.Route, validatedPeersMap map[string]struct{}, distributionPeers map[string]struct{}) []*RouteFirewallRule {
-	var fwRules []*RouteFirewallRule
-	for _, policy := range policies {
-		if !policy.Enabled {
-			continue
-		}
-
-		for _, rule := range policy.Rules {
-			if !rule.Enabled {
-				continue
-			}
-
-			rulePeers := a.getRulePeers(rule, policy.SourcePostureChecks, peerID, distributionPeers, validatedPeersMap)
-			rules := generateRouteFirewallRules(ctx, route, rule, rulePeers, FirewallRuleDirectionIN)
-			fwRules = append(fwRules, rules...)
-		}
-	}
-	return fwRules
-}
-
-func (a *Account) getRulePeers(rule *PolicyRule, postureChecks []string, peerID string, distributionPeers map[string]struct{}, validatedPeersMap map[string]struct{}) []*nbpeer.Peer {
-	distPeersWithPolicy := make(map[string]struct{})
-	for _, id := range rule.Sources {
-		group := a.Groups[id]
-		if group == nil {
-			continue
-		}
-
-		for _, pID := range group.Peers {
-			if pID == peerID {
-				continue
-			}
-			_, distPeer := distributionPeers[pID]
-			_, valid := validatedPeersMap[pID]
-			if distPeer && valid && a.validatePostureChecksOnPeer(context.Background(), postureChecks, pID) {
-				distPeersWithPolicy[pID] = struct{}{}
-			}
-		}
-	}
-
-	distributionGroupPeers := make([]*nbpeer.Peer, 0, len(distPeersWithPolicy))
-	for pID := range distPeersWithPolicy {
-		peer := a.Peers[pID]
-		if peer == nil {
-			continue
-		}
-		distributionGroupPeers = append(distributionGroupPeers, peer)
-	}
-	return distributionGroupPeers
-}
-
-func (a *Account) getDistributionGroupsPeers(route *route.Route) map[string]struct{} {
-	distPeers := make(map[string]struct{})
-	for _, id := range route.Groups {
-		group := a.Groups[id]
-		if group == nil {
-			continue
-		}
-
-		for _, pID := range group.Peers {
-			distPeers[pID] = struct{}{}
-		}
-	}
-	return distPeers
-}
-
-func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
-	var rules []*RouteFirewallRule
-
-	sources := []string{"0.0.0.0/0"}
-	if route.Network.Addr().Is6() {
-		sources = []string{"::/0"}
-	}
-	rule := RouteFirewallRule{
-		SourceRanges: sources,
-		Action:       string(PolicyTrafficActionAccept),
-		Destination:  route.Network.String(),
-		Protocol:     string(PolicyRuleProtocolALL),
-		Domains:      route.Domains,
-		IsDynamic:    route.IsDynamic(),
-		RouteID:      route.ID,
-	}
-
-	rules = append(rules, &rule)
-
-	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
-	if route.IsDynamic() {
-		ruleV6 := rule
-		ruleV6.SourceRanges = []string{"::/0"}
-		rules = append(rules, &ruleV6)
-	}
-
-	return rules
-}
-
-// GetAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
-// and returns a list of policies that have rules with destinations matching the specified groups.
-func GetAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
-	routePolicies := make([]*Policy, 0)
-	for _, groupID := range accessControlGroups {
-		group, ok := account.Groups[groupID]
-		if !ok {
-			continue
-		}
-
-		for _, policy := range account.Policies {
-			for _, rule := range policy.Rules {
-				exist := slices.ContainsFunc(rule.Destinations, func(groupID string) bool {
-					return groupID == group.ID
-				})
-				if exist {
-					routePolicies = append(routePolicies, policy)
-					continue
-				}
-			}
-		}
-	}
-
-	return routePolicies
-}
-
-// GetPeerNetworkResourceFirewallRules gets the network resources firewall rules associated with a routing peer ID for the account.
-func (a *Account) GetPeerNetworkResourceFirewallRules(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}, routes []*route.Route, resourcePolicies map[string][]*Policy) []*RouteFirewallRule {
-	routesFirewallRules := make([]*RouteFirewallRule, 0)
-
-	for _, route := range routes {
-		if route.Peer != peer.Key {
-			continue
-		}
-		resourceAppliedPolicies := resourcePolicies[string(route.GetResourceID())]
-		distributionPeers := getPoliciesSourcePeers(resourceAppliedPolicies, a.Groups)
-
-		rules := a.getRouteFirewallRules(ctx, peer.ID, resourceAppliedPolicies, route, validatedPeersMap, distributionPeers)
-		for _, rule := range rules {
-			if len(rule.SourceRanges) > 0 {
-				routesFirewallRules = append(routesFirewallRules, rule)
-			}
-		}
-	}
-
-	return routesFirewallRules
-}
-
 // getNetworkResourceGroups retrieves all groups associated with the given network resource.
 func (a *Account) getNetworkResourceGroups(resourceID string) []*Group {
 	var networkResourceGroups []*Group
@@ -1377,91 +734,6 @@ func (a *Account) GetResourcePoliciesMap() map[string][]*Policy {
 	return resourcePolicies
 }

-// GetNetworkResourcesRoutesToSync returns network routes for syncing with a specific peer and its ACL peers.
-func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
-	var isRoutingPeer bool
-	var routes []*route.Route
-	allSourcePeers := make(map[string]struct{}, len(a.Peers))
-
-	for _, resource := range a.NetworkResources {
-		if !resource.Enabled {
-			continue
-		}
-
-		var addSourcePeers bool
-
-		networkRoutingPeers, exists := routers[resource.NetworkID]
-		if exists {
-			if router, ok := networkRoutingPeers[peerID]; ok {
-				isRoutingPeer, addSourcePeers = true, true
-				routes = append(routes, a.getNetworkResourcesRoutes(resource, peerID, router, resourcePolicies)...)
-			}
-		}
-
-		addedResourceRoute := false
-		for _, policy := range resourcePolicies[resource.ID] {
-			var peers []string
-			if policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "" {
-				peers = []string{policy.Rules[0].SourceResource.ID}
-			} else {
-				peers = a.getUniquePeerIDsFromGroupsIDs(ctx, policy.SourceGroups())
-			}
-			if addSourcePeers {
-				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
-					allSourcePeers[pID] = struct{}{}
-				}
-			} else if slices.Contains(peers, peerID) && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
-				// add routes for the resource if the peer is in the distribution group
-				for peerId, router := range networkRoutingPeers {
-					routes = append(routes, a.getNetworkResourcesRoutes(resource, peerId, router, resourcePolicies)...)
-				}
-				addedResourceRoute = true
-			}
-			if addedResourceRoute {
-				break
-			}
-		}
-	}
-
-	return isRoutingPeer, routes, allSourcePeers
-}
-
-func (a *Account) getPostureValidPeers(inputPeers []string, postureChecksIDs []string) []string {
-	var dest []string
-	for _, peerID := range inputPeers {
-		if a.validatePostureChecksOnPeer(context.Background(), postureChecksIDs, peerID) {
-			dest = append(dest, peerID)
-		}
-	}
-	return dest
-}
-
-func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) []string {
-	peerIDs := make(map[string]struct{}, len(groups)) // we expect at least one peer per group as initial capacity
-	for _, groupID := range groups {
-		group := a.GetGroup(groupID)
-		if group == nil {
-			log.WithContext(ctx).Warnf("group %s doesn't exist under account %s, will continue map generation without it", groupID, a.Id)
-			continue
-		}
-
-		if group.IsGroupAll() || len(groups) == 1 {
-			return group.Peers
-		}
-
-		for _, peerID := range group.Peers {
-			peerIDs[peerID] = struct{}{}
-		}
-	}
-
-	ids := make([]string, 0, len(peerIDs))
-	for peerID := range peerIDs {
-		ids = append(ids, peerID)
-	}
-
-	return ids
-}
-
 // getNetworkResources filters and returns a list of network resources associated with the given network ID.
 func (a *Account) getNetworkResources(networkID string) []*resourceTypes.NetworkResource {
 	var resources []*resourceTypes.NetworkResource
@@ -1527,22 +799,6 @@ func (a *Account) GetPoliciesAppliedInNetwork(networkID string) []string {
 	return result
 }

