diff --git a/api/src/main/java/com/cloud/event/EventTypes.java b/api/src/main/java/com/cloud/event/EventTypes.java
index 42395bf89992..f3c3fabc06fd 100644
--- a/api/src/main/java/com/cloud/event/EventTypes.java
+++ b/api/src/main/java/com/cloud/event/EventTypes.java
@@ -854,6 +854,7 @@ public class EventTypes {
     public static final String EVENT_EXTENSION_DELETE = "EXTENSION.DELETE";
     public static final String EVENT_EXTENSION_RESOURCE_REGISTER = "EXTENSION.RESOURCE.REGISTER";
     public static final String EVENT_EXTENSION_RESOURCE_UNREGISTER = "EXTENSION.RESOURCE.UNREGISTER";
+    public static final String EVENT_EXTENSION_RESOURCE_UPDATE = "EXTENSION.RESOURCE.UPDATE";
     public static final String EVENT_EXTENSION_CUSTOM_ACTION_ADD = "EXTENSION.CUSTOM.ACTION.ADD";
     public static final String EVENT_EXTENSION_CUSTOM_ACTION_UPDATE = "EXTENSION.CUSTOM.ACTION.UPDATE";
     public static final String EVENT_EXTENSION_CUSTOM_ACTION_DELETE = "EXTENSION.CUSTOM.ACTION.DELETE";
diff --git a/api/src/main/java/com/cloud/network/Network.java b/api/src/main/java/com/cloud/network/Network.java
index 0846306f70f9..69dffb93ec8d 100644
--- a/api/src/main/java/com/cloud/network/Network.java
+++ b/api/src/main/java/com/cloud/network/Network.java
@@ -207,6 +207,7 @@ public static class Provider {
 
         public static final Provider Nsx = new Provider("Nsx", false);
         public static final Provider Netris = new Provider("Netris", false);
+        public static final Provider NetworkExtension = new Provider("NetworkExtension", false, true);
 
         private final String name;
         private final boolean isExternal;
@@ -250,11 +251,47 @@ public static Provider getProvider(String providerName) {
             return null;
         }
 
+        /** Private constructor for transient (non-registered) providers. */
+        private Provider(String name) {
+            this.name = name;
+            this.isExternal = false;
+            this.needCleanupOnShutdown = true;
+            // intentionally NOT added to supportedProviders
+        }
+
+        /**
+         * Creates a transient (non-registered) {@link Provider} with the given name.
+         *
+         * <p>The new instance is <em>not</em> added to {@code supportedProviders}, so it
+         * will never be returned by {@link #getProvider(String)} and will not pollute the
+         * global provider registry.  Use this for dynamic / extension-backed providers
+         * whose names are only known at runtime (e.g. NetworkOrchestrator extensions).</p>
+         *
+         * @param name the provider name (typically the extension name)
+         * @return a transient {@link Provider} instance with the given name
+         */
+        public static Provider createTransientProvider(String name) {
+            return new Provider(name);
+        }
+
         @Override public String toString() {
             return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
                     .append("name", name)
                     .toString();
         }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (this == obj) return true;
+            if (!(obj instanceof Provider)) return false;
+            Provider provider = (Provider) obj;
+            return this.name.equals(provider.name);
+        }
+
+        @Override
+        public int hashCode() {
+            return name.hashCode();
+        }
     }
 
     public static class Capability {
diff --git a/api/src/main/java/com/cloud/network/NetworkModel.java b/api/src/main/java/com/cloud/network/NetworkModel.java
index c212e6319eb4..7e1a07ebeb69 100644
--- a/api/src/main/java/com/cloud/network/NetworkModel.java
+++ b/api/src/main/java/com/cloud/network/NetworkModel.java
@@ -187,6 +187,8 @@ public interface NetworkModel {
 
     boolean canElementEnableIndividualServices(Provider provider);
 
+    boolean canElementEnableIndividualServicesByName(String providerName);
+
     boolean areServicesSupportedInNetwork(long networkId, Service... services);
 
     boolean isNetworkSystem(Network network);
@@ -237,6 +239,18 @@ public interface NetworkModel {
 
     String getDefaultGuestTrafficLabel(long dcId, HypervisorType vmware);
 
+    /**
+     * Resolves a provider name to a {@link Provider} instance.
+     * For known static providers, delegates to {@link Provider#getProvider(String)}.
+     * For dynamically-registered NetworkOrchestrator extension providers whose names
+     * are not in the static registry, returns a transient {@link Provider} with the
+     * given name so callers can still dispatch correctly.
+     *
+     * @param providerName the provider name from {@code ntwk_service_map} or similar
+     * @return a {@link Provider} instance, or {@code null} if not resolvable
+     */
+    Provider resolveProvider(String providerName);
+
     /**
      * @param providerName
      * @return
diff --git a/api/src/main/java/com/cloud/network/NetworkService.java b/api/src/main/java/com/cloud/network/NetworkService.java
index 53692f932a4e..0c684046fd8f 100644
--- a/api/src/main/java/com/cloud/network/NetworkService.java
+++ b/api/src/main/java/com/cloud/network/NetworkService.java
@@ -155,7 +155,7 @@ PhysicalNetwork createPhysicalNetwork(Long zoneId, String vnetRange, String netw
 
     Pair<List<? extends PhysicalNetwork>, Integer> searchPhysicalNetworks(Long id, Long zoneId, String keyword, Long startIndex, Long pageSize, String name);
 
-    PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<String> tags, String newVnetRangeString, String state);
+    PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<String> tags, String newVnetRangeString, String state, Map<String, String> externalDetails);
 
     boolean deletePhysicalNetwork(Long id);
 
diff --git a/api/src/main/java/com/cloud/network/element/NetworkElement.java b/api/src/main/java/com/cloud/network/element/NetworkElement.java
index cb0fc2fca981..67be7b9ba2e2 100644
--- a/api/src/main/java/com/cloud/network/element/NetworkElement.java
+++ b/api/src/main/java/com/cloud/network/element/NetworkElement.java
@@ -146,4 +146,8 @@ boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, Reser
      * @return true/false
      */
     boolean verifyServicesCombination(Set<Service> services);
+
+    default boolean rollingRestartSupported() {
+        return true;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/UpdatePhysicalNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/UpdatePhysicalNetworkCmd.java
index 6a6264e418ce..1cd3202bf9e8 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/UpdatePhysicalNetworkCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/UpdatePhysicalNetworkCmd.java
@@ -17,6 +17,7 @@
 package org.apache.cloudstack.api.command.admin.network;
 
 import java.util.List;
+import java.util.Map;
 
 
 import org.apache.cloudstack.api.APICommand;
@@ -53,6 +54,12 @@ public class UpdatePhysicalNetworkCmd extends BaseAsyncCmd {
     @Parameter(name = ApiConstants.VLAN, type = CommandType.STRING, description = "The VLAN for the physical Network")
     private String vlan;
 
+    @Parameter(name = ApiConstants.EXTERNAL_DETAILS,
+            type = CommandType.MAP,
+            description = "Details in key/value pairs to be added to the extension-resource mapping. Use the format externaldetails[i].<key>=<value>. Example: externaldetails[0].endpoint.url=https://example.com",
+            since = "4.23.0")
+    protected Map externalDetails;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -77,6 +84,10 @@ public String getVlan() {
         return vlan;
     }
 
+    public Map<String, String> getExternalDetails() {
+        return convertDetailsToMap(externalDetails);
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -88,7 +99,7 @@ public long getEntityOwnerId() {
 
     @Override
     public void execute() {
-        PhysicalNetwork result = _networkService.updatePhysicalNetwork(getId(), getNetworkSpeed(), getTags(), getVlan(), getState());
+        PhysicalNetwork result = _networkService.updatePhysicalNetwork(getId(), getNetworkSpeed(), getTags(), getVlan(), getState(), getExternalDetails());
         if (result != null) {
             PhysicalNetworkResponse response = _responseGenerator.createPhysicalNetworkResponse(result);
             response.setResponseName(getCommandName());
diff --git a/api/src/main/java/org/apache/cloudstack/extension/CustomActionResultResponse.java b/api/src/main/java/org/apache/cloudstack/extension/CustomActionResultResponse.java
index 33ff70fcace5..558340694b8a 100644
--- a/api/src/main/java/org/apache/cloudstack/extension/CustomActionResultResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/extension/CustomActionResultResponse.java
@@ -62,4 +62,12 @@ public Boolean getSuccess() {
     public void setResult(Map<String, String> result) {
         this.result = result;
     }
+
+    public Map<String, String> getResult() {
+        return result;
+    }
+
+    public boolean isSuccess() {
+        return Boolean.TRUE.equals(success);
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/extension/Extension.java b/api/src/main/java/org/apache/cloudstack/extension/Extension.java
index 3068612ed6fe..c1d905718b24 100644
--- a/api/src/main/java/org/apache/cloudstack/extension/Extension.java
+++ b/api/src/main/java/org/apache/cloudstack/extension/Extension.java
@@ -24,7 +24,8 @@
 
 public interface Extension extends InternalIdentity, Identity {
     enum Type {
-        Orchestrator
+        Orchestrator,
+        NetworkOrchestrator
     }
     enum State {
         Enabled, Disabled;
diff --git a/api/src/main/java/org/apache/cloudstack/extension/ExtensionCustomAction.java b/api/src/main/java/org/apache/cloudstack/extension/ExtensionCustomAction.java
index 776b42f671b7..605cc8b6a79c 100644
--- a/api/src/main/java/org/apache/cloudstack/extension/ExtensionCustomAction.java
+++ b/api/src/main/java/org/apache/cloudstack/extension/ExtensionCustomAction.java
@@ -48,7 +48,8 @@
 
 public interface ExtensionCustomAction extends InternalIdentity, Identity {
     enum ResourceType {
-        VirtualMachine(com.cloud.vm.VirtualMachine.class);
+        VirtualMachine(com.cloud.vm.VirtualMachine.class),
+        Network(com.cloud.network.Network.class);
 
         private final Class<?> clazz;
 
diff --git a/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java b/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java
index a01131278a76..2c373988feac 100644
--- a/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java
+++ b/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java
@@ -18,10 +18,99 @@
 package org.apache.cloudstack.extension;
 
 import java.util.List;
+import java.util.Map;
+
+import com.cloud.network.Network.Capability;
+import com.cloud.network.Network.Service;
 
 public interface ExtensionHelper {
     Long getExtensionIdForCluster(long clusterId);
     Extension getExtension(long id);
     Extension getExtensionForCluster(long clusterId);
     List<String> getExtensionReservedResourceDetails(long extensionId);
+
+    /**
+     * Detail key used to store the comma-separated list of network services provided
+     * by a NetworkOrchestrator extension (e.g. {@code "SourceNat,StaticNat,Firewall"}).
+     */
+    String NETWORK_SERVICES_DETAIL_KEY = "network.services";
+
+    /**
+     * Detail key used to store a JSON object mapping each service name to its
+     * CloudStack {@link com.cloud.network.Network.Capability} key/value pairs.
+     * Example: {@code {"SourceNat":{"SupportedSourceNatTypes":"peraccount"}}}.
+     * Used together with {@link #NETWORK_SERVICES_DETAIL_KEY}.
+     */
+    String NETWORK_SERVICE_CAPABILITIES_DETAIL_KEY = "network.service.capabilities";
+
+    Long getExtensionIdForPhysicalNetwork(long physicalNetworkId);
+    Extension getExtensionForPhysicalNetwork(long physicalNetworkId);
+    String getExtensionScriptPath(Extension extension);
+    Map<String, String> getExtensionDetails(long extensionId);
+
+    /**
+     * Finds the extension registered with the given physical network whose name
+     * matches the given provider name (case-insensitive).  Returns {@code null}
+     * if no matching extension is found.
+     *
+     * <p>This is the preferred lookup when multiple extensions are registered on
+     * the same physical network: the provider name stored in
+     * {@code ntwk_service_map} is used to pinpoint the exact extension that
+     * handles a given network.</p>
+     *
+     * @param physicalNetworkId the physical network ID
+     * @param providerName      the provider name (must equal the extension name)
+     * @return the matching {@link Extension}, or {@code null}
+     */
+    Extension getExtensionForPhysicalNetworkAndProvider(long physicalNetworkId, String providerName);
+
+    /**
+     * Returns ALL {@code extension_resource_map_details} (including hidden) for
+     * the specific extension registered on the given physical network.  Used by
+     * {@code NetworkExtensionElement} to inject device credentials into the script
+     * environment for the correct extension when multiple different extensions are
+     * registered on the same physical network.
+     *
+     * @param physicalNetworkId the physical network ID
+     * @param extensionId       the extension ID
+     * @return all key/value details including non-display ones, or an empty map
+     */
+    Map<String, String> getAllResourceMapDetailsForExtensionOnPhysicalNetwork(long physicalNetworkId, long extensionId);
+
+    /**
+     * Returns {@code true} if the given provider name is backed by a
+     * {@code NetworkOrchestrator} extension registered on any physical network.
+     * This is used by {@code NetworkModelImpl} to detect extension-backed providers
+     * that are not in the static {@code s_providerToNetworkElementMap}.
+     *
+     * @param providerName the provider / extension name
+     * @return true if the provider is a NetworkExtension provider
+     */
+    boolean isNetworkExtensionProvider(String providerName);
+
+    /**
+     * List all registered extensions filtered by extension {@link Extension.Type}.
+     * Useful for callers that need to discover available providers of a given
+     * type (e.g. Orchestrator, NetworkOrchestrator).
+     *
+     * @param type extension type to filter by
+     * @return list of matching {@link Extension} instances (empty list if none)
+     */
+    List<Extension> listExtensionsByType(Extension.Type type);
+
+    /**
+     * Returns the effective {@link Service} → ({@link Capability} → value) capabilities
+     * for the given external network provider, looking it up by name on the given
+     * physical network.
+     *
+     * <p>If {@code physicalNetworkId} is {@code null}, the method searches across all
+     * physical networks that have extensions registered and returns the capabilities for
+     * the first matching extension.</p>
+     *
+     * @param physicalNetworkId physical network ID, or {@code null} for offering-level queries
+     * @param providerName      provider / extension name
+     * @return capabilities map, or the default capabilities if no matching extension is found
+     */
+    Map<Service, Map<Capability, String>> getNetworkCapabilitiesForProvider(Long physicalNetworkId, String providerName);
+
 }
diff --git a/api/src/main/java/org/apache/cloudstack/extension/ExtensionResourceMap.java b/api/src/main/java/org/apache/cloudstack/extension/ExtensionResourceMap.java
index 40ebc19eb5e3..604e64a1f894 100644
--- a/api/src/main/java/org/apache/cloudstack/extension/ExtensionResourceMap.java
+++ b/api/src/main/java/org/apache/cloudstack/extension/ExtensionResourceMap.java
@@ -24,7 +24,8 @@
 
 public interface ExtensionResourceMap extends InternalIdentity, Identity {
     enum ResourceType {
-        Cluster
+        Cluster,
+        PhysicalNetwork
     }
 
     long getExtensionId();
diff --git a/api/src/main/java/org/apache/cloudstack/extension/NetworkCustomActionProvider.java b/api/src/main/java/org/apache/cloudstack/extension/NetworkCustomActionProvider.java
new file mode 100644
index 000000000000..3f8754a168bb
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/extension/NetworkCustomActionProvider.java
@@ -0,0 +1,52 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.extension;
+
+import java.util.Map;
+
+import com.cloud.network.Network;
+
+/**
+ * Implemented by network elements that support running custom actions on a
+ * managed network (e.g. NetworkExtensionElement).
+ *
+ * <p>This interface is looked up by {@code ExtensionsManagerImpl} to dispatch
+ * {@code runCustomAction} requests whose resource type is {@code Network}.</p>
+ */
+public interface NetworkCustomActionProvider {
+
+    /**
+     * Returns {@code true} if this provider handles networks whose physical
+     * network has an ExternalNetwork service provider registered.
+     *
+     * @param network the target network
+     * @return {@code true} if this provider can handle the network
+     */
+    boolean canHandleCustomAction(Network network);
+
+    /**
+     * Runs a named custom action against the external network device that
+     * manages the given network.
+     *
+     * @param network    the CloudStack network on which to run the action
+     * @param actionName the action name (e.g. {@code "reboot-device"}, {@code "dump-config"})
+     * @param parameters optional parameters supplied by the caller
+     * @return output from the action script, or {@code null} on failure
+     */
+    String runCustomAction(Network network, String actionName, Map<String, Object> parameters);
+}
diff --git a/api/src/test/java/com/cloud/network/NetworkTest.java b/api/src/test/java/com/cloud/network/NetworkTest.java
new file mode 100644
index 000000000000..9a937a4603d3
--- /dev/null
+++ b/api/src/test/java/com/cloud/network/NetworkTest.java
@@ -0,0 +1,56 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.network;
+
+import org.junit.Test;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+
+public class NetworkTest {
+
+    @Test
+    public void testProviderContains() {
+        List<Network.Provider> providers = new ArrayList<>();
+        providers.add(Network.Provider.VirtualRouter);
+
+        // direct instance present
+        assertTrue("List should contain VirtualRouter provider", providers.contains(Network.Provider.VirtualRouter));
+
+        // resolved provider by name (registered provider)
+        Network.Provider resolved = Network.Provider.getProvider("VirtualRouter");
+        assertNotNull("Resolved provider should not be null", resolved);
+        assertTrue("List should contain resolved VirtualRouter provider", providers.contains(resolved));
+
+        // transient provider with same name should be considered equal (equals by name)
+        Network.Provider transientProvider = Network.Provider.createTransientProvider("NetworkExtension");
+        assertFalse("List should not contain the transient provider", providers.contains(transientProvider));
+
+        providers.add(transientProvider);
+        assertTrue("List should contain the transient provider", providers.contains(transientProvider));
+
+        // another transient provider with same name should be considered equal
+        Network.Provider transientProviderNew = Network.Provider.createTransientProvider("NetworkExtension");
+        assertTrue("List should contain the new transient provider with same name", providers.contains(transientProviderNew));
+    }
+}
diff --git a/api/src/test/java/org/apache/cloudstack/extension/CustomActionResultResponseTest.java b/api/src/test/java/org/apache/cloudstack/extension/CustomActionResultResponseTest.java
new file mode 100644
index 000000000000..9b7346f332cb
--- /dev/null
+++ b/api/src/test/java/org/apache/cloudstack/extension/CustomActionResultResponseTest.java
@@ -0,0 +1,92 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.extension;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Map;
+
+import org.junit.Before;
+import org.junit.Test;
+
+public class CustomActionResultResponseTest {
+
+    private CustomActionResultResponse response;
+
+    @Before
+    public void setUp() {
+        response = new CustomActionResultResponse();
+    }
+
+    @Test
+    public void getResultReturnsNullByDefault() {
+        assertNull(response.getResult());
+    }
+
+    @Test
+    public void getResultReturnsSetValue() {
+        Map<String, String> result = Map.of("message", "OK", "details", "All good");
+        response.setResult(result);
+        assertEquals(result, response.getResult());
+        assertEquals("OK", response.getResult().get("message"));
+    }
+
+    @Test
+    public void isSuccessReturnsFalseWhenSuccessIsNull() {
+        // success is null by default
+        assertFalse(response.isSuccess());
+    }
+
+    @Test
+    public void isSuccessReturnsFalseWhenSuccessIsFalse() {
+        response.setSuccess(false);
+        assertFalse(response.isSuccess());
+    }
+
+    @Test
+    public void isSuccessReturnsTrueWhenSuccessIsTrue() {
+        response.setSuccess(true);
+        assertTrue(response.isSuccess());
+    }
+
+    @Test
+    public void getSuccessReturnsNullByDefault() {
+        assertNull(response.getSuccess());
+    }
+
+    @Test
+    public void getSuccessReturnsTrueAfterSetSuccessTrue() {
+        response.setSuccess(true);
+        assertTrue(response.getSuccess());
+    }
+
+    @Test
+    public void getSuccessReturnsFalseAfterSetSuccessFalse() {
+        response.setSuccess(false);
+        assertFalse(response.getSuccess());
+    }
+
+    @Test
+    public void setAndGetResultWithNullResult() {
+        response.setResult(null);
+        assertNull(response.getResult());
+    }
+}
diff --git a/api/src/test/java/org/apache/cloudstack/extension/ExtensionCustomActionTest.java b/api/src/test/java/org/apache/cloudstack/extension/ExtensionCustomActionTest.java
index ae4314aa11a8..a6bd49a2d8be 100644
--- a/api/src/test/java/org/apache/cloudstack/extension/ExtensionCustomActionTest.java
+++ b/api/src/test/java/org/apache/cloudstack/extension/ExtensionCustomActionTest.java
@@ -40,6 +40,12 @@ public void testResourceType() {
         assertEquals(com.cloud.vm.VirtualMachine.class, vmType.getAssociatedClass());
     }
 
+    @Test
+    public void testNetworkResourceType() {
+        ExtensionCustomAction.ResourceType networkType = ExtensionCustomAction.ResourceType.Network;
+        assertEquals(com.cloud.network.Network.class, networkType.getAssociatedClass());
+    }
+
     @Test
     public void testParameterTypeSupportsOptions() {
         assertTrue(ExtensionCustomAction.Parameter.Type.STRING.canSupportsOptions());
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 2ae228adba94..e123b229b106 100644
--- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -177,6 +177,10 @@
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.RouterNetworkDao;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.extension.ExtensionHelper;
+import org.apache.cloudstack.framework.extensions.network.NetworkExtensionElement;
+
 import com.cloud.network.element.AggregatedCommandExecutor;
 import com.cloud.network.element.ConfigDriveNetworkElement;
 import com.cloud.network.element.DhcpServiceProvider;
@@ -368,6 +372,10 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
     private BGPService bgpService;
     @Inject
     private Ipv6GuestPrefixSubnetNetworkMapDao ipv6GuestPrefixSubnetNetworkMapDao;
+    @Inject
+    protected ExtensionHelper extensionHelper;
+    @Inject
+    private NetworkExtensionElement networkExtensionElement;
 
     @Override
     public List<NetworkGuru> getNetworkGurus() {
@@ -461,6 +469,28 @@ public void setDhcpProviders(final List<DhcpServiceProvider> dhcpProviders) {
 
     HashMap<Long, Long> _lastNetworkIdsToFree = new HashMap<>();
 
+    /**
+     * Returns the full list of network elements to iterate when implementing,
+     * shutting down, or otherwise orchestrating a network.
+     *
+     * <p>The base list ({@link #networkElements}, wired by Spring) is extended
+     * at runtime with one transient {@link NetworkExtensionElement} per
+     * registered {@code NetworkOrchestrator} extension.  This keeps the
+     * Spring bean list free from {@code NetworkExtensionElement} and allows
+     * dynamic discovery of extensions without a restart.</p>
+     */
+    private List<NetworkElement> getNetworkElementsIncludingExtensions() {
+        List<Extension> extensions = extensionHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator);
+        if (extensions == null || extensions.isEmpty()) {
+            return networkElements;
+        }
+        List<NetworkElement> combined = new ArrayList<>(networkElements);
+        for (Extension ext : extensions) {
+            combined.add(networkExtensionElement.withProviderName(ext.getName()));
+        }
+        return combined;
+    }
+
     private void updateRouterDefaultDns(final VirtualMachineProfile vmProfile, final NicProfile nicProfile) {
         if (!Type.DomainRouter.equals(vmProfile.getType()) || !nicProfile.isDefaultNic()) {
             return;
@@ -1685,7 +1715,7 @@ public void implementNetworkElementsAndResources(final DeployDestination dest, f
             }
         }
 
-        for (final NetworkElement element : networkElements) {
+        for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (element instanceof AggregatedCommandExecutor && providersToImplement.contains(element.getProvider())) {
                 ((AggregatedCommandExecutor) element).prepareAggregatedExecution(network, dest);
             }
@@ -1702,7 +1732,7 @@ public void implementNetworkElementsAndResources(final DeployDestination dest, f
                 ex.addProxyObject(_entityMgr.findById(DataCenter.class, network.getDataCenterId()).getUuid());
                 throw ex;
             }
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (element instanceof AggregatedCommandExecutor && providersToImplement.contains(element.getProvider())) {
                     if (!((AggregatedCommandExecutor) element).completeAggregatedExecution(network, dest)) {
                         logger.warn("Failed to re-program the network as a part of network {} implement due to aggregated commands execution failure!", network);
@@ -1716,7 +1746,7 @@ public void implementNetworkElementsAndResources(final DeployDestination dest, f
             }
             reconfigureAndApplyStaticRouteForVpcVpn(network);
         } finally {
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (element instanceof AggregatedCommandExecutor && providersToImplement.contains(element.getProvider())) {
                     ((AggregatedCommandExecutor) element).cleanupAggregatedExecution(network, dest);
                 }
@@ -1737,7 +1767,7 @@ private void reconfigureAndApplyStaticRouteForVpcVpn(Network network) {
 
     private void implementNetworkElements(final DeployDestination dest, final ReservationContext context, final Network network, final NetworkOffering offering, final List<Provider> providersToImplement)
             throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
-        for (NetworkElement element : networkElements) {
+        for (NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providersToImplement.contains(element.getProvider())) {
                 if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                     // The physicalNetworkId will not get translated into a uuid by the response serializer,
@@ -2030,7 +2060,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
     @Override
     public void configureUpdateInSequence(Network network) {
         List<Provider> providers = getNetworkProviders(network.getId());
-        for (NetworkElement element : networkElements) {
+        for (NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providers.contains(element.getProvider())) {
                 if (element instanceof RedundantResource) {
                     ((RedundantResource) element).configureResource(network);
@@ -2043,7 +2073,7 @@ public void configureUpdateInSequence(Network network) {
     public int getResourceCount(Network network) {
         List<Provider> providers = getNetworkProviders(network.getId());
         int resourceCount = 0;
-        for (NetworkElement element : networkElements) {
+        for (NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providers.contains(element.getProvider())) {
                 //currently only one element implements the redundant resource interface
                 if (element instanceof RedundantResource) {
@@ -2074,7 +2104,7 @@ public void configureExtraDhcpOptions(Network network, long nicId) {
     @Override
     public void finalizeUpdateInSequence(Network network, boolean success) {
         List<Provider> providers = getNetworkProviders(network.getId());
-        for (NetworkElement element : networkElements) {
+        for (NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providers.contains(element.getProvider())) {
                 //currently only one element implements the redundant resource interface
                 if (element instanceof RedundantResource) {
@@ -2101,7 +2131,7 @@ public void setHypervisorHostname(VirtualMachineProfile vm, DeployDestination de
     }
 
     private void setHypervisorHostnameInNetwork(VirtualMachineProfile vm, DeployDestination dest, Network network, NicProfile profile, boolean migrationSuccessful) {
-        for (final NetworkElement element : networkElements) {
+        for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.UserData) && element instanceof UserDataServiceProvider
                 && (element instanceof ConfigDriveNetworkElement && !migrationSuccessful || element instanceof VirtualRouterElement && migrationSuccessful)) {
                 String errorMsg = String.format("Failed to add hypervisor host name while applying the userdata during the migration of VM %s, " +
@@ -2229,7 +2259,7 @@ public NicProfile prepareNic(final VirtualMachineProfile vmProfile, final Deploy
         updateNic(nic, network, 1);
 
         final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-        for (final NetworkElement element : networkElements) {
+        for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providersToImplement.contains(element.getProvider())) {
                 if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                     throw new CloudRuntimeException("Service provider " + element.getProvider().getName() + " either doesn't exist or is not enabled in physical network id: "
@@ -2284,7 +2314,7 @@ public void prepareNicForMigration(final VirtualMachineProfile vm, final DeployD
             }
 
             final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (providersToImplement.contains(element.getProvider())) {
                     if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                         throw new CloudRuntimeException("Service provider " + element.getProvider().getName() + " either doesn't exist or is not enabled in physical network id: "
@@ -2328,7 +2358,7 @@ public void prepareAllNicsForMigration(final VirtualMachineProfile vm, final Dep
                 }
             }
             final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (providersToImplement.contains(element.getProvider())) {
                     if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                         throw new CloudRuntimeException(String.format("Service provider %s either doesn't exist or is not enabled in physical network: %s",
@@ -2410,7 +2440,7 @@ public void commitNicForMigration(final VirtualMachineProfile src, final Virtual
             }
 
             final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (providersToImplement.contains(element.getProvider())) {
                     if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                         throw new CloudRuntimeException("Service provider " + element.getProvider().getName() + " either doesn't exist or is not enabled in physical network id: "
@@ -2446,7 +2476,7 @@ public void rollbackNicForMigration(final VirtualMachineProfile src, final Virtu
             }
 
             final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (providersToImplement.contains(element.getProvider())) {
                     if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                         throw new CloudRuntimeException("Service provider " + element.getProvider().getName() + " either doesn't exist or is not enabled in physical network id: "
@@ -2533,7 +2563,7 @@ public Pair<Network, NicProfile> doInTransaction(final TransactionStatus status)
             final Network network = networkToRelease.first();
             final NicProfile profile = networkToRelease.second();
             final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (providersToImplement.contains(element.getProvider())) {
                     logger.debug("Asking {} to release {}", element.getName(), profile);
                     //NOTE: Context appear to never be used in release method
@@ -2596,7 +2626,7 @@ protected void removeNic(final VirtualMachineProfile vm, final NicVO nic) {
          */
         if (nic.getReservationStrategy() == Nic.ReservationStrategy.Create) {
             final List<Provider> providersToImplement = getNetworkProviders(network.getId());
-            for (final NetworkElement element : networkElements) {
+            for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
                 if (providersToImplement.contains(element.getProvider())) {
                     logger.debug("Asking {} to release {}, according to the reservation strategy {}.", element.getName(), nic, nic.getReservationStrategy());
                     try {
@@ -3311,7 +3341,7 @@ public boolean shutdownNetworkElementsAndResources(final ReservationContext cont
 
         // 2) Shutdown all the network elements
         boolean success = true;
-        for (final NetworkElement element : networkElements) {
+        for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providersToShutdown.contains(element.getProvider())) {
                 try {
                     logger.debug("Sending network shutdown to {}", element.getName());
@@ -3422,7 +3452,7 @@ public boolean destroyNetwork(final long networkId, final ReservationContext con
 
         // get providers to destroy
         final List<Provider> providersToDestroy = getNetworkProviders(network.getId());
-        for (final NetworkElement element : networkElements) {
+        for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (providersToDestroy.contains(element.getProvider())) {
                 try {
                     logger.debug("Sending destroy to {}", element);
@@ -3793,7 +3823,7 @@ public boolean areRoutersRunning(final List<? extends VirtualRouter> routers) {
     public void cleanupNicDhcpDnsEntry(Network network, VirtualMachineProfile vmProfile, NicProfile nicProfile) {
 
         final List<Provider> networkProviders = getNetworkProviders(network.getId());
-        for (final NetworkElement element : networkElements) {
+        for (final NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (networkProviders.contains(element.getProvider())) {
                 if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
                     throw new CloudRuntimeException("Service provider " + element.getProvider().getName() + " either doesn't exist or is not enabled in physical network id: "
@@ -3829,7 +3859,7 @@ public void cleanupNicDhcpDnsEntry(Network network, VirtualMachineProfile vmProf
      * @throws InsufficientCapacityException
      */
     private boolean rollingRestartRouters(final NetworkVO network, final NetworkOffering offering, final DeployDestination dest, final ReservationContext context) throws ResourceUnavailableException, ConcurrentOperationException, InsufficientCapacityException {
-        if (!NetworkOrchestrationService.RollingRestartEnabled.value()) {
+        if (!isRollingRestartSupport(network)) {
             if (shutdownNetworkElementsAndResources(context, true, network)) {
                 implementNetworkElementsAndResources(dest, context, network, offering);
                 return true;
@@ -3877,6 +3907,20 @@ private boolean rollingRestartRouters(final NetworkVO network, final NetworkOffe
         return areRoutersRunning(routerDao.findByNetwork(network.getId()));
     }
 
+    private boolean isRollingRestartSupport(final NetworkVO network) {
+        if (!NetworkOrchestrator.RollingRestartEnabled.value()) {
+             return false;
+        }
+        List<NetworkServiceMapVO> services = _ntwkSrvcDao.getServicesInNetwork(network.getId());
+        for (NetworkServiceMapVO service : services) {
+            NetworkElement element = _networkModel.getElementImplementingProvider(service.getProvider());
+            if (element == null || !element.rollingRestartSupported()) {
+                return false;
+            }
+        }
+        return true;
+    }
+
     private void setRestartRequired(final NetworkVO network, final boolean restartRequired) {
         logger.debug("Marking network {} with restartRequired={}", network, restartRequired);
         network.setRestartRequired(restartRequired);
@@ -4438,6 +4482,8 @@ public Map<String, String> finalizeServicesAndProvidersForNetwork(final NetworkO
 
             if (provider == null) {
                 provider = _networkModel.getDefaultUniqueProviderForService(service).getName();
+            } else {
+                provider = _networkModel.resolveProvider(provider).getName();
             }
 
             // check that provider is supported
@@ -4463,7 +4509,7 @@ private List<Provider> getNetworkProviders(final long networkId) {
         final List<String> providerNames = _ntwkSrvcDao.getDistinctProviders(networkId);
         final List<Provider> providers = new ArrayList<>();
         for (final String providerName : providerNames) {
-            providers.add(Network.Provider.getProvider(providerName));
+            providers.add(_networkModel.resolveProvider(providerName));
         }
 
         return providers;
@@ -4629,7 +4675,7 @@ private Map<Service, Set<Provider>> getServiceProvidersMap(final long networkId)
             if (providers == null) {
                 providers = new HashSet<>();
             }
-            providers.add(Provider.getProvider(nsm.getProvider()));
+            providers.add(_networkModel.resolveProvider(nsm.getProvider()));
             map.put(Service.getService(nsm.getService()), providers);
         }
         return map;
@@ -4914,10 +4960,10 @@ public void unmanageNics(VirtualMachineProfile vm) {
 
     @Override
     public void expungeLbVmRefs(List<Long> vmIds, Long batchSize) {
-        if (CollectionUtils.isEmpty(networkElements) || CollectionUtils.isEmpty(vmIds)) {
+        if (CollectionUtils.isEmpty(getNetworkElementsIncludingExtensions()) || CollectionUtils.isEmpty(vmIds)) {
             return;
         }
-        for (NetworkElement element : networkElements) {
+        for (NetworkElement element : getNetworkElementsIncludingExtensions()) {
             if (element instanceof LoadBalancingServiceProvider) {
                 LoadBalancingServiceProvider lbProvider = (LoadBalancingServiceProvider)element;
                 lbProvider.expungeLbVmRefs(vmIds, batchSize);
diff --git a/engine/orchestration/src/test/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestratorTest.java b/engine/orchestration/src/test/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestratorTest.java
index e3989737112d..f03affa07281 100644
--- a/engine/orchestration/src/test/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestratorTest.java
+++ b/engine/orchestration/src/test/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestratorTest.java
@@ -27,6 +27,7 @@
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -35,11 +36,15 @@
 import com.cloud.exception.InsufficientVirtualNetworkCapacityException;
 import com.cloud.network.IpAddressManager;
 import com.cloud.utils.Pair;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.extension.ExtensionHelper;
+import org.apache.cloudstack.framework.extensions.network.NetworkExtensionElement;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.mockito.ArgumentMatchers;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
@@ -68,6 +73,7 @@
 import com.cloud.network.dao.PhysicalNetworkVO;
 import com.cloud.network.dao.RouterNetworkDao;
 import com.cloud.network.element.DhcpServiceProvider;
+import com.cloud.network.element.NetworkElement;
 import com.cloud.network.guru.GuestNetworkGuru;
 import com.cloud.network.guru.NetworkGuru;
 import com.cloud.network.vpc.VpcManager;
@@ -105,6 +111,7 @@ public class NetworkOrchestratorTest extends TestCase {
     private String guruName = "GuestNetworkGuru";
     private String dhcpProvider = "VirtualRouter";
     private NetworkGuru guru = mock(NetworkGuru.class);
+    private NetworkExtensionElement networkExtensionElement;
 
     NetworkOfferingVO networkOffering = mock(NetworkOfferingVO.class);
 
@@ -135,6 +142,9 @@ public void setUp() {
         testOrchestrator.routerJoinDao = mock(DomainRouterJoinDao.class);
         testOrchestrator._ipAddrMgr = mock(IpAddressManager.class);
         testOrchestrator._entityMgr = mock(EntityManager.class);
+        testOrchestrator.extensionHelper = mock(ExtensionHelper.class);
+        networkExtensionElement = mock(NetworkExtensionElement.class);
+        ReflectionTestUtils.setField(testOrchestrator, "networkExtensionElement", networkExtensionElement);
         DhcpServiceProvider provider = mock(DhcpServiceProvider.class);
 
         Map<Network.Capability, String> capabilities = new HashMap<Network.Capability, String>();
@@ -1010,4 +1020,63 @@ public void testImportNicWithIP4Address() throws Exception {
             assertEquals("testtag", nicProfile.getName());
         }
     }
+
+    // -----------------------------------------------------------------------
+    // Tests for getNetworkElementsIncludingExtensions
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getNetworkElementsIncludingExtensionsReturnsBaseListWhenNoExtensions() {
+        when(testOrchestrator.extensionHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator))
+                .thenReturn(Collections.emptyList());
+
+        DhcpServiceProvider dhcpProvider = mock(DhcpServiceProvider.class);
+        List<NetworkElement> elements = new ArrayList<>(List.of(dhcpProvider));
+        testOrchestrator.networkElements = elements;
+
+        @SuppressWarnings("unchecked")
+        List<NetworkElement> result =
+                (List<NetworkElement>) ReflectionTestUtils
+                        .invokeMethod(testOrchestrator, "getNetworkElementsIncludingExtensions");
+        assertNotNull(result);
+        assertEquals(elements.size(), result.size());
+    }
+
+    @Test
+    public void getNetworkElementsIncludingExtensionsAddsExtensionElements() {
+        Extension ext = mock(Extension.class);
+        when(ext.getName()).thenReturn("my-net-ext");
+        when(testOrchestrator.extensionHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator))
+                .thenReturn(List.of(ext));
+
+        NetworkExtensionElement extElement = mock(NetworkExtensionElement.class);
+        when(networkExtensionElement.withProviderName("my-net-ext")).thenReturn(extElement);
+
+        DhcpServiceProvider dhcpProvider = mock(DhcpServiceProvider.class);
+        testOrchestrator.networkElements = new ArrayList<>(List.of(dhcpProvider));
+
+        @SuppressWarnings("unchecked")
+        List<NetworkElement> result =
+                (List<NetworkElement>) ReflectionTestUtils
+                        .invokeMethod(testOrchestrator, "getNetworkElementsIncludingExtensions");
+        assertNotNull(result);
+        assertEquals(2, result.size());
+        assertTrue(result.contains(extElement));
+    }
+
+    @Test
+    public void getNetworkElementsIncludingExtensionsReturnsBaseListWhenExtensionHelperReturnsNull() {
+        when(testOrchestrator.extensionHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator))
+                .thenReturn(null);
+
+        DhcpServiceProvider dhcpProvider = mock(DhcpServiceProvider.class);
+        testOrchestrator.networkElements = new ArrayList<>(List.of(dhcpProvider));
+
+        @SuppressWarnings("unchecked")
+        List<NetworkElement> result =
+                (List<NetworkElement>) ReflectionTestUtils
+                        .invokeMethod(testOrchestrator, "getNetworkElementsIncludingExtensions");
+        assertNotNull(result);
+        assertEquals(1, result.size());
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java b/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
index 9f7ffabac930..e2dddeed13c4 100644
--- a/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
@@ -37,7 +37,6 @@
 import com.cloud.network.Network;
 import com.cloud.network.Network.Event;
 import com.cloud.network.Network.GuestType;
-import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.Network.State;
 import com.cloud.network.Networks.BroadcastDomainType;
@@ -390,7 +389,7 @@ public void persistNetworkServiceProviders(final long networkId, final Map<Strin
         final TransactionLegacy txn = TransactionLegacy.currentTxn();
         txn.start();
         for (final String service : serviceProviderMap.keySet()) {
-            final NetworkServiceMapVO serviceMap = new NetworkServiceMapVO(networkId, Service.getService(service), Provider.getProvider(serviceProviderMap.get(service)));
+            final NetworkServiceMapVO serviceMap = new NetworkServiceMapVO(networkId, Service.getService(service).getName(), serviceProviderMap.get(service));
             _ntwkSvcMap.persist(serviceMap);
         }
         txn.commit();
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/NetworkServiceMapVO.java b/engine/schema/src/main/java/com/cloud/network/dao/NetworkServiceMapVO.java
index 4e1e9aff4561..65598eda7399 100644
--- a/engine/schema/src/main/java/com/cloud/network/dao/NetworkServiceMapVO.java
+++ b/engine/schema/src/main/java/com/cloud/network/dao/NetworkServiceMapVO.java
@@ -81,6 +81,12 @@ public NetworkServiceMapVO(long networkId, Service service, Provider provider) {
         this.provider = provider.getName();
     }
 
+    public NetworkServiceMapVO(long networkId, String serviceName, String providerName) {
+        this.networkId = networkId;
+        this.service = serviceName;
+        this.provider = providerName;
+    }
+
     @Override
     public String toString() {
         StringBuilder buf = new StringBuilder("[Network Service[");
diff --git a/engine/schema/src/main/java/com/cloud/network/vpc/VpcServiceMapVO.java b/engine/schema/src/main/java/com/cloud/network/vpc/VpcServiceMapVO.java
index 9fa4b505c650..ae156d7d4304 100644
--- a/engine/schema/src/main/java/com/cloud/network/vpc/VpcServiceMapVO.java
+++ b/engine/schema/src/main/java/com/cloud/network/vpc/VpcServiceMapVO.java
@@ -25,8 +25,6 @@
 import javax.persistence.Id;
 import javax.persistence.Table;
 
-import com.cloud.network.Network.Provider;
-import com.cloud.network.Network.Service;
 import com.cloud.utils.db.GenericDao;
 
 @Entity
@@ -72,10 +70,10 @@ public Date getCreated() {
     public VpcServiceMapVO() {
     }
 
-    public VpcServiceMapVO(long vpcId, Service service, Provider provider) {
+    public VpcServiceMapVO(long vpcId, String serviceName, String providerName) {
         this.vpcId = vpcId;
-        this.service = service.getName();
-        this.provider = provider.getName();
+        this.service = serviceName;
+        this.provider = providerName;
     }
 
     @Override
diff --git a/engine/schema/src/main/java/com/cloud/network/vpc/dao/VpcDaoImpl.java b/engine/schema/src/main/java/com/cloud/network/vpc/dao/VpcDaoImpl.java
index 4e13fe4f5d0d..cecdce1aba42 100644
--- a/engine/schema/src/main/java/com/cloud/network/vpc/dao/VpcDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/network/vpc/dao/VpcDaoImpl.java
@@ -142,7 +142,7 @@ public void persistVpcServiceProviders(long vpcId, Map<String, List<String>> ser
         txn.start();
         for (String service : serviceProviderMap.keySet()) {
             for (String provider : serviceProviderMap.get(service)) {
-                VpcServiceMapVO serviceMap = new VpcServiceMapVO(vpcId, Network.Service.getService(service), Network.Provider.getProvider(provider));
+                VpcServiceMapVO serviceMap = new VpcServiceMapVO(vpcId, Network.Service.getService(service).getName(), provider);
                 _vpcSvcMap.persist(serviceMap);
             }
         }
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
index 4cb9eb7cb2c4..0c033c19316d 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
@@ -117,3 +117,7 @@ CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 'tin
 
 --- Disable/enable NICs
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.nics','enabled', 'TINYINT(1) NOT NULL DEFAULT 1 COMMENT ''Indicates whether the NIC is enabled or not'' ');
+
+-- Increase length of value of extension details from 255 to 4096 to support longer details value
+CALL `cloud`.`IDEMPOTENT_CHANGE_COLUMN`('cloud.extension_details', 'value', 'value', 'VARCHAR(4096)');
+CALL `cloud`.`IDEMPOTENT_CHANGE_COLUMN`('cloud.extension_resource_map_details', 'value', 'value', 'VARCHAR(4096)');
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmd.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmd.java
index 4426f259380b..1c9efdaca782 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmd.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmd.java
@@ -70,6 +70,17 @@ public class ListExtensionsCmd extends BaseListCmd {
                     + " When no parameters are passed, all the details are returned.")
     private List<String> details;
 
+    @Parameter(name = ApiConstants.TYPE, type = CommandType.STRING, description = "Type of the extension (e.g. Orchestrator, NetworkOrchestrator). Default is Orchestrator if not set")
+    private String type;
+
+    @Parameter(name = ApiConstants.RESOURCE_ID, type = CommandType.STRING,
+            description = "ID of the resource to list registered extensions for (e.g. cluster UUID, physical network UUID)")
+    private String resourceId;
+
+    @Parameter(name = ApiConstants.RESOURCE_TYPE, type = CommandType.STRING,
+            description = "Type of the resource (e.g. Cluster, PhysicalNetwork). Default is Cluster if not set")
+    private String resourceType;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -82,6 +93,18 @@ public Long getExtensionId() {
         return extensionId;
     }
 
+    public String getType() {
+        return type;
+    }
+
+    public String getResourceId() {
+        return resourceId;
+    }
+
+    public String getResourceType() {
+        return resourceType;
+    }
+
     public EnumSet<ApiConstants.ExtensionDetails> getDetails() throws InvalidParameterValueException {
         if (CollectionUtils.isEmpty(details)) {
             return EnumSet.of(ApiConstants.ExtensionDetails.all);
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateRegisteredExtensionCmd.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateRegisteredExtensionCmd.java
new file mode 100644
index 000000000000..6c755ecd1a54
--- /dev/null
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateRegisteredExtensionCmd.java
@@ -0,0 +1,116 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.framework.extensions.api;
+
+import java.util.EnumSet;
+import java.util.Map;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ExtensionResponse;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.framework.extensions.manager.ExtensionsManager;
+
+import com.cloud.user.Account;
+
+@APICommand(name = "updateRegisteredExtension",
+        description = "Update details for an extension registered with a resource",
+        responseObject = ExtensionResponse.class,
+        responseHasSensitiveInfo = false,
+        entityType = {Extension.class},
+        authorized = {RoleType.Admin},
+        since = "4.23.0")
+public class UpdateRegisteredExtensionCmd extends BaseCmd {
+
+    @Inject
+    ExtensionsManager extensionsManager;
+
+    @Parameter(name = ApiConstants.EXTENSION_ID, type = CommandType.UUID, required = true,
+            entityType = ExtensionResponse.class, description = "ID of the extension")
+    private Long extensionId;
+
+    @Parameter(name = ApiConstants.RESOURCE_ID, type = CommandType.STRING, required = true,
+            description = "ID of the resource where the extension is registered")
+    private String resourceId;
+
+    @Parameter(name = ApiConstants.RESOURCE_TYPE, type = CommandType.STRING, required = true,
+            description = "Type of the resource")
+    private String resourceType;
+
+    @Parameter(name = ApiConstants.DETAILS, type = CommandType.MAP,
+            description = "Details in key/value pairs using format details[i].keyname=keyvalue. Example: details[0].endpoint.url=urlvalue")
+    protected Map details;
+
+    @Parameter(name = ApiConstants.CLEAN_UP_DETAILS,
+            type = CommandType.BOOLEAN,
+            description = "Optional boolean field, which indicates if details should be cleaned up or not " +
+                    "(If set to true, details removed for this registration, details field ignored; " +
+                    "if false or not set, details can be updated through details map)")
+    private Boolean cleanupDetails;
+
+    public Long getExtensionId() {
+        return extensionId;
+    }
+
+    public String getResourceId() {
+        return resourceId;
+    }
+
+    public String getResourceType() {
+        return resourceType;
+    }
+
+    public Map<String, String> getDetails() {
+        return convertDetailsToMap(details);
+    }
+
+    public Boolean isCleanupDetails() {
+        return cleanupDetails;
+    }
+
+    @Override
+    public void execute() throws ServerApiException {
+        Extension extension = extensionsManager.updateRegisteredExtensionWithResource(this);
+        ExtensionResponse response = extensionsManager.createExtensionResponse(extension,
+                EnumSet.of(ApiConstants.ExtensionDetails.all));
+        response.setResponseName(getCommandName());
+        setResponseObject(response);
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.Extension;
+    }
+
+    @Override
+    public Long getApiResourceId() {
+        return getExtensionId();
+    }
+}
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDao.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDao.java
index 3355457ed25b..9bb47e4869b2 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDao.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDao.java
@@ -16,6 +16,9 @@
 // under the License.
 package org.apache.cloudstack.framework.extensions.dao;
 
+import java.util.List;
+
+import org.apache.cloudstack.extension.Extension;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionVO;
 
 import com.cloud.utils.db.GenericDao;
@@ -23,4 +26,6 @@
 public interface ExtensionDao extends GenericDao<ExtensionVO, Long> {
 
     ExtensionVO findByName(String name);
+
+    List<ExtensionVO> listByType(Extension.Type type);
 }
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDaoImpl.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDaoImpl.java
index 8e17199de6ca..ed215aa53d03 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDaoImpl.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionDaoImpl.java
@@ -17,6 +17,9 @@
 
 package org.apache.cloudstack.framework.extensions.dao;
 
+import java.util.List;
+
+import org.apache.cloudstack.extension.Extension;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionVO;
 
 import com.cloud.utils.db.GenericDaoBase;
@@ -39,7 +42,13 @@ public ExtensionDaoImpl() {
     public ExtensionVO findByName(String name) {
         SearchCriteria<ExtensionVO> sc = AllFieldSearch.create();
         sc.setParameters("name", name);
-
         return findOneBy(sc);
     }
+
+    @Override
+    public List<ExtensionVO> listByType(Extension.Type type) {
+        SearchCriteria<ExtensionVO> sc = AllFieldSearch.create();
+        sc.setParameters("type", type);
+        return listBy(sc);
+    }
 }
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDao.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDao.java
index 930ef8675531..81da9ecb18fa 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDao.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDao.java
@@ -28,5 +28,9 @@ public interface ExtensionResourceMapDao extends GenericDao<ExtensionResourceMap
 
     ExtensionResourceMapVO findByResourceIdAndType(long resourceId, ExtensionResourceMap.ResourceType resourceType);
 
-    List<Long> listResourceIdsByExtensionIdAndType(long extensionId,ExtensionResourceMap.ResourceType resourceType);
+    List<ExtensionResourceMapVO> listByResourceIdAndType(long resourceId, ExtensionResourceMap.ResourceType resourceType);
+
+    List<Long> listResourceIdsByExtensionIdAndType(long extensionId, ExtensionResourceMap.ResourceType resourceType);
+
+    List<Long> listResourceIdsByType(ExtensionResourceMap.ResourceType resourceType);
 }
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImpl.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImpl.java
index 6f19ef8b8b66..f81a10211207 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImpl.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImpl.java
@@ -55,6 +55,15 @@ public ExtensionResourceMapVO findByResourceIdAndType(long resourceId,
         return findOneBy(sc);
     }
 
