account for routing peers

# Conflicts:
#	management/server/peer.go

client/internal/rosenpass/manager_test.go

@@ -22,14 +22,14 @@ type removePeerCall struct {
 }
 
 type mockServer struct {
-	mu         sync.Mutex
-	addCalls   []addPeerCall
-	removed    []removePeerCall
-	nextID     rp.PeerID
-	addErr     error
-	removeErr  error
-	closed     bool
-	ran        bool
+	mu        sync.Mutex
+	addCalls  []addPeerCall
+	removed   []removePeerCall
+	nextID    rp.PeerID
+	addErr    error
+	removeErr error
+	closed    bool
+	ran       bool
 }
 
 func (m *mockServer) AddPeer(cfg rp.PeerConfig) (rp.PeerID, error) {
@@ -51,7 +51,7 @@ func (m *mockServer) RemovePeer(id rp.PeerID) error {
 	return m.removeErr
 }
 
-func (m *mockServer) Run() error  { m.ran = true; return nil }
+func (m *mockServer) Run() error   { m.ran = true; return nil }
 func (m *mockServer) Close() error { m.closed = true; return nil }
 
 type setPSKCall struct {

client/internal/rosenpass/seed_test.go

@@ -41,4 +41,3 @@ func TestDeterministicSeedKey_TooShortKey_ReturnsError(t *testing.T) {
 	_, err = DeterministicSeedKey(long, short)
 	require.Error(t, err)
 }
-

management/internals/controllers/network_map/controller/controller.go

@@ -44,7 +44,7 @@ type Controller struct {
 	EphemeralPeersManager ephemeral.Manager
 
 	accountUpdateLocks               sync.Map
-	sendAccountUpdateLocks           sync.Map
+	affectedPeerUpdateLocks          sync.Map
 	updateAccountPeersBufferInterval atomic.Int64
 	// dnsDomain is used for peer resolution. This is appended to the peer's name
 	dnsDomain string
@@ -63,6 +63,13 @@ type bufferUpdate struct {
 	update atomic.Bool
 }
 
+type bufferAffectedUpdate struct {
+	sendMu  sync.Mutex
+	dataMu  sync.Mutex
+	next    *time.Timer
+	peerIDs map[string]struct{}
+}
+
 var _ network_map.Controller = (*Controller)(nil)
 
 func NewController(ctx context.Context, store store.Store, metrics telemetry.AppMetrics, peersUpdateManager network_map.PeersUpdateManager, requestBuffer account.RequestBuffer, integratedPeerValidator integrated_validator.IntegratedValidator, settingsManager settings.Manager, dnsDomain string, proxyController port_forwarding.Controller, ephemeralPeersManager ephemeral.Manager, config *config.Config) *Controller {
@@ -200,7 +207,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 
 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
 
-			proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
+			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
 			if ok {
 				remotePeerNetworkMap.Merge(proxyNetworkMap)
 			}
@@ -225,44 +232,6 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	return nil
 }
 
-func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
-	log.WithContext(ctx).Tracef("buffer sending update peers for account %s from %s", accountID, util.GetCallerName())
-
-	if c.accountManagerMetrics != nil {
-		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
-	}
-
-	bufUpd, _ := c.sendAccountUpdateLocks.LoadOrStore(accountID, &bufferUpdate{})
-	b := bufUpd.(*bufferUpdate)
-
-	if !b.mu.TryLock() {
-		b.update.Store(true)
-		return nil
-	}
-
-	if b.next != nil {
-		b.next.Stop()
-	}
-
-	go func() {
-		defer b.mu.Unlock()
-		_ = c.sendUpdateAccountPeers(ctx, accountID, reason)
-		if !b.update.Load() {
-			return
-		}
-		b.update.Store(false)
-		if b.next == nil {
-			b.next = time.AfterFunc(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
-				_ = c.sendUpdateAccountPeers(ctx, accountID, reason)
-			})
-			return
-		}
-		b.next.Reset(time.Duration(c.updateAccountPeersBufferInterval.Load()))
-	}()
-
-	return nil
-}
-
 // UpdatePeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
 func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
@@ -272,6 +241,143 @@ func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string, r
 	return c.sendUpdateAccountPeers(ctx, accountID, reason)
 }
 
+// UpdateAffectedPeers updates only the specified peers that belong to an account.
+func (c *Controller) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
+	if len(peerIDs) == 0 {
+		return nil
+	}
+	return c.sendUpdateForAffectedPeers(ctx, accountID, peerIDs)
+}
+
+func (c *Controller) sendUpdateForAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
+	log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: account %s, %d affected peers: %v (caller: %s)", accountID, len(peerIDs), peerIDs, util.GetCallerName())
+
+	if !c.hasConnectedPeers(peerIDs) {
+		log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: no connected peers among %v, skipping", peerIDs)
+		return nil
+	}
+
+	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get account: %v", err)
+	}
+
+	globalStart := time.Now()
+
+	peersToUpdate := c.filterConnectedAffectedPeers(account, peerIDs)
+	if len(peersToUpdate) == 0 {
+		log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: no peers to update (affected peers not found in account or no channels)")
+		return nil
+	}
+
+	log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: sending network map to %d connected peers", len(peersToUpdate))
+
+	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return fmt.Errorf("failed to get validate peers: %v", err)
+	}
+
+	var wg sync.WaitGroup
+	semaphore := make(chan struct{}, 10)
+
+	account.InjectProxyPolicies(ctx)
+	dnsCache := &cache.DNSConfigCache{}
+	dnsDomain := c.GetDNSDomain(account.Settings)
+	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
+		return fmt.Errorf("failed to get proxy network maps: %v", err)
+	}
+
+	extraSetting, err := c.settingsManager.GetExtraSettings(ctx, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get flow enabled status: %v", err)
+	}
+
+	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
+
+	accountZones, err := c.repo.GetAccountZones(ctx, account.Id)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get account zones: %v", err)
+		return fmt.Errorf("failed to get account zones: %v", err)
+	}
+
+	for _, peer := range peersToUpdate {
+		wg.Add(1)
+		semaphore <- struct{}{}
+		go func(p *nbpeer.Peer) {
+			defer wg.Done()
+			defer func() { <-semaphore }()
+
+			start := time.Now()
+
+			postureChecks, err := c.getPeerPostureChecks(account, p.ID)
+			if err != nil {
+				log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", p.ID, err)
+				return
+			}
+
+			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
+			start = time.Now()
+
+			remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+
+			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
+
+			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
+			if ok {
+				remotePeerNetworkMap.Merge(proxyNetworkMap)
+			}
+
+			peerGroups := account.GetPeerGroups(p.ID)
+			start = time.Now()
+			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
+			c.metrics.CountToSyncResponseDuration(time.Since(start))
+
+			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
+				Update:      update,
+				MessageType: network_map.MessageTypeNetworkMap,
+			})
+		}(peer)
+	}
+
+	wg.Wait()
+	if c.accountManagerMetrics != nil {
+		c.accountManagerMetrics.CountUpdateAccountPeersDuration(time.Since(globalStart))
+	}
+
+	return nil
+}
+
+func (c *Controller) hasConnectedPeers(peerIDs []string) bool {
+	for _, id := range peerIDs {
+		if c.peersUpdateManager.HasChannel(id) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Controller) filterConnectedAffectedPeers(account *types.Account, peerIDs []string) []*nbpeer.Peer {
+	affected := make(map[string]struct{}, len(peerIDs))
+	for _, id := range peerIDs {
+		affected[id] = struct{}{}
+	}
+
+	var result []*nbpeer.Peer
+	for _, peer := range account.Peers {
+		if _, ok := affected[peer.ID]; ok && c.peersUpdateManager.HasChannel(peer.ID) {
+			result = append(result, peer)
+		}
+	}
+	return result
+}
+
 func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error {
 	if !c.peersUpdateManager.HasChannel(peerId) {
 		return fmt.Errorf("peer %s doesn't have a channel, skipping network map update", peerId)
@@ -380,6 +486,100 @@ func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID str
 	return nil
 }
 
+// BufferUpdateAffectedPeers accumulates peer IDs and flushes them after the buffer interval.
+func (c *Controller) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error {
+	if len(peerIDs) == 0 {
+		return nil
+	}
+
+	if c.accountManagerMetrics != nil {
+		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
+	}
+
+	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s", len(peerIDs), accountID, util.GetCallerName())
+
+	bufUpd, _ := c.affectedPeerUpdateLocks.LoadOrStore(accountID, &bufferAffectedUpdate{
+		peerIDs: make(map[string]struct{}),
+	})
+	b := bufUpd.(*bufferAffectedUpdate)
+
+	b.addPeerIDs(peerIDs)
+
+	if !b.sendMu.TryLock() {
+		// Another goroutine is already sending; it will pick up our IDs on its next drain.
+		return nil
+	}
+
+	b.stopTimer()
+
+	collected := b.drainPeerIDs()
+	go func() {
+		defer b.sendMu.Unlock()
+		_ = c.sendUpdateForAffectedPeers(ctx, accountID, collected)
+
+		// Check if more peer IDs accumulated while we were sending.
+		if !b.hasPending() {
+			return
+		}
+
+		// Schedule a debounced flush for the newly accumulated IDs.
+		b.setTimer(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
+			ids := b.drainPeerIDs()
+			if len(ids) > 0 {
+				_ = c.sendUpdateForAffectedPeers(ctx, accountID, ids)
+			}
+		})
+	}()
+
+	return nil
+}
+
+func (b *bufferAffectedUpdate) addPeerIDs(ids []string) {
+	b.dataMu.Lock()
+	for _, id := range ids {
+		b.peerIDs[id] = struct{}{}
+	}
+	b.dataMu.Unlock()
+}
+
+func (b *bufferAffectedUpdate) drainPeerIDs() []string {
+	b.dataMu.Lock()
+	defer b.dataMu.Unlock()
+	if len(b.peerIDs) == 0 {
+		return nil
+	}
+	ids := make([]string, 0, len(b.peerIDs))
+	for id := range b.peerIDs {
+		ids = append(ids, id)
+	}
+	b.peerIDs = make(map[string]struct{})
+	return ids
+}
+
+func (b *bufferAffectedUpdate) hasPending() bool {
+	b.dataMu.Lock()
+	defer b.dataMu.Unlock()
+	return len(b.peerIDs) > 0
+}
+
+func (b *bufferAffectedUpdate) stopTimer() {
+	b.dataMu.Lock()
+	defer b.dataMu.Unlock()
+	if b.next != nil {
+		b.next.Stop()
+	}
+}
+
+func (b *bufferAffectedUpdate) setTimer(d time.Duration, f func()) {
+	b.dataMu.Lock()
+	defer b.dataMu.Unlock()
+	if b.next == nil {
+		b.next = time.AfterFunc(d, f)
+		return
+	}
+	b.next.Reset(d)
+}
+
 func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	if isRequiresApproval {
 		network, err := c.repo.GetAccountNetwork(ctx, accountID)
@@ -577,21 +777,24 @@ func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *t
 	return false, nil
 }
 
-func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string) error {
-	err := c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationUpdate})
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to buffer update account peers for peer update in account %s: %v", accountID, err)
+func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
+	if len(affectedPeerIDs) == 0 {
+		log.WithContext(ctx).Tracef("no affected peers for peer update in account %s, skipping", accountID)
+		return nil
 	}
-
-	return nil
+	return c.BufferUpdateAffectedPeers(ctx, accountID, affectedPeerIDs, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationUpdate})
 }
 
-func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
+func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
 	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
-	return c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationCreate})
+	if len(affectedPeerIDs) == 0 {
+		log.WithContext(ctx).Tracef("no affected peers for peer add in account %s, skipping", accountID)
+		return nil
+	}
+	return c.BufferUpdateAffectedPeers(ctx, accountID, affectedPeerIDs, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationCreate})
 }
 
-func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error {
+func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
 	network, err := c.repo.GetAccountNetwork(ctx, accountID)
 	if err != nil {
 		return err
@@ -624,7 +827,11 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
 	}
 
-	return c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationDelete})
+	if len(affectedPeerIDs) == 0 {
+		log.WithContext(ctx).Tracef("no affected peers for peer delete in account %s, skipping network map update", accountID)
+		return nil
+	}
+	return c.BufferUpdateAffectedPeers(ctx, accountID, affectedPeerIDs, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationDelete})
 }
 
 // GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)

management/internals/controllers/network_map/interface.go

@@ -19,6 +19,8 @@ const (
 
 type Controller interface {
 	UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
+	UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error
+	BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error
 	UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error
 	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
 	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
@@ -27,9 +29,9 @@ type Controller interface {
 	GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error)
 	CountStreams() int
 
-	OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string) error
-	OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error
-	OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error
+	OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string, affectedPeerIDs []string) error
+	OnPeersAdded(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error
+	OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error
 	DisconnectPeers(ctx context.Context, accountId string, peerIDs []string)
 	OnPeerConnected(ctx context.Context, accountID string, peerID string) (chan *UpdateMessage, error)
 	OnPeerDisconnected(ctx context.Context, accountID string, peerID string)

management/internals/controllers/network_map/interface_mock.go

@@ -57,6 +57,20 @@ func (mr *MockControllerMockRecorder) BufferUpdateAccountPeers(ctx, accountID, r
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAccountPeers), ctx, accountID, reason)
 }
 
+// BufferUpdateAffectedPeers mocks base method.
+func (m *MockController) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "BufferUpdateAffectedPeers", ctx, accountID, peerIDs, reason)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// BufferUpdateAffectedPeers indicates an expected call of BufferUpdateAffectedPeers.
+func (mr *MockControllerMockRecorder) BufferUpdateAffectedPeers(ctx, accountID, peerIDs, reason any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAffectedPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAffectedPeers), ctx, accountID, peerIDs, reason)
+}
+
 // CountStreams mocks base method.
 func (m *MockController) CountStreams() int {
 	m.ctrl.T.Helper()
@@ -158,45 +172,45 @@ func (mr *MockControllerMockRecorder) OnPeerDisconnected(ctx, accountID, peerID
 }
 
 // OnPeersAdded mocks base method.
-func (m *MockController) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
+func (m *MockController) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OnPeersAdded", ctx, accountID, peerIDs)
+	ret := m.ctrl.Call(m, "OnPeersAdded", ctx, accountID, peerIDs, affectedPeerIDs)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // OnPeersAdded indicates an expected call of OnPeersAdded.
-func (mr *MockControllerMockRecorder) OnPeersAdded(ctx, accountID, peerIDs any) *gomock.Call {
+func (mr *MockControllerMockRecorder) OnPeersAdded(ctx, accountID, peerIDs, affectedPeerIDs any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersAdded", reflect.TypeOf((*MockController)(nil).OnPeersAdded), ctx, accountID, peerIDs)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersAdded", reflect.TypeOf((*MockController)(nil).OnPeersAdded), ctx, accountID, peerIDs, affectedPeerIDs)
 }
 
 // OnPeersDeleted mocks base method.
-func (m *MockController) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error {
+func (m *MockController) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string, affectedPeerIDs []string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OnPeersDeleted", ctx, accountID, peerIDs)
+	ret := m.ctrl.Call(m, "OnPeersDeleted", ctx, accountID, peerIDs, affectedPeerIDs)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // OnPeersDeleted indicates an expected call of OnPeersDeleted.
-func (mr *MockControllerMockRecorder) OnPeersDeleted(ctx, accountID, peerIDs any) *gomock.Call {
+func (mr *MockControllerMockRecorder) OnPeersDeleted(ctx, accountID, peerIDs, affectedPeerIDs any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersDeleted", reflect.TypeOf((*MockController)(nil).OnPeersDeleted), ctx, accountID, peerIDs)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersDeleted", reflect.TypeOf((*MockController)(nil).OnPeersDeleted), ctx, accountID, peerIDs, affectedPeerIDs)
 }
 
 // OnPeersUpdated mocks base method.
-func (m *MockController) OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string) error {
+func (m *MockController) OnPeersUpdated(ctx context.Context, accountId string, peerIDs []string, affectedPeerIDs []string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OnPeersUpdated", ctx, accountId, peerIDs)
+	ret := m.ctrl.Call(m, "OnPeersUpdated", ctx, accountId, peerIDs, affectedPeerIDs)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // OnPeersUpdated indicates an expected call of OnPeersUpdated.
-func (mr *MockControllerMockRecorder) OnPeersUpdated(ctx, accountId, peerIDs any) *gomock.Call {
+func (mr *MockControllerMockRecorder) OnPeersUpdated(ctx, accountId, peerIDs, affectedPeerIDs any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersUpdated", reflect.TypeOf((*MockController)(nil).OnPeersUpdated), ctx, accountId, peerIDs)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeersUpdated", reflect.TypeOf((*MockController)(nil).OnPeersUpdated), ctx, accountId, peerIDs, affectedPeerIDs)
 }
 
 // StartWarmup mocks base method.
@@ -250,3 +264,17 @@ func (mr *MockControllerMockRecorder) UpdateAccountPeers(ctx, accountID, reason
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockController)(nil).UpdateAccountPeers), ctx, accountID, reason)
 }
+
+// UpdateAffectedPeers mocks base method.
+func (m *MockController) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateAffectedPeers", ctx, accountID, peerIDs)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateAffectedPeers indicates an expected call of UpdateAffectedPeers.
+func (mr *MockControllerMockRecorder) UpdateAffectedPeers(ctx, accountID, peerIDs any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAffectedPeers", reflect.TypeOf((*MockController)(nil).UpdateAffectedPeers), ctx, accountID, peerIDs)
+}

management/server/account.go

@@ -2573,7 +2573,9 @@ func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, us
 		if err != nil {
 			return err
 		}
-		err = am.networkMapController.OnPeersUpdated(ctx, peer.AccountID, []string{peerID})
+		changedPeerIDs := []string{peerID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, peer.AccountID, changedPeerIDs, affectedPeerIDs)
 		if err != nil {
 			return fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -2664,7 +2666,9 @@ func (am *DefaultAccountManager) UpdatePeerIPv6(ctx context.Context, accountID,
 	}
 
 	if updateNetworkMap {
-		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peerID}); err != nil {
+		changedPeerIDs := []string{peerID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
 			return fmt.Errorf("notify network map controller: %w", err)
 		}
 	}

management/server/account/manager.go

@@ -128,6 +128,8 @@ type Manager interface {
 	GetAccountSettings(ctx context.Context, accountID string, userID string) (*types.Settings, error)
 	DeleteSetupKey(ctx context.Context, accountID, userID, keyID string) error
 	UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason)
+	UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string)
+	BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason)
 	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason)
 	BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
 	SyncUserJWTGroups(ctx context.Context, userAuth auth.UserAuth) error

management/server/account/manager_mock.go

@@ -122,6 +122,18 @@ func (mr *MockManagerMockRecorder) BufferUpdateAccountPeers(ctx, accountID, reas
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockManager)(nil).BufferUpdateAccountPeers), ctx, accountID, reason)
 }
 
+// BufferUpdateAffectedPeers mocks base method.
+func (m *MockManager) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "BufferUpdateAffectedPeers", ctx, accountID, peerIDs, reason)
+}
+
+// BufferUpdateAffectedPeers indicates an expected call of BufferUpdateAffectedPeers.
+func (mr *MockManagerMockRecorder) BufferUpdateAffectedPeers(ctx, accountID, peerIDs, reason interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAffectedPeers", reflect.TypeOf((*MockManager)(nil).BufferUpdateAffectedPeers), ctx, accountID, peerIDs, reason)
+}
+
 // BuildUserInfosForAccount mocks base method.
 func (m *MockManager) BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error) {
 	m.ctrl.T.Helper()
@@ -1637,6 +1649,18 @@ func (mr *MockManagerMockRecorder) UpdateAccountPeers(ctx, accountID, reason int
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockManager)(nil).UpdateAccountPeers), ctx, accountID, reason)
 }
 