-// getNetworkResourcesRoutes convert the network resources list to routes list.
-func (a *Account) getNetworkResourcesRoutes(resource *resourceTypes.NetworkResource, peerId string, router *routerTypes.NetworkRouter, resourcePolicies map[string][]*Policy) []*route.Route {
-	resourceAppliedPolicies := resourcePolicies[resource.ID]
-
-	var routes []*route.Route
-	// distribute the resource routes only if there is policy applied to it
-	if len(resourceAppliedPolicies) > 0 {
-		peer := a.GetPeer(peerId)
-		if peer != nil {
-			routes = append(routes, resource.ToRoute(peer, router))
-		}
-	}
-
-	return routes
-}
-
 func (a *Account) GetResourceRoutersMap() map[string]map[string]*routerTypes.NetworkRouter {
 	routers := make(map[string]map[string]*routerTypes.NetworkRouter)

@@ -1573,28 +829,6 @@ func (a *Account) GetResourceRoutersMap() map[string]map[string]*routerTypes.Net
 	return routers
 }

-// getPoliciesSourcePeers collects all unique peers from the source groups defined in the given policies.
-func getPoliciesSourcePeers(policies []*Policy, groups map[string]*Group) map[string]struct{} {
-	sourcePeers := make(map[string]struct{})
-
-	for _, policy := range policies {
-		for _, rule := range policy.Rules {
-			for _, sourceGroup := range rule.Sources {
-				group := groups[sourceGroup]
-				if group == nil {
-					continue
-				}
-
-				for _, peer := range group.Peers {
-					sourcePeers[peer] = struct{}{}
-				}
-			}
-		}
-	}
-
-	return sourcePeers
-}
-
 // AddAllGroup to account object if it doesn't exist
 func (a *Account) AddAllGroup(disableDefaultPolicy bool) error {
 	if len(a.Groups) == 0 {
@@ -1638,70 +872,3 @@ func (a *Account) AddAllGroup(disableDefaultPolicy bool) error {
 	}
 	return nil
 }
-
-// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
-func expandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
-	var expanded []*FirewallRule
-
-	if len(rule.Ports) > 0 {
-		for _, port := range rule.Ports {
-			fr := base
-			fr.Port = port
-			expanded = append(expanded, &fr)
-		}
-		return expanded
-	}
-
-	supportPortRanges := peerSupportsPortRanges(peer.Meta.WtVersion)
-	for _, portRange := range rule.PortRanges {
-		fr := base
-
-		if supportPortRanges {
-			fr.PortRange = portRange
-		} else {
-			// Peer doesn't support port ranges, only allow single-port ranges
-			if portRange.Start != portRange.End {
-				continue
-			}
-			fr.Port = strconv.FormatUint(uint64(portRange.Start), 10)
-		}
-		expanded = append(expanded, &fr)
-	}
-
-	return expanded
-}
-
-// peerSupportsPortRanges checks if the peer version supports port ranges.
-func peerSupportsPortRanges(peerVer string) bool {
-	if strings.Contains(peerVer, "dev") {
-		return true
-	}
-
-	meetMinVer, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peerVer)
-	return err == nil && meetMinVer
-}
-
-// filterZoneRecordsForPeers filters DNS records to only include peers to connect.
-func filterZoneRecordsForPeers(peer *nbpeer.Peer, customZone nbdns.CustomZone, peersToConnect, expiredPeers []*nbpeer.Peer) []nbdns.SimpleRecord {
-	filteredRecords := make([]nbdns.SimpleRecord, 0, len(customZone.Records))
-	peerIPs := make(map[string]struct{})
-
-	// Add peer's own IP to include its own DNS records
-	peerIPs[peer.IP.String()] = struct{}{}
-
-	for _, peerToConnect := range peersToConnect {
-		peerIPs[peerToConnect.IP.String()] = struct{}{}
-	}
-
-	for _, expiredPeer := range expiredPeers {
-		peerIPs[expiredPeer.IP.String()] = struct{}{}
-	}
-
-	for _, record := range customZone.Records {
-		if _, exists := peerIPs[record.RData]; exists {
-			filteredRecords = append(filteredRecords, record)
-		}
-	}
-
-	return filteredRecords
-}
--- a/management/server/types/holder.go
+++ b/management/server/types/holder.go
@@ -0,0 +1,43 @@
+package types
+
+import (
+	"context"
+	"sync"
+)
+
+type Holder struct {
+	mu       sync.RWMutex
+	accounts map[string]*Account
+}
+
+func NewHolder() *Holder {
+	return &Holder{
+		accounts: make(map[string]*Account),
+	}
+}
+
+func (h *Holder) GetAccount(id string) *Account {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	return h.accounts[id]
+}
+
+func (h *Holder) AddAccount(account *Account) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	h.accounts[account.Id] = account
+}
+
+func (h *Holder) LoadOrStoreFunc(id string, accGetter func(context.Context, string) (*Account, error)) (*Account, error) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	if acc, ok := h.accounts[id]; ok {
+		return acc, nil
+	}
+	account, err := accGetter(context.Background(), id)
+	if err != nil {
+		return nil, err
+	}
+	h.accounts[id] = account
+	return account, nil
+}
--- a/management/server/types/network.go
+++ b/management/server/types/network.go
@@ -9,12 +9,7 @@ import (

 	"github.com/c-robinson/iplib"
 	"github.com/rs/xid"
-	"golang.org/x/exp/maps"

-	nbdns "github.com/netbirdio/netbird/dns"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/util"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
@@ -29,40 +24,6 @@ const (
 	AllowedIPsFormat = "%s/32"
 )