+    @Override
+    public List<ExtensionResourceMapVO> listByResourceIdAndType(long resourceId,
+              ExtensionResourceMap.ResourceType resourceType) {
+        SearchCriteria<ExtensionResourceMapVO> sc = genericSearch.create();
+        sc.setParameters("resourceId", resourceId);
+        sc.setParameters("resourceType", resourceType);
+        return listBy(sc);
+    }
+
     @Override
     public List<Long> listResourceIdsByExtensionIdAndType(long extensionId, ExtensionResourceMap.ResourceType resourceType) {
         GenericSearchBuilder<ExtensionResourceMapVO, Long> sb = createSearchBuilder(Long.class);
@@ -67,4 +76,15 @@ public List<Long> listResourceIdsByExtensionIdAndType(long extensionId, Extensio
         sc.setParameters("resourceType", resourceType);
         return customSearch(sc, null);
     }
+
+    @Override
+    public List<Long> listResourceIdsByType(ExtensionResourceMap.ResourceType resourceType) {
+        GenericSearchBuilder<ExtensionResourceMapVO, Long> sb = createSearchBuilder(Long.class);
+        sb.selectFields(sb.entity().getResourceId());
+        sb.and("resourceType", sb.entity().getResourceType(), SearchCriteria.Op.EQ);
+        sb.done();
+        SearchCriteria<Long> sc = sb.create();
+        sc.setParameters("resourceType", resourceType);
+        return customSearch(sc, null);
+    }
 }
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManager.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManager.java
index 1b1a175c5975..cd033badff15 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManager.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManager.java
@@ -42,6 +42,7 @@
 import org.apache.cloudstack.framework.extensions.api.UnregisterExtensionCmd;
 import org.apache.cloudstack.framework.extensions.api.UpdateCustomActionCmd;
 import org.apache.cloudstack.framework.extensions.api.UpdateExtensionCmd;
+import org.apache.cloudstack.framework.extensions.api.UpdateRegisteredExtensionCmd;
 import org.apache.cloudstack.framework.extensions.command.ExtensionServerActionBaseCommand;
 
 import com.cloud.agent.api.Answer;
@@ -65,6 +66,8 @@ public interface ExtensionsManager extends Manager {
 
     Extension unregisterExtensionWithResource(UnregisterExtensionCmd cmd);
 
+    Extension updateRegisteredExtensionWithResource(UpdateRegisteredExtensionCmd cmd);
+
     Extension updateExtension(UpdateExtensionCmd cmd);
 
     Extension registerExtensionWithResource(RegisterExtensionCmd cmd);
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java
index 1422338ddc99..5ee42ca4334e 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java
@@ -26,6 +26,7 @@
 import java.nio.file.Paths;
 import java.security.InvalidParameterException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
@@ -61,6 +62,7 @@
 import org.apache.cloudstack.extension.Extension;
 import org.apache.cloudstack.extension.ExtensionCustomAction;
 import org.apache.cloudstack.extension.ExtensionHelper;
+import org.apache.cloudstack.extension.NetworkCustomActionProvider;
 import org.apache.cloudstack.extension.ExtensionResourceMap;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
@@ -75,6 +77,7 @@
 import org.apache.cloudstack.framework.extensions.api.UnregisterExtensionCmd;
 import org.apache.cloudstack.framework.extensions.api.UpdateCustomActionCmd;
 import org.apache.cloudstack.framework.extensions.api.UpdateExtensionCmd;
+import org.apache.cloudstack.framework.extensions.api.UpdateRegisteredExtensionCmd;
 import org.apache.cloudstack.framework.extensions.command.CleanupExtensionFilesCommand;
 import org.apache.cloudstack.framework.extensions.command.ExtensionRoutingUpdateCommand;
 import org.apache.cloudstack.framework.extensions.command.ExtensionServerActionBaseCommand;
@@ -125,6 +128,19 @@
 import com.cloud.host.dao.HostDetailsDao;
 import com.cloud.hypervisor.ExternalProvisioner;
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.network.Network;
+import com.cloud.network.Network.Capability;
+import com.cloud.network.Network.Service;
+import com.cloud.network.NetworkModel;
+import com.cloud.network.PhysicalNetworkServiceProvider;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkServiceMapDao;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
+import com.cloud.network.dao.PhysicalNetworkServiceProviderVO;
+import com.cloud.network.element.NetworkElement;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkVO;
 import com.cloud.org.Cluster;
 import com.cloud.serializer.GsonHelper;
 import com.cloud.storage.dao.VMTemplateDao;
@@ -141,6 +157,10 @@
 import com.cloud.utils.db.SearchCriteria;
 import com.cloud.utils.db.Transaction;
 import com.cloud.utils.db.TransactionCallbackWithException;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineManager;
@@ -171,6 +191,12 @@ public class ExtensionsManagerImpl extends ManagerBase implements ExtensionsMana
     @Inject
     ClusterDao clusterDao;
 
+    @Inject
+    PhysicalNetworkDao physicalNetworkDao;
+
+    @Inject
+    PhysicalNetworkServiceProviderDao physicalNetworkServiceProviderDao;
+
     @Inject
     AgentManager agentMgr;
 
@@ -210,6 +236,15 @@ public class ExtensionsManagerImpl extends ManagerBase implements ExtensionsMana
     @Inject
     VMTemplateDao templateDao;
 
+    @Inject
+    NetworkDao networkDao;
+
+    @Inject
+    NetworkServiceMapDao networkServiceMapDao;
+
+    @Inject
+    NetworkModel networkModel;
+
     @Inject
     RoleService roleService;
 
@@ -339,6 +374,39 @@ protected Pair<Boolean, String> getChecksumForExtensionPathOnMSPeer(Extension ex
         return getResultFromAnswersString(answersStr, extension, msHost, "get path checksum");
     }
 
+    protected List<ExtensionResourceMapDetailsVO> buildExtensionResourceDetailsArray(long extensionResourceMapId,
+            Map<String, String> details) {
+        List<ExtensionResourceMapDetailsVO> detailsList = new ArrayList<>();
+        if (MapUtils.isEmpty(details)) {
+            return detailsList;
+        }
+        for (Map.Entry<String, String> entry : details.entrySet()) {
+            boolean display = !SENSITIVE_DETAIL_KEYS.contains(entry.getKey().toLowerCase());
+            detailsList.add(new ExtensionResourceMapDetailsVO(extensionResourceMapId, entry.getKey(),
+                    entry.getValue(), display));
+        }
+        return detailsList;
+    }
+
+    protected void appendHiddenExtensionResourceDetails(long extensionResourceMapId,
+            List<ExtensionResourceMapDetailsVO> detailsList) {
+        if (CollectionUtils.isEmpty(detailsList)) {
+            return;
+        }
+        Map<String, String> hiddenDetails = extensionResourceMapDetailsDao.listDetailsKeyPairs(extensionResourceMapId, false);
+        if (MapUtils.isEmpty(hiddenDetails)) {
+            return;
+        }
+        Set<String> requestedKeys = detailsList.stream()
+                .map(ExtensionResourceMapDetailsVO::getName)
+                .collect(Collectors.toSet());
+        hiddenDetails.forEach((key, value) -> {
+            if (!requestedKeys.contains(key)) {
+                detailsList.add(new ExtensionResourceMapDetailsVO(extensionResourceMapId, key, value, false));
+            }
+        });
+    }
+
     protected List<ExtensionCustomAction.Parameter> getParametersListFromMap(String actionName, Map parametersMap) {
         if (MapUtils.isEmpty(parametersMap)) {
             return Collections.emptyList();
@@ -370,16 +438,42 @@ protected Extension getExtensionFromResource(ExtensionCustomAction.ResourceType
             VirtualMachine vm = (VirtualMachine) object;
             Pair<Long, Long> clusterHostId = virtualMachineManager.findClusterAndHostIdForVm(vm, false);
             clusterId = clusterHostId.first();
+            if (clusterId == null) {
+                return null;
+            }
+            ExtensionResourceMapVO mapVO =
+                    extensionResourceMapDao.findByResourceIdAndType(clusterId, ExtensionResourceMap.ResourceType.Cluster);
+            if (mapVO == null) {
+                return null;
+            }
+            return extensionDao.findById(mapVO.getExtensionId());
+        } else if (resourceType == ExtensionCustomAction.ResourceType.Network) {
+            Network network = (Network) object;
+            Long physicalNetworkId = network.getPhysicalNetworkId();
+            if (physicalNetworkId == null) {
+                return null;
+            }
+            // Use provider-based lookup: match the network's service-map providers
+            // against extension names registered on the physical network.
+            // This correctly handles multiple different extensions on the same physical network.
+            List<String> providers = networkServiceMapDao.getDistinctProviders(network.getId());
+            if (CollectionUtils.isNotEmpty(providers)) {
+                for (String providerName : providers) {
+                    Extension ext = getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, providerName);
+                    if (ext != null) {
+                        return ext;
+                    }
+                }
+            }
+            // Fallback: return the first extension registered on the physical network
+            List<ExtensionResourceMapVO> maps = extensionResourceMapDao.listByResourceIdAndType(
+                    physicalNetworkId, ExtensionResourceMap.ResourceType.PhysicalNetwork);
+            if (CollectionUtils.isEmpty(maps)) {
+                return null;
+            }
+            return extensionDao.findById(maps.get(0).getExtensionId());
         }
-        if (clusterId == null) {
-            return null;
-        }
-        ExtensionResourceMapVO mapVO =
-                extensionResourceMapDao.findByResourceIdAndType(clusterId, ExtensionResourceMap.ResourceType.Cluster);
-        if (mapVO == null) {
-            return null;
-        }
-        return extensionDao.findById(mapVO.getExtensionId());
+        return null;
     }
 
     protected String getActionMessage(boolean success, ExtensionCustomAction action, Extension extension,
@@ -694,25 +788,68 @@ public List<ExtensionResponse> listExtensions(ListExtensionsCmd cmd) {
         Long id = cmd.getExtensionId();
         String name = cmd.getName();
         String keyword = cmd.getKeyword();
+        String typeStr = cmd.getType();
+        String resourceIdStr = cmd.getResourceId();
+        String resourceTypeStr = cmd.getResourceType();
+
+        // If resourceId + resourceType are specified, return only extensions registered to that resource
+        if (StringUtils.isNotBlank(resourceIdStr) && StringUtils.isNotBlank(resourceTypeStr)) {
+            if (!EnumUtils.isValidEnum(ExtensionResourceMap.ResourceType.class, resourceTypeStr)) {
+                throw new InvalidParameterValueException("Invalid resourcetype: " + resourceTypeStr);
+            }
+            ExtensionResourceMap.ResourceType resType = ExtensionResourceMap.ResourceType.valueOf(resourceTypeStr);
+            // Resolve resourceId to a DB id
+            long resolvedResourceId;
+            if (ExtensionResourceMap.ResourceType.PhysicalNetwork.equals(resType)) {
+                PhysicalNetworkVO pn = physicalNetworkDao.findByUuid(resourceIdStr);
+                if (pn == null) {
+                    try { pn = physicalNetworkDao.findById(Long.parseLong(resourceIdStr)); } catch (NumberFormatException ignored) {}
+                }
+                if (pn == null) throw new InvalidParameterValueException("Invalid physical network ID: " + resourceIdStr);
+                resolvedResourceId = pn.getId();
+            } else {
+                try { resolvedResourceId = Long.parseLong(resourceIdStr); } catch (NumberFormatException e) {
+                    throw new InvalidParameterValueException("Invalid resource ID: " + resourceIdStr);
+                }
+            }
+            List<ExtensionResourceMapVO> maps = extensionResourceMapDao.listByResourceIdAndType(resolvedResourceId, resType);
+            List<ExtensionResponse> responses = new ArrayList<>();
+            for (ExtensionResourceMapVO map : maps) {
+                ExtensionVO ext = extensionDao.findById(map.getExtensionId());
+                if (ext == null) continue;
+                if (typeStr != null && !typeStr.equalsIgnoreCase(ext.getType().name())) continue;
+                if (name != null && !name.equalsIgnoreCase(ext.getName())) continue;
+                responses.add(createExtensionResponse(ext, cmd.getDetails()));
+            }
+            return responses;
+        }
+
         final SearchBuilder<ExtensionVO> sb = extensionDao.createSearchBuilder();
         final Filter searchFilter = new Filter(ExtensionVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
 
         sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
         sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
         sb.and("keyword", sb.entity().getName(), SearchCriteria.Op.LIKE);
+        sb.and("type", sb.entity().getType(), SearchCriteria.Op.EQ);
+        sb.done();
         final SearchCriteria<ExtensionVO> sc = sb.create();
 
         if (id != null) {
             sc.setParameters("id", id);
         }
-
         if (name != null) {
             sc.setParameters("name", name);
         }
-
         if (keyword != null) {
             sc.setParameters("keyword",  "%" + keyword + "%");
         }
+        if (typeStr != null) {
+            Extension.Type type = EnumUtils.getEnum(Extension.Type.class, typeStr);
+            if (type == null) {
+                throw new InvalidParameterValueException("Invalid type: " + typeStr);
+            }
+            sc.setParameters("type", type);
+        }
 
         final Pair<List<ExtensionVO>, Integer> result = extensionDao.searchAndCount(sc, searchFilter);
         List<ExtensionResponse> responses = new ArrayList<>();
@@ -880,19 +1017,108 @@ public Extension registerExtensionWithResource(RegisterExtensionCmd cmd) {
         String resourceType = cmd.getResourceType();
         if (!EnumUtils.isValidEnum(ExtensionResourceMap.ResourceType.class, resourceType)) {
             throw new InvalidParameterValueException(
-                    String.format("Currently only [%s] can be used to register an extension of type Orchestrator",
+                    String.format("Currently only [%s] can be used to register an extension",
                             EnumSet.allOf(ExtensionResourceMap.ResourceType.class)));
         }
+        ExtensionVO extension = extensionDao.findById(extensionId);
+        if (extension == null) {
+            throw new InvalidParameterValueException("Invalid extension specified");
+        }
+        ExtensionResourceMap.ResourceType resType = ExtensionResourceMap.ResourceType.valueOf(resourceType);
+        if (ExtensionResourceMap.ResourceType.PhysicalNetwork.equals(resType)) {
+            PhysicalNetworkVO physicalNetwork = physicalNetworkDao.findByUuid(resourceId);
+            if (physicalNetwork == null) {
+                physicalNetwork = physicalNetworkDao.findById(Long.parseLong(resourceId));
+            }
+            if (physicalNetwork == null) {
+                throw new InvalidParameterValueException("Invalid physical network ID specified");
+            }
+            ExtensionResourceMap extensionResourceMap = registerExtensionWithPhysicalNetwork(physicalNetwork, extension, cmd.getDetails());
+            return extensionDao.findById(extensionResourceMap.getExtensionId());
+        }
         ClusterVO clusterVO = clusterDao.findByUuid(resourceId);
         if (clusterVO == null) {
             throw new InvalidParameterValueException("Invalid cluster ID specified");
         }
+        ExtensionResourceMap extensionResourceMap = registerExtensionWithCluster(clusterVO, extension, cmd.getDetails());
+        return extensionDao.findById(extensionResourceMap.getExtensionId());
+    }
+
+    @Override
+    @ActionEvent(eventType = EventTypes.EVENT_EXTENSION_RESOURCE_UPDATE, eventDescription = "updating extension resource")
+    public Extension updateRegisteredExtensionWithResource(UpdateRegisteredExtensionCmd cmd) {
+        final String resourceId = cmd.getResourceId();
+        final Long extensionId = cmd.getExtensionId();
+        final String resourceType = cmd.getResourceType();
+        final Map<String, String> details = cmd.getDetails();
+        final Boolean cleanupDetails = cmd.isCleanupDetails();
+
+        if (!EnumUtils.isValidEnum(ExtensionResourceMap.ResourceType.class, resourceType)) {
+            throw new InvalidParameterValueException(
+                    String.format("Currently only [%s] can be used to update an extension registration",
+                            EnumSet.allOf(ExtensionResourceMap.ResourceType.class)));
+        }
         ExtensionVO extension = extensionDao.findById(extensionId);
         if (extension == null) {
             throw new InvalidParameterValueException("Invalid extension specified");
         }
-        ExtensionResourceMap extensionResourceMap = registerExtensionWithCluster(clusterVO, extension, cmd.getDetails());
-        return extensionDao.findById(extensionResourceMap.getExtensionId());
+
+        ExtensionResourceMap.ResourceType resType = ExtensionResourceMap.ResourceType.valueOf(resourceType);
+        long resolvedResourceId;
+        if (ExtensionResourceMap.ResourceType.PhysicalNetwork.equals(resType)) {
+            PhysicalNetworkVO physicalNetwork = physicalNetworkDao.findByUuid(resourceId);
+            if (physicalNetwork == null) {
+                try {
+                    physicalNetwork = physicalNetworkDao.findById(Long.parseLong(resourceId));
+                } catch (NumberFormatException ignored) {
+                }
+            }
+            if (physicalNetwork == null) {
+                throw new InvalidParameterValueException("Invalid physical network ID specified");
+            }
+            resolvedResourceId = physicalNetwork.getId();
+        } else {
+            ClusterVO clusterVO = clusterDao.findByUuid(resourceId);
+            if (clusterVO == null) {
+                throw new InvalidParameterValueException("Invalid cluster ID specified");
+            }
+            resolvedResourceId = clusterVO.getId();
+        }
+
+        List<ExtensionResourceMapVO> mappings = extensionResourceMapDao.listByResourceIdAndType(resolvedResourceId, resType);
+        ExtensionResourceMapVO targetMapping = null;
+        if (CollectionUtils.isNotEmpty(mappings)) {
+            for (ExtensionResourceMapVO mapping : mappings) {
+                if (mapping.getExtensionId() == extensionId) {
+                    targetMapping = mapping;
+                    break;
+                }
+            }
+        }
+        if (targetMapping == null) {
+            throw new InvalidParameterValueException(String.format(
+                    "Extension '%s' is not registered with resource %s (%s)",
+                    extension.getName(), resourceId, resourceType));
+        }
+
+        if (Boolean.TRUE.equals(cleanupDetails)) {
+            extensionResourceMapDetailsDao.removeDetails(targetMapping.getId());
+        } else {
+            List<ExtensionResourceMapDetailsVO> detailsList = buildExtensionResourceDetailsArray(targetMapping.getId(), details);
+            if (CollectionUtils.isNotEmpty(detailsList)) {
+                appendHiddenExtensionResourceDetails(targetMapping.getId(), detailsList);
+            }
+            detailsList = detailsList.stream()
+                    .filter(detail -> detail.getValue() != null)
+                    .collect(Collectors.toList());
+            if (CollectionUtils.isNotEmpty(detailsList)) {
+                extensionResourceMapDetailsDao.saveDetails(detailsList);
+            } else {
+                extensionResourceMapDetailsDao.removeDetails(targetMapping.getId());
+            }
+        }
+
+        return extensionDao.findById(extensionId);
     }
 
     @Override
@@ -923,8 +1149,9 @@ public ExtensionResourceMap registerExtensionWithCluster(Cluster cluster, Extens
             List<ExtensionResourceMapDetailsVO> detailsVOList = new ArrayList<>();
             if (MapUtils.isNotEmpty(details)) {
                 for (Map.Entry<String, String> entry : details.entrySet()) {
+                    boolean display = !SENSITIVE_DETAIL_KEYS.contains(entry.getKey().toLowerCase());
                     detailsVOList.add(new ExtensionResourceMapDetailsVO(savedExtensionMap.getId(),
-                            entry.getKey(), entry.getValue()));
+                            entry.getKey(), entry.getValue(), display));
                 }
                 extensionResourceMapDetailsDao.saveDetails(detailsVOList);
             }
@@ -934,6 +1161,247 @@ public ExtensionResourceMap registerExtensionWithCluster(Cluster cluster, Extens
         return result;
     }
 
+    protected ExtensionResourceMap registerExtensionWithPhysicalNetwork(PhysicalNetworkVO physicalNetwork,
+                  Extension extension, Map<String, String> details) {
+        // Only NetworkOrchestrator extensions can be registered with physical networks
+        if (!Extension.Type.NetworkOrchestrator.equals(extension.getType())) {
+            throw new InvalidParameterValueException(String.format(
+                    "Only extensions of type %s can be registered with a physical network. "
+                    + "Extension '%s' is of type %s.",
+                    Extension.Type.NetworkOrchestrator.name(),
+                    extension.getName(), extension.getType().name()));
+        }
+
+        // Block registering the exact same extension twice on the same physical network
+        final ExtensionResourceMap.ResourceType resourceType = ExtensionResourceMap.ResourceType.PhysicalNetwork;
+        List<ExtensionResourceMapVO> existing = extensionResourceMapDao.listByResourceIdAndType(
+                physicalNetwork.getId(), resourceType);
+        if (existing != null) {
+            for (ExtensionResourceMapVO ex : existing) {
+                if (ex.getExtensionId() == extension.getId()) {
+                    throw new CloudRuntimeException(String.format(
+                            "Extension '%s' is already registered with physical network %s",
+                            extension.getName(), physicalNetwork.getId()));
+                }
+            }
+        }
+
+        // Resolve which services this extension provides from its network.services detail
+        Set<String> services = resolveExtensionServices(extension);
+
+        return Transaction.execute((TransactionCallbackWithException<ExtensionResourceMap, CloudRuntimeException>) status -> {
+            // 1. Persist the extension<->physical-network mapping
+            ExtensionResourceMapVO extensionMap = new ExtensionResourceMapVO(extension.getId(),
+                    physicalNetwork.getId(), resourceType);
+            ExtensionResourceMapVO savedExtensionMap = extensionResourceMapDao.persist(extensionMap);
+
+            // 2. Persist device credentials / details
+            List<ExtensionResourceMapDetailsVO> detailsVOList = new ArrayList<>();
+            if (MapUtils.isNotEmpty(details)) {
+                for (Map.Entry<String, String> entry : details.entrySet()) {
+                    boolean display = !SENSITIVE_DETAIL_KEYS.contains(entry.getKey().toLowerCase());
+                    detailsVOList.add(new ExtensionResourceMapDetailsVO(savedExtensionMap.getId(),
+                            entry.getKey(), entry.getValue(), display));
+                }
+                extensionResourceMapDetailsDao.saveDetails(detailsVOList);
+            }
+
+            // 3. Auto-create the NetworkServiceProvider entry for this extension so that
+            //    the services are visible in the UI and in listSupportedNetworkServices.
+            //    The NSP name equals the extension name; state is Enabled by default.
+            PhysicalNetworkServiceProviderVO existingNsp =
+                    physicalNetworkServiceProviderDao.findByServiceProvider(
+                            physicalNetwork.getId(), extension.getName());
+            if (existingNsp == null) {
+                PhysicalNetworkServiceProviderVO nsp =
+                        new PhysicalNetworkServiceProviderVO(physicalNetwork.getId(), extension.getName());
+                applyServicesToNsp(nsp, services);
+                nsp.setState(PhysicalNetworkServiceProvider.State.Enabled);
+                physicalNetworkServiceProviderDao.persist(nsp);
+                logger.info("Auto-created NetworkServiceProvider '{}' (Enabled) for physical network {} "
+                        + "with services {}", extension.getName(), physicalNetwork.getId(), services);
+            }
+
+            return extensionMap;
+        });
+    }
+
+    /**
+     * Resolves the set of network service names declared in the extension's
+     * {@code network.services} detail. Falls back to an empty set if not present
+     */
+    private Set<String> resolveExtensionServices(Extension extension) {
+        Map<String, String> extDetails = extensionDetailsDao.listDetailsKeyPairs(extension.getId());
+        Set<String> parsed = parseServicesFromDetailKeys(extDetails);
+        if (!parsed.isEmpty()) {
+            return parsed;
+        }
+        // Default: the full set of services NetworkExtensionElement supports
+        return new HashSet<>();
+    }
+
+    /**
+     * Resolves the set of service names from the extension detail map.
+     * From {@code network.services} comma-separated key.
+     */
+    @SuppressWarnings("deprecation")
+    private Set<String> parseServicesFromDetailKeys(Map<String, String> extDetails) {
+        if (extDetails == null) {
+            return Collections.emptySet();
+        }
+        // New format: "network.services" = "SourceNat,StaticNat,..."
+        if (extDetails.containsKey(ExtensionHelper.NETWORK_SERVICES_DETAIL_KEY)) {
+            String value = extDetails.get(ExtensionHelper.NETWORK_SERVICES_DETAIL_KEY);
+            if (StringUtils.isNotBlank(value)) {
+                Set<String> services = new HashSet<>();
+                for (String s : value.split(",")) {
+                    String trimmed = s.trim();
+                    if (!trimmed.isEmpty()) {
+                        services.add(trimmed);
+                    }
+                }
+                if (!services.isEmpty()) {
+                    return services;
+                }
+            }
+        }
+
+        return Collections.emptySet();
+    }
+
+    /**
+     * Builds a full {@code Map<Service, Map<Capability, String>>} from the
+     * extension detail map.  From the split keys
+     * {@code network.services} + {@code network.service.capabilities}.
+     */
+    @SuppressWarnings("deprecation")
+    private Map<Service, Map<Capability, String>> buildCapabilitiesFromDetailKeys(
+            Map<String, String> extDetails) {
+        if (extDetails == null) {
+            return new HashMap<>();
+        }
+        // New split format
+        if (extDetails.containsKey(ExtensionHelper.NETWORK_SERVICES_DETAIL_KEY)) {
+            Set<String> serviceNames = parseServicesFromDetailKeys(extDetails);
+            if (!serviceNames.isEmpty()) {
+                JsonObject capsObj = null;
+                if (extDetails.containsKey(ExtensionHelper.NETWORK_SERVICE_CAPABILITIES_DETAIL_KEY)) {
+                    try {
+                        capsObj = JsonParser.parseString(
+                                extDetails.get(ExtensionHelper.NETWORK_SERVICE_CAPABILITIES_DETAIL_KEY))
+                                .getAsJsonObject();
+                    } catch (Exception e) {
+                        logger.warn("Failed to parse network.service.capabilities JSON: {}", e.getMessage());
+                    }
+                }
+                Map<Service, Map<Capability, String>> result = new HashMap<>();
+                for (String svcName : serviceNames) {
+                    Service service = Service.getService(svcName);
+                    if (service == null) {
+                        logger.warn("Unknown network service '{}' in network.services — skipping", svcName);
+                        continue;
+                    }
+                    Map<Capability, String> capMap = new HashMap<>();
+                    if (capsObj != null && capsObj.has(svcName)) {
+                        JsonObject svcCaps = capsObj.getAsJsonObject(svcName);
+                        for (Map.Entry<String, JsonElement> entry : svcCaps.entrySet()) {
+                            Capability cap = Capability.getCapability(entry.getKey());
+                            if (cap != null) {
+                                capMap.put(cap, entry.getValue().getAsString());
+                            }
+                        }
+                    }
+                    result.put(service, capMap);
+                }
+                return result;
+            }
+        }
+
+        return new HashMap<>();
+    }
+
+    /**
+     * Sets the boolean service-provided flags on a {@link PhysicalNetworkServiceProviderVO}
+     * based on a set of service names.
+     */
+    private void applyServicesToNsp(PhysicalNetworkServiceProviderVO nsp, Set<String> services) {
+        nsp.setSourcenatServiceProvided(services.contains("SourceNat"));
+        nsp.setStaticnatServiceProvided(services.contains("StaticNat"));
+        nsp.setPortForwardingServiceProvided(services.contains("PortForwarding"));
+        nsp.setFirewallServiceProvided(services.contains("Firewall"));
+        nsp.setGatewayServiceProvided(services.contains("Gateway"));
+        nsp.setDnsServiceProvided(services.contains("Dns"));
+        nsp.setDhcpServiceProvided(services.contains("Dhcp"));
+        nsp.setUserdataServiceProvided(services.contains("UserData"));
+        nsp.setLbServiceProvided(services.contains("Lb"));
+        nsp.setVpnServiceProvided(services.contains("Vpn"));
+        nsp.setSecuritygroupServiceProvided(services.contains("SecurityGroup"));
+        nsp.setNetworkAclServiceProvided(services.contains("NetworkACL"));
+    }
+
+    /** Keys that are always stored with display=false (sensitive). */
+    private static final Set<String> SENSITIVE_DETAIL_KEYS =
+            Set.of("password", "sshkey");
+
+    /**
+     * Validates that the comma-separated or JSON-array {@code servicesValue} is a
+     * subset of the services declared in the extension's {@code network.services}
+     * Throws {@link InvalidParameterValueException} if any service in the request is not
+     * offered by the extension.
+     */
+    protected void validateNetworkServicesSubset(Extension extension, String servicesValue) {
+        if (StringUtils.isBlank(servicesValue)) {
+            return;
+        }
+        Map<String, String> extDetails = extensionDetailsDao.listDetailsKeyPairs(extension.getId());
+        Set<String> allowedServices = parseServicesFromDetailKeys(extDetails);
+        if (allowedServices.isEmpty()) {
+            // No services declared → accept any
+            return;
+        }
+
+        // Parse the requested services: either comma-separated string or JSON array
+        List<String> requested = parseServicesList(servicesValue);
+        List<String> invalid = requested.stream()
+                .filter(s -> !allowedServices.contains(s))
+                .collect(Collectors.toList());
+        if (!invalid.isEmpty()) {
+            throw new InvalidParameterValueException(String.format(
+                    "The following services are not supported by extension '%s': %s. "
+                    + "Supported services are: %s",
+                    extension.getName(), invalid, allowedServices));
+        }
+    }
+
+    /**
+     * Parses a services list from either a comma-separated string (e.g.
+     * {@code "SourceNat,StaticNat"}) or a JSON array (e.g.
+     * {@code ["SourceNat","StaticNat"]}).
+     */
+    private List<String> parseServicesList(String value) {
+        if (StringUtils.isBlank(value)) {
+            return Collections.emptyList();
+        }
+        value = value.trim();
+        if (value.startsWith("[")) {
+            try {
+                JsonArray arr = JsonParser.parseString(value).getAsJsonArray();
+                List<String> result = new ArrayList<>();
+                for (JsonElement el : arr) {
+                    result.add(el.getAsString().trim());
+                }
+                return result;
+            } catch (Exception e) {
+                // fall through to comma-split
+            }
+        }
+        // Comma-separated
+        return Arrays.stream(value.split(","))
+                .map(String::trim)
+                .filter(s -> !s.isEmpty())
+                .collect(Collectors.toList());
+    }
+
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_EXTENSION_RESOURCE_UNREGISTER, eventDescription = "unregistering extension resource")
     public Extension unregisterExtensionWithResource(UnregisterExtensionCmd cmd) {
@@ -942,10 +1410,15 @@ public Extension unregisterExtensionWithResource(UnregisterExtensionCmd cmd) {
         final String resourceType = cmd.getResourceType();
         if (!EnumUtils.isValidEnum(ExtensionResourceMap.ResourceType.class, resourceType)) {
             throw new InvalidParameterValueException(
-                    String.format("Currently only [%s] can be used to unregister an extension of type Orchestrator",
+                    String.format("Currently only [%s] can be used to unregister an extension",
                             EnumSet.allOf(ExtensionResourceMap.ResourceType.class)));
         }
-        unregisterExtensionWithCluster(resourceId, extensionId);
+        ExtensionResourceMap.ResourceType resType = ExtensionResourceMap.ResourceType.valueOf(resourceType);
+        if (ExtensionResourceMap.ResourceType.PhysicalNetwork.equals(resType)) {
+            unregisterExtensionWithPhysicalNetwork(resourceId, extensionId);
+        } else {
+            unregisterExtensionWithCluster(resourceId, extensionId);
+        }
         return extensionDao.findById(extensionId);
     }
 
@@ -965,6 +1438,55 @@ public void unregisterExtensionWithCluster(Cluster cluster, Long extensionId) {
         }
     }
 
+    protected void unregisterExtensionWithPhysicalNetwork(String resourceId, Long extensionId) {
+        PhysicalNetworkVO physicalNetwork = physicalNetworkDao.findByUuid(resourceId);
+        if (physicalNetwork == null) {
+            try {
+                physicalNetwork = physicalNetworkDao.findById(Long.parseLong(resourceId));
+            } catch (NumberFormatException ignored) {
+            }
+        }
+        if (physicalNetwork == null) {
+            throw new InvalidParameterValueException("Invalid physical network ID specified");
+        }
+        // Find the specific map entry for this extension+physical-network combination
+        List<ExtensionResourceMapVO> existingList = extensionResourceMapDao.listByResourceIdAndType(
+                physicalNetwork.getId(), ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        if (existingList == null || existingList.isEmpty()) {
+            return;
+        }
+        final long physNetId = physicalNetwork.getId();
+        for (ExtensionResourceMapVO existing : existingList) {
+            if (extensionId == null || existing.getExtensionId() == extensionId) {
+                ExtensionVO ext = extensionDao.findById(existing.getExtensionId());
+                if (ext != null) {
+                    List<NetworkVO> networksUsingProvider = networkDao.listByPhysicalNetworkAndProvider(
+                            physNetId, ext.getName());
+                    if (CollectionUtils.isNotEmpty(networksUsingProvider)) {
+                        throw new CloudRuntimeException(String.format(
+                                "Cannot unregister extension '%s' from physical network %s. "
+                                        + "Provider is used by %d existing network(s)",
+                                ext.getName(), physNetId, networksUsingProvider.size()));
+                    }
+                }
+
+                extensionResourceMapDao.remove(existing.getId());
+                extensionResourceMapDetailsDao.removeDetails(existing.getId());
+
+                // Also remove the auto-created NSP for this extension
+                if (ext != null) {
+                    PhysicalNetworkServiceProviderVO nsp =
+                            physicalNetworkServiceProviderDao.findByServiceProvider(physNetId, ext.getName());
+                    if (nsp != null) {
+                        physicalNetworkServiceProviderDao.remove(nsp.getId());
+                        logger.info("Removed NetworkServiceProvider '{}' from physical network {} "
+                                + "on extension unregister", ext.getName(), physNetId);
+                    }
+                }
+            }
+        }
+    }
+
     @Override
     public ExtensionResponse createExtensionResponse(Extension extension,
                  EnumSet<ApiConstants.ExtensionDetails> viewDetails) {
@@ -988,6 +1510,12 @@ public ExtensionResponse createExtensionResponse(Extension extension,
                     Cluster cluster = clusterDao.findById(extensionResourceMapVO.getResourceId());
                     extensionResourceResponse.setId(cluster.getUuid());
                     extensionResourceResponse.setName(cluster.getName());
+                } else if (ExtensionResourceMap.ResourceType.PhysicalNetwork.equals(extensionResourceMapVO.getResourceType())) {
+                    PhysicalNetworkVO pn = physicalNetworkDao.findById(extensionResourceMapVO.getResourceId());
+                    if (pn != null) {
+                        extensionResourceResponse.setId(pn.getUuid());
+                        extensionResourceResponse.setName(pn.getName());
+                    }
                 }
                 Map<String, String> details = extensionResourceMapDetailsDao.listDetailsKeyPairs(
                         extensionResourceMapVO.getId(), true);
@@ -1423,6 +1951,10 @@ public CustomActionResultResponse runCustomAction(RunCustomActionCmd cmd) {
             Pair<Long, Long> clusterAndHostId = virtualMachineManager.findClusterAndHostIdForVm(virtualMachine, false);
             clusterId = clusterAndHostId.first();
             hostId = clusterAndHostId.second();
+        } else if (entity instanceof Network) {
+            // Network custom action: dispatched directly to NetworkCustomActionProvider (no agent)
+            Network network = (Network) entity;
+            return runNetworkCustomAction(network, customActionVO, extensionVO, actionResourceType, cmdParameters);
         }
 
         if (clusterId == null || hostId == null) {
@@ -1499,6 +2031,92 @@ public CustomActionResultResponse runCustomAction(RunCustomActionCmd cmd) {
         return response;
     }
 
+    /**
+     * Executes a custom action for a Network resource by delegating to an
+     * available {@link NetworkCustomActionProvider} (e.g. NetworkExtensionElement).
+     * This path does NOT go through the agent framework.
+     */
+    protected CustomActionResultResponse runNetworkCustomAction(Network network,
+            ExtensionCustomActionVO customActionVO, ExtensionVO extensionVO,
+            ExtensionCustomAction.ResourceType actionResourceType,
+            Map<String, String> cmdParameters) {
+
+        final String actionName = customActionVO.getName();
+        CustomActionResultResponse response = new CustomActionResultResponse();
+        response.setId(customActionVO.getUuid());
+        response.setName(actionName);
+        response.setObjectName("customactionresult");
+        Map<String, String> result = new HashMap<>();
+        response.setSuccess(false);
+        result.put(ApiConstants.MESSAGE, getActionMessage(false, customActionVO, extensionVO, actionResourceType, network));
+
+        // Resolve action parameters
+        List<ExtensionCustomAction.Parameter> actionParameters = null;
+        Pair<Map<String, String>, Map<String, String>> allDetails =
+                extensionCustomActionDetailsDao.listDetailsKeyPairsWithVisibility(customActionVO.getId());
+        if (allDetails.second().containsKey(ApiConstants.PARAMETERS)) {
+            actionParameters = ExtensionCustomAction.Parameter.toListFromJson(
+                    allDetails.second().get(ApiConstants.PARAMETERS));
+        }
+        Map<String, Object> parameters = null;
+        if (CollectionUtils.isNotEmpty(actionParameters)) {
+            parameters = ExtensionCustomAction.Parameter.validateParameterValues(actionParameters, cmdParameters);
+        }
+
+        // Find the provider name for this network (try each service until we find one)
+        String providerName = null;
+        for (Service service : new Service[]{Service.SourceNat, Service.StaticNat,
+                Service.PortForwarding, Service.Firewall, Service.Gateway}) {
+            providerName = networkServiceMapDao.getProviderForServiceInNetwork(network.getId(), service);
+            if (StringUtils.isNotBlank(providerName)) {
+                break;
+            }
+        }
+        if (StringUtils.isBlank(providerName)) {
+            logger.error("No network service provider found for network {}", network.getId());
+            result.put(ApiConstants.DETAILS, "No network service provider found for this network");
+            response.setResult(result);
+            return response;
+        }
+
+        // Get the network element implementing that provider
+        NetworkElement element = networkModel.getElementImplementingProvider(providerName);
+        if (element == null) {
+            logger.error("No NetworkElement found implementing provider '{}' for network {}", providerName, network.getId());
+            result.put(ApiConstants.DETAILS, "No network element found for provider: " + providerName);
+            response.setResult(result);
+            return response;
+        }
+
+        // The element must implement NetworkCustomActionProvider
+        if (!(element instanceof NetworkCustomActionProvider)) {
+            logger.error("Network element '{}' for provider '{}' does not support custom actions",
+                    element.getClass().getSimpleName(), providerName);
+            result.put(ApiConstants.DETAILS, "Provider '" + providerName + "' does not support custom actions");
+            response.setResult(result);
+            return response;
+        }
+
+        NetworkCustomActionProvider provider = (NetworkCustomActionProvider) element;
+        try {
+            if (!provider.canHandleCustomAction(network)) {
+                throw new CloudRuntimeException("Provider '" + providerName + "' cannot handle custom action for this network");
+            }
+            logger.info("Running network custom action '{}' on network {} via {} (provider: {})",
+                    actionName, network.getId(), element.getClass().getSimpleName(), providerName);
+            String output = provider.runCustomAction(network, actionName, parameters);
+            boolean success = output != null;
+            response.setSuccess(success);
+            result.put(ApiConstants.MESSAGE, getActionMessage(success, customActionVO, extensionVO, actionResourceType, network));
+            result.put(ApiConstants.DETAILS, success ? output : "Action failed — check management server logs for details");
+        } catch (Exception e) {
+            logger.error("Network custom action '{}' threw exception: {}", actionName, e.getMessage(), e);
+            result.put(ApiConstants.DETAILS, "Action failed: " + e.getMessage());
+        }
+        response.setResult(result);
+        return response;
+    }
+
     @Override
     public ExtensionCustomActionResponse createCustomActionResponse(ExtensionCustomAction customAction) {
         ExtensionCustomActionResponse response = new ExtensionCustomActionResponse(customAction.getUuid(),
@@ -1608,11 +2226,8 @@ public void updateExtensionResourceMapDetails(long extensionResourceMapId, Map<S
         if (MapUtils.isEmpty(details)) {
             return;
         }
-        List<ExtensionResourceMapDetailsVO> detailsList = new ArrayList<>();
-        for (Map.Entry<String, String> entry : details.entrySet()) {
-            detailsList.add(new ExtensionResourceMapDetailsVO(extensionResourceMapId, entry.getKey(),
-                    entry.getValue()));
-        }
+        List<ExtensionResourceMapDetailsVO> detailsList =
+                buildExtensionResourceDetailsArray(extensionResourceMapId, details);
         extensionResourceMapDetailsDao.saveDetails(detailsList);
     }
 
@@ -1677,6 +2292,26 @@ public List<String> getExtensionReservedResourceDetails(long extensionId) {
         return reservedDetails;
     }
 
+    @Override
+    public Long getExtensionIdForPhysicalNetwork(long physicalNetworkId) {
+        // Returns the first (primary) extension for backward compatibility
+        List<ExtensionResourceMapVO> maps = extensionResourceMapDao.listByResourceIdAndType(physicalNetworkId,
+                ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        if (maps == null || maps.isEmpty()) {
+            return null;
+        }
+        return maps.get(0).getExtensionId();
+    }
+
+    @Override
+    public Extension getExtensionForPhysicalNetwork(long physicalNetworkId) {
+        Long extensionId = getExtensionIdForPhysicalNetwork(physicalNetworkId);
+        if (extensionId == null) {
+            return null;
+        }
+        return extensionDao.findById(extensionId);
+    }
+
     @Override
     public boolean start() {
         long pathStateCheckInterval = PathStateCheckInterval.value();
@@ -1714,6 +2349,7 @@ public List<Class<?>> getCommands() {
         cmds.add(UpdateExtensionCmd.class);
         cmds.add(RegisterExtensionCmd.class);
         cmds.add(UnregisterExtensionCmd.class);
+        cmds.add(UpdateRegisteredExtensionCmd.class);
         return cmds;
     }
 