+// UpdateAffectedPeers mocks base method.
+func (m *MockManager) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "UpdateAffectedPeers", ctx, accountID, peerIDs)
+}
+
+// UpdateAffectedPeers indicates an expected call of UpdateAffectedPeers.
+func (mr *MockManagerMockRecorder) UpdateAffectedPeers(ctx, accountID, peerIDs interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAffectedPeers", reflect.TypeOf((*MockManager)(nil).UpdateAffectedPeers), ctx, accountID, peerIDs)
+}
+
 // UpdateAccountSettings mocks base method.
 func (m *MockManager) UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error) {
 	m.ctrl.T.Helper()

management/server/account_test.go

@@ -3282,6 +3282,19 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *update_channel.
 // when the channel delivers.
 const peerUpdateTimeout = 5 * time.Second
 
+func drainPeerUpdates(ch <-chan *network_map.UpdateMessage) {
+	for {
+		select {
+		case _, ok := <-ch:
+			if !ok {
+				return
+			}
+		case <-time.After(200 * time.Millisecond):
+			return
+		}
+	}
+}
+
 func peerShouldNotReceiveUpdate(t *testing.T, updateMessage <-chan *network_map.UpdateMessage) {
 	t.Helper()
 	select {

management/server/affected_groups.go

@@ -0,0 +1,425 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+
+	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/route"
+)
+
+// collectPeerChangeAffectedGroups walks policies, routes, nameservers, DNS settings,
+// and network routers to collect all group IDs and direct peer IDs affected by the
+// changed groups and/or changed peers. Each collection is fetched from the store exactly once.
+func collectPeerChangeAffectedGroups(ctx context.Context, transaction store.Store, accountID string, changedGroupIDs, changedPeerIDs []string) (allGroupIDs []string, directPeerIDs []string) {
+	if len(changedGroupIDs) == 0 && len(changedPeerIDs) == 0 {
+		return nil, nil
+	}
+
+	changedGroupSet := toSet(changedGroupIDs)
+	changedPeerSet := toSet(changedPeerIDs)
+
+	groupSet := make(map[string]struct{})
+	peerSet := make(map[string]struct{})
+
+	collectAffectedFromPolicies(ctx, transaction, accountID, changedGroupSet, changedPeerSet, groupSet, peerSet)
+	collectAffectedFromRoutes(ctx, transaction, accountID, changedGroupSet, changedPeerSet, groupSet, peerSet)
+	collectAffectedFromNameServers(ctx, transaction, accountID, changedGroupSet, groupSet)
+	collectAffectedFromDNSSettings(ctx, transaction, accountID, changedGroupSet, groupSet)
+	collectAffectedFromNetworkRouters(ctx, transaction, accountID, changedGroupSet, changedPeerSet, groupSet, peerSet)
+	collectAffectedFromProxyServices(ctx, transaction, accountID, changedGroupSet, changedPeerSet, peerSet)
+
+	allGroupIDs = setToSlice(groupSet)
+	directPeerIDs = setToSlice(peerSet)
+
+	log.WithContext(ctx).Tracef("affected groups resolution: changedGroups=%v changedPeers=%v -> affectedGroups=%v, directPeers=%v",
+		changedGroupIDs, changedPeerIDs, allGroupIDs, directPeerIDs)
+
+	return allGroupIDs, directPeerIDs
+}
+
+// collectGroupChangeAffectedGroups is a convenience wrapper used by callers that only have changed groups.
+func collectGroupChangeAffectedGroups(ctx context.Context, transaction store.Store, accountID string, changedGroupIDs []string) ([]string, []string) {
+	return collectPeerChangeAffectedGroups(ctx, transaction, accountID, changedGroupIDs, nil)
+}
+
+func collectAffectedFromPolicies(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, groupSet, peerSet map[string]struct{}) {
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get policies for affected group resolution: %v", err)
+		return
+	}
+
+	for _, policy := range policies {
+		matchedByGroup := policyReferencesGroups(policy, changedGroupSet)
+		matchedByPeer := len(changedPeerSet) > 0 && policyReferencesDirectPeers(policy, changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
+			continue
+		}
+		addAllToSet(groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, peerSet)
+	}
+}
+
+func collectAffectedFromRoutes(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, groupSet, peerSet map[string]struct{}) {
+	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get routes for affected group resolution: %v", err)
+		return
+	}
+
+	for _, r := range routes {
+		matchedByGroup := routeReferencesGroups(r, changedGroupSet)
+		matchedByPeer := r.Peer != "" && len(changedPeerSet) > 0 && isInSet(r.Peer, changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
+			continue
+		}
+		addAllToSet(groupSet, r.Groups, r.PeerGroups, r.AccessControlGroups)
+		if r.Peer != "" {
+			peerSet[r.Peer] = struct{}{}
+		}
+	}
+}
+
+func collectAffectedFromNameServers(ctx context.Context, transaction store.Store, accountID string, changedGroupSet map[string]struct{}, groupSet map[string]struct{}) {
+	if len(changedGroupSet) == 0 {
+		return
+	}
+
+	nsGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get nameserver groups for affected group resolution: %v", err)
+		return
+	}
+
+	for _, ns := range nsGroups {
+		if anyInSet(ns.Groups, changedGroupSet) {
+			addAllToSet(groupSet, ns.Groups)
+		}
+	}
+}
+
+func collectAffectedFromDNSSettings(ctx context.Context, transaction store.Store, accountID string, changedGroupSet map[string]struct{}, groupSet map[string]struct{}) {
+	if len(changedGroupSet) == 0 {
+		return
+	}
+
+	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get DNS settings for affected group resolution: %v", err)
+		return
+	}
+
+	for _, gID := range dnsSettings.DisabledManagementGroups {
+		if _, ok := changedGroupSet[gID]; ok {
+			groupSet[gID] = struct{}{}
+		}
+	}
+}
+
+func collectAffectedFromNetworkRouters(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, groupSet, peerSet map[string]struct{}) {
+	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get network routers for affected group resolution: %v", err)
+		return
+	}
+
+	for _, router := range routers {
+		matchedByGroup := routerReferencesGroups(router, changedGroupSet)
+		matchedByPeer := router.Peer != "" && len(changedPeerSet) > 0 && isInSet(router.Peer, changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
+			continue
+		}
+		addAllToSet(groupSet, router.PeerGroups)
+		if router.Peer != "" {
+			peerSet[router.Peer] = struct{}{}
+		}
+	}
+}
+
+// collectAffectedFromProxyServices handles policies that are synthesized at
+// network-map computation time by Account.InjectProxyPolicies. Those policies
+// connect proxy peers (peer.ProxyMeta.Embedded == true) to service targets and
+// never reach the database, so the other collectors cannot see them.
+func collectAffectedFromProxyServices(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}, peerSet map[string]struct{}) {
+	if len(changedGroupSet) == 0 && len(changedPeerSet) == 0 {
+		return
+	}
+
+	services, proxyByCluster, ok := loadProxyServiceContext(ctx, transaction, accountID)
+	if !ok {
+		return
+	}
+
+	expandedPeerSet := expandChangedPeersWithGroups(ctx, transaction, accountID, changedGroupSet, changedPeerSet)
+
+	for _, svc := range services {
+		if svc == nil {
+			continue
+		}
+		proxyPeers := proxyByCluster[svc.ProxyCluster]
+		if len(proxyPeers) == 0 {
+			continue
+		}
+		if !serviceMatchesChangedPeers(svc, proxyPeers, expandedPeerSet) {
+			continue
+		}
+
+		log.WithContext(ctx).Tracef("collectAffectedFromProxyServices: service %s (cluster=%s) matched; folding %d proxy peers and target peers",
+			svc.ID, svc.ProxyCluster, len(proxyPeers))
+		addServicePeersToSet(svc, proxyPeers, peerSet)
+	}
+}
+
+func loadProxyServiceContext(ctx context.Context, transaction store.Store, accountID string) ([]*rpservice.Service, map[string][]string, bool) {
+	services, err := transaction.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get services for affected group resolution: %v", err)
+		return nil, nil, false
+	}
+	if len(services) == 0 {
+		return nil, nil, false
+	}
+
+	proxyByCluster, err := transaction.GetEmbeddedProxyPeerIDsByCluster(ctx, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get embedded proxy peers for affected group resolution: %v", err)
+		return nil, nil, false
+	}
+	if len(proxyByCluster) == 0 {
+		return nil, nil, false
+	}
+
+	return services, proxyByCluster, true
+}
+
+func expandChangedPeersWithGroups(ctx context.Context, transaction store.Store, accountID string, changedGroupSet, changedPeerSet map[string]struct{}) map[string]struct{} {
+	if len(changedGroupSet) == 0 {
+		return changedPeerSet
+	}
+
+	ids, err := transaction.GetPeerIDsByGroups(ctx, accountID, setToSlice(changedGroupSet))
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to expand changed groups to peers for service resolution: %v", err)
+		return changedPeerSet
+	}
+	if len(ids) == 0 {
+		return changedPeerSet
+	}
+
+	merged := make(map[string]struct{}, len(changedPeerSet)+len(ids))
+	for id := range changedPeerSet {
+		merged[id] = struct{}{}
+	}
+	for _, id := range ids {
+		merged[id] = struct{}{}
+	}
+	return merged
+}
+
+func serviceMatchesChangedPeers(svc *rpservice.Service, proxyPeers []string, changedPeers map[string]struct{}) bool {
+	for _, pid := range proxyPeers {
+		if _, ok := changedPeers[pid]; ok {
+			return true
+		}
+	}
+	for _, target := range svc.Targets {
+		if target.TargetType != rpservice.TargetTypePeer || target.TargetId == "" {
+			continue
+		}
+		if _, ok := changedPeers[target.TargetId]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+func addServicePeersToSet(svc *rpservice.Service, proxyPeers []string, peerSet map[string]struct{}) {
+	for _, pid := range proxyPeers {
+		peerSet[pid] = struct{}{}
+	}
+	for _, target := range svc.Targets {
+		if target.TargetType == rpservice.TargetTypePeer && target.TargetId != "" {
+			peerSet[target.TargetId] = struct{}{}
+		}
+	}
+}
+
+// collectPolicyRouterBridge folds in the routing peers that serve any network
+// resource targeted by the given policies. A policy granting a source access to
+// a resource makes the resource's routing peers serve that source at network-map
+// compute time, so those routing peers must be refreshed alongside the rule's
+// literal groups and peers. The routing peer is reachable only through the
+// resource's network, never through the policy's groups, so it is collected here.
+//
+// Enabled is intentionally not consulted on resources or routers: toggling it is
+// itself a change the routing peer must observe.
+func collectPolicyRouterBridge(ctx context.Context, transaction store.Store, accountID string, groupSet, peerSet map[string]struct{}, policies ...*types.Policy) {
+	resourceIDs := policyDestinationResourceIDs(ctx, transaction, accountID, policies...)
+	if len(resourceIDs) == 0 {
+		return
+	}
+
+	networkIDs := resourceNetworkIDs(ctx, transaction, accountID, resourceIDs)
+	if len(networkIDs) == 0 {
+		return
+	}
+
+	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get network routers for policy router bridge: %v", err)
+		return
+	}
+
+	for _, router := range routers {
+		if _, ok := networkIDs[router.NetworkID]; !ok {
+			continue
+		}
+		addAllToSet(groupSet, router.PeerGroups)
+		if router.Peer != "" {
+			peerSet[router.Peer] = struct{}{}
+		}
+	}
+}
+
+// policyDestinationResourceIDs collects the network resource IDs targeted by the
+// policies' destinations, both via destination groups and via DestinationResource.
+func policyDestinationResourceIDs(ctx context.Context, transaction store.Store, accountID string, policies ...*types.Policy) map[string]struct{} {
+	destGroupSet := make(map[string]struct{})
+	resourceIDs := make(map[string]struct{})
+
+	for _, policy := range policies {
+		if policy == nil {
+			continue
+		}
+		for _, rule := range policy.Rules {
+			for _, gID := range rule.Destinations {
+				destGroupSet[gID] = struct{}{}
+			}
+			if rule.DestinationResource.Type != types.ResourceTypePeer && rule.DestinationResource.ID != "" {
+				resourceIDs[rule.DestinationResource.ID] = struct{}{}
+			}
+		}
+	}
+
+	if len(destGroupSet) > 0 {
+		groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthNone, accountID, setToSlice(destGroupSet))
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to get destination groups for policy router bridge: %v", err)
+		} else {
+			for _, group := range groups {
+				for _, res := range group.Resources {
+					if res.ID != "" {
+						resourceIDs[res.ID] = struct{}{}
+					}
+				}
+			}
+		}
+	}
+
+	return resourceIDs
+}
+
+// resourceNetworkIDs maps the given resource IDs to the set of network IDs that own them.
+func resourceNetworkIDs(ctx context.Context, transaction store.Store, accountID string, resourceIDs map[string]struct{}) map[string]struct{} {
+	resources, err := transaction.GetNetworkResourcesByAccountID(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get network resources for policy router bridge: %v", err)
+		return nil
+	}
+
+	networkIDs := make(map[string]struct{})
+	for _, resource := range resources {
+		if _, ok := resourceIDs[resource.ID]; ok {
+			networkIDs[resource.NetworkID] = struct{}{}
+		}
+	}
+	return networkIDs
+}
+
+func collectPolicyDirectPeers(policy *types.Policy, peerSet map[string]struct{}) {
+	for _, rule := range policy.Rules {
+		if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
+			peerSet[rule.SourceResource.ID] = struct{}{}
+		}
+		if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
+			peerSet[rule.DestinationResource.ID] = struct{}{}
+		}
+	}
+}
+
+func policyReferencesGroups(policy *types.Policy, groupSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
+			return true
+		}
+	}
+	return false
+}
+
+func policyReferencesDirectPeers(policy *types.Policy, changedSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if isDirectPeerInSet(rule.SourceResource, changedSet) || isDirectPeerInSet(rule.DestinationResource, changedSet) {
+			return true
+		}
+	}
+	return false
+}
+
+func isDirectPeerInSet(res types.Resource, set map[string]struct{}) bool {
+	if res.Type != types.ResourceTypePeer || res.ID == "" {
+		return false
+	}
+	_, ok := set[res.ID]
+	return ok
+}
+
+func routeReferencesGroups(r *route.Route, groupSet map[string]struct{}) bool {
+	return anyInSet(r.Groups, groupSet) || anyInSet(r.PeerGroups, groupSet) || anyInSet(r.AccessControlGroups, groupSet)
+}
+
+func routerReferencesGroups(router *routerTypes.NetworkRouter, groupSet map[string]struct{}) bool {
+	return anyInSet(router.PeerGroups, groupSet)
+}
+
+func anyInSet(ids []string, set map[string]struct{}) bool {
+	for _, id := range ids {
+		if _, ok := set[id]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+func isInSet(id string, set map[string]struct{}) bool {
+	_, ok := set[id]
+	return ok
+}
+
+func addAllToSet(set map[string]struct{}, slices ...[]string) {
+	for _, s := range slices {
+		for _, id := range s {
+			set[id] = struct{}{}
+		}
+	}
+}
+
+func toSet(ids []string) map[string]struct{} {
+	set := make(map[string]struct{}, len(ids))
+	for _, id := range ids {
+		set[id] = struct{}{}
+	}
+	return set
+}
+
+func setToSlice(set map[string]struct{}) []string {
+	s := make([]string, 0, len(set))
+	for id := range set {
+		s = append(s, id)
+	}
+	return s
+}