-type NetworkMap struct {
-	Peers               []*nbpeer.Peer
-	Network             *Network
-	Routes              []*route.Route
-	DNSConfig           nbdns.Config
-	OfflinePeers        []*nbpeer.Peer
-	FirewallRules       []*FirewallRule
-	RoutesFirewallRules []*RouteFirewallRule
-	ForwardingRules     []*ForwardingRule
-}
-
-func (nm *NetworkMap) Merge(other *NetworkMap) {
-	nm.Peers = mergeUniquePeersByID(nm.Peers, other.Peers)
-	nm.Routes = util.MergeUnique(nm.Routes, other.Routes)
-	nm.OfflinePeers = mergeUniquePeersByID(nm.OfflinePeers, other.OfflinePeers)
-	nm.FirewallRules = util.MergeUnique(nm.FirewallRules, other.FirewallRules)
-	nm.RoutesFirewallRules = util.MergeUnique(nm.RoutesFirewallRules, other.RoutesFirewallRules)
-	nm.ForwardingRules = util.MergeUnique(nm.ForwardingRules, other.ForwardingRules)
-}
-
-func mergeUniquePeersByID(peers1, peers2 []*nbpeer.Peer) []*nbpeer.Peer {
-	result := make(map[string]*nbpeer.Peer)
-	for _, peer := range peers1 {
-		result[peer.ID] = peer
-	}
-	for _, peer := range peers2 {
-		if _, ok := result[peer.ID]; !ok {
-			result[peer.ID] = peer
-		}
-	}
-
-	return maps.Values(result)
-}
-
 type ForwardingRule struct {
 	RuleProtocol      string
 	DestinationPorts  RulePortRange
--- a/management/server/types/networkmap.go
+++ b/management/server/types/networkmap.go
@@ -0,0 +1,947 @@
+package types
+
+import (
+	"context"
+	"slices"
+	"strconv"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/util"
+	"github.com/netbirdio/netbird/route"
+)
+
+type NetworkMap struct {
+	Peers               []*nbpeer.Peer
+	Network             *Network
+	Routes              []*route.Route
+	DNSConfig           nbdns.Config
+	OfflinePeers        []*nbpeer.Peer
+	FirewallRules       []*FirewallRule
+	RoutesFirewallRules []*RouteFirewallRule
+	ForwardingRules     []*ForwardingRule
+}
+
+// var nmapPool = sync.Pool{
+// 	New: func() any {
+// 		return &NetworkMap{}
+// 	},
+// }
+
+// func GetNetworkMap() *NetworkMap {
+// 	n := nmapPool.Get().(*NetworkMap)
+// 	n.reset()
+// 	return n
+// }
+
+// func PutNetworkMap(n *NetworkMap) {
+// 	nmapPool.Put(n)
+// }
+
+// func (n *NetworkMap) reset() {
+// 	n.Peers = n.Peers[:0]
+// 	n.Network = nil
+// 	n.Routes = n.Routes[:0]
+// 	n.DNSConfig = nbdns.Config{}
+// 	n.OfflinePeers = n.OfflinePeers[:0]
+// 	n.FirewallRules = n.FirewallRules[:0]
+// 	n.RoutesFirewallRules = n.RoutesFirewallRules[:0]
+// 	n.ForwardingRules = n.ForwardingRules[:0]
+// }
+
+func (nm *NetworkMap) Merge(other *NetworkMap) {
+	nm.Peers = mergeUniquePeersByID(nm.Peers, other.Peers)
+	nm.Routes = util.MergeUnique(nm.Routes, other.Routes)
+	nm.OfflinePeers = mergeUniquePeersByID(nm.OfflinePeers, other.OfflinePeers)
+	nm.FirewallRules = util.MergeUnique(nm.FirewallRules, other.FirewallRules)
+	nm.RoutesFirewallRules = util.MergeUnique(nm.RoutesFirewallRules, other.RoutesFirewallRules)
+	nm.ForwardingRules = util.MergeUnique(nm.ForwardingRules, other.ForwardingRules)
+}
+
+// TODO optimize
+func mergeUniquePeersByID(peers1, peers2 []*nbpeer.Peer) []*nbpeer.Peer {
+	result := make(map[string]*nbpeer.Peer)
+	for _, peer := range peers1 {
+		result[peer.ID] = peer
+	}
+	for _, peer := range peers2 {
+		if _, ok := result[peer.ID]; !ok {
+			result[peer.ID] = peer
+		}
+	}
+
+	return maps.Values(result)
+}
+
+// GetPeerNetworkMap returns the networkmap for the given peer ID.
+func (a *Account) GetPeerNetworkMap(
+	ctx context.Context,
+	peerID string,
+	peersCustomZone nbdns.CustomZone,
+	validatedPeersMap map[string]struct{},
+	resourcePolicies map[string][]*Policy,
+	routers map[string]map[string]*routerTypes.NetworkRouter,
+	metrics *telemetry.AccountManagerMetrics,
+) *NetworkMap {
+	start := time.Now()
+
+	peer := a.Peers[peerID]
+	if peer == nil {
+		return &NetworkMap{
+			Network: a.Network.Copy(),
+		}
+	}
+
+	if _, ok := validatedPeersMap[peerID]; !ok {
+		return &NetworkMap{
+			Network: a.Network.Copy(),
+		}
+	}
+
+	aclPeers, firewallRules := a.GetPeerConnectionResources(ctx, peer, validatedPeersMap)
+	// exclude expired peers
+	var peersToConnect []*nbpeer.Peer
+	var expiredPeers []*nbpeer.Peer
+	for _, p := range aclPeers {
+		expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
+		if a.Settings.PeerLoginExpirationEnabled && expired {
+			expiredPeers = append(expiredPeers, p)
+			continue
+		}
+		peersToConnect = append(peersToConnect, p)
+	}
+
+	routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect)
+	routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
+	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
+	var networkResourcesFirewallRules []*RouteFirewallRule
+	if isRouter {
+		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
+	}
+	peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
+
+	dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
+	dnsUpdate := nbdns.Config{
+		ServiceEnable: dnsManagementStatus,
+	}
+
+	if dnsManagementStatus {
+		var zones []nbdns.CustomZone
+		if peersCustomZone.Domain != "" {
+			records := filterZoneRecordsForPeers(peer, peersCustomZone, peersToConnectIncludingRouters, expiredPeers)
+			zones = append(zones, nbdns.CustomZone{
+				Domain:  peersCustomZone.Domain,
+				Records: records,
+			})
+		}
+		dnsUpdate.CustomZones = zones
+		dnsUpdate.NameServerGroups = getPeerNSGroups(a, peerID)
+	}
+
+	nm := &NetworkMap{
+		Peers:               peersToConnectIncludingRouters,
+		Network:             a.Network.Copy(),
+		Routes:              slices.Concat(networkResourcesRoutes, routesUpdate),
+		DNSConfig:           dnsUpdate,
+		OfflinePeers:        expiredPeers,
+		FirewallRules:       firewallRules,
+		RoutesFirewallRules: slices.Concat(networkResourcesFirewallRules, routesFirewallRules),
+	}
+
+	if metrics != nil {
+		objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routesUpdate) + len(networkResourcesRoutes) + len(firewallRules) + +len(networkResourcesFirewallRules) + len(routesFirewallRules))
+		metrics.CountNetworkMapObjects(objectCount)
+		metrics.CountGetPeerNetworkMapDuration(time.Since(start))
+
+		if objectCount > 5000 {
+			log.WithContext(ctx).Tracef("account: %s has a total resource count of %d objects, "+
+				"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, network resources routes: %d, network resources firewall rules: %d, routes firewall rules: %d",
+				a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routesUpdate), len(firewallRules), len(networkResourcesRoutes), len(networkResourcesFirewallRules), len(routesFirewallRules))
+		}
+	}
+
+	return nm
+}
+
+// GetPeerConnectionResources for a given peer
+//
+// This function returns the list of peers and firewall rules that are applicable to a given peer.
+func (a *Account) GetPeerConnectionResources(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, []*FirewallRule) {
+	generateResources, getAccumulatedResources := a.connResourcesGenerator(ctx, peer)
+
+	for _, policy := range a.Policies {
+		if !policy.Enabled {
+			continue
+		}
+
+		for _, rule := range policy.Rules {
+			if !rule.Enabled {
+				continue
+			}
+
+			sourcePeers, peerInSources := a.getAllPeersFromGroups(ctx, rule.Sources, peer.ID, policy.SourcePostureChecks, validatedPeersMap)
+			destinationPeers, peerInDestinations := a.getAllPeersFromGroups(ctx, rule.Destinations, peer.ID, nil, validatedPeersMap)
+
+			if rule.Bidirectional {
+				if peerInSources {
+					generateResources(rule, destinationPeers, FirewallRuleDirectionIN)
+				}
+				if peerInDestinations {
+					generateResources(rule, sourcePeers, FirewallRuleDirectionOUT)
+				}
+			}
+
+			if peerInSources {
+				generateResources(rule, destinationPeers, FirewallRuleDirectionOUT)
+			}
+
+			if peerInDestinations {
+				generateResources(rule, sourcePeers, FirewallRuleDirectionIN)
+			}
+		}
+	}
+
+	return getAccumulatedResources()
+}
+
+// connResourcesGenerator returns generator and accumulator function which returns the result of generator calls
+//
+// The generator function is used to generate the list of peers and firewall rules that are applicable to a given peer.
+// It safe to call the generator function multiple times for same peer and different rules no duplicates will be