@@ -1765,4 +2401,106 @@ protected void runInContext() {
             }
         }
     }
+
+    @Override
+    public String getExtensionScriptPath(Extension extension) {
+        if (extension == null) {
+            return null;
+        }
+        return externalProvisioner.getExtensionPath(extension.getRelativePath());
+    }
+
+    @Override
+    public Map<String, String> getExtensionDetails(long extensionId) {
+        return extensionDetailsDao.listDetailsKeyPairs(extensionId);
+    }
+
+    @Override
+    public Extension getExtensionForPhysicalNetworkAndProvider(long physicalNetworkId, String providerName) {
+        if (StringUtils.isBlank(providerName)) {
+            return null;
+        }
+        List<ExtensionResourceMapVO> maps = extensionResourceMapDao.listByResourceIdAndType(
+                physicalNetworkId, ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        if (maps == null || maps.isEmpty()) {
+            return null;
+        }
+        for (ExtensionResourceMapVO map : maps) {
+            ExtensionVO ext = extensionDao.findById(map.getExtensionId());
+            if (ext != null && providerName.equalsIgnoreCase(ext.getName())) {
+                return ext;
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public Map<String, String> getAllResourceMapDetailsForExtensionOnPhysicalNetwork(long physicalNetworkId, long extensionId) {
+        List<ExtensionResourceMapVO> maps = extensionResourceMapDao.listByResourceIdAndType(
+                physicalNetworkId, ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        if (maps == null || maps.isEmpty()) {
+            return new HashMap<>();
+        }
+        for (ExtensionResourceMapVO map : maps) {
+            if (map.getExtensionId() == extensionId) {
+                Map<String, String> details = extensionResourceMapDetailsDao.listDetailsKeyPairs(map.getId());
+                return details != null ? details : new HashMap<>();
+            }
+        }
+        return new HashMap<>();
+    }
+
+    @Override
+    public boolean isNetworkExtensionProvider(String providerName) {
+        if (StringUtils.isBlank(providerName)) {
+            return false;
+        }
+        List<ExtensionVO> networkOrchExtensions = extensionDao.listByType(Extension.Type.NetworkOrchestrator);
+        if (networkOrchExtensions == null || networkOrchExtensions.isEmpty()) {
+            return false;
+        }
+        return networkOrchExtensions.stream()
+                .anyMatch(ext -> providerName.equalsIgnoreCase(ext.getName()));
+    }
+
+    @Override
+    public List<Extension> listExtensionsByType(Extension.Type type) {
+        if (type == null) {
+            return new ArrayList<>();
+        }
+        List<ExtensionVO> extensions = extensionDao.listByType(type);
+        if (extensions == null || extensions.isEmpty()) {
+            return new ArrayList<>();
+        }
+        return new ArrayList<>(extensions);
+    }
+
+    @Override
+    public Map<Service, Map<Capability, String>> getNetworkCapabilitiesForProvider(Long physicalNetworkId,
+            String providerName) {
+        if (StringUtils.isBlank(providerName)) {
+            return new HashMap<>();
+        }
+        Extension extension = null;
+        if (physicalNetworkId != null) {
+            extension = getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, providerName);
+        }
+        if (extension == null) {
+            // Search across all physical networks
+            List<ExtensionVO> networkOrchExtensions = extensionDao.listByType(Extension.Type.NetworkOrchestrator);
+            if (networkOrchExtensions != null) {
+                for (ExtensionVO ext : networkOrchExtensions) {
+                    if (providerName.equalsIgnoreCase(ext.getName())) {
+                        extension = ext;
+                        break;
+                    }
+                }
+            }
+        }
+        if (extension == null) {
+            return new HashMap<>();
+        }
+        Map<String, String> extDetails = extensionDetailsDao.listDetailsKeyPairs(extension.getId());
+        return buildCapabilitiesFromDetailKeys(extDetails);
+    }
 }
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java
new file mode 100644
index 000000000000..aa7e253dfb1a
--- /dev/null
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java
@@ -0,0 +1,2674 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.framework.extensions.network;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.net.InetAddress;
+import java.nio.ByteBuffer;
+import java.nio.file.Files;
+
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import com.cloud.agent.api.to.LoadBalancerTO;
+import com.cloud.dc.DataCenter;
+import com.cloud.dc.Vlan;
+import com.cloud.dc.VlanVO;
+import com.cloud.dc.dao.DataCenterDao;
+import com.cloud.dc.dao.VlanDao;
+import com.cloud.deploy.DeployDestination;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.host.dao.HostDao;
+import com.cloud.hypervisor.Hypervisor;
+import com.cloud.network.IpAddressManager;
+import com.cloud.network.IpAddress;
+import com.cloud.network.Network;
+import com.cloud.network.Network.Capability;
+import com.cloud.network.Network.Provider;
+import com.cloud.network.Network.Service;
+import com.cloud.network.NetworkModel;
+import com.cloud.network.Networks;
+import com.cloud.network.dao.NetworkDetailVO;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.PhysicalNetworkServiceProvider;
+import com.cloud.network.PublicIpAddress;
+import com.cloud.network.addr.PublicIp;
+import com.cloud.network.dao.FirewallRulesDao;
+import com.cloud.network.dao.IPAddressDao;
+import com.cloud.network.dao.IPAddressVO;
+import com.cloud.network.dao.NetworkDetailsDao;
+import com.cloud.network.dao.NetworkServiceMapDao;
+import com.cloud.network.vpc.dao.VpcDao;
+import com.cloud.network.element.AggregatedCommandExecutor;
+import com.cloud.network.element.DhcpServiceProvider;
+import com.cloud.network.element.DnsServiceProvider;
+import com.cloud.network.element.FirewallServiceProvider;
+import com.cloud.network.element.IpDeployer;
+import com.cloud.network.element.LoadBalancingServiceProvider;
+import com.cloud.network.element.NetworkACLServiceProvider;
+import com.cloud.network.element.NetworkElement;
+import com.cloud.network.element.PortForwardingServiceProvider;
+import com.cloud.network.element.SourceNatServiceProvider;
+import com.cloud.network.element.StaticNatServiceProvider;
+import com.cloud.network.element.UserDataServiceProvider;
+import com.cloud.network.element.VpcProvider;
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.PrivateGateway;
+import com.cloud.network.vpc.StaticRouteProfile;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.lb.LoadBalancingRule;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.FirewallRuleVO;
+import com.cloud.network.rules.PortForwardingRule;
+import com.cloud.network.rules.StaticNat;
+import com.cloud.offerings.NetworkOfferingVO;
+import com.cloud.offerings.dao.NetworkOfferingDao;
+import com.cloud.service.ServiceOfferingVO;
+import com.cloud.service.dao.ServiceOfferingDao;
+import com.cloud.storage.dao.GuestOSCategoryDao;
+import com.cloud.storage.dao.GuestOSDao;
+import com.cloud.user.AccountService;
+import com.cloud.uservm.UserVm;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.user.Account;
+import com.cloud.utils.Pair;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.vm.Nic;
+import com.cloud.vm.NicProfile;
+import com.cloud.vm.NicVO;
+import com.cloud.vm.ReservationContext;
+import com.cloud.vm.UserVmVO;
+import com.cloud.vm.VirtualMachine;
+import com.cloud.vm.VirtualMachineManager;
+import com.cloud.vm.VirtualMachineProfile;
+import com.cloud.vm.VMInstanceDetailVO;
+import com.cloud.vm.VmDetailConstants;
+import com.cloud.vm.dao.NicDao;
+import com.cloud.vm.dao.UserVmDao;
+import com.cloud.vm.dao.VMInstanceDetailsDao;
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.extension.ExtensionHelper;
+import org.apache.cloudstack.extension.NetworkCustomActionProvider;
+import org.apache.cloudstack.resourcedetail.dao.VpcDetailsDao;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.stream.Collectors;
+
+
+/**
+ * NetworkExtensionElement is a network plugin that delegates all network
+ * configuration to an external script via a registered {@link Extension} of
+ * type {@code NetworkOrchestrator}.
+ *
+ * <h3>Script invocation model</h3>
+ * The script is called with a command name and optional CLI arguments.
+ * Two JSON blobs are always forwarded as named CLI arguments:
+ * <ul>
+ *   <li>{@value #ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS} {@code <json>} – all
+ *       details stored in {@code extension_resource_map_details} when the
+ *       extension was registered with the physical network (connection info,
+ *       host list, credentials, etc.).  The script owns the schema.</li>
+ *   <li>{@value #ARG_NETWORK_EXTENSION_DETAILS} {@code <json>} – the
+ *       per-network JSON blob stored in {@code network_details} under key
+ *       {@value #NETWORK_DETAIL_EXTENSION_DETAILS}.  Populated by the
+ *       script's {@code ensure-network-device} response and updated on
+ *       failover (e.g. selected host, namespace, segment ID).</li>
+ * </ul>
+ *
+ * <h3>Script resolution</h3>
+ * The script is resolved from the extension path set when the extension was
+ * created.  Lookup order (first match wins):
+ * <ol>
+ *   <li>{@code <extensionPath>/<extensionName>.sh} — preferred convention,
+ *       e.g. for an extension named {@code network-extension} the script is
+ *       {@code network-extension.sh}.</li>
+ *   <li>{@code <extensionPath>} itself, if it is a file and is executable.</li>
+ * </ol>
+ *
+ * <h3>Physical-network extension details</h3>
+ * Any key/value pairs stored in {@code extension_resource_map_details} at
+ * registration time are passed verbatim as a JSON object.  There are no
+ * pre-defined keys — the user and the script agree on the schema.  The only
+ * special treatment is that keys named {@code password} or {@code sshkey} are
+ * redacted in log output.
+ *
+ * <p>Two well-known optional keys control which host network interfaces the
+ * wrapper script uses to create bridges and veth pairs:</p>
+ * <ul>
+ *   <li>{@code guest.network.device} — host NIC for guest (internal) traffic;
+ *       defaults to {@code eth1} when absent.</li>
+ *   <li>{@code public.network.device} — host NIC for public (NAT/external)
+ *       traffic; defaults to {@code eth1} when absent.</li>
+ * </ul>
+ *
+ * <p>Example registration for a KVM-namespace backend:</p>
+ * <pre>
+ *   cmk registerExtension id=&lt;ext-uuid&gt; resourcetype=PhysicalNetwork \
+ *       resourceid=&lt;phys-uuid&gt; \
+ *       details[0].key=hosts                details[0].value=192.168.1.10,192.168.1.11 \
+ *       details[1].key=port                 details[1].value=22 \
+ *       details[2].key=username             details[2].value=root \
+ *       details[3].key=sshkey               details[3].value="$(cat ~/.ssh/id_rsa)" \
+ *       details[4].key=guest.network.device details[4].value=eth1 \
+ *       details[5].key=public.network.device details[5].value=eth1
+ * </pre>
+ *
+ * <h3>Per-network extension details</h3>
+ * On first {@code implement}, the script is called with
+ * {@code ensure-network-device}.  The script selects a host (e.g. from the
+ * {@code hosts} list in the physical-network details), checks it is reachable,
+ * and prints a JSON object to stdout.  CloudStack stores this verbatim in
+ * {@code network_details} under key {@value #NETWORK_DETAIL_EXTENSION_DETAILS}
+ * and forwards it on every subsequent call via
+ * {@value #ARG_NETWORK_EXTENSION_DETAILS}.
+ *
+ * <p>Example per-network details (KVM-namespace backend):</p>
+ * <pre>{"host":"192.168.1.10","namespace":"cs-net-42"}</pre>
+ *
+ * <h3>Network capabilities</h3>
+ * When creating the extension, set detail {@code network.capabilities} to a
+ * JSON object describing the services and their capabilities:
+ * <pre>
+ * {
+ *   "services": ["SourceNat", "StaticNat", "PortForwarding", "Firewall"],
+ *   "capabilities": {
+ *     "SourceNat": { "SupportedSourceNatTypes": "peraccount", "RedundantRouter": "false" }
+ *   }
+ * }
+ * </pre>
+ */
+public class NetworkExtensionElement extends AdapterBase implements
+        NetworkElement, SourceNatServiceProvider, StaticNatServiceProvider,
+        PortForwardingServiceProvider, IpDeployer, NetworkCustomActionProvider,
+        DhcpServiceProvider, DnsServiceProvider, FirewallServiceProvider,
+        UserDataServiceProvider, LoadBalancingServiceProvider,
+        VpcProvider, NetworkACLServiceProvider, AggregatedCommandExecutor {
+
+    private static final Map<Service, Map<Capability, String>> DEFAULT_CAPABILITIES = new HashMap<>();
+
+
+    /**
+     * When non-null, restricts all operations to the extension whose name
+     * matches this provider name.
+     */
+    private String providerName;
+
+    @Inject
+    private NetworkModel networkModel;
+    @Inject
+    private NetworkServiceMapDao ntwkSrvcDao;
+    @Inject
+    private ExtensionHelper extensionHelper;
+    @Inject
+    private NetworkDetailsDao networkDetailsDao;
+    @Inject
+    private IpAddressManager ipAddressManager;
+    @Inject
+    private NetworkOrchestrationService networkManager;
+    @Inject
+    private AccountService accountService;
+    @Inject
+    private PhysicalNetworkDao physicalNetworkDao;
+    @Inject
+    private DataCenterDao dataCenterDao;
+    @Inject
+    private VlanDao vlanDao;
+    @Inject
+    private GuestOSCategoryDao guestOSCategoryDao;
+    @Inject
+    private GuestOSDao guestOSDao;
+    @Inject
+    private HostDao hostDao;
+    @Inject
+    private VMInstanceDetailsDao vmInstanceDetailsDao;
+    @Inject
+    private UserVmDao userVmDao;
+    @Inject
+    private NicDao nicDao;
+    @Inject
+    private NetworkOfferingDao networkOfferingDao;
+    @Inject
+    private ServiceOfferingDao serviceOfferingDao;
+    @Inject
+    private FirewallRulesDao firewallRulesDao;
+    @Inject
+    private IPAddressDao ipAddressDao;
+    @Inject
+    private VpcDao vpcDao;
+    @Inject
+    private VpcDetailsDao vpcDetailsDao;
+
+    // ---- Script argument names ----
+
+    /** CLI argument carrying physical-network extension details as a JSON object. */
+    public static final String ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS = "--physical-network-extension-details";
+
+    /** CLI argument carrying per-network opaque JSON blob. */
+    public static final String ARG_NETWORK_EXTENSION_DETAILS = "--network-extension-details";
+
+    /** CLI argument carrying per-action parameters as a JSON object. */
+    public static final String ARG_ACTION_PARAMS = "--action-params";
+
+    // ---- Network detail key ----
+
+    /**
+     * Key used to persist the per-network JSON blob in {@code network_details}.
+     * The blob is produced by the network-extension.sh's {@code ensure-network-device}
+     * command and may contain any fields the script needs (e.g. selected host,
+     * namespace name, VRF ID, …).
+     */
+    public static final String NETWORK_DETAIL_EXTENSION_DETAILS = "extension.details";
+
+    public String getProviderName() {
+        return providerName;
+    }
+
+    /**
+     * Returns a new {@link NetworkExtensionElement} scoped to {@code providerName},
+     * sharing all injected dependencies with this instance.
+     */
+    public NetworkExtensionElement withProviderName(String providerName) {
+        NetworkExtensionElement copy = new NetworkExtensionElement();
+        copy.networkModel                   = this.networkModel;
+        copy.ntwkSrvcDao                    = this.ntwkSrvcDao;
+        copy.extensionHelper                = this.extensionHelper;
+        copy.networkDetailsDao              = this.networkDetailsDao;
+        copy.ipAddressManager               = this.ipAddressManager;
+        copy.physicalNetworkDao             = this.physicalNetworkDao;
+        copy.dataCenterDao                  = this.dataCenterDao;
+        copy.vlanDao                        = this.vlanDao;
+        copy.guestOSCategoryDao             = this.guestOSCategoryDao;
+        copy.guestOSDao                     = this.guestOSDao;
+        copy.hostDao                        = this.hostDao;
+        copy.vmInstanceDetailsDao           = this.vmInstanceDetailsDao;
+        copy.userVmDao                      = this.userVmDao;
+        copy.nicDao                         = this.nicDao;
+        copy.networkManager                 = this.networkManager;
+        copy.networkOfferingDao             = this.networkOfferingDao;
+        copy.serviceOfferingDao             = this.serviceOfferingDao;
+        copy.accountService                 = this.accountService;
+        copy.firewallRulesDao               = this.firewallRulesDao;
+        copy.ipAddressDao                   = this.ipAddressDao;
+        copy.vpcDao                         = this.vpcDao;
+        copy.vpcDetailsDao                  = this.vpcDetailsDao;
+        copy.providerName                   = providerName;
+
+        logger.debug("NetworkExtensionElement initialised with provider name '{}'", providerName);
+        return copy;
+    }
+
+    // ---- Capabilities ----
+
+    @Override
+    public Map<Service, Map<Capability, String>> getCapabilities() {
+        try {
+            // If this element is scoped to a provider name, prefer capabilities stored
+            // in the extension's "network.capabilities" detail.  The ExtensionHelper
+            // exposes a helper that loads the Service→Capability map from the DB.
+            if (providerName != null && !providerName.isBlank()) {
+                Map<Service, Map<Capability, String>> caps = extensionHelper.getNetworkCapabilitiesForProvider(null, providerName);
+                if (caps != null && !caps.isEmpty()) {
+                    return caps;
+                }
+            }
+        } catch (Exception e) {
+            logger.warn("Failed to load network capabilities from extension details for provider '{}': {}", providerName, e.getMessage());
+        }
+
+        return DEFAULT_CAPABILITIES;
+    }
+
+    @Override
+    public Provider getProvider() {
+        if (providerName != null) {
+            return Provider.createTransientProvider(providerName);
+        }
+        return Provider.NetworkExtension;
+    }
+
+    // ---- Extension / provider resolution ----
+
+    protected Extension resolveExtension(Network network) {
+        Long physicalNetworkId = network.getPhysicalNetworkId();
+        if (physicalNetworkId == null) {
+            logger.warn("Network {} has no physical network — cannot resolve extension", network.getId());
+            return null;
+        }
+        if (providerName != null && !providerName.isBlank()) {
+            Extension ext = extensionHelper.getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, providerName);
+            if (ext != null) {
+                return ext;
+            }
+            logger.warn("No extension found for scoped provider '{}' on physical network {}", providerName, physicalNetworkId);
+        }
+        List<String> providers = ntwkSrvcDao.getDistinctProviders(network.getId());
+        if (providers != null) {
+            for (String p : providers) {
+                Extension ext = extensionHelper.getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, p);
+                if (ext != null) {
+                    return ext;
+                }
+            }
+        }
+        return extensionHelper.getExtensionForPhysicalNetwork(physicalNetworkId);
+    }
+
+    protected boolean canHandle(Network network, Service service) {
+        Long physicalNetworkId = network.getPhysicalNetworkId();
+        if (physicalNetworkId == null) {
+            return false;
+        }
+        if (providerName != null && !providerName.isBlank()) {
+            boolean hasExt = extensionHelper.getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, providerName) != null;
+            if (!hasExt) {
+                return false;
+            }
+            if (service == null) {
+                return true;
+            }
+            List<String> sp = ntwkSrvcDao.getProvidersForServiceInNetwork(network.getId(), service);
+            return sp != null && sp.stream()
+                    .anyMatch(p -> extensionHelper.getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, p) != null);
+        }
+        List<String> providers = ntwkSrvcDao.getDistinctProviders(network.getId());
+        if (providers == null || providers.isEmpty()) {
+            return false;
+        }
+        boolean hasExtProv = providers.stream().anyMatch(
+                p -> extensionHelper.getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, p) != null);
+        if (!hasExtProv) {
+            return false;
+        }
+        if (service == null) {
+            return true;
+        }
+        List<String> sp = ntwkSrvcDao.getProvidersForServiceInNetwork(network.getId(), service);
+        return sp != null && sp.stream()
+                .anyMatch(p -> extensionHelper.getExtensionForPhysicalNetworkAndProvider(physicalNetworkId, p) != null);
+    }
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        super.configure(name, params);
+        return true;
+    }
+
+    // ---- NetworkElement lifecycle ----
+
+    @Override
+    public boolean implement(Network network, NetworkOffering offering, DeployDestination dest,
+            ReservationContext context) throws ConcurrentOperationException,
+            ResourceUnavailableException, InsufficientCapacityException {
+        if (!canHandle(network, null)) {
+            return false;
+        }
+        logger.info("Implementing network extension for network {} (VLAN {})", network.getId(), network.getBroadcastUri());
+
+        // Step 1: Ensure a network device is selected and its details stored.
+        ensureExtensionDetails(network);
+
+        // Step 2: Allocate the IPs for DHCP/DNS/UserData service if needed
+        String extensionIp = ensureExtensionIp(network);
+
+        String vlanId = getVlanId(network);
+
+        // Build common vpc/network args
+        List<String> vpcArgs = getVpcIdArgs(network);
+
+        // Step 2: Create the network on the device.
+        List<String> implArgs = new ArrayList<>();
+        implArgs.add("--network-id");   implArgs.add(String.valueOf(network.getId()));
+        implArgs.add("--vlan");         implArgs.add(safeStr(vlanId));
+        implArgs.add("--gateway");      implArgs.add(safeStr(network.getGateway()));
+        implArgs.add("--cidr");         implArgs.add(safeStr(network.getCidr()));
+        implArgs.add("--extension-ip"); implArgs.add(safeStr(extensionIp));
+        implArgs.addAll(vpcArgs);
+
+        boolean result = executeScript(network, "implement-network", implArgs.toArray(new String[0]));
+
+        if (!result) {
+            return false;
+        }
+
+        // Step 3: Configure source NAT for both VPC and non-VPC networks for
+        // compatibility (other network-element providers may also implement VPC tiers).
+        // When this is a VPC tier, the script's assign-ip does nothing for source-nat
+        // because VPC source NAT is managed at the VPC level by implementVpc().
+        if (canHandle(network, Service.SourceNat)) {
+            try {
+                if (network.getVpcId() == null) {
+                    // Isolated network: apply the network's own source NAT IP.
+                    Account owner = accountService.getAccount(network.getAccountId());
+                    PublicIpAddress existingIp = networkModel.getSourceNatIpAddressForGuestNetwork(owner, network);
+                    if (existingIp != null) {
+                        applyIps(network, List.of(existingIp), Set.of(Service.SourceNat));
+                    }
+                } else {
+                    // VPC tier: apply the VPC-level source NAT IP (script is a no-op for SNAT).
+                    final PublicIpAddress vpcSourceNatIp = getVpcSourceNatIp(network.getVpcId());
+                    if (vpcSourceNatIp != null) {
+                        applyIps(network, List.of(vpcSourceNatIp), Set.of(Service.SourceNat));
+                    }
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to configure source NAT IP for network {}: {}", network.getId(), e.getMessage(), e);
+            }
+        }
+
+        return true;
+    }
+
+    @Override
+    public boolean prepare(Network network, NicProfile nic, VirtualMachineProfile vm,
+            DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        // Copy from VirtualRouterElement.java
+        if (vm.getType() != VirtualMachine.Type.User || vm.getHypervisorType() == Hypervisor.HypervisorType.BareMetal) {
+            return false;
+        }
+
+        if (!canHandle(network, null)) {
+            return false;
+        }
+
+        if (!networkModel.isProviderEnabledInPhysicalNetwork(networkModel.getPhysicalNetworkId(network), getProvider().getName())) {
+            return false;
+        }
+
+        final NetworkOfferingVO offering = networkOfferingDao.findById(network.getNetworkOfferingId());
+        implement(network, offering, dest, context);
+
+        return true;
+    }
+
+    @Override
+    public boolean release(Network network, NicProfile nic, VirtualMachineProfile vm,
+            ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean shutdown(Network network, ReservationContext context, boolean cleanup)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        logger.info("Shutting down network extension for network {}", network.getId());
+        List<String> args = new ArrayList<>();
+        args.add("--network-id"); args.add(String.valueOf(network.getId()));
+        args.add("--vlan");       args.add(safeStr(getVlanId(network)));
+        args.addAll(getVpcIdArgs(network));
+        boolean result = executeScript(network, "shutdown-network", args.toArray(new String[0]));
+        if (result) {
+            // Remove stored per-network extension details (e.g. namespace). For VPC-backed networks
+            // the namespace is named cs-vpc-<vpcId>, stored in the extension details. Removing the
+            // stored details ensures the namespace is deleted/forgotten on shutdown.
+            try {
+                networkDetailsDao.removeDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS);
+            } catch (Exception e) {
+                logger.warn("Failed to remove network extension details for network {}: {}", network.getId(), e.getMessage());
+            }
+        }
+        return result;
+    }
+
+    @Override
+    public boolean destroy(Network network, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        logger.info("Destroying network extension for network {}", network.getId());
+        List<String> args = new ArrayList<>();
+        args.add("--network-id"); args.add(String.valueOf(network.getId()));
+        args.add("--vlan");       args.add(safeStr(getVlanId(network)));
+        args.addAll(getVpcIdArgs(network));
+        // For both isolated and VPC tier networks, use destroy-network.
+        // For VPC tiers, the script preserves the shared namespace;
+        // the VPC namespace is removed only when shutdownVpc() calls shutdown-vpc.
+        boolean result = executeScript(network, "destroy-network", args.toArray(new String[0]));
+        if (result) {
+            cleanupPlaceholderNicIp(network, context);
+            networkDetailsDao.removeDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS);
+        }
+        return result;
+    }
+
+    /**
+     * Releases placeholder NIC IPs allocated for DHCP/DNS/UserData extension traffic,
+     * then removes the placeholder NIC record(s) for this network.
+     */
+    protected void cleanupPlaceholderNicIp(Network network, ReservationContext context) {
+        List<NicVO> placeholderNics = nicDao.listPlaceholderNicsByNetworkIdAndVmType(
+                network.getId(), VirtualMachine.Type.DomainRouter);
+        if (placeholderNics == null || placeholderNics.isEmpty()) {
+            return;
+        }
+
+        long userId = accountService.getSystemUser().getId();
+        Account caller = accountService.getSystemAccount();
+        if (context != null && context.getAccount() != null) {
+            caller = context.getAccount();
+        }
+
+        for (NicVO placeholderNic : placeholderNics) {
+            try {
+                String ip = placeholderNic.getIPv4Address();
+                if (ip != null && !ip.isBlank()) {
+                    logger.debug("Cleaning up PlaceHolder IP {} on network {}", ip, network.getId());
+                    IPAddressVO ipAddress = ipAddressDao.findByIpAndSourceNetworkId(network.getId(), ip);
+                    if (ipAddress != null) {
+                        if (Network.GuestType.Shared.equals(network.getGuestType())) {
+                            ipAddressManager.disassociatePublicIpAddress(ipAddress, userId, caller);
+                        } else {
+                            ipAddressManager.markIpAsUnavailable(ipAddress.getId());
+                            ipAddressDao.unassignIpAddress(ipAddress.getId());
+                        }
+                    }
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to release placeholder IP for network {} and nic {}: {}",
+                        network.getId(), placeholderNic.getId(), e.getMessage());
+            }
+
+            try {
+                nicDao.remove(placeholderNic.getId());
+            } catch (Exception e) {
+                logger.warn("Failed to remove placeholder nic {} for network {}: {}",
+                        placeholderNic.getId(), network.getId(), e.getMessage());
+            }
+        }
+    }
+
+    @Override
+    public boolean isReady(PhysicalNetworkServiceProvider provider) {
+        return true;
+    }
+
+    @Override
+    public boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean canEnableIndividualServices() {
+        return true;
+    }
+
+    @Override
+    public boolean verifyServicesCombination(Set<Service> services) {
+        return true;
+    }
+
+    // ---- ensure-network-device ----
+
+    /**
+     * Calls the network-extension.sh script with {@code ensure-network-device} before
+     * the first network operation.  The script verifies the previously selected
+     * device is reachable (using the {@code hosts} list in the physical-network
+     * extension details) and performs failover if needed.  The returned JSON is
+     * persisted in {@code network_details} and forwarded to all subsequent calls
+     * via {@value #ARG_NETWORK_EXTENSION_DETAILS}.
+     *
+     * <p>For VPC tier networks the extension details are inherited from the VPC-level
+     * details (stored in {@code vpc_details}) so all tiers in the same VPC share
+     * the same host/namespace binding.  The script's {@code ensure-network-device}
+     * is only called at the VPC level (see {@link #ensureExtensionDetails(Vpc)}).</p>
+     */
+    protected void ensureExtensionDetails(Network network) {
+        if (network.getVpcId() != null) {
+            Vpc vpc = vpcDao.findById(network.getVpcId());
+            ensureExtensionDetails(vpc);
+            return;
+        }
+
+        // Isolated network: run ensure-network-device to select / validate the host.
+        Map<String, String> stored = networkDetailsDao.listDetailsKeyPairs(network.getId());
+        String currentDetails = stored != null
+                ? stored.getOrDefault(NETWORK_DETAIL_EXTENSION_DETAILS, "{}") : "{}";
+
+        logger.info("Ensuring network device for network {} (current={})", network.getId(), currentDetails);
+
+        Extension extension = resolveExtension(network);
+        File scriptFile = resolveScriptFile(network, extension);
+
+        String physicalNetworkDetailsJson = buildPhysicalNetworkDetailsJson(network.getPhysicalNetworkId(), extension);
+
+        List<String> cmdLine = new ArrayList<>();
+        cmdLine.add(scriptFile.getAbsolutePath());
+        cmdLine.add("ensure-network-device");
+        cmdLine.add("--network-id");
+        cmdLine.add(String.valueOf(network.getId()));
+        cmdLine.add("--vlan");
+        cmdLine.add(safeStr(getVlanId(network)));
+        cmdLine.add("--zone-id");
+        cmdLine.add(String.valueOf(network.getDataCenterId()));
+        // Pass VPC ID so the script can derive the correct namespace (cs-net-<vpcId>)
+        if (network.getVpcId() != null) {
+            cmdLine.add("--vpc-id");
+            cmdLine.add(String.valueOf(network.getVpcId()));
+        }
+        cmdLine.add("--current-details");
+        cmdLine.add(currentDetails);
+        cmdLine.add(ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(physicalNetworkDetailsJson);
+        cmdLine.add(ARG_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(currentDetails);
+
+        try {
+            ProcessBuilder pb = new ProcessBuilder(cmdLine);
+            pb.redirectErrorStream(true);
+            Process process = pb.start();
+            String output = new String(process.getInputStream().readAllBytes()).trim();
+            int exitCode = process.waitFor();
+
+            if (exitCode != 0) {
+                logger.warn("ensure-network-device exited {} for network {} — keeping current details",
+                        exitCode, network.getId());
+                if ("{}".equals(currentDetails)) {
+                    networkDetailsDao.addDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS, "{}", false);
+                }
+                return;
+            }
+            if (output.isEmpty()) {
+                output = "{}".equals(currentDetails) ? "{}" : currentDetails;
+            }
+            if (!output.equals(currentDetails)) {
+                logger.info("Network device updated for network {}: {}", network.getId(), output);
+                networkDetailsDao.addDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS, output, false);
+            } else {
+                logger.debug("Network device unchanged for network {}: {}", network.getId(), output);
+            }
+        } catch (Exception e) {
+            logger.warn("Failed ensure-network-device for network {}: {}", network.getId(), e.getMessage());
+            if ("{}".equals(currentDetails)) {
+                networkDetailsDao.addDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS, "{}", false);
+            }
+        }
+    }
+
+    /*
+    * If the network supports DHCP/DNS/UserData but not SourceNat/Gateway,
+    * an additional IP is needed on the external network to host these services.
+    * This method ensures that IP is allocated and configured on the external network and returns its address.
+     */
+    protected String ensureExtensionIp(Network network) {
+        if (networkModel.isAnyServiceSupportedInNetwork(network.getId(), this.getProvider(),
+                Service.SourceNat, Service.Gateway)) {
+            // Gateway or Source NAT will be configured on the external network
+            return network.getGateway();
+        }
+
+        if (networkModel.isAnyServiceSupportedInNetwork(network.getId(), this.getProvider(),
+                Service.Dhcp, Service.Dns, Service.UserData)) {
+                try {
+                    // An extra IP will be allocated and configured on the external network
+                    Nic placeholderNic = networkModel.getPlaceholderNicForRouter(network, null);
+                    if (placeholderNic == null) {
+                        NetworkDetailVO routerIpDetail = networkDetailsDao.findDetail(network.getId(), ApiConstants.ROUTER_IP);
+                        String routerIp = routerIpDetail != null ? routerIpDetail.getValue() : null;
+                        Account account = accountService.getAccount(network.getAccountId());
+                        String extensionIp = Network.GuestType.Shared.equals(network.getGuestType()) ?
+                                ipAddressManager.assignPublicIpAddress(network.getDataCenterId(), null, account, Vlan.VlanType.DirectAttached, network.getId(), routerIp, false, false).getAddress().toString():
+                                ipAddressManager.acquireGuestIpAddress(network, routerIp);
+                        logger.debug("Saving placeholder nic with ip4 address {} for the network", extensionIp, network);
+                        networkManager.savePlaceholderNic(network, extensionIp, null, VirtualMachine.Type.DomainRouter);
+                        return extensionIp;
+                    }
+                    return placeholderNic.getIPv4Address();
+                } catch (Exception e) {
+                    logger.warn("Failed to acquire extension IP for network {}: {}", network.getId(), e.getMessage());
+                }
+        }
+        return null;
+    }
+
+    // ---- IpDeployer ----
+
+    @Override
+    public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Service> services)
+            throws ResourceUnavailableException {
+        if (ipAddress == null || ipAddress.isEmpty()) {
+            return true;
+        }
+        logger.info("Applying {} IPs for network {}", ipAddress.size(), network.getId());
+        String vlanId = getVlanId(network);
+
+        for (PublicIpAddress ip : ipAddress) {
+            boolean isSourceNat = ip.isSourceNat();
+            boolean isRevoke = ip.getState() == IpAddress.State.Releasing;
+            String action = isRevoke ? "release-ip" : "assign-ip";
+
+            // Public VLAN tag (e.g. "101") from the IP's VLAN record.
+            String publicVlanTag = safeStr(ip.getVlanTag());
+
+            // Compute public IP gateway and CIDR (from the PublicIpAddress if available)
+            String publicGateway;
+            String publicCidr;
+            try {
+                publicGateway = ip.getGateway();
+                String publicIpStr = ip.getAddress() != null ? ip.getAddress().addr() : null;
+                String publicNetmask = ip.getNetmask();
+                publicCidr = buildCidrFromIpAndNetmask(publicIpStr, publicNetmask);
+            } catch (Exception e) {
+                publicGateway = null;
+                publicCidr = null;
+            }
+
+            List<String> args = new ArrayList<>();
+            args.add("--network-id");         args.add(String.valueOf(network.getId()));
+            args.add("--vlan");               args.add(safeStr(vlanId));
+            args.add("--public-ip");          args.add(ip.getAddress().addr());
+            args.add("--source-nat");         args.add(String.valueOf(isSourceNat));
+            args.add("--gateway");            args.add(safeStr(network.getGateway()));
+            args.add("--cidr");               args.add(safeStr(network.getCidr()));
+            args.add("--public-gateway");     args.add(safeStr(publicGateway));
+            args.add("--public-cidr");        args.add(safeStr(publicCidr));
+            args.add("--public-vlan");        args.add(publicVlanTag);
+            args.addAll(getVpcIdArgs(network));
+
+             boolean result = executeScript(network, action, args.toArray(new String[0]));
+             if (!result) {
+                 throw new ResourceUnavailableException(
+                         "Failed to " + action + " for IP " + ip.getAddress().addr(),
+                         Network.class, network.getId());
+             }
+         }
+         return true;
+     }
+
+    /**
+     * Build a CIDR string from IP address and dotted netmask (or prefix).
+     * Returns "" if either value is null or parsing fails.
+     */
+    private String buildCidrFromIpAndNetmask(String ipStr, String netmaskStr) {
+        if (ipStr == null || ipStr.isEmpty() || netmaskStr == null || netmaskStr.isEmpty()) {
+            return "";
+        }
+        // If netmask is already CIDR (contains '/'), try to return network/prefix
+        if (netmaskStr.contains("/")) {
+            return netmaskStr;
+        }
+        try {
+            InetAddress ip = InetAddress.getByName(ipStr);
+            InetAddress mask = InetAddress.getByName(netmaskStr);
+            int maskInt = ByteBuffer.wrap(mask.getAddress()).getInt();
+            int prefix = Integer.bitCount(maskInt);
+            // Return the provided IP with the calculated prefix so the address retains its host value
+            return ip.getHostAddress() + "/" + prefix;
+        } catch (Exception e) {
+            logger.debug("Failed to compute CIDR from ip/netmask {} {}: {}", ipStr, netmaskStr, e.getMessage());
+            return "";
+        }
+    }
+
+    // ---- StaticNatServiceProvider ----
+
+    @Override
+    public boolean applyStaticNats(Network config, List<? extends StaticNat> rules)
+            throws ResourceUnavailableException {
+        if (rules == null || rules.isEmpty()) {
+            return true;
+        }
+        if (!canHandle(config, Service.StaticNat)) {
+            return false;
+        }
+        logger.info("Applying {} static NAT rules for network {}", rules.size(), config.getId());
+        String vlanId = getVlanId(config);
+        List<String> vpcArgs = getVpcIdArgs(config);
+
+        for (StaticNat rule : rules) {
+            String action = rule.isForRevoke() ? "delete-static-nat" : "add-static-nat";
+            String publicCidr = getPublicCidr(rule.getSourceIpAddressId());
+            String publicVlanTag = getPublicVlanTag(rule.getSourceIpAddressId());
+
+            List<String> args = new ArrayList<>();
+            args.add("--network-id");        args.add(String.valueOf(config.getId()));
+            args.add("--vlan");              args.add(safeStr(vlanId));
+            args.add("--public-ip");         args.add(getIpAddress(rule.getSourceIpAddressId()));
+            args.add("--public-cidr");       args.add(safeStr(publicCidr));
+            args.add("--public-vlan");       args.add(publicVlanTag);
+            args.add("--private-ip");        args.add(safeStr(rule.getDestIpAddress()));
+            args.addAll(vpcArgs);
+            boolean result = executeScript(config, action, args.toArray(new String[0]));
+            if (!result) {
+                throw new ResourceUnavailableException("Failed to " + action + " for static NAT rule",
+                        Network.class, config.getId());
+            }
+        }
+        return true;
+    }
+
+    // ---- PortForwardingServiceProvider ----
+
+    @Override
+    public boolean applyPFRules(Network network, List<PortForwardingRule> rules)
+            throws ResourceUnavailableException {
+        if (rules == null || rules.isEmpty()) {
+            return true;
+        }
+        if (!canHandle(network, Service.PortForwarding)) {
+            return false;
+        }
+        logger.info("Applying {} port forwarding rules for network {}", rules.size(), network.getId());
+        String vlanId = getVlanId(network);
+        List<String> vpcArgs = getVpcIdArgs(network);
+
+        for (PortForwardingRule rule : rules) {
+            boolean isRevoke = rule.getState() == FirewallRule.State.Revoke;
+            String action = isRevoke ? "delete-port-forward" : "add-port-forward";
+            String publicPort  = PortForwardingServiceProvider.getPublicPortRange(rule);
+            String privatePort = PortForwardingServiceProvider.getPrivatePFPortRange(rule);
+            String publicCidr  = getPublicCidr(rule.getSourceIpAddressId());
+            String publicVlanTag = getPublicVlanTag(rule.getSourceIpAddressId());
+
+            List<String> args = new ArrayList<>();
+            args.add("--network-id");        args.add(String.valueOf(network.getId()));
+            args.add("--vlan");              args.add(safeStr(vlanId));
+            args.add("--public-ip");         args.add(getIpAddress(rule.getSourceIpAddressId()));
+            args.add("--public-cidr");       args.add(safeStr(publicCidr));
+            args.add("--public-vlan");       args.add(publicVlanTag);
+            args.add("--public-port");       args.add(safeStr(publicPort));
+            args.add("--private-ip");        args.add(safeStr(rule.getDestinationIpAddress() != null
+                    ? rule.getDestinationIpAddress().addr() : null));
+            args.add("--private-port");      args.add(safeStr(privatePort));
+            args.add("--protocol");          args.add(safeStr(rule.getProtocol()));
+            args.addAll(vpcArgs);
+            boolean result = executeScript(network, action, args.toArray(new String[0]));
+            if (!result) {
+                throw new ResourceUnavailableException("Failed to " + action + " for port forwarding rule",
+                        Network.class, network.getId());
+            }
+        }
+        return true;
+    }
+
+    // ---- Script execution ----
+
+    /**
+     * Executes the network-extension.sh script with the given command and arguments.
+     *
+     * <p>Two JSON blobs are always appended as named CLI arguments:</p>
+     * <ul>
+     *   <li>{@value #ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS} {@code <json>} – all
+     *       {@code extension_resource_map_details} for this extension on the physical
+     *       network.  Sensitive keys (password, sshkey) are included but redacted in
+     *       log output.</li>
+     *   <li>{@value #ARG_NETWORK_EXTENSION_DETAILS} {@code <json>} – the per-network
+     *       JSON blob from {@code network_details} ({@code {}} if not yet set).</li>
+     * </ul>
+     */
+    protected boolean executeScript(Network network, String command, String... args) {
+        Extension extension = resolveExtension(network);
+        File scriptFile = resolveScriptFile(network, extension);
+
+        ensureExtensionDetails(network);
+
+        String physicalNetworkDetailsJson = buildPhysicalNetworkDetailsJson(network.getPhysicalNetworkId(), extension);
+        String networkExtensionDetailsJson = getNetworkExtensionDetailsJson(network);
+
+        // Log the JSON blobs so we can diagnose missing-argument issues in runtime logs
+        logger.debug("Physical network details JSON: {}", physicalNetworkDetailsJson);
+        logger.debug("Network extension details JSON: {}", networkExtensionDetailsJson);
+
+        List<String> cmdLine = new ArrayList<>();
+        cmdLine.add(scriptFile.getAbsolutePath());
+        cmdLine.add(command);
+        cmdLine.addAll(Arrays.asList(args));
+        cmdLine.add(ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(physicalNetworkDetailsJson);
+        cmdLine.add(ARG_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(networkExtensionDetailsJson);
+
+        logger.debug("Executing network extension script: {}", String.join(" ", cmdLine));
+
+        try {
+            ProcessBuilder pb = new ProcessBuilder(cmdLine);
+            pb.redirectErrorStream(true);
+            Process process = pb.start();
+            byte[] output = process.getInputStream().readAllBytes();
+            int exitCode = process.waitFor();
+
+            String outputStr = new String(output).trim();
+            if (!outputStr.isEmpty()) {
+                logger.debug("Script output: {}", outputStr);
+            }
+            if (exitCode != 0) {
+                logger.error("Network extension script failed with exit code {}: {}", exitCode, outputStr);
+                return false;
+            }
+            return true;
+        } catch (Exception e) {
+            logger.error("Failed to execute network extension script: {}", e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to execute network extension script", e);
+        }
+    }
+
+    /**
+     * Writes a potentially large payload to a temporary file and passes the file path
+     * to the extension script via {@code payloadArgName}. This avoids argv size limits
+     * for multi-MB payloads.
+     */
+    protected boolean executeScriptWithFilePayload(Network network, String command,
+            String payloadArgName, String payload, String... args) {
+        File payloadFile = null;
+        try {
+            payloadFile = File.createTempFile("cs-extnet-" + command + "-", ".payload");
+            Files.writeString(payloadFile.toPath(), payload != null ? payload : "", StandardCharsets.UTF_8);
+
+            List<String> cmdArgs = new ArrayList<>();
+            cmdArgs.addAll(Arrays.asList(args));
+            cmdArgs.add(payloadArgName);
+            cmdArgs.add(payloadFile.getAbsolutePath());
+
+            return executeScript(network, command, cmdArgs.toArray(new String[0]));
+        } catch (Exception e) {
+            throw new CloudRuntimeException(
+                    String.format("Failed preparing payload file for command %s", command), e);
+        } finally {
+            if (payloadFile != null && payloadFile.exists() && !payloadFile.delete()) {
+                payloadFile.deleteOnExit();
+            }
+        }
+    }
+
+    // ---- Detail helpers ----
+
+    /**
+     * Returns all {@code extension_resource_map_details} for the given extension
+     * on the physical network as a plain map, enriched with physical-network
+     * metadata (name, kvmnetworklabel, vmwarenetworklabel, xennetworklabel,
+     * public_kvmnetworklabel) so the wrapper script can derive bridge names and
+     * interface names without extra lookups.
+     */
+    private Map<String, String> buildPhysicalNetworkDetailsMap(Long physicalNetworkId, Extension extension) {
+        Map<String, String> details = new HashMap<>();
+        if (physicalNetworkId == null || extension == null) {
+            return details;
+        }
+        // Start with registered extension_resource_map_details
+        Map<String, String> mapDetails = extensionHelper.getAllResourceMapDetailsForExtensionOnPhysicalNetwork(
+                physicalNetworkId, extension.getId());
+        if (mapDetails != null) {
+            details.putAll(mapDetails);
+        }
+
+        // Enrich with physical-network record fields
+        PhysicalNetworkVO pn = physicalNetworkDao.findById(physicalNetworkId);
+        if (pn != null && pn.getName() != null) {
+            details.put("physicalnetworkname", pn.getName());
+        }
+
+        return details;
+    }
+
+
+    /**
+     * Returns {@code ["--vpc-id", "<vpcId>"]} when the network belongs to a VPC,
+     * or an empty list otherwise.  Appended to every script invocation so the
+     * wrapper script can derive the correct namespace (cs-net-&lt;vpcId&gt;).
+     */
+    private List<String> getVpcIdArgs(Network network) {
+        if (network.getVpcId() != null) {
+            return List.of("--vpc-id", String.valueOf(network.getVpcId()));
+        }
+        return List.of();
+    }
+
+    /**
+     * Serialises the physical-network extension details to a compact JSON object string.
+     */
+    private String buildPhysicalNetworkDetailsJson(Long physicalNetworkId, Extension extension) {
+        return mapToJson(buildPhysicalNetworkDetailsMap(physicalNetworkId, extension));
+    }
+
+    /**
+     * Reads the per-network JSON blob from {@code network_details}
+     * (returns {@code {}} if not yet set).
+     */
+    private String getNetworkExtensionDetailsJson(Network network) {
+        if (network.getVpcId() != null) {
+            return getVpcExtensionDetailsJson(network.getVpcId());
+        } else {
+            Map<String, String> networkDetails = networkDetailsDao.listDetailsKeyPairs(network.getId());
+            return networkDetails != null
+                    ? networkDetails.getOrDefault(NETWORK_DETAIL_EXTENSION_DETAILS, "{}") : "{}";
+        }
+    }
+
+
+    /**
+     * Serialises a {@code Map<String, String>} to a compact JSON object string.
+     * Returns {@code {}} for null or empty maps.
+     */
+    private String mapToJson(Map<String, String> map) {
+        if (map == null || map.isEmpty()) {
+            return "{}";
+        }
+        JsonObject obj = new JsonObject();
+        for (Map.Entry<String, String> entry : map.entrySet()) {
+            if (entry.getValue() != null) {
+                obj.addProperty(entry.getKey(), entry.getValue());
+            }
+        }
+        return new Gson().toJson(obj);
+    }
+
+    // ---- Custom action ----
+
+    @Override
+    public boolean canHandleCustomAction(Network network) {
+        return canHandle(network, null);
+    }
+
+    /**
+     * Runs a custom action on the external network device.
+     * Per-action parameters are passed as a JSON object via
+     * {@value #ARG_ACTION_PARAMS}, e.g.:
+     * <pre>--action-params '{"key1":"value1","key2":"value2"}'</pre>
+     * The wrapper script receives the `--action-params` JSON string and forwards
+     * it unchanged to hook scripts as the `--action-params` CLI argument; hook
+     * scripts should parse the JSON themselves (for example using `jq` or a
+     * small shell/awk parser).
+     */
+    public String runCustomAction(Network network, String actionName, Map<String, Object> parameters) {
+        Extension extension = resolveExtension(network);
+        File scriptFile = resolveScriptFile(network, extension);
+
+        String physicalNetworkDetailsJson = buildPhysicalNetworkDetailsJson(network.getPhysicalNetworkId(), extension);
+        String networkExtensionDetailsJson = getNetworkExtensionDetailsJson(network);
+        String actionParamsJson = buildActionParamsJson(parameters);
+
+        List<String> cmdLine = new ArrayList<>();
+        cmdLine.add(scriptFile.getAbsolutePath());
+        cmdLine.add("custom-action");
+        cmdLine.add("--network-id");
+        cmdLine.add(String.valueOf(network.getId()));
+        cmdLine.add("--action");
+        cmdLine.add(actionName);
+        cmdLine.add(ARG_ACTION_PARAMS);
+        cmdLine.add(actionParamsJson);
+        cmdLine.add(ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(physicalNetworkDetailsJson);
+        cmdLine.add(ARG_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(networkExtensionDetailsJson);
+
+        logger.info("Running custom action '{}' on network {} (extension: {}, params: {} key(s))",
+                actionName, network.getId(), extension != null ? extension.getName() : "unknown",
+                parameters != null ? parameters.size() : 0);
+
+        try {
+            ProcessBuilder pb = new ProcessBuilder(cmdLine);
+            pb.redirectErrorStream(true);
+            Process process = pb.start();
+            byte[] output = process.getInputStream().readAllBytes();
+            int exitCode = process.waitFor();
+            String outputStr = new String(output).trim();
+
+            logger.debug("Running custom action script: {}", String.join(" ", cmdLine));
+
+            if (exitCode != 0) {
+                logger.error("Custom action '{}' failed (exit {}): {}", actionName, exitCode, outputStr);
+                return null;
+            }
+            logger.info("Custom action '{}' completed successfully", actionName);
+            return outputStr.isEmpty() ? "OK" : outputStr;
+        } catch (Exception e) {
+            logger.error("Failed to execute custom action '{}': {}", actionName, e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to execute custom action: " + actionName, e);
+        }
+    }
+
+    /**
+     * Serialises custom-action parameters to a compact JSON object string.
+     * Returns {@code {}} for null or empty maps.
+     */
+    private String buildActionParamsJson(Map<String, Object> parameters) {
+        if (parameters == null || parameters.isEmpty()) {
+            return "{}";
+        }
+        JsonObject obj = new JsonObject();
+        for (Map.Entry<String, Object> entry : parameters.entrySet()) {
+            obj.addProperty(entry.getKey(),
+                    entry.getValue() != null ? entry.getValue().toString() : "");
+        }
+        return new Gson().toJson(obj);
+    }
+
+    // ---- Script file resolution ----
+
+    /**
+     * Resolves the executable script file from the given extension.
+     *
+     * <p>Lookup order (first match wins):</p>
+     * <ol>
+     *   <li>{@code <extensionPath>/<extensionName>.sh} — preferred convention,
+     *       e.g. for an extension named {@code network-extension} the script is
+     *       {@code network-extension.sh}.</li>
+     *   <li>{@code <extensionPath>} itself, if it is a file and is executable.</li>
+     * </ol>
+     */
+    protected File resolveScriptFile(Network network, Extension extension) {
+        Long physicalNetworkId = network.getPhysicalNetworkId();
+        if (physicalNetworkId == null) {
+            throw new CloudRuntimeException("Network " + network.getId() + " has no physical network");
+        }
+        if (extension == null) {
+            throw new CloudRuntimeException(
+                    "No NetworkOrchestrator extension found for network " + network.getId()
+                    + " on physical network " + physicalNetworkId);
+        }
+        if (!Extension.Type.NetworkOrchestrator.equals(extension.getType())) {
+            throw new CloudRuntimeException("Extension " + extension.getName() + " is not of type NetworkOrchestrator");
+        }
+        if (!Extension.State.Enabled.equals(extension.getState())) {
+            throw new CloudRuntimeException("Extension " + extension.getName() + " is not enabled");
+        }
+        if (!extension.isPathReady()) {
+            throw new CloudRuntimeException("Extension " + extension.getName() + " path is not ready");
+        }
+
+        String extensionPath = extensionHelper.getExtensionScriptPath(extension);
+        if (extensionPath == null) {
+            throw new CloudRuntimeException("Could not resolve path for extension " + extension.getName());
+        }
+
+        File extensionDir = new File(extensionPath);
+
+        // <extensionPath>/<extensionName>.sh  (preferred convention)
+        File namedScript = new File(extensionDir, extension.getName() + ".sh");
+        if (namedScript.exists() && namedScript.canExecute()) {
+            return namedScript;
+        }
+        // <extensionPath> itself is the script file
+        if (extensionDir.isFile() && extensionDir.canExecute()) {
+            return extensionDir;
+        }
+
+        throw new CloudRuntimeException(
+                "No executable script found in extension path " + extensionPath
+                + ". Expected '" + extension.getName() + ".sh' inside the extension directory.");
+    }
+
+    // ---- Helpers ----
+
+    private String getVlanId(Network network) {
+        return network.getBroadcastUri() != null
+                ? Networks.BroadcastDomainType.getValue(network.getBroadcastUri()) : null;
+    }
+
+    private String getIpAddress(Long ipAddressId) {
+        if (ipAddressId == null) {
+            return "";
+        }
+        IpAddress ip = networkModel.getIp(ipAddressId);
+        return ip != null ? ip.getAddress().addr() : "";
+    }
+
+    private String getPublicCidr(Long ipAddressId) {
+        if (ipAddressId == null) {
+            return "";
+        }
+        IpAddress ip = networkModel.getIp(ipAddressId);
+        if (ip.getAddress() == null) {
+            return "";
+        }
+        VlanVO vlan = vlanDao.findById(ip.getVlanId());
+        return buildCidrFromIpAndNetmask(ip.getAddress().addr(), vlan.getVlanNetmask());
+    }
+
+    private String getPublicVlanTag(Long ipAddressId) {
+        if (ipAddressId == null) {
+            return "";
+        }
+        IpAddress ip = networkModel.getIp(ipAddressId);
+        if (ip == null) {
+            return "";
+        }
+        VlanVO vlan = vlanDao.findById(ip.getVlanId());
+        return vlan != null ? safeStr(vlan.getVlanTag()) : "";
+    }
+
+    private String safeStr(String value) {
+        return value != null ? value : "";
+    }
+
+    // ---- DhcpServiceProvider ----
+
+    private String getNetworkDns(final Network network) {
+        final DataCenter dc = dataCenterDao.findById(network.getDataCenterId());
+        Pair<String, String> dnsList = networkModel.getNetworkIp4Dns(network, dc);
+        return dnsList.first() + (dnsList.second() != null ? "," + dnsList.second() : "");
+    }
+
+    @Override
+    public boolean addDhcpEntry(Network network, NicProfile nic, VirtualMachineProfile vm,
+            DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        if (!canHandle(network, Service.Dhcp)) {
+            return false;
+        }
+        String extensionIp = ensureExtensionIp(network);
+        logger.debug("addDhcpEntry: network={} mac={} ip={}", network.getId(),
+                nic.getMacAddress(), nic.getIPv4Address());
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--mac");          args.add(safeStr(nic.getMacAddress()));
+        args.add("--ip");           args.add(safeStr(nic.getIPv4Address()));
+        args.add("--hostname");     args.add(safeStr(vm.getHostName()));
+        args.add("--gateway");      args.add(safeStr(network.getGateway()));
+        args.add("--cidr");         args.add(safeStr(network.getCidr()));
+        args.add("--dns");          args.add(safeStr(getNetworkDns(network)));
+        args.add("--default-nic");  args.add(String.valueOf(nic.isDefaultNic()));
+        args.add("--domain");       args.add(safeStr(network.getNetworkDomain()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "add-dhcp-entry", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean configDhcpSupportForSubnet(Network network, NicProfile nic, VirtualMachineProfile vm,
+            DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        if (!canHandle(network, Service.Dhcp)) {
+            return false;
+        }
+        logger.debug("configDhcpSupportForSubnet: network={}", network.getId());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--gateway");      args.add(safeStr(network.getGateway()));
+        args.add("--cidr");         args.add(safeStr(network.getCidr()));
+        args.add("--dns");          args.add(safeStr(getNetworkDns(network)));
+        args.add("--vlan");         args.add(safeStr(getVlanId(network)));
+        args.add("--domain");       args.add(safeStr(network.getNetworkDomain()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "config-dhcp-subnet", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean removeDhcpSupportForSubnet(Network network) throws ResourceUnavailableException {
+        if (!canHandle(network, Service.Dhcp)) {
+            return false;
+        }
+        logger.debug("removeDhcpSupportForSubnet: network={}", network.getId());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "remove-dhcp-subnet", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean setExtraDhcpOptions(Network network, long nicId, Map<Integer, String> dhcpOptions) {
+        if (!canHandle(network, Service.Dhcp)) {
+            return false;
+        }
+        if (dhcpOptions == null || dhcpOptions.isEmpty()) {
+            return true;
+        }
+        logger.debug("setExtraDhcpOptions: network={} nicId={} options={}", network.getId(), nicId, dhcpOptions.size());
+        // Serialise options as a compact JSON object: {"<code>":"<value>", ...}
+        StringBuilder json = new StringBuilder("{");
+        boolean first = true;
+        for (Map.Entry<Integer, String> e : dhcpOptions.entrySet()) {
+            if (!first) json.append(",");
+            json.append("\"").append(e.getKey()).append("\":\"")
+                .append(e.getValue() != null ? e.getValue().replace("\"", "\\\"") : "")
+                .append("\"");
+            first = false;
+        }
+        json.append("}");
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--nic-id");       args.add(String.valueOf(nicId));
+        args.add("--options");      args.add(json.toString());
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        try {
+            return executeScript(network, "set-dhcp-options", args.toArray(new String[0]));
+        } catch (Exception e) {
+            logger.warn("setExtraDhcpOptions failed for network {}: {}", network.getId(), e.getMessage());
+            return false;
+        }
+    }
+
+    @Override
+    public boolean removeDhcpEntry(Network network, NicProfile nic, VirtualMachineProfile vmProfile)
+            throws ResourceUnavailableException {
+        if (!canHandle(network, Service.Dhcp)) {
+            return false;
+        }
+        logger.debug("removeDhcpEntry: network={} mac={} ip={}", network.getId(),
+                nic.getMacAddress(), nic.getIPv4Address());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--mac");          args.add(safeStr(nic.getMacAddress()));
+        args.add("--ip");           args.add(safeStr(nic.getIPv4Address()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "remove-dhcp-entry", args.toArray(new String[0]));
+    }
+
+    // ---- DnsServiceProvider ----
+
+    @Override
+    public boolean addDnsEntry(Network network, NicProfile nic, VirtualMachineProfile vm,
+            DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        if (!canHandle(network, Service.Dns)) {
+            return false;
+        }
+        String hostname = vm.getHostName();
+        logger.debug("addDnsEntry: network={} hostname={} ip={}", network.getId(),
+                hostname, nic.getIPv4Address());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--ip");           args.add(safeStr(nic.getIPv4Address()));
+        args.add("--hostname");     args.add(safeStr(hostname));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "add-dns-entry", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean configDnsSupportForSubnet(Network network, NicProfile nic, VirtualMachineProfile vm,
+            DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        if (!canHandle(network, Service.Dns)) {
+            return false;
+        }
+        logger.debug("configDnsSupportForSubnet: network={}", network.getId());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--gateway");      args.add(safeStr(network.getGateway()));
+        args.add("--cidr");         args.add(safeStr(network.getCidr()));
+        args.add("--dns");          args.add(safeStr(getNetworkDns(network)));
+        args.add("--vlan");         args.add(safeStr(getVlanId(network)));
+        args.add("--domain");       args.add(safeStr(network.getNetworkDomain()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "config-dns-subnet", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean removeDnsSupportForSubnet(Network network) throws ResourceUnavailableException {
+        if (!canHandle(network, Service.Dns)) {
+            return false;
+        }
+        logger.debug("removeDnsSupportForSubnet: network={}", network.getId());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "remove-dns-subnet", args.toArray(new String[0]));
+    }
+
+    // ---- UserDataServiceProvider ----
+
+    @Override
+    public boolean addPasswordAndUserdata(Network network, NicProfile nic, VirtualMachineProfile profile,
+            DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, InsufficientCapacityException, ResourceUnavailableException {
+        if (!canHandle(network, Service.UserData)) {
+            return false;
+        }
+
+        VirtualMachine vm = profile.getVirtualMachine();
+
+        // SSH public key from VM instance details
+        String sshPublicKey = null;
+        try {
+            VMInstanceDetailVO sshKeyDetail = vmInstanceDetailsDao.findDetail(profile.getId(), VmDetailConstants.SSH_PUBLIC_KEY);
+            if (sshKeyDetail != null) {
+                sshPublicKey = sshKeyDetail.getValue();
+            }
+        } catch (Exception e) {
+            logger.debug("Could not fetch SSH public key for VM {}: {}", profile.getId(), e.getMessage());
+        }
+
+        // Service offering display name
+        String serviceOfferingName = "";
+        try {
+            serviceOfferingName = profile.getServiceOffering().getDisplayText();
+        } catch (Exception e) {
+            logger.debug("Could not fetch service offering for VM {}: {}", profile.getId(), e.getMessage());
+        }
+
+        // Is Windows guest?
+        boolean isWindows = false;
+        try {
+            isWindows = guestOSCategoryDao
+                    .findById(guestOSDao.findById(vm.getGuestOSId()).getCategoryId())
+                    .getName().equalsIgnoreCase("Windows");
+        } catch (Exception e) {
+            logger.debug("Could not determine OS type for VM {}: {}", profile.getId(), e.getMessage());
+        }
+
+        // Hypervisor hostname – prefer dest host, fall back to current host
+        String destHostname = null;
+        try {
+            if (dest != null && dest.getHost() != null) {
+                destHostname = VirtualMachineManager.getHypervisorHostname(dest.getHost().getName());
+            } else if (vm.getHostId() != null) {
+                destHostname = VirtualMachineManager.getHypervisorHostname(
+                        hostDao.findById(vm.getHostId()).getName());
+            }
+        } catch (Exception e) {
+            logger.debug("Could not resolve hypervisor hostname for VM {}: {}", profile.getId(), e.getMessage());
+        }
+
+        // Password from the VM profile parameter (set by UserVmManager before deployment)
+        String password = (String) profile.getParameter(VirtualMachineProfile.Param.VmPassword);
+
+        // Use this NIC's IP — the metadata server in each namespace identifies requesters
+        // by REMOTE_ADDR, which will be the VM's IP on THIS network (not necessarily the
+        // default NIC IP), so we always key metadata by the NIC's IP on this network.
+        String nicIpAddress = nic.getIPv4Address();
+
+        logger.debug("addPasswordAndUserdata: network={} ip={} hasPassword={} hasSshKey={}",
+                network.getId(), nicIpAddress,
+                password != null && !password.isEmpty(),
+                sshPublicKey != null && !sshPublicKey.isEmpty());
+
+        final UserVmVO userVm = userVmDao.findById(vm.getId());
+        if (userVm == null) {
+            throw new CloudRuntimeException("Could not find UserVmVO for VM " + vm.getId());
+        }
+
+        // Generate the full metadata set (userdata, meta-data/*, password) in one go
+        List<String[]> vmData = networkModel.generateVmData(
+                userVm.getUserData(),
+                userVm.getUserDataDetails(),
+                serviceOfferingName,
+                vm.getDataCenterId(),
+                profile.getInstanceName(),
+                profile.getHostName(),
+                profile.getId(),
+                profile.getUuid(),
+                nicIpAddress,
+                sshPublicKey,
+                password,
+                isWindows,
+                destHostname);
+
+        if (vmData == null || vmData.isEmpty()) {
+            logger.debug("addPasswordAndUserdata: no VM data generated for network={} ip={}", network.getId(), nicIpAddress);
+            return true;
+        }
+
+        // Serialise vmData as JSON array.
+        // For the userdata entry CloudStack stores user-data base64-encoded; decode it so the
+        // wrapper writes the actual bytes. All other fields are plain strings. In both cases we
+        // then re-encode with Base64 so the single --vm-data argument is shell-safe.
+        StringBuilder json = new StringBuilder("[");
+        boolean first = true;
+        for (String[] entry : vmData) {
+            String dir     = entry[NetworkModel.CONFIGDATA_DIR];
+            String file    = entry[NetworkModel.CONFIGDATA_FILE];
+            String content = entry.length > NetworkModel.CONFIGDATA_CONTENT
+                    ? entry[NetworkModel.CONFIGDATA_CONTENT] : null;
+            if (content == null) content = "";
+
+            byte[] contentBytes;
+            if (NetworkModel.USERDATA_DIR.equals(dir) && NetworkModel.USERDATA_FILE.equals(file)) {
+                // user-data is stored as base64 in CloudStack DB; decode it for the wrapper
+                try {
+                    contentBytes = Base64.getDecoder().decode(content);
+                } catch (Exception e) {
+                    contentBytes = content.getBytes(StandardCharsets.UTF_8);
+                }
+            } else {
+                contentBytes = content.getBytes(StandardCharsets.UTF_8);
+            }
+
+            if (!first) json.append(",");
+            first = false;
+            json.append("{\"dir\":\"").append(jsonEscape(dir))
+                .append("\",\"file\":\"").append(jsonEscape(file))
+                .append("\",\"content\":\"")
+                .append(Base64.getEncoder().encodeToString(contentBytes))
+                .append("\"}");
+        }
+        json.append("]");
+
+        // Wrap the entire JSON as base64 to avoid any shell quoting / escaping issues
+        String vmDataArg = Base64.getEncoder().encodeToString(
+                json.toString().getBytes(StandardCharsets.UTF_8));
+
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--ip");           args.add(safeStr(nicIpAddress));
+        args.add("--gateway");      args.add(safeStr(nic.getIPv4Gateway()));
+        args.add("--extension-ip"); args.add(safeStr(ensureExtensionIp(network)));
+        args.addAll(getVpcIdArgs(network));
+        return executeScriptWithFilePayload(network, "save-vm-data", "--vm-data-file",
+                vmDataArg, args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean savePassword(Network network, NicProfile nic, VirtualMachineProfile vm)
+            throws ResourceUnavailableException {
+        if (!canHandle(network, Service.UserData)) {
+            return false;
+        }
+        String password = (String) vm.getParameter(VirtualMachineProfile.Param.VmPassword);
+        if (password == null || password.isEmpty()) {
+            return true;
+        }
+        logger.debug("savePassword: network={} ip={}", network.getId(), nic.getIPv4Address());
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--ip");           args.add(safeStr(nic.getIPv4Address()));
+        args.add("--gateway");      args.add(safeStr(nic.getIPv4Gateway()));
+        args.add("--password");     args.add(password);
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "save-password", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean saveUserData(Network network, NicProfile nic, VirtualMachineProfile vm)
+            throws ResourceUnavailableException {
+        if (!canHandle(network, Service.UserData)) {
+            return false;
+        }
+        String userData = null;
+        if (vm.getVirtualMachine() instanceof UserVm) {
+            userData = ((UserVm) vm.getVirtualMachine()).getUserData();
+        }
+        if (userData == null || userData.isEmpty()) {
+            return true;
+        }
+        logger.debug("saveUserData: network={} ip={}", network.getId(), nic.getIPv4Address());
+        // userData is stored as base64; pass it directly so the script can decode it
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--ip");           args.add(safeStr(nic.getIPv4Address()));
+        args.add("--gateway");      args.add(safeStr(nic.getIPv4Gateway()));
+        args.add("--userdata");     args.add(userData);
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "save-userdata", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean saveSSHKey(Network network, NicProfile nic, VirtualMachineProfile vm,
+            String sshPublicKey) throws ResourceUnavailableException {
+        if (!canHandle(network, Service.UserData)) {
+            return false;
+        }
+        if (sshPublicKey == null || sshPublicKey.isEmpty()) {
+            return true;
+        }
+        logger.debug("saveSSHKey: network={} ip={}", network.getId(), nic.getIPv4Address());
+        // Encode SSH key as base64 to safely pass via CLI
+        String sshKeyBase64 = Base64.getEncoder().encodeToString(sshPublicKey.getBytes(java.nio.charset.StandardCharsets.UTF_8));
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(network.getId()));
+        args.add("--ip");           args.add(safeStr(nic.getIPv4Address()));
+        args.add("--gateway");      args.add(safeStr(nic.getIPv4Gateway()));
+        args.add("--sshkey");       args.add(sshKeyBase64);
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "save-sshkey", args.toArray(new String[0]));
+    }
+
+    @Override
+    public boolean saveHypervisorHostname(NicProfile nic, Network network, VirtualMachineProfile vm,
+            DeployDestination dest) throws ResourceUnavailableException {
+        if (!canHandle(network, Service.UserData)) {
+            return false;
+        }
+        String hostname = dest != null && dest.getHost() != null ? dest.getHost().getName() : null;
+        if (hostname == null || hostname.isEmpty()) {
+            return true;
+        }
+        logger.debug("saveHypervisorHostname: network={} ip={} host={}", network.getId(),
+                nic.getIPv4Address(), hostname);
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");          args.add(String.valueOf(network.getId()));
+        args.add("--ip");                  args.add(safeStr(nic.getIPv4Address()));
+        args.add("--gateway");             args.add(safeStr(nic.getIPv4Gateway()));
+        args.add("--hypervisor-hostname"); args.add(hostname);
+        args.add("--extension-ip");        args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(network));
+        return executeScript(network, "save-hypervisor-hostname", args.toArray(new String[0]));
+    }
+
+    // ---- LoadBalancingServiceProvider ----
+
+    @Override
+    public boolean applyLBRules(Network network, List<LoadBalancingRule> rules)
+            throws ResourceUnavailableException {
+        if (rules == null || rules.isEmpty()) {
+            return true;
+        }
+        if (!canHandle(network, Service.Lb)) {
+            return false;
+        }
+        logger.info("Applying {} LB rules for network {}", rules.size(), network.getId());
+        String vlanId = getVlanId(network);
+        List<String> vpcArgs = getVpcIdArgs(network);
+
+        // Serialise all rules as a JSON array and pass as a single --lb-rules argument
+        StringBuilder json = new StringBuilder("[");
+        boolean firstRule = true;
+        for (LoadBalancingRule rule : rules) {
+            if (!firstRule) json.append(",");
+            firstRule = false;
+            boolean revoke = rule.getState() == FirewallRule.State.Revoke;
+            json.append("{");
+            json.append("\"id\":").append(rule.getId()).append(",");
+            json.append("\"name\":\"").append(jsonEscape(rule.getName())).append("\",");