management/server/affected_peers_router_test.go

@@ -0,0 +1,798 @@
+package server
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	"github.com/netbirdio/netbird/management/server/groups"
+	"github.com/netbirdio/netbird/management/server/networks"
+	"github.com/netbirdio/netbird/management/server/networks/resources"
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	"github.com/netbirdio/netbird/management/server/networks/routers"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+// routerScenario captures the topology from the bug report:
+//
+//	network ── router (routing peer) ── resource (in resourceGroup)
+//	independent peer ──(policy: source -> resource)──> resource
+//
+// The routing peer must be refreshed when a policy grants a source peer access
+// to the resource, because the network map connects the source peer to the
+// routing peer at compute time (Account.GetPoliciesForNetworkResource +
+// addNetworksRoutingPeers). The routing peer is NOT a member of the resource
+// group, so static group/peer resolution alone cannot find it.
+type routerScenario struct {
+	manager       *DefaultAccountManager
+	updateManager *update_channel.PeersUpdateManager
+	accountID     string
+	networkID     string
+
+	sourcePeerID  string // independent peer that the policy grants access from
+	sourceGroupID string // group containing the source peer
+
+	routerPeerID      string // peer acting as the routing peer (direct router.Peer)
+	routerGroupPeerID string // peer that is a member of routerPeerGroup
+	routerPeerGroupID string // group used for router.PeerGroups
+
+	resourceID      string // network resource
+	resourceGroupID string // group whose member is the resource (no peers)
+
+	unrelatedPeerID string // peer in no relevant entity
+}
+
+// setupRouterScenario builds the topology above with the default policy removed
+// and channels NOT yet created, so callers control exactly when updates can flow.
+func setupRouterScenario(t *testing.T, directRouterPeer bool) *routerScenario {
+	t.Helper()
+
+	manager, updateManager, err := createManager(t)
+	require.NoError(t, err)
+
+	ctx := context.Background()
+
+	account, err := createAccount(manager, "router_scenario", userID, "")
+	require.NoError(t, err)
+	accountID := account.Id
+
+	// Remove the default policy so AddPeer/CreateGroup don't schedule unrelated updates.
+	policies, err := manager.Store.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	require.NoError(t, err)
+	for _, p := range policies {
+		require.NoError(t, manager.Store.DeletePolicy(ctx, accountID, p.ID))
+	}
+
+	setupKey, err := manager.CreateSetupKey(ctx, accountID, "rs-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
+	require.NoError(t, err)
+
+	sourcePeer := addPeerToAccount(t, manager, accountID, setupKey.Key)
+	routerPeer := addPeerToAccount(t, manager, accountID, setupKey.Key)
+	routerGroupPeer := addPeerToAccount(t, manager, accountID, setupKey.Key)
+	unrelatedPeer := addPeerToAccount(t, manager, accountID, setupKey.Key)
+
+	const (
+		sourceGroupID     = "rs-source-grp"
+		routerPeerGroupID = "rs-router-grp"
+		resourceGroupID   = "rs-resource-grp"
+	)
+
+	for _, g := range []*types.Group{
+		{ID: sourceGroupID, Name: "rs-source", Peers: []string{sourcePeer.ID}},
+		{ID: routerPeerGroupID, Name: "rs-router", Peers: []string{routerGroupPeer.ID}},
+		{ID: resourceGroupID, Name: "rs-resource"}, // intentionally peerless; the resource is its only member
+	} {
+		require.NoError(t, manager.CreateGroup(ctx, accountID, userID, g))
+	}
+
+	permissionsManager := permissions.NewManager(manager.Store)
+	groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
+	resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager, manager.serviceManager)
+	routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
+	networksManager := networks.NewManager(manager.Store, permissionsManager, resourcesManager, routersManager, manager)
+
+	network, err := networksManager.CreateNetwork(ctx, userID, &networkTypes.Network{
+		ID:        "rs-network",
+		AccountID: accountID,
+		Name:      "rs-network",
+	})
+	require.NoError(t, err)
+
+	resource, err := resourcesManager.CreateResource(ctx, userID, &resourceTypes.NetworkResource{
+		AccountID: accountID,
+		NetworkID: network.ID,
+		Name:      "rs-resource-host",
+		Address:   "10.20.30.0/24",
+		GroupIDs:  []string{resourceGroupID},
+		Enabled:   true,
+	})
+	require.NoError(t, err)
+
+	router := &routerTypes.NetworkRouter{
+		ID:         "rs-router",
+		NetworkID:  network.ID,
+		AccountID:  accountID,
+		Masquerade: true,
+		Metric:     9999,
+		Enabled:    true,
+	}
+	if directRouterPeer {
+		router.Peer = routerPeer.ID
+	} else {
+		router.PeerGroups = []string{routerPeerGroupID}
+	}
+	_, err = routersManager.CreateRouter(ctx, userID, router)
+	require.NoError(t, err)
+
+	return &routerScenario{
+		manager:           manager,
+		updateManager:     updateManager,
+		accountID:         accountID,
+		networkID:         network.ID,
+		sourcePeerID:      sourcePeer.ID,
+		sourceGroupID:     sourceGroupID,
+		routerPeerID:      routerPeer.ID,
+		routerGroupPeerID: routerGroupPeer.ID,
+		routerPeerGroupID: routerPeerGroupID,
+		resourceID:        resource.ID,
+		resourceGroupID:   resourceGroupID,
+		unrelatedPeerID:   unrelatedPeer.ID,
+	}
+}
+
+// routingPeerID returns the peer ID expected to act as router for the scenario.
+func (s *routerScenario) routingPeerID(directRouterPeer bool) string {
+	if directRouterPeer {
+		return s.routerPeerID
+	}
+	return s.routerGroupPeerID
+}
+
+// peerToResourcePolicy builds a policy granting the source group access to the
+// resource, referencing the resource by its group in the rule destination.
+func peerToResourcePolicyByGroup(sourceGroupID, resourceGroupID string) *types.Policy {
+	return &types.Policy{
+		Enabled: true,
+		Name:    "peer-to-resource-by-group",
+		Rules: []*types.PolicyRule{
+			{
+				Enabled:      true,
+				Sources:      []string{sourceGroupID},
+				Destinations: []string{resourceGroupID},
+				Action:       types.PolicyTrafficActionAccept,
+			},
+		},
+	}
+}
+
+// peerToResourcePolicyByResource builds a policy referencing the resource
+// directly via DestinationResource rather than its group.
+func peerToResourcePolicyByResource(sourceGroupID, resourceID string) *types.Policy {
+	return &types.Policy{
+		Enabled: true,
+		Name:    "peer-to-resource-by-resource",
+		Rules: []*types.PolicyRule{
+			{
+				Enabled:             true,
+				Sources:             []string{sourceGroupID},
+				DestinationResource: types.Resource{ID: resourceID, Type: types.ResourceTypeHost},
+				Action:              types.PolicyTrafficActionAccept,
+			},
+		},
+	}
+}
+
+// ---------------------------------------------------------------------------
+// Resolution-level tests: collectPolicyAffectedGroupsAndPeers + resolvePeerIDs.
+//
+// These isolate the resolver from the controller and assert directly on the set
+// of peer IDs the policy path would refresh. They make the gap explicit: the
+// routing peer is expected to be in the affected set but is not.
+// ---------------------------------------------------------------------------
+
+// resolvePolicyAffected mirrors SavePolicy's resolution: collect groups/peers
+// from the policy, then expand to concrete peer IDs.
+func (s *routerScenario) resolvePolicyAffected(ctx context.Context, policy *types.Policy) []string {
+	return s.manager.resolvePolicyAffectedPeers(ctx, s.manager.Store, s.accountID, policy)
+}
+
+func TestAffectedPeers_PolicyToResourceByGroup_IncludesSourcePeer_DirectRouter(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID)
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	// The source peer is in the source group and must always be present.
+	assert.Contains(t, affected, s.sourcePeerID, "source peer must be affected")
+}
+
+func TestAffectedPeers_PolicyToResourceByGroup_IncludesRoutingPeer_DirectRouter(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID)
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	// BUG: the direct routing peer serves the resource's subnet to the source
+	// peer, so it must be refreshed when the policy is created. The policy path
+	// only resolves the literal rule groups (source group + resource group);
+	// the resource group has no peer members and the router peer is reachable
+	// only through the network, so it is dropped.
+	assert.Contains(t, affected, s.routerPeerID,
+		"routing peer (router.Peer) serving the resource must be affected by a policy granting access to it")
+}
+
+func TestAffectedPeers_PolicyToResourceByGroup_IncludesRoutingPeer_RouterPeerGroups(t *testing.T) {
+	s := setupRouterScenario(t, false)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID)
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	// Same gap when the router is defined via PeerGroups instead of a direct peer.
+	assert.Contains(t, affected, s.routerGroupPeerID,
+		"routing peer (router.PeerGroups member) serving the resource must be affected")
+}
+
+func TestAffectedPeers_PolicyToResourceByDestinationResource_IncludesRoutingPeer_DirectRouter(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByResource(s.sourceGroupID, s.resourceID)
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	// When the resource is referenced via DestinationResource, RuleGroups()
+	// returns only the source group and the resource ID is not a peer, so
+	// collectPolicyAffectedGroupsAndPeers yields nothing for the destination at
+	// all. The routing peer is dropped here too.
+	assert.Contains(t, affected, s.routerPeerID,
+		"routing peer must be affected when the resource is referenced via DestinationResource")
+}
+
+func TestAffectedPeers_PolicyToResourceByDestinationResource_IncludesRoutingPeer_RouterPeerGroups(t *testing.T) {
+	s := setupRouterScenario(t, false)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByResource(s.sourceGroupID, s.resourceID)
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	assert.Contains(t, affected, s.routerGroupPeerID,
+		"routing peer (PeerGroups) must be affected when the resource is referenced via DestinationResource")
+}
+
+func TestAffectedPeers_PolicyToResourceWithSourceResourcePeer_IncludesRoutingPeer(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	// Source expressed as a direct peer (SourceResource), destination as resource group.
+	policy := &types.Policy{
+		Enabled: true,
+		Name:    "sourceResource-peer-to-resource",
+		Rules: []*types.PolicyRule{
+			{
+				Enabled:        true,
+				SourceResource: types.Resource{ID: s.sourcePeerID, Type: types.ResourceTypePeer},
+				Destinations:   []string{s.resourceGroupID},
+				Action:         types.PolicyTrafficActionAccept,
+			},
+		},
+	}
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	// The direct source peer IS picked up (collectPolicyAffectedGroupsAndPeers
+	// handles SourceResource peers), but the routing peer is still missing.
+	assert.Contains(t, affected, s.sourcePeerID, "direct source peer must be affected")
+	assert.Contains(t, affected, s.routerPeerID, "routing peer must be affected")
+}
+
+func TestAffectedPeers_PolicyToResource_UnrelatedPeerNotAffected(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID)
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	// Guard against an over-broad fix: a peer in no relevant entity must never
+	// be pulled in.
+	assert.NotContains(t, affected, s.unrelatedPeerID, "unrelated peer must not be affected")
+}
+
+// ---------------------------------------------------------------------------
+// Control: the resource/router managers DO bridge resource-group -> router.
+// These document the existing (correct) behaviour on the resource side and
+// highlight the asymmetry with the policy side above.
+// ---------------------------------------------------------------------------
+
+func TestAffectedPeers_ResourceSideBridgesToRoutingPeer_DirectRouter(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	// A pre-existing policy grants the source group access to the resource.
+	_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
+	require.NoError(t, err)
+
+	// Drive an update through the resource manager and assert the routing peer
+	// is among the affected set by observing the channel. This path walks
+	// policies whose destinations reference the resource's groups, folds in the
+	// source groups, and loads the network's routers, so it reaches both the
+	// source peer and the routing peer.
+	permissionsManager := permissions.NewManager(s.manager.Store)
+	groupsManager := groups.NewManager(s.manager.Store, permissionsManager, s.manager)
+	rm := resources.NewManager(s.manager.Store, permissionsManager, groupsManager, s.manager, s.manager.serviceManager)
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerPeerID)
+	})
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerCh)
+		close(done)
+	}()
+
+	_, err = rm.UpdateResource(ctx, userID, &resourceTypes.NetworkResource{
+		ID:        s.resourceID,
+		AccountID: s.accountID,
+		NetworkID: s.networkID,
+		Name:      "rs-resource-host",
+		Address:   "10.20.30.0/24",
+		GroupIDs:  []string{s.resourceGroupID},
+		Enabled:   true,
+	})
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: resource update did not refresh source peer + routing peer")
+	}
+}
+
+// ---------------------------------------------------------------------------
+// End-to-end: reproduce the reported symptom through SavePolicy with channels.
+//
+// Creating the peer->resource policy must wake the routing peer. These fail on
+// the current code because the policy path never resolves the routing peer.
+//
+// IMPORTANT: setup (CreateNetwork/CreateResource/CreateRouter) fires async
+// `go UpdateAffectedPeers` goroutines. Channels are opened and then drained via
+// settleAffectedUpdates before the action under test, so the assertion only
+// observes updates caused by that action and not stragglers from setup. The
+// resolution-level tests above are the timing-free, authoritative proof; these
+// reproduce the operator-visible symptom.
+// ---------------------------------------------------------------------------
+
+// settleAffectedUpdates waits for in-flight async updates to arrive, then drains
+// every given channel so subsequent assertions start from a clean slate.
+func settleAffectedUpdates(chans ...<-chan *network_map.UpdateMessage) {
+	time.Sleep(300 * time.Millisecond)
+	for _, ch := range chans {
+		drainPeerUpdates(ch)
+	}
+}
+
+func TestAffectedPeers_E2E_CreatePolicyToResource_RefreshesRoutingPeer_DirectRouter(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
+	unrelatedCh := s.updateManager.CreateChannel(ctx, s.unrelatedPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerPeerID)
+		s.updateManager.CloseChannel(ctx, s.unrelatedPeerID)
+	})
+
+	settleAffectedUpdates(srcCh, routerCh, unrelatedCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerCh) // FAILS today: routing peer not resolved
+		peerShouldNotReceiveUpdate(t, unrelatedCh)
+		close(done)
+	}()
+
+	_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: creating peer->resource policy did not refresh the routing peer")
+	}
+}
+
+func TestAffectedPeers_E2E_CreatePolicyToResource_RefreshesRoutingPeer_RouterPeerGroups(t *testing.T) {
+	s := setupRouterScenario(t, false)
+	ctx := context.Background()
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerGroupPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerGroupPeerID)
+	})
+
+	settleAffectedUpdates(srcCh, routerCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerCh) // FAILS today
+		close(done)
+	}()
+
+	_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: routing peer (PeerGroups) not refreshed on policy create")
+	}
+}
+
+func TestAffectedPeers_E2E_CreatePolicyByDestinationResource_RefreshesRoutingPeer(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerPeerID)
+	})
+
+	settleAffectedUpdates(srcCh, routerCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerCh) // FAILS today
+		close(done)
+	}()
+
+	_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByResource(s.sourceGroupID, s.resourceID), true)
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: routing peer not refreshed when policy targets DestinationResource")
+	}
+}
+
+func TestAffectedPeers_E2E_DeletePolicyToResource_RefreshesRoutingPeer(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	policy, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
+	require.NoError(t, err)
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerPeerID)
+	})
+
+	settleAffectedUpdates(srcCh, routerCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerCh) // FAILS today: deleting the policy must also refresh the router
+		close(done)
+	}()
+
+	require.NoError(t, s.manager.DeletePolicy(ctx, s.accountID, policy.ID, userID))
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: deleting peer->resource policy did not refresh the routing peer")
+	}
+}
+
+func (s *routerScenario) managers() (resources.Manager, routers.Manager, networks.Manager) {
+	permissionsManager := permissions.NewManager(s.manager.Store)
+	groupsManager := groups.NewManager(s.manager.Store, permissionsManager, s.manager)
+	resourcesManager := resources.NewManager(s.manager.Store, permissionsManager, groupsManager, s.manager, s.manager.serviceManager)
+	routersManager := routers.NewManager(s.manager.Store, permissionsManager, s.manager)
+	networksManager := networks.NewManager(s.manager.Store, permissionsManager, resourcesManager, routersManager, s.manager)
+	return resourcesManager, routersManager, networksManager
+}
+
+type secondTopology struct {
+	networkID       string
+	resourceID      string
+	resourceGroupID string
+	routerPeerID    string
+}
+
+func (s *routerScenario) addSecondTopology(t *testing.T, suffix string) secondTopology {
+	t.Helper()
+	ctx := context.Background()
+	resourcesManager, routersManager, networksManager := s.managers()
+
+	setupKey, err := s.manager.CreateSetupKey(ctx, s.accountID, "rs-key-"+suffix, types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
+	require.NoError(t, err)
+	routerPeer := addPeerToAccount(t, s.manager, s.accountID, setupKey.Key)
+
+	resourceGroupID := "rs-resource-grp-" + suffix
+	require.NoError(t, s.manager.CreateGroup(ctx, s.accountID, userID, &types.Group{
+		ID: resourceGroupID, Name: "rs-resource-" + suffix,
+	}))
+
+	network, err := networksManager.CreateNetwork(ctx, userID, &networkTypes.Network{
+		ID:        "rs-network-" + suffix,
+		AccountID: s.accountID,
+		Name:      "rs-network-" + suffix,
+	})
+	require.NoError(t, err)
+
+	resource, err := resourcesManager.CreateResource(ctx, userID, &resourceTypes.NetworkResource{
+		AccountID: s.accountID,
+		NetworkID: network.ID,
+		Name:      "rs-resource-host-" + suffix,
+		Address:   "10.40.50.0/24",
+		GroupIDs:  []string{resourceGroupID},
+		Enabled:   true,
+	})
+	require.NoError(t, err)
+
+	_, err = routersManager.CreateRouter(ctx, userID, &routerTypes.NetworkRouter{
+		NetworkID:  network.ID,
+		AccountID:  s.accountID,
+		Peer:       routerPeer.ID,
+		Masquerade: true,
+		Metric:     9999,
+		Enabled:    true,
+	})
+	require.NoError(t, err)
+
+	return secondTopology{
+		networkID:       network.ID,
+		resourceID:      resource.ID,
+		resourceGroupID: resourceGroupID,
+		routerPeerID:    routerPeer.ID,
+	}
+}
+
+func TestAffectedPeers_E2E_UpdatePolicyRepointResource_RefreshesBothRoutingPeers(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	second := s.addSecondTopology(t, "b")
+	ctx := context.Background()
+
+	policy, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
+	require.NoError(t, err)
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerACh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
+	routerBCh := s.updateManager.CreateChannel(ctx, second.routerPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerPeerID)
+		s.updateManager.CloseChannel(ctx, second.routerPeerID)
+	})
+
+	settleAffectedUpdates(srcCh, routerACh, routerBCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerACh)
+		peerShouldReceiveUpdate(t, routerBCh)
+		close(done)
+	}()
+
+	policy.Rules[0].Destinations = []string{second.resourceGroupID}
+	_, err = s.manager.SavePolicy(ctx, s.accountID, userID, policy, false)
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: re-pointing the policy destination did not refresh both routing peers")
+	}
+}
+
+func TestAffectedPeers_E2E_UpdatePolicyAddSourceGroup_RefreshesRoutingPeer(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	const secondSourceGroupID = "rs-source-grp-2"
+	setupKey, err := s.manager.CreateSetupKey(ctx, s.accountID, "rs-key-2", types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
+	require.NoError(t, err)
+	secondSourcePeer := addPeerToAccount(t, s.manager, s.accountID, setupKey.Key)
+	require.NoError(t, s.manager.CreateGroup(ctx, s.accountID, userID, &types.Group{
+		ID: secondSourceGroupID, Name: "rs-source-2", Peers: []string{secondSourcePeer.ID},
+	}))
+
+	policy, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
+	require.NoError(t, err)
+
+	newSrcCh := s.updateManager.CreateChannel(ctx, secondSourcePeer.ID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, secondSourcePeer.ID)
+		s.updateManager.CloseChannel(ctx, s.routerPeerID)
+	})
+
+	settleAffectedUpdates(newSrcCh, routerCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, newSrcCh)
+		peerShouldReceiveUpdate(t, routerCh)
+		close(done)
+	}()
+
+	policy.Rules[0].Sources = []string{s.sourceGroupID, secondSourceGroupID}
+	_, err = s.manager.SavePolicy(ctx, s.accountID, userID, policy, false)
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: adding a source group did not refresh the new source peer + routing peer")
+	}
+}
+
+func TestAffectedPeers_E2E_CreatePolicyByDestinationResource_RefreshesRoutingPeer_RouterPeerGroups(t *testing.T) {
+	s := setupRouterScenario(t, false)
+	ctx := context.Background()
+
+	srcCh := s.updateManager.CreateChannel(ctx, s.sourcePeerID)
+	routerCh := s.updateManager.CreateChannel(ctx, s.routerGroupPeerID)
+	t.Cleanup(func() {
+		s.updateManager.CloseChannel(ctx, s.sourcePeerID)
+		s.updateManager.CloseChannel(ctx, s.routerGroupPeerID)
+	})
+
+	settleAffectedUpdates(srcCh, routerCh)
+
+	done := make(chan struct{})
+	go func() {
+		peerShouldReceiveUpdate(t, srcCh)
+		peerShouldReceiveUpdate(t, routerCh)
+		close(done)
+	}()
+
+	_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByResource(s.sourceGroupID, s.resourceID), true)
+	require.NoError(t, err)
+
+	select {
+	case <-done:
+	case <-time.After(peerUpdateTimeout):
+		t.Error("timeout: DestinationResource policy with PeerGroups router did not refresh the routing peer")
+	}
+}
+
+func TestAffectedPeers_PolicyToResource_IncludesAllRoutingPeersOnNetwork(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	_, routersManager, _ := s.managers()
+	setupKey, err := s.manager.CreateSetupKey(ctx, s.accountID, "rs-key-r2", types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
+	require.NoError(t, err)
+	secondRouterPeer := addPeerToAccount(t, s.manager, s.accountID, setupKey.Key)
+	_, err = routersManager.CreateRouter(ctx, userID, &routerTypes.NetworkRouter{
+		NetworkID:  s.networkID,
+		AccountID:  s.accountID,
+		Peer:       secondRouterPeer.ID,
+		Masquerade: true,
+		Metric:     9998,
+		Enabled:    true,
+	})
+	require.NoError(t, err)
+
+	affected := s.resolvePolicyAffected(ctx, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID))
+
+	assert.Contains(t, affected, s.routerPeerID, "first routing peer must be affected")
+	assert.Contains(t, affected, secondRouterPeer.ID, "second routing peer on the same network must also be affected")
+}
+
+func TestAffectedPeers_PolicyToResource_DisabledRouterStillAffected(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	routers, err := s.manager.Store.GetNetworkRoutersByNetID(ctx, store.LockingStrengthNone, s.accountID, s.networkID)
+	require.NoError(t, err)
+	require.Len(t, routers, 1)
+	routers[0].Enabled = false
+	require.NoError(t, s.manager.Store.UpdateNetworkRouter(ctx, routers[0]))
+
+	affected := s.resolvePolicyAffected(ctx, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID))
+
+	assert.Contains(t, affected, s.sourcePeerID, "source peer must be affected")
+	assert.Contains(t, affected, s.routerPeerID,
+		"disabled router's peer must still be affected: Enabled must not gate affected-peers")
+}
+
+func TestAffectedPeers_PolicyToResource_DisabledResourceStillAffected(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	res, err := s.manager.Store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, s.accountID, s.resourceID)
+	require.NoError(t, err)
+	res.Enabled = false
+	require.NoError(t, s.manager.Store.SaveNetworkResource(ctx, res))
+
+	affected := s.resolvePolicyAffected(ctx, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID))
+
+	assert.Contains(t, affected, s.sourcePeerID, "source peer must be affected")
+	assert.Contains(t, affected, s.routerPeerID,
+		"disabled resource must still resolve the routing peer: Enabled must not gate affected-peers")
+}
+
+func TestAffectedPeers_PolicyToResource_DisabledRuleStillAffected(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	ctx := context.Background()
+
+	policy := peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID)
+	policy.Rules[0].Enabled = false
+
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	assert.Contains(t, affected, s.routerPeerID,
+		"disabled rule must still resolve the routing peer: Enabled must not gate affected-peers")
+}
+
+func TestAffectedPeers_MultiRulePolicy_IncludesAllRoutingPeers(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	second := s.addSecondTopology(t, "c")
+	ctx := context.Background()
+
+	policy := &types.Policy{
+		Enabled: true,
+		Name:    "multi-rule-two-resources",
+		Rules: []*types.PolicyRule{
+			{
+				Enabled:      true,
+				Sources:      []string{s.sourceGroupID},
+				Destinations: []string{s.resourceGroupID},
+				Action:       types.PolicyTrafficActionAccept,
+			},
+			{
+				Enabled:      true,
+				Sources:      []string{s.sourceGroupID},
+				Destinations: []string{second.resourceGroupID},
+				Action:       types.PolicyTrafficActionAccept,
+			},
+		},
+	}
+
+	affected := s.resolvePolicyAffected(ctx, policy)
+
+	assert.Contains(t, affected, s.routerPeerID, "routing peer for resource A must be affected")
+	assert.Contains(t, affected, second.routerPeerID, "routing peer for resource B must be affected")
+}
+
+func TestAffectedPeers_PolicyToResource_RouterInOtherNetworkNotAffected(t *testing.T) {
+	s := setupRouterScenario(t, true)
+	second := s.addSecondTopology(t, "d")
+	ctx := context.Background()
+
+	affected := s.resolvePolicyAffected(ctx, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID))
+
+	assert.Contains(t, affected, s.routerPeerID, "network A's routing peer must be affected")
+	assert.NotContains(t, affected, second.routerPeerID,
+		"a router in an unrelated network must not be affected by a policy that does not target its resource")
+}

management/server/dns.go

@@ -47,8 +47,8 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		return status.NewPermissionDeniedError()
 	}
 
-	var updateAccountPeers bool
 	var eventsToStore []func()
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateDNSSettings(ctx, transaction, accountID, dnsSettingsToSave); err != nil {
@@ -63,11 +63,6 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		addedGroups := util.Difference(dnsSettingsToSave.DisabledManagementGroups, oldSettings.DisabledManagementGroups)
 		removedGroups := util.Difference(oldSettings.DisabledManagementGroups, dnsSettingsToSave.DisabledManagementGroups)
 
-		updateAccountPeers, err = areDNSSettingChangesAffectPeers(ctx, transaction, accountID, addedGroups, removedGroups)
-		if err != nil {
-			return err
-		}
-
 		events := am.prepareDNSSettingsEvents(ctx, transaction, accountID, userID, addedGroups, removedGroups)
 		eventsToStore = append(eventsToStore, events...)
 