+// generated. The accumulator function returns the result of all the generator calls.
+func (a *Account) connResourcesGenerator(ctx context.Context, targetPeer *nbpeer.Peer) (func(*PolicyRule, []*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
+	rulesExists := make(map[string]struct{})
+	peersExists := make(map[string]struct{})
+	rules := make([]*FirewallRule, 0)
+	peers := make([]*nbpeer.Peer, 0)
+
+	all, err := a.GetGroupAll()
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get group all: %v", err)
+		all = &Group{}
+	}
+
+	return func(rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int) {
+			isAll := (len(all.Peers) - 1) == len(groupPeers)
+			for _, peer := range groupPeers {
+				if peer == nil {
+					continue
+				}
+
+				if _, ok := peersExists[peer.ID]; !ok {
+					peers = append(peers, peer)
+					peersExists[peer.ID] = struct{}{}
+				}
+
+				fr := FirewallRule{
+					PolicyID:  rule.ID,
+					PeerIP:    peer.IP.String(),
+					Direction: direction,
+					Action:    string(rule.Action),
+					Protocol:  string(rule.Protocol),
+				}
+
+				if isAll {
+					fr.PeerIP = "0.0.0.0"
+				}
+
+				ruleID := rule.ID + fr.PeerIP + strconv.Itoa(direction) +
+					fr.Protocol + fr.Action + strings.Join(rule.Ports, ",")
+				if _, ok := rulesExists[ruleID]; ok {
+					continue
+				}
+				rulesExists[ruleID] = struct{}{}
+
+				if len(rule.Ports) == 0 && len(rule.PortRanges) == 0 {
+					rules = append(rules, &fr)
+					continue
+				}
+
+				rules = append(rules, expandPortsAndRanges(fr, rule, targetPeer)...)
+			}
+		}, func() ([]*nbpeer.Peer, []*FirewallRule) {
+			return peers, rules
+		}
+}
+
+// getAllPeersFromGroups for given peer ID and list of groups
+//
+// Returns a list of peers from specified groups that pass specified posture checks
+// and a boolean indicating if the supplied peer ID exists within these groups.
+//
+// Important: Posture checks are applicable only to source group peers,
+// for destination group peers, call this method with an empty list of sourcePostureChecksIDs
+func (a *Account) getAllPeersFromGroups(ctx context.Context, groups []string, peerID string, sourcePostureChecksIDs []string, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, bool) {
+	peerInGroups := false
+	uniquePeerIDs := a.getUniquePeerIDsFromGroupsIDs(ctx, groups)
+	filteredPeers := make([]*nbpeer.Peer, 0, len(uniquePeerIDs))
+	for _, p := range uniquePeerIDs {
+		peer, ok := a.Peers[p]
+		if !ok || peer == nil {
+			continue
+		}
+
+		// validate the peer based on policy posture checks applied
+		isValid := a.validatePostureChecksOnPeer(ctx, sourcePostureChecksIDs, peer.ID)
+		if !isValid {
+			continue
+		}
+
+		if _, ok := validatedPeersMap[peer.ID]; !ok {
+			continue
+		}
+
+		if peer.ID == peerID {
+			peerInGroups = true
+			continue
+		}
+
+		filteredPeers = append(filteredPeers, peer)
+	}
+
+	return filteredPeers, peerInGroups
+}
+
+// validatePostureChecksOnPeer validates the posture checks on a peer
+func (a *Account) validatePostureChecksOnPeer(ctx context.Context, sourcePostureChecksID []string, peerID string) bool {
+	peer, ok := a.Peers[peerID]
+	if !ok && peer == nil {
+		return false
+	}
+
+	for _, postureChecksID := range sourcePostureChecksID {
+		postureChecks := a.GetPostureChecks(postureChecksID)
+		if postureChecks == nil {
+			continue
+		}
+
+		for _, check := range postureChecks.GetChecks() {
+			isValid, err := check.Check(ctx, *peer)
+			if err != nil {
+				log.WithContext(ctx).Debugf("an error occurred check %s: on peer: %s :%s", check.Name(), peer.ID, err.Error())
+			}
+			if !isValid {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
+func expandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
+	expanded := make([]*FirewallRule, 0, len(rule.Ports)+len(rule.PortRanges))
+
+	if len(rule.Ports) > 0 {
+		for _, port := range rule.Ports {
+			fr := base
+			fr.Port = port
+			expanded = append(expanded, &fr)
+		}
+		return expanded
+	}
+
+	supportPortRanges := peerSupportsPortRanges(peer.Meta.WtVersion)
+	for _, portRange := range rule.PortRanges {
+		fr := base
+
+		if supportPortRanges {
+			fr.PortRange = portRange
+		} else {
+			// Peer doesn't support port ranges, only allow single-port ranges
+			if portRange.Start != portRange.End {
+				continue
+			}
+			fr.Port = strconv.FormatUint(uint64(portRange.Start), 10)
+		}
+		expanded = append(expanded, &fr)
+	}
+
+	return expanded
+}
+
+// peerSupportsPortRanges checks if the peer version supports port ranges.
+func peerSupportsPortRanges(peerVer string) bool {
+	if strings.Contains(peerVer, "dev") {
+		return true
+	}
+
+	meetMinVer, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peerVer)
+	return err == nil && meetMinVer
+}
+
+// GetNetworkResourcesRoutesToSync returns network routes for syncing with a specific peer and its ACL peers.
+func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
+	var isRoutingPeer bool
+	var routes []*route.Route
+	allSourcePeers := make(map[string]struct{}, len(a.Peers))
+
+	for _, resource := range a.NetworkResources {
+		if !resource.Enabled {
+			continue
+		}
+
+		var addSourcePeers bool
+
+		networkRoutingPeers, exists := routers[resource.NetworkID]
+		if exists {
+			if router, ok := networkRoutingPeers[peerID]; ok {
+				isRoutingPeer, addSourcePeers = true, true
+				routes = append(routes, a.getNetworkResourcesRoutes(resource, peerID, router, resourcePolicies)...)
+			}
+		}
+
+		addedResourceRoute := false
+		for _, policy := range resourcePolicies[resource.ID] {
+			peers := a.getUniquePeerIDsFromGroupsIDs(ctx, policy.SourceGroups())
+			if addSourcePeers {
+				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
+					allSourcePeers[pID] = struct{}{}
+				}
+			} else if slices.Contains(peers, peerID) && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
+				// add routes for the resource if the peer is in the distribution group
+				for peerId, router := range networkRoutingPeers {
+					routes = append(routes, a.getNetworkResourcesRoutes(resource, peerId, router, resourcePolicies)...)
+				}
+				addedResourceRoute = true
+			}
+			if addedResourceRoute {
+				break
+			}
+		}
+	}
+
+	return isRoutingPeer, routes, allSourcePeers
+}
+
+// getNetworkResourcesRoutes convert the network resources list to routes list.
+func (a *Account) getNetworkResourcesRoutes(resource *resourceTypes.NetworkResource, peerId string, router *routerTypes.NetworkRouter, resourcePolicies map[string][]*Policy) []*route.Route {
+	resourceAppliedPolicies := resourcePolicies[resource.ID]
+
+	var routes []*route.Route
+	// distribute the resource routes only if there is policy applied to it
+	if len(resourceAppliedPolicies) > 0 {
+		peer := a.GetPeer(peerId)
+		if peer != nil {
+			routes = append(routes, resource.ToRoute(peer, router))
+		}
+	}
+
+	return routes
+}
+
+func (a *Account) getPostureValidPeers(inputPeers []string, postureChecksIDs []string) []string {
+	var dest []string
+	for _, peerID := range inputPeers {
+		if a.validatePostureChecksOnPeer(context.Background(), postureChecksIDs, peerID) {
+			dest = append(dest, peerID)
+		}
+	}
+	return dest
+}
+
+func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) []string {
+	peerIDs := make(map[string]struct{}, len(groups)) // we expect at least one peer per group as initial capacity
+	for _, groupID := range groups {
+		group := a.GetGroup(groupID)
+		if group == nil {
+			log.WithContext(ctx).Warnf("group %s doesn't exist under account %s, will continue map generation without it", groupID, a.Id)
+			continue
+		}
+
+		if group.IsGroupAll() || len(groups) == 1 {
+			return group.Peers
+		}
+
+		for _, peerID := range group.Peers {
+			peerIDs[peerID] = struct{}{}
+		}
+	}
+
+	ids := make([]string, 0, len(peerIDs))
+	for peerID := range peerIDs {
+		ids = append(ids, peerID)
+	}
+
+	return ids
+}
+
+// GetPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
+func (a *Account) GetPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
+	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
+
+	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
+	for _, route := range enabledRoutes {