+            json.append("\"publicIp\":\"").append(jsonEscape(rule.getSourceIp() != null ? rule.getSourceIp().addr() : "")).append("\",");
+            json.append("\"publicPort\":").append(rule.getSourcePortStart()).append(",");
+            json.append("\"privatePort\":").append(rule.getDefaultPortStart()).append(",");
+            json.append("\"protocol\":\"").append(jsonEscape(safeStr(rule.getProtocol()))).append("\",");
+            json.append("\"algorithm\":\"").append(jsonEscape(safeStr(rule.getAlgorithm()))).append("\",");
+            json.append("\"revoke\":").append(revoke).append(",");
+            json.append("\"backends\":[");
+            if (rule.getDestinations() != null) {
+                boolean firstDest = true;
+                for (LoadBalancingRule.LbDestination dest : rule.getDestinations()) {
+                    if (!firstDest) json.append(",");
+                    firstDest = false;
+                    json.append("{");
+                    json.append("\"ip\":\"").append(jsonEscape(dest.getIpAddress())).append("\",");
+                    json.append("\"port\":").append(dest.getDestinationPortStart()).append(",");
+                    json.append("\"revoked\":").append(dest.isRevoked());
+                    json.append("}");
+                }
+            }
+            json.append("]");
+            json.append("}");
+        }
+        json.append("]");
+
+        List<String> args = new ArrayList<>();
+        args.add("--network-id"); args.add(String.valueOf(network.getId()));
+        args.add("--vlan");       args.add(safeStr(vlanId));
+        args.add("--lb-rules");   args.add(json.toString());
+        args.addAll(vpcArgs);
+        boolean result = executeScript(network, "apply-lb-rules", args.toArray(new String[0]));
+        if (!result) {
+            throw new ResourceUnavailableException("Failed to apply LB rules for network " + network.getId(),
+                    Network.class, network.getId());
+        }
+        return true;
+    }
+
+    @Override
+    public boolean validateLBRule(Network network, LoadBalancingRule rule) {
+        // Delegate validation to the external script; accept by default
+        return true;
+    }
+
+    @Override
+    public List<LoadBalancerTO> updateHealthChecks(Network network,
+                                                   List<LoadBalancingRule> lbrules) {
+        // Health-check state updates are not implemented via this path
+        return new ArrayList<>();
+    }
+
+    @Override
+    public boolean handlesOnlyRulesInTransitionState() {
+        return false;
+    }
+
+    /** Escapes a string for embedding in a JSON string literal. */
+    private static String jsonEscape(String s) {
+        if (s == null) return "";
+        return s.replace("\\", "\\\\").replace("\"", "\\\"").replace("\n", "\\n").replace("\r", "\\r");
+    }
+
+    @Override
+    public IpDeployer getIpDeployer(Network network) {
+        // This element itself implements IpDeployer; return this instance.
+        return this;
+    }
+
+    @Override
+    public boolean rollingRestartSupported() {
+        return false;
+    }
+
+    /**
+     * Applies all active firewall rules for a network to the external network device.
+     *
+     * <p>Three categories of rules are handled:</p>
+     * <ol>
+     *   <li><b>Egress rules</b> ({@link FirewallRule.TrafficType#Egress}) — control outbound
+     *       traffic from guest VMs.  The network offering's {@code egressDefaultPolicy} flag
+     *       is consulted:
+     *       <ul>
+     *         <li>{@code true}  (ALLOW by default) — each egress rule becomes a DROP rule;
+     *             a catch-all ACCEPT is appended at the end.</li>
+     *         <li>{@code false} (DENY by default) — each egress rule becomes an ACCEPT rule;
+     *             a catch-all DROP is appended at the end.</li>
+     *       </ul>
+     *   </li>
+     *   <li><b>Ingress rules</b> ({@link FirewallRule.TrafficType#Ingress}) on public IPs
+     *       (static NAT, port-forwarding, LB, …) — control inbound access to a specific
+     *       public IP.  The wrapper script uses {@code conntrack --ctorigdst} to match the
+     *       original pre-DNAT destination, so no private-IP lookup is required and all
+     *       DNAT-based services (static-NAT, port-forwarding, LB) are handled uniformly.</li>
+     *   <li><b>Default egress policy</b> — always conveyed via the JSON payload so the
+     *       script can enforce it even when the explicit rule list is empty.</li>
+     * </ol>
+     *
+     * <p><b>Full-state rebuild semantics:</b>
+     * {@code applyFWRules} is called with a <em>narrow</em> scope — the firewall manager
+     * passes only the rules for one public IP ({@code applyIngressFirewallRules}) or only
+     * the egress rules ({@code applyEgressFirewallRules}) per call.  The script, however,
+     * rebuilds the entire firewall chain from scratch each time it runs.  To avoid wiping
+     * the rules for other IPs on every call, this method ignores the {@code rules} parameter
+     * and instead queries the database for <em>all</em> active (non-revoked, non-System)
+     * {@link FirewallRule.Purpose#Firewall} rules for the network.</p>
+     *
+     * <p>Script command: {@code apply-fw-rules}</p>
+     */
+    @Override
+    public boolean applyFWRules(Network network, List<? extends FirewallRule> rules)
+            throws ResourceUnavailableException {
+        if (!canHandle(network, Service.Firewall)) {
+            return false;
+        }
+
+        // Determine default egress policy from the network offering.
+        // true  = ALLOW (default permissive; explicit rules are deny-rules)
+        // false = DENY  (default restrictive; explicit rules are allow-rules)
+        NetworkOfferingVO offering = networkOfferingDao.findById(network.getNetworkOfferingId());
+        boolean defaultEgressAllow = offering == null || offering.isEgressDefaultPolicy();
+
+        // Load ALL active (non-revoked) firewall rules for this network from the DB.
+        // applyFWRules is called in a narrow scope (only one public IP's ingress rules, or
+        // only egress rules per call), but the script does a full rebuild of the firewall
+        // chain.  Querying the DB ensures every call produces a complete, correct chain.
+        List<FirewallRuleVO> allRules = firewallRulesDao.listByNetworkAndPurposeAndNotRevoked(
+                network.getId(), FirewallRule.Purpose.Firewall);
+        // Skip System-type rules — the default egress policy is already conveyed by
+        // "default_egress_allow".  System rules are transient (not stored in DB), but
+        // guard here anyway in case of future changes.
+        allRules = allRules.stream()
+                .filter(r -> !FirewallRule.FirewallRuleType.System.equals(r.getType()))
+                .collect(Collectors.toList());
+
+        for (FirewallRuleVO r : allRules) {
+            firewallRulesDao.loadSourceCidrs(r);
+            firewallRulesDao.loadDestinationCidrs(r);
+        }
+
+        logger.info("applyFWRules: network={} activeRules={} defaultEgressAllow={}",
+                network.getId(), allRules.size(), defaultEgressAllow);
+
+        // Build JSON payload: { "default_egress_allow": <bool>, "cidr": "...", "rules": [...] }
+        StringBuilder json = new StringBuilder();
+        json.append("{\"default_egress_allow\":").append(defaultEgressAllow).append(",");
+        json.append("\"cidr\":\"").append(jsonEscape(safeStr(network.getCidr()))).append("\",");
+        json.append("\"rules\":[");
+
+        boolean first = true;
+        for (FirewallRuleVO rule : allRules) {
+            if (!first) json.append(",");
+            first = false;
+
+            boolean isEgress = FirewallRule.TrafficType.Egress.equals(rule.getTrafficType());
+
+            json.append("{");
+            json.append("\"id\":").append(rule.getId()).append(",");
+            json.append("\"type\":\"").append(isEgress ? "egress" : "ingress").append("\",");
+            json.append("\"protocol\":\"").append(jsonEscape(safeStr(rule.getProtocol()))).append("\",");
+            if (rule.getSourcePortStart() != null) {
+                json.append("\"portStart\":").append(rule.getSourcePortStart()).append(",");
+            }
+            if (rule.getSourcePortEnd() != null) {
+                json.append("\"portEnd\":").append(rule.getSourcePortEnd()).append(",");
+            }
+            if (rule.getIcmpType() != null) {
+                json.append("\"icmpType\":").append(rule.getIcmpType()).append(",");
+            }
+            if (rule.getIcmpCode() != null) {
+                json.append("\"icmpCode\":").append(rule.getIcmpCode()).append(",");
+            }
+            // For ingress rules include the public IP the rule is associated with.
+            if (!isEgress) {
+                json.append("\"publicIp\":\"")
+                    .append(jsonEscape(getIpAddress(rule.getSourceIpAddressId())))
+                    .append("\",");
+            }
+            // sourceCidrs: for ingress = allowed external source IPs;
+            //              for egress  = allowed VM source IP ranges
+            json.append("\"sourceCidrs\":[");
+            List<String> sourceCidrs = rule.getSourceCidrList();
+            if (sourceCidrs != null && !sourceCidrs.isEmpty()) {
+                boolean firstCidr = true;
+                for (String cidr : sourceCidrs) {
+                    if (!firstCidr) json.append(",");
+                    firstCidr = false;
+                    json.append("\"").append(jsonEscape(cidr)).append("\"");
+                }
+            }
+            json.append("]");
+            // destCidrs: optional destination CIDR filter (meaningful for egress rules)
+            List<String> destCidrs = rule.getDestinationCidrList();
+            json.append(",\"destCidrs\":[");
+            if (destCidrs != null && !destCidrs.isEmpty()) {
+                boolean firstCidr = true;
+                for (String cidr : destCidrs) {
+                    if (!firstCidr) json.append(",");
+                    firstCidr = false;
+                    json.append("\"").append(jsonEscape(cidr)).append("\"");
+                }
+            }
+            json.append("]");
+            json.append("}");
+        }
+        json.append("]}");
+
+        String rulesBase64 = Base64.getEncoder().encodeToString(
+                json.toString().getBytes(StandardCharsets.UTF_8));
+
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");  args.add(String.valueOf(network.getId()));
+        args.add("--vlan");        args.add(safeStr(getVlanId(network)));
+        args.add("--gateway");     args.add(safeStr(network.getGateway()));
+        args.add("--cidr");        args.add(safeStr(network.getCidr()));
+        args.addAll(getVpcIdArgs(network));
+
+        boolean result = executeScriptWithFilePayload(network, "apply-fw-rules", "--fw-rules-file",
+                rulesBase64, args.toArray(new String[0]));
+        if (!result) {
+            throw new ResourceUnavailableException(
+                    "Failed to apply firewall rules for network " + network.getId(),
+                    Network.class, network.getId());
+        }
+        return true;
+    }
+
+    // ---- AggregatedCommandExecutor ----
+
+    /**
+     * Called at the start of a network-restart cycle (before rules are re-programmed).
+     * We have nothing to "start" here — the batch restore is driven by
+     * {@link #completeAggregatedExecution}.
+     */
+    @Override
+    public boolean prepareAggregatedExecution(Network network, DeployDestination dest)
+            throws ResourceUnavailableException {
+        if (!canHandle(network, null)) {
+            return true;
+        }
+        logger.debug("prepareAggregatedExecution: network={}", network.getId());
+        return true;
+    }
+
+    /**
+     * Called after all firewall/NAT/LB rules have been re-applied during a network restart.
+     *
+     * <p>Queries all active User-VM NICs on this network from the database, builds a single
+     * batch JSON payload containing DHCP/DNS/metadata entries for every VM, and sends it to
+     * the wrapper script as a single {@code restore-network} call.  This avoids N script
+     * invocations (one per VM) and instead performs the full restore in one shot.</p>
+     */
+    @Override
+    public boolean completeAggregatedExecution(Network network, DeployDestination dest)
+            throws ResourceUnavailableException {
+        if (!canHandle(network, null)) {
+            return true;
+        }
+
+        logger.info("completeAggregatedExecution: restoring all VM network data for network={}", network.getId());
+
+        boolean dhcpEnabled     = networkModel.areServicesSupportedInNetwork(network.getId(), Service.Dhcp)
+                && networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.Dhcp, getProvider());
+        boolean dnsEnabled      = networkModel.areServicesSupportedInNetwork(network.getId(), Service.Dns)
+                && networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.Dns, getProvider());
+        boolean userdataEnabled = networkModel.areServicesSupportedInNetwork(network.getId(), Service.UserData)
+                && networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.UserData, getProvider());
+
+        if (!dhcpEnabled && !dnsEnabled && !userdataEnabled) {
+            logger.debug("completeAggregatedExecution: no DHCP/DNS/UserData service for network={}, skipping", network.getId());
+            return true;
+        }
+
+        // Query all active User-VM NICs on this network
+        List<NicVO> nics = nicDao.listByNetworkIdAndType(network.getId(), VirtualMachine.Type.User);
+        if (nics == null || nics.isEmpty()) {
+            logger.debug("completeAggregatedExecution: no user VM NICs on network={}, skipping", network.getId());
+            return true;
+        }
+
+        logger.info("completeAggregatedExecution: building batch restore for {} VMs on network={}",
+                nics.size(), network.getId());
+
+        String restoreDataBase64 = buildRestoreNetworkData(network, nics, dhcpEnabled, dnsEnabled, userdataEnabled);
+
+        String extensionIp = ensureExtensionIp(network);
+        List<String> args = new ArrayList<>();
+        args.add("--network-id");    args.add(String.valueOf(network.getId()));
+        args.add("--gateway");       args.add(safeStr(network.getGateway()));
+        args.add("--cidr");          args.add(safeStr(network.getCidr()));
+        args.add("--vlan");          args.add(safeStr(getVlanId(network)));
+        args.add("--extension-ip");  args.add(safeStr(extensionIp));
+        args.add("--dns");           args.add(safeStr(getNetworkDns(network)));
+        args.add("--domain");        args.add(safeStr(network.getNetworkDomain()));
+        args.addAll(getVpcIdArgs(network));
+
+        return executeScriptWithFilePayload(network, "restore-network", "--restore-data-file",
+                restoreDataBase64, args.toArray(new String[0]));
+    }
+
+    /**
+     * Called in the {@code finally} block of the network-restart cycle to clean up any
+     * temporary state created by {@link #prepareAggregatedExecution}.
+     * Nothing to clean up here.
+     */
+    @Override
+    public boolean cleanupAggregatedExecution(Network network, DeployDestination dest)
+            throws ResourceUnavailableException {
+        return true;
+    }
+
+    /**
+     * Builds the base64-encoded JSON payload for {@code restore-network}.
+     *
+     * <p>The JSON structure is:</p>
+     * <pre>
+     * {
+     *   "dhcp_enabled": true,
+     *   "dns_enabled":  true,
+     *   "userdata_enabled": true,
+     *   "vms": [
+     *     {
+     *       "ip":          "10.0.0.10",
+     *       "mac":         "02:00:00:00:00:01",
+     *       "hostname":    "vm-1",
+     *       "default_nic": true,
+     *       "vm_data": [
+     *         { "dir": "userdata", "file": "user-data", "content": "<base64>" },
+     *         { "dir": "meta-data", "file": "instance-id", "content": "<base64>" },
+     *         ...
+     *       ]
+     *     },
+     *     ...
+     *   ]
+     * }
+     * </pre>
+     *
+     * <p>Each {@code vm_data} entry has its {@code content} base64-encoded (the same
+     * encoding used by the per-VM {@code save-vm-data} command), so the wrapper script
+     * can handle both paths with the same decoder.</p>
+     */
+    private String buildRestoreNetworkData(Network network, List<NicVO> nics,
+            boolean dhcpEnabled, boolean dnsEnabled, boolean userdataEnabled) {
+
+        // Precompute service-offering display text keyed by offering ID to avoid repeated DB hits
+        Map<Long, String> offeringNameCache = new HashMap<>();
+
+        StringBuilder json = new StringBuilder("{");
+        json.append("\"dhcp_enabled\":").append(dhcpEnabled).append(",");
+        json.append("\"dns_enabled\":").append(dnsEnabled).append(",");
+        json.append("\"userdata_enabled\":").append(userdataEnabled).append(",");
+        json.append("\"vms\":[");
+
+        boolean firstVm = true;
+        for (NicVO nic : nics) {
+            if (nic.getState() != Nic.State.Reserved && nic.getState() != Nic.State.Allocated) {
+                continue;
+            }
+            if (nic.getIPv4Address() == null || nic.getMacAddress() == null) {
+                continue;
+            }
+
+            Long instanceId = nic.getInstanceId();
+            if (instanceId == null) {
+                continue;
+            }
+
+            UserVmVO userVm = userVmDao.findById(instanceId);
+            if (userVm == null) {
+                continue;
+            }
+
+            // Per-VM data array (only if UserData service is enabled)
+            List<String[]> vmData = null;
+            if (userdataEnabled) {
+                try {
+                    // Service offering display text
+                    String offeringName = offeringNameCache.computeIfAbsent(userVm.getServiceOfferingId(), id -> {
+                        try {
+                            ServiceOfferingVO so = serviceOfferingDao.findById(id);
+                            return so != null ? so.getDisplayText() : "";
+                        } catch (Exception e) {
+                            return "";
+                        }
+                    });
+
+                    // SSH public key
+                    String sshPublicKey = null;
+                    try {
+                        VMInstanceDetailVO sshKeyDetail = vmInstanceDetailsDao.findDetail(instanceId, VmDetailConstants.SSH_PUBLIC_KEY);
+                        if (sshKeyDetail != null) {
+                            sshPublicKey = sshKeyDetail.getValue();
+                        }
+                    } catch (Exception e) {
+                        logger.debug("Could not fetch SSH key for VM {}: {}", instanceId, e.getMessage());
+                    }
+
+                    // Is Windows?
+                    boolean isWindows = false;
+                    try {
+                        isWindows = guestOSCategoryDao
+                                .findById(guestOSDao.findById(userVm.getGuestOSId()).getCategoryId())
+                                .getName().equalsIgnoreCase("Windows");
+                    } catch (Exception ignored) { }
+
+                    // Hypervisor hostname from current host
+                    String destHostname = null;
+                    try {
+                        if (userVm.getHostId() != null) {
+                            destHostname = VirtualMachineManager.getHypervisorHostname(
+                                    hostDao.findById(userVm.getHostId()).getName());
+                        }
+                    } catch (Exception ignored) { }
+
+                    vmData = networkModel.generateVmData(
+                            userVm.getUserData(),
+                            userVm.getUserDataDetails(),
+                            offeringName,
+                            userVm.getDataCenterId(),
+                            userVm.getInstanceName(),
+                            userVm.getHostName(),
+                            userVm.getId(),
+                            userVm.getUuid(),
+                            nic.getIPv4Address(),
+                            sshPublicKey,
+                            null,   // password — not re-issued on restore
+                            isWindows,
+                            destHostname);
+                } catch (Exception e) {
+                    logger.warn("Could not generate vmData for VM {} on network {}: {}", instanceId, network.getId(), e.getMessage());
+                }
+            }
+
+            // Build VM JSON entry
+            if (!firstVm) json.append(",");
+            firstVm = false;
+
+            json.append("{");
+            json.append("\"ip\":\"").append(jsonEscape(nic.getIPv4Address())).append("\",");
+            json.append("\"mac\":\"").append(jsonEscape(nic.getMacAddress())).append("\",");
+            json.append("\"hostname\":\"").append(jsonEscape(safeStr(userVm.getHostName()))).append("\",");
+            json.append("\"default_nic\":").append(nic.isDefaultNic()).append(",");
+            json.append("\"vm_data\":[");
+
+            if (vmData != null && !vmData.isEmpty()) {
+                boolean firstEntry = true;
+                for (String[] entry : vmData) {
+                    String dir     = entry[NetworkModel.CONFIGDATA_DIR];
+                    String file    = entry[NetworkModel.CONFIGDATA_FILE];
+                    String content = entry.length > NetworkModel.CONFIGDATA_CONTENT
+                            ? entry[NetworkModel.CONFIGDATA_CONTENT] : null;
+                    if (content == null) content = "";
+
+                    byte[] contentBytes;
+                    if (NetworkModel.USERDATA_DIR.equals(dir) && NetworkModel.USERDATA_FILE.equals(file)) {
+                        try {
+                            contentBytes = Base64.getDecoder().decode(content);
+                        } catch (Exception e) {
+                            contentBytes = content.getBytes(StandardCharsets.UTF_8);
+                        }
+                    } else {
+                        contentBytes = content.getBytes(StandardCharsets.UTF_8);
+                    }
+
+                    if (!firstEntry) json.append(",");
+                    firstEntry = false;
+                    json.append("{\"dir\":\"").append(jsonEscape(dir))
+                        .append("\",\"file\":\"").append(jsonEscape(file))
+                        .append("\",\"content\":\"")
+                        .append(Base64.getEncoder().encodeToString(contentBytes))
+                        .append("\"}");
+                }
+            }
+
+            json.append("]"); // vm_data
+            json.append("}"); // vm object
+        }
+
+        json.append("]"); // vms
+        json.append("}"); // root
+
+        return Base64.getEncoder().encodeToString(json.toString().getBytes(StandardCharsets.UTF_8));
+    }
+
+    // ---- VpcProvider ----
+
+    /**
+     * Finds the extension + physical-network pair for the given VPC by scanning the
+     * physical networks in the VPC's zone for a registered NetworkOrchestrator extension.
+     * Returns {@code null} when no suitable extension is found.
+     */
+    protected Pair<Long, Extension> resolveExtensionForVpc(Vpc vpc) {
+        List<PhysicalNetworkVO> physNetworks = physicalNetworkDao.listByZone(vpc.getZoneId());
+        if (physNetworks == null || physNetworks.isEmpty()) {
+            return null;
+        }
+        for (PhysicalNetworkVO pn : physNetworks) {
+            Extension ext;
+            if (providerName != null && !providerName.isBlank()) {
+                ext = extensionHelper.getExtensionForPhysicalNetworkAndProvider(pn.getId(), providerName);
+            } else {
+                ext = extensionHelper.getExtensionForPhysicalNetwork(pn.getId());
+            }
+            if (ext != null) {
+                return new Pair<>(pn.getId(), ext);
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Resolves the script file for a VPC-level operation (no network object required).
+     */
+    protected File resolveScriptFileForVpc(Long physicalNetworkId, Extension extension) {
+        if (physicalNetworkId == null) {
+            throw new CloudRuntimeException("No physical network ID for VPC extension");
+        }
+        if (extension == null) {
+            throw new CloudRuntimeException("No extension found for physical network " + physicalNetworkId);
+        }
+        if (!Extension.Type.NetworkOrchestrator.equals(extension.getType())) {
+            throw new CloudRuntimeException("Extension " + extension.getName() + " is not of type NetworkOrchestrator");
+        }
+        if (!Extension.State.Enabled.equals(extension.getState())) {
+            throw new CloudRuntimeException("Extension " + extension.getName() + " is not enabled");
+        }
+        if (!extension.isPathReady()) {
+            throw new CloudRuntimeException("Extension " + extension.getName() + " path is not ready");
+        }
+        String extensionPath = extensionHelper.getExtensionScriptPath(extension);
+        if (extensionPath == null) {
+            throw new CloudRuntimeException("Could not resolve path for extension " + extension.getName());
+        }
+        File extensionDir = new File(extensionPath);
+        File namedScript = new File(extensionDir, extension.getName() + ".sh");
+        if (namedScript.exists() && namedScript.canExecute()) {
+            return namedScript;
+        }
+        if (extensionDir.isFile() && extensionDir.canExecute()) {
+            return extensionDir;
+        }
+        throw new CloudRuntimeException(
+                "No executable script found in extension path " + extensionPath
+                + ". Expected '" + extension.getName() + ".sh'.");
+    }
+
+    /**
+     * Calls {@code ensure-network-device} with VPC-level args (no {@code --network-id}).
+     * The returned JSON is persisted in {@code vpc_details} under key
+     * {@value #NETWORK_DETAIL_EXTENSION_DETAILS}.  VPC tier networks then inherit
+     * these details via {@link #ensureExtensionDetails(Network)}.
+     */
+    protected void ensureExtensionDetails(Vpc vpc) {
+        Map<String, String> stored = vpcDetailsDao.listDetailsKeyPairs(vpc.getId());
+        String currentDetails = stored != null
+                ? stored.getOrDefault(NETWORK_DETAIL_EXTENSION_DETAILS, "{}") : "{}";
+
+        logger.info("Ensuring extension device for VPC {} (current={})", vpc.getId(), currentDetails);
+
+        Pair<Long, Extension> physNetAndExt = resolveExtensionForVpc(vpc);
+        if (physNetAndExt == null) {
+            logger.warn("ensureExtensionDetails(vpc): no extension found for VPC {} zone {}",
+                    vpc.getId(), vpc.getZoneId());
+            return;
+        }
+        Long physicalNetworkId = physNetAndExt.first();
+        Extension extension = physNetAndExt.second();
+        File scriptFile = resolveScriptFileForVpc(physicalNetworkId, extension);
+        String physicalNetworkDetailsJson = buildPhysicalNetworkDetailsJson(physicalNetworkId, extension);
+
+        List<String> cmdLine = new ArrayList<>();
+        cmdLine.add(scriptFile.getAbsolutePath());
+        cmdLine.add("ensure-network-device");
+        cmdLine.add("--vpc-id");
+        cmdLine.add(String.valueOf(vpc.getId()));
+        cmdLine.add("--zone-id");
+        cmdLine.add(String.valueOf(vpc.getZoneId()));
+        cmdLine.add("--current-details");
+        cmdLine.add(currentDetails);
+        cmdLine.add(ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(physicalNetworkDetailsJson);
+        cmdLine.add(ARG_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(currentDetails);
+
+        try {
+            ProcessBuilder pb = new ProcessBuilder(cmdLine);
+            pb.redirectErrorStream(true);
+            Process process = pb.start();
+            String output = new String(process.getInputStream().readAllBytes()).trim();
+            int exitCode = process.waitFor();
+
+            logger.debug("Ensuring VPC network device script: {}", String.join(" ", cmdLine));
+
+            if (exitCode != 0) {
+                logger.warn("ensure-network-device exited {} for VPC {} — keeping current details",
+                        exitCode, vpc.getId());
+                if ("{}".equals(currentDetails)) {
+                    vpcDetailsDao.addDetail(vpc.getId(), NETWORK_DETAIL_EXTENSION_DETAILS, "{}", false);
+                }
+                return;
+            }
+            if (output.isEmpty()) {
+                output = "{}".equals(currentDetails) ? "{}" : currentDetails;
+            }
+            if (!output.equals(currentDetails)) {
+                logger.info("VPC extension device updated for VPC {}: {}", vpc.getId(), output);
+                vpcDetailsDao.addDetail(vpc.getId(), NETWORK_DETAIL_EXTENSION_DETAILS, output, false);
+            } else {
+                logger.debug("VPC extension device unchanged for VPC {}: {}", vpc.getId(), output);
+            }
+        } catch (Exception e) {
+            logger.warn("Failed ensure-network-device for VPC {}: {}", vpc.getId(), e.getMessage());
+            if ("{}".equals(currentDetails)) {
+                vpcDetailsDao.addDetail(vpc.getId(), NETWORK_DETAIL_EXTENSION_DETAILS, "{}", false);
+            }
+        }
+    }
+
+    /**
+     * Returns the per-VPC extension-details JSON from {@code vpc_details}
+     * (returns {@code {}} if not yet set).
+     */
+    private String getVpcExtensionDetailsJson(long vpcId) {
+        Map<String, String> vpcDetails = vpcDetailsDao.listDetailsKeyPairs(vpcId);
+        return vpcDetails != null
+                ? vpcDetails.getOrDefault(NETWORK_DETAIL_EXTENSION_DETAILS, "{}") : "{}";
+    }
+
+    /**
+     * Executes the extension script for a VPC-level command (no tier network required).
+     * Uses VPC-level details from {@code vpc_details}.
+     */
+    protected boolean executeVpcScript(Vpc vpc, String command, String... args) {
+        Pair<Long, Extension> physNetAndExt = resolveExtensionForVpc(vpc);
+        if (physNetAndExt == null) {
+            logger.warn("executeVpcScript: no extension found for VPC {} zone {}", vpc.getId(), vpc.getZoneId());
+            return false;
+        }
+        Long physicalNetworkId = physNetAndExt.first();
+        Extension extension = physNetAndExt.second();
+        File scriptFile = resolveScriptFileForVpc(physicalNetworkId, extension);
+
+        String physicalNetworkDetailsJson = buildPhysicalNetworkDetailsJson(physicalNetworkId, extension);
+        String vpcExtDetailsJson = getVpcExtensionDetailsJson(vpc.getId());
+
+        logger.debug("Physical network details JSON: {}", physicalNetworkDetailsJson);
+        logger.debug("VPC extension details JSON: {}", vpcExtDetailsJson);
+
+        List<String> cmdLine = new ArrayList<>();
+        cmdLine.add(scriptFile.getAbsolutePath());
+        cmdLine.add(command);
+        cmdLine.addAll(Arrays.asList(args));
+        cmdLine.add(ARG_PHYSICAL_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(physicalNetworkDetailsJson);
+        cmdLine.add(ARG_NETWORK_EXTENSION_DETAILS);
+        cmdLine.add(vpcExtDetailsJson);
+
+        logger.debug("Executing VPC extension script: {}", String.join(" ", cmdLine));
+
+        try {
+            ProcessBuilder pb = new ProcessBuilder(cmdLine);
+            pb.redirectErrorStream(true);
+            Process process = pb.start();
+            byte[] output = process.getInputStream().readAllBytes();
+            int exitCode = process.waitFor();
+
+            String outputStr = new String(output).trim();
+            if (!outputStr.isEmpty()) {
+                logger.debug("Script output: {}", outputStr);
+            }
+            if (exitCode != 0) {
+                logger.error("VPC extension script {} failed with exit code {}: {}", command, exitCode, outputStr);
+                return false;
+            }
+            return true;
+        } catch (Exception e) {
+            logger.error("Failed to execute VPC extension script {}: {}", command, e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to execute VPC extension script: " + command, e);
+        }
+    }
+
+    protected PublicIpAddress getVpcSourceNatIp(long vpcId) {
+        final List<IPAddressVO> ips = ipAddressDao.listByAssociatedVpc(vpcId, true);
+        if (ips == null || ips.isEmpty()) {
+            return null;
+        }
+        IPAddressVO selected = null;
+        for (final IPAddressVO ip : ips) {
+            if (ip.getState() != IpAddress.State.Releasing) {
+                selected = ip;
+                break;
+            }
+        }
+        if (selected == null) {
+            selected = ips.get(0);
+        }
+
+        final VlanVO vlan = vlanDao.findById(selected.getVlanId());
+        if (vlan == null) {
+            logger.warn("No VLAN found for VPC source NAT IP {} (vpc={})", selected.getAddress(), vpcId);
+            return null;
+        }
+        return PublicIp.createFromAddrAndVlan(selected, vlan);
+    }
+
+    /**
+     * Implements the VPC by:
+     * <ol>
+     *   <li>Calling {@link #ensureExtensionDetails(Vpc)} to select a host and
+     *       save the VPC-level details (does not use any anchor tier network).</li>
+     *   <li>Calling the script's {@code implement-vpc} command to create the VPC
+     *       namespace and VPC-level networking state.</li>
+     *   <li>Applying VPC source NAT if a source-NAT IP already exists (the script's
+     *       {@code assign-ip} sets up the public veth + SNAT rule for the VPC CIDR).</li>
+     * </ol>
+     */
+    @Override
+    public boolean implementVpc(Vpc vpc, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+
+        // Step 1: Ensure a VPC extension device is selected and details saved at VPC level.
+        ensureExtensionDetails(vpc);
+
+        // Step 2: Create the VPC namespace (no anchor tier network needed).
+        List<String> implArgs = new ArrayList<>();
+        implArgs.add("--vpc-id");  implArgs.add(String.valueOf(vpc.getId()));
+        implArgs.add("--cidr");    implArgs.add(safeStr(vpc.getCidr()));
+
+        // Include source NAT IP if already allocated, so the script can set up the
+        // VPC-level SNAT rule for the entire VPC CIDR.
+        final PublicIpAddress sourceNatIp = getVpcSourceNatIp(vpc.getId());
+        if (sourceNatIp != null) {
+            implArgs.add("--public-ip");      implArgs.add(safeStr(sourceNatIp.getAddress().addr()));
+            implArgs.add("--public-vlan");    implArgs.add(safeStr(getPublicVlanTag(sourceNatIp.getId())));
+            implArgs.add("--public-gateway"); implArgs.add(safeStr(sourceNatIp.getGateway()));
+            implArgs.add("--public-cidr");    implArgs.add(safeStr(getPublicCidr(sourceNatIp.getId())));
+            implArgs.add("--source-nat");     implArgs.add("true");
+        }
+
+        if (!executeVpcScript(vpc, "implement-vpc", implArgs.toArray(new String[0]))) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Shuts down the VPC by:
+     * <ol>
+     *   <li>Calling {@code destroy-network} for each extension-backed VPC tier (removes
+     *       tier resources but preserves the shared VPC namespace).</li>
+     *   <li>Calling {@code shutdown-vpc} to remove the VPC namespace and state after
+     *       all tiers have been cleaned up.</li>
+     * </ol>
+     */
+    @Override
+    public boolean shutdownVpc(Vpc vpc, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        final List<? extends Network> networks = networkModel.listNetworksByVpc(vpc.getId());
+
+        boolean result = true;
+        if (networks != null) {
+            for (final Network network : networks) {
+                if (!canHandle(network, null)) {
+                    continue;
+                }
+
+                final List<String> args = new ArrayList<>();
+                args.add("--network-id"); args.add(String.valueOf(network.getId()));
+                args.add("--vlan");       args.add(safeStr(getVlanId(network)));
+                args.addAll(getVpcIdArgs(network));
+
+                final boolean tierResult = executeScript(network, "destroy-network", args.toArray(new String[0]));
+                result = result && tierResult;
+            }
+        }
+
+        // Remove the VPC namespace and VPC-level details regardless of tier result.
+        List<String> vpcArgs = new ArrayList<>();
+        vpcArgs.add("--vpc-id"); vpcArgs.add(String.valueOf(vpc.getId()));
+        boolean vpcResult = executeVpcScript(vpc, "shutdown-vpc", vpcArgs.toArray(new String[0]));
+        if (vpcResult) {
+            try {
+                vpcDetailsDao.removeDetail(vpc.getId(), NETWORK_DETAIL_EXTENSION_DETAILS);
+            } catch (Exception e) {
+                logger.warn("Failed to remove VPC extension details for VPC {}: {}", vpc.getId(), e.getMessage());
+            }
+        }
+        result = result && vpcResult;
+
+        return result;
+    }
+
+    @Override
+    public boolean createPrivateGateway(PrivateGateway gateway)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        throw new UnsupportedOperationException("Private gateways are not supported by the network extension element.");
+    }
+
+    /** Private gateways are not supported by the network extension element. */
+    @Override
+    public boolean deletePrivateGateway(PrivateGateway gateway)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        throw new UnsupportedOperationException("Private gateways are not supported by the network extension element.");
+    }
+
+    /** Static routes are not supported by the network extension element. */
+    @Override
+    public boolean applyStaticRoutes(Vpc vpc, List<StaticRouteProfile> routes)
+            throws ResourceUnavailableException {
+        throw new UnsupportedOperationException("Static routes are not supported by the network extension element.");
+    }
+
+    /** ACL items on private gateways are not supported by the network extension element. */
+    @Override
+    public boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules)
+            throws ResourceUnavailableException {
+        throw new UnsupportedOperationException("ACL items on private gateways are not supported by the network extension element.");
+    }
+
+    @Override
+    public boolean updateVpcSourceNatIp(Vpc vpc, IpAddress address) {
+        if (vpc == null || address == null || address.getAddress() == null) {
+            logger.warn("updateVpcSourceNatIp: invalid input (vpc={}, address={})", vpc, address);
+            return false;
+        }
+
+        final List<String> args = new ArrayList<>();
+        final VlanVO vlan = vlanDao.findById(address.getVlanId());
+        args.add("--vpc-id");         args.add(String.valueOf(vpc.getId()));
+        args.add("--cidr");           args.add(safeStr(vpc.getCidr()));
+        args.add("--public-ip");      args.add(safeStr(address.getAddress().addr()));
+        args.add("--public-vlan");    args.add(safeStr(getPublicVlanTag(address.getId())));
+        args.add("--public-gateway"); args.add(vlan != null ? safeStr(vlan.getVlanGateway()) : "");
+        args.add("--public-cidr");    args.add(safeStr(getPublicCidr(address.getId())));
+        args.add("--source-nat");     args.add("true");
+
+        final boolean result = executeVpcScript(vpc, "update-vpc-source-nat-ip", args.toArray(new String[0]));
+        if (!result) {
+            logger.warn("updateVpcSourceNatIp: failed to update source NAT IP for VPC {} to {}",
+                    vpc.getId(), address.getAddress().addr());
+        }
+        return result;
+    }
+
+    /**
+     * Applies VPC network ACL rules for a VPC tier network via the script's
+     * {@code apply-network-acl} command.  Rules are serialised as a Base64-encoded
+     * JSON array and passed via a temporary payload file.
+     *
+     * <p>Script command: {@code apply-network-acl}</p>
+     */
+    @Override
+    public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules)
+            throws ResourceUnavailableException {
+        if (!canHandle(config, Service.NetworkACL)) {
+            return true;
+        }
+
+        // Rebuild the ACL chain from all non-revoked rules.
+        List<? extends NetworkACLItem> activeRules = rules == null ? List.of() :
+                rules.stream()
+                     .filter(r -> r.getState() != NetworkACLItem.State.Revoke)
+                     .collect(Collectors.toList());
+
+        logger.info("applyNetworkACLs: network={} activeRules={}", config.getId(), activeRules.size());
+
+        String aclRulesBase64 = buildAclRulesBase64(activeRules);
+
+        List<String> args = new ArrayList<>();
+        args.add("--network-id"); args.add(String.valueOf(config.getId()));
+        args.add("--vlan");       args.add(safeStr(getVlanId(config)));
+        args.add("--gateway");    args.add(safeStr(config.getGateway()));
+        args.add("--cidr");       args.add(safeStr(config.getCidr()));
+        args.addAll(getVpcIdArgs(config));
+
+        boolean result = executeScriptWithFilePayload(config, "apply-network-acl",
+                "--acl-rules-file", aclRulesBase64, args.toArray(new String[0]));
+        if (!result) {
+            throw new ResourceUnavailableException(
+                    "Failed to apply network ACL rules for network " + config.getId(),
+                    Network.class, config.getId());
+        }
+        return true;
+    }
+
+    /**
+     * Re-applies ACL rules for all extension-backed networks in a VPC after a rule reorder.
+     * Calls {@code apply-network-acl} for each affected network with the full ACL item list.
+     */
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks,
+            List<? extends NetworkACLItem> networkACLItems) {
+        if (networks == null || networks.isEmpty()) {
+            return true;
+        }
+
+        List<? extends NetworkACLItem> activeRules = networkACLItems == null ? List.of() :
+                networkACLItems.stream()
+                               .filter(r -> r.getState() != NetworkACLItem.State.Revoke)
+                               .collect(Collectors.toList());
+
+        boolean result = true;
+        for (Network network : networks) {
+            if (!canHandle(network, Service.NetworkACL)) {
+                continue;
+            }
+            try {
+                String aclRulesBase64 = buildAclRulesBase64(activeRules);
+
+                List<String> args = new ArrayList<>();
+                args.add("--network-id"); args.add(String.valueOf(network.getId()));
+                args.add("--vlan");       args.add(safeStr(getVlanId(network)));
+                args.add("--gateway");    args.add(safeStr(network.getGateway()));
+                args.add("--cidr");       args.add(safeStr(network.getCidr()));
+                args.addAll(getVpcIdArgs(network));
+
+                boolean r = executeScriptWithFilePayload(network, "apply-network-acl",
+                        "--acl-rules-file", aclRulesBase64, args.toArray(new String[0]));
+                result = result && r;
+            } catch (Exception e) {
+                logger.warn("reorderAclRules: failed for network {}: {}", network.getId(), e.getMessage());
+                result = false;
+            }
+        }
+        return result;
+    }
+
+    /**
+     * Serialises a list of {@link NetworkACLItem}s to a Base64-encoded JSON array
+     * suitable for passing to the {@code apply-network-acl} script command.
+     * Rules are sorted by their number (priority order).
+     */
+    private String buildAclRulesBase64(List<? extends NetworkACLItem> rules) {
+        StringBuilder json = new StringBuilder("[");
+        boolean first = true;
+        List<? extends NetworkACLItem> sorted = rules.stream()
+                .sorted(java.util.Comparator.comparingInt(NetworkACLItem::getNumber))
+                .collect(Collectors.toList());
+        for (NetworkACLItem rule : sorted) {
+            if (!first) json.append(",");
+            first = false;
+            json.append("{");
+            json.append("\"number\":").append(rule.getNumber()).append(",");
+            json.append("\"action\":\"").append(rule.getAction().name().toLowerCase()).append("\",");
+            json.append("\"trafficType\":\"").append(rule.getTrafficType().name().toLowerCase()).append("\",");
+            json.append("\"protocol\":\"").append(jsonEscape(safeStr(rule.getProtocol()))).append("\"");
+            if (rule.getSourcePortStart() != null) {
+                json.append(",\"portStart\":").append(rule.getSourcePortStart());
+            }
+            if (rule.getSourcePortEnd() != null) {
+                json.append(",\"portEnd\":").append(rule.getSourcePortEnd());
+            }
+            if (rule.getIcmpType() != null) {
+                json.append(",\"icmpType\":").append(rule.getIcmpType());
+            }
+            if (rule.getIcmpCode() != null) {
+                json.append(",\"icmpCode\":").append(rule.getIcmpCode());
+            }
+            json.append(",\"sourceCidrs\":[");
+            List<String> sourceCidrs = rule.getSourceCidrList();
+            if (sourceCidrs != null && !sourceCidrs.isEmpty()) {
+                boolean firstCidr = true;
+                for (String cidr : sourceCidrs) {
+                    if (!firstCidr) json.append(",");
+                    firstCidr = false;
+                    json.append("\"").append(jsonEscape(cidr)).append("\"");
+                }
+            }
+            json.append("]");
+            json.append("}");
+        }
+        json.append("]");
+        return Base64.getEncoder().encodeToString(
+                json.toString().getBytes(StandardCharsets.UTF_8));
+    }
+}
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/README.md b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/README.md
new file mode 100644
index 000000000000..964677f261b6
--- /dev/null
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/README.md
@@ -0,0 +1,1092 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ -->
+
+# Network Extension Script Protocol
+
+This document describes the complete interface between Apache CloudStack's
+`NetworkExtensionElement` and the external script (Bash, Python, or any
+executable) that implements network services for a custom device.
+
+Any executable that handles the commands listed below can be registered as a
+**NetworkOrchestrator extension** and used as the provider for one or more
+CloudStack network services (DHCP, DNS, UserData, SourceNat, StaticNat,
+PortForwarding, Firewall, Lb, NetworkACL, Gateway).
+
+The reference implementation is the `network-namespace` extension at
+`extensions/network-namespace/`, which uses Linux network namespaces on KVM
+hosts.  Use it as a working example.
+
+---
+
+## Table of Contents
+
+1. [Architecture Overview](#architecture-overview)
+2. [Script Placement Convention](#script-placement-convention)
+3. [CloudStack Setup Steps](#cloudstack-setup-steps)
+4. [Always-present CLI Arguments](#always-present-cli-arguments)
+5. [Shared Arguments Reference](#shared-arguments-reference)
+6. [Command Reference](#command-reference)
+   - [ensure-network-device](#ensure-network-device)
+   - [implement](#implement)
+   - [shutdown](#shutdown)
+   - [destroy](#destroy)
+   - [assign-ip / release-ip](#assign-ip--release-ip)
+   - [add-static-nat / delete-static-nat](#add-static-nat--delete-static-nat)
+   - [add-port-forward / delete-port-forward](#add-port-forward--delete-port-forward)
+   - [apply-fw-rules](#apply-fw-rules)
+   - [add-dhcp-entry / remove-dhcp-entry](#add-dhcp-entry--remove-dhcp-entry)
+   - [config-dhcp-subnet / remove-dhcp-subnet](#config-dhcp-subnet--remove-dhcp-subnet)
+   - [set-dhcp-options](#set-dhcp-options)
+   - [add-dns-entry](#add-dns-entry)
+   - [config-dns-subnet / remove-dns-subnet](#config-dns-subnet--remove-dns-subnet)
+   - [save-vm-data](#save-vm-data)
+   - [save-password](#save-password)
+   - [save-userdata](#save-userdata)
+   - [save-sshkey](#save-sshkey)
+   - [save-hypervisor-hostname](#save-hypervisor-hostname)
+   - [apply-lb-rules](#apply-lb-rules)
+   - [restore-network](#restore-network)
+   - [custom-action](#custom-action)
+7. [Service-to-Command Mapping](#service-to-command-mapping)
+8. [Capabilities Configuration](#capabilities-configuration)
+9. [VPC Networks](#vpc-networks)
+10. [Extension IP](#extension-ip)
+11. [Exit Codes](#exit-codes)
+12. [Minimal Script Skeleton](#minimal-script-skeleton)
+
+---
+
+## Architecture Overview
+
+```
+CloudStack Management Server
+        │
+        │  exec  <extension-path>/<ext-name>.sh  <command>  [args...]
+        │        --physical-network-extension-details '{...}'
+        │        --network-extension-details '{...}'
+        ▼
+   Your Script (Bash / Python / Go / …)
+        │
+        │  configures / queries your device:
+        │    • KVM host over SSH
+        │    • SDN controller REST API
+        │    • Hardware appliance CLI
+        │    • Cloud provider API
+        ▼
+   External Network Device
+```
+
+CloudStack calls the script synchronously (blocking process execution) on the
+**management server** for every network event.  The script is responsible for
+translating those events into configuration changes on the actual device.
+
+The script must:
+
+- **Exit 0** on success.
+- **Exit non-zero** on failure (CloudStack will log the error and may retry).
+- For `ensure-network-device` only, **print a single-line JSON object** to
+  stdout (see [ensure-network-device](#ensure-network-device)).
+
+All other commands must produce no output on stdout (any output is logged at
+DEBUG level and ignored).
+
+---
+
+## Script Placement Convention
+
+CloudStack resolves the executable in this order (first match wins):
+
+1. **`<extensionPath>/<extensionName>.sh`** — preferred convention.
+   Example: extension named `my-sdn` → script at
+   `.../my-sdn/my-sdn.sh`.
+2. **`<extensionPath>` itself**, if it is a regular file and is executable.
+
+The `<extensionPath>` is the `path` field returned by `listExtensions` after
+the extension is created.  CloudStack sets it to:
+
+```
+/usr/share/cloudstack-management/extensions/<extensionName>/
+```
+
+> **Tip:** Your script does not have to live on the management server — it can
+> be a thin proxy that SSHes into a remote appliance.  The
+> `network-namespace.sh` entry-point is exactly that: it SSHes into the target
+> KVM host and calls the wrapper script there.
+
+---
+
+## CloudStack Setup Steps
+
+### Step 1 – Create the Extension
+
+```bash
+cmk createExtension \
+    name=my-sdn \
+    type=NetworkOrchestrator \
+    "details[0].key=network.services" \
+    "details[0].value=SourceNat,StaticNat,PortForwarding,Firewall,Lb,Dhcp,Dns,UserData" \
+    "details[1].key=network.service.capabilities" \
+    "details[1].value=$(cat my-sdn-capabilities.json)"
+```
+
+`network.service.capabilities` is a JSON object — see
+[Capabilities Configuration](#capabilities-configuration).
+
+### Step 2 – Deploy the Script
+
+Copy your executable to the path reported by `listExtensions`:
+
+```bash
+SCRIPT_PATH=$(cmk listExtensions name=my-sdn | jq -r '.[0].path')
+# e.g. /usr/share/cloudstack-management/extensions/my-sdn/
+mkdir -p "${SCRIPT_PATH}"
+cp my-sdn.sh "${SCRIPT_PATH}/my-sdn.sh"
+chmod 755    "${SCRIPT_PATH}/my-sdn.sh"
+```
+
+If you have multiple management servers, deploy the script to **every** one.
+
+### Step 3 – Register the Extension to a Physical Network
+
+```bash
+PHYS_ID=$(cmk listPhysicalNetworks | jq -r '.[0].id')
+EXT_ID=$(cmk listExtensions name=my-sdn | jq -r '.[0].id')
+
+cmk registerExtension \
+    id=${EXT_ID} \
+    resourcetype=PhysicalNetwork \
+    resourceid=${PHYS_ID} \
+    "details[0].key=hosts"    "details[0].value=192.168.1.10,192.168.1.11" \
+    "details[1].key=username" "details[1].value=admin" \
+    "details[2].key=password" "details[2].value=s3cr3t"
+```
+
+Any key/value pairs you pass here will be forwarded to every script
+invocation as `--physical-network-extension-details`.  The schema is entirely
+yours — CloudStack treats it as opaque.
+
+### Step 4 – Enable the Network Service Provider
+
+```bash
+NSP_ID=$(cmk listNetworkServiceProviders physicalnetworkid=${PHYS_ID} \
+         name=my-sdn | jq -r '.[0].id')
+cmk updateNetworkServiceProvider id=${NSP_ID} state=Enabled
+```
+
+### Step 5 – Create a Network Offering
+
+```bash
+cmk createNetworkOffering \
+    name="My-SDN-Offering" \
+    displaytext="My SDN network offering" \
+    guestiptype=Isolated \
+    traffictype=GUEST \
+    supportedservices=Dhcp,Dns,UserData,SourceNat,StaticNat,PortForwarding,Firewall,Lb \
+    "serviceProviderList[Dhcp]=my-sdn" \
+    "serviceProviderList[Dns]=my-sdn" \
+    "serviceProviderList[UserData]=my-sdn" \
+    "serviceProviderList[SourceNat]=my-sdn" \
+    "serviceProviderList[StaticNat]=my-sdn" \
+    "serviceProviderList[PortForwarding]=my-sdn" \
+    "serviceProviderList[Firewall]=my-sdn" \
+    "serviceProviderList[Lb]=my-sdn" \
+    "serviceCapabilityList[SourceNat][SupportedSourceNatTypes]=peraccount"
+cmk updateNetworkOffering id=<offering-id> state=Enabled
+```
+
+---
+
+## Always-present CLI Arguments
+
+Every command invocation appends these two named arguments **after** all
+command-specific arguments:
+
+| Argument | Value |
+|---|---|
+| `--physical-network-extension-details` | JSON object — all key/value pairs registered via `registerExtension` **plus** `physicalnetworkname` (auto-enriched by CloudStack). |
+| `--network-extension-details` | JSON object — the per-network opaque blob last written by `ensure-network-device`; `{}` until the first successful call. |
+
+Example call line built by CloudStack:
+
+```
+/usr/share/cloudstack-management/extensions/my-sdn/my-sdn.sh \
+    implement \
+    --network-id 42 \
+    --vlan 100 \
+    --gateway 10.0.0.1 \
+    --cidr 10.0.0.0/24 \
+    --extension-ip 10.0.0.1 \
+    --physical-network-extension-details '{"hosts":"192.168.1.10","username":"admin","password":"s3cr3t","physicalnetworkname":"net1"}' \
+    --network-extension-details '{"host":"192.168.1.10","device_id":"vrf-42"}'
+```
+
+> **Security note:** `password` and `sshkey` values are present verbatim in
+> `--physical-network-extension-details` but are **redacted** in CloudStack
+> log output.  Treat them as secrets; do not log them in your script either.
+
+---
+
+## Shared Arguments Reference
+
+The following arguments appear in multiple commands.  Descriptions apply
+everywhere they are used.
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | CloudStack numeric network ID. |
+| `--vpc-id <N>` | CloudStack numeric VPC ID. Present only for VPC-tier networks. |
+| `--vlan <tag>` | Guest VLAN tag (e.g. `100`). Extracted from the broadcast URI. May be empty for flat networks. |
+| `--gateway <ip>` | Guest network gateway (e.g. `10.0.0.1`). |
+| `--cidr <cidr>` | Guest network CIDR (e.g. `10.0.0.0/24`). |
+| `--extension-ip <ip>` | The IP the extension device uses on the guest side. Equals `--gateway` when SourceNat/Gateway service is provided; otherwise a dedicated allocated IP from the guest subnet (see [Extension IP](#extension-ip)). |
+| `--public-ip <ip>` | A public (floating) IP address. |
+| `--public-cidr <cidr>` | CIDR of the public IP (e.g. `203.0.113.5/24`). |
+| `--public-vlan <tag>` | VLAN tag of the public IP's network segment. |
+| `--public-gateway <ip>` | Gateway of the public IP's network segment. |
+| `--private-ip <ip>` | A VM's private IP address inside the guest network. |
+
+---
+
+## Command Reference
+
+### `ensure-network-device`
+
+**Called:** Before every network operation, automatically by
+`NetworkExtensionElement`.
+
+**Purpose:** Select (or re-validate) the device/host that will handle this
+network.  Perform failover to another host if the current one is unreachable.
+The returned JSON is stored in `network_details` under key `extension.details` and
+forwarded back as `--network-extension-details` on every future call.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | Network ID. |
+| `--vlan <tag>` | Guest VLAN. |
+| `--zone-id <N>` | CloudStack zone ID. |
+| `--vpc-id <N>` | VPC ID (optional). |
+| `--current-details <json>` | Previously stored per-network blob (`{}` on first call). |
+| `--physical-network-extension-details <json>` | Physical network details. |
+| `--network-extension-details <json>` | Same as `--current-details`. |
+
+**Stdout:** A single-line JSON object.  CloudStack stores this verbatim.
+You can put any fields your script needs (host selection, device ID, segment
+ID, namespace name, etc.).
+
+```json
+{"host":"192.168.1.10","device_id":"vrf-42","namespace":"cs-net-42"}
+```
+
+**Exit 0:** JSON written to stdout is persisted.  
+**Exit non-zero:** Existing details are kept unchanged; a warning is logged.
+
+---
+
+### `implement`
+
+**Called:** When a network is implemented (first VM deployed, or network
+restart).
+
+**Purpose:** Create / bring up the network segment on the device: create the
+virtual segment (VRF, namespace, VLAN, …), attach the guest interface, and
+configure the gateway.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | |
+| `--gateway <ip>` | |
+| `--cidr <cidr>` | |
+| `--extension-ip <ip>` | Device's IP on the guest network. |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `shutdown`
+
+**Called:** When a network is shut down (e.g., all VMs removed, before
+deletion).
+
+**Purpose:** Tear down the network segment; release resources.  The
+per-network `extension.details` blob is removed from CloudStack after a successful
+return.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `destroy`
+
+**Called:** When a network is permanently deleted.
+
+**Purpose:** Same as `shutdown`, but called at hard-delete time.  The
+placeholder NIC IP (if any) and the `extension.details` blob are cleaned up
+automatically by CloudStack after a successful return.
+
+**Arguments:** Identical to `shutdown`.
+
+---
+
+### `assign-ip` / `release-ip`
+
+**Called:** When a public IP is associated with or disassociated from a
+network (source NAT, static NAT, PF, LB allocation).
+
+**Purpose:**  
+- `assign-ip` — attach the public IP to the device; add the necessary routing
+  entry so the device can receive traffic for this IP.  
+- `release-ip` — detach the public IP; remove routing.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | Guest VLAN. |
+| `--public-ip <ip>` | The public IP being assigned/released. |
+| `--source-nat <true\|false>` | `true` if this is the source NAT IP. |
+| `--gateway <ip>` | Guest network gateway. |
+| `--cidr <cidr>` | Guest network CIDR. |
+| `--public-gateway <ip>` | Gateway of the public IP's segment. |
+| `--public-cidr <cidr>` | CIDR of the public IP (e.g. `203.0.113.5/24`). |
+| `--public-vlan <tag>` | Public VLAN tag. |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `add-static-nat` / `delete-static-nat`
+
+**Called:** When a static NAT rule is created or deleted
+(`enableStaticNat` / `disableStaticNat` API).
+
+**Purpose:** Configure a 1:1 bidirectional NAT mapping between a public IP
+and a VM private IP.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | |
+| `--public-ip <ip>` | |
+| `--public-cidr <cidr>` | |
+| `--public-vlan <tag>` | |
+| `--private-ip <ip>` | VM's private IP (DNAT destination). |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `add-port-forward` / `delete-port-forward`
+
+**Called:** When a port forwarding rule is created or deleted
+(`createPortForwardingRule` / `deletePortForwardingRule` API).
+
+**Purpose:** Configure a DNAT rule from `public-ip:public-port` to
+`private-ip:private-port`.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | |
+| `--public-ip <ip>` | |
+| `--public-cidr <cidr>` | |
+| `--public-vlan <tag>` | |
+| `--public-port <range>` | Port range on the public IP, e.g. `22` or `8080-8090`. |
+| `--private-ip <ip>` | VM's private IP. |
+| `--private-port <range>` | Destination port range on the VM, e.g. `22`. |
+| `--protocol <tcp\|udp>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `apply-fw-rules`
+
+**Called:** When any firewall rule is created, deleted, or updated for the
+network (`createFirewallRule`, `deleteFirewallRule`, `updateEgressFirewallRule`
+APIs, and during network restart).
+
+**Purpose:** Rebuild the entire firewall policy for the network from scratch.
+CloudStack calls this with a *narrow* scope (one IP's ingress rules or egress
+rules per call), but the `--fw-rules` payload always contains **all** active
+rules for the network, so a full rebuild is always safe.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | |
+| `--gateway <ip>` | |
+| `--cidr <cidr>` | |
+| `--fw-rules <base64>` | Base64-encoded JSON firewall payload (see below). |
+| `--vpc-id <N>` | (optional) |
+
+**`--fw-rules` payload** (decode base64, then parse JSON):
+
+```json
+{
+  "default_egress_allow": true,
+  "cidr": "10.0.0.0/24",
+  "rules": [
+    {
+      "id": 1,
+      "type": "ingress",
+      "protocol": "tcp",
+      "portStart": 22,
+      "portEnd": 22,
+      "publicIp": "203.0.113.5",
+      "sourceCidrs": ["0.0.0.0/0"],
+      "destCidrs": []
+    },
+    {
+      "id": 2,
+      "type": "egress",
+      "protocol": "icmp",
+      "icmpType": -1,
+      "icmpCode": -1,
+      "sourceCidrs": [],
+      "destCidrs": []
+    }
+  ]
+}
+```
+
+| Field | Description |
+|---|---|
+| `default_egress_allow` | `true` = permissive egress by default (explicit rules are deny rules); `false` = restrictive (explicit rules are allow rules). |
+| `cidr` | Guest network CIDR. |
+| `rules[].type` | `"ingress"` or `"egress"`. |
+| `rules[].protocol` | `"tcp"`, `"udp"`, `"icmp"`, `"all"`. |
+| `rules[].portStart` / `portEnd` | TCP/UDP port range (absent for ICMP/all). |
+| `rules[].icmpType` / `icmpCode` | ICMP type/code (`-1` = any; absent for TCP/UDP). |
+| `rules[].publicIp` | For ingress: the public IP the rule applies to. |
+| `rules[].sourceCidrs` | Allowed source IP ranges (ingress: external; egress: VM). |
+| `rules[].destCidrs` | Allowed destination IP ranges (egress only). |
+
+---
+
+### `add-dhcp-entry` / `remove-dhcp-entry`
+
+**Called:** When a VM NIC is reserved (`add`) or released (`remove`) on a
+network whose DHCP service is provided by this extension.
+
+**Purpose:** Add or remove a static DHCP lease for the VM.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--mac <addr>` | VM NIC MAC address, e.g. `02:00:00:00:00:01`. |
+| `--ip <ip>` | VM's assigned IP. |
+| `--hostname <name>` | VM hostname. |
+| `--gateway <ip>` | |
+| `--cidr <cidr>` | |
+| `--dns <list>` | Comma-separated DNS server IPs, e.g. `8.8.8.8,8.8.4.4`. |
+| `--default-nic <bool>` | `true` if this is the VM's default NIC. |
+| `--domain <name>` | Network domain suffix (e.g. `cs.example.com`). |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `config-dhcp-subnet` / `remove-dhcp-subnet`
+
+**Called:** When a shared-network subnet is configured or removed.
+
+**Purpose:** Configure the DHCP scope (pool, gateway, DNS) for a subnet
+without tying it to a specific VM.
+
+**`config-dhcp-subnet` arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--gateway <ip>` | |
+| `--cidr <cidr>` | |
+| `--dns <list>` | |
+| `--vlan <tag>` | |
+| `--domain <name>` | |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+**`remove-dhcp-subnet` arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `set-dhcp-options`
+
+**Called:** When extra DHCP options are set on a NIC
+(`updateNicExtraDhcpOption` API).
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--nic-id <N>` | CloudStack NIC ID. |
+| `--options <json>` | JSON object `{"<dhcp-code>":"<value>", …}`, e.g. `{"15":"example.com","119":"search.example.com"}`. |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `add-dns-entry`
+
+**Called:** When a VM NIC is reserved on a network whose DNS service is
+provided by this extension.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--ip <ip>` | VM's IP. |
+| `--hostname <name>` | VM hostname. |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `config-dns-subnet` / `remove-dns-subnet`
+
+**Called:** When a DNS scope is configured or removed for a subnet.
+
+**`config-dns-subnet` arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--gateway <ip>` | |
+| `--cidr <cidr>` | |
+| `--dns <list>` | |
+| `--vlan <tag>` | |
+| `--domain <name>` | |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+**`remove-dns-subnet` arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `save-vm-data`
+
+**Called:** When a VM is deployed or updated with user data, SSH keys, or
+password on a network whose UserData service is provided by this extension.
+
+**Purpose:** Store the complete cloud-init metadata set (user-data,
+meta-data/*, password) for the VM so the metadata HTTP server can serve it.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--ip <ip>` | VM's IP. |
+| `--gateway <ip>` | |
+| `--vm-data <base64>` | Base64-encoded JSON array of metadata entries (see below). |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+**`--vm-data` payload** (decode base64, then parse JSON):
+
+```json
+[
+  {"dir":"userdata",   "file":"user-data",       "content":"<base64>"},
+  {"dir":"meta-data",  "file":"instance-id",      "content":"<base64>"},
+  {"dir":"meta-data",  "file":"local-hostname",   "content":"<base64>"},
+  {"dir":"meta-data",  "file":"public-keys/0/openssh-key", "content":"<base64>"},
+  {"dir":"password",   "file":"vm_password",      "content":"<base64>"}
+]
+```
+
+Each `content` field is **base64-encoded** binary (raw bytes for user-data;
+UTF-8 text for all others).  Decode `content` before writing to disk.
+
+Your metadata HTTP server should serve each entry at:
+`http://<extension-ip>/latest/<dir>/<file>`
+
+---
+
+### `save-password`
+
+**Called:** When a password reset is requested for a VM
+(`resetPasswordForVirtualMachine` API).
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--ip <ip>` | VM's IP. |
+| `--gateway <ip>` | |
+| `--password <pw>` | Plain-text new password. |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `save-userdata`
+
+**Called:** When a VM's user data is updated
+(`updateVirtualMachine` with `userdata`).
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--ip <ip>` | VM's IP. |
+| `--gateway <ip>` | |
+| `--userdata <base64>` | Base64-encoded raw user-data bytes. |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `save-sshkey`
+
+**Called:** When an SSH public key is reset for a VM
+(`resetSSHKeyForVirtualMachine` API).
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--ip <ip>` | VM's IP. |
+| `--gateway <ip>` | |
+| `--sshkey <base64>` | Base64-encoded SSH public key (UTF-8 text). Decode to get the key string. |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `save-hypervisor-hostname`
+
+**Called:** When a VM is deployed and UserData service is active.
+
+**Purpose:** Store the hypervisor hostname in the metadata so VMs can identify
+which host they run on (cloud-init `availability-zone` / host detection).
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--ip <ip>` | VM's IP. |
+| `--gateway <ip>` | |
+| `--hypervisor-hostname <name>` | Hypervisor node hostname. |
+| `--extension-ip <ip>` | |
+| `--vpc-id <N>` | (optional) |
+
+---
+
+### `apply-lb-rules`
+
+**Called:** When a load balancer rule is created, deleted, or its members
+change (`createLoadBalancerRule`, `deleteLoadBalancerRule`,
+`assignToLoadBalancerRule`, `removeFromLoadBalancerRule` APIs).
+
+**Purpose:** Configure the load balancer on the device: create/update/delete
+virtual server → backend pool mappings.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--vlan <tag>` | |
+| `--lb-rules <json>` | JSON array of LB rules (see below). **Not** base64 encoded. |
+| `--vpc-id <N>` | (optional) |
+
+**`--lb-rules` format:**
+
+```json
+[
+  {
+    "id":          1,
+    "name":        "lb-web",
+    "publicIp":    "203.0.113.5",
+    "publicPort":  80,
+    "privatePort": 8080,
+    "protocol":    "tcp",
+    "algorithm":   "roundrobin",
+    "revoke":      false,
+    "backends": [
+      {"ip": "10.0.0.10", "port": 8080, "revoked": false},
+      {"ip": "10.0.0.11", "port": 8080, "revoked": true}
+    ]
+  }
+]
+```
+
+| Field | Description |
+|---|---|
+| `revoke` | `true` → delete this rule; `false` → create/update. |
+| `backends[].revoked` | `true` → this backend has been removed from the rule. |
+| `algorithm` | `roundrobin`, `leastconn`, or `source`. |
+| `protocol` | `tcp`, `udp`, or `tcp-proxy`. |
+
+---
+
+### `restore-network`
+
+**Called:** During a `restartNetwork(cleanup=true)` or `restartVPC(cleanup=true)`
+operation, after all rules (firewall/NAT/LB) have been re-applied.
+
+**Purpose:** Batch-restore all DHCP leases, DNS entries, and metadata for
+every VM currently on the network in a single call (instead of N per-VM
+calls).
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--gateway <ip>` | |
+| `--cidr <cidr>` | |
+| `--vlan <tag>` | |
+| `--extension-ip <ip>` | |
+| `--dns <list>` | |
+| `--domain <name>` | |
+| `--restore-data <base64>` | Base64-encoded JSON restore payload (see below). |
+| `--vpc-id <N>` | (optional) |
+
+**`--restore-data` payload** (decode base64, then parse JSON):
+
+```json
+{
+  "dhcp_enabled":     true,
+  "dns_enabled":      true,
+  "userdata_enabled": true,
+  "vms": [
+    {
+      "ip":          "10.0.0.10",
+      "mac":         "02:00:00:00:00:01",
+      "hostname":    "vm-1",
+      "default_nic": true,
+      "vm_data": [
+        {"dir": "userdata",  "file": "user-data",    "content": "<base64>"},
+        {"dir": "meta-data", "file": "instance-id",  "content": "<base64>"},
+        {"dir": "meta-data", "file": "local-hostname","content": "<base64>"}
+      ]
+    }
+  ]
+}
+```
+
+Each `vm_data[].content` is **base64-encoded** (same as in `save-vm-data`).
+
+---
+
+### `custom-action`
+
+**Called:** Via the `runNetworkCustomAction` API.
+
+**Purpose:** Allows operators to trigger ad-hoc operations on the device
+without defining new CloudStack API calls.
+
+**Arguments:**
+
+| Argument | Description |
+|---|---|
+| `--network-id <N>` | |
+| `--action <name>` | The action name passed by the operator. |
+| `--action-params <json>` | JSON object with arbitrary key/value parameters. |
+| `--physical-network-extension-details <json>` | |
+| `--network-extension-details <json>` | |
+
+**Stdout:** Returned verbatim to the API caller.
+
+---
+
+## Service-to-Command Mapping
+
+| CloudStack Network Service | Commands triggered |
+|---|---|
+| **SourceNat / Gateway** | `assign-ip`, `release-ip` |
+| **StaticNat** | `add-static-nat`, `delete-static-nat` |
+| **PortForwarding** | `add-port-forward`, `delete-port-forward` |
+| **Firewall** | `apply-fw-rules` |
+| **Lb** | `apply-lb-rules` |
+| **Dhcp** | `add-dhcp-entry`, `remove-dhcp-entry`, `config-dhcp-subnet`, `remove-dhcp-subnet`, `set-dhcp-options` |
+| **Dns** | `add-dns-entry`, `config-dns-subnet`, `remove-dns-subnet` |
+| **UserData** | `save-vm-data`, `save-password`, `save-userdata`, `save-sshkey`, `save-hypervisor-hostname` |
+| *(lifecycle — all)* | `ensure-network-device`, `implement`, `shutdown`, `destroy`, `restore-network` |
+| *(operator)* | `custom-action` |
+
+Your script only needs to implement the commands for the services it declares
+in `network.services`.  All other commands can safely be no-ops (exit 0).
+
+---
+
+## Capabilities Configuration
+
+When creating the extension, set `network.service.capabilities` to a JSON
+object keyed by service name.  The values are capability name → value string
+maps.
+
+```json
+{
+  "SourceNat": {
+    "SupportedSourceNatTypes": "peraccount",
+    "RedundantRouter":         "false"
+  },
+  "StaticNat": {
+    "Supported": "true"
+  },
+  "PortForwarding": {
+    "SupportedProtocols": "tcp,udp"
+  },
+  "Firewall": {
+    "TrafficStatistics":       "per public ip",
+    "SupportedProtocols":      "tcp,udp,icmp",
+    "SupportedEgressProtocols":"tcp,udp,icmp,all",
+    "SupportedTrafficDirection":"ingress,egress",
+    "MultipleIps":             "true"
+  },
+  "Lb": {
+    "SupportedLBAlgorithms":       "roundrobin,leastconn,source",
+    "SupportedLBIsolation":        "dedicated",
+    "SupportedProtocols":          "tcp,udp,tcp-proxy",
+    "SupportedStickinessMethods":  "lbcookie,appsession",
+    "LbSchemes":                   "Public",
+    "SslTermination":              "false",
+    "VmAutoScaling":               "false"
+  },
+  "Dhcp": {
+    "DhcpAccrossMultipleSubnets": "true"
+  },
+  "Dns": {
+    "AllowDnsSuffixModification": "true",
+    "ExternalDns":                "true"
+  },
+  "Gateway": {
+    "RedundantRouter": "false"
+  },
+  "NetworkACL": {
+    "SupportedProtocols": "tcp,udp,icmp"
+  },
+  "UserData": {
+    "Supported": "true"
+  }
+}
+```
+
+Only declare services and capabilities your implementation actually supports.
+
+---
+
+## VPC Networks
+
+For networks that belong to a VPC, `--vpc-id <N>` is appended to every
+command.  Use it to share state across all tiers of the same VPC (e.g., a
+single VRF or namespace per VPC instead of per tier).
+
+In `ensure-network-device`, use `--vpc-id` (when present) as the hash key for
+host selection so all tiers of a VPC always land on the same device.
+
+To use this extension as a VPC provider:
+
+1. Create the NetworkOffering with `useVpc=on`.
+2. Create a VpcOffering with the extension as provider.
+
+---
+
+## Extension IP
+
+`--extension-ip` is the IP the device presents on the guest network side:
+
+- **With SourceNat or Gateway service:** equals `--gateway` (the device is the
+  gateway; no separate IP needed).
+- **Without SourceNat/Gateway** (Dhcp/Dns/UserData only, e.g. a shared network
+  helper): CloudStack allocates a dedicated IP from the guest subnet and passes
+  it.  The device must listen on this IP for DHCP, DNS, and metadata (port 80)
+  requests.
+
+---
+
+## Exit Codes
+
+| Exit code | Meaning |
+|---|---|
+| `0` | Success. |
+| Any non-zero | Failure. CloudStack logs the exit code and script output, and treats the operation as failed. |
+
+For SSH-proxy scripts you may use sub-codes for diagnostics (they are logged
+but not interpreted differently by CloudStack):
+
+| Suggested code | Suggested meaning |
+|---|---|
+| `1` | Usage / configuration error. |
+| `2` | SSH connection / authentication failure. |
+| `3` | Remote script returned non-zero. |
+
+---
+
+## Minimal Script Skeleton
+
+The following Bash skeleton handles all commands and can be used as a starting
+point.  Replace each `TODO` block with your device's API calls.
+
+```bash
+#!/bin/bash
+# my-sdn.sh — CloudStack NetworkOrchestrator extension entry-point
+set -euo pipefail
+
+COMMAND="${1:-}"; shift || true
+
+# Parse arguments into an associative array
+declare -A ARGS
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --*) ARGS["${1#--}"]="${2:-}"; shift 2 ;;
+        *)   shift ;;
+    esac
+done
+
+# Helpers
+phys()    { echo "${ARGS[physical-network-extension-details]:-{}}"; }
+netdetail(){ echo "${ARGS[network-extension-details]:-{}}"; }
+arg()     { echo "${ARGS[$1]:-}"; }
+
+case "${COMMAND}" in
+
+    ensure-network-device)
+        # TODO: check that the device is reachable; select/validate host
+        # Print per-network JSON to stdout (stored by CloudStack)
+        printf '{"device":"%s"}\n' "$(arg hosts | cut -d, -f1)"
+        ;;
+
+    implement)
+        # TODO: create virtual segment (VRF / VLAN / namespace / …)
+        # TODO: configure gateway IP $(arg extension-ip) on $(arg cidr)
+        ;;
+
+    shutdown|destroy)
+        # TODO: tear down the virtual segment
+        ;;
+
+    assign-ip)
+        # TODO: attach public IP $(arg public-ip) to the device
+        ;;
+
+    release-ip)
+        # TODO: remove public IP $(arg public-ip) from the device
+        ;;
+
+    add-static-nat)
+        # TODO: DNAT $(arg public-ip) → $(arg private-ip)
+        ;;
+
+    delete-static-nat)
+        # TODO: remove DNAT for $(arg public-ip)
+        ;;
+
+    add-port-forward)
+        # TODO: DNAT $(arg public-ip):$(arg public-port) → $(arg private-ip):$(arg private-port)
+        ;;
+
+    delete-port-forward)
+        # TODO: remove the port-forwarding DNAT rule
+        ;;
+
+    apply-fw-rules)
+        # TODO: decode base64 --fw-rules, rebuild firewall policy
+        FW_JSON=$(printf '%s' "$(arg fw-rules)" | base64 -d)
+        # parse $FW_JSON and apply to device
+        ;;
+
+    add-dhcp-entry)
+        # TODO: add static lease mac=$(arg mac) ip=$(arg ip)
+        ;;
+
+    remove-dhcp-entry)
+        # TODO: remove static lease for mac=$(arg mac)
+        ;;
+
+    config-dhcp-subnet|remove-dhcp-subnet) ;;
+
+    set-dhcp-options) ;;
+
+    add-dns-entry)
+        # TODO: add A record hostname=$(arg hostname) ip=$(arg ip)
+        ;;
+
+    config-dns-subnet|remove-dns-subnet) ;;
+
+    save-vm-data)
+        # TODO: decode base64 --vm-data; store metadata for ip=$(arg ip)
+        VM_DATA_JSON=$(printf '%s' "$(arg vm-data)" | base64 -d)
+        ;;
+
+    save-password|save-userdata|save-sshkey|save-hypervisor-hostname) ;;
+
+    apply-lb-rules)
+        # TODO: parse --lb-rules JSON; configure load balancer
+        ;;
+
+    restore-network)
+        # TODO: decode base64 --restore-data; rebuild DHCP/DNS/metadata
+        RESTORE_JSON=$(printf '%s' "$(arg restore-data)" | base64 -d)
+        ;;
+
+    custom-action)
+        # TODO: handle $(arg action) with params $(arg action-params)
+        echo "custom action $(arg action) not implemented"
+        exit 1
+        ;;
+
+    *)
+        echo "Unknown command: ${COMMAND}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0
+```
+
+For a full production implementation see https://github.com/apache/cloudstack-extensions/tree/network-namespace/Network-Namespace:
+- `network-namespace.sh` — management-server entry-point (SSH proxy).
+- `enetwork-namespace-wrapper.sh` — KVM-host wrapper that implements all commands using Linux network namespaces.
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionDetailsVO.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionDetailsVO.java
index 535a0f703958..546f33b2a1d4 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionDetailsVO.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionDetailsVO.java
@@ -40,7 +40,7 @@ public class ExtensionDetailsVO implements ResourceDetail {
     @Column(name = "name", nullable = false, length = 255)
     private String name;
 