@@ -75,6 +70,9 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 			return err
 		}
 
+		allGroups := slices.Concat(addedGroups, removedGroups)
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroups, nil)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -85,8 +83,11 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		storeEvent()
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceDNSSettings, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("SaveDNSSettings: updating %d affected peers: %v", len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("SaveDNSSettings: no affected peers")
 	}
 
 	return nil
@@ -133,20 +134,6 @@ func (am *DefaultAccountManager) prepareDNSSettingsEvents(ctx context.Context, t
 	return eventsToStore
 }
 
-// areDNSSettingChangesAffectPeers checks if the DNS settings changes affect any peers.
-func areDNSSettingChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, addedGroups, removedGroups []string) (bool, error) {
-	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, accountID, addedGroups)
-	if err != nil {
-		return false, err
-	}
-
-	if hasPeers {
-		return true, nil
-	}
-
-	return anyGroupHasPeersOrResources(ctx, transaction, accountID, removedGroups)
-}
-
 // validateDNSSettings validates the DNS settings.
 func validateDNSSettings(ctx context.Context, transaction store.Store, accountID string, settings *types.DNSSettings) error {
 	if len(settings.DisabledManagementGroups) == 0 {

management/server/group.go

@@ -9,15 +9,12 @@ import (
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -79,7 +76,7 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 	}
 
 	var eventsToStore []func()
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
@@ -91,11 +88,6 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 		events := am.prepareGroupEvents(ctx, transaction, accountID, userID, newGroup)
 		eventsToStore = append(eventsToStore, events...)
 
-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{newGroup.ID})
-		if err != nil {
-			return err
-		}
-
 		if err := transaction.CreateGroup(ctx, newGroup); err != nil {
 			return status.Errorf(status.Internal, "failed to create group: %v", err)
 		}
@@ -106,6 +98,9 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 			}
 		}
 
+		groupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{newGroup.ID})
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -116,8 +111,11 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 		storeEvent()
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationCreate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("CreateGroup %s: updating %d affected peers: %v", newGroup.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("CreateGroup %s: no affected peers", newGroup.ID)
 	}
 
 	return nil
@@ -134,7 +132,7 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 	}
 
 	var eventsToStore []func()
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
@@ -165,11 +163,6 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 			}
 		}
 
-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{newGroup.ID})
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.UpdateGroup(ctx, newGroup); err != nil {
 			return err
 		}
@@ -178,6 +171,9 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 			return err
 		}
 
+		groupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{newGroup.ID})
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, append(directPeerIDs, peersToRemove...))
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -188,8 +184,11 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 		storeEvent()
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("UpdateGroup %s: updating %d affected peers: %v", newGroup.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("UpdateGroup %s: no affected peers", newGroup.ID)
 	}
 
 	return nil
@@ -209,7 +208,6 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 	}
 
 	var eventsToStore []func()
-	var updateAccountPeers bool
 
 	var globalErr error
 	groupIDs := make([]string, 0, len(groups))
@@ -247,17 +245,17 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 		}
 	}
 
-	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
-	if err != nil {
-		return err
-	}
-
 	for _, storeEvent := range eventsToStore {
 		storeEvent()
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationCreate})
+	allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, am.Store, accountID, groupIDs)
+	affectedPeerIDs := am.resolvePeerIDs(ctx, am.Store, accountID, allGroupIDs, directPeerIDs)
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("CreateGroups %v: updating %d affected peers: %v", groupIDs, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("CreateGroups %v: no affected peers", groupIDs)
 	}
 
 	return globalErr
@@ -277,7 +275,6 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 	}
 
 	var eventsToStore []func()
-	var updateAccountPeers bool
 
 	var globalErr error
 	groupIDs := make([]string, 0, len(groups))
@@ -295,17 +292,17 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 		groupIDs = append(groupIDs, newGroup.ID)
 	}
 
-	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
-	if err != nil {
-		return err
-	}
-
 	for _, storeEvent := range eventsToStore {
 		storeEvent()
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
+	allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, am.Store, accountID, groupIDs)
+	affectedPeerIDs := am.resolvePeerIDs(ctx, am.Store, accountID, allGroupIDs, directPeerIDs)
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("UpdateGroups %v: updating %d affected peers: %v", groupIDs, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("UpdateGroups %v: no affected peers", groupIDs)
 	}
 
 	return globalErr
@@ -488,15 +485,10 @@ func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, us
 
 // GroupAddPeer appends peer to the group
 func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, groupID, peerID string) error {
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 	var err error
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.AddPeerToGroup(ctx, accountID, peerID, groupID); err != nil {
 			return err
 		}
@@ -505,14 +497,20 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr
 			return err
 		}
 
+		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("GroupAddPeer group=%s peer=%s: updating %d affected peers: %v", groupID, peerID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("GroupAddPeer group=%s peer=%s: no affected peers", groupID, peerID)
 	}
 
 	return nil
@@ -521,7 +519,7 @@ func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, gr
 // GroupAddResource appends resource to the group
 func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID, groupID string, resource types.Resource) error {
 	var group *types.Group
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 	var err error
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -534,23 +532,24 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 			return nil
 		}
 
-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.UpdateGroup(ctx, group); err != nil {
 			return err
 		}
 
+		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("GroupAddResource group=%s resource=%s: updating %d affected peers: %v", groupID, resource.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("GroupAddResource group=%s resource=%s: no affected peers", groupID, resource.ID)
 	}
 
 	return nil
@@ -558,14 +557,13 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 
 // GroupDeletePeer removes peer from the group
 func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID, groupID, peerID string) error {
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 	var err error
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
-		if err != nil {
-			return err
-		}
+		// Resolve before removing, so the peer being removed is still included
+		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
 
 		if err = transaction.RemovePeerFromGroup(ctx, peerID, groupID); err != nil {
 			return err
@@ -581,8 +579,11 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 		return err
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("GroupDeletePeer group=%s peer=%s: updating %d affected peers: %v", groupID, peerID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("GroupDeletePeer group=%s peer=%s: no affected peers", groupID, peerID)
 	}
 
 	return nil
@@ -591,7 +592,7 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 // GroupDeleteResource removes resource from the group
 func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accountID, groupID string, resource types.Resource) error {
 	var group *types.Group
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 	var err error
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -604,23 +605,24 @@ func (am *DefaultAccountManager) GroupDeleteResource(ctx context.Context, accoun
 			return nil
 		}
 
-		updateAccountPeers, err = areGroupChangesAffectPeers(ctx, transaction, accountID, []string{groupID})
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.UpdateGroup(ctx, group); err != nil {
 			return err
 		}
 
+		allGroupIDs, directPeerIDs := collectGroupChangeAffectedGroups(ctx, transaction, accountID, []string{groupID})
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroupIDs, directPeerIDs)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
 		return err
 	}
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceGroup, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("GroupDeleteResource group=%s resource=%s: updating %d affected peers: %v", groupID, resource.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("GroupDeleteResource group=%s resource=%s: no affected peers", groupID, resource.ID)
 	}
 
 	return nil
@@ -651,230 +653,3 @@ func validateNewGroup(ctx context.Context, transaction store.Store, accountID st
 
 	return nil
 }
-
-func validateDeleteGroup(ctx context.Context, transaction store.Store, group *types.Group, userID string, flowGroups []string) error {
-	// disable a deleting integration group if the initiator is not an admin service user
-	if group.Issued == types.GroupIssuedIntegration {
-		executingUser, err := transaction.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
-		if err != nil {
-			return status.Errorf(status.Internal, "failed to get user")
-		}
-		if executingUser.Role != types.UserRoleAdmin || !executingUser.IsServiceUser {
-			return status.Errorf(status.PermissionDenied, "only service users with admin power can delete integration group")
-		}
-	}
-
-	if group.IsGroupAll() {
-		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
-	}
-
-	if len(group.Resources) > 0 {
-		return &GroupLinkError{"network resource", group.Resources[0].ID}
-	}
-
-	if slices.Contains(flowGroups, group.ID) {
-		return &GroupLinkError{"settings", "traffic event logging"}
-	}
-
-	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"route", string(linkedRoute.NetID)}
-	}
-
-	if isLinked, linkedDns := isGroupLinkedToDns(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"name server groups", linkedDns.Name}
-	}
-
-	if isLinked, linkedPolicy := isGroupLinkedToPolicy(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"policy", linkedPolicy.Name}
-	}
-
-	if isLinked, linkedSetupKey := isGroupLinkedToSetupKey(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"setup key", linkedSetupKey.Name}
-	}
-
-	if isLinked, linkedUser := isGroupLinkedToUser(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"user", linkedUser.Id}
-	}
-
-	if isLinked, linkedRouter := isGroupLinkedToNetworkRouter(ctx, transaction, group.AccountID, group.ID); isLinked {
-		return &GroupLinkError{"network router", linkedRouter.ID}
-	}
-
-	return checkGroupLinkedToSettings(ctx, transaction, group)
-}
-
-// checkGroupLinkedToSettings verifies if a group is linked to any settings in the account.
-func checkGroupLinkedToSettings(ctx context.Context, transaction store.Store, group *types.Group) error {
-	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, group.AccountID)
-	if err != nil {
-		return status.Errorf(status.Internal, "failed to get DNS settings")
-	}
-
-	if slices.Contains(dnsSettings.DisabledManagementGroups, group.ID) {
-		return &GroupLinkError{"disabled DNS management groups", group.Name}
-	}
-
-	settings, err := transaction.GetAccountSettings(ctx, store.LockingStrengthNone, group.AccountID)
-	if err != nil {
-		return status.Errorf(status.Internal, "failed to get account settings")
-	}
-
-	if settings.Extra != nil && slices.Contains(settings.Extra.IntegratedValidatorGroups, group.ID) {
-		return &GroupLinkError{"integrated validator", group.Name}
-	}
-
-	return nil
-}
-
-// isGroupLinkedToRoute checks if a group is linked to any route in the account.
-func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *route.Route) {
-	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving routes while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, r := range routes {
-		isLinked := slices.Contains(r.Groups, groupID) ||
-			slices.Contains(r.PeerGroups, groupID) ||
-			slices.Contains(r.AccessControlGroups, groupID)
-		if isLinked {
-			return true, r
-		}
-	}
-
-	return false, nil
-}
-
-// isGroupLinkedToPolicy checks if a group is linked to any policy in the account.
-func isGroupLinkedToPolicy(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.Policy) {
-	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving policies while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, policy := range policies {
-		for _, rule := range policy.Rules {
-			if slices.Contains(rule.Sources, groupID) || slices.Contains(rule.Destinations, groupID) {
-				return true, policy
-			}
-		}
-	}
-	return false, nil
-}
-
-// isGroupLinkedToDns checks if a group is linked to any nameserver group in the account.
-func isGroupLinkedToDns(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *nbdns.NameServerGroup) {
-	nameServerGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving name server groups while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, dns := range nameServerGroups {
-		for _, g := range dns.Groups {
-			if g == groupID {
-				return true, dns
-			}
-		}
-	}
-
-	return false, nil
-}
-
-// isGroupLinkedToSetupKey checks if a group is linked to any setup key in the account.
-func isGroupLinkedToSetupKey(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.SetupKey) {
-	setupKeys, err := transaction.GetAccountSetupKeys(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving setup keys while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, setupKey := range setupKeys {
-		if slices.Contains(setupKey.AutoGroups, groupID) {
-			return true, setupKey
-		}
-	}
-	return false, nil
-}
-
-// isGroupLinkedToUser checks if a group is linked to any user in the account.
-func isGroupLinkedToUser(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.User) {
-	users, err := transaction.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving users while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, user := range users {
-		if slices.Contains(user.AutoGroups, groupID) {
-			return true, user
-		}
-	}
-	return false, nil
-}
-
-// isGroupLinkedToNetworkRouter checks if a group is linked to any network router in the account.
-func isGroupLinkedToNetworkRouter(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *routerTypes.NetworkRouter) {
-	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("error retrieving network routers while checking group linkage: %v", err)
-		return false, nil
-	}
-
-	for _, router := range routers {
-		if slices.Contains(router.PeerGroups, groupID) {
-			return true, router
-		}
-	}
-	return false, nil
-}
-
-// areGroupChangesAffectPeers checks if any changes to the specified groups will affect peers.
-func areGroupChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
-	if len(groupIDs) == 0 {
-		return false, nil
-	}
-
-	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return false, err
-	}
-
-	for _, groupID := range groupIDs {
-		if slices.Contains(dnsSettings.DisabledManagementGroups, groupID) {
-			return true, nil
-		}
-		if linked, _ := isGroupLinkedToDns(ctx, transaction, accountID, groupID); linked {
-			return true, nil
-		}
-		if linked, _ := isGroupLinkedToPolicy(ctx, transaction, accountID, groupID); linked {
-			return true, nil
-		}
-		if linked, _ := isGroupLinkedToRoute(ctx, transaction, accountID, groupID); linked {
-			return true, nil
-		}
-		if linked, _ := isGroupLinkedToNetworkRouter(ctx, transaction, accountID, groupID); linked {
-			return true, nil
-		}
-	}
-
-	return false, nil
-}
-
-// anyGroupHasPeersOrResources checks if any of the given groups in the account have peers or resources.
-func anyGroupHasPeersOrResources(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
-	groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthNone, accountID, groupIDs)
-	if err != nil {
-		return false, err
-	}
-
-	for _, group := range groups {
-		if group.HasPeers() || group.HasResources() {
-			return true, nil
-		}
-	}
-
-	return false, nil
-}

management/server/group_linkage.go

@@ -0,0 +1,287 @@
+package server
+
+import (
+	"context"
+	"slices"
+
+	log "github.com/sirupsen/logrus"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+func validateDeleteGroup(ctx context.Context, transaction store.Store, group *types.Group, userID string, flowGroups []string) error {
+	// disable a deleting integration group if the initiator is not an admin service user
+	if group.Issued == types.GroupIssuedIntegration {
+		executingUser, err := transaction.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
+		if err != nil {
+			return status.Errorf(status.Internal, "failed to get user")
+		}
+		if executingUser.Role != types.UserRoleAdmin || !executingUser.IsServiceUser {
+			return status.Errorf(status.PermissionDenied, "only service users with admin power can delete integration group")
+		}
+	}
+
+	if group.IsGroupAll() {
+		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
+	}
+
+	if len(group.Resources) > 0 {
+		return &GroupLinkError{"network resource", group.Resources[0].ID}
+	}
+
+	if slices.Contains(flowGroups, group.ID) {
+		return &GroupLinkError{"settings", "traffic event logging"}
+	}
+
+	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"route", string(linkedRoute.NetID)}
+	}
+
+	if isLinked, linkedDns := isGroupLinkedToDns(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"name server groups", linkedDns.Name}
+	}
+
+	if isLinked, linkedPolicy := isGroupLinkedToPolicy(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"policy", linkedPolicy.Name}
+	}
+
+	if isLinked, linkedSetupKey := isGroupLinkedToSetupKey(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"setup key", linkedSetupKey.Name}
+	}
+
+	if isLinked, linkedUser := isGroupLinkedToUser(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"user", linkedUser.Id}
+	}
+
+	if isLinked, linkedRouter := isGroupLinkedToNetworkRouter(ctx, transaction, group.AccountID, group.ID); isLinked {
+		return &GroupLinkError{"network router", linkedRouter.ID}
+	}
+
+	return checkGroupLinkedToSettings(ctx, transaction, group)
+}
+
+// checkGroupLinkedToSettings verifies if a group is linked to any settings in the account.
+func checkGroupLinkedToSettings(ctx context.Context, transaction store.Store, group *types.Group) error {
+	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, group.AccountID)
+	if err != nil {
+		return status.Errorf(status.Internal, "failed to get DNS settings")
+	}
+
+	if slices.Contains(dnsSettings.DisabledManagementGroups, group.ID) {
+		return &GroupLinkError{"disabled DNS management groups", group.Name}
+	}
+
+	settings, err := transaction.GetAccountSettings(ctx, store.LockingStrengthNone, group.AccountID)
+	if err != nil {
+		return status.Errorf(status.Internal, "failed to get account settings")
+	}
+
+	if settings.Extra != nil && slices.Contains(settings.Extra.IntegratedValidatorGroups, group.ID) {
+		return &GroupLinkError{"integrated validator", group.Name}
+	}
+
+	return nil
+}
+
+// isGroupLinkedToRoute checks if a group is linked to any route in the account.
+func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *route.Route) {
+	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving routes while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, r := range routes {
+		isLinked := slices.Contains(r.Groups, groupID) ||
+			slices.Contains(r.PeerGroups, groupID) ||
+			slices.Contains(r.AccessControlGroups, groupID)
+		if isLinked {
+			return true, r
+		}
+	}
+
+	return false, nil
+}
+
+// isGroupLinkedToPolicy checks if a group is linked to any policy in the account.
+func isGroupLinkedToPolicy(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.Policy) {
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving policies while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, policy := range policies {
+		for _, rule := range policy.Rules {
+			if slices.Contains(rule.Sources, groupID) || slices.Contains(rule.Destinations, groupID) {
+				return true, policy
+			}
+		}
+	}
+	return false, nil
+}
+
+// isGroupLinkedToDns checks if a group is linked to any nameserver group in the account.
+func isGroupLinkedToDns(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *nbdns.NameServerGroup) {
+	nameServerGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving name server groups while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, dns := range nameServerGroups {
+		for _, g := range dns.Groups {
+			if g == groupID {
+				return true, dns
+			}
+		}
+	}
+
+	return false, nil
+}
+
+// isGroupLinkedToSetupKey checks if a group is linked to any setup key in the account.
+func isGroupLinkedToSetupKey(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.SetupKey) {
+	setupKeys, err := transaction.GetAccountSetupKeys(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving setup keys while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, setupKey := range setupKeys {
+		if slices.Contains(setupKey.AutoGroups, groupID) {
+			return true, setupKey
+		}
+	}
+	return false, nil
+}
+
+// isGroupLinkedToUser checks if a group is linked to any user in the account.
+func isGroupLinkedToUser(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *types.User) {
+	users, err := transaction.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving users while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, user := range users {
+		if slices.Contains(user.AutoGroups, groupID) {
+			return true, user
+		}
+	}
+	return false, nil
+}
+
+// isGroupLinkedToNetworkRouter checks if a group is linked to any network router in the account.
+func isGroupLinkedToNetworkRouter(ctx context.Context, transaction store.Store, accountID string, groupID string) (bool, *routerTypes.NetworkRouter) {
+	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("error retrieving network routers while checking group linkage: %v", err)
+		return false, nil
+	}
+
+	for _, router := range routers {
+		if slices.Contains(router.PeerGroups, groupID) {
+			return true, router
+		}
+	}
+	return false, nil
+}
+
+// areGroupChangesAffectPeers checks if any changes to the specified groups will affect peers.
+// It fetches each collection once and checks all groupIDs against them in memory.
+func areGroupChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
+	if len(groupIDs) == 0 {
+		return false, nil
+	}
+
+	groupSet := make(map[string]struct{}, len(groupIDs))
+	for _, id := range groupIDs {
+		groupSet[id] = struct{}{}
+	}
+
+	if affected, err := dnsSettingsReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
+		return affected, err
+	}
+	if affected, err := nameServersReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
+		return affected, err
+	}
+	if affected, err := policiesReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
+		return affected, err
+	}
+	if affected, err := routesReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
+		return affected, err
+	}
+	if affected, err := networkRoutersReferenceGroups(ctx, transaction, accountID, groupSet); affected || err != nil {
+		return affected, err
+	}
+
+	return false, nil
+}
+
+func dnsSettingsReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
+	dnsSettings, err := transaction.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
+	}
+	return anyInSet(dnsSettings.DisabledManagementGroups, groupSet), nil
+}
+
+func nameServersReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
+	nameServerGroups, err := transaction.GetAccountNameServerGroups(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
+	}
+	for _, ns := range nameServerGroups {
+		if anyInSet(ns.Groups, groupSet) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func policiesReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
+	}
+	for _, policy := range policies {
+		for _, rule := range policy.Rules {
+			if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
+func routesReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
+	routes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
+	}
+	for _, r := range routes {
+		if anyInSet(r.Groups, groupSet) || anyInSet(r.PeerGroups, groupSet) || anyInSet(r.AccessControlGroups, groupSet) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func networkRoutersReferenceGroups(ctx context.Context, transaction store.Store, accountID string, groupSet map[string]struct{}) (bool, error) {
+	routers, err := transaction.GetNetworkRoutersByAccountID(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
+	}
+	for _, router := range routers {
+		if anyInSet(router.PeerGroups, groupSet) {
+			return true, nil
+		}
+	}
+	return false, nil
+}