+		// If no access control groups are specified, accept all traffic.
+		if len(route.AccessControlGroups) == 0 {
+			defaultPermit := getDefaultPermit(route)
+			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
+			continue
+		}
+
+		distributionPeers := a.getDistributionGroupsPeers(route)
+
+		for _, accessGroup := range route.AccessControlGroups {
+			policies := GetAllRoutePoliciesFromGroups(a, []string{accessGroup})
+			rules := a.getRouteFirewallRules(ctx, peerID, policies, route, validatedPeersMap, distributionPeers)
+			routesFirewallRules = append(routesFirewallRules, rules...)
+		}
+	}
+
+	return routesFirewallRules
+}
+
+func (a *Account) getRouteFirewallRules(ctx context.Context, peerID string, policies []*Policy, route *route.Route, validatedPeersMap map[string]struct{}, distributionPeers map[string]struct{}) []*RouteFirewallRule {
+	var fwRules []*RouteFirewallRule
+	for _, policy := range policies {
+		if !policy.Enabled {
+			continue
+		}
+
+		for _, rule := range policy.Rules {
+			if !rule.Enabled {
+				continue
+			}
+
+			rulePeers := a.getRulePeers(rule, policy.SourcePostureChecks, peerID, distributionPeers, validatedPeersMap)
+			rules := generateRouteFirewallRules(ctx, route, rule, rulePeers, FirewallRuleDirectionIN)
+			fwRules = append(fwRules, rules...)
+		}
+	}
+	return fwRules
+}
+
+func (a *Account) getRulePeers(rule *PolicyRule, postureChecks []string, peerID string, distributionPeers map[string]struct{}, validatedPeersMap map[string]struct{}) []*nbpeer.Peer {
+	distPeersWithPolicy := make(map[string]struct{})
+	for _, id := range rule.Sources {
+		group := a.Groups[id]
+		if group == nil {
+			continue
+		}
+
+		for _, pID := range group.Peers {
+			if pID == peerID {
+				continue
+			}
+			_, distPeer := distributionPeers[pID]
+			_, valid := validatedPeersMap[pID]
+			if distPeer && valid && a.validatePostureChecksOnPeer(context.Background(), postureChecks, pID) {
+				distPeersWithPolicy[pID] = struct{}{}
+			}
+		}
+	}
+
+	distributionGroupPeers := make([]*nbpeer.Peer, 0, len(distPeersWithPolicy))
+	for pID := range distPeersWithPolicy {
+		peer := a.Peers[pID]
+		if peer == nil {
+			continue
+		}
+		distributionGroupPeers = append(distributionGroupPeers, peer)
+	}
+	return distributionGroupPeers
+}
+
+func (a *Account) getDistributionGroupsPeers(route *route.Route) map[string]struct{} {
+	distPeers := make(map[string]struct{})
+	for _, id := range route.Groups {
+		group := a.Groups[id]
+		if group == nil {
+			continue
+		}
+
+		for _, pID := range group.Peers {
+			distPeers[pID] = struct{}{}
+		}
+	}
+	return distPeers
+}
+
+func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
+	var rules []*RouteFirewallRule
+
+	sources := []string{"0.0.0.0/0"}
+	if route.Network.Addr().Is6() {
+		sources = []string{"::/0"}
+	}
+	rule := RouteFirewallRule{
+		SourceRanges: sources,
+		Action:       string(PolicyTrafficActionAccept),
+		Destination:  route.Network.String(),
+		Protocol:     string(PolicyRuleProtocolALL),
+		Domains:      route.Domains,
+		IsDynamic:    route.IsDynamic(),
+		RouteID:      route.ID,
+	}
+
+	rules = append(rules, &rule)
+
+	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
+	if route.IsDynamic() {
+		ruleV6 := rule
+		ruleV6.SourceRanges = []string{"::/0"}
+		rules = append(rules, &ruleV6)
+	}
+
+	return rules
+}
+
+// GetAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
+// and returns a list of policies that have rules with destinations matching the specified groups.
+func GetAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
+	routePolicies := make([]*Policy, 0)
+	for _, groupID := range accessControlGroups {
+		group, ok := account.Groups[groupID]
+		if !ok {
+			continue
+		}
+
+		for _, policy := range account.Policies {
+			for _, rule := range policy.Rules {
+				exist := slices.ContainsFunc(rule.Destinations, func(groupID string) bool {
+					return groupID == group.ID
+				})
+				if exist {
+					routePolicies = append(routePolicies, policy)
+					continue
+				}
+			}
+		}
+	}
+
+	return routePolicies
+}
+
+// GetPeerNetworkResourceFirewallRules gets the network resources firewall rules associated with a routing peer ID for the account.
+func (a *Account) GetPeerNetworkResourceFirewallRules(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}, routes []*route.Route, resourcePolicies map[string][]*Policy) []*RouteFirewallRule {
+	routesFirewallRules := make([]*RouteFirewallRule, 0)
+
+	for _, route := range routes {
+		if route.Peer != peer.Key {
+			continue
+		}
+		resourceAppliedPolicies := resourcePolicies[string(route.GetResourceID())]
+		distributionPeers := getPoliciesSourcePeers(resourceAppliedPolicies, a.Groups)
+
+		rules := a.getRouteFirewallRules(ctx, peer.ID, resourceAppliedPolicies, route, validatedPeersMap, distributionPeers)
+		for _, rule := range rules {
+			if len(rule.SourceRanges) > 0 {
+				routesFirewallRules = append(routesFirewallRules, rule)
+			}
+		}
+	}
+
+	return routesFirewallRules
+}
+
+// getPoliciesSourcePeers collects all unique peers from the source groups defined in the given policies.
+func getPoliciesSourcePeers(policies []*Policy, groups map[string]*Group) map[string]struct{} {
+	sourcePeers := make(map[string]struct{})
+
+	for _, policy := range policies {
+		for _, rule := range policy.Rules {
+			for _, sourceGroup := range rule.Sources {
+				group := groups[sourceGroup]
+				if group == nil {
+					continue
+				}
+
+				for _, peer := range group.Peers {
+					sourcePeers[peer] = struct{}{}
+				}
+			}
+		}
+	}
+
+	return sourcePeers
+}
+
+// GetRoutesToSync returns the enabled routes for the peer ID and the routes
+// from the ACL peers that have distribution groups associated with the peer ID.
+// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
+func (a *Account) GetRoutesToSync(ctx context.Context, peerID string, aclPeers []*nbpeer.Peer) []*route.Route {
+	routes, peerDisabledRoutes := a.getRoutingPeerRoutes(ctx, peerID)
+	peerRoutesMembership := make(LookupMap)
+	for _, r := range append(routes, peerDisabledRoutes...) {
+		peerRoutesMembership[string(r.GetHAUniqueID())] = struct{}{}
+	}
+
+	groupListMap := a.GetPeerGroups(peerID)
+	for _, peer := range aclPeers {
+		activeRoutes, _ := a.getRoutingPeerRoutes(ctx, peer.ID)
+		groupFilteredRoutes := a.filterRoutesByGroups(activeRoutes, groupListMap)
+		filteredRoutes := a.filterRoutesFromPeersOfSameHAGroup(groupFilteredRoutes, peerRoutesMembership)
+		routes = append(routes, filteredRoutes...)
+	}
+
+	return routes
+}
+
+func (a *Account) GetPeerGroups(peerID string) LookupMap {
+	groupList := make(LookupMap)
+	for groupID, group := range a.Groups {
+		for _, id := range group.Peers {
+			if id == peerID {
+				groupList[groupID] = struct{}{}
+				break
+			}
+		}
+	}
+	return groupList
+}
+
+// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
+func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships LookupMap) []*route.Route {
+	var filteredRoutes []*route.Route
+	for _, r := range routes {
+		_, found := peerMemberships[string(r.GetHAUniqueID())]
+		if !found {
+			filteredRoutes = append(filteredRoutes, r)
+		}
+	}
+	return filteredRoutes
+}
+
+// filterRoutesByGroups returns a list with routes that have distribution groups in the group's map
+func (a *Account) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
+	var filteredRoutes []*route.Route
+	for _, r := range routes {
+		for _, groupID := range r.Groups {
+			_, found := groupListMap[groupID]
+			if found {
+				filteredRoutes = append(filteredRoutes, r)
+				break
+			}
+		}
+	}
+	return filteredRoutes
+}
+
+// getRoutingPeerRoutes returns the enabled and disabled lists of routes that the given routing peer serves
+// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
+// If the given is not a routing peer, then the lists are empty.
+func (a *Account) getRoutingPeerRoutes(ctx context.Context, peerID string) (enabledRoutes []*route.Route, disabledRoutes []*route.Route) {
+
+	peer := a.GetPeer(peerID)
+	if peer == nil {
+		// log.WithContext(ctx).Errorf("peer %s that doesn't exist under account %s", peerID, a.Id)
+		return enabledRoutes, disabledRoutes
+	}
+