-    @Column(name = "value", nullable = false, length = 255)
+    @Column(name = "value", nullable = false, length = 4096)
     private String value;
 
     @Column(name = "display")
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionResourceMapDetailsVO.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionResourceMapDetailsVO.java
index 5cb6f7b85114..c2b23f1eee04 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionResourceMapDetailsVO.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/vo/ExtensionResourceMapDetailsVO.java
@@ -40,7 +40,7 @@ public class ExtensionResourceMapDetailsVO implements ResourceDetail {
     @Column(name = "name", nullable = false, length = 255)
     private String name;
 
-    @Column(name = "value", nullable = false, length = 255)
+    @Column(name = "value", nullable = false, length = 4096)
     private String value;
 
     @Column(name = "display")
diff --git a/framework/extensions/src/main/resources/META-INF/cloudstack/core/spring-framework-extensions-core-context.xml b/framework/extensions/src/main/resources/META-INF/cloudstack/core/spring-framework-extensions-core-context.xml
index 9d44d8ff7f3d..ee5e98630140 100644
--- a/framework/extensions/src/main/resources/META-INF/cloudstack/core/spring-framework-extensions-core-context.xml
+++ b/framework/extensions/src/main/resources/META-INF/cloudstack/core/spring-framework-extensions-core-context.xml
@@ -33,4 +33,7 @@
     <bean id="ExtensionsManager" class="org.apache.cloudstack.framework.extensions.manager.ExtensionsManagerImpl" />
     <bean id="ExtensionCustomActionDaoImpl" class="org.apache.cloudstack.framework.extensions.dao.ExtensionCustomActionDaoImpl" />
     <bean id="ExtensionCustomActionDetailsDaoImpl" class="org.apache.cloudstack.framework.extensions.dao.ExtensionCustomActionDetailsDaoImpl" />
+    <bean id="networkExtension" class="org.apache.cloudstack.framework.extensions.network.NetworkExtensionElement">
+        <property name="name" value="NetworkExtension" />
+    </bean>
 </beans>
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmdTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmdTest.java
index 1ca601293a37..fe5979663548 100644
--- a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmdTest.java
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/ListExtensionsCmdTest.java
@@ -18,6 +18,7 @@
 package org.apache.cloudstack.framework.extensions.api;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 import java.util.Arrays;
@@ -89,4 +90,44 @@ public void testGetDetailsWithInvalidValueThrowsException() {
         setPrivateField("details", detailsList);
         cmd.getDetails();
     }
+
+    // -----------------------------------------------------------------------
+    // Tests for new getters: type, resourceId, resourceType
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void testGetTypeReturnsValueWhenSet() {
+        setPrivateField("type", "NetworkOrchestrator");
+        assertEquals("NetworkOrchestrator", cmd.getType());
+    }
+
+    @Test
+    public void testGetTypeReturnsNullWhenUnset() {
+        setPrivateField("type", null);
+        assertNull(cmd.getType());
+    }
+
+    @Test
+    public void testGetResourceIdReturnsValueWhenSet() {
+        setPrivateField("resourceId", "pnet-uuid-123");
+        assertEquals("pnet-uuid-123", cmd.getResourceId());
+    }
+
+    @Test
+    public void testGetResourceIdReturnsNullWhenUnset() {
+        setPrivateField("resourceId", null);
+        assertNull(cmd.getResourceId());
+    }
+
+    @Test
+    public void testGetResourceTypeReturnsValueWhenSet() {
+        setPrivateField("resourceType", "PhysicalNetwork");
+        assertEquals("PhysicalNetwork", cmd.getResourceType());
+    }
+
+    @Test
+    public void testGetResourceTypeReturnsNullWhenUnset() {
+        setPrivateField("resourceType", null);
+        assertNull(cmd.getResourceType());
+    }
 }
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateRegisteredExtensionCmdTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateRegisteredExtensionCmdTest.java
new file mode 100644
index 000000000000..023820237f47
--- /dev/null
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateRegisteredExtensionCmdTest.java
@@ -0,0 +1,160 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.framework.extensions.api;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.EnumSet;
+import java.util.Map;
+
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ExtensionResponse;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.framework.extensions.manager.ExtensionsManager;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import com.cloud.user.Account;
+
+public class UpdateRegisteredExtensionCmdTest {
+
+    private UpdateRegisteredExtensionCmd cmd;
+    private ExtensionsManager extensionsManager;
+
+    @Before
+    public void setUp() {
+        cmd = Mockito.spy(new UpdateRegisteredExtensionCmd());
+        extensionsManager = mock(ExtensionsManager.class);
+        ReflectionTestUtils.setField(cmd, "extensionsManager", extensionsManager);
+    }
+
+    @Test
+    public void extensionIdReturnsNullWhenUnset() {
+        ReflectionTestUtils.setField(cmd, "extensionId", null);
+        assertNull(cmd.getExtensionId());
+    }
+
+    @Test
+    public void extensionIdReturnsValueWhenSet() {
+        Long extensionId = 42L;
+        ReflectionTestUtils.setField(cmd, "extensionId", extensionId);
+        assertEquals(extensionId, cmd.getExtensionId());
+    }
+
+    @Test
+    public void cleanupDetailsReturnsNullWhenUnset() {
+        ReflectionTestUtils.setField(cmd, "cleanupDetails", null);
+        assertNull(cmd.isCleanupDetails());
+    }
+
+    @Test
+    public void cleanupDetailsReturnsTrueWhenSet() {
+        ReflectionTestUtils.setField(cmd, "cleanupDetails", true);
+        assertTrue(cmd.isCleanupDetails());
+    }
+
+    @Test
+    public void cleanupDetailsReturnsFalseWhenSetToFalse() {
+        ReflectionTestUtils.setField(cmd, "cleanupDetails", false);
+        assertFalse(cmd.isCleanupDetails());
+    }
+
+    @Test
+    public void getEntityOwnerIdReturnsSystemAccountId() {
+        assertEquals(Account.ACCOUNT_ID_SYSTEM, cmd.getEntityOwnerId());
+    }
+
+    @Test
+    public void getApiResourceTypeReturnsExtension() {
+        assertEquals(ApiCommandResourceType.Extension, cmd.getApiResourceType());
+    }
+
+    @Test
+    public void getApiResourceIdReturnsExtensionId() {
+        Long extensionId = 99L;
+        ReflectionTestUtils.setField(cmd, "extensionId", extensionId);
+        assertEquals(extensionId, cmd.getApiResourceId());
+    }
+
+    @Test
+    public void resourceIdReturnsValueWhenSet() {
+        String resourceId = "resource-123";
+        ReflectionTestUtils.setField(cmd, "resourceId", resourceId);
+        assertEquals(resourceId, cmd.getResourceId());
+    }
+
+    @Test
+    public void resourceTypeReturnsValueWhenSet() {
+        String resourceType = "PhysicalNetwork";
+        ReflectionTestUtils.setField(cmd, "resourceType", resourceType);
+        assertEquals(resourceType, cmd.getResourceType());
+    }
+
+    @Test
+    public void detailsReturnsEmptyMapWhenUnset() {
+        ReflectionTestUtils.setField(cmd, "details", null);
+        Map<String, String> details = cmd.getDetails();
+        assertNotNull(details);
+        assertTrue(details.isEmpty());
+    }
+
+    @Test
+    public void executeSetsExtensionResponseWhenManagerSucceeds() {
+        Extension extension = mock(Extension.class);
+        ExtensionResponse response = mock(ExtensionResponse.class);
+        when(extensionsManager.updateRegisteredExtensionWithResource(cmd)).thenReturn(extension);
+        when(extensionsManager.createExtensionResponse(extension, EnumSet.of(ApiConstants.ExtensionDetails.all)))
+                .thenReturn(response);
+
+        doNothing().when(cmd).setResponseObject(any());
+
+        cmd.execute();
+
+        verify(extensionsManager).updateRegisteredExtensionWithResource(cmd);
+        verify(extensionsManager).createExtensionResponse(extension, EnumSet.of(ApiConstants.ExtensionDetails.all));
+        verify(cmd).setResponseObject(response);
+    }
+
+    @Test
+    public void executeThrowsServerApiExceptionWhenManagerFails() {
+        when(extensionsManager.updateRegisteredExtensionWithResource(cmd))
+                .thenThrow(new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to update registered extension"));
+
+        try {
+            cmd.execute();
+            fail("Expected ServerApiException");
+        } catch (ServerApiException e) {
+            assertEquals("Failed to update registered extension", e.getDescription());
+        }
+    }
+}
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImplTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImplTest.java
index 76a0175e7576..9b389411ba81 100644
--- a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImplTest.java
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/dao/ExtensionResourceMapDaoImplTest.java
@@ -83,4 +83,55 @@ public void listResourceIdsByExtensionIdAndTypeReturnsCorrectIds() {
         when(dao.listResourceIdsByExtensionIdAndType(1L, ExtensionResourceMap.ResourceType.Cluster)).thenReturn(expectedIds);
         assertEquals(expectedIds, dao.listResourceIdsByExtensionIdAndType(1L, ExtensionResourceMap.ResourceType.Cluster));
     }
+
+    // -----------------------------------------------------------------------
+    // Tests for new methods: listByResourceIdAndType, listResourceIdsByType
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void listByResourceIdAndTypeReturnsEmptyListWhenNoMatch() {
+        when(dao.listByResourceIdAndType(999L, ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(List.of());
+        assertTrue(dao.listByResourceIdAndType(999L, ExtensionResourceMap.ResourceType.PhysicalNetwork).isEmpty());
+    }
+
+    @Test
+    public void listByResourceIdAndTypeReturnsMatchingEntries() {
+        ExtensionResourceMapVO map1 = new ExtensionResourceMapVO();
+        map1.setResourceId(42L);
+        map1.setResourceType(ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        ExtensionResourceMapVO map2 = new ExtensionResourceMapVO();
+        map2.setResourceId(42L);
+        map2.setResourceType(ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        List<ExtensionResourceMapVO> expected = List.of(map1, map2);
+        when(dao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(expected);
+        List<ExtensionResourceMapVO> result = dao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        assertEquals(2, result.size());
+        assertEquals(expected, result);
+    }
+
+    @Test
+    public void listByResourceIdAndTypeDifferentiatesResourceTypes() {
+        ExtensionResourceMapVO clusterMap = new ExtensionResourceMapVO();
+        clusterMap.setResourceType(ExtensionResourceMap.ResourceType.Cluster);
+        when(dao.listByResourceIdAndType(10L, ExtensionResourceMap.ResourceType.Cluster)).thenReturn(List.of(clusterMap));
+        when(dao.listByResourceIdAndType(10L, ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(List.of());
+
+        assertEquals(1, dao.listByResourceIdAndType(10L, ExtensionResourceMap.ResourceType.Cluster).size());
+        assertTrue(dao.listByResourceIdAndType(10L, ExtensionResourceMap.ResourceType.PhysicalNetwork).isEmpty());
+    }
+
+    @Test
+    public void listResourceIdsByTypeReturnsEmptyListWhenNoMatch() {
+        when(dao.listResourceIdsByType(ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(List.of());
+        assertTrue(dao.listResourceIdsByType(ExtensionResourceMap.ResourceType.PhysicalNetwork).isEmpty());
+    }
+
+    @Test
+    public void listResourceIdsByTypeReturnsMatchingIds() {
+        List<Long> expectedIds = List.of(5L, 10L, 15L);
+        when(dao.listResourceIdsByType(ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(expectedIds);
+        List<Long> result = dao.listResourceIdsByType(ExtensionResourceMap.ResourceType.PhysicalNetwork);
+        assertEquals(3, result.size());
+        assertEquals(expectedIds, result);
+    }
 }
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java
index ff3fce06b006..7356bffb5a95 100644
--- a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java
@@ -37,6 +37,7 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.mockStatic;
 import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -62,6 +63,7 @@
 import org.apache.cloudstack.extension.CustomActionResultResponse;
 import org.apache.cloudstack.extension.Extension;
 import org.apache.cloudstack.extension.ExtensionCustomAction;
+import org.apache.cloudstack.extension.ExtensionHelper;
 import org.apache.cloudstack.extension.ExtensionResourceMap;
 import org.apache.cloudstack.framework.extensions.api.AddCustomActionCmd;
 import org.apache.cloudstack.framework.extensions.api.CreateExtensionCmd;
@@ -74,6 +76,7 @@
 import org.apache.cloudstack.framework.extensions.api.UnregisterExtensionCmd;
 import org.apache.cloudstack.framework.extensions.api.UpdateCustomActionCmd;
 import org.apache.cloudstack.framework.extensions.api.UpdateExtensionCmd;
+import org.apache.cloudstack.framework.extensions.api.UpdateRegisteredExtensionCmd;
 import org.apache.cloudstack.framework.extensions.command.CleanupExtensionFilesCommand;
 import org.apache.cloudstack.framework.extensions.command.ExtensionServerActionBaseCommand;
 import org.apache.cloudstack.framework.extensions.command.GetExtensionPathChecksumCommand;
@@ -87,6 +90,7 @@
 import org.apache.cloudstack.framework.extensions.vo.ExtensionCustomActionDetailsVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionCustomActionVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionDetailsVO;
+import org.apache.cloudstack.framework.extensions.vo.ExtensionResourceMapDetailsVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionResourceMapVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionVO;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
@@ -94,6 +98,7 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.MockedStatic;
@@ -122,6 +127,16 @@
 import com.cloud.host.dao.HostDetailsDao;
 import com.cloud.hypervisor.ExternalProvisioner;
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.network.Network;
+import com.cloud.network.NetworkModel;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkServiceMapDao;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
+import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.element.NetworkElement;
+import org.apache.cloudstack.extension.NetworkCustomActionProvider;
 import com.cloud.org.Cluster;
 import com.cloud.serializer.GsonHelper;
 import com.cloud.storage.dao.VMTemplateDao;
@@ -138,7 +153,7 @@
 import com.cloud.vm.VmDetailConstants;
 import com.cloud.vm.dao.VMInstanceDao;
 
-@RunWith(MockitoJUnitRunner.class)
+@RunWith(MockitoJUnitRunner.Silent.class)
 public class ExtensionsManagerImplTest {
 
     @Spy
@@ -185,6 +200,17 @@ public class ExtensionsManagerImplTest {
     private RoleService roleService;
     @Mock
     private AccountService accountService;
+    @Mock
+    private PhysicalNetworkDao physicalNetworkDao;
+    @Mock
+    private NetworkDao networkDao;
+    @Mock
+    private NetworkServiceMapDao networkServiceMapDao;
+    @Mock
+    private NetworkModel networkModel;
+
+    @Mock
+    private PhysicalNetworkServiceProviderDao physicalNetworkServiceProviderDao;
 
     @Before
     public void setUp() {
@@ -290,14 +316,6 @@ public void getExtensionFromResourceReturnsNullIfEntityNotFound() {
         assertNull(extensionsManager.getExtensionFromResource(ExtensionCustomAction.ResourceType.VirtualMachine, "uuid"));
     }
 
-    @Test
-    public void getActionMessageReturnsDefaultOnBlank() {
-        ExtensionCustomAction action = mock(ExtensionCustomAction.class);
-        Extension ext = mock(Extension.class);
-        when(action.getSuccessMessage()).thenReturn(null);
-        String msg = extensionsManager.getActionMessage(true, action, ext, ExtensionCustomAction.ResourceType.VirtualMachine, null);
-        assertTrue(msg.contains("Successfully completed"));
-    }
 
     @Test
     public void getActionMessageReturnsDefaultMessageForSuccessWithoutCustomMessage() {
@@ -343,14 +361,6 @@ public void getActionMessageReturnsCustomFailureMessage() {
         assertEquals("Custom failure message", result);
     }
 
-    @Test
-    public void getActionMessageHandlesNullActionMessage() {
-        ExtensionCustomAction action = mock(ExtensionCustomAction.class);
-        when(action.getSuccessMessage()).thenReturn(null);
-        Extension extension = mock(Extension.class);
-        String result = extensionsManager.getActionMessage(true, action, extension, ExtensionCustomAction.ResourceType.VirtualMachine, null);
-        assertTrue(result.contains("Successfully completed"));
-    }
 
     @Test
     public void getFilteredExternalDetailsReturnsFilteredMap() {
@@ -381,26 +391,6 @@ public void sendExtensionPathNotReadyAlertDoesNotCallsAlertManager() {
                 anyLong(), anyLong(), anyString(), anyString());
     }
 
-    @Test
-    public void updateExtensionPathReadyUpdatesWhenStateDiffers() {
-        Extension ext = mock(Extension.class);
-        when(ext.getId()).thenReturn(1L);
-        when(ext.isPathReady()).thenReturn(false);
-        ExtensionVO vo = mock(ExtensionVO.class);
-        when(extensionDao.createForUpdate(1L)).thenReturn(vo);
-        when(extensionDao.update(1L, vo)).thenReturn(true);
-        extensionsManager.updateExtensionPathReady(ext, true);
-        verify(extensionDao).update(1L, vo);
-    }
-
-    @Test
-    public void disableExtensionUpdatesState() {
-        ExtensionVO vo = mock(ExtensionVO.class);
-        when(extensionDao.createForUpdate(1L)).thenReturn(vo);
-        when(extensionDao.update(1L, vo)).thenReturn(true);
-        extensionsManager.disableExtension(1L);
-        verify(extensionDao).update(1L, vo);
-    }
 