management/server/mock_server/account_mock.go

@@ -132,6 +132,8 @@ type MockAccountManager struct {
 
 	AllowSyncFunc                  func(string, uint64) bool
 	UpdateAccountPeersFunc         func(ctx context.Context, accountID string, reason types.UpdateReason)
+	UpdateAffectedPeersFunc        func(ctx context.Context, accountID string, peerIDs []string)
+	BufferUpdateAffectedPeersFunc  func(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason)
 	BufferUpdateAccountPeersFunc   func(ctx context.Context, accountID string, reason types.UpdateReason)
 	RecalculateNetworkMapCacheFunc func(ctx context.Context, accountId string) error
 
@@ -209,6 +211,18 @@ func (am *MockAccountManager) UpdateAccountPeers(ctx context.Context, accountID
 	}
 }
 
+func (am *MockAccountManager) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) {
+	if am.UpdateAffectedPeersFunc != nil {
+		am.UpdateAffectedPeersFunc(ctx, accountID, peerIDs)
+	}
+}
+
+func (am *MockAccountManager) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) {
+	if am.BufferUpdateAffectedPeersFunc != nil {
+		am.BufferUpdateAffectedPeersFunc(ctx, accountID, peerIDs, reason)
+	}
+}
+
 func (am *MockAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
 	if am.BufferUpdateAccountPeersFunc != nil {
 		am.BufferUpdateAccountPeersFunc(ctx, accountID, reason)

management/server/nameserver.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 	"unicode/utf8"
 
 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -57,22 +59,19 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco
 		SearchDomainsEnabled: searchDomainEnabled,
 	}
 
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNameServerGroup(ctx, transaction, accountID, newNSGroup); err != nil {
 			return err
 		}
 
-		updateAccountPeers, err = anyGroupHasPeersOrResources(ctx, transaction, accountID, newNSGroup.Groups)
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.SaveNameServerGroup(ctx, newNSGroup); err != nil {
 			return err
 		}
 
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, newNSGroup.Groups, nil)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -81,8 +80,11 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco
 
 	am.StoreEvent(ctx, userID, newNSGroup.ID, accountID, activity.NameserverGroupCreated, newNSGroup.EventMeta())
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceNameServerGroup, Operation: types.UpdateOperationCreate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("CreateNameServerGroup %s: updating %d affected peers: %v", newNSGroup.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("CreateNameServerGroup %s: no affected peers", newNSGroup.ID)
 	}
 
 	return newNSGroup.Copy(), nil
@@ -102,7 +104,7 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 		return status.NewPermissionDeniedError()
 	}
 
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		oldNSGroup, err := transaction.GetNameServerGroupByID(ctx, store.LockingStrengthNone, accountID, nsGroupToSave.ID)
@@ -115,15 +117,13 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 			return err
 		}
 
-		updateAccountPeers, err = areNameServerGroupChangesAffectPeers(ctx, transaction, nsGroupToSave, oldNSGroup)
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.SaveNameServerGroup(ctx, nsGroupToSave); err != nil {
 			return err
 		}
 
+		allGroups := slices.Concat(nsGroupToSave.Groups, oldNSGroup.Groups)
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, allGroups, nil)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -132,8 +132,11 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 
 	am.StoreEvent(ctx, userID, nsGroupToSave.ID, accountID, activity.NameserverGroupUpdated, nsGroupToSave.EventMeta())
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceNameServerGroup, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("SaveNameServerGroup %s: updating %d affected peers: %v", nsGroupToSave.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("SaveNameServerGroup %s: no affected peers", nsGroupToSave.ID)
 	}
 
 	return nil
@@ -150,7 +153,7 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 	}
 
 	var nsGroup *nbdns.NameServerGroup
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		nsGroup, err = transaction.GetNameServerGroupByID(ctx, store.LockingStrengthUpdate, accountID, nsGroupID)
@@ -158,10 +161,7 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 			return err
 		}
 
-		updateAccountPeers, err = anyGroupHasPeersOrResources(ctx, transaction, accountID, nsGroup.Groups)
-		if err != nil {
-			return err
-		}
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, nsGroup.Groups, nil)
 
 		if err = transaction.DeleteNameServerGroup(ctx, accountID, nsGroupID); err != nil {
 			return err
@@ -175,8 +175,11 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 
 	am.StoreEvent(ctx, userID, nsGroup.ID, accountID, activity.NameserverGroupDeleted, nsGroup.EventMeta())
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceNameServerGroup, Operation: types.UpdateOperationDelete})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("DeleteNameServerGroup %s: updating %d affected peers: %v", nsGroupID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("DeleteNameServerGroup %s: no affected peers", nsGroupID)
 	}
 
 	return nil
@@ -224,24 +227,6 @@ func validateNameServerGroup(ctx context.Context, transaction store.Store, accou
 	return validateGroups(nameserverGroup.Groups, groups)
 }
 
-// areNameServerGroupChangesAffectPeers checks if the changes in the nameserver group affect the peers.
-func areNameServerGroupChangesAffectPeers(ctx context.Context, transaction store.Store, newNSGroup, oldNSGroup *nbdns.NameServerGroup) (bool, error) {
-	if !newNSGroup.Enabled && !oldNSGroup.Enabled {
-		return false, nil
-	}
-
-	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, newNSGroup.AccountID, newNSGroup.Groups)
-	if err != nil {
-		return false, err
-	}
-
-	if hasPeers {
-		return true, nil
-	}
-
-	return anyGroupHasPeersOrResources(ctx, transaction, oldNSGroup.AccountID, oldNSGroup.Groups)
-}
-
 func validateDomainInput(primary bool, domains []string, searchDomainsEnabled bool) error {
 	if !primary && len(domains) == 0 {
 		return status.Errorf(status.InvalidArgument, "nameserver group primary status is false and domains are empty,"+

management/server/networks/manager.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -15,7 +16,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
-	serverTypes "github.com/netbirdio/netbird/management/server/types"
+	nbTypes "github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -112,6 +113,14 @@ func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network
 	return network, m.store.SaveNetwork(ctx, network)
 }
 
+// networkAffectedPeersData holds data loaded inside the transaction for affected peer resolution.
+type networkAffectedPeersData struct {
+	resourceGroupIDs []string
+	routerPeerGroups []string
+	directPeerIDs    []string
+	policies         []*nbTypes.Policy
+}
+
 func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error {
 	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
@@ -127,13 +136,22 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 	}
 
 	var eventsToStore []func()
+	var affectedData *networkAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		resources, err := transaction.GetNetworkResourcesByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
 		if err != nil {
 			return fmt.Errorf("failed to get resources in network: %w", err)
 		}
 
+		var resourceGroupIDs []string
 		for _, resource := range resources {
+			groups, err := transaction.GetResourceGroups(ctx, store.LockingStrengthNone, accountID, resource.ID)
+			if err == nil {
+				for _, g := range groups {
+					resourceGroupIDs = append(resourceGroupIDs, g.ID)
+				}
+			}
+
 			event, err := m.resourcesManager.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resource.ID)
 			if err != nil {
 				return fmt.Errorf("failed to delete resource: %w", err)
@@ -141,12 +159,19 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 			eventsToStore = append(eventsToStore, event...)
 		}
 
-		routers, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
+		netRouters, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthUpdate, accountID, networkID)
 		if err != nil {
 			return fmt.Errorf("failed to get routers in network: %w", err)
 		}
 
-		for _, router := range routers {
+		var routerPeerGroups []string
+		var directPeerIDs []string
+		for _, router := range netRouters {
+			routerPeerGroups = append(routerPeerGroups, router.PeerGroups...)
+			if router.Peer != "" {
+				directPeerIDs = append(directPeerIDs, router.Peer)
+			}
+
 			event, err := m.routersManager.DeleteRouterInTransaction(ctx, transaction, accountID, userID, networkID, router.ID)
 			if err != nil {
 				return fmt.Errorf("failed to delete router: %w", err)
@@ -154,6 +179,24 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 			eventsToStore = append(eventsToStore, event)
 		}
 
+		// load policies before deleting so group memberships are still present
+		var policies []*nbTypes.Policy
+		if len(resourceGroupIDs) > 0 {
+			policies, err = transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+			if err != nil {
+				log.WithContext(ctx).Errorf("failed to get policies for affected peers: %v", err)
+			}
+		}
+
+		if len(resourceGroupIDs) > 0 || len(routerPeerGroups) > 0 || len(directPeerIDs) > 0 {
+			affectedData = &networkAffectedPeersData{
+				resourceGroupIDs: resourceGroupIDs,
+				routerPeerGroups: routerPeerGroups,
+				directPeerIDs:    directPeerIDs,
+				policies:         policies,
+			}
+		}
+
 		err = transaction.DeleteNetwork(ctx, accountID, networkID)
 		if err != nil {
 			return fmt.Errorf("failed to delete network: %w", err)
@@ -178,11 +221,111 @@ func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, netw
 		event()
 	}
 
-	go m.accountManager.UpdateAccountPeers(ctx, accountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetwork, Operation: serverTypes.UpdateOperationDelete})
+	if affectedData != nil {
+		affectedPeerIDs := resolveNetworkAffectedPeers(ctx, m.store, accountID, affectedData)
+		if len(affectedPeerIDs) > 0 {
+			log.WithContext(ctx).Debugf("DeleteNetwork %s: updating %d affected peers: %v", networkID, len(affectedPeerIDs), affectedPeerIDs)
+			go m.accountManager.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+		} else {
+			log.WithContext(ctx).Tracef("DeleteNetwork %s: no affected peers", networkID)
+		}
+	}
 
 	return nil
 }
 
+// resolveNetworkAffectedPeers computes affected peer IDs from preloaded data outside the transaction.
+func resolveNetworkAffectedPeers(ctx context.Context, s store.Store, accountID string, data *networkAffectedPeersData) []string {
+	log.WithContext(ctx).Tracef("resolveNetworkAffectedPeers: routerPeerGroups=%v, resourceGroupIDs=%v, directPeerIDs=%v, policies=%d",
+		data.routerPeerGroups, data.resourceGroupIDs, data.directPeerIDs, len(data.policies))
+	groupSet := make(map[string]struct{})
+
+	for _, gID := range data.routerPeerGroups {
+		groupSet[gID] = struct{}{}
+	}
+
+	if len(data.resourceGroupIDs) > 0 {
+		for _, gID := range data.resourceGroupIDs {
+			groupSet[gID] = struct{}{}
+		}
+		collectPolicySourceGroups(data.policies, data.resourceGroupIDs, groupSet)
+	}
+
+	if len(groupSet) == 0 && len(data.directPeerIDs) == 0 {
+		return nil
+	}
+
+	peerIDs := resolveGroupsAndDirectPeers(ctx, s, accountID, groupSet, data.directPeerIDs)
+
+	log.WithContext(ctx).Tracef("resolveNetworkAffectedPeers: result %d peers: %v", len(peerIDs), peerIDs)
+	return peerIDs
+}
+
+// collectPolicySourceGroups finds policies whose rules reference any of the destination group IDs
+// and adds their source groups to the groupSet.
+func collectPolicySourceGroups(policies []*nbTypes.Policy, destGroupIDs []string, groupSet map[string]struct{}) {
+	destSet := make(map[string]struct{}, len(destGroupIDs))
+	for _, gID := range destGroupIDs {
+		destSet[gID] = struct{}{}
+	}
+
+	for _, policy := range policies {
+		if policy == nil || !policy.Enabled {
+			continue
+		}
+		for _, rule := range policy.Rules {
+			if rule == nil || !rule.Enabled {
+				continue
+			}
+			if ruleMatchesDestinations(rule, destSet) {
+				for _, gID := range rule.Sources {
+					groupSet[gID] = struct{}{}
+				}
+			}
+		}
+	}
+}
+
+// ruleMatchesDestinations checks if a policy rule references any of the destination groups.
+func ruleMatchesDestinations(rule *nbTypes.PolicyRule, destSet map[string]struct{}) bool {
+	for _, gID := range rule.Destinations {
+		if _, ok := destSet[gID]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+// resolveGroupsAndDirectPeers resolves group IDs and direct peer IDs into a deduplicated peer ID list.
+func resolveGroupsAndDirectPeers(ctx context.Context, s store.Store, accountID string, groupSet map[string]struct{}, directPeerIDs []string) []string {
+	groupIDs := make([]string, 0, len(groupSet))
+	for gID := range groupSet {
+		groupIDs = append(groupIDs, gID)
+	}
+
+	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to resolve peer IDs: %v", err)
+		return nil
+	}
+
+	if len(directPeerIDs) == 0 {
+		return peerIDs
+	}
+
+	seen := make(map[string]struct{}, len(peerIDs))
+	for _, id := range peerIDs {
+		seen[id] = struct{}{}
+	}
+	for _, id := range directPeerIDs {
+		if _, exists := seen[id]; !exists {
+			peerIDs = append(peerIDs, id)
+			seen[id] = struct{}{}
+		}
+	}
+	return peerIDs
+}
+
 func NewManagerMock() Manager {
 	return &mockManager{}
 }

management/server/networks/resources/manager.go

@@ -114,45 +114,11 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 	}
 
 	var eventsToStore []func()
+	var affectedData *resourceAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		_, err = transaction.GetNetworkResourceByName(ctx, store.LockingStrengthNone, resource.AccountID, resource.Name)
-		if err == nil {
-			return status.Errorf(status.InvalidArgument, "resource with name %s already exists", resource.Name)
-		}
-
-		network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
-		if err != nil {
-			return fmt.Errorf("failed to get network: %w", err)
-		}
-
-		err = transaction.SaveNetworkResource(ctx, resource)
-		if err != nil {
-			return fmt.Errorf("failed to save network resource: %w", err)
-		}
-
-		event := func() {
-			m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceCreated, resource.EventMeta(network))
-		}
-		eventsToStore = append(eventsToStore, event)
-
-		res := nbtypes.Resource{
-			ID:   resource.ID,
-			Type: nbtypes.ResourceType(resource.Type.String()),
-		}
-		for _, groupID := range resource.GroupIDs {
-			event, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, resource.AccountID, userID, groupID, &res)
-			if err != nil {
-				return fmt.Errorf("failed to add resource to group: %w", err)
-			}
-			eventsToStore = append(eventsToStore, event)
-		}
-
-		err = transaction.IncrementNetworkSerial(ctx, resource.AccountID)
-		if err != nil {
-			return fmt.Errorf("failed to increment network serial: %w", err)
-		}
-
-		return nil
+		var txErr error
+		eventsToStore, affectedData, txErr = m.createResourceInTransaction(ctx, transaction, userID, resource)
+		return txErr
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create network resource: %w", err)
@@ -162,11 +128,60 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 		event()
 	}
 
-	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID, nbtypes.UpdateReason{Resource: nbtypes.UpdateResourceNetworkResource, Operation: nbtypes.UpdateOperationCreate})
+	if affectedPeerIDs := m.resolveResourceAffectedPeers(ctx, resource.AccountID, affectedData); len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("CreateResource %s: updating %d affected peers: %v", resource.ID, len(affectedPeerIDs), affectedPeerIDs)
+		go m.accountManager.UpdateAffectedPeers(ctx, resource.AccountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("CreateResource %s: no affected peers", resource.ID)
+	}
 
 	return resource, nil
 }
 
+func (m *managerImpl) createResourceInTransaction(ctx context.Context, transaction store.Store, userID string, resource *types.NetworkResource) ([]func(), *resourceAffectedPeersData, error) {
+	_, err := transaction.GetNetworkResourceByName(ctx, store.LockingStrengthNone, resource.AccountID, resource.Name)
+	if err == nil {
+		return nil, nil, status.Errorf(status.InvalidArgument, "resource with name %s already exists", resource.Name)
+	}
+
+	network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get network: %w", err)
+	}
+
+	if err = transaction.SaveNetworkResource(ctx, resource); err != nil {
+		return nil, nil, fmt.Errorf("failed to save network resource: %w", err)
+	}
+
+	var eventsToStore []func()
+	eventsToStore = append(eventsToStore, func() {
+		m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceCreated, resource.EventMeta(network))
+	})
+
+	res := nbtypes.Resource{
+		ID:   resource.ID,
+		Type: nbtypes.ResourceType(resource.Type.String()),
+	}
+	for _, groupID := range resource.GroupIDs {
+		event, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, resource.AccountID, userID, groupID, &res)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to add resource to group: %w", err)
+		}
+		eventsToStore = append(eventsToStore, event)
+	}
+
+	if err = transaction.IncrementNetworkSerial(ctx, resource.AccountID); err != nil {
+		return nil, nil, fmt.Errorf("failed to increment network serial: %w", err)
+	}
+
+	affectedData, err := loadResourceAffectedPeersData(ctx, transaction, resource.AccountID, resource.NetworkID, resource.GroupIDs)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
+	}
+
+	return eventsToStore, affectedData, nil
+}
+
 func (m *managerImpl) GetResource(ctx context.Context, accountID, userID, networkID, resourceID string) (*types.NetworkResource, error) {
 	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
@@ -207,6 +222,7 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 	resource.Prefix = prefix
 
 	var eventsToStore []func()
+	var affectedData *resourceAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, resource.AccountID, resource.NetworkID)
 		if err != nil {
@@ -232,6 +248,15 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 			return fmt.Errorf("failed to get network resource: %w", err)
 		}
 