+	seenRoute := make(map[route.ID]struct{})
+
+	takeRoute := func(r *route.Route, id string) {
+		if _, ok := seenRoute[r.ID]; ok {
+			return
+		}
+		seenRoute[r.ID] = struct{}{}
+
+		if r.Enabled {
+			r.Peer = peer.Key
+			enabledRoutes = append(enabledRoutes, r)
+			return
+		}
+		disabledRoutes = append(disabledRoutes, r)
+	}
+
+	for _, r := range a.Routes {
+		for _, groupID := range r.PeerGroups {
+			group := a.GetGroup(groupID)
+			if group == nil {
+				log.WithContext(ctx).Errorf("route %s has peers group %s that doesn't exist under account %s", r.ID, groupID, a.Id)
+				continue
+			}
+			for _, id := range group.Peers {
+				if id != peerID {
+					continue
+				}
+
+				newPeerRoute := r.Copy()
+				newPeerRoute.Peer = id
+				newPeerRoute.PeerGroups = nil
+				newPeerRoute.ID = route.ID(string(r.ID) + ":" + id) // we have to provide unique route id when distribute network map
+				takeRoute(newPeerRoute, id)
+				break
+			}
+		}
+		if r.Peer == peerID {
+			takeRoute(r.Copy(), peerID)
+		}
+	}
+
+	return enabledRoutes, disabledRoutes
+}
+
+func (a *Account) addNetworksRoutingPeers(
+	networkResourcesRoutes []*route.Route,
+	peer *nbpeer.Peer,
+	peersToConnect []*nbpeer.Peer,
+	expiredPeers []*nbpeer.Peer,
+	isRouter bool,
+	sourcePeers map[string]struct{},
+) []*nbpeer.Peer {
+
+	networkRoutesPeers := make(map[string]struct{}, len(networkResourcesRoutes))
+	for _, r := range networkResourcesRoutes {
+		networkRoutesPeers[r.PeerID] = struct{}{}
+	}
+
+	delete(sourcePeers, peer.ID)
+	delete(networkRoutesPeers, peer.ID)
+
+	for _, existingPeer := range peersToConnect {
+		delete(sourcePeers, existingPeer.ID)
+		delete(networkRoutesPeers, existingPeer.ID)
+	}
+	for _, expPeer := range expiredPeers {
+		delete(sourcePeers, expPeer.ID)
+		delete(networkRoutesPeers, expPeer.ID)
+	}
+
+	missingPeers := make(map[string]struct{}, len(sourcePeers)+len(networkRoutesPeers))
+	if isRouter {
+		for p := range sourcePeers {
+			missingPeers[p] = struct{}{}
+		}
+	}
+	for p := range networkRoutesPeers {
+		missingPeers[p] = struct{}{}
+	}
+
+	for p := range missingPeers {
+		if missingPeer := a.Peers[p]; missingPeer != nil {
+			peersToConnect = append(peersToConnect, missingPeer)
+		}
+	}
+
+	return peersToConnect
+}
+
+func (a *Account) getPeerDNSManagementStatus(peerID string) bool {
+	peerGroups := a.GetPeerGroups(peerID)
+	enabled := true
+	for _, groupID := range a.DNSSettings.DisabledManagementGroups {
+		_, found := peerGroups[groupID]
+		if found {
+			enabled = false
+			break
+		}
+	}
+	return enabled
+}
+
+func getPeerNSGroups(account *Account, peerID string) []*nbdns.NameServerGroup {
+	groupList := account.GetPeerGroups(peerID)
+
+	var peerNSGroups []*nbdns.NameServerGroup
+
+	for _, nsGroup := range account.NameServerGroups {
+		if !nsGroup.Enabled {
+			continue
+		}
+		for _, gID := range nsGroup.Groups {
+			_, found := groupList[gID]
+			if found {
+				if !peerIsNameserver(account.GetPeer(peerID), nsGroup) {
+					peerNSGroups = append(peerNSGroups, nsGroup.Copy())
+					break
+				}
+			}
+		}
+	}
+
+	return peerNSGroups
+}
+
+// peerIsNameserver returns true if the peer is a nameserver for a nsGroup
+func peerIsNameserver(peer *nbpeer.Peer, nsGroup *nbdns.NameServerGroup) bool {
+	for _, ns := range nsGroup.NameServers {
+		if peer.IP.Equal(ns.IP.AsSlice()) {
+			return true
+		}
+	}
+	return false
+}
+
+func (a *Account) initNetworkMapBuilder(validatedPeers map[string]struct{}) {
+	if a.NetworkMapCache != nil {
+		return
+	}
+	a.nmapInitOnce.Do(func() {
+		a.NetworkMapCache = NewNetworkMapBuilder(a, validatedPeers)
+	})
+}
+
+func (a *Account) InitNetworkMapBuilderIfNeeded(validatedPeers map[string]struct{}) {
+	a.initNetworkMapBuilder(validatedPeers)
+}
+
+func (a *Account) GetPeerNetworkMapExp(
+	ctx context.Context,
+	peerID string,
+	peersCustomZone nbdns.CustomZone,
+	validatedPeers map[string]struct{},
+	metrics *telemetry.AccountManagerMetrics,
+) *NetworkMap {
+	a.initNetworkMapBuilder(validatedPeers)
+	return a.NetworkMapCache.GetPeerNetworkMap(ctx, peerID, peersCustomZone, validatedPeers, metrics)
+}
+
+func (a *Account) OnPeerAddedUpdNetworkMapCache(peerId string) error {
+	if a.NetworkMapCache == nil {
+		return nil
+	}
+	return a.NetworkMapCache.OnPeerAddedIncremental(peerId)
+}
+
+func (a *Account) OnPeerDeletedUpdNetworkMapCache(peerId string) error {
+	if a.NetworkMapCache == nil {
+		return nil
+	}
+	return a.NetworkMapCache.OnPeerDeleted(peerId)
+}
+
+func (a *Account) UpdatePeerInNetworkMapCache(peer *nbpeer.Peer) {
+	if a.NetworkMapCache == nil {
+		return
+	}
+	a.NetworkMapCache.UpdatePeer(peer)
+}
+
+func (a *Account) RecalculateNetworkMapCache(validatedPeers map[string]struct{}) {
+	a.initNetworkMapBuilder(validatedPeers)
+}
+
+// filterZoneRecordsForPeers filters DNS records to only include peers to connect.
+func filterZoneRecordsForPeers(peer *nbpeer.Peer, customZone nbdns.CustomZone, peersToConnect, expiredPeers []*nbpeer.Peer) []nbdns.SimpleRecord {
+	filteredRecords := make([]nbdns.SimpleRecord, 0, len(customZone.Records))
+	peerIPs := make(map[string]struct{})
+
+	// Add peer's own IP to include its own DNS records
+	peerIPs[peer.IP.String()] = struct{}{}
+
+	for _, peerToConnect := range peersToConnect {
+		peerIPs[peerToConnect.IP.String()] = struct{}{}
+	}
+
+	for _, expiredPeer := range expiredPeers {
+		peerIPs[expiredPeer.IP.String()] = struct{}{}
+	}
+
+	for _, record := range customZone.Records {
+		if _, exists := peerIPs[record.RData]; exists {
+			filteredRecords = append(filteredRecords, record)
+		}
+	}
+
+	return filteredRecords
+}
--- a/management/server/types/networkmap_golden_test.go
+++ b/management/server/types/networkmap_golden_test.go
--- a/management/server/types/networkmapbuilder.go
+++ b/management/server/types/networkmapbuilder.go
--- a/management/server/update_buffer.go
+++ b/management/server/update_buffer.go
@@ -0,0 +1,106 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/management/server/telemetry"
+)
+
+type UpdateBuffer struct {
+	mu             sync.Mutex
+	cond           *sync.Cond
+	update         *UpdateMessage
+	closed         bool
+	metrics        *telemetry.UpdateChannelMetrics
+	overwriteCount int       // Number of overwrites since last Pop
+	lastPopTime    time.Time // Time of last Pop
+}
+
+func NewUpdateBuffer(metrics *telemetry.UpdateChannelMetrics) *UpdateBuffer {
+	ub := &UpdateBuffer{metrics: metrics}
+	ub.cond = sync.NewCond(&ub.mu)
+	return ub
+}
+
+func (b *UpdateBuffer) Push(update *UpdateMessage) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.update == nil || update.Update.NetworkMap.Serial > b.update.Update.NetworkMap.Serial || b.update.Update.NetworkMap.Serial == 0 {
+		if b.update == nil {
+			b.metrics.CountBufferPush()
+		} else {
+			b.metrics.CountBufferOverwrite()
+			b.overwriteCount++
+		}
+
+		b.update = update
+		b.cond.Signal()
+
+		return
+	}
+
+	b.metrics.CountBufferIgnore()
+}
+
+func (b *UpdateBuffer) Pop(ctx context.Context) (*UpdateMessage, int, time.Duration, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	for b.update == nil && !b.closed {
+		select {
+		case <-ctx.Done():
+			return nil, 0, 0, fmt.Errorf("context cancelled")
+		default:
+		}
+
+		waitCh := make(chan struct{})
+		go func() {
+			select {
+			case <-ctx.Done():
+				b.cond.Broadcast()
+			case <-waitCh:
+				// noop
+			}
+		}()
+		b.cond.Wait()
+		close(waitCh)
+
+		select {
+		case <-ctx.Done():
+			return nil, 0, 0, fmt.Errorf("context cancelled")
+		default:
+		}
+	}
+
+	if b.closed {
+		return nil, 0, 0, fmt.Errorf("buffer closed")
+	}
+
+	msg := b.update
+	overwrites := b.overwriteCount
+
+	// Calculate time since last pop
+	now := time.Now()
+	var timeSinceLastPop time.Duration
+	if !b.lastPopTime.IsZero() {
+		timeSinceLastPop = now.Sub(b.lastPopTime)
+	}
+
+	// Reset counters
+	b.update = nil
+	b.overwriteCount = 0
+	b.lastPopTime = now
+
+	return msg, overwrites, timeSinceLastPop, nil
+}
+
+func (b *UpdateBuffer) Close() {
+	b.mu.Lock()
+	b.closed = true
+	b.cond.Broadcast()
+	b.mu.Unlock()
+}
--- a/management/server/updatechannel.go
+++ b/management/server/updatechannel.go
@@ -7,21 +7,39 @@ import (