     @Test
     public void getExtensionFromResourceReturnsExtensionForValidResource() {
@@ -558,41 +548,29 @@ public void getExtensionsPathReturnsProvisionerPath() {
         assertEquals("/tmp/extensions", extensionsManager.getExtensionsPath());
     }
 
-    @Test
-    public void getExtensionIdForClusterReturnsNullIfNoMap() {
-        when(extensionResourceMapDao.findByResourceIdAndType(anyLong(), any())).thenReturn(null);
-        assertNull(extensionsManager.getExtensionIdForCluster(1L));
-    }
-
-    @Test
-    public void getExtensionIdForClusterReturnsIdIfMapExists() {
-        ExtensionResourceMapVO map = mock(ExtensionResourceMapVO.class);
-        when(map.getExtensionId()).thenReturn(5L);
-        when(extensionResourceMapDao.findByResourceIdAndType(anyLong(), any())).thenReturn(map);
-        assertEquals(Long.valueOf(5L), extensionsManager.getExtensionIdForCluster(1L));
-    }
 
     @Test
-    public void getExtensionReturnsExtension() {
-        ExtensionVO ext = mock(ExtensionVO.class);
-        when(extensionDao.findById(1L)).thenReturn(ext);
-        assertEquals(ext, extensionsManager.getExtension(1L));
-    }
-
-    @Test
-    public void getExtensionForClusterReturnsNullIfNoId() {
-        when(extensionResourceMapDao.findByResourceIdAndType(anyLong(), any())).thenReturn(null);
-        assertNull(extensionsManager.getExtensionForCluster(1L));
+    public void checkExtensionPathSyncUpdatesReadyWhenStateDiffers() {
+        Extension ext = mock(Extension.class);
+        when(ext.getName()).thenReturn("ext");
+        when(ext.getRelativePath()).thenReturn("entry.sh");
+        when(ext.isPathReady()).thenReturn(false);
+        ExtensionVO vo = mock(ExtensionVO.class);
+        when(extensionDao.createForUpdate(1L)).thenReturn(vo);
+        when(extensionDao.update(1L, vo)).thenReturn(true);
+        extensionsManager.checkExtensionPathState(ext, Collections.emptyList());
+        verify(extensionsManager).updateExtensionPathReady(ext, false);
     }
 
     @Test
-    public void getExtensionForClusterReturnsExtensionIfIdExists() {
-        ExtensionResourceMapVO map = mock(ExtensionResourceMapVO.class);
-        when(map.getExtensionId()).thenReturn(5L);
-        when(extensionResourceMapDao.findByResourceIdAndType(anyLong(), any())).thenReturn(map);
-        ExtensionVO ext = mock(ExtensionVO.class);
-        when(extensionDao.findById(5L)).thenReturn(ext);
-        assertEquals(ext, extensionsManager.getExtensionForCluster(1L));
+    public void checkExtensionPathSyncUpdatesReadyWhenStateUnchanged() {
+        Extension ext = mock(Extension.class);
+        when(ext.getName()).thenReturn("ext");
+        when(ext.getRelativePath()).thenReturn("entry.sh");
+        when(ext.isPathReady()).thenReturn(true);
+        when(externalProvisioner.getChecksumForExtensionPath("ext", "entry.sh")).thenReturn("checksum123");
+        extensionsManager.checkExtensionPathState(ext, Collections.emptyList());
+        verify(extensionsManager, times(1)).updateExtensionPathReady(any(), anyBoolean());
     }
 
     @Test
@@ -1024,13 +1002,6 @@ public void testDeleteExtension_Success() {
         verify(extensionDao).remove(1L);
     }
 
-    @Test
-    public void testRegisterExtensionWithResource_InvalidResourceType() {
-        RegisterExtensionCmd cmd = mock(RegisterExtensionCmd.class);
-        when(cmd.getResourceType()).thenReturn("InvalidType");
-
-        assertThrows(InvalidParameterValueException.class, () -> extensionsManager.registerExtensionWithResource(cmd));
-    }
 
     @Test
     public void registerExtensionWithResourceRegistersSuccessfullyForValidResourceType() {
@@ -1063,8 +1034,6 @@ public void registerExtensionWithResourceThrowsForMissingExtension() {
         RegisterExtensionCmd cmd = mock(RegisterExtensionCmd.class);
         when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.Cluster.name());
         when(cmd.getResourceId()).thenReturn(UUID.randomUUID().toString());
-        ClusterVO clusterVO = mock(ClusterVO.class);
-        when(clusterDao.findByUuid(anyString())).thenReturn(clusterVO);
         extensionsManager.registerExtensionWithResource(cmd);
     }
 
@@ -1139,6 +1108,159 @@ public void unregisterExtensionWithClusterHandlesMissingMappingGracefully() {
         verify(extensionResourceMapDao, never()).remove(anyLong());
     }
 
+    @Test
+    public void unregisterExtensionWithResourceThrowsWhenProviderUsedByExistingNetworks() {
+        UnregisterExtensionCmd cmd = mock(UnregisterExtensionCmd.class);
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getResourceId()).thenReturn("physnet-uuid");
+        when(cmd.getExtensionId()).thenReturn(1L);
+
+        PhysicalNetworkVO physicalNetwork = mock(PhysicalNetworkVO.class);
+        when(physicalNetwork.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("physnet-uuid")).thenReturn(physicalNetwork);
+
+        ExtensionResourceMapVO existing = mock(ExtensionResourceMapVO.class);
+        when(existing.getExtensionId()).thenReturn(1L);
+        when(extensionResourceMapDao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(existing));
+
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.getName()).thenReturn("extnet-provider");
+        when(extensionDao.findById(1L)).thenReturn(extension);
+
+        NetworkVO network = mock(NetworkVO.class);
+        when(networkDao.listByPhysicalNetworkAndProvider(42L, "extnet-provider")).thenReturn(List.of(network));
+
+        assertThrows(CloudRuntimeException.class, () -> extensionsManager.unregisterExtensionWithResource(cmd));
+        verify(extensionResourceMapDao, never()).remove(anyLong());
+    }
+
+    @Test
+    public void updateRegisteredExtensionWithResourceUpdatesDetailsForExistingMapping() {
+        UpdateRegisteredExtensionCmd cmd = mock(UpdateRegisteredExtensionCmd.class);
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getResourceId()).thenReturn("physnet-uuid");
+        when(cmd.getExtensionId()).thenReturn(1L);
+        when(cmd.getDetails()).thenReturn(Map.of("username", "root", "hosts", "10.10.10.10"));
+        when(cmd.isCleanupDetails()).thenReturn(false);
+
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.getName()).thenReturn("extnet-provider");
+        when(extensionDao.findById(1L)).thenReturn(extension);
+
+        PhysicalNetworkVO physicalNetwork = mock(PhysicalNetworkVO.class);
+        when(physicalNetwork.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("physnet-uuid")).thenReturn(physicalNetwork);
+
+        ExtensionResourceMapVO existing = mock(ExtensionResourceMapVO.class);
+        when(existing.getExtensionId()).thenReturn(1L);
+        when(existing.getId()).thenReturn(100L);
+        when(extensionResourceMapDao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(existing));
+
+        Extension result = extensionsManager.updateRegisteredExtensionWithResource(cmd);
+
+        assertEquals(extension, result);
+        verify(extensionResourceMapDetailsDao, never()).removeDetails(anyLong());
+        verify(extensionResourceMapDetailsDao).saveDetails(any());
+    }
+
+    @Test
+    public void updateRegisteredExtensionWithResourceCleanupDetailsFirstThenSaveRequested() {
+        UpdateRegisteredExtensionCmd cmd = mock(UpdateRegisteredExtensionCmd.class);
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getResourceId()).thenReturn("physnet-uuid");
+        when(cmd.getExtensionId()).thenReturn(1L);
+        when(cmd.getDetails()).thenReturn(Map.of("username", "root", "password", "secret"));
+        when(cmd.isCleanupDetails()).thenReturn(true);
+
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extensionDao.findById(1L)).thenReturn(extension);
+
+        PhysicalNetworkVO physicalNetwork = mock(PhysicalNetworkVO.class);
+        when(physicalNetwork.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("physnet-uuid")).thenReturn(physicalNetwork);
+
+        ExtensionResourceMapVO existing = mock(ExtensionResourceMapVO.class);
+        when(existing.getExtensionId()).thenReturn(1L);
+        when(existing.getId()).thenReturn(100L);
+        when(extensionResourceMapDao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(existing));
+
+        extensionsManager.updateRegisteredExtensionWithResource(cmd);
+
+        verify(extensionResourceMapDetailsDao).removeDetails(100L);
+        verify(extensionResourceMapDetailsDao, never()).saveDetails(any());
+    }
+
+    @Test
+    @SuppressWarnings("unchecked")
+    public void updateRegisteredExtensionWithResourceStoresSensitiveDetailsWithDisplayFalse() {
+        UpdateRegisteredExtensionCmd cmd = mock(UpdateRegisteredExtensionCmd.class);
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getResourceId()).thenReturn("physnet-uuid");
+        when(cmd.getExtensionId()).thenReturn(1L);
+        when(cmd.getDetails()).thenReturn(Map.of("username", "root", "password", "newSecret"));
+        when(cmd.isCleanupDetails()).thenReturn(false);
+
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extensionDao.findById(1L)).thenReturn(extension);
+
+        PhysicalNetworkVO physicalNetwork = mock(PhysicalNetworkVO.class);
+        when(physicalNetwork.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("physnet-uuid")).thenReturn(physicalNetwork);
+
+        ExtensionResourceMapVO existing = mock(ExtensionResourceMapVO.class);
+        when(existing.getExtensionId()).thenReturn(1L);
+        when(existing.getId()).thenReturn(100L);
+        when(extensionResourceMapDao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(existing));
+        extensionsManager.updateRegisteredExtensionWithResource(cmd);
+
+        ArgumentCaptor<List<ExtensionResourceMapDetailsVO>> captor = ArgumentCaptor.forClass(List.class);
+        verify(extensionResourceMapDetailsDao).saveDetails(captor.capture());
+        verify(extensionResourceMapDetailsDao, never()).removeDetails(anyLong());
+        List<ExtensionResourceMapDetailsVO> savedDetails = captor.getValue();
+
+        ExtensionResourceMapDetailsVO passwordDetail = savedDetails.stream()
+                .filter(detail -> "password".equals(detail.getName()))
+                .findFirst()
+                .orElse(null);
+        assertNotNull(passwordDetail);
+        assertFalse(passwordDetail.isDisplay());
+        assertEquals("newSecret", passwordDetail.getValue());
+    }
+
+    @Test
+    @SuppressWarnings("unchecked")
+    public void registerExtensionWithClusterStoresSensitiveDetailsWithDisplayFalse() {
+        Cluster cluster = mock(Cluster.class);
+        when(cluster.getId()).thenReturn(12L);
+        when(cluster.getName()).thenReturn("cluster-12");
+        when(cluster.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.External);
+
+        Extension extension = mock(Extension.class);
+        when(extension.getId()).thenReturn(5L);
+
+        ExtensionResourceMapVO persistedMap = mock(ExtensionResourceMapVO.class);
+        when(persistedMap.getId()).thenReturn(120L);
+        when(extensionResourceMapDao.persist(any())).thenReturn(persistedMap);
+
+        extensionsManager.registerExtensionWithCluster(cluster, extension,
+                Map.of("username", "admin", "password", "s3cr3t"));
+
+        ArgumentCaptor<List<ExtensionResourceMapDetailsVO>> captor = ArgumentCaptor.forClass(List.class);
+        verify(extensionResourceMapDetailsDao).saveDetails(captor.capture());
+        List<ExtensionResourceMapDetailsVO> savedDetails = captor.getValue();
+
+        ExtensionResourceMapDetailsVO passwordDetail = savedDetails.stream()
+                .filter(detail -> "password".equals(detail.getName()))
+                .findFirst()
+                .orElse(null);
+        assertNotNull(passwordDetail);
+        assertFalse(passwordDetail.isDisplay());
+    }
+
     @Test
     public void testCreateExtensionResponse_BasicFields() {
         Extension extension = mock(Extension.class);
@@ -2218,4 +2340,509 @@ public void addInbuiltExtensionReservedResourceDetailsAddedDetails() {
         assertEquals(reservedResourceDetails.size(), entry.getValue().size());
         assertTrue(reservedResourceDetails.containsAll(entry.getValue()));
     }
+
+    // -----------------------------------------------------------------------
+    // Tests for ExtensionHelper methods (external network device support)
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getExtensionForPhysicalNetworkReturnsExtensionWhenRegistered() {
+        long physNetId = 10L;
+        long extensionId = 5L;
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(extensionId);
+        when(extensionResourceMapDao.listByResourceIdAndType(physNetId,
+                ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(List.of(mapVO));
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(extensionDao.findById(extensionId)).thenReturn(ext);
+
+        Extension result = extensionsManager.getExtensionForPhysicalNetwork(physNetId);
+
+        assertNotNull(result);
+        assertEquals(ext, result);
+    }
+
+    @Test
+    public void getExtensionForPhysicalNetworkReturnsNullWhenNotRegistered() {
+        long physNetId = 10L;
+        when(extensionResourceMapDao.listByResourceIdAndType(physNetId,
+                ExtensionResourceMap.ResourceType.PhysicalNetwork)).thenReturn(Collections.emptyList());
+
+        Extension result = extensionsManager.getExtensionForPhysicalNetwork(physNetId);
+
+        assertNull(result);
+    }
+
+
+    // Helper: a mock object that is both a NetworkElement and a NetworkCustomActionProvider
+    interface MockNetworkElement extends NetworkElement, NetworkCustomActionProvider {}
+
+    @Test
+    public void runNetworkCustomActionSucceeds() {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(5L);
+        when(network.getName()).thenReturn("test-net");
+
+        ExtensionCustomActionVO actionVO = mock(ExtensionCustomActionVO.class);
+        when(actionVO.getUuid()).thenReturn("action-uuid");
+        when(actionVO.getName()).thenReturn("reboot-device");
+        when(actionVO.getId()).thenReturn(1L);
+        when(actionVO.getSuccessMessage()).thenReturn(null);
+        when(actionVO.getErrorMessage()).thenReturn(null);
+
+        ExtensionVO extensionVO = mock(ExtensionVO.class);
+        when(extensionVO.getName()).thenReturn("my-extnet");
+
+        Pair<Map<String, String>, Map<String, String>> details = new Pair<>(new HashMap<>(), new HashMap<>());
+        when(extensionCustomActionDetailsDao.listDetailsKeyPairsWithVisibility(1L)).thenReturn(details);
+
+        // networkServiceMapDao returns provider name for SourceNat
+        when(networkServiceMapDao.getProviderForServiceInNetwork(eq(5L), any())).thenReturn("my-extnet");
+
+        // element implements both NetworkElement and NetworkCustomActionProvider
+        MockNetworkElement element = mock(MockNetworkElement.class);
+        when(element.canHandleCustomAction(eq(network))).thenReturn(true);
+        when(element.runCustomAction(eq(network), eq("reboot-device"), any())).thenReturn("OK: bridge bounced");
+        when(networkModel.getElementImplementingProvider("my-extnet")).thenReturn(element);
+
+        CustomActionResultResponse resp = extensionsManager.runNetworkCustomAction(
+                network, actionVO, extensionVO,
+                ExtensionCustomAction.ResourceType.Network, new HashMap<>());
+
+        assertTrue(resp.isSuccess());
+        assertEquals("OK: bridge bounced", resp.getResult().get(ApiConstants.DETAILS));
+    }
+
+    @Test
+    public void runNetworkCustomActionFailsWhenNoProvider() {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(5L);
+        when(network.getName()).thenReturn("test-net");
+
+        ExtensionCustomActionVO actionVO = mock(ExtensionCustomActionVO.class);
+        when(actionVO.getUuid()).thenReturn("action-uuid");
+        when(actionVO.getName()).thenReturn("dump-config");
+        when(actionVO.getId()).thenReturn(2L);
+        when(actionVO.getSuccessMessage()).thenReturn(null);
+        when(actionVO.getErrorMessage()).thenReturn(null);
+
+        ExtensionVO extensionVO = mock(ExtensionVO.class);
+        when(extensionVO.getName()).thenReturn("my-extnet");
+
+        Pair<Map<String, String>, Map<String, String>> details = new Pair<>(new HashMap<>(), new HashMap<>());
+        when(extensionCustomActionDetailsDao.listDetailsKeyPairsWithVisibility(2L)).thenReturn(details);
+
+        // No provider found for any service
+        when(networkServiceMapDao.getProviderForServiceInNetwork(eq(5L), any())).thenReturn(null);
+
+        CustomActionResultResponse resp = extensionsManager.runNetworkCustomAction(
+                network, actionVO, extensionVO,
+                ExtensionCustomAction.ResourceType.Network, new HashMap<>());
+
+        assertFalse(resp.isSuccess());
+        assertTrue(resp.getResult().get(ApiConstants.DETAILS).contains("No network service provider"));
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for getExtensionFromResource with Network resource type
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getExtensionFromResourceReturnsExtensionForNetworkWithProviderMatch() {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(10L);
+        when(network.getPhysicalNetworkId()).thenReturn(5L);
+        when(entityManager.findByUuid(eq(Network.class), eq("net-uuid"))).thenReturn(network);
+
+        List<String> providers = List.of("my-ext-provider");
+        when(networkServiceMapDao.getDistinctProviders(10L)).thenReturn(providers);
+
+        ExtensionVO ext = mock(ExtensionVO.class);
+        doReturn(ext).when(extensionsManager).getExtensionForPhysicalNetworkAndProvider(5L, "my-ext-provider");
+
+        Extension result = extensionsManager.getExtensionFromResource(ExtensionCustomAction.ResourceType.Network, "net-uuid");
+        assertEquals(ext, result);
+    }
+
+    @Test
+    public void getExtensionFromResourceFallsBackToFirstMappingForNetwork() {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(10L);
+        when(network.getPhysicalNetworkId()).thenReturn(5L);
+        when(entityManager.findByUuid(eq(Network.class), eq("net-uuid"))).thenReturn(network);
+
+        when(networkServiceMapDao.getDistinctProviders(10L)).thenReturn(Collections.emptyList());
+
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(99L);
+        when(extensionResourceMapDao.listByResourceIdAndType(5L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(mapVO));
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(extensionDao.findById(99L)).thenReturn(ext);
+
+        Extension result = extensionsManager.getExtensionFromResource(ExtensionCustomAction.ResourceType.Network, "net-uuid");
+        assertEquals(ext, result);
+    }
+
+    @Test
+    public void getExtensionFromResourceReturnsNullForNetworkWithNullPhysicalNetworkId() {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(10L);
+        when(network.getPhysicalNetworkId()).thenReturn(null);
+        when(entityManager.findByUuid(eq(Network.class), eq("net-uuid"))).thenReturn(network);
+
+        Extension result = extensionsManager.getExtensionFromResource(ExtensionCustomAction.ResourceType.Network, "net-uuid");
+        assertNull(result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for listExtensions with resourceId + resourceType (PhysicalNetwork)
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void listExtensionsWithPhysicalNetworkResourceReturnsFilteredExtensions() {
+        ListExtensionsCmd cmd = mock(ListExtensionsCmd.class);
+        when(cmd.getResourceId()).thenReturn("pnet-uuid");
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getExtensionId()).thenReturn(null);
+        when(cmd.getName()).thenReturn(null);
+        when(cmd.getType()).thenReturn(null);
+        when(cmd.getDetails()).thenReturn(null);
+
+        PhysicalNetworkVO physNet = mock(PhysicalNetworkVO.class);
+        when(physNet.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("pnet-uuid")).thenReturn(physNet);
+
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(100L);
+        when(extensionResourceMapDao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(mapVO));
+
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(ext.getType()).thenReturn(Extension.Type.NetworkOrchestrator);
+        when(extensionDao.findById(100L)).thenReturn(ext);
+
+        ExtensionResponse resp = mock(ExtensionResponse.class);
+        doReturn(resp).when(extensionsManager).createExtensionResponse(eq(ext), any());
+
+        List<ExtensionResponse> result = extensionsManager.listExtensions(cmd);
+        assertEquals(1, result.size());
+        assertEquals(resp, result.get(0));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void listExtensionsWithInvalidResourceTypeThrows() {
+        ListExtensionsCmd cmd = mock(ListExtensionsCmd.class);
+        when(cmd.getResourceId()).thenReturn("resource-uuid");
+        when(cmd.getResourceType()).thenReturn("InvalidType");
+        when(cmd.getExtensionId()).thenReturn(null);
+        when(cmd.getName()).thenReturn(null);
+        when(cmd.getType()).thenReturn(null);
+
+        extensionsManager.listExtensions(cmd);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for registerExtensionWithPhysicalNetwork
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void registerExtensionWithPhysicalNetworkSucceeds() {
+        RegisterExtensionCmd cmd = mock(RegisterExtensionCmd.class);
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getResourceId()).thenReturn("pnet-uuid");
+        when(cmd.getExtensionId()).thenReturn(1L);
+        when(cmd.getDetails()).thenReturn(null);
+
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.getType()).thenReturn(Extension.Type.NetworkOrchestrator);
+        when(extension.getName()).thenReturn("my-ext");
+        when(extension.getId()).thenReturn(1L);
+        when(extensionDao.findById(1L)).thenReturn(extension);
+
+        PhysicalNetworkVO physNet = mock(PhysicalNetworkVO.class);
+        when(physNet.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("pnet-uuid")).thenReturn(physNet);
+
+        when(extensionResourceMapDao.listByResourceIdAndType(42L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(Collections.emptyList());
+        when(extensionDetailsDao.listDetailsKeyPairs(1L)).thenReturn(Collections.emptyMap());
+
+        ExtensionResourceMapVO savedMap = mock(ExtensionResourceMapVO.class);
+        when(extensionResourceMapDao.persist(any())).thenReturn(savedMap);
+
+        when(physicalNetworkServiceProviderDao.findByServiceProvider(42L, "my-ext")).thenReturn(null);
+
+        Extension result = extensionsManager.registerExtensionWithResource(cmd);
+        assertEquals(extension, result);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void registerExtensionWithPhysicalNetworkFailsForNonNetworkOrchestratorType() {
+        RegisterExtensionCmd cmd = mock(RegisterExtensionCmd.class);
+        when(cmd.getResourceType()).thenReturn(ExtensionResourceMap.ResourceType.PhysicalNetwork.name());
+        when(cmd.getResourceId()).thenReturn("pnet-uuid");
+        when(cmd.getExtensionId()).thenReturn(1L);
+
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.getType()).thenReturn(Extension.Type.Orchestrator);
+        when(extension.getName()).thenReturn("orch-ext");
+        when(extensionDao.findById(1L)).thenReturn(extension);
+
+        PhysicalNetworkVO physNet = mock(PhysicalNetworkVO.class);
+        when(physNet.getId()).thenReturn(42L);
+        when(physicalNetworkDao.findByUuid("pnet-uuid")).thenReturn(physNet);
+
+        extensionsManager.registerExtensionWithResource(cmd);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for getExtensionIdForPhysicalNetwork
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getExtensionIdForPhysicalNetworkReturnsIdWhenMapped() {
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(55L);
+        when(extensionResourceMapDao.listByResourceIdAndType(10L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(mapVO));
+
+        Long result = extensionsManager.getExtensionIdForPhysicalNetwork(10L);
+        assertEquals(Long.valueOf(55L), result);
+    }
+
+    @Test
+    public void getExtensionIdForPhysicalNetworkReturnsNullWhenNotMapped() {
+        when(extensionResourceMapDao.listByResourceIdAndType(10L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(Collections.emptyList());
+
+        Long result = extensionsManager.getExtensionIdForPhysicalNetwork(10L);
+        assertNull(result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for getExtensionForPhysicalNetworkAndProvider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getExtensionForPhysicalNetworkAndProviderReturnsMatchingExtension() {
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(10L);
+        when(extensionResourceMapDao.listByResourceIdAndType(5L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(mapVO));
+
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(ext.getName()).thenReturn("MyExt");
+        when(extensionDao.findById(10L)).thenReturn(ext);
+
+        Extension result = extensionsManager.getExtensionForPhysicalNetworkAndProvider(5L, "myext");
+        assertEquals(ext, result);
+    }
+
+    @Test
+    public void getExtensionForPhysicalNetworkAndProviderReturnsNullWhenNameDoesNotMatch() {
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(10L);
+        when(extensionResourceMapDao.listByResourceIdAndType(5L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(mapVO));
+
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(ext.getName()).thenReturn("OtherExt");
+        when(extensionDao.findById(10L)).thenReturn(ext);
+
+        Extension result = extensionsManager.getExtensionForPhysicalNetworkAndProvider(5L, "myext");
+        assertNull(result);
+    }
+
+    @Test
+    public void getExtensionForPhysicalNetworkAndProviderReturnsNullForNullProviderName() {
+        Extension result = extensionsManager.getExtensionForPhysicalNetworkAndProvider(5L, null);
+        assertNull(result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for getAllResourceMapDetailsForExtensionOnPhysicalNetwork
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getAllResourceMapDetailsForExtensionOnPhysicalNetworkReturnsDetails() {
+        ExtensionResourceMapVO mapVO = mock(ExtensionResourceMapVO.class);
+        when(mapVO.getExtensionId()).thenReturn(10L);
+        when(mapVO.getId()).thenReturn(100L);
+        when(extensionResourceMapDao.listByResourceIdAndType(5L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(List.of(mapVO));
+        when(extensionResourceMapDetailsDao.listDetailsKeyPairs(100L))
+                .thenReturn(Map.of("host", "192.168.1.1"));
+
+        Map<String, String> result = extensionsManager.getAllResourceMapDetailsForExtensionOnPhysicalNetwork(5L, 10L);
+        assertEquals("192.168.1.1", result.get("host"));
+    }
+
+    @Test
+    public void getAllResourceMapDetailsForExtensionOnPhysicalNetworkReturnsEmptyWhenNoMapping() {
+        when(extensionResourceMapDao.listByResourceIdAndType(5L, ExtensionResourceMap.ResourceType.PhysicalNetwork))
+                .thenReturn(Collections.emptyList());
+
+        Map<String, String> result = extensionsManager.getAllResourceMapDetailsForExtensionOnPhysicalNetwork(5L, 10L);
+        assertTrue(result.isEmpty());
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for isNetworkExtensionProvider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void isNetworkExtensionProviderReturnsTrueWhenProviderMatchesExtension() {
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(ext.getName()).thenReturn("my-ext");
+        when(extensionDao.listByType(Extension.Type.NetworkOrchestrator)).thenReturn(List.of(ext));
+
+        assertTrue(extensionsManager.isNetworkExtensionProvider("my-ext"));
+    }
+
+    @Test
+    public void isNetworkExtensionProviderReturnsFalseWhenNoMatch() {
+        when(extensionDao.listByType(Extension.Type.NetworkOrchestrator)).thenReturn(Collections.emptyList());
+        assertFalse(extensionsManager.isNetworkExtensionProvider("unknown"));
+    }
+
+    @Test
+    public void isNetworkExtensionProviderReturnsFalseForNullProvider() {
+        assertFalse(extensionsManager.isNetworkExtensionProvider(null));
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for listExtensionsByType
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void listExtensionsByTypeReturnsExtensionsForType() {
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(extensionDao.listByType(Extension.Type.NetworkOrchestrator)).thenReturn(List.of(ext));
+
+        List<Extension> result = extensionsManager.listExtensionsByType(Extension.Type.NetworkOrchestrator);
+        assertEquals(1, result.size());
+        assertEquals(ext, result.get(0));
+    }
+
+    @Test
+    public void listExtensionsByTypeReturnsEmptyForNullType() {
+        List<Extension> result = extensionsManager.listExtensionsByType(null);
+        assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void listExtensionsByTypeReturnsEmptyWhenNoExtensions() {
+        when(extensionDao.listByType(Extension.Type.NetworkOrchestrator)).thenReturn(Collections.emptyList());
+        List<Extension> result = extensionsManager.listExtensionsByType(Extension.Type.NetworkOrchestrator);
+        assertTrue(result.isEmpty());
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for getNetworkCapabilitiesForProvider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getNetworkCapabilitiesForProviderReturnsCapabilitiesFromExtensionDetails() {
+        long physNetId = 10L;
+        String providerName = "my-ext";
+
+        ExtensionVO ext = mock(ExtensionVO.class);
+        when(ext.getId()).thenReturn(5L);
+        doReturn(ext).when(extensionsManager).getExtensionForPhysicalNetworkAndProvider(physNetId, providerName);
+
+        when(extensionDetailsDao.listDetailsKeyPairs(5L)).thenReturn(Map.of(
+                ExtensionHelper.NETWORK_SERVICES_DETAIL_KEY,
+                "SourceNat,StaticNat"));
+
+        Map<Network.Service, Map<Network.Capability, String>> result =
+                extensionsManager.getNetworkCapabilitiesForProvider(physNetId, providerName);
+        assertNotNull(result);
+        assertTrue(result.containsKey(Network.Service.SourceNat));
+    }
+
+    @Test
+    public void getNetworkCapabilitiesForProviderReturnsEmptyMapForNullProvider() {
+        Map<Network.Service, Map<Network.Capability, String>> result =
+                extensionsManager.getNetworkCapabilitiesForProvider(10L, null);
+        assertTrue(result.isEmpty());
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for validateNetworkServicesSubset
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void validateNetworkServicesSubsetDoesNothingForBlankServices() {
+        Extension ext = mock(Extension.class);
+        extensionsManager.validateNetworkServicesSubset(ext, "");
+        // no exception expected
+    }
+
+    @Test
+    public void validateNetworkServicesSubsetDoesNothingWhenAllowedIsEmpty() {
+        Extension ext = mock(Extension.class);
+        when(ext.getId()).thenReturn(1L);
+        when(extensionDetailsDao.listDetailsKeyPairs(1L)).thenReturn(Collections.emptyMap());
+        extensionsManager.validateNetworkServicesSubset(ext, "SourceNat");
+        // no exception - when no services declared, accept any
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void validateNetworkServicesSubsetThrowsForUnsupportedService() {
+        Extension ext = mock(Extension.class);
+        when(ext.getId()).thenReturn(1L);
+        when(ext.getName()).thenReturn("my-ext");
+        when(extensionDetailsDao.listDetailsKeyPairs(1L)).thenReturn(Map.of(
+                ExtensionHelper.NETWORK_SERVICES_DETAIL_KEY,
+                "SourceNat,Firewall"));
+        extensionsManager.validateNetworkServicesSubset(ext, "StaticNat");
+    }
+
+    @Test
+    public void validateNetworkServicesSubsetDoesNothingForValidSubset() {
+        Extension ext = mock(Extension.class);
+        when(ext.getId()).thenReturn(1L);
+        when(extensionDetailsDao.listDetailsKeyPairs(1L)).thenReturn(Map.of(
+                ExtensionHelper.NETWORK_SERVICES_DETAIL_KEY,
+                "SourceNat,Firewall,StaticNat"));
+        extensionsManager.validateNetworkServicesSubset(ext, "SourceNat,Firewall");
+        // no exception expected
+    }
+
+    @Test
+    public void runNetworkCustomActionFailsWhenProviderReturnsNull() {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(5L);
+        when(network.getName()).thenReturn("test-net");
+
+        ExtensionCustomActionVO actionVO = mock(ExtensionCustomActionVO.class);
+        when(actionVO.getUuid()).thenReturn("action-uuid");
+        when(actionVO.getName()).thenReturn("unknown-action");
+        when(actionVO.getId()).thenReturn(3L);
+        when(actionVO.getSuccessMessage()).thenReturn(null);
+        when(actionVO.getErrorMessage()).thenReturn(null);
+
+        ExtensionVO extensionVO = mock(ExtensionVO.class);
+        when(extensionVO.getName()).thenReturn("my-extnet");
+
+        Pair<Map<String, String>, Map<String, String>> details = new Pair<>(new HashMap<>(), new HashMap<>());
+        when(extensionCustomActionDetailsDao.listDetailsKeyPairsWithVisibility(3L)).thenReturn(details);
+
+        // networkServiceMapDao returns provider name
+        when(networkServiceMapDao.getProviderForServiceInNetwork(eq(5L), any())).thenReturn("my-extnet");
+
+        // element implements both NetworkElement and NetworkCustomActionProvider but action returns null
+        MockNetworkElement element = mock(MockNetworkElement.class);
+        when(element.runCustomAction(eq(network), eq("unknown-action"), any())).thenReturn(null);
+        when(networkModel.getElementImplementingProvider("my-extnet")).thenReturn(element);
+
+        CustomActionResultResponse resp = extensionsManager.runNetworkCustomAction(
+                network, actionVO, extensionVO,
+                ExtensionCustomAction.ResourceType.Network, new HashMap<>());
+
+        assertFalse(resp.isSuccess());
+        assertTrue(resp.getResult().get(ApiConstants.DETAILS).contains("Action failed"));
+    }
+
 }
diff --git a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/ManagementServerMock.java b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/ManagementServerMock.java
index 2107850c36be..906c7e4ff0b9 100644
--- a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/ManagementServerMock.java
+++ b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/ManagementServerMock.java
@@ -328,7 +328,7 @@ private void locatePhysicalNetwork() {
             }
         }
         if (_znet.getState() != PhysicalNetwork.State.Enabled) {
-            _znet = _networkService.updatePhysicalNetwork(_znet.getId(), null, null, null, PhysicalNetwork.State.Enabled.toString());
+            _znet = _networkService.updatePhysicalNetwork(_znet.getId(), null, null, null, PhysicalNetwork.State.Enabled.toString(), null);
         }
 
         // Ensure that the physical network supports Guest traffic.
diff --git a/server/src/main/java/com/cloud/api/ApiDBUtils.java b/server/src/main/java/com/cloud/api/ApiDBUtils.java
index 1d00e9ec16ba..3f5596793492 100644
--- a/server/src/main/java/com/cloud/api/ApiDBUtils.java
+++ b/server/src/main/java/com/cloud/api/ApiDBUtils.java
@@ -1559,6 +1559,10 @@ public static boolean canElementEnableIndividualServices(Provider serviceProvide
         return s_networkModel.canElementEnableIndividualServices(serviceProvider);
     }
 
+    public static boolean canElementEnableIndividualServicesByName(String providerName) {
+        return s_networkModel.canElementEnableIndividualServicesByName(providerName);
+    }
+
     public static Pair<Long, Boolean> getDomainNetworkDetails(long networkId) {
         NetworkDomainVO map = s_networkDomainDao.getDomainNetworkMapByNetworkId(networkId);
 
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index 11ac3d639e99..73ad886aab56 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -548,6 +548,8 @@ public class ApiResponseHelper implements ResponseGenerator, ResourceIdSupport {
     ResourceIconManager resourceIconManager;
     @Inject
     AsyncJobDao asyncJobDao;
+    @Inject
+    NetworkModel networkModel;
 
     public static String getPrettyDomainPath(String path) {
         if (path == null) {
@@ -3302,7 +3304,7 @@ public ProviderResponse createNetworkServiceProviderResponse(PhysicalNetworkServ
         }
         response.setServices(services);
 
-        Provider serviceProvider = Provider.getProvider(result.getProviderName());
+        Provider serviceProvider = networkModel.resolveProvider(result.getProviderName());
         boolean canEnableIndividualServices = ApiDBUtils.canElementEnableIndividualServices(serviceProvider);
         response.setCanEnableIndividualServices(canEnableIndividualServices);
 
diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
index 6da5dda967d0..60a01764d8ab 100644
--- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -7268,7 +7268,7 @@ public NetworkOffering createNetworkOffering(final NetworkOfferingBaseCmd cmd) {
                     }
                     for (final String prvNameStr : svcPrv.get(serviceStr)) {
                         // check if provider is supported
-                        final Network.Provider provider = Network.Provider.getProvider(prvNameStr);
+                        final Network.Provider provider = _networkModel.resolveProvider(prvNameStr);
                         if (provider == null) {
                             throw new InvalidParameterValueException("Invalid service provider: " + prvNameStr);
                         }
@@ -7954,7 +7954,7 @@ protected void validateNtwkOffDetails(final Map<Detail, String> details, final M
                 // 1) Vaidate the detail values - have to match the lb provider
                 // name
                 final String providerStr = details.get(detail);
-                if (Network.Provider.getProvider(providerStr) == null) {
+                if (_networkModel.resolveProvider(providerStr) == null) {
                     throw new InvalidParameterValueException("Invalid value " + providerStr + " for the detail " + detail);
                 }
                 if (serviceProviderMap.get(Service.Lb) != null) {
diff --git a/server/src/main/java/com/cloud/network/NetworkModelImpl.java b/server/src/main/java/com/cloud/network/NetworkModelImpl.java
index 07305c0e6418..35c11ec70020 100644
--- a/server/src/main/java/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkModelImpl.java
@@ -99,6 +99,8 @@
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.UserDataServiceProvider;
 import com.cloud.network.router.VirtualRouter;
+import org.apache.cloudstack.extension.ExtensionHelper;
+import org.apache.cloudstack.framework.extensions.network.NetworkExtensionElement;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.network.rules.dao.PortForwardingRulesDao;
@@ -234,6 +236,11 @@ public void setNetworkElements(List<NetworkElement> networkElements) {
     private NetworkService _networkService;
     @Inject
     TungstenGuestNetworkIpAddressDao tungstenGuestNetworkIpAddressDao;
+    @Inject
+    ExtensionHelper extensionHelper;
+    @Inject
+    private NetworkExtensionElement networkExtensionElement;
+
 
     private final HashMap<String, NetworkOfferingVO> _systemNetworks = new HashMap<String, NetworkOfferingVO>(5);
 
@@ -262,15 +269,39 @@ public NetworkModelImpl() {
     public NetworkElement getElementImplementingProvider(String providerName) {
         String elementName = s_providerToNetworkElementMap.get(providerName);
         NetworkElement element = AdapterBase.getAdapterByName(networkElements, elementName);
+        if (element == null && extensionHelper.isNetworkExtensionProvider(providerName)) {
+            // Provider is an extension-backed external network provider.
+            // Initialize a copy of NetworkExtensionElement
+            if (networkExtensionElement != null) {
+                element = networkExtensionElement.withProviderName(providerName);
+            }
+        }
         return element;
     }
 
+    /**
+     * Returns the effective network capabilities for an extension-backed external
+     * network provider on the given physical network.
+     *
+     * @param physicalNetworkId physical network ID (may be null for offering-level queries)
+     * @param providerName      provider / extension name
+     * @return per-provider capabilities, or empty map if not found
+     */
+    protected Map<Service, Map<Capability, String>> getExternalProviderCapabilities(
+            Long physicalNetworkId, String providerName) {
+        return extensionHelper.getNetworkCapabilitiesForProvider(physicalNetworkId, providerName);
+    }
+
     @Override
     public List<Service> getElementServices(Provider provider) {
         NetworkElement element = getElementImplementingProvider(provider.getName());
         if (element == null) {
             throw new InvalidParameterValueException("Unable to find the Network Element implementing the Service Provider '" + provider.getName() + "'");
         }
+        if (extensionHelper.isNetworkExtensionProvider(provider.getName())) {
+            Map<Service, Map<Capability, String>> caps = getExternalProviderCapabilities(null, provider.getName());
+            return new ArrayList<Service>(caps.keySet());
+        }
         return new ArrayList<Service>(element.getCapabilities().keySet());
     }
 
@@ -283,6 +314,24 @@ public boolean canElementEnableIndividualServices(Provider provider) {
         return element.canEnableIndividualServices();
     }
 
+    @Override
+    public boolean canElementEnableIndividualServicesByName(String providerName) {
+        if (providerName == null) {
+            return false;
+        }
+        // Try resolve to enum Provider first
+        Provider provider = resolveProvider(providerName);
+        if (provider != null) {
+            try {
+                return canElementEnableIndividualServices(provider);
+            } catch (Exception e) {
+                logger.debug("canElementEnableIndividualServices failed for provider {}: {}", providerName, e.getMessage());
+            }
+        }
+        // Unknown provider: be conservative and return false
+        return false;
+    }
+
     Set<Purpose> getPublicIpPurposeInRules(PublicIpAddress ip, boolean includeRevoked, boolean includingFirewall) {
         Set<Purpose> result = new HashSet<Purpose>();
         List<FirewallRuleVO> rules = null;
@@ -435,8 +484,11 @@ Map<Service, Set<Provider>> getServiceProvidersMap(long networkId) {
             if (providers == null) {
                 providers = new HashSet<Provider>();
             }
-            providers.add(Provider.getProvider(nsm.getProvider()));
-            map.put(Service.getService(nsm.getService()), providers);
+            Provider provider = resolveProvider(nsm.getProvider());
+            if (provider != null) {
+                providers.add(provider);
+                map.put(Service.getService(nsm.getService()), providers);
+            }
         }
         return map;
     }
@@ -481,16 +533,45 @@ Map<Provider, Set<Service>> getProviderServicesMap(long networkId) {
         Map<Provider, Set<Service>> map = new HashMap<Provider, Set<Service>>();
         List<NetworkServiceMapVO> nsms = _ntwkSrvcDao.getServicesInNetwork(networkId);
         for (NetworkServiceMapVO nsm : nsms) {
-            Set<Service> services = map.get(Provider.getProvider(nsm.getProvider()));
+            Provider provider = resolveProvider(nsm.getProvider());
+            if (provider == null) {
+                continue;
+            }
+            Set<Service> services = map.get(provider);
             if (services == null) {
                 services = new HashSet<Service>();
             }
             services.add(Service.getService(nsm.getService()));
-            map.put(Provider.getProvider(nsm.getProvider()), services);
+            map.put(provider, services);
         }
         return map;
     }
 
+    /**
+     * Resolves a provider name to a {@link Provider} instance.
+     *
+     * <p>For well-known providers, returns the static constant from
+     * {@link Provider#getProvider(String)}.  For dynamic NetworkOrchestrator
+     * extension providers (whose names are not in the static registry), returns
+     * a transient {@link Provider} with the given name so that the caller can
+     * still dispatch to the correct {@link NetworkExtensionElement} via
+     * {@link #getElementImplementingProvider(String)}.</p>
+     *
+     * @param providerName the provider name from {@code ntwk_service_map}
+     * @return a {@link Provider} instance, or {@code null} if not resolvable
+     */
+    @Override
+    public Provider resolveProvider(String providerName) {
+        Provider provider = Provider.getProvider(providerName);
+        if (provider == null && extensionHelper.isNetworkExtensionProvider(providerName)) {
+            // Dynamic extension-backed provider: create a transient Provider that preserves
+            // the actual extension name.  getElementImplementingProvider() handles this name
+            // by detecting it as an extension provider and returning NetworkExtensionElement.
+            provider = Provider.createTransientProvider(providerName);
+        }
+        return provider;
+    }
+
     @Override
     public Map<Provider, ArrayList<PublicIpAddress>> getProviderToIpList(Network network, Map<PublicIpAddress, Set<Service>> ipToServices) {
         NetworkOffering offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
@@ -694,11 +775,21 @@ public Map<Service, Map<Capability, String>> getNetworkCapabilities(long network
 
         // list all services of this networkOffering
         List<NetworkServiceMapVO> servicesMap = _ntwkSrvcDao.getServicesInNetwork(networkId);
+
+        // Resolve the physical network once for external provider lookups
+        NetworkVO network = _networksDao.findById(networkId);
+        Long physicalNetworkId = network != null ? network.getPhysicalNetworkId() : null;
+
         for (NetworkServiceMapVO instance : servicesMap) {
             Service service = Service.getService(instance.getService());
             NetworkElement element = getElementImplementingProvider(instance.getProvider());
             if (element != null) {
-                Map<Service, Map<Capability, String>> elementCapabilities = element.getCapabilities();
+                Map<Service, Map<Capability, String>> elementCapabilities;
+                if (extensionHelper.isNetworkExtensionProvider(instance.getProvider()) && physicalNetworkId != null) {
+                    elementCapabilities = getExternalProviderCapabilities(physicalNetworkId, instance.getProvider());
+                } else {
+                    elementCapabilities = element.getCapabilities();
+                }
                 if (elementCapabilities != null) {
                     networkCapabilities.put(service, elementCapabilities.get(service));
                 }
@@ -724,10 +815,15 @@ public Map<Capability, String> getNetworkServiceCapabilities(long networkId, Ser
 
         NetworkElement element = getElementImplementingProvider(provider);
         if (element != null) {
-            Map<Service, Map<Capability, String>> elementCapabilities = element.getCapabilities();
-            ;
+            Map<Service, Map<Capability, String>> elementCapabilities;
+            if (extensionHelper.isNetworkExtensionProvider(provider)) {
+                elementCapabilities = getExternalProviderCapabilities(null, provider);
+            } else {
+                elementCapabilities = element.getCapabilities();
+            }
 
             if (elementCapabilities == null || !elementCapabilities.containsKey(service)) {
+                // TBD: We should be sending providerId and not the offering object itself.
                 throw new UnsupportedServiceException("Service " + service.getName() + " is not supported by the element=" + element.getName() +
                     " implementing Provider=" + provider);
             }
@@ -758,12 +854,22 @@ public Map<Capability, String> getNetworkOfferingServiceCapabilities(NetworkOffe
         // we have to calculate capabilities for all of them
         String provider = providers.get(0);
 
+        // Check if this is an extension-backed external network provider first.
+        // These providers are not in the static s_providerToNetworkElementMap so
+        // we resolve their capabilities from the extension details directly.
+        if (extensionHelper.isNetworkExtensionProvider(provider)) {
+            Map<Service, Map<Capability, String>> extCaps = getExternalProviderCapabilities(null, provider);
+            if (extCaps != null && extCaps.containsKey(service)) {
+                return extCaps.get(service);
+            }
+            return serviceCapabilities;
+        }
+
         // FIXME we return the capabilities of the first provider of the service - what if we have multiple providers
         // for same Service?
         NetworkElement element = getElementImplementingProvider(provider);
         if (element != null) {
             Map<Service, Map<Capability, String>> elementCapabilities = element.getCapabilities();
-            ;
 
             if (elementCapabilities == null || !elementCapabilities.containsKey(service)) {
                 // TBD: We should be sending providerId and not the offering object itself.
@@ -979,7 +1085,6 @@ public  boolean isSharedNetworkWithoutServices (long networkId) {
         return false;
     }
 
-
     @Override
     public boolean areServicesSupportedByNetworkOffering(long networkOfferingId, Service... services) {
         return (_ntwkOfferingSrvcDao.areServicesSupportedByNetworkOffering(networkOfferingId, services));
@@ -1161,7 +1266,7 @@ public Map<Service, Set<Provider>> getNetworkOfferingServiceProvidersMap(long ne
             if (providers == null) {
                 providers = new HashSet<Provider>();
             }
-            providers.add(Provider.getProvider(instance.getProvider()));
+            providers.add(resolveProvider(instance.getProvider()));
             serviceProviderMap.put(Service.getService(service), providers);
         }
 
@@ -1201,9 +1306,76 @@ public List<? extends Provider> listSupportedNetworkServiceProviders(String serv
             }
         }
 
+        // Also include extension-backed NetworkExtension providers registered in
+        // physical_network_service_providers whose provider name matches a registered
+        // NetworkOrchestrator extension (detected via extensionHelper.isNetworkExtensionProvider).
+        //
+        // We use _pNSPDao.listBy(physNetId) to enumerate all NSP entries, then check
+        // each provider name against the extension registry.  This avoids a separate
+        // pass over all physical-network/extension combinations.
+        // resolveProvider() creates a transient Provider (not added to the static list)
+        // for extension names that are not in the built-in registry.
+        try {
+            List<PhysicalNetworkVO> physNets = _physicalNetworkDao.listAll();
+            if (physNets != null) {
+                // Use a set to avoid adding the same provider name twice (multiple phys-nets)
+                Set<String> addedExtProviders = new HashSet<>();
+                for (PhysicalNetworkVO physNet : physNets) {
+                    List<com.cloud.network.dao.PhysicalNetworkServiceProviderVO> nsps =
+                            _pNSPDao.listBy(physNet.getId());
+                    if (nsps == null) continue;
+                    for (PhysicalNetworkServiceProviderVO nsp : nsps) {
+                        String provName = nsp.getProviderName();
+                        if (provName == null || addedExtProviders.contains(provName)) continue;
+                        if (!extensionHelper.isNetworkExtensionProvider(provName)) continue;
+
+                        // Filter by service if requested: check the NSP's service flags
+                        if (service != null && !isServiceProvidedByNsp(nsp, service)) continue;
+
+                        // Resolve or create a transient Provider for the extension name.
+                        Provider extProvider = resolveProvider(provName);
+                        if (extProvider == null) continue;
+                        supportedProviders.add(extProvider);
+                        addedExtProviders.add(provName);
+                    }
+                }
+            }
+        } catch (Exception e) {
+            logger.debug("Failed to include extension-backed providers in listSupportedNetworkServiceProviders: {}", e.getMessage());
+        }
+
         return new ArrayList<Provider>(supportedProviders);
     }
 
+    /**
+     * Returns {@code true} if the given {@link com.cloud.network.dao.PhysicalNetworkServiceProviderVO}
+     * has its service flag set for {@code service}.
+     *
+     * <p>This is used by {@link #listSupportedNetworkServiceProviders} to filter extension-backed
+     * providers (looked up via {@link com.cloud.network.dao.PhysicalNetworkServiceProviderDao#listBy})
+     * without having to query each extension's capability JSON.</p>
+     */
+    private boolean isServiceProvidedByNsp(
+            PhysicalNetworkServiceProviderVO nsp, Service service) {
+        if (service == null) {
+            return true;
+        }
+        if (service == Service.Dhcp)          return nsp.isDhcpServiceProvided();
+        if (service == Service.Dns)           return nsp.isDnsServiceProvided();
+        if (service == Service.Firewall)      return nsp.isFirewallServiceProvided();
+        if (service == Service.Gateway)       return nsp.isGatewayServiceProvided();
+        if (service == Service.Lb)            return nsp.isLbServiceProvided();
+        if (service == Service.PortForwarding) return nsp.isPortForwardingServiceProvided();
+        if (service == Service.SecurityGroup) return nsp.isSecuritygroupServiceProvided();
+        if (service == Service.SourceNat)     return nsp.isSourcenatServiceProvided();
+        if (service == Service.StaticNat)     return nsp.isStaticnatServiceProvided();
+        if (service == Service.UserData)      return nsp.isUserdataServiceProvided();
+        if (service == Service.Vpn)           return nsp.isVpnServiceProvided();
+        if (service == Service.NetworkACL)    return nsp.isNetworkAclServiceProvided();
+        // Unknown service: fall back to true so extension-backed providers are not filtered out
+        return true;
+    }
+
     @Override
     public Provider getDefaultUniqueProviderForService(String serviceName) {
         List<? extends Provider> providers = listSupportedNetworkServiceProviders(serviceName);
@@ -1540,13 +1712,19 @@ public void canProviderSupportServices(Map<Provider, Set<Service>> providersMap)
                 throw new InvalidParameterValueException("Unable to find the Network Element implementing the Service Provider '" + provider.getName() + "'");
             }
 