+		oldGroups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthNone, oldResource.AccountID, oldResource.ID)
+		if err != nil {
+			return fmt.Errorf("failed to get old resource groups: %w", err)
+		}
+		var oldGroupIDs []string
+		for _, g := range oldGroups {
+			oldGroupIDs = append(oldGroupIDs, g.ID)
+		}
+
 		err = transaction.SaveNetworkResource(ctx, resource)
 		if err != nil {
 			return fmt.Errorf("failed to save network resource: %w", err)
@@ -247,6 +272,11 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 			m.accountManager.StoreEvent(ctx, userID, resource.ID, resource.AccountID, activity.NetworkResourceUpdated, resource.EventMeta(network))
 		})
 
+		affectedData, err = loadResourceAffectedPeersData(ctx, transaction, resource.AccountID, resource.NetworkID, append(resource.GroupIDs, oldGroupIDs...))
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
+		}
+
 		err = transaction.IncrementNetworkSerial(ctx, resource.AccountID)
 		if err != nil {
 			return fmt.Errorf("failed to increment network serial: %w", err)
@@ -270,7 +300,12 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		}
 	}()
 
-	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID, nbtypes.UpdateReason{Resource: nbtypes.UpdateResourceNetworkResource, Operation: nbtypes.UpdateOperationUpdate})
+	if affectedPeerIDs := m.resolveResourceAffectedPeers(ctx, resource.AccountID, affectedData); len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("UpdateResource %s: updating %d affected peers: %v", resource.ID, len(affectedPeerIDs), affectedPeerIDs)
+		go m.accountManager.UpdateAffectedPeers(ctx, resource.AccountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("UpdateResource %s: no affected peers", resource.ID)
+	}
 
 	return resource, nil
 }
@@ -331,7 +366,22 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 	}
 
 	var events []func()
+	var affectedData *resourceAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		groups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthNone, accountID, resourceID)
+		if err != nil {
+			return fmt.Errorf("failed to get resource groups: %w", err)
+		}
+		var resourceGroupIDs []string
+		for _, g := range groups {
+			resourceGroupIDs = append(resourceGroupIDs, g.ID)
+		}
+
+		affectedData, err = loadResourceAffectedPeersData(ctx, transaction, accountID, networkID, resourceGroupIDs)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
+		}
+
 		events, err = m.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resourceID)
 		if err != nil {
 			return fmt.Errorf("failed to delete resource: %w", err)
@@ -352,7 +402,12 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 		event()
 	}
 
-	go m.accountManager.UpdateAccountPeers(ctx, accountID, nbtypes.UpdateReason{Resource: nbtypes.UpdateResourceNetworkResource, Operation: nbtypes.UpdateOperationDelete})
+	if affectedPeerIDs := m.resolveResourceAffectedPeers(ctx, accountID, affectedData); len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("DeleteResource %s: updating %d affected peers: %v", resourceID, len(affectedPeerIDs), affectedPeerIDs)
+		go m.accountManager.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("DeleteResource %s: no affected peers", resourceID)
+	}
 
 	return nil
 }
@@ -399,6 +454,151 @@ func (m *managerImpl) DeleteResourceInTransaction(ctx context.Context, transacti
 	return eventsToStore, nil
 }
 
+// resourceAffectedPeersData holds data loaded inside a transaction for affected peer resolution.
+type resourceAffectedPeersData struct {
+	resourceGroupIDs  []string
+	policies          []*nbtypes.Policy
+	routerPeerGroups  []string
+	routerDirectPeers []string
+}
+
+// loadResourceAffectedPeersData loads the data needed to determine affected peers within a transaction.
+func loadResourceAffectedPeersData(ctx context.Context, transaction store.Store, accountID, networkID string, resourceGroupIDs []string) (*resourceAffectedPeersData, error) {
+	if len(resourceGroupIDs) == 0 {
+		return &resourceAffectedPeersData{}, nil
+	}
+
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get policies: %w", err)
+	}
+
+	routers, err := transaction.GetNetworkRoutersByNetID(ctx, store.LockingStrengthNone, accountID, networkID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get routers: %w", err)
+	}
+
+	var routerPeerGroups []string
+	var routerDirectPeers []string
+	for _, router := range routers {
+		if !router.Enabled {
+			continue
+		}
+		routerPeerGroups = append(routerPeerGroups, router.PeerGroups...)
+		if router.Peer != "" {
+			routerDirectPeers = append(routerDirectPeers, router.Peer)
+		}
+	}
+
+	return &resourceAffectedPeersData{
+		resourceGroupIDs:  resourceGroupIDs,
+		policies:          policies,
+		routerPeerGroups:  routerPeerGroups,
+		routerDirectPeers: routerDirectPeers,
+	}, nil
+}
+
+// resolveResourceAffectedPeers computes affected peer IDs from preloaded data outside the transaction.
+func (m *managerImpl) resolveResourceAffectedPeers(ctx context.Context, accountID string, data *resourceAffectedPeersData) []string {
+	if data == nil {
+		return nil
+	}
+
+	log.WithContext(ctx).Tracef("resolveResourceAffectedPeers: resourceGroupIDs=%v, routerPeerGroups=%v, routerDirectPeers=%v, policies=%d",
+		data.resourceGroupIDs, data.routerPeerGroups, data.routerDirectPeers, len(data.policies))
+
+	groupSet := make(map[string]struct{})
+	directPeerIDs := collectResourcePolicySourceGroups(data.policies, data.resourceGroupIDs, groupSet)
+
+	for _, gID := range data.routerPeerGroups {
+		groupSet[gID] = struct{}{}
+	}
+	directPeerIDs = append(directPeerIDs, data.routerDirectPeers...)
+
+	if len(groupSet) == 0 && len(directPeerIDs) == 0 {
+		return nil
+	}
+
+	peerIDs := resolveGroupsAndDirectPeers(ctx, m.store, accountID, groupSet, directPeerIDs)
+
+	log.WithContext(ctx).Tracef("resolveResourceAffectedPeers: result %d peers: %v", len(peerIDs), peerIDs)
+	return peerIDs
+}
+
+// collectResourcePolicySourceGroups finds policies whose rules reference the resource destination groups,
+// adds their source groups to groupSet, and returns any direct peer IDs from source resources.
+func collectResourcePolicySourceGroups(policies []*nbtypes.Policy, destGroupIDs []string, groupSet map[string]struct{}) []string {
+	destSet := make(map[string]struct{}, len(destGroupIDs))
+	for _, gID := range destGroupIDs {
+		destSet[gID] = struct{}{}
+	}
+
+	var directPeerIDs []string
+	for _, policy := range policies {
+		if policy == nil || !policy.Enabled {
+			continue
+		}
+		directPeerIDs = collectSourcesFromPolicyRules(policy.Rules, destSet, groupSet, directPeerIDs)
+	}
+	return directPeerIDs
+}
+
+func collectSourcesFromPolicyRules(rules []*nbtypes.PolicyRule, destSet map[string]struct{}, groupSet map[string]struct{}, directPeerIDs []string) []string {
+	for _, rule := range rules {
+		if rule == nil || !rule.Enabled {
+			continue
+		}
+		if !ruleMatchesDestinations(rule, destSet) {
+			continue
+		}
+		for _, gID := range rule.Sources {
+			groupSet[gID] = struct{}{}
+		}
+		if rule.SourceResource.Type == nbtypes.ResourceTypePeer && rule.SourceResource.ID != "" {
+			directPeerIDs = append(directPeerIDs, rule.SourceResource.ID)
+		}
+	}
+	return directPeerIDs
+}
+
+func ruleMatchesDestinations(rule *nbtypes.PolicyRule, destSet map[string]struct{}) bool {
+	for _, gID := range rule.Destinations {
+		if _, ok := destSet[gID]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+func resolveGroupsAndDirectPeers(ctx context.Context, s store.Store, accountID string, groupSet map[string]struct{}, directPeerIDs []string) []string {
+	groupIDs := make([]string, 0, len(groupSet))
+	for gID := range groupSet {
+		groupIDs = append(groupIDs, gID)
+	}
+
+	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to resolve peer IDs: %v", err)
+		return nil
+	}
+
+	if len(directPeerIDs) == 0 {
+		return peerIDs
+	}
+
+	seen := make(map[string]struct{}, len(peerIDs))
+	for _, id := range peerIDs {
+		seen[id] = struct{}{}
+	}
+	for _, id := range directPeerIDs {
+		if _, exists := seen[id]; !exists {
+			peerIDs = append(peerIDs, id)
+			seen[id] = struct{}{}
+		}
+	}
+	return peerIDs
+}
+
 func NewManagerMock() Manager {
 	return &mockManager{}
 }

management/server/networks/routers/manager.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 
 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -15,7 +16,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
-	serverTypes "github.com/netbirdio/netbird/management/server/types"
+	nbtypes "github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -90,6 +91,7 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 	}
 
 	var network *networkTypes.Network
+	var affectedData *routerAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		network, err = transaction.GetNetworkByID(ctx, store.LockingStrengthNone, router.AccountID, router.NetworkID)
 		if err != nil {
@@ -112,6 +114,11 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 			return fmt.Errorf("failed to increment network serial: %w", err)
 		}
 
+		affectedData, err = loadRouterAffectedPeersData(ctx, transaction, router.AccountID, router.NetworkID, router.PeerGroups, router.Peer)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
+		}
+
 		return nil
 	})
 	if err != nil {
@@ -120,7 +127,12 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 
 	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterCreated, router.EventMeta(network))
 
-	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetworkRouter, Operation: serverTypes.UpdateOperationCreate})
+	if affectedPeerIDs := m.resolveRouterAffectedPeers(ctx, router.AccountID, affectedData); len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("CreateRouter %s: updating %d affected peers: %v", router.ID, len(affectedPeerIDs), affectedPeerIDs)
+		go m.accountManager.UpdateAffectedPeers(ctx, router.AccountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("CreateRouter %s: no affected peers", router.ID)
+	}
 
 	return router, nil
 }
@@ -156,36 +168,11 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t
 	}
 
 	var network *networkTypes.Network
+	var affectedData *routerAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		network, err = transaction.GetNetworkByID(ctx, store.LockingStrengthNone, router.AccountID, router.NetworkID)
-		if err != nil {
-			return fmt.Errorf("failed to get network: %w", err)
-		}
-
-		existing, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, router.AccountID, router.ID)
-		if err != nil {
-			return fmt.Errorf("failed to get network router: %w", err)
-		}
-
-		if existing.AccountID != router.AccountID {
-			return status.NewNetworkRouterNotFoundError(router.ID)
-		}
-
-		if existing.NetworkID != router.NetworkID {
-			return status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
-		}
-
-		err = transaction.UpdateNetworkRouter(ctx, router)
-		if err != nil {
-			return fmt.Errorf("failed to update network router: %w", err)
-		}
-
-		err = transaction.IncrementNetworkSerial(ctx, router.AccountID)
-		if err != nil {
-			return fmt.Errorf("failed to increment network serial: %w", err)
-		}
-
-		return nil
+		var txErr error
+		network, affectedData, txErr = m.updateRouterInTransaction(ctx, transaction, router)
+		return txErr
 	})
 	if err != nil {
 		return nil, err
@@ -193,11 +180,61 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t
 
 	m.accountManager.StoreEvent(ctx, userID, router.ID, router.AccountID, activity.NetworkRouterUpdated, router.EventMeta(network))
 
-	go m.accountManager.UpdateAccountPeers(ctx, router.AccountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetworkRouter, Operation: serverTypes.UpdateOperationUpdate})
+	if affectedPeerIDs := m.resolveRouterAffectedPeers(ctx, router.AccountID, affectedData); len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("UpdateRouter %s: updating %d affected peers: %v", router.ID, len(affectedPeerIDs), affectedPeerIDs)
+		go m.accountManager.UpdateAffectedPeers(ctx, router.AccountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("UpdateRouter %s: no affected peers", router.ID)
+	}
 
 	return router, nil
 }
 
+func (m *managerImpl) updateRouterInTransaction(ctx context.Context, transaction store.Store, router *types.NetworkRouter) (*networkTypes.Network, *routerAffectedPeersData, error) {
+	network, err := transaction.GetNetworkByID(ctx, store.LockingStrengthNone, router.AccountID, router.NetworkID)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get network: %w", err)
+	}
+
+	existing, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, router.AccountID, router.ID)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get network router: %w", err)
+	}
+
+	if existing.AccountID != router.AccountID {
+		return nil, nil, status.NewNetworkRouterNotFoundError(router.ID)
+	}
+
+	if existing.NetworkID != router.NetworkID {
+		return nil, nil, status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
+	}
+
+	allPeerGroups := append([]string{}, router.PeerGroups...)
+	allPeerGroups = append(allPeerGroups, existing.PeerGroups...)
+	var directPeers []string
+	if router.Peer != "" {
+		directPeers = append(directPeers, router.Peer)
+	}
+	if existing.Peer != "" {
+		directPeers = append(directPeers, existing.Peer)
+	}
+
+	if err = transaction.UpdateNetworkRouter(ctx, router); err != nil {
+		return nil, nil, fmt.Errorf("failed to update network router: %w", err)
+	}
+
+	if err = transaction.IncrementNetworkSerial(ctx, router.AccountID); err != nil {
+		return nil, nil, fmt.Errorf("failed to increment network serial: %w", err)
+	}
+
+	affectedData, err := loadRouterAffectedPeersData(ctx, transaction, router.AccountID, router.NetworkID, allPeerGroups, directPeers...)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
+	}
+
+	return network, affectedData, nil
+}
+
 func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, networkID, routerID string) error {
 	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
@@ -208,7 +245,19 @@ func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, netwo
 	}
 
 	var event func()
+	var affectedData *routerAffectedPeersData
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		router, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthNone, accountID, routerID)
+		if err != nil {
+			return fmt.Errorf("failed to get router: %w", err)
+		}
+
+		// load before delete so group memberships are still present
+		affectedData, err = loadRouterAffectedPeersData(ctx, transaction, accountID, networkID, router.PeerGroups, router.Peer)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to load affected peers data: %v", err)
+		}
+
 		event, err = m.DeleteRouterInTransaction(ctx, transaction, accountID, userID, networkID, routerID)
 		if err != nil {
 			return fmt.Errorf("failed to delete network router: %w", err)
@@ -227,7 +276,12 @@ func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, netwo
 
 	event()
 
-	go m.accountManager.UpdateAccountPeers(ctx, accountID, serverTypes.UpdateReason{Resource: serverTypes.UpdateResourceNetworkRouter, Operation: serverTypes.UpdateOperationDelete})
+	if affectedPeerIDs := m.resolveRouterAffectedPeers(ctx, accountID, affectedData); len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("DeleteRouter %s: updating %d affected peers: %v", routerID, len(affectedPeerIDs), affectedPeerIDs)
+		go m.accountManager.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("DeleteRouter %s: no affected peers", routerID)
+	}
 
 	return nil
 }
@@ -259,6 +313,153 @@ func (m *managerImpl) DeleteRouterInTransaction(ctx context.Context, transaction
 	return event, nil
 }
 
+// routerAffectedPeersData holds data loaded inside a transaction for affected peer resolution.
+type routerAffectedPeersData struct {
+	routerPeerGroups []string
+	directPeerIDs    []string
+	resourceGroupIDs []string
+	policies         []*nbtypes.Policy
+}
+
+// loadRouterAffectedPeersData loads the data needed to determine affected peers within a transaction.
+func loadRouterAffectedPeersData(ctx context.Context, transaction store.Store, accountID, networkID string, routerPeerGroups []string, directPeers ...string) (*routerAffectedPeersData, error) {
+	var directPeerIDs []string
+	for _, p := range directPeers {
+		if p != "" {
+			directPeerIDs = append(directPeerIDs, p)
+		}
+	}
+
+	if len(routerPeerGroups) == 0 && len(directPeerIDs) == 0 {
+		return &routerAffectedPeersData{}, nil
+	}
+
+	resources, err := transaction.GetNetworkResourcesByNetID(ctx, store.LockingStrengthNone, accountID, networkID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get network resources: %w", err)
+	}
+
+	var resourceGroupIDs []string
+	for _, resource := range resources {
+		if !resource.Enabled {
+			continue
+		}
+		groups, err := transaction.GetResourceGroups(ctx, store.LockingStrengthNone, accountID, resource.ID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get groups for resource %s: %w", resource.ID, err)
+		}
+		for _, g := range groups {
+			resourceGroupIDs = append(resourceGroupIDs, g.ID)
+		}
+	}
+
+	var policies []*nbtypes.Policy
+	if len(resourceGroupIDs) > 0 {
+		policies, err = transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get policies: %w", err)
+		}
+	}
+
+	return &routerAffectedPeersData{
+		routerPeerGroups: routerPeerGroups,
+		directPeerIDs:    directPeerIDs,
+		resourceGroupIDs: resourceGroupIDs,
+		policies:         policies,
+	}, nil
+}
+
+// resolveRouterAffectedPeers computes affected peer IDs from preloaded data outside the transaction.
+func (m *managerImpl) resolveRouterAffectedPeers(ctx context.Context, accountID string, data *routerAffectedPeersData) []string {
+	if data == nil {
+		return nil
+	}
+
+	log.WithContext(ctx).Tracef("resolveRouterAffectedPeers: routerPeerGroups=%v, directPeerIDs=%v, resourceGroupIDs=%v, policies=%d",
+		data.routerPeerGroups, data.directPeerIDs, data.resourceGroupIDs, len(data.policies))
+	groupSet := make(map[string]struct{})
+
+	for _, gID := range data.routerPeerGroups {
+		groupSet[gID] = struct{}{}
+	}
+
+	if len(data.resourceGroupIDs) > 0 {
+		collectPolicySourceGroups(data.policies, data.resourceGroupIDs, groupSet)
+	}
+
+	if len(groupSet) == 0 && len(data.directPeerIDs) == 0 {
+		return nil
+	}
+
+	peerIDs := resolveGroupsAndDirectPeers(ctx, m.store, accountID, groupSet, data.directPeerIDs)
+
+	log.WithContext(ctx).Tracef("resolveRouterAffectedPeers: result %d peers: %v", len(peerIDs), peerIDs)
+	return peerIDs
+}
+
+// collectPolicySourceGroups finds policies whose rules reference any of the destination group IDs
+// and adds their source groups to the groupSet.
+func collectPolicySourceGroups(policies []*nbtypes.Policy, destGroupIDs []string, groupSet map[string]struct{}) {
+	destSet := make(map[string]struct{}, len(destGroupIDs))
+	for _, gID := range destGroupIDs {
+		destSet[gID] = struct{}{}
+	}
+
+	for _, policy := range policies {
+		if policy == nil || !policy.Enabled {
+			continue
+		}
+		for _, rule := range policy.Rules {
+			if rule == nil || !rule.Enabled {
+				continue
+			}
+			if ruleMatchesDestinations(rule, destSet) {
+				for _, gID := range rule.Sources {
+					groupSet[gID] = struct{}{}
+				}
+			}
+		}
+	}
+}
+
+func ruleMatchesDestinations(rule *nbtypes.PolicyRule, destSet map[string]struct{}) bool {
+	for _, gID := range rule.Destinations {
+		if _, ok := destSet[gID]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+func resolveGroupsAndDirectPeers(ctx context.Context, s store.Store, accountID string, groupSet map[string]struct{}, directPeerIDs []string) []string {
+	groupIDs := make([]string, 0, len(groupSet))
+	for gID := range groupSet {
+		groupIDs = append(groupIDs, gID)
+	}
+
+	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to resolve peer IDs: %v", err)
+		return nil
+	}
+
+	if len(directPeerIDs) == 0 {
+		return peerIDs
+	}
+
+	seen := make(map[string]struct{}, len(peerIDs))
+	for _, id := range peerIDs {
+		seen[id] = struct{}{}
+	}
+	for _, id := range directPeerIDs {
+		if _, exists := seen[id]; !exists {
+			peerIDs = append(peerIDs, id)
+			seen[id] = struct{}{}
+		}
+	}
+	return peerIDs
+}
+
 func NewManagerMock() Manager {
 	return &mockManager{}
 }

management/server/peer.go

@@ -120,19 +120,23 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 	}
 
 	if expired {
-		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID}); err != nil {
+		changedPeerIDs := []string{peer.ID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
+		if err != nil {
 			return fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
 	}
 