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/proto"
 )

 const channelBufferSize = 100

+type UpdateChannel struct {
+	Important  chan *UpdateMessage
+	NetworkMap *UpdateBuffer
+}
+
+func NewUpdateChannel(metrics *telemetry.UpdateChannelMetrics) *UpdateChannel {
+	channel := make(chan *UpdateMessage, channelBufferSize)
+	buffer := NewUpdateBuffer(metrics)
+
+	return &UpdateChannel{
+		Important:  channel,
+		NetworkMap: buffer,
+	}
+}
+
+func (u *UpdateChannel) Close() {
+	close(u.Important)
+	u.NetworkMap.Close()
+}
+
 type UpdateMessage struct {
 	Update *proto.SyncResponse
-	NetworkMap *types.NetworkMap
 }

 type PeersUpdateManager struct {
 	// peerChannels is an update channel indexed by Peer.ID
-	peerChannels map[string]chan *UpdateMessage
+	peerChannels map[string]*UpdateChannel
 	// channelsMux keeps the mutex to access peerChannels
 	channelsMux *sync.RWMutex
 	// metrics provides method to collect application metrics
@@ -31,14 +49,14 @@ type PeersUpdateManager struct {
 // NewPeersUpdateManager returns a new instance of PeersUpdateManager
 func NewPeersUpdateManager(metrics telemetry.AppMetrics) *PeersUpdateManager {
 	return &PeersUpdateManager{
-		peerChannels: make(map[string]chan *UpdateMessage),
+		peerChannels: make(map[string]*UpdateChannel),
 		channelsMux:  &sync.RWMutex{},
 		metrics:      metrics,
 	}
 }

-// SendUpdate sends update message to the peer's channel
-func (p *PeersUpdateManager) SendUpdate(ctx context.Context, peerID string, update *UpdateMessage) {
+// SendImportantUpdate sends update message to the peer that needs to be received
+func (p *PeersUpdateManager) SendImportantUpdate(ctx context.Context, peerID string, update *UpdateMessage) {
 	start := time.Now()
 	var found, dropped bool

@@ -54,19 +72,42 @@ func (p *PeersUpdateManager) SendUpdate(ctx context.Context, peerID string, upda
 	if channel, ok := p.peerChannels[peerID]; ok {
 		found = true
 		select {
-		case channel <- update:
-			log.WithContext(ctx).Debugf("update was sent to channel for peer %s", peerID)
+		case channel.Important <- update:
+			// log.WithContext(ctx).Debugf("update was sent to important channel for peer %s", peerID)
 		default:
 			dropped = true
-			log.WithContext(ctx).Warnf("channel for peer %s is %d full or closed", peerID, len(channel))
+			// log.WithContext(ctx).Warnf("important channel for peer %s is %d full or closed", peerID, len(channel.Important))
 		}
 	} else {
-		log.WithContext(ctx).Debugf("peer %s has no channel", peerID)
+		// log.WithContext(ctx).Debugf("peer %s has no important channel", peerID)
+	}
+}
+
+// SendNetworkMapUpdate sends a network map update to the peer's channel
+func (p *PeersUpdateManager) SendNetworkMapUpdate(ctx context.Context, peerID string, update *UpdateMessage) {
+	start := time.Now()
+	var found, dropped bool
+
+	p.channelsMux.RLock()
+
+	defer func() {
+		p.channelsMux.RUnlock()
+		if p.metrics != nil {
+			p.metrics.UpdateChannelMetrics().CountSendUpdateDuration(time.Since(start), found, dropped)
+		}
+	}()
+
+	if channel, ok := p.peerChannels[peerID]; ok {
+		found = true
+		channel.NetworkMap.Push(update)
+		// log.WithContext(ctx).Debugf("update was sent to network map buffer for peer %s", peerID)
+	} else {
+		// log.WithContext(ctx).Debugf("peer %s has no network map buffer", peerID)
 	}
 }

 // CreateChannel creates a go channel for a given peer used to deliver updates relevant to the peer.
-func (p *PeersUpdateManager) CreateChannel(ctx context.Context, peerID string) chan *UpdateMessage {
+func (p *PeersUpdateManager) CreateChannel(ctx context.Context, peerID string) *UpdateChannel {
 	start := time.Now()

 	closed := false
@@ -82,21 +123,21 @@ func (p *PeersUpdateManager) CreateChannel(ctx context.Context, peerID string) c
 	if channel, ok := p.peerChannels[peerID]; ok {
 		closed = true
 		delete(p.peerChannels, peerID)
-		close(channel)
+		channel.Close()
 	}
-	// mbragin: todo shouldn't it be more? or configurable?
-	channel := make(chan *UpdateMessage, channelBufferSize)
-	p.peerChannels[peerID] = channel
+
+	newChannel := NewUpdateChannel(p.metrics.UpdateChannelMetrics())
+	p.peerChannels[peerID] = newChannel

 	log.WithContext(ctx).Debugf("opened updates channel for a peer %s", peerID)

-	return channel
+	return newChannel
 }

 func (p *PeersUpdateManager) closeChannel(ctx context.Context, peerID string) {
 	if channel, ok := p.peerChannels[peerID]; ok {
 		delete(p.peerChannels, peerID)
-		close(channel)
+		channel.Close()

 		log.WithContext(ctx).Debugf("closed updates channel of a peer %s", peerID)
 		return
@@ -176,3 +217,10 @@ func (p *PeersUpdateManager) HasChannel(peerID string) bool {

 	return ok
 }
+
+// GetChannelCount returns the number of active peer channels
+func (p *PeersUpdateManager) GetChannelCount() int {
+	p.channelsMux.RLock()
+	defer p.channelsMux.RUnlock()
+	return len(p.peerChannels)
+}
--- a/management/server/updatechannel_test.go
+++ b/management/server/updatechannel_test.go
@@ -33,15 +33,15 @@ func TestSendUpdate(t *testing.T) {
 	if _, ok := peersUpdater.peerChannels[peer]; !ok {
 		t.Error("Error creating the channel")
 	}
-	peersUpdater.SendUpdate(context.Background(), peer, update1)
+	peersUpdater.SendImportantUpdate(context.Background(), peer, update1)
 	select {
-	case <-peersUpdater.peerChannels[peer]:
+	case <-peersUpdater.peerChannels[peer].Important:
 	default:
 		t.Error("Update wasn't send")
 	}

 	for range [channelBufferSize]int{} {
-		peersUpdater.SendUpdate(context.Background(), peer, update1)
+		peersUpdater.SendImportantUpdate(context.Background(), peer, update1)
 	}

 	update2 := &UpdateMessage{Update: &proto.SyncResponse{
@@ -50,13 +50,13 @@ func TestSendUpdate(t *testing.T) {
 		},
 	}}