+            // For external network providers, get per-provider capabilities
+            final boolean isExternal = extensionHelper.isNetworkExtensionProvider(provider.getName());
+            Map<Service, Map<Capability, String>> providerCaps = isExternal
+                    ? getExternalProviderCapabilities(null, provider.getName())
+                    : element.getCapabilities();
+
             Set<Service> enabledServices = new HashSet<Service>();
             enabledServices.addAll(providersMap.get(provider));
 
             if (enabledServices != null && !enabledServices.isEmpty()) {
-                if (!element.canEnableIndividualServices()) {
+                if (!element.canEnableIndividualServices() && !isExternal) {
                     Set<Service> requiredServices = new HashSet<Service>();
-                    requiredServices.addAll(element.getCapabilities().keySet());
+                    requiredServices.addAll(providerCaps.keySet());
 
                     if (requiredServices.contains(Network.Service.Gateway)) {
                         requiredServices.remove(Network.Service.Gateway);
@@ -1580,7 +1758,7 @@ public void canProviderSupportServices(Map<Provider, Set<Service>> providersMap)
                 List<String> serviceList = new ArrayList<String>();
                 for (Service service : enabledServices) {
                     // check if the service is provided by this Provider
-                    if (!element.getCapabilities().containsKey(service)) {
+                    if (!providerCaps.containsKey(service)) {
                         throw new UnsupportedServiceException(provider.getName() + " Provider cannot provide service " + service.getName());
                     }
                     serviceList.add(service.getName());
@@ -1655,18 +1833,32 @@ public boolean checkIpForService(IpAddress userIp, Service service, Long network
         return true;
     }
 
+
     @Override
     public boolean providerSupportsCapability(Set<Provider> providers, Service service, Capability cap) {
         for (Provider provider : providers) {
             NetworkElement element = getElementImplementingProvider(provider.getName());
             if (element != null) {
-                Map<Service, Map<Capability, String>> elementCapabilities = element.getCapabilities();
+                boolean isExtProvider = extensionHelper.isNetworkExtensionProvider(provider.getName());
+                Map<Service, Map<Capability, String>> elementCapabilities = isExtProvider
+                        ? getExternalProviderCapabilities(null, provider.getName())
+                        : element.getCapabilities();
                 if (elementCapabilities == null || !elementCapabilities.containsKey(service)) {
+                    if (isExtProvider) {
+                        // Extension provider with no declared capabilities for this service —
+                        // treat as "service supported but capability not constrained"
+                        return false;
+                    }
                     throw new UnsupportedServiceException("Service " + service.getName() + " is not supported by the element=" + element.getName() +
                             " implementing Provider=" + provider.getName());
                 }
                 Map<Capability, String> serviceCapabilities = elementCapabilities.get(service);
                 if (serviceCapabilities == null || serviceCapabilities.isEmpty()) {
+                    if (isExtProvider) {
+                        // Extension provider declared the service but without specific capability
+                        // constraints — treat as "capability not constrained, not explicitly supported"
+                        return false;
+                    }
                     throw new UnsupportedServiceException("Service " + service.getName() + " doesn't have capabilites for element=" + element.getName() +
                             " implementing Provider=" + provider.getName());
                 }
@@ -1686,19 +1878,36 @@ public void checkCapabilityForProvider(Set<Provider> providers, Service service,
         for (Provider provider : providers) {
             NetworkElement element = getElementImplementingProvider(provider.getName());
             if (element != null) {
-                Map<Service, Map<Capability, String>> elementCapabilities = element.getCapabilities();
+                boolean isExtProvider = extensionHelper.isNetworkExtensionProvider(provider.getName());
+                Map<Service, Map<Capability, String>> elementCapabilities = isExtProvider
+                        ? getExternalProviderCapabilities(null, provider.getName())
+                        : element.getCapabilities();
                 if (elementCapabilities == null || !elementCapabilities.containsKey(service)) {
+                    if (isExtProvider) {
+                        // Extension provider with no declared capabilities for this service —
+                        // treat as supported without constraints; skip the capability check.
+                        continue;
+                    }
                     throw new UnsupportedServiceException("Service " + service.getName() + " is not supported by the element=" + element.getName() +
                         " implementing Provider=" + provider.getName());
                 }
                 Map<Capability, String> serviceCapabilities = elementCapabilities.get(service);
                 if (serviceCapabilities == null || serviceCapabilities.isEmpty()) {
+                    if (isExtProvider) {
+                        // Extension provider declared the service without capability constraints —
+                        // accept any capability value (the extension handles it at runtime).
+                        continue;
+                    }
                     throw new UnsupportedServiceException("Service " + service.getName() + " doesn't have capabilities for element=" + element.getName() +
                         " implementing Provider=" + provider.getName());
                 }
 
                 String value = serviceCapabilities.get(cap);
                 if (value == null || value.isEmpty()) {
+                    if (isExtProvider) {
+                        // Capability not explicitly declared for this extension — accept it.
+                        continue;
+                    }
                     throw new UnsupportedServiceException("Service " + service.getName() + " doesn't have capability " + cap.getName() + " for element=" +
                         element.getName() + " implementing Provider=" + provider.getName());
                 }
@@ -1953,7 +2162,7 @@ public List<Provider> getNtwkOffDistinctProviders(long ntkwOffId) {
         List<String> providerNames = _ntwkOfferingSrvcDao.getDistinctProviders(ntkwOffId);
         List<Provider> providers = new ArrayList<Provider>();
         for (String providerName : providerNames) {
-            providers.add(Network.Provider.getProvider(providerName));
+            providers.add(resolveProvider(providerName));
         }
 
         return providers;
@@ -2255,7 +2464,7 @@ private List<Provider> getNetworkProviders(long networkId) {
         Map<String, Provider> providers = new HashMap<String, Provider>();
         for (String providerName : providerNames) {
             if (!providers.containsKey(providerName)) {
-                providers.put(providerName, Network.Provider.getProvider(providerName));
+                providers.put(providerName, resolveProvider(providerName));
             }
         }
 
diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index 24526e1aee0d..811b47cc90d1 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
@@ -68,6 +68,8 @@
 import org.apache.cloudstack.api.response.AcquirePodIpCmdResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.ExtensionResourceMap;
+import org.apache.cloudstack.framework.extensions.manager.ExtensionsManager;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -400,6 +402,8 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
     @Inject
     NetworkDetailsDao _networkDetailsDao;
     @Inject
+    ExtensionsManager extensionsManager;
+    @Inject
     LoadBalancerDao _loadBalancerDao;
     @Inject
     NetworkMigrationManager _networkMigrationManager;
@@ -3069,8 +3073,8 @@ public IpAddress getIp(String ipAddress) {
 
     protected boolean providersConfiguredForExternalNetworking(Collection<String> providers) {
         for (String providerStr : providers) {
-            Provider provider = Network.Provider.getProvider(providerStr);
-            if (provider.isExternal()) {
+            Provider provider = _networkModel.resolveProvider(providerStr);
+            if (provider != null && provider.isExternal()) {
                 return true;
             }
         }
@@ -4372,7 +4376,7 @@ public Pair<List<? extends PhysicalNetwork>, Integer> searchPhysicalNetworks(Lon
     @Override
     @DB
     @ActionEvent(eventType = EventTypes.EVENT_PHYSICAL_NETWORK_UPDATE, eventDescription = "updating physical network", async = true)
-    public PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<String> tags, String newVnetRange, String state) {
+    public PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<String> tags, String newVnetRange, String state, Map<String, String> externalDetails) {
 
         // verify input parameters
         PhysicalNetworkVO network = _physicalNetworkDao.findById(id);
@@ -4426,6 +4430,29 @@ public PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<
             addOrRemoveVnets(listOfRanges, network);
         }
         _physicalNetworkDao.update(id, network);
+
+        // If external details provided, and an extension is registered on this physical network,
+        // update the extension_resource_map_details accordingly.
+        try {
+            if (externalDetails != null && !externalDetails.isEmpty()) {
+                Pair<Boolean, ExtensionResourceMap> needDetailsUpdateMapPair =
+                        extensionsManager.extensionResourceMapDetailsNeedUpdate(id,
+                                ExtensionResourceMap.ResourceType.PhysicalNetwork, externalDetails);
+                if (Boolean.TRUE.equals(needDetailsUpdateMapPair.first())) {
+                    ExtensionResourceMap extensionResourceMap = needDetailsUpdateMapPair.second();
+                    if (extensionResourceMap == null) {
+                        throw new InvalidParameterValueException(
+                                String.format("Physical network: %s is not registered with any extension, details cannot be updated",
+                                        network.getId()));
+                    }
+                    extensionsManager.updateExtensionResourceMapDetails(extensionResourceMap.getId(), externalDetails);
+                }
+            }
+        } catch (Exception e) {
+            // Log warning but don't fail the update
+            logger.warn("Failed to update external details for physical network {}: {}", id, e.getMessage());
+        }
+
         return network;
 
     }
@@ -5098,7 +5125,7 @@ public List<? extends Service> listNetworkServices(String providerName) {
 
         Provider provider = null;
         if (providerName != null) {
-            provider = Network.Provider.getProvider(providerName);
+            provider = _networkModel.resolveProvider(providerName);
             if (provider == null) {
                 throw new InvalidParameterValueException("Invalid Network Service Provider=" + providerName);
             }
@@ -5135,7 +5162,7 @@ public PhysicalNetworkServiceProvider addProviderToPhysicalNetwork(Long physical
         }
 
         if (providerName != null) {
-            Provider provider = Network.Provider.getProvider(providerName);
+            Provider provider = _networkModel.resolveProvider(providerName);
             if (provider == null) {
                 throw new InvalidParameterValueException("Invalid Network Service Provider=" + providerName);
             }
diff --git a/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java
index 805ac4aed86c..752db6d32390 100644
--- a/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -1468,7 +1468,7 @@ public Counter createCounter(CreateCounterCmd cmd) {
         }
 
         // Validate Provider
-        Network.Provider provider = Network.Provider.getProvider(cmd.getProvider());
+        Network.Provider provider = networkModel.resolveProvider(cmd.getProvider());
         if (provider == null) {
             throw new InvalidParameterValueException("The Provider " + cmd.getProvider() + " does not exist; Unable to create Counter");
         }
@@ -1537,7 +1537,7 @@ public List<? extends Counter> listCounters(ListCountersCmd cmd) {
         }
         String providerStr = cmd.getProvider();
         if (providerStr != null) {
-            Network.Provider provider = Network.Provider.getProvider(providerStr);
+            Network.Provider provider = networkModel.resolveProvider(providerStr);
             if (provider == null) {
                 throw new InvalidParameterValueException("The Provider " + providerStr + " does not exist; Unable to list Counter");
             }
diff --git a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
index 779d26d51f1c..e996bfab273a 100644
--- a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -69,9 +69,11 @@
 import com.cloud.network.dao.IPAddressDao;
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.element.FirewallServiceProvider;
 import com.cloud.network.element.NetworkACLServiceProvider;
+import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.PortForwardingServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.rules.FirewallManager;
@@ -150,6 +152,9 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     EntityManager entityManager;
     @Inject
     NsxProviderDao nsxProviderDao;
+    @Inject
+    NetworkServiceMapDao networkServiceMapDao;
+
     List<FirewallServiceProvider> _firewallElements;
 
     List<PortForwardingServiceProvider> _pfElements;
@@ -617,12 +622,25 @@ public void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer
             String supportedProtocols;
             String supportedTrafficTypes = null;
             if (purpose == FirewallRule.Purpose.Firewall) {
-                supportedTrafficTypes = caps.get(Capability.SupportedTrafficDirection).toLowerCase();
+                String supportedTrafficTypesStr = caps.get(Capability.SupportedTrafficDirection);
+                if (supportedTrafficTypesStr == null) {
+                    throw new CloudRuntimeException("Supported traffic direction capability is not defined for Firewall service");
+                }
+                supportedTrafficTypes = supportedTrafficTypesStr.toLowerCase();
             }
 
             if (purpose == FirewallRule.Purpose.Firewall && trafficType == FirewallRule.TrafficType.Egress) {
+                // throw an exception if cap is not found
+                String supportedProtocolsStr = caps.get(Capability.SupportedEgressProtocols);
+                if (supportedProtocolsStr == null) {
+                    throw new CloudRuntimeException("Supported egress protocols capability is not defined for Firewall service");
+                }
                 supportedProtocols = caps.get(Capability.SupportedEgressProtocols).toLowerCase();
             } else {
+                String supportedProtocolsStr = caps.get(Capability.SupportedProtocols);
+                if (supportedProtocolsStr == null) {
+                    throw new CloudRuntimeException("Supported protocols capability is not defined for " + purpose + " service");
+                }
                 supportedProtocols = caps.get(Capability.SupportedProtocols).toLowerCase();
             }
 
@@ -700,18 +718,34 @@ public boolean applyRules(Network network, Purpose purpose, List<? extends Firew
                 if (handled)
                     break;
             }
+            if (!handled) {
+                // Get provider name and get the element by provider name (it could be an external provider)
+                String fwProviderName = networkServiceMapDao.getProviderForServiceInNetwork(network.getId(), Service.Firewall);
+                if (fwProviderName != null) {
+                    NetworkElement element = _networkModel.getElementImplementingProvider(fwProviderName);
+                    handled = ((FirewallServiceProvider) element).applyFWRules(network, rules);
+                }
+            }
             break;
         case PortForwarding:
-                for (PortForwardingServiceProvider element : _pfElements) {
+            for (PortForwardingServiceProvider element : _pfElements) {
                 Network.Provider provider = element.getProvider();
                 boolean  isPfProvider = _networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.PortForwarding, provider);
                 if (!isPfProvider) {
                     continue;
                 }
-                    handled = element.applyPFRules(network, (List<PortForwardingRule>)rules);
+                handled = element.applyPFRules(network, (List<PortForwardingRule>)rules);
                 if (handled)
                     break;
             }
+            if (!handled) {
+                // Get provider name and get the element by provider name (it could be an external provider)
+                String pfProviderName = networkServiceMapDao.getProviderForServiceInNetwork(network.getId(), Service.PortForwarding);
+                if (pfProviderName != null) {
+                    NetworkElement element = _networkModel.getElementImplementingProvider(pfProviderName);
+                    handled = ((PortForwardingServiceProvider) element).applyPFRules(network, (List<PortForwardingRule>) rules);
+                }
+            }
             break;
             /*        case NetworkACL:
             for (NetworkACLServiceProvider element: _networkAclElements) {
@@ -726,7 +760,7 @@ public boolean applyRules(Network network, Purpose purpose, List<? extends Firew
             }
             break;*/
         default:
-                assert (false) : "Unexpected fall through in applying rules to the network elements";
+            assert (false) : "Unexpected fall through in applying rules to the network elements";
             logger.error("FirewallManager cannot process rules of type " + purpose);
             throw new CloudRuntimeException("FirewallManager cannot process rules of type " + purpose);
         }
diff --git a/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 5f00261f3290..eba71c576400 100644
--- a/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -119,6 +119,7 @@
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.SslCertVO;
 import com.cloud.network.element.LoadBalancingServiceProvider;
+import com.cloud.network.element.NetworkElement;
 import com.cloud.network.lb.LoadBalancingRule.LbAutoScalePolicy;
 import com.cloud.network.lb.LoadBalancingRule.LbAutoScaleVmGroup;
 import com.cloud.network.lb.LoadBalancingRule.LbAutoScaleVmProfile;
@@ -2049,6 +2050,14 @@ protected boolean applyLbRules(Network network, List<LoadBalancingRule> rules) t
             if (handled)
                 break;
         }
+        if (!handled) {
+            // Get provider name and get the element by provider name (it could be an external provider)
+            String lbProviderName = _ntwkSrvcDao.getProviderForServiceInNetwork(network.getId(), Service.Lb);
+            if (lbProviderName != null) {
+                NetworkElement element = _networkModel.getElementImplementingProvider(lbProviderName);
+                handled = ((LoadBalancingServiceProvider) element).applyLBRules(network, rules);
+            }
+        }
         return handled;
     }
 
diff --git a/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
index b6dfdbac0be2..6b499bbd1fe4 100644
--- a/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
@@ -33,8 +33,10 @@
 import com.cloud.network.Network.Service;
 import com.cloud.network.NetworkModel;
 import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.element.NetworkACLServiceProvider;
+import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.VpcProvider;
 import com.cloud.network.vpc.NetworkACLItem.State;
 import com.cloud.network.vpc.dao.NetworkACLDao;
@@ -75,6 +77,8 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
     private MessageBus _messageBus;
     @Inject
     private ResourceTagDao resourceTagDao;
+    @Inject
+    NetworkServiceMapDao networkServiceMapDao;
 
     private List<NetworkACLServiceProvider> _networkAclElements;
 
@@ -442,12 +446,23 @@ public boolean applyACLItemsToNetwork(final long networkId, final List<NetworkAC
             logger.debug("Applying NetworkACL for network: {} with Network ACL service provider", network);
             handled = element.applyNetworkACLs(network, rules);
             if (handled) {
-                // publish message on message bus, so that network elements implementing distributed routing
-                // capability can act on the event
-                _messageBus.publish(_name, "Network_ACL_Replaced", PublishScope.LOCAL, network);
                 break;
             }
         }
+        if (!foundProvider) {
+            // Get provider name and get the element by provider name (it could be an external provider)
+            String aclProviderName = networkServiceMapDao.getProviderForServiceInNetwork(network.getId(), Service.NetworkACL);
+            if (aclProviderName != null) {
+                foundProvider = true;
+                NetworkElement element = _networkModel.getElementImplementingProvider(aclProviderName);
+                handled = ((NetworkACLServiceProvider) element).applyNetworkACLs(network, rules);
+            }
+        }
+        if (handled) {
+            // publish message on message bus, so that network elements implementing distributed routing
+            // capability can act on the event
+            _messageBus.publish(_name, "Network_ACL_Replaced", PublishScope.LOCAL, network);
+        }
         if (!foundProvider) {
             logger.debug("Unable to find NetworkACL service provider for network: {}", network);
         }
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 1203404c4940..3ba560d2a88f 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -64,6 +64,8 @@
 import org.apache.cloudstack.api.command.user.vpc.UpdateVPCCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.extension.ExtensionHelper;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -329,6 +331,8 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     Site2SiteVpnConnectionDao site2SiteVpnConnectionDao;
     @Inject
     Site2SiteCustomerGatewayDao site2SiteCustomerGatewayDao;
+    @Inject
+    ExtensionHelper extensionHelper;
 
     private final ScheduledExecutorService _executor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("VpcChecker"));
     private List<VpcProvider> vpcElements = null;
@@ -701,7 +705,7 @@ public VpcOffering createVpcOffering(final String name, final String displayText
                     final Set<Provider> providers = new HashSet<Provider>();
                     for (final String prvNameStr : serviceEntry.getValue()) {
                         // check if provider is supported
-                        final Network.Provider provider = Network.Provider.getProvider(prvNameStr);
+                        final Network.Provider provider = _ntwkModel.resolveProvider(prvNameStr);
                         if (provider == null) {
                             throw new InvalidParameterValueException("Invalid service provider: " + prvNameStr);
                         }
@@ -1248,12 +1252,18 @@ public Map<Service, Set<Provider>> getVpcOffSvcProvidersMap(final long vpcOffId)
 
         for (final VpcOfferingServiceMapVO instance : map) {
             final Service service = Service.getService(instance.getService());
+            if (service == null) {
+                continue;
+            }
             Set<Provider> providers;
             providers = serviceProviderMap.get(service);
             if (providers == null) {
                 providers = new HashSet<Provider>();
             }
-            providers.add(Provider.getProvider(instance.getProvider()));
+            final Provider provider = _ntwkModel.resolveProvider(instance.getProvider());
+            if (provider != null) {
+                providers.add(provider);
+            }
             serviceProviderMap.put(service, providers);
         }
 
@@ -1844,6 +1854,8 @@ private Map<String, List<String>> finalizeServicesAndProvidersForVpc(final long
             if (provider == null) {
                 // Default to VPCVirtualRouter
                 provider = Provider.VPCVirtualRouter.getName();
+            } else {
+                provider = _ntwkModel.resolveProvider(provider).getName();
             }
 
             if (!_ntwkModel.isProviderEnabledInZone(zoneId, provider)) {
@@ -2027,9 +2039,12 @@ private boolean checkAndUpdateRouterSourceNatIp(Vpc vpc, String sourceNatIp) {
         if (! userIps.isEmpty()) {
             try {
                 _ipAddrMgr.updateSourceNatIpAddress(requestedIp, userIps);
-                if (isVpcForProvider(Provider.Nsx, vpc) || isVpcForProvider(Provider.Netris, vpc)) {
+                if (isVpcForProvider(Provider.Nsx, vpc) || isVpcForProvider(Provider.Netris, vpc)
+                        || isVpcForProvider(Provider.NetworkExtension, vpc)) {
                     boolean isForNsx = _vpcOffSvcMapDao.isProviderForVpcOffering(Provider.Nsx, vpc.getVpcOfferingId());
-                    String providerName = isForNsx ? Provider.Nsx.getName() : Provider.Netris.getName();
+                    boolean isForNetris = _vpcOffSvcMapDao.isProviderForVpcOffering(Provider.Netris, vpc.getVpcOfferingId());
+                    String providerName = isForNsx ? Provider.Nsx.getName()
+                            : (isForNetris ? Provider.Netris.getName() : Provider.NetworkExtension.getName());
                     VpcProvider providerElement = (VpcProvider) _ntwkModel.getElementImplementingProvider(providerName);
                     if (Objects.nonNull(providerElement)) {
                         providerElement.updateVpcSourceNatIp(vpc, requestedIp);
@@ -2503,7 +2518,8 @@ public void validateNtwkOffForVpc(final NetworkOffering guestNtwkOff, final List
         // 1) in current release, only vpc provider is supported by Vpc offering
         final List<Provider> providers = _ntwkModel.getNtwkOffDistinctProviders(guestNtwkOff.getId());
         for (final Provider provider : providers) {
-            if (!supportedProviders.contains(provider)) {
+            if (!supportedProviders.contains(provider)
+                    && !extensionHelper.isNetworkExtensionProvider(provider.getName())) {
                 throw new InvalidParameterValueException("Provider of type " + provider.getName() + " is not supported for network offerings that can be used in VPC");
             }
         }
@@ -2610,17 +2626,32 @@ private void CheckAccountsAccess(Vpc vpc, Account networkAccount) {
     }
 
     public List<VpcProvider> getVpcElements() {
+        // Static providers (VPCVirtualRouter, JuniperContrailVpcRouter) are initialized once.
         if (vpcElements == null) {
             vpcElements = new ArrayList<VpcProvider>();
-            vpcElements.add((VpcProvider) _ntwkModel.getElementImplementingProvider(Provider.VPCVirtualRouter.getName()));
-            vpcElements.add((VpcProvider) _ntwkModel.getElementImplementingProvider(Provider.JuniperContrailVpcRouter.getName()));
+            final NetworkElement vpcVirtualRouter = _ntwkModel.getElementImplementingProvider(Provider.VPCVirtualRouter.getName());
+            if (vpcVirtualRouter instanceof VpcProvider) {
+                vpcElements.add((VpcProvider) vpcVirtualRouter);
+            }
+
+            final NetworkElement contrailVpcRouter = _ntwkModel.getElementImplementingProvider(Provider.JuniperContrailVpcRouter.getName());
+            if (contrailVpcRouter instanceof VpcProvider) {
+                vpcElements.add((VpcProvider) contrailVpcRouter);
+            }
         }
 
-        if (vpcElements == null) {
-            throw new CloudRuntimeException("Failed to initialize vpc elements");
+        // Extension-backed providers are re-fetched every call so that dynamically
+        // registered extensions are picked up without requiring a server restart.
+        final List<VpcProvider> result = new ArrayList<>(vpcElements);
+        for (final Extension extension : extensionHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator)) {
+            final String providerName = extension.getName();
+            final NetworkElement element = _ntwkModel.getElementImplementingProvider(providerName);
+            if (element instanceof VpcProvider) {
+                result.add((VpcProvider) element);
+            }
         }
 
-        return vpcElements;
+        return result;
     }
 
     @Override
@@ -3929,7 +3960,7 @@ private List<Provider> getVpcProviders(final long vpcId) {
         final Map<String, Provider> providers = new HashMap<String, Provider>();
         for (final String providerName : providerNames) {
             if (!providers.containsKey(providerName)) {
-                providers.put(providerName, Network.Provider.getProvider(providerName));
+                providers.put(providerName, _ntwkModel.resolveProvider(providerName));
             }
         }
 
diff --git a/server/src/test/java/com/cloud/network/MockNetworkModelImpl.java b/server/src/test/java/com/cloud/network/MockNetworkModelImpl.java
index b5e081e043be..3f2f3b6e955e 100644
--- a/server/src/test/java/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/src/test/java/com/cloud/network/MockNetworkModelImpl.java
@@ -400,6 +400,16 @@ public boolean canElementEnableIndividualServices(Provider provider) {
         return false;
     }
 
+    @Override
+    public boolean canElementEnableIndividualServicesByName(String providerName) {
+        return false;
+    }
+
+    @Override
+    public Provider resolveProvider(String providerName) {
+        return Provider.getProvider(providerName);
+    }
+
     /* (non-Javadoc)
      * @see com.cloud.network.NetworkModel#areServicesSupportedInNetwork(long, com.cloud.network.Network.Service[])
      */
diff --git a/server/src/test/java/com/cloud/network/NetworkModelImplTest.java b/server/src/test/java/com/cloud/network/NetworkModelImplTest.java
index b6f2ff65b9fa..4a027b2ae2d8 100644
--- a/server/src/test/java/com/cloud/network/NetworkModelImplTest.java
+++ b/server/src/test/java/com/cloud/network/NetworkModelImplTest.java
@@ -18,6 +18,9 @@
 
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
@@ -54,6 +57,9 @@
 import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.dao.NetworkServiceMapVO;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
+import com.cloud.network.dao.PhysicalNetworkServiceProviderVO;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.VpcVirtualRouterElement;
 import com.cloud.network.vpc.VpcVO;
@@ -66,6 +72,8 @@
 import com.cloud.vm.Nic;
 import com.cloud.vm.NicProfile;
 import com.cloud.vm.VirtualMachine;
+import org.apache.cloudstack.extension.ExtensionHelper;
+import org.apache.cloudstack.framework.extensions.network.NetworkExtensionElement;
 
 @RunWith(MockitoJUnitRunner.class)
 public class NetworkModelImplTest {
@@ -80,6 +88,17 @@ public class NetworkModelImplTest {
     private NetworkDao _networksDao;
     @Inject
     private NetworkOfferingServiceMapDao networkOfferingServiceMapDao;
+    @Mock
+    private ExtensionHelper extensionHelper;
+
+    @Mock
+    private NetworkExtensionElement networkExtensionElement;
+
+    @Mock
+    private PhysicalNetworkDao physicalNetworkDao;
+
+    @Mock
+    private PhysicalNetworkServiceProviderDao physicalNetworkServiceProviderDao;
 
     @Spy
     @InjectMocks
@@ -96,6 +115,11 @@ public void setUp() {
         networkModel._networkOfferingDao = networkOfferingDao;
         networkModel._ntwkSrvcDao = networkServiceMapDao;
         networkModel._ntwkOfferingSrvcDao = networkOfferingServiceMapDao;
+        ReflectionTestUtils.setField(networkModel, "extensionHelper", extensionHelper);
+        ReflectionTestUtils.setField(networkModel, "networkExtensionElement", networkExtensionElement);
+        ReflectionTestUtils.setField(networkModel, "_physicalNetworkDao", physicalNetworkDao);
+        ReflectionTestUtils.setField(networkModel, "_pNSPDao", physicalNetworkServiceProviderDao);
+        Mockito.lenient().when(extensionHelper.isNetworkExtensionProvider(Mockito.anyString())).thenReturn(false);
     }
 
     private void prepareMocks(boolean isIp6, Network network, DataCenter zone, VpcVO vpc,
@@ -242,8 +266,8 @@ public void testGetProviderToIpList() {
         networkOfferingVO.setForVpc(true);
         Network network = new NetworkVO();
         List<NetworkServiceMapVO> networkServiceMapVOs = new ArrayList<>();
-        networkServiceMapVOs.add(new NetworkServiceMapVO(15L, Network.Service.Firewall, Network.Provider.VPCVirtualRouter));
-        networkServiceMapVOs.add(new NetworkServiceMapVO(15L, Network.Service.SourceNat, Network.Provider.VPCVirtualRouter));
+        networkServiceMapVOs.add(new NetworkServiceMapVO(15L, Network.Service.Firewall.getName(), Network.Provider.VPCVirtualRouter.getName()));
+        networkServiceMapVOs.add(new NetworkServiceMapVO(15L, Network.Service.SourceNat.getName(), Network.Provider.VPCVirtualRouter.getName()));
         NetworkElement element = new VpcVirtualRouterElement();
 
         ReflectionTestUtils.setField(networkModel, "networkElements", List.of(element));
@@ -273,4 +297,116 @@ public void getNicProfile_validInputs_returnsNicProfile() {
 
         assertNotNull(result);
     }
+
+    // -----------------------------------------------------------------------
+    // Tests for getElementImplementingProvider with extension provider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getElementImplementingProviderReturnsExtensionElementForExtensionProvider() {
+        String providerName = "my-ext-provider";
+        // Provider is not in the static map, so element would be null
+        ReflectionTestUtils.setField(networkModel, "networkElements", new ArrayList<>());
+        when(extensionHelper.isNetworkExtensionProvider(providerName)).thenReturn(true);
+        NetworkExtensionElement mockElement = mock(NetworkExtensionElement.class);
+        when(networkExtensionElement.withProviderName(providerName)).thenReturn(mockElement);
+
+        NetworkElement result = networkModel.getElementImplementingProvider(providerName);
+        // When the element is a NetworkExtensionElement (which is a NetworkElement), result should not be null
+        assertNotNull(result);
+    }
+
+    @Test
+    public void getElementImplementingProviderReturnsNullForUnknownNonExtensionProvider() {
+        String providerName = "unknown-provider";
+        ReflectionTestUtils.setField(networkModel, "networkElements", new ArrayList<>());
+        when(extensionHelper.isNetworkExtensionProvider(providerName)).thenReturn(false);
+
+        NetworkElement result = networkModel.getElementImplementingProvider(providerName);
+        assertNull(result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for resolveProvider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void resolveProviderReturnsKnownProvider() {
+        Network.Provider result = networkModel.resolveProvider(Network.Provider.VirtualRouter.getName());
+        assertNotNull(result);
+        assertEquals(Network.Provider.VirtualRouter, result);
+    }
+
+    @Test
+    public void resolveProviderReturnsTransientProviderForExtensionProvider() {
+        String extensionName = "my-ext-network-provider";
+        when(extensionHelper.isNetworkExtensionProvider(extensionName)).thenReturn(true);
+
+        Network.Provider result = networkModel.resolveProvider(extensionName);
+        assertNotNull(result);
+        assertEquals(extensionName, result.getName());
+    }
+
+    @Test
+    public void resolveProviderReturnsNullForUnknownNonExtensionProvider() {
+        String providerName = "totally-unknown";
+        when(extensionHelper.isNetworkExtensionProvider(providerName)).thenReturn(false);
+
+        Network.Provider result = networkModel.resolveProvider(providerName);
+        assertNull(result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for canElementEnableIndividualServicesByName
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void canElementEnableIndividualServicesByNameReturnsFalseForNullProvider() {
+        assertFalse(networkModel.canElementEnableIndividualServicesByName(null));
+    }
+
+    @Test
+    public void canElementEnableIndividualServicesByNameReturnsFalseForUnknownProvider() {
+        when(extensionHelper.isNetworkExtensionProvider("unknown")).thenReturn(false);
+        assertFalse(networkModel.canElementEnableIndividualServicesByName("unknown"));
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for getExternalProviderCapabilities
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getExternalProviderCapabilitiesCallsExtensionHelper() {
+        Map<Network.Service, Map<Network.Capability, String>> caps = new HashMap<>();
+        when(extensionHelper.getNetworkCapabilitiesForProvider(10L, "my-ext")).thenReturn(caps);
+
+        Map<Network.Service, Map<Network.Capability, String>> result =
+                networkModel.getExternalProviderCapabilities(10L, "my-ext");
+        assertEquals(caps, result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for isServiceProvidedByNsp (via listSupportedNetworkServiceProviders)
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void listSupportedNetworkServiceProvidersIncludesExtensionBackedProviders() {
+        com.cloud.network.dao.PhysicalNetworkVO physNet = mock(com.cloud.network.dao.PhysicalNetworkVO.class);
+        when(physNet.getId()).thenReturn(1L);
+        when(physicalNetworkDao.listAll()).thenReturn(List.of(physNet));
+
+        PhysicalNetworkServiceProviderVO nsp = mock(PhysicalNetworkServiceProviderVO.class);
+        when(nsp.getProviderName()).thenReturn("my-ext");
+        when(physicalNetworkServiceProviderDao.listBy(1L)).thenReturn(List.of(nsp));
+        when(extensionHelper.isNetworkExtensionProvider("my-ext")).thenReturn(true);
+
+        // networkElements is empty so no standard providers found
+        ReflectionTestUtils.setField(networkModel, "networkElements", new ArrayList<>());
+
+        // We call with null service to test the inclusion path (parameter is service name String)
+        List<? extends Network.Provider> result = networkModel.listSupportedNetworkServiceProviders(null);
+
+        boolean found = result.stream().anyMatch(p -> "my-ext".equalsIgnoreCase(p.getName()));
+        assertTrue("Extension-backed provider should be included", found);
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java b/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java
index 51b2dad3decd..15cdb8f1a518 100644
--- a/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java
+++ b/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java
@@ -47,7 +47,9 @@
 import org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.ExtensionResourceMap;
 import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.extensions.manager.ExtensionsManager;
 import org.apache.cloudstack.network.RoutedIpv4Manager;
 import org.junit.After;
 import org.junit.Assert;
@@ -238,6 +240,9 @@ public class NetworkServiceImplTest {
     @Mock
     private NsxProviderDao nsxProviderDao;
 
+    @Mock
+    ExtensionsManager extensionsManager;
+
     private static Date beforeDate;
 
     private static Date afterDate;
@@ -322,6 +327,7 @@ public void setup() throws Exception {
         service.networkHelper = networkHelper;
         service._ipAddrMgr = ipAddressManagerMock;
         service.nsxProviderDao = nsxProviderDao;
+        ReflectionTestUtils.setField(service, "extensionsManager", extensionsManager);
         callContextMocked = Mockito.mockStatic(CallContext.class);
         CallContext callContextMock = Mockito.mock(CallContext.class);
         callContextMocked.when(CallContext::current).thenReturn(callContextMock);
@@ -1330,4 +1336,67 @@ public void addProjectNetworksConditionToSearch_includesSpecificProjectWhenProje
         Mockito.verify(accountJoin).addAnd("type", SearchCriteria.Op.EQ, Account.Type.PROJECT);
         Mockito.verify(sc).addAnd("id", SearchCriteria.Op.SC, accountJoin);
     }
+
+    // -----------------------------------------------------------------------
+    // Tests for updatePhysicalNetwork extension external details handling
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void updatePhysicalNetworkUpdatesExtensionResourceMapDetailsWhenDetailsProvided() {
+        Long physNetId = 100L;
+        PhysicalNetworkVO physNet = Mockito.mock(PhysicalNetworkVO.class);
+        Mockito.when(physicalNetworkDao.findById(physNetId)).thenReturn(physNet);
+        Mockito.when(physicalNetworkDao.update(Mockito.anyLong(), any())).thenReturn(true);
+
+        Map<String, String> externalDetails = Map.of("host", "10.0.0.1", "port", "443");
+
+        ExtensionResourceMap resourceMap = Mockito.mock(ExtensionResourceMap.class);
+        Mockito.when(resourceMap.getId()).thenReturn(50L);
+        Pair<Boolean, ExtensionResourceMap> pair =
+                new Pair<>(true, resourceMap);
+        Mockito.when(extensionsManager.extensionResourceMapDetailsNeedUpdate(physNetId,
+                ExtensionResourceMap.ResourceType.PhysicalNetwork, externalDetails))
+                .thenReturn(pair);
+
+        service.updatePhysicalNetwork(physNetId, null, null, null, null, externalDetails);
+
+        Mockito.verify(extensionsManager).updateExtensionResourceMapDetails(50L, externalDetails);
+    }
+
+    @Test
+    public void updatePhysicalNetworkDoesNotUpdateExtensionWhenNoDetailsChange() {
+        Long physNetId = 101L;
+        PhysicalNetworkVO physNet = Mockito.mock(PhysicalNetworkVO.class);
+        Mockito.when(physicalNetworkDao.findById(physNetId)).thenReturn(physNet);
+        Mockito.when(physicalNetworkDao.update(Mockito.anyLong(), any())).thenReturn(true);
+
+        Map<String, String> externalDetails = Map.of("host", "10.0.0.2");
+
+        Pair<Boolean, ExtensionResourceMap> pair =
+                new Pair<>(false, null);
+        Mockito.when(extensionsManager.extensionResourceMapDetailsNeedUpdate(physNetId,
+                ExtensionResourceMap.ResourceType.PhysicalNetwork, externalDetails))
+                .thenReturn(pair);
+
+        service.updatePhysicalNetwork(physNetId, null, null, null, null, externalDetails);
+
+        Mockito.verify(extensionsManager, Mockito.never()).updateExtensionResourceMapDetails(Mockito.anyLong(), any());
+    }
+
+    @Test
+    public void updatePhysicalNetworkLogsWarningWhenExtensionUpdateFailsButDoesNotThrow() {
+        Long physNetId = 102L;
+        PhysicalNetworkVO physNet = Mockito.mock(PhysicalNetworkVO.class);
+        Mockito.when(physicalNetworkDao.findById(physNetId)).thenReturn(physNet);
+        Mockito.when(physicalNetworkDao.update(Mockito.anyLong(), any())).thenReturn(true);
+
+        Map<String, String> externalDetails = Map.of("host", "10.0.0.3");
+
+        Mockito.when(extensionsManager.extensionResourceMapDetailsNeedUpdate(physNetId,
+                ExtensionResourceMap.ResourceType.PhysicalNetwork, externalDetails))
+                .thenThrow(new RuntimeException("Test exception"));
+
+        // Should not throw
+        service.updatePhysicalNetwork(physNetId, null, null, null, null, externalDetails);
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/UpdatePhysicalNetworkTest.java b/server/src/test/java/com/cloud/network/UpdatePhysicalNetworkTest.java
index ae70d137b0da..4ecae8052018 100644
--- a/server/src/test/java/com/cloud/network/UpdatePhysicalNetworkTest.java
+++ b/server/src/test/java/com/cloud/network/UpdatePhysicalNetworkTest.java
@@ -61,7 +61,7 @@ public void updatePhysicalNetworkTest() {
         when(_datacenterDao.findById(anyLong())).thenReturn(datacentervo);
         when(_physicalNetworkDao.update(anyLong(), any(physicalNetworkVO.getClass()))).thenReturn(true);
         when(_datacenterVnetDao.listVnetsByPhysicalNetworkAndDataCenter(anyLong(), anyLong())).thenReturn(existingRange);
-        networkService.updatePhysicalNetwork(1l, null, null, "524-524,525-530", null);
+        networkService.updatePhysicalNetwork(1l, null, null, "524-524,525-530", null, null);
         txn.close("updatePhysicalNetworkTest");
         verify(physicalNetworkVO).setVnet(argumentCaptor.capture());
         assertEquals("524-530", argumentCaptor.getValue());
diff --git a/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java b/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java
index 215a0e784bc6..ebdbbc85171d 100644
--- a/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java
+++ b/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java
@@ -423,6 +423,8 @@ public void setUp() {
         when(conditionDao.findById(any())).thenReturn(conditionMock);
         when(conditionDao.persist(any(ConditionVO.class))).thenReturn(conditionMock);
 
+        when(networkModel.resolveProvider(counterProvider)).thenReturn(Network.Provider.VirtualRouter);
+
         when(accountManager.finalizeOwner(nullable(Account.class), nullable(String.class), nullable(Long.class), nullable(Long.class))).thenReturn(account);
         Mockito.doNothing().when(accountManager).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any());
 
diff --git a/server/src/test/java/com/cloud/network/element/ConfigDriveNetworkElementTest.java b/server/src/test/java/com/cloud/network/element/ConfigDriveNetworkElementTest.java
index 0aab5afce4a5..336f9990c12b 100644
--- a/server/src/test/java/com/cloud/network/element/ConfigDriveNetworkElementTest.java
+++ b/server/src/test/java/com/cloud/network/element/ConfigDriveNetworkElementTest.java
@@ -62,6 +62,8 @@
 import com.google.common.collect.Maps;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.ExtensionHelper;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
 import org.apache.cloudstack.engine.subsystem.api.storage.EndPoint;
@@ -151,6 +153,7 @@ public class ConfigDriveNetworkElementTest {
     @Mock private CallContext callContextMock;
     @Mock private DomainVO domainVO;
     @Mock private NetworkOrchestrationService _networkOrchestrationService;
+    @Mock private ExtensionHelper extensionHelper;
 
     @Spy @InjectMocks
     private ConfigDriveNetworkElement _configDrivesNetworkElement = new ConfigDriveNetworkElement();
@@ -202,6 +205,8 @@ public void setUp() throws NoSuchFieldException, IllegalAccessException {
         doReturn(_configDrivesNetworkElement.getProvider().getName()).when(_ntwkSrvcDao).getProviderForServiceInNetwork(NETWORK_ID, Network.Service.UserData);
 
         _networkModel.setNetworkElements(Arrays.asList(_configDrivesNetworkElement));
+        ReflectionTestUtils.setField(_networkModel, "extensionHelper", extensionHelper);
+        Mockito.lenient().when(extensionHelper.isNetworkExtensionProvider(Mockito.anyString())).thenReturn(false);
         _networkModel.start();
 
     }
diff --git a/server/src/test/java/com/cloud/network/firewall/FirewallManagerImplTest.java b/server/src/test/java/com/cloud/network/firewall/FirewallManagerImplTest.java
new file mode 100644
index 000000000000..f1f653363a4a
--- /dev/null
+++ b/server/src/test/java/com/cloud/network/firewall/FirewallManagerImplTest.java
@@ -0,0 +1,178 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.network.firewall;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Collections;
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
+import com.cloud.network.NetworkModel;
+import com.cloud.network.dao.NetworkServiceMapDao;
+import com.cloud.network.element.FirewallServiceProvider;
+import com.cloud.network.element.NetworkElement;
+import com.cloud.network.element.PortForwardingServiceProvider;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.PortForwardingRule;
+
+@RunWith(MockitoJUnitRunner.Silent.class)
+public class FirewallManagerImplTest {
+
+    interface MockFwElement extends NetworkElement, FirewallServiceProvider {}
+    interface MockPfElement extends NetworkElement, PortForwardingServiceProvider {}
+
+    @Spy
+    @InjectMocks
+    private FirewallManagerImpl firewallManager;
+
+    @Mock
+    private NetworkModel _networkModel;
+
+    @Mock
+    private NetworkServiceMapDao networkServiceMapDao;
+
+    @Before
+    public void setUp() {
+        ReflectionTestUtils.setField(firewallManager, "_firewallElements", Collections.emptyList());
+        ReflectionTestUtils.setField(firewallManager, "_pfElements", Collections.emptyList());
+        ReflectionTestUtils.setField(firewallManager, "_staticNatElements", Collections.emptyList());
+        ReflectionTestUtils.setField(firewallManager, "_networkAclElements", Collections.emptyList());
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for applyRules with extension-backed Firewall provider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void applyRulesFirewallHandledByExtensionProvider() throws ResourceUnavailableException {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(1L);
+
+        FirewallRule rule = mock(FirewallRule.class);
+        List<? extends FirewallRule> rules = List.of(rule);
+
+        // No standard firewall elements handle it
+        String extProviderName = "my-ext-fw-provider";
+        when(networkServiceMapDao.getProviderForServiceInNetwork(1L, Network.Service.Firewall))
+                .thenReturn(extProviderName);
+
+        // The element implementing the provider is both NetworkElement and FirewallServiceProvider
+        MockFwElement element = mock(MockFwElement.class);
+        when(element.applyFWRules(eq(network), any())).thenReturn(true);
+        when(_networkModel.getElementImplementingProvider(extProviderName)).thenReturn(element);
+
+        boolean result = firewallManager.applyRules(network, FirewallRule.Purpose.Firewall, rules);
+        assertTrue(result);
+        verify(element).applyFWRules(eq(network), any());
+    }
+
+    @Test
+    public void applyRulesFirewallReturnsFalseWhenNoExtensionProviderFound() throws ResourceUnavailableException {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(2L);
+
+        FirewallRule rule = mock(FirewallRule.class);
+        List<? extends FirewallRule> rules = List.of(rule);
+
+        // No standard provider and no extension provider found
+        when(networkServiceMapDao.getProviderForServiceInNetwork(2L, Network.Service.Firewall))
+                .thenReturn(null);
+
+        boolean result = firewallManager.applyRules(network, FirewallRule.Purpose.Firewall, rules);
+        assertFalse(result);
+        verify(_networkModel, never()).getElementImplementingProvider(any());
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for applyRules with extension-backed PortForwarding provider
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void applyRulesPortForwardingHandledByExtensionProvider() throws ResourceUnavailableException {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(3L);
+
+        PortForwardingRule rule = mock(PortForwardingRule.class);
+        @SuppressWarnings("unchecked")
+        List<PortForwardingRule> rules = List.of(rule);
+
+        String extProviderName = "my-ext-pf-provider";
+        when(networkServiceMapDao.getProviderForServiceInNetwork(3L, Network.Service.PortForwarding))
+                .thenReturn(extProviderName);
+
+        MockPfElement element = mock(MockPfElement.class);
+        when(element.applyPFRules(eq(network), any())).thenReturn(true);
+        when(_networkModel.getElementImplementingProvider(extProviderName)).thenReturn(element);
+
+        boolean result = firewallManager.applyRules(network, FirewallRule.Purpose.PortForwarding, rules);
+        assertTrue(result);
+        verify(element).applyPFRules(eq(network), any());
+    }
+
+    @Test
+    public void applyRulesPortForwardingReturnsFalseWhenNoExtensionProviderFound() throws ResourceUnavailableException {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(4L);
+
+        PortForwardingRule rule = mock(PortForwardingRule.class);
+        List<? extends FirewallRule> rules = List.of(rule);
+
+        when(networkServiceMapDao.getProviderForServiceInNetwork(4L, Network.Service.PortForwarding))
+                .thenReturn(null);
+
+        boolean result = firewallManager.applyRules(network, FirewallRule.Purpose.PortForwarding, rules);
+        assertFalse(result);
+    }
+
+    // -----------------------------------------------------------------------
+    // Tests for StaticNat (handled by Firewall elements)
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void applyRulesStaticNatReturnsFalseWhenNoProviderFound() throws ResourceUnavailableException {
+        Network network = mock(Network.class);
+        when(network.getId()).thenReturn(5L);
+
+        FirewallRule rule = mock(FirewallRule.class);
+        List<? extends FirewallRule> rules = List.of(rule);
+
+        when(networkServiceMapDao.getProviderForServiceInNetwork(5L, Network.Service.Firewall))
+                .thenReturn(null);
+
+        boolean result = firewallManager.applyRules(network, FirewallRule.Purpose.StaticNat, rules);
+        assertFalse(result);
+    }
+}
diff --git a/server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java b/server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java
index 651d7cb6aef3..09d3ebd762da 100644
--- a/server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java
+++ b/server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java
@@ -68,7 +68,6 @@
 import static org.mockito.ArgumentMatchers.anyLong;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.ArgumentMatchers.nullable;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @RunWith(SpringJUnit4ClassRunner.class)
@@ -92,6 +91,8 @@ public class NetworkACLManagerTest extends TestCase {
     @Inject
     NetworkModel _networkModel;
     @Inject
+    NetworkServiceMapDao networkServiceMapDao;
+    @Inject
     List<NetworkACLServiceProvider> _networkAclElements;
     @Inject
     VpcService _vpcSvc;
@@ -169,8 +170,7 @@ public void driveTestApplyNetworkACL(final boolean result, final boolean applyNe
         final List<NetworkVO> networks = new ArrayList<>();
         networks.add(network);
 
-        NetworkServiceMapDao ntwkSrvcDao = mock(NetworkServiceMapDao.class);
-        when(ntwkSrvcDao.canProviderSupportServiceInNetwork(anyLong(), eq(Network.Service.NetworkACL), nullable(Network.Provider.class))).thenReturn(true);
+        when(networkServiceMapDao.canProviderSupportServiceInNetwork(anyLong(), eq(Network.Service.NetworkACL), nullable(Network.Provider.class))).thenReturn(true);
         Mockito.when(_networkDao.listByAclId(anyLong())).thenReturn(networks);
         Mockito.when(_networkDao.findById(anyLong())).thenReturn(network);
         Mockito.when(networkOfferingDao.isIpv6Supported(anyLong())).thenReturn(false);
@@ -277,6 +277,11 @@ public NetworkModel networkModel() {
             return Mockito.mock(NetworkModel.class);
         }
 
+        @Bean
+        public NetworkServiceMapDao networkServiceMapDao() {
+            return Mockito.mock(NetworkServiceMapDao.class);
+        }
+
         @Bean
         public VpcManager vpcManager() {
             return Mockito.mock(VpcManager.class);
diff --git a/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java b/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
index 3d3bfbdf162a..26f5500eadd3 100644
--- a/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
+++ b/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
@@ -43,6 +43,7 @@
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.element.NetworkElement;
+import com.cloud.network.element.VpcProvider;
 import com.cloud.network.router.CommandSetupHelper;
 import com.cloud.network.router.NetworkHelper;
 import com.cloud.network.router.VirtualRouter;
@@ -72,6 +73,8 @@
 import org.apache.cloudstack.api.command.user.vpc.UpdateVPCCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.Extension;
+import org.apache.cloudstack.extension.ExtensionHelper;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.network.Ipv4GuestSubnetNetworkMap;
 import org.apache.cloudstack.network.RoutedIpv4Manager;
@@ -90,6 +93,7 @@
 import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -99,6 +103,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.anyInt;
@@ -247,14 +252,21 @@ private void overrideDefaultConfigValue(final ConfigKey configKey, final String
     @Test
     public void getVpcOffSvcProvidersMapForEmptyServiceTest() {
         long vpcOffId = 1L;
+        VpcOfferingServiceMapVO svcMap = mock(VpcOfferingServiceMapVO.class);
+        Mockito.when(svcMap.getService()).thenReturn(Service.SourceNat.getName());
+        Mockito.when(svcMap.getProvider()).thenReturn(Provider.VPCVirtualRouter.getName());
+        Mockito.when(networkModel.resolveProvider(Provider.VPCVirtualRouter.getName()))
+               .thenReturn(Provider.VPCVirtualRouter);
         List<VpcOfferingServiceMapVO> list = new ArrayList<VpcOfferingServiceMapVO>();
-        list.add(mock(VpcOfferingServiceMapVO.class));
+        list.add(svcMap);
         Mockito.when(manager._vpcOffSvcMapDao.listByVpcOffId(vpcOffId)).thenReturn(list);
 
         Map<Service, Set<Provider>> map = manager.getVpcOffSvcProvidersMap(vpcOffId);
 
         assertNotNull(map);
         assertEquals(map.size(), 1);
+        assertTrue(map.containsKey(Service.SourceNat));
+        assertTrue(map.get(Service.SourceNat).contains(Provider.VPCVirtualRouter));
     }
 
     protected Map<String, String> createFakeCapabilityInputMap() {
@@ -600,4 +612,49 @@ public void testIsNetworkOnVpcEnabledConserveModeVpcNetworkConserveMode() {
         Assert.assertTrue(manager.isNetworkOnVpcEnabledConserveMode(network));
     }
 