 	// An embedded proxy peer flipping to connected is the trigger for
 	// SynthesizePrivateServiceZones to emit DNS A records pointing at its
-	// tunnel IP. Without an account-wide netmap recompute, user peers keep
-	// the stale synth (or no synth at all on first connect) until some
-	// other change pokes the controller. Fire OnPeersUpdated so the
-	// buffered recompute fans the new state out to every peer.
+	// tunnel IP. Fan the change out to every peer that has a synthesized
+	// policy or DNS-record edge from this proxy peer; otherwise their
+	// synth state stays stale until some other change pokes the controller.
 	if peer.ProxyMeta.Embedded {
-		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID}); err != nil {
+		changedPeerIDs := []string{peer.ID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
 			log.WithContext(ctx).Warnf("notify network map controller of embedded proxy %s connect: %v", peer.ID, err)
 		}
 	}
@@ -174,11 +178,12 @@ func (am *DefaultAccountManager) MarkPeerDisconnected(ctx context.Context, peerP
 	am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusDisconnect, telemetry.PeerStatusApplied)
 
 	// Symmetric with MarkPeerConnected: when an embedded proxy peer goes
-	// offline, drive an account-wide netmap recompute so the synthesized
-	// DNS records that pointed at it are pulled. Without this the records
-	// linger client-side at TTL until something else triggers a refresh.
+	// offline, refresh the peers that had synthesized records pointing at
+	// it so they pull the stale entries instead of waiting out TTL.
 	if peer.ProxyMeta.Embedded {
-		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID}); err != nil {
+		changedPeerIDs := []string{peer.ID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		if err := am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
 			log.WithContext(ctx).Warnf("notify network map controller of embedded proxy %s disconnect: %v", peer.ID, err)
 		}
 	}
@@ -345,7 +350,10 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 		}
 	}
 
-	err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
+	changedPeerIDs := []string{peer.ID}
+	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+	affectedPeerIDs = append(affectedPeerIDs, peer.ID)
+	err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
 	if err != nil {
 		return nil, fmt.Errorf("notify network map controller of peer update: %w", err)
 	}
@@ -503,6 +511,7 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 	var peer *nbpeer.Peer
 	var settings *types.Settings
 	var eventsToStore []func()
+	var affectedPeerIDs []string
 
 	serviceID, err := am.serviceManager.GetServiceIDByTargetID(ctx, accountID, peerID)
 	if err != nil {
@@ -527,6 +536,8 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 			return err
 		}
 
+		affectedPeerIDs = am.resolveAffectedPeersForPeerChanges(ctx, transaction, accountID, []string{peerID})
+
 		eventsToStore, err = deletePeers(ctx, am, transaction, accountID, userID, []*nbpeer.Peer{peer}, settings)
 		if err != nil {
 			return fmt.Errorf("failed to delete peer: %w", err)
@@ -550,7 +561,7 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 		log.WithContext(ctx).Errorf("failed to delete peer %s from integrated validator: %v", peerID, err)
 	}
 
-	if err = am.networkMapController.OnPeersDeleted(ctx, accountID, []string{peerID}); err != nil {
+	if err = am.networkMapController.OnPeersDeleted(ctx, accountID, []string{peerID}, affectedPeerIDs); err != nil {
 		log.WithContext(ctx).Errorf("failed to delete peer %s from network map: %v", peerID, err)
 	}
 
@@ -923,7 +934,9 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		am.StoreEvent(ctx, opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)
 	}
 
-	if err := am.networkMapController.OnPeersAdded(ctx, accountID, []string{newPeer.ID}); err != nil {
+	changedPeerIDs := []string{newPeer.ID}
+	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+	if err := am.networkMapController.OnPeersAdded(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
 		log.WithContext(ctx).Errorf("failed to update network map cache for peer %s: %v", newPeer.ID, err)
 	}
 
@@ -1011,7 +1024,9 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	}
 
 	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || (updated && (len(postureChecks) > 0 || versionChanged)) {
-		err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
+		changedPeerIDs := []string{peer.ID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
 		if err != nil {
 			return nil, nil, nil, 0, fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -1141,7 +1156,9 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 	}
 
 	if updateRemotePeers || isStatusChanged || ipv6CapabilityChanged || (isPeerUpdated && len(postureChecks) > 0) {
-		err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
+		changedPeerIDs := []string{peer.ID}
+		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+		err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -1406,6 +1423,64 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 	_ = am.networkMapController.UpdateAccountPeers(ctx, accountID, reason)
 }
 
+// UpdateAffectedPeers updates only the specified peers that belong to an account.
+func (am *DefaultAccountManager) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) {
+	ctx = context.WithoutCancel(ctx)
+	log.WithContext(ctx).Tracef("UpdateAffectedPeers: %d peers for account %s", len(peerIDs), accountID)
+	_ = am.networkMapController.UpdateAffectedPeers(ctx, accountID, peerIDs)
+}
+
+// resolvePeerIDs resolves group IDs and direct peer IDs into a deduplicated peer ID list.
+func (am *DefaultAccountManager) resolvePeerIDs(ctx context.Context, s store.Store, accountID string, groupIDs []string, directPeerIDs []string) []string {
+	peerIDs, err := s.GetPeerIDsByGroups(ctx, accountID, groupIDs)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to resolve peer IDs by groups: %v", err)
+		return nil
+	}
+
+	if len(directPeerIDs) == 0 {
+		log.WithContext(ctx).Tracef("resolvePeerIDs: groups=%v -> %d peers: %v", groupIDs, len(peerIDs), peerIDs)
+		return peerIDs
+	}
+
+	seen := make(map[string]struct{}, len(peerIDs))
+	for _, id := range peerIDs {
+		seen[id] = struct{}{}
+	}
+	for _, id := range directPeerIDs {
+		if _, exists := seen[id]; !exists {
+			peerIDs = append(peerIDs, id)
+			seen[id] = struct{}{}
+		}
+	}
+
+	log.WithContext(ctx).Tracef("resolvePeerIDs: groups=%v + directPeers=%v -> %d peers: %v", groupIDs, directPeerIDs, len(peerIDs), peerIDs)
+	return peerIDs
+}
+
+// BufferUpdateAffectedPeers accumulates peer IDs and flushes them after the buffer interval.
+func (am *DefaultAccountManager) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) {
+	_ = am.networkMapController.BufferUpdateAffectedPeers(ctx, accountID, peerIDs, reason)
+}
+
+// resolveAffectedPeersForPeerChanges resolves changed peer IDs into the full set of affected peer IDs.
+func (am *DefaultAccountManager) resolveAffectedPeersForPeerChanges(ctx context.Context, s store.Store, accountID string, changedPeerIDs []string) []string {
+	groupIDs, err := s.GetGroupIDsByPeerIDs(ctx, accountID, changedPeerIDs)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get group IDs for changed peers: %v", err)
+		return nil
+	}
+
+	log.WithContext(ctx).Tracef("resolveAffectedPeersForPeerChanges: changedPeers=%v -> groups=%v", changedPeerIDs, groupIDs)
+
+	// Single pass: find entities referencing the changed groups OR the changed peers directly
+	allGroupIDs, directPeerIDs := collectPeerChangeAffectedGroups(ctx, s, accountID, groupIDs, changedPeerIDs)
+	result := am.resolvePeerIDs(ctx, s, accountID, allGroupIDs, directPeerIDs)
+
+	log.WithContext(ctx).Tracef("resolveAffectedPeersForPeerChanges: changedPeers=%v -> %d affected peers", changedPeerIDs, len(result))
+	return result
+}
+
 func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
 	_ = am.networkMapController.BufferUpdateAccountPeers(ctx, accountID, reason)
 }

management/server/peer_test.go

@@ -1855,7 +1855,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("adding peer to unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg) //
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -1880,7 +1880,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -2018,7 +2018,10 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 		}
 	})
 
-	// Adding peer to group linked with route should update account peers and send peer update
+	// drain any buffered updates from previous subtests
+	drainPeerUpdates(updMsg)
+
+	// Adding peer to group linked with route should update peers in that group, not unrelated peers
 	t.Run("adding peer to group linked with route", func(t *testing.T) {
 		route := nbroute.Route{
 			ID:          "testingRoute1",
@@ -2042,7 +2045,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -2059,16 +2062,16 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(peerUpdateTimeout):
-			t.Error("timeout waiting for peerShouldReceiveUpdate")
+		case <-time.After(time.Second):
+			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
 		}
 	})
 
-	// Deleting peer with linked group to route should update account peers and send peer update
+	// Deleting peer with linked group to route should update peers in that group, not unrelated peers
 	t.Run("deleting peer with linked group to route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -2077,12 +2080,12 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(peerUpdateTimeout):
-			t.Error("timeout waiting for peerShouldReceiveUpdate")
+		case <-time.After(time.Second):
+			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
 		}
 	})
 
-	// Adding peer to group linked with name server group should update account peers and send peer update
+	// Adding peer to group linked with name server group should update peers in that group, not unrelated peers
 	t.Run("adding peer to group linked with name server group", func(t *testing.T) {
 		_, err = manager.CreateNameServerGroup(
 			context.Background(), account.Id, "nsGroup", "nsGroup", []nbdns.NameServer{{
@@ -2097,7 +2100,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -2114,16 +2117,16 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(peerUpdateTimeout):
-			t.Error("timeout waiting for peerShouldReceiveUpdate")
+		case <-time.After(time.Second):
+			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
 		}
 	})
 
-	// Deleting peer with linked group to name server group should update account peers and send peer update
+	// Deleting peer with linked group to name server group should update peers in that group, not unrelated peers
 	t.Run("deleting peer with linked group to route", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -2132,8 +2135,8 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(peerUpdateTimeout):
-			t.Error("timeout waiting for peerShouldReceiveUpdate")
+		case <-time.After(time.Second):
+			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
 		}
 	})
 }

management/server/policy.go

@@ -5,7 +5,7 @@ import (
 	_ "embed"
 
 	"github.com/rs/xid"
-	"github.com/sirupsen/logrus"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
@@ -45,44 +45,37 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	}
 
 	var isUpdate = policy.ID != ""
-	var updateAccountPeers bool
+	var existingPolicy *types.Policy
 	var action = activity.PolicyAdded
 	var unchanged bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existingPolicy, err := validatePolicy(ctx, transaction, accountID, policy)
+		existingPolicy, err = validatePolicy(ctx, transaction, accountID, policy)
 		if err != nil {
 			return err
 		}
 
 		if isUpdate {
 			if policy.Equal(existingPolicy) {
-				logrus.WithContext(ctx).Tracef("policy update skipped because equal to stored one - policy id %s", policy.ID)
+				log.WithContext(ctx).Tracef("policy update skipped because equal to stored one - policy id %s", policy.ID)
 				unchanged = true
 				return nil
 			}
 
 			action = activity.PolicyUpdated
 
-			updateAccountPeers, err = arePolicyChangesAffectPeersWithExisting(ctx, transaction, policy, existingPolicy)
-			if err != nil {
-				return err
-			}
-
 			if err = transaction.SavePolicy(ctx, policy); err != nil {
 				return err
 			}
 		} else {
-			updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
-			if err != nil {
-				return err
-			}
-
 			if err = transaction.CreatePolicy(ctx, policy); err != nil {
 				return err
 			}
 		}
 
+		affectedPeerIDs = am.resolvePolicyAffectedPeers(ctx, transaction, accountID, policy, existingPolicy)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -95,12 +88,11 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 
 	am.StoreEvent(ctx, userID, policy.ID, accountID, action, policy.EventMeta())
 
-	if updateAccountPeers {
-		policyOp := types.UpdateOperationCreate
-		if isUpdate {
-			policyOp = types.UpdateOperationUpdate
-		}
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePolicy, Operation: policyOp})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Tracef("SavePolicy %s: updating %d affected peers: %v", policy.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("SavePolicy %s: no affected peers", policy.ID)
 	}
 
 	return policy, nil
@@ -117,7 +109,7 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 	}
 
 	var policy *types.Policy
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		policy, err = transaction.GetPolicyByID(ctx, store.LockingStrengthUpdate, accountID, policyID)
@@ -125,10 +117,7 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 			return err
 		}
 
-		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
-		if err != nil {
-			return err
-		}
+		affectedPeerIDs = am.resolvePolicyAffectedPeers(ctx, transaction, accountID, policy)
 
 		if err = transaction.DeletePolicy(ctx, accountID, policyID); err != nil {
 			return err
@@ -142,8 +131,11 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 
 	am.StoreEvent(ctx, userID, policyID, accountID, activity.PolicyRemoved, policy.EventMeta())
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePolicy, Operation: types.UpdateOperationDelete})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("DeletePolicy %s: updating %d affected peers: %v", policyID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("DeletePolicy %s: no affected peers", policyID)
 	}
 
 	return nil
@@ -162,44 +154,41 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
 	return am.Store.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
 }
 
-// arePolicyChangesAffectPeers checks if a policy (being created or deleted) will affect any associated peers.
-func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, policy *types.Policy) (bool, error) {
-	for _, rule := range policy.Rules {
-		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
-			return true, nil
+// collectPolicyAffectedGroupsAndPeers returns group IDs and direct peer IDs from the given policies.
+func collectPolicyAffectedGroupsAndPeers(ctx context.Context, policies ...*types.Policy) (groupIDs []string, directPeerIDs []string) {
+	for _, policy := range policies {
+		if policy == nil {
+			continue
+		}
+		ruleGroups := policy.RuleGroups()
+		log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: policy %s (%s) ruleGroups=%v", policy.ID, policy.Name, ruleGroups)
+		groupIDs = append(groupIDs, ruleGroups...)
+		for _, rule := range policy.Rules {
+			if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
+				log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: policy %s rule %s direct source peer %s", policy.ID, rule.ID, rule.SourceResource.ID)
+				directPeerIDs = append(directPeerIDs, rule.SourceResource.ID)
+			}
+			if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
+				log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: policy %s rule %s direct destination peer %s", policy.ID, rule.ID, rule.DestinationResource.ID)
+				directPeerIDs = append(directPeerIDs, rule.DestinationResource.ID)
+			}
 		}
 	}
-
-	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
+	log.WithContext(ctx).Tracef("collectPolicyAffectedGroupsAndPeers: result groupIDs=%v, directPeerIDs=%v", groupIDs, directPeerIDs)
+	return
 }
 
-func arePolicyChangesAffectPeersWithExisting(ctx context.Context, transaction store.Store, policy *types.Policy, existingPolicy *types.Policy) (bool, error) {
-	if !policy.Enabled && !existingPolicy.Enabled {
-		return false, nil
-	}
+// resolvePolicyAffectedPeers resolves the peers affected by the given policies into
+// a deduplicated peer ID list. It combines the policies' literal rule groups and
+// direct peers with the routing peers that serve any targeted network resource.
+func (am *DefaultAccountManager) resolvePolicyAffectedPeers(ctx context.Context, transaction store.Store, accountID string, policies ...*types.Policy) []string {
+	groupIDs, directPeerIDs := collectPolicyAffectedGroupsAndPeers(ctx, policies...)
 
-	for _, rule := range existingPolicy.Rules {
-		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
-			return true, nil
-		}
-	}
+	groupSet := toSet(groupIDs)
+	peerSet := toSet(directPeerIDs)
+	collectPolicyRouterBridge(ctx, transaction, accountID, groupSet, peerSet, policies...)
 
-	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, existingPolicy.RuleGroups())
-	if err != nil {
-		return false, err
-	}
-
-	if hasPeers {
-		return true, nil
-	}
-
-	for _, rule := range policy.Rules {
-		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
-			return true, nil
-		}
-	}
-
-	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
+	return am.resolvePeerIDs(ctx, transaction, accountID, setToSlice(groupSet), setToSlice(peerSet))
 }
 
 // validatePolicy validates the policy and its rules. For updates it returns

management/server/policy_test.go

@@ -1319,12 +1319,14 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 		}
 	})
 
-	// Updating disabled policy with destination and source groups containing peers should not update account's peers
-	// or send peer update
+	// Updating disabled policy with destination and source groups containing peers should still update account's peers
+	// because affected peer resolution does not filter by policy enabled state
 	t.Run("updating disabled policy with source and destination groups with peers", func(t *testing.T) {
+		drainPeerUpdates(updMsg)
+
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -1335,8 +1337,8 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
-			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+		case <-time.After(peerUpdateTimeout):
+			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
 

management/server/posture_checks.go

@@ -5,13 +5,13 @@ import (
 	"slices"
 
 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -41,9 +41,9 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	var updateAccountPeers bool
 	var isUpdate = postureChecks.ID != ""
 	var action = activity.PostureCheckCreated
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validatePostureChecks(ctx, transaction, accountID, postureChecks); err != nil {
@@ -51,12 +51,10 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 		}
 
 		if isUpdate {
-			updateAccountPeers, err = arePostureCheckChangesAffectPeers(ctx, transaction, accountID, postureChecks.ID)
-			if err != nil {
-				return err
-			}
-
 			action = activity.PostureCheckUpdated
+
+			groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(ctx, transaction, accountID, postureChecks.ID)
+			affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
 		}
 
 		postureChecks.AccountID = accountID
@@ -76,12 +74,11 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 
 	am.StoreEvent(ctx, userID, postureChecks.ID, accountID, action, postureChecks.EventMeta())
 
-	if updateAccountPeers {
-		postureOp := types.UpdateOperationCreate
-		if isUpdate {
-			postureOp = types.UpdateOperationUpdate
-		}
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePostureCheck, Operation: postureOp})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("SavePostureChecks %s: updating %d affected peers: %v", postureChecks.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("SavePostureChecks %s: no affected peers", postureChecks.ID)
 	}
 
 	return postureChecks, nil
@@ -137,27 +134,25 @@ func (am *DefaultAccountManager) ListPostureChecks(ctx context.Context, accountI
 	return am.Store.GetAccountPostureChecks(ctx, store.LockingStrengthNone, accountID)
 }
 
-// arePostureCheckChangesAffectPeers checks if the changes in posture checks are affecting peers.
-func arePostureCheckChangesAffectPeers(ctx context.Context, transaction store.Store, accountID, postureCheckID string) (bool, error) {
+// collectPostureCheckAffectedGroupsAndPeers returns group IDs and peer IDs from policies referencing the posture check.
+func collectPostureCheckAffectedGroupsAndPeers(ctx context.Context, transaction store.Store, accountID, postureCheckID string) (groupIDs []string, directPeerIDs []string) {
 	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		return false, err
+		log.WithContext(ctx).Errorf("failed to get policies for posture check affected peers resolution: %v", err)
+		return nil, nil
 	}
 
 	for _, policy := range policies {
 		if slices.Contains(policy.SourcePostureChecks, postureCheckID) {
-			hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, accountID, policy.RuleGroups())
-			if err != nil {
-				return false, err
-			}
-
-			if hasPeers {
-				return true, nil
-			}
+			log.WithContext(ctx).Tracef("collectPostureCheckAffectedGroupsAndPeers: posture check %s referenced by policy %s (%s)", postureCheckID, policy.ID, policy.Name)
+			gIDs, pIDs := collectPolicyAffectedGroupsAndPeers(ctx, policy)
+			groupIDs = append(groupIDs, gIDs...)
+			directPeerIDs = append(directPeerIDs, pIDs...)
 		}
 	}
 