-	peersUpdater.SendUpdate(context.Background(), peer, update2)
+	peersUpdater.SendImportantUpdate(context.Background(), peer, update2)
 	timeout := time.After(5 * time.Second)
 	for range [channelBufferSize]int{} {
 		select {
 		case <-timeout:
 			t.Error("timed out reading previously sent updates")
-		case updateReader := <-peersUpdater.peerChannels[peer]:
+		case updateReader := <-peersUpdater.peerChannels[peer].Important:
 			if updateReader.Update.NetworkMap.Serial == update2.Update.NetworkMap.Serial {
 				t.Error("got the update that shouldn't have been sent")
 			}
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -961,6 +961,10 @@ func (am *DefaultAccountManager) expireAndUpdatePeers(ctx context.Context, accou
 			peer.UserID, peer.ID, accountID,
 			activity.PeerLoginExpired, peer.EventMeta(dnsDomain),
 		)
+
+		if am.experimentalNetworkMap(accountID) {
+			am.updatePeerInNetworkMapCache(peer.AccountID, peer)
+		}
 	}

 	if len(peerIDs) != 0 {
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -1366,7 +1366,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 	t.Run("creating new regular user with no groups", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1389,7 +1389,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 	t.Run("updating user with no linked peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1412,7 +1412,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting user with no linked peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1449,7 +1449,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 	t.Run("updating user with linked peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg.NetworkMap)
 			close(done)
 		}()

@@ -1477,7 +1477,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting user with linked peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, peer4UpdMsg)
+			peerShouldReceiveUpdate(t, peer4UpdMsg.NetworkMap)
 			close(done)
 		}()

--- a/route/route.go
+++ b/route/route.go
@@ -124,6 +124,7 @@ func (r *Route) EventMeta() map[string]any {
 func (r *Route) Copy() *Route {
 	route := &Route{
 		ID:                  r.ID,
+		AccountID:           r.AccountID,
 		Description:         r.Description,
 		NetID:               r.NetID,
 		Network:             r.Network,
Author	SHA1	Message	Date
crn4	575b176371	getValidatedPeerWithMap get account from cache for exp	2025-10-30 12:30:36 +01:00
crn4	b96dfb834e	sprintf to strings builder	2025-10-30 00:27:05 +01:00
crn4	a654c286bf	load or store for account	2025-10-29 23:35:16 +01:00
crn4	20c65cffc2	fixed panic	2025-10-29 22:15:09 +01:00
crn4	95cf5ab673	minor change	2025-10-29 17:09:05 +01:00
crn4	ed0c5a470a	sync once pointer	2025-10-29 16:38:33 +01:00
crn4	3a11175d34	minor change	2025-10-29 15:40:21 +01:00
crn4	d82176e9ea	Merge branch 'main' into refactor/nmap-limit-buffer	2025-10-29 13:25:41 +01:00
crn4	56ebd004d9	build cache only once	2025-10-29 13:25:03 +01:00
crn4	bbb0910a2c	minor changes	2025-10-28 17:32:11 +01:00
crn4	ec035e5709	minor changes after merge main	2025-10-28 17:30:23 +01:00
crn4	d0f8868e4d	sync limit fix	2025-10-17 17:11:15 +02:00
crn4	31e3928e08	simple balancing	2025-10-17 16:06:53 +02:00
crn4	1793ad8ff0	nil slices to empty	2025-10-17 14:34:22 +02:00
crn4	7e51803a58	change main get account method	2025-10-17 11:53:58 +02:00
crn4	4cab69a76c	more nullable fields	2025-10-17 11:44:25 +02:00
crn4	dace4ff30c	more null fields	2025-10-17 11:25:15 +02:00
crn4	069586b77f	null bools	2025-10-17 11:03:04 +02:00
crn4	dac6fb16ba	go mod tidy	2025-10-17 10:19:29 +02:00
crn4	cd7dce7678	merge main	2025-10-17 00:37:40 +02:00
crn4	9bdabfbb2c	with test	2025-10-17 00:16:05 +02:00
crn4	2760c78bc2	new raw sql get account method	2025-10-16 23:54:17 +02:00
crn4	2882638c7f	workers for updateaccountpeers	2025-10-15 12:38:47 +02:00
Pascal Fischer	9c7c15ba8b	fix expandPortsAndRanges	2025-10-09 22:22:01 +02:00
Pascal Fischer	b0dcc9ff7b	fix expandPortsAndRanges	2025-10-09 22:17:13 +02:00
Pascal Fischer	11e2573747	fix expandPortsAndRanges	2025-10-09 20:51:19 +02:00
Pascal Fischer	6ac9e58911	use buffer and adaptive debounce for account peers update	2025-10-09 16:12:09 +02:00
Pascal Fischer	c115434d53	log pop	2025-10-08 22:52:31 +02:00
Pascal Fischer	3984f0ee08	adaptive debounce	2025-10-08 22:20:27 +02:00
Pascal Fischer	2dc5e7eb7a	dynamic debounce	2025-10-08 22:08:14 +02:00
Pascal Fischer	75dc7f6517	use sleep for busy updates	2025-10-08 21:48:20 +02:00
Pascal Fischer	409e2013cc	fix push method	2025-10-08 21:27:36 +02:00
Pascal Fischer	f13c6ba1b8	update logs	2025-10-08 21:05:25 +02:00
Pascal Fischer	fc2f23bd22	remove semaphore and fix push metrics	2025-10-08 21:03:15 +02:00
Pascal Fischer	26f5aee4b9	add additional buffer channel	2025-10-08 20:42:19 +02:00
Pascal Fischer	8d47175cdb	remove unused network map field from update	2025-10-08 19:33:49 +02:00
crn4	274711a37e	pprof	2025-10-07 15:01:19 +01:00
crn4	53e24ae7f7	panic fix	2025-10-07 11:12:39 +01:00
crn4	fbc02343e9	Merge branch 'main' into refactor/nmap	2025-10-07 10:07:58 +01:00
crn4	ffed4b38ef	minor fixes after tests	2025-10-07 10:07:14 +01:00
crn4	e926ca34b5	Merge branch 'main' into refactor/nmap	2025-10-06 12:35:17 +01:00
crn4	5d1c61369d	added env for account ids enabling new network map builder	2025-10-06 12:34:36 +01:00
crn4	fd9e21a5f3	get rid of direct get account calls	2025-10-02 14:41:58 +02:00
crn4	841bc7564a	minor fixes	2025-10-02 11:58:55 +02:00
crn4	f20a1b3328	get rid of get account calls for update peers	2025-10-02 11:55:43 +02:00
crn4	2ac0da6cac	conflicts resolution	2025-10-02 11:39:43 +02:00
crn4	148b8b04b3	cache and peeracls to unexported	2025-10-02 11:33:18 +02:00
crn4	9a56883ffb	cache read without account get from db	2025-10-02 11:28:59 +02:00
crn4	806be13dd5	fixed bug with duplicated firewall rules	2025-10-02 11:07:02 +02:00
crn4	90557da237	on peer deleted cleanup	2025-09-17 01:34:38 +02:00
crn4	1d6209841e	on peer added refactored	2025-09-17 00:54:34 +02:00
crn4	8f0e5708d5	onpeeradded optimization part 1	2025-09-16 17:21:35 +02:00
crn4	5a9aa55121	buildPeerRoutesView optimized	2025-09-16 14:03:23 +02:00
crn4	6082c7cdcb	buildPeerACLView optimized	2025-09-16 01:18:24 +02:00
crn4	06eae13352	Merge branch 'main' into refactor/nmap	2025-09-12 14:09:00 +02:00
crn4	08fba9876b	test fixes	2025-09-05 13:06:06 +02:00
crn4	ca85aa9b8f	implement new map builder full rebuilder for other parts	2025-09-05 12:30:13 +02:00
crn4	0ae2241573	removed test files	2025-09-03 16:15:38 +02:00
crn4	050c05164a	tests fix	2025-09-03 15:34:19 +02:00
crn4	333908d06e	minor fix	2025-09-03 14:54:58 +02:00
crn4	bc6c5ece6e	tests and linter fix	2025-09-03 14:22:08 +02:00
crn4	fd7b3ae21c	conflicts resolution after main merge	2025-09-03 13:34:24 +02:00
crn4	abd7a84a46	implement nmap builder to the code	2025-09-03 13:31:12 +02:00
crn4	f4b2bed1b9	changes to other code - nmap in separate file	2025-09-03 13:31:12 +02:00
crn4	2fb971e88a	nmap builder	2025-09-03 13:31:12 +02:00