-	return false, nil
+	log.WithContext(ctx).Tracef("collectPostureCheckAffectedGroupsAndPeers: postureCheck=%s -> groupIDs=%v, directPeerIDs=%v", postureCheckID, groupIDs, directPeerIDs)
+	return groupIDs, directPeerIDs
 }
 
 // validatePostureChecks validates the posture checks.

management/server/posture_checks_test.go

@@ -503,21 +503,20 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 	require.NoError(t, err, "failed to save policy")
 
 	t.Run("posture check exists and is linked to policy with peers", func(t *testing.T) {
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		require.NoError(t, err)
-		assert.True(t, result)
+		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		assert.NotEmpty(t, groupIDs)
 	})
 
 	t.Run("posture check exists but is not linked to any policy", func(t *testing.T) {
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckB.ID)
-		require.NoError(t, err)
-		assert.False(t, result)
+		groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckB.ID)
+		assert.Empty(t, groupIDs)
+		assert.Empty(t, directPeerIDs)
 	})
 
 	t.Run("posture check does not exist", func(t *testing.T) {
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, "unknown")
-		require.NoError(t, err)
-		assert.False(t, result)
+		groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, "unknown")
+		assert.Empty(t, groupIDs)
+		assert.Empty(t, directPeerIDs)
 	})
 
 	t.Run("posture check is linked to policy with no peers in source groups", func(t *testing.T) {
@@ -526,9 +525,8 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		_, err = manager.SavePolicy(context.Background(), account.Id, adminUserID, policy, true)
 		require.NoError(t, err, "failed to update policy")
 
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		require.NoError(t, err)
-		assert.True(t, result)
+		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		assert.NotEmpty(t, groupIDs)
 	})
 
 	t.Run("posture check is linked to policy with no peers in destination groups", func(t *testing.T) {
@@ -537,9 +535,8 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		_, err = manager.SavePolicy(context.Background(), account.Id, adminUserID, policy, true)
 		require.NoError(t, err, "failed to update policy")
 
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		require.NoError(t, err)
-		assert.True(t, result)
+		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		assert.NotEmpty(t, groupIDs)
 	})
 
 	t.Run("posture check is linked to policy but no peers in groups", func(t *testing.T) {
@@ -547,9 +544,9 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		err = manager.UpdateGroup(context.Background(), account.Id, adminUserID, groupA)
 		require.NoError(t, err, "failed to save groups")
 
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		require.NoError(t, err)
-		assert.False(t, result)
+		// The collector returns groups even if they have no peers — the groups are still referenced
+		groupIDs, _ := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		assert.NotEmpty(t, groupIDs)
 	})
 
 	t.Run("posture check is linked to policy with non-existent group", func(t *testing.T) {
@@ -558,8 +555,10 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		_, err = manager.SavePolicy(context.Background(), account.Id, adminUserID, policy, true)
 		require.NoError(t, err, "failed to update policy")
 
-		result, err := arePostureCheckChangesAffectPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
-		require.NoError(t, err)
-		assert.False(t, result)
+		// Non-existent groups are filtered out during SavePolicy validation,
+		// so the saved policy has empty Sources/Destinations
+		groupIDs, directPeerIDs := collectPostureCheckAffectedGroupsAndPeers(context.Background(), manager.Store, account.Id, postureCheckA.ID)
+		assert.Empty(t, groupIDs)
+		assert.Empty(t, directPeerIDs)
 	})
 }

management/server/route.go

@@ -8,6 +8,7 @@ import (
 	"unicode/utf8"
 
 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
@@ -147,7 +148,7 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 	}
 
 	var newRoute *route.Route
-	var updateAccountPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		newRoute = &route.Route{
@@ -173,15 +174,13 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 			return err
 		}
 
-		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, newRoute)
-		if err != nil {
-			return err
-		}
-
 		if err = transaction.SaveRoute(ctx, newRoute); err != nil {
 			return err
 		}
 
+		groupIDs, directPeerIDs := collectRouteAffectedGroupsAndPeers(ctx, newRoute)
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -190,8 +189,11 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 
 	am.StoreEvent(ctx, userID, string(newRoute.ID), accountID, activity.RouteCreated, newRoute.EventMeta())
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceRoute, Operation: types.UpdateOperationCreate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("CreateRoute %s: updating %d affected peers: %v", newRoute.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("CreateRoute %s: no affected peers", newRoute.ID)
 	}
 
 	return newRoute, nil
@@ -208,8 +210,7 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 	}
 
 	var oldRoute *route.Route
-	var oldRouteAffectsPeers bool
-	var newRouteAffectsPeers bool
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateRoute(ctx, transaction, accountID, routeToSave); err != nil {
@@ -221,21 +222,15 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 			return err
 		}
 
-		oldRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, oldRoute)
-		if err != nil {
-			return err
-		}
-
-		newRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, routeToSave)
-		if err != nil {
-			return err
-		}
 		routeToSave.AccountID = accountID
 
 		if err = transaction.SaveRoute(ctx, routeToSave); err != nil {
 			return err
 		}
 
+		groupIDs, directPeerIDs := collectRouteAffectedGroupsAndPeers(ctx, routeToSave, oldRoute)
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
+
 		return transaction.IncrementNetworkSerial(ctx, accountID)
 	})
 	if err != nil {
@@ -244,8 +239,11 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 
 	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())
 
-	if oldRouteAffectsPeers || newRouteAffectsPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceRoute, Operation: types.UpdateOperationUpdate})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("SaveRoute %s: updating %d affected peers: %v", routeToSave.ID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("SaveRoute %s: no affected peers", routeToSave.ID)
 	}
 
 	return nil
@@ -261,19 +259,17 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
 		return status.NewPermissionDeniedError()
 	}
 
-	var route *route.Route
-	var updateAccountPeers bool
+	var rt *route.Route
+	var affectedPeerIDs []string
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		route, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
+		rt, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
 		if err != nil {
 			return err
 		}
 
-		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, route)
-		if err != nil {
-			return err
-		}
+		groupIDs, directPeerIDs := collectRouteAffectedGroupsAndPeers(ctx, rt)
+		affectedPeerIDs = am.resolvePeerIDs(ctx, transaction, accountID, groupIDs, directPeerIDs)
 
 		if err = transaction.DeleteRoute(ctx, accountID, string(routeID)); err != nil {
 			return err
@@ -285,10 +281,13 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
 		return fmt.Errorf("failed to delete route %s: %w", routeID, err)
 	}
 
-	am.StoreEvent(ctx, userID, string(route.ID), accountID, activity.RouteRemoved, route.EventMeta())
+	am.StoreEvent(ctx, userID, string(rt.ID), accountID, activity.RouteRemoved, rt.EventMeta())
 
-	if updateAccountPeers {
-		am.UpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourceRoute, Operation: types.UpdateOperationDelete})
+	if len(affectedPeerIDs) > 0 {
+		log.WithContext(ctx).Debugf("DeleteRoute %s: updating %d affected peers: %v", routeID, len(affectedPeerIDs), affectedPeerIDs)
+		am.UpdateAffectedPeers(ctx, accountID, affectedPeerIDs)
+	} else {
+		log.WithContext(ctx).Tracef("DeleteRoute %s: no affected peers", routeID)
 	}
 
 	return nil
@@ -377,23 +376,23 @@ func getPlaceholderIP() netip.Prefix {
 	return netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 0, 2, 0}), 32)
 }
 
-// areRouteChangesAffectPeers checks if a given route affects peers by determining
-// if it has a routing peer, distribution, or peer groups that include peers.
-func areRouteChangesAffectPeers(ctx context.Context, transaction store.Store, route *route.Route) (bool, error) {
-	if route.Peer != "" {
-		return true, nil
+// collectRouteAffectedGroupsAndPeers returns group IDs and direct peer IDs from the given routes.
+func collectRouteAffectedGroupsAndPeers(ctx context.Context, routes ...*route.Route) (groupIDs []string, directPeerIDs []string) {
+	for _, r := range routes {
+		if r == nil {
+			continue
+		}
+		log.WithContext(ctx).Tracef("collectRouteAffectedGroupsAndPeers: route %s groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
+			r.ID, r.Groups, r.PeerGroups, r.AccessControlGroups, r.Peer)
+		groupIDs = append(groupIDs, r.Groups...)
+		groupIDs = append(groupIDs, r.PeerGroups...)
+		groupIDs = append(groupIDs, r.AccessControlGroups...)
+		if r.Peer != "" {
+			directPeerIDs = append(directPeerIDs, r.Peer)
+		}
 	}
-
-	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.Groups)
-	if err != nil {
-		return false, err
-	}
-
-	if hasPeers {
-		return true, nil
-	}
-
-	return anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.PeerGroups)
+	log.WithContext(ctx).Tracef("collectRouteAffectedGroupsAndPeers: result groupIDs=%v, directPeerIDs=%v", groupIDs, directPeerIDs)
+	return
 }
 
 // GetRoutesByPrefixOrDomains return list of routes by account and route prefix

management/server/route_test.go

@@ -1962,8 +1962,10 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 	})
 
-	// Creating a route with no routing peer and having peers in groups should update account peers and send peer update
+	// Creating a route with no routing peer and having peers in groups that don't include peer1 should not send peer1 an update
 	t.Run("creating a route with peers in  PeerGroups and Groups", func(t *testing.T) {
+		drainPeerUpdates(updMsg)
+
 		route := route.Route{
 			ID:          "testingRoute2",
 			Network:     netip.MustParsePrefix("192.0.2.0/32"),
@@ -1979,7 +1981,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -1992,8 +1994,8 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(peerUpdateTimeout):
-			t.Error("timeout waiting for peerShouldReceiveUpdate")
+		case <-time.After(time.Second):
+			t.Error("timeout waiting for peerShouldNotReceiveUpdate")
 		}
 
 	})

management/server/store/sql_store.go

@@ -265,7 +265,8 @@ func (s *SqlStore) AcquireGlobalLock(ctx context.Context) (unlock func()) {
 	return unlock
 }
 
-// Deprecated: Full account operations are no longer supported
+// Deprecated: Full
+// account operations are no longer supported
 func (s *SqlStore) SaveAccount(ctx context.Context, account *types.Account) error {
 	start := time.Now()
 	defer func() {
@@ -4894,6 +4895,64 @@ func (s *SqlStore) GetPeersByGroupIDs(ctx context.Context, accountID string, gro
 	return peers, nil
 }
 
+func (s *SqlStore) GetPeerIDsByGroups(ctx context.Context, accountID string, groupIDs []string) ([]string, error) {
+	if len(groupIDs) == 0 {
+		return nil, nil
+	}
+
+	var peerIDs []string
+	result := s.db.Model(&types.GroupPeer{}).
+		Select("DISTINCT peer_id").
+		Where("account_id = ? AND group_id IN ?", accountID, groupIDs).
+		Pluck("peer_id", &peerIDs)
+	if result.Error != nil {
+		return nil, status.Errorf(status.Internal, "failed to get peer IDs by groups: %s", result.Error)
+	}
+
+	return peerIDs, nil
+}
+
+func (s *SqlStore) GetGroupIDsByPeerIDs(ctx context.Context, accountID string, peerIDs []string) ([]string, error) {
+	if len(peerIDs) == 0 {
+		return nil, nil
+	}
+
+	var groupIDs []string
+	result := s.db.Model(&types.GroupPeer{}).
+		Select("DISTINCT group_id").
+		Where("account_id = ? AND peer_id IN ?", accountID, peerIDs).
+		Pluck("group_id", &groupIDs)
+	if result.Error != nil {
+		return nil, status.Errorf(status.Internal, "failed to get group IDs by peers: %s", result.Error)
+	}
+
+	return groupIDs, nil
+}
+
+// GetEmbeddedProxyPeerIDsByCluster returns peer IDs of all embedded proxy peers
+// in the account, grouped by their ProxyCluster. The map is nil when no embedded
+// proxy peers exist.
+func (s *SqlStore) GetEmbeddedProxyPeerIDsByCluster(ctx context.Context, accountID string) (map[string][]string, error) {
+	type row struct {
+		ID      string
+		Cluster string
+	}
+	var rows []row
+	result := s.db.Model(&nbpeer.Peer{}).
+		Select("id, proxy_meta_cluster AS cluster").
+		Where("account_id = ? AND proxy_meta_embedded = ?", accountID, true).
+		Scan(&rows)
+	if result.Error != nil {
+		return nil, status.Errorf(status.Internal, "failed to get embedded proxy peers: %s", result.Error)
+	}
+
+	out := make(map[string][]string, len(rows))
+	for _, r := range rows {
+		out[r.Cluster] = append(out[r.Cluster], r.ID)
+	}
+	return out, nil
+}
+
 func (s *SqlStore) GetUserIDByPeerKey(ctx context.Context, lockStrength LockingStrength, peerKey string) (string, error) {
 	tx := s.db
 	if lockStrength != LockingStrengthNone {

management/server/store/store.go

@@ -162,6 +162,9 @@ type Store interface {
 	GetPeerByID(ctx context.Context, lockStrength LockingStrength, accountID string, peerID string) (*nbpeer.Peer, error)
 	GetPeersByIDs(ctx context.Context, lockStrength LockingStrength, accountID string, peerIDs []string) (map[string]*nbpeer.Peer, error)
 	GetPeersByGroupIDs(ctx context.Context, accountID string, groupIDs []string) ([]*nbpeer.Peer, error)
+	GetPeerIDsByGroups(ctx context.Context, accountID string, groupIDs []string) ([]string, error)
+	GetGroupIDsByPeerIDs(ctx context.Context, accountID string, peerIDs []string) ([]string, error)
+	GetEmbeddedProxyPeerIDsByCluster(ctx context.Context, accountID string) (map[string][]string, error)
 	GetAccountPeersWithExpiration(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*nbpeer.Peer, error)
 	GetAccountPeersWithInactivity(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*nbpeer.Peer, error)
 	GetAllEphemeralPeers(ctx context.Context, lockStrength LockingStrength) ([]*nbpeer.Peer, error)

management/server/store/store_mock.go

@@ -1925,6 +1925,51 @@ func (mr *MockStoreMockRecorder) GetPeersByGroupIDs(ctx, accountID, groupIDs int
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeersByGroupIDs", reflect.TypeOf((*MockStore)(nil).GetPeersByGroupIDs), ctx, accountID, groupIDs)
 }
 
+// GetPeerIDsByGroups mocks base method.
+func (m *MockStore) GetPeerIDsByGroups(ctx context.Context, accountID string, groupIDs []string) ([]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetPeerIDsByGroups", ctx, accountID, groupIDs)
+	ret0, _ := ret[0].([]string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetPeerIDsByGroups indicates an expected call of GetPeerIDsByGroups.
+func (mr *MockStoreMockRecorder) GetPeerIDsByGroups(ctx, accountID, groupIDs interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeerIDsByGroups", reflect.TypeOf((*MockStore)(nil).GetPeerIDsByGroups), ctx, accountID, groupIDs)
+}
+
+// GetGroupIDsByPeerIDs mocks base method.
+func (m *MockStore) GetGroupIDsByPeerIDs(ctx context.Context, accountID string, peerIDs []string) ([]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetGroupIDsByPeerIDs", ctx, accountID, peerIDs)
+	ret0, _ := ret[0].([]string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetGroupIDsByPeerIDs indicates an expected call of GetGroupIDsByPeerIDs.
+func (mr *MockStoreMockRecorder) GetGroupIDsByPeerIDs(ctx, accountID, peerIDs interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGroupIDsByPeerIDs", reflect.TypeOf((*MockStore)(nil).GetGroupIDsByPeerIDs), ctx, accountID, peerIDs)
+}
+
+// GetEmbeddedProxyPeerIDsByCluster mocks base method.
+func (m *MockStore) GetEmbeddedProxyPeerIDsByCluster(ctx context.Context, accountID string) (map[string][]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetEmbeddedProxyPeerIDsByCluster", ctx, accountID)
+	ret0, _ := ret[0].(map[string][]string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetEmbeddedProxyPeerIDsByCluster indicates an expected call of GetEmbeddedProxyPeerIDsByCluster.
+func (mr *MockStoreMockRecorder) GetEmbeddedProxyPeerIDsByCluster(ctx, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetEmbeddedProxyPeerIDsByCluster", reflect.TypeOf((*MockStore)(nil).GetEmbeddedProxyPeerIDsByCluster), ctx, accountID)
+}
+
 // GetPeersByIDs mocks base method.
 func (m *MockStore) GetPeersByIDs(ctx context.Context, lockStrength LockingStrength, accountID string, peerIDs []string) (map[string]*peer.Peer, error) {
 	m.ctrl.T.Helper()

management/server/user.go

@@ -1157,7 +1157,8 @@ func (am *DefaultAccountManager) expireAndUpdatePeers(ctx context.Context, accou
 		}
 	}
 
-	err = am.networkMapController.OnPeersUpdated(ctx, accountID, peerIDs)
+	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, peerIDs)
+	err = am.networkMapController.OnPeersUpdated(ctx, accountID, peerIDs, affectedPeerIDs)
 	if err != nil {
 		return fmt.Errorf("notify network map controller of peer update: %w", err)
 	}
@@ -1273,6 +1274,7 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI
 	var userPeers []*nbpeer.Peer
 	var targetUser *types.User
 	var settings *types.Settings
+	var affectedPeerIDs []string
 	var err error
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -1293,6 +1295,14 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI
 
 		if len(userPeers) > 0 {
 			updateAccountPeers = true
+
+			var peerIDs []string
+			for _, peer := range userPeers {
+				peerIDs = append(peerIDs, peer.ID)
+			}
+			// Resolve before delete so group memberships are still present.
+			affectedPeerIDs = am.resolveAffectedPeersForPeerChanges(ctx, transaction, accountID, peerIDs)
+
 			addPeerRemovedEvents, err = deletePeers(ctx, am, transaction, accountID, targetUserInfo.ID, userPeers, settings)
 			if err != nil {
 				return fmt.Errorf("failed to delete user peers: %w", err)
@@ -1316,7 +1326,7 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI
 			log.WithContext(ctx).Errorf("failed to delete peer %s from integrated validator: %v", peer.ID, err)
 		}
 	}
-	if err := am.networkMapController.OnPeersDeleted(ctx, accountID, peerIDs); err != nil {
+	if err := am.networkMapController.OnPeersDeleted(ctx, accountID, peerIDs, affectedPeerIDs); err != nil {
 		log.WithContext(ctx).Errorf("failed to delete peers %s from network map: %v", peerIDs, err)
 	}
 

management/server/user_test.go

@@ -846,7 +846,7 @@ func TestUser_DeleteUser_regularUser(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	networkMapControllerMock := network_map.NewMockController(ctrl)
 	networkMapControllerMock.EXPECT().
-		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any()).
+		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(nil)
 
 	permissionsManager := permissions.NewManager(store)
@@ -962,7 +962,7 @@ func TestUser_DeleteUser_RegularUsers(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	networkMapControllerMock := network_map.NewMockController(ctrl)
 	networkMapControllerMock.EXPECT().
-		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any()).
+		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(nil).
 		AnyTimes()
 
@@ -1531,11 +1531,14 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 		}
 	})
 
+	// drain any buffered updates from previous subtests
+	drainPeerUpdates(updMsg)
+
 	// deleting user with no linked peers should not update account peers and not send peer update
 	t.Run("deleting user with no linked peers", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldReceiveUpdate(t, updMsg)
+			peerShouldNotReceiveUpdate(t, updMsg)
 			close(done)
 		}()
 
@@ -2022,7 +2025,7 @@ func TestUser_Operations_WithEmbeddedIDP(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	networkMapControllerMock := network_map.NewMockController(ctrl)
 	networkMapControllerMock.EXPECT().
-		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any()).
+		OnPeersDeleted(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(nil).
 		AnyTimes()