+    // -----------------------------------------------------------------------
+    // Tests for getVpcElements with extension-backed NetworkOrchestrator
+    // -----------------------------------------------------------------------
+
+    @Test
+    public void getVpcElementsIncludesExtensionBackedVpcProvider() {
+        manager.setVpcElements(null);
+
+        Mockito.when(networkModel.getElementImplementingProvider(Provider.VPCVirtualRouter.getName())).thenReturn(null);
+        Mockito.when(networkModel.getElementImplementingProvider(Provider.JuniperContrailVpcRouter.getName())).thenReturn(null);
+
+        Extension ext = mock(Extension.class);
+        Mockito.when(ext.getName()).thenReturn("my-vpc-ext");
+
+        ExtensionHelper extHelper = mock(ExtensionHelper.class);
+        Mockito.when(extHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator))
+                .thenReturn(List.of(ext));
+        manager.extensionHelper = extHelper;
+
+        // The element for the extension also implements VpcProvider
+        VpcProvider vpcProviderElement = mock(VpcProvider.class);
+        Mockito.when(networkModel.getElementImplementingProvider("my-vpc-ext")).thenReturn((NetworkElement) vpcProviderElement);
+
+        List<VpcProvider> result = manager.getVpcElements();
+        Assert.assertNotNull(result);
+        Assert.assertTrue(result.contains(vpcProviderElement));
+    }
+
+    @Test
+    public void getVpcElementsReturnsEmptyListWhenNoStaticNorExtensionProviders() {
+        manager.setVpcElements(null);
+
+        Mockito.when(networkModel.getElementImplementingProvider(Provider.VPCVirtualRouter.getName())).thenReturn(null);
+        Mockito.when(networkModel.getElementImplementingProvider(Provider.JuniperContrailVpcRouter.getName())).thenReturn(null);
+
+        ExtensionHelper extHelper = mock(ExtensionHelper.class);
+        Mockito.when(extHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator))
+                .thenReturn(Collections.emptyList());
+        manager.extensionHelper = extHelper;
+
+        List<VpcProvider> result = manager.getVpcElements();
+        Assert.assertNotNull(result);
+        Assert.assertTrue(result.isEmpty());
+    }
+
 }
diff --git a/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java b/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
index 3b120b88db45..01fb7e3be91e 100644
--- a/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
+++ b/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
@@ -345,7 +345,7 @@ public Pair<List<? extends PhysicalNetwork>, Integer> searchPhysicalNetworks(Lon
      * @see com.cloud.network.NetworkService#updatePhysicalNetwork(java.lang.Long, java.lang.String, java.util.List, java.lang.String, java.lang.String)
      */
     @Override
-    public PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<String> tags, String newVnetRangeString, String state) {
+    public PhysicalNetwork updatePhysicalNetwork(Long id, String networkSpeed, List<String> tags, String newVnetRangeString, String state, Map<String, String> externalDetails) {
         // TODO Auto-generated method stub
         return null;
     }
diff --git a/server/src/test/java/com/cloud/vpc/MockNetworkModelImpl.java b/server/src/test/java/com/cloud/vpc/MockNetworkModelImpl.java
index b9423daaeebb..83f3fda383c8 100644
--- a/server/src/test/java/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/src/test/java/com/cloud/vpc/MockNetworkModelImpl.java
@@ -411,6 +411,15 @@ public boolean canElementEnableIndividualServices(Provider provider) {
         return false;
     }
 
+    @Override
+    public Provider resolveProvider(String providerName) {
+        return Provider.getProvider(providerName);
+    }
+    @Override
+    public boolean canElementEnableIndividualServicesByName(String providerName) {
+        return false;
+    }
+
     /* (non-Javadoc)
      * @see com.cloud.network.NetworkModel#areServicesSupportedInNetwork(long, com.cloud.network.Network.Service[])
      */
diff --git a/test/integration/smoke/test_network_extension_namespace.py b/test/integration/smoke/test_network_extension_namespace.py
new file mode 100644
index 000000000000..f4c4e9da9ccf
--- /dev/null
+++ b/test/integration/smoke/test_network_extension_namespace.py
@@ -0,0 +1,2588 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""Support module for the NetworkExtension smoke tests.
+
+**Do not run this file directly.**  Tests are discovered and executed through
+``test_network_extension_namespace.py``, which exposes the test class under a
+discoverable name.
+
+This module provides:
+  * Module-level constants (script names, URLs, capabilities JSON).
+  * Helper functions (_download_script, _ensure_scripts_downloaded, etc.).
+  * Deployer classes (MgmtServerDeployer, KvmHostDeployer).
+  * Base test class ``_TestNetworkExtensionNamespace`` (underscore = not
+    collected directly by nose/Marvin).
+
+Renamed from ``test_network_extension_provider.py``.  The canonical test file
+is ``test_network_extension_namespace.py``.
+"""
+import json
+import logging
+import os
+import random
+import shutil
+import stat
+import subprocess
+import tempfile
+import time
+import urllib.parse
+
+from marvin.cloudstackTestCase import cloudstackTestCase
+from marvin.cloudstackAPI import (listPhysicalNetworks,
+                                  listTrafficTypes,
+                                  listManagementServers,
+                                  listNetworkServiceProviders,
+                                  updateNetworkServiceProvider,
+                                  deleteNetworkServiceProvider,
+                                  createFirewallRule,
+                                  deleteFirewallRule,
+                                  listPublicIpAddresses)
+from marvin.lib.base import (Account,
+                             Extension,
+                             ExtensionCustomAction,
+                             LoadBalancerRule,
+                             Network,
+                             NetworkACL,
+                             NetworkACLList,
+                             NetworkOffering,
+                             NATRule,
+                             PublicIPAddress,
+                             ServiceOffering,
+                             SSHKeyPair,
+                             StaticNATRule,
+                             Template,
+                             VirtualMachine,
+                             VPC,
+                             VpcOffering)
+from marvin.lib.common import (get_domain, get_zone, get_template)
+from marvin.lib.utils import cleanup_resources, random_gen
+from marvin.sshClient import SshClient
+from nose.plugins.attrib import attr
+
+_multiprocess_shared_ = True
+
+# The file names of the scripts to deploy on the management server and KVM hosts.
+SCRIPT_FILENAME       = 'network-namespace-wrapper.sh'
+ENTRY_POINT_FILENAME  = 'network-namespace.sh'
+
+# Remote URLs to download the scripts from
+_GITHUB_BASE = (
+    'https://raw.githubusercontent.com/apache/cloudstack-extensions'
+    '/refs/heads/network-namespace/Network-Namespace/'
+)
+WRAPPER_SCRIPT_URL     = _GITHUB_BASE + SCRIPT_FILENAME
+ENTRY_POINT_SCRIPT_URL = _GITHUB_BASE + ENTRY_POINT_FILENAME
+
+# Local cache paths (downloaded once, reused across test methods)
+_THIS_DIR = os.path.dirname(os.path.abspath(__file__))
+_SCRIPT_CACHE_DIR = os.path.join(tempfile.gettempdir(), 'cs-extnet-script-cache')
+WRAPPER_SCRIPT_LOCAL     = os.path.join(_SCRIPT_CACHE_DIR, SCRIPT_FILENAME)
+ENTRY_POINT_SCRIPT_LOCAL = os.path.join(_SCRIPT_CACHE_DIR, ENTRY_POINT_FILENAME)
+
+# Network services — comma-separated list of all services this extension supports.
+# Tests select a subset when creating NetworkOfferings.
+NETWORK_SERVICES = (
+    "Dhcp,Dns,UserData,"
+    "SourceNat,StaticNat,PortForwarding,Firewall,Lb,NetworkACL"
+)
+
+# Per-service capabilities JSON object (no "services" wrapper).
+NETWORK_SERVICE_CAPABILITIES_JSON = json.dumps({
+    "Lb": {
+        "SupportedLBAlgorithms": "roundrobin,leastconn,source",
+        "SupportedLBIsolation": "dedicated",
+        "SupportedProtocols": "tcp,udp,tcp-proxy",
+        "SupportedStickinessMethods": "lbcookie,appsession",
+        "LbSchemes": "Public",
+        "SslTermination": "false",
+        "VmAutoScaling": "false"
+    },
+    "Firewall": {
+        "TrafficStatistics": "per public ip",
+        "SupportedProtocols": "tcp,udp,icmp",
+        "SupportedEgressProtocols": "tcp,udp,icmp,all",
+        "SupportedTrafficDirection": "ingress,egress",
+        "MultipleIps": "true"
+    },
+    "Dns": {
+        "AllowDnsSuffixModification": "true",
+        "ExternalDns": "true"
+    },
+    "Dhcp": {
+        "DhcpAccrossMultipleSubnets": "true"
+    },
+    "Gateway": {
+        "RedundantRouter": "false"
+    },
+    "SourceNat": {
+        "SupportedSourceNatTypes": "peraccount",
+        "RedundantRouter": "false"
+    },
+    "StaticNat": {
+        "Supported": "true"
+    },
+    "PortForwarding": {
+        "SupportedProtocols": "tcp,udp"
+    },
+    "UserData": {
+        "Supported": "true"
+    },
+    "NetworkACL": {
+        "SupportedProtocols": "tcp,udp,icmp"
+    }
+})
+
+
+# ---------------------------------------------------------------------------
+# Script download helpers
+# ---------------------------------------------------------------------------
+
+def _download_script(url, dest_path):
+    """Download *url* to *dest_path* via curl or wget and make it executable."""
+    os.makedirs(os.path.dirname(dest_path), exist_ok=True)
+    log = logging.getLogger('cs-extnet')
+    log.info("Downloading %s -> %s", url, dest_path)
+    for cmd in (['curl', '-fsSL', url, '-o', dest_path],
+                ['wget', '-q',    url, '-O', dest_path]):
+        if subprocess.run(cmd, check=False).returncode == 0:
+            os.chmod(dest_path, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP |
+                     stat.S_IROTH | stat.S_IXOTH)
+            return dest_path
+    raise RuntimeError("Failed to download %s with curl and wget" % url)
+
+
+def _ensure_scripts_downloaded():
+    """Download both scripts from GitHub if not already cached.
+
+    If GitHub is unreachable the function falls back to the corresponding
+    scripts in the local source tree so that tests can run offline:
+      * wrapper      → extensions/network-namespace/network-namespace-wrapper.sh
+      * entry point  → extensions/network-namespace/network-namespace.sh
+
+    Returns (wrapper_path, entry_point_path).
+    """
+    _src_root = os.path.normpath(
+        os.path.join(os.path.dirname(os.path.abspath(__file__)),
+                     '..', '..', '..'))
+
+    try:
+        _download_script(WRAPPER_SCRIPT_URL, WRAPPER_SCRIPT_LOCAL)
+    except Exception:
+        # Offline fallback: deploy the source-tree implementation.
+        _local_impl = os.path.join(
+            _src_root, 'extensions', 'network-namespace',
+            'network-namespace-wrapper.sh')
+        if os.path.exists(_local_impl):
+            os.makedirs(os.path.dirname(WRAPPER_SCRIPT_LOCAL),
+                        exist_ok=True)
+            shutil.copy2(_local_impl, WRAPPER_SCRIPT_LOCAL)
+            os.chmod(WRAPPER_SCRIPT_LOCAL,
+                     stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP |
+                     stat.S_IROTH | stat.S_IXOTH)
+            logging.getLogger('cs-extnet').info(
+                "Offline fallback: using local %s as %s",
+                _local_impl, WRAPPER_SCRIPT_LOCAL)
+        else:
+            raise
+
+    try:
+        _download_script(ENTRY_POINT_SCRIPT_URL, ENTRY_POINT_SCRIPT_LOCAL)
+    except Exception:
+        _local_ep = os.path.join(
+            _src_root, 'extensions', 'network-namespace',
+            'network-namespace.sh')
+        if os.path.exists(_local_ep):
+            os.makedirs(os.path.dirname(ENTRY_POINT_SCRIPT_LOCAL),
+                        exist_ok=True)
+            shutil.copy2(_local_ep, ENTRY_POINT_SCRIPT_LOCAL)
+            os.chmod(ENTRY_POINT_SCRIPT_LOCAL,
+                     stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP |
+                     stat.S_IROTH | stat.S_IXOTH)
+            logging.getLogger('cs-extnet').info(
+                "Offline fallback: using local %s as %s",
+                _local_ep, ENTRY_POINT_SCRIPT_LOCAL)
+        else:
+            raise
+
+    return WRAPPER_SCRIPT_LOCAL, ENTRY_POINT_SCRIPT_LOCAL
+
+
+# ---------------------------------------------------------------------------
+# KVM host discovery helpers (from Marvin config)
+# ---------------------------------------------------------------------------
+
+def _get_kvm_hosts_from_config(config):
+    """Return list of host dicts for all KVM hosts in the Marvin config.
+
+    Each entry: {"ip": .., "username": .., "password": ..}
+    """
+    hosts = []
+    try:
+        for zone in config.__dict__.get("zones", []):
+            for pod in zone.__dict__.get("pods", []):
+                for cluster in pod.__dict__.get("clusters", []):
+                    for h in cluster.__dict__.get("hosts", []):
+                        if hasattr(h, '__dict__'):
+                            h = h.__dict__
+                        url = h.get("url", "")
+                        if not url.startswith('http://') and not url.startswith('https://'):
+                            url = 'http://' + url
+                        parsed = urllib.parse.urlparse(url)
+                        ip = parsed.hostname or ''
+                        if not ip:
+                            continue
+                        hosts.append({
+                            "ip":       ip,
+                            "username": h.get("username", "root"),
+                            "password": h.get("password", ""),
+                        })
+    except Exception as e:
+        logging.getLogger('cs-extnet').warning(
+            "Could not read KVM hosts from config: %s", e)
+    return hosts
+
+
+# ---------------------------------------------------------------------------
+# SSH helper
+# ---------------------------------------------------------------------------
+
+def _ssh_copy_file(host_ip, host_port, username, password, local_path, remote_path):
+    """Transfer *local_path* to *remote_path* on *host_ip* via SshClient."""
+    ssh = SshClient(host_ip, int(host_port), username, password)
+    ssh.execute("mkdir -p '%s'" % os.path.dirname(remote_path))
+    # Use SFTP upload to avoid very large shell arguments for script content.
+    ssh.scp(local_path, remote_path)
+    ssh.execute("chmod 755 '%s'" % remote_path)
+
+
+# ---------------------------------------------------------------------------
+# MgmtServerDeployer  – deploys network-namespace.sh to the management server
+# ---------------------------------------------------------------------------
+
+class MgmtServerDeployer:
+    """Copies network-namespace.sh to the management server via SSH."""
+
+    def __init__(self, mgt_details, logger=None):
+        self.ip     = mgt_details.get("mgtSvrIp", "localhost")
+        self.port   = 22
+        self.user   = mgt_details.get("user", "root")
+        self.passwd = mgt_details.get("passwd", "")
+        self.logger = logger or logging.getLogger('MgmtServerDeployer')
+
+    def copy_file(self, local_path, remote_path, mode='0755'):
+        _ssh_copy_file(self.ip, self.port, self.user, self.passwd,
+                       local_path, remote_path)
+        self.logger.info("Copied %s -> %s on mgmt %s",
+                         local_path, remote_path, self.ip)
+
+    def remove_file(self, remote_path):
+        try:
+            SshClient(self.ip, self.port, self.user, self.passwd).execute(
+                "rm -f '%s'" % remote_path)
+        except Exception as e:
+            self.logger.warning("Could not remove %s: %s", remote_path, e)
+
+
+# ---------------------------------------------------------------------------
+# KvmHostDeployer  – deploys network-namespace-wrapper.sh to KVM hosts
+# ---------------------------------------------------------------------------
+
+class KvmHostDeployer:
+    """Copies the KVM wrapper script to all KVM hosts via SSH.
+
+    *dest_path* is the absolute path on each KVM host where the wrapper
+    script is installed.  This path differs from the management-server
+    entry-point path:
+      management server: /usr/share/cloudstack-management/extensions/<name>/<name>.sh
+      KVM host (wrapper): /etc/cloudstack/extensions/<name>/<name>-wrapper.sh
+    """
+
+    def __init__(self, config_hosts=None, logger=None, dest_path=None):
+        self.config_hosts    = config_hosts or []
+        self.logger          = logger or logging.getLogger('KvmHostDeployer')
+        self._deployed_hosts = []
+        self._dest_path      = dest_path
+
+    def deploy(self):
+        """Deploy wrapper to all configured hosts. Returns list of deployed IPs."""
+        wrapper_path, _ = _ensure_scripts_downloaded()
+        self._deployed_hosts = []
+        if not self.config_hosts:
+            self.logger.warning("No KVM hosts configured — wrapper not deployed")
+            return []
+        for h in self.config_hosts:
+            ip       = h.get('ip', '')
+            username = h.get('username', 'root')
+            password = h.get('password', '')
+            if not ip:
+                continue
+            self.logger.info("Deploying wrapper to KVM host %s at %s",
+                             ip, self._dest_path)
+            try:
+                _ssh_copy_file(ip, 22, username, password,
+                               wrapper_path, self._dest_path)
+                self.logger.info("Deployed wrapper to %s at %s",
+                                 ip, self._dest_path)
+                self._deployed_hosts.append(ip)
+            except Exception as e:
+                self.logger.warning("Failed deploying to %s: %s", ip, e)
+        return self._deployed_hosts
+
+    def host_ips_csv(self):
+        """Return comma-separated IP list of all configured hosts."""
+        return ','.join(h.get('ip', '') for h in self.config_hosts if h.get('ip'))
+
+    def remove_file(self, remote_path):
+        """Remove wrapper script from all deployed KVM hosts."""
+        if not self._deployed_hosts:
+            self.logger.debug("No KVM hosts deployed — skipping remove_file")
+            return
+        for h in self.config_hosts:
+            ip       = h.get('ip', '')
+            username = h.get('username', 'root')
+            password = h.get('password', '')
+            if not ip or ip not in self._deployed_hosts:
+                continue
+            try:
+                SshClient(ip, 22, username, password).execute(
+                    "rm -f '%s'" % remote_path)
+                self.logger.info("Removed %s from KVM host %s", remote_path, ip)
+            except Exception as e:
+                self.logger.warning("Could not remove %s from %s: %s",
+                                   remote_path, ip, e)
+
+
+# ---------------------------------------------------------------------------
+# Test class
+# ---------------------------------------------------------------------------
+
+class TestNetworkExtensionNamespace(cloudstackTestCase):
+    """Smoke tests for the NetworkExtension plugin.
+
+    Not discovered directly — exposed as ``TestNetworkExtensionNamespace``
+    through ``test_network_extension_namespace.py``.
+
+    Covers:
+      test_01 — NSP state transitions (Disabled/Enabled/Disabled)
+      test_02 — network.services / network.service.capabilities details stored correctly
+      test_03 — extension enable/disable and delete restriction
+      test_04 — DHCP/DNS/UserData: cloud-init VM on a shared network reaches Running state
+      test_05 — full isolated lifecycle: static NAT, PF, LB, restart
+                (all with SSH connectivity verification via keypair)
+      test_06 — VPC multi-tier + VPC restart with SSH verification
+      test_07 — VPC Network ACL testing with multiple tiers and traffic rules
+      test_08 — custom-action smoke for Policy-Based Routing (PBR) actions
+      test_09 — VPC source NAT IP update without VPC restart
+    """
+
+    @staticmethod
+    def _custom_action_details(resp):
+        """Extract best-effort details text from runCustomAction response."""
+        if resp is None:
+            return ""
+        result = getattr(resp, 'result', None)
+        if isinstance(result, dict):
+            return result.get('details', '') or ''
+        if hasattr(result, '__dict__'):
+            return getattr(result, 'details', '') or ''
+        return ''
+
+    @classmethod
+    def setUpClass(cls):
+        testClient = super(TestNetworkExtensionNamespace, cls).getClsTestClient()
+        cls.apiclient     = testClient.getApiClient()
+        cls.services      = testClient.getParsedTestDataConfig()
+        cls.zone          = get_zone(cls.apiclient, testClient.getZoneForTests())
+        cls.domain        = get_domain(cls.apiclient)
+        cls.mgtSvrDetails = cls.config.__dict__["mgtSvr"][0].__dict__
+        # All management servers — entry-point script is deployed to every one.
+        cls.all_mgt_svr_details = [
+            mgt.__dict__ if hasattr(mgt, '__dict__') else mgt
+            for mgt in cls.config.__dict__.get("mgtSvr", [])
+        ] or [cls.mgtSvrDetails]
+        cls.hv            = testClient.getHypervisorInfo()
+        cls._cleanup      = []
+        cls.tmp_files     = []
+        cls.keypair       = None
+
+        cls.logger = logging.getLogger("TestNetworkExtensionNamespace")
+        cls.stream_handler = logging.StreamHandler()
+        cls.logger.setLevel(logging.DEBUG)
+        cls.logger.addHandler(cls.stream_handler)
+
+        cls.logger.info("Management servers (from config): %s",
+                         [m.get("mgtSvrIp", "?") for m in cls.all_mgt_svr_details])
+
+        # Supplement / override management server list via listManagementServers API.
+        # All mgmt servers are assumed to share the same SSH credentials as the
+        # first entry in the Marvin config (mgtSvr[0]).
+        try:
+            ms_cmd = listManagementServers.listManagementServersCmd()
+            api_mgmt_servers = cls.apiclient.listManagementServers(ms_cmd)
+            if api_mgmt_servers:
+                base_creds = dict(cls.mgtSvrDetails)
+                api_mgt_details = []
+                for ms in api_mgmt_servers:
+                    ip = (getattr(ms, 'ipaddress', None)
+                          or getattr(ms, 'ip', None)
+                          or getattr(ms, 'hostname', None))
+                    if ip:
+                        entry = dict(base_creds)
+                        entry['mgtSvrIp'] = ip
+                        api_mgt_details.append(entry)
+                if api_mgt_details:
+                    cls.all_mgt_svr_details = api_mgt_details
+                    cls.logger.info(
+                        "Management servers (from listManagementServers API): %s",
+                        [d.get('mgtSvrIp') for d in api_mgt_details])
+        except Exception as _ms_err:
+            cls.logger.warning(
+                "Could not retrieve management servers via listManagementServers "
+                "API (%s); using config-provided list", _ms_err)
+
+        # KVM host credentials from Marvin config
+        cls.kvm_host_configs = _get_kvm_hosts_from_config(cls.config)
+        cls.logger.info("KVM hosts from config: %s",
+                        [h['ip'] for h in cls.kvm_host_configs if h.get('ip')])
+
+        # ---- Cloud-init template (Ubuntu 22.04) ----
+        # Used for hardware tests that verify actual SSH connectivity.
+        # Falls back to the default test template when the cloud-init entry
+        # is absent from the services config (e.g. on simulator).
+        try:
+            tpl_data = (cls.services
+                        .get("test_templates_cloud_init", {})
+                        .get(cls.hv.lower()))
+            if tpl_data:
+                cls.logger.info("Registering cloud-init template for %s", cls.hv)
+                tpl = Template.register(
+                    cls.apiclient,
+                    tpl_data,
+                    zoneid=cls.zone.id,
+                    hypervisor=cls.hv,
+                )
+                tpl.download(cls.apiclient)
+                cls._cleanup.append(tpl)
+                cls.template = tpl
+                cls.logger.info("Cloud-init template registered: %s", tpl.id)
+            else:
+                cls.logger.info("No cloud-init template for %s; using default",
+                                cls.hv)
+                cls.template = get_template(cls.apiclient, cls.zone.id, cls.hv)
+        except Exception as e:
+            cls.logger.warning("Cloud-init template registration failed: %s; "
+                               "falling back to default", e)
+            cls.template = get_template(cls.apiclient, cls.zone.id, cls.hv)
+
+        # ---- Download wrapper scripts from GitHub ----
+        try:
+            _ensure_scripts_downloaded()
+            cls.logger.info("Scripts cached: %s  %s",
+                            WRAPPER_SCRIPT_LOCAL, ENTRY_POINT_SCRIPT_LOCAL)
+        except Exception as e:
+            cls.logger.warning("Could not download scripts from GitHub: %s", e)
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestNetworkExtensionNamespace, cls).tearDownClass()
+        for tmp_file in cls.tmp_files:
+            try:
+                os.remove(tmp_file)
+            except Exception:
+                pass
+
+    def setUp(self):
+        self.cleanup           = []
+        self.provider_id       = None
+        self.physical_network  = None
+        self.extension         = None
+        self.extension_path    = None
+        self.mgmt_deployer     = None
+        self._mgmt_script_path = None
+        self._all_mgmt_deployers = []
+        self.kvm_deployer      = None
+        self._ssh_private_key_file = None
+
+    def tearDown(self):
+        #self._safe_teardown()
+        try:
+            cleanup_resources(self.apiclient, self.cleanup)
+        except Exception as e:
+            self.logger.warning("cleanup_resources error: %s", e)
+
+    # ------------------------------------------------------------------
+    # CloudStack API helpers
+    # ------------------------------------------------------------------
+
+    def _get_physical_network(self):
+        """Return the physical network with Guest traffic type in the test zone."""
+        cmd = listPhysicalNetworks.listPhysicalNetworksCmd()
+        cmd.zoneid = self.zone.id
+        pns = self.apiclient.listPhysicalNetworks(cmd)
+        self.assertIsInstance(pns, list)
+        self.assertGreater(len(pns), 0)
+
+        for pn in pns:
+            tt_cmd = listTrafficTypes.listTrafficTypesCmd()
+            tt_cmd.physicalnetworkid = pn.id
+            traffic_types = self.apiclient.listTrafficTypes(tt_cmd)
+            if traffic_types:
+                for tt in traffic_types:
+                    if getattr(tt, 'traffictype', '').lower() == 'guest':
+                        self.logger.info(
+                            "Selected physical network with Guest traffic: "
+                            "%s (%s)", pn.name, pn.id)
+                        return pn
+
+        self.logger.info("No physical network with Guest traffic found; "
+                         "using first: %s (%s)", pns[0].name, pns[0].id)
+        return pns[0]
+
+    def _find_provider(self, phys_net_id, name):
+        cmd = listNetworkServiceProviders.listNetworkServiceProvidersCmd()
+        cmd.physicalnetworkid = phys_net_id
+        cmd.name = name
+        providers = self.apiclient.listNetworkServiceProviders(cmd)
+        return providers[0] if isinstance(providers, list) and providers else None
+
+    def _update_provider_state(self, provider_id, state):
+        cmd = updateNetworkServiceProvider.updateNetworkServiceProviderCmd()
+        cmd.id    = provider_id
+        cmd.state = state
+        return self.apiclient.updateNetworkServiceProvider(cmd)
+
+    def _delete_provider(self, provider_id):
+        cmd = deleteNetworkServiceProvider.deleteNetworkServiceProviderCmd()
+        cmd.id = provider_id
+        self.apiclient.deleteNetworkServiceProvider(cmd)
+
+    # ------------------------------------------------------------------
+    # Script deployment helpers
+    # ------------------------------------------------------------------
+
+    def _deploy_scripts(self):
+        """Deploy scripts to all management servers and all KVM hosts.
+
+        The entry-point (network-namespace.sh) is deployed to every management
+        server at ``self.extension_path`` (the path CloudStack assigned to the
+        extension, e.g.
+        ``/usr/share/cloudstack-management/extensions/<name>/<name>.sh``).
+
+        The KVM wrapper (network-namespace-wrapper.sh) is deployed to each KVM
+        host at a *different* path derived from the extension name:
+        ``/etc/cloudstack/extensions/<name>/<name>-wrapper.sh``
+
+        The entry-point script uses the same derivation at runtime (see
+        DEFAULT_SCRIPT_PATH in network-namespace.sh) so that it always calls
+        the correct wrapper on the remote KVM host.
+        """
+        wrapper_src, entry_point_src = _ensure_scripts_downloaded()
+
+        self._mgmt_script_path = (self.extension_path or "").strip().rstrip('/')
+
+        # Deploy entry-point to ALL management servers.
+        # all_mgt_svr_details is collected once in setUpClass from
+        # cls.config.__dict__["mgtSvr"] so every server in a HA pair is covered.
+        self._all_mgmt_deployers = []
+        for mgt_details in self.all_mgt_svr_details:
+            deployer = MgmtServerDeployer(mgt_details, logger=self.logger)
+            deployer.copy_file(entry_point_src, self._mgmt_script_path)
+            self.logger.info("Entry-point deployed to mgmt %s at %s",
+                             mgt_details.get("mgtSvrIp", "?"),
+                             self._mgmt_script_path)
+            self._all_mgmt_deployers.append(deployer)
+
+        # Keep mgmt_deployer pointing at the primary server for backward-compat
+        self.mgmt_deployer = (self._all_mgmt_deployers[0]
+                              if self._all_mgmt_deployers
+                              else MgmtServerDeployer(self.mgtSvrDetails,
+                                                      logger=self.logger))
+
+        # Derive the wrapper destination path on KVM hosts from the extension path:
+        #   mgmt:  .../extensions/<name>/<name>.sh
+        #   kvm:   /etc/cloudstack/extensions/<name>/<name>-wrapper.sh
+        ext_dir_name   = os.path.basename(os.path.dirname(self._mgmt_script_path))
+        script_basename = os.path.splitext(
+            os.path.basename(self._mgmt_script_path))[0]
+        kvm_wrapper_path = "/etc/cloudstack/extensions/%s/%s-wrapper.sh" % (
+            ext_dir_name, script_basename)
+
+        self.kvm_deployer = KvmHostDeployer(
+            config_hosts=self.kvm_host_configs,
+            logger=self.logger,
+            dest_path=kvm_wrapper_path,
+        )
+        deployed = self.kvm_deployer.deploy()
+        self.logger.info(
+            "KVM wrapper deployed to %d host(s) at %s: %s",
+            len(deployed), kvm_wrapper_path, deployed)
+
+    def _cleanup_mgmt_script(self):
+        if self._mgmt_script_path:
+            all_deployers = getattr(self, '_all_mgmt_deployers', None) or []
+            if all_deployers:
+                for deployer in all_deployers:
+                    deployer.remove_file(self._mgmt_script_path)
+            elif self.mgmt_deployer:
+                self.mgmt_deployer.remove_file(self._mgmt_script_path)
+            self._mgmt_script_path = None
+
+    def _cleanup_kvm_script(self):
+        """Remove KVM wrapper script from all deployed KVM hosts."""
+        if self.kvm_deployer and self.kvm_deployer._dest_path:
+            self.kvm_deployer.remove_file(self.kvm_deployer._dest_path)
+
+    # ------------------------------------------------------------------
+    # Teardown helper
+    # ------------------------------------------------------------------
+
+    def _safe_teardown(self):
+        """Best-effort cleanup of extension/NSP/scripts."""
+        if self.extension and self.physical_network:
+            try:
+                self.extension.unregister(self.apiclient,
+                                          self.physical_network.id,
+                                          'PhysicalNetwork')
+            except Exception:
+                pass
+        if self.provider_id:
+            for fn in (lambda: self._update_provider_state(self.provider_id, 'Disabled'),
+                       lambda: self._delete_provider(self.provider_id)):
+                try:
+                    fn()
+                except Exception:
+                    pass
+            self.provider_id = None
+        if self.extension:
+            try:
+                self.extension.delete(self.apiclient,
+                                      unregisterresources=False,
+                                      removeactions=False)
+            except Exception:
+                pass
+            self.extension = None
+        self._cleanup_mgmt_script()
+        self._cleanup_kvm_script()
+
+    # ------------------------------------------------------------------
+    # SSH helpers (provider-agnostic — no KVM namespace checks)
+    # ------------------------------------------------------------------
+
+    def _verify_vm_ssh_access(self, ip, port=22, timeout=30, retries=10):
+        """Return True if SSH to *ip*:*port* succeeds using the active keypair.
+
+        The VM is expected to run Ubuntu 22.04 (cloud-init) with username
+        ``ubuntu``.  Returns False if no keypair is available or if the
+        connection fails.
+        """
+        key_file = self._ssh_private_key_file
+        if not key_file and self.keypair:
+            key_file = getattr(self.keypair, 'private_key_file', None)
+
+        if not key_file:
+            self.logger.warning("No SSH keypair available; returning False")
+            return False
+        try:
+            ssh = SshClient(
+                ip, int(port), "ubuntu", None,
+                keyPairFiles=key_file,
+                timeout=timeout,
+                retries=retries,
+            )
+            out = ssh.execute("echo EXTNET_SSH_OK")
+            return any("EXTNET_SSH_OK" in line for line in out)
+        except Exception as e:
+            self.logger.warning("SSH to %s:%s failed: %s", ip, port, e)
+            return False
+
+    def _assert_vm_ssh_accessible(self, ip, port=22, msg=None):
+        """Assert that SSH to *ip*:*port* succeeds."""
+        result = self._verify_vm_ssh_access(ip, port)
+        self.assertTrue(
+            result,
+            msg or "SSH to %s:%s should be accessible" % (ip, port))
+
+    def _assert_vm_ssh_not_accessible(self, ip, port=22, msg=None):
+        """Assert that SSH to *ip*:*port* fails (uses short timeout)."""
+        result = self._verify_vm_ssh_access(ip, port, timeout=5, retries=1)
+        self.assertFalse(
+            result,
+            msg or "SSH to %s:%s should NOT be accessible" % (ip, port))
+
+    def _create_firewall_rule_for_ssh(self, ipaddressid):
+        """Create an ingress TCP/22 firewall rule on *ipaddressid*.
+
+        Returns the created rule ID.
+        """
+        cmd = createFirewallRule.createFirewallRuleCmd()
+        cmd.ipaddressid = ipaddressid
+        cmd.protocol    = 'TCP'
+        cmd.startport   = 22
+        cmd.endport     = 22
+        cmd.cidrlist    = ['0.0.0.0/0']
+        rule = self.apiclient.createFirewallRule(cmd)
+        self.assertIsNotNone(rule, "createFirewallRule returned None")
+        self.logger.info("FW rule (TCP/22) created: id=%s on ipaddressid=%s",
+                         rule.id, ipaddressid)
+        return rule.id
+
+    def _delete_firewall_rule(self, fw_rule_id):
+        """Delete a firewall rule by ID (best-effort, warns on failure)."""
+        if not fw_rule_id:
+            return
+        cmd = deleteFirewallRule.deleteFirewallRuleCmd()
+        cmd.id = fw_rule_id
+        try:
+            self.apiclient.deleteFirewallRule(cmd)
+            self.logger.info("FW rule %s deleted", fw_rule_id)
+        except Exception as e:
+            self.logger.warning("Could not delete FW rule %s: %s", fw_rule_id, e)
+
+    def _get_source_nat_ip(self, network_id):
+        """Return the source NAT public IP object for *network_id*, or None."""
+        cmd = listPublicIpAddresses.listPublicIpAddressesCmd()
+        cmd.networkid   = network_id
+        cmd.issourcenat = True
+        try:
+            result = self.apiclient.listPublicIpAddresses(cmd)
+            if isinstance(result, list) and result:
+                return result[0]
+        except Exception as e:
+            self.logger.warning("_get_source_nat_ip(%s): %s", network_id, e)
+        return None
+
+    def _list_vpc_public_ips(self, vpc_id):
+        """Return all public IP objects associated with *vpc_id*."""
+        cmd = listPublicIpAddresses.listPublicIpAddressesCmd()
+        cmd.vpcid = vpc_id
+        cmd.listall = True
+        try:
+            result = self.apiclient.listPublicIpAddresses(cmd)
+            if isinstance(result, list):
+                return result
+        except Exception as e:
+            self.logger.warning("_list_vpc_public_ips(%s): %s", vpc_id, e)
+        return []
+
+    def _wait_for_vpc_source_nat_ip(self, vpc_id, expected_ip=None,
+                                    retries=24, interval=5):
+        """Wait until one source-NAT IP exists for the VPC (and optionally matches expected_ip)."""
+        for _ in range(retries):
+            ips = self._list_vpc_public_ips(vpc_id)
+            src = [ip for ip in ips if getattr(ip, 'issourcenat', False)]
+            if len(src) == 1:
+                current_ip = getattr(src[0], 'ipaddress', None)
+                if expected_ip is None or current_ip == expected_ip:
+                    return src[0]
+            time.sleep(interval)
+        return None
+
+    # ------------------------------------------------------------------
+    # KVM host prerequisite check (test_04 / test_05 / test_06)
+    # ------------------------------------------------------------------
+
+    def _check_kvm_host_prerequisites(self, tools=None):
+        """Verify that each configured KVM host has the required tools installed.
+
+        Checks for the presence of every tool in *tools* (default:
+        ``['arping', 'dnsmasq', 'haproxy']``) on each host in
+        ``self.kvm_host_configs`` via SSH.  The test is skipped (via
+        ``skipTest``) if any tool is absent from any reachable host.
+
+        Hosts that cannot be reached over SSH are logged as warnings and
+        excluded from the check — the connectivity failure will surface
+        naturally when the test later tries to deploy scripts.
+        """
+        if tools is None:
+            tools = ['arping', 'dnsmasq', 'haproxy']
+        if not self.kvm_host_configs:
+            self.skipTest("No KVM hosts configured — skipping prerequisite check")
+
+        missing_per_host = {}
+        for h in self.kvm_host_configs:
+            ip = h.get('ip', '')
+            if not ip:
+                continue
+            username = h.get('username', 'root')
+            password = h.get('password', '')
+            try:
+                ssh = SshClient(ip, 22, username, password)
+                missing_tools = []
+                for tool in tools:
+                    # Try both `command -v` (bash built-in) and `which`
+                    out = ssh.execute(
+                        "command -v {t} 2>/dev/null || which {t} 2>/dev/null"
+                        " || echo MISSING_{t}".format(t=tool))
+                    found = any(
+                        line.strip() and 'MISSING_' + tool not in line
+                        for line in out
+                    )
+                    if not found:
+                        missing_tools.append(tool)
+                if missing_tools:
+                    missing_per_host[ip] = missing_tools
+                    self.logger.warning(
+                        "KVM host %s is missing prerequisite(s): %s",
+                        ip, ', '.join(missing_tools))
+                else:
+                    self.logger.info(
+                        "KVM host %s: all prerequisites present (%s)",
+                        ip, ', '.join(tools))
+            except Exception as e:
+                self.logger.warning(
+                    "Could not check prerequisites on KVM host %s: %s", ip, e)
+
+        if missing_per_host:
+            detail = "; ".join(
+                "%s missing %s" % (ip, ', '.join(t))
+                for ip, t in missing_per_host.items()
+            )
+            self.skipTest(
+                "Skipping test — required tools not installed on KVM host(s): "
+                + detail)
+
+    # ------------------------------------------------------------------
+    # Extension + NSP + offering setup helper (shared by tests 04-06)
+    # ------------------------------------------------------------------
+
+    def _setup_extension_nsp_offering(self, ext_name_prefix,
+                                      supported_services=None,
+                                      guestiptype="Isolated",
+                                      for_vpc=False):
+        """Create extension, deploy scripts, register to physical network,
+        enable NSP, and optionally create a NetworkOffering.
+
+        *supported_services* is a comma-separated list of CloudStack service names.
+
+        *guestiptype* controls the guest IP type for the NetworkOffering:
+        ``"Isolated"`` (default) or ``"Shared"``.
+
+        *for_vpc* — when ``True`` the NetworkOffering creation step is skipped.
+        VPC tests create their own VPC tier offering in the test body after this
+        helper returns, so creating a generic isolated offering here would be
+        wasteful and misleading.  ``(None, ext_name)`` is returned in that case.
+
+        Sets ``self.physical_network``, ``self.extension``,
+        ``self.extension_path``, ``self.provider_id``,
+        ``self.kvm_deployer``, ``self.mgmt_deployer``.
+
+        Returns ``(nw_offering, ext_name)``.  *nw_offering* is ``None`` when
+        *for_vpc* is ``True``.  Skips when no KVM hosts are available.
+        """
+        _svc = supported_services
+        self.physical_network = self._get_physical_network()
+
+        ext_name = "%s-%s" % (ext_name_prefix, random_gen())
+        self.extension = Extension.create(
+            self.apiclient,
+            name=ext_name,
+            type='NetworkOrchestrator',
+            details=[
+                {"network.services": NETWORK_SERVICES},
+                {"network.service.capabilities": NETWORK_SERVICE_CAPABILITIES_JSON},
+            ]
+        )
+        self.assertIsNotNone(self.extension)
+        self.assertEqual('Enabled', self.extension.state)
+
+        ext_list = Extension.list(self.apiclient, id=self.extension.id)
+        self.assertTrue(ext_list and len(ext_list) > 0)
+        self.extension_path = ext_list[0].path
+        self.assertIsNotNone(self.extension_path)
+        self.logger.info("Extension '%s' created, path=%s",
+                         ext_name, self.extension_path)
+
+        # Deploy scripts
+        self._deploy_scripts()
+        kvm_hosts_csv = self.kvm_deployer.host_ips_csv()
+        if not kvm_hosts_csv:
+            self.skipTest("No KVM hosts available — skipping")
+
+        # Register extension to physical network
+        register_details = [
+            {"hosts": kvm_hosts_csv},
+            {"username": self.kvm_host_configs[0].get('username', 'root')},
+            {"password": self.kvm_host_configs[0].get('password', '')},
+        ]
+
+        self.extension.register(
+            self.apiclient,
+            self.physical_network.id,
+            'PhysicalNetwork',
+            details=register_details
+        )
+        self.logger.info("Extension registered, hosts=%s", kvm_hosts_csv)
+
+        # Enable NSP
+        provider = self._find_provider(self.physical_network.id, ext_name)
+        self.assertIsNotNone(provider,
+                             "NSP '%s' not found after registration" % ext_name)
+        self.provider_id = provider.id
+        if provider.state != 'Enabled':
+            self._update_provider_state(provider.id, 'Enabled')
+        self.assertEqual('Enabled',
+                         self._find_provider(self.physical_network.id,
+                                             ext_name).state)
+        self.logger.info("NSP '%s' enabled", ext_name)
+
+        # Create NetworkOffering — skipped for VPC tests because the caller
+        # creates a VPC tier offering separately after this helper returns.
+        if for_vpc:
+            self.logger.info(
+                "for_vpc=True: skipping isolated NetworkOffering creation "
+                "(VPC tier offering will be created in the test body)")
+            return None, ext_name
+
+        _provider_map = {s.strip(): ext_name for s in _svc.split(',')}
+        offering_params = {
+            "name":              "ExtNet-Offering-%s" % random_gen(),
+            "displaytext":       "ExtNet test offering",
+            "guestiptype":       guestiptype,
+            "traffictype":       "GUEST",
+            "supportedservices": _svc,
+            "serviceProviderList": _provider_map,
+        }
+        if guestiptype == "Shared":
+            # CloudStack requires shared guest offerings to explicitly allow
+            # caller-specified IP ranges.
+            offering_params["specifyIpRanges"] = True
+        if guestiptype == "Isolated" and "SourceNat" in _svc:
+            offering_params["serviceCapabilityList"] = {
+                "SourceNat": {"SupportedSourceNatTypes": "peraccount"},
+            }
+        nw_offering = NetworkOffering.create(self.apiclient, offering_params)
+        self.cleanup.append(nw_offering)
+        nw_offering.update(self.apiclient, state='Enabled')
+        self.logger.info("NetworkOffering '%s' enabled (services: %s)",
+                         nw_offering.name, _svc)
+
+        return nw_offering, ext_name
+
+    def _create_account_keypair(self, account, name_suffix=""):
+        """Create an SSH keypair scoped to *account* and save private key file."""
+        try:
+            kp_name = "extnet-%s-%s" % (name_suffix or random_gen(), random_gen())
+            kp = SSHKeyPair.create(
+                self.apiclient,
+                name=kp_name,
+                account=account.name,
+                domainid=account.domainid,
+            )
+
+            pkfile = os.path.join(tempfile.gettempdir(), kp.name)
+            with open(pkfile, "w+") as fh:
+                fh.write(kp.privatekey)
+            os.chmod(pkfile, 0o400)
+
+            self.tmp_files.append(pkfile)
+            kp.private_key_file = pkfile
+            self._ssh_private_key_file = pkfile
+            self.logger.info("Account keypair '%s' written to %s", kp.name, pkfile)
+            return kp
+        except Exception as e:
+            self.logger.warning("Could not create account keypair: %s", e)
+            return None
+
+    def _create_account_network_vm(self, nw_offering, name_suffix="",
+                                   network_params=None):
+        """Create an account, an isolated network, and deploy a cloud-init VM.
+
+        The VM is deployed with an account-scoped SSH keypair so that SSH
+        access can be tested directly.  Username is ``ubuntu``.
+
+        Returns ``(account, network, vm)``.
+        """
+        suffix = name_suffix or random_gen()
+
+        account = Account.create(
+            self.apiclient,
+            self.services["account"],
+            admin=True,
+            domainid=self.domain.id
+        )
+        self.cleanup.append(account)
+
+        net_params = {
+            "name":        "extnet-net-%s" % suffix,
+            "displaytext": "ExtNet test network %s" % suffix,
+        }
+        if network_params:
+            net_params.update(network_params)
+
+        network = Network.create(
+            self.apiclient,
+            net_params,
+            accountid=account.name,
+            domainid=account.domainid,
+            networkofferingid=nw_offering.id,
+            zoneid=self.zone.id
+        )
+        self.cleanup.insert(0, network)
+        self.assertIsNotNone(network)
+        self.logger.info("Network created: %s (%s)", network.name, network.id)
+
+        svc_offering = ServiceOffering.list(self.apiclient, issystem=False)[0]
+
+        vm_cfg = {
+            "displayname": "extnet-vm-%s" % suffix,
+            "name":        "extnet-vm-%s" % suffix,
+            "zoneid":      self.zone.id,
+        }
+        vm_kwargs = dict(
+            accountid=account.name,
+            domainid=account.domainid,
+            serviceofferingid=svc_offering.id,
+            templateid=self.template.id,
+            networkids=[network.id],
+        )
+        account_keypair = self._create_account_keypair(account, suffix)
+        if account_keypair:
+            vm_kwargs["keypair"] = account_keypair.name
+
+        vm = VirtualMachine.create(self.apiclient, vm_cfg, **vm_kwargs)
+        self.cleanup.insert(0, vm)
+        self.assertIsNotNone(vm)
+        self.logger.info("VM deployed: %s (%s)", vm.name, vm.id)
+
+        return account, network, vm
+
+    def _teardown_extension(self):
+        """Ordered teardown: disable NSP → delete provider → unregister
+        extension → delete extension → remove mgmt script."""
+        self._update_provider_state(self.provider_id, 'Disabled')
+        self._delete_provider(self.provider_id)
+        self.provider_id = None
+
+        self.extension.unregister(self.apiclient,
+                                  self.physical_network.id, 'PhysicalNetwork')
+        self.extension.delete(self.apiclient,
+                              unregisterresources=False, removeactions=False)
+        self.extension        = None
+        self.physical_network = None
+        self._cleanup_mgmt_script()
+        self._cleanup_kvm_script()
+
+    # ------------------------------------------------------------------
+    # Tests — API-only (no KVM / no SSH)
+    # ------------------------------------------------------------------
+
+    @attr(tags=["advanced", "smoke"], required_hardware="false")
+    def test_01_provider_state_transitions(self):
+        """NSP state machine: Disabled → Enabled → Disabled → Deleted."""
+        pn = self._get_physical_network()
+        self.physical_network = pn
+
+        ext_name = "extnet-nsp-" + random_gen()
+        self.extension = Extension.create(
+            self.apiclient,
+            name=ext_name,
+            type='NetworkOrchestrator',
+            details=[
+                {"network.services": NETWORK_SERVICES},
+                {"network.service.capabilities": NETWORK_SERVICE_CAPABILITIES_JSON},
+            ]
+        )
+        self.extension.register(self.apiclient, pn.id, 'PhysicalNetwork')
+
+        provider = self._find_provider(pn.id, ext_name)
+        self.assertIsNotNone(provider)
+        self.provider_id = provider.id
+
+        # Normalise to Disabled first
+        if provider.state == 'Enabled':
+            self._update_provider_state(provider.id, 'Disabled')
+        self.assertEqual('Disabled', self._find_provider(pn.id, ext_name).state)
+
+        self._update_provider_state(provider.id, 'Enabled')
+        self.assertEqual('Enabled', self._find_provider(pn.id, ext_name).state)
+        self.logger.info("NSP enabled OK")
+
+        self._update_provider_state(provider.id, 'Disabled')
+        self.assertEqual('Disabled', self._find_provider(pn.id, ext_name).state)
+        self.logger.info("NSP disabled OK")
+
+        self._teardown_extension()
+        self.logger.info("test_01 PASSED")
+
+    @attr(tags=["advanced", "smoke"], required_hardware="false")
+    def test_02_extension_capabilities_detail(self):
+        """Verify network.services and network.service.capabilities details are stored and retrievable via API."""
+        svc_caps_json = json.dumps({
+            "SourceNat": {"SupportedSourceNatTypes": "peraccount"}
+        })
+        ext = Extension.create(
+            self.apiclient,
+            name="extnet-caps-" + random_gen(),
+            type='NetworkOrchestrator',
+            details=[
+                {"network.services": "SourceNat"},
+                {"network.service.capabilities": svc_caps_json},
+            ]
+        )
+        self.cleanup.append(ext)
+        ext_list = Extension.list(self.apiclient, id=ext.id)
+        self.assertTrue(ext_list and len(ext_list) > 0)
+        ext_obj = ext_list[0]
+        if hasattr(ext_obj, 'details') and ext_obj.details:
+            d = (ext_obj.details.__dict__
+                 if not isinstance(ext_obj.details, dict)
+                 else ext_obj.details)
+            self.assertIn("network.services", d)
+            self.assertIn("SourceNat", d["network.services"].split(","))
+            self.assertIn("network.service.capabilities", d)
+            stored_caps = json.loads(d["network.service.capabilities"])
+            self.assertIn("SourceNat", stored_caps)
+        self.logger.info("test_02 PASSED")
+
+    @attr(tags=["advanced", "smoke"], required_hardware="false")
+    def test_03_extension_enable_disable_and_delete_restriction(self):
+        """Extension enable/disable; deletion blocked while registered."""
+        pn = self._get_physical_network()
+        self.physical_network = pn
+
+        ext_name = "extnet-lifecycle-" + random_gen()
+        self.extension = Extension.create(
+            self.apiclient,
+            name=ext_name,
+            type='NetworkOrchestrator',
+            details=[
+                {"network.services": NETWORK_SERVICES},
+                {"network.service.capabilities": NETWORK_SERVICE_CAPABILITIES_JSON},
+            ]
+        )
+        self.assertIsNotNone(self.extension)
+        self.assertEqual('Enabled', self.extension.state,
+                         "Extension should be Enabled by default")
+
+        self.extension.update(self.apiclient, state='Disabled')
+        ext_list = Extension.list(self.apiclient, id=self.extension.id)
+        self.assertEqual('Disabled', ext_list[0].state)
+        self.logger.info("Extension disabled OK")
+
+        self.extension.update(self.apiclient, state='Enabled')
+        ext_list = Extension.list(self.apiclient, id=self.extension.id)
+        self.assertEqual('Enabled', ext_list[0].state)
+        self.logger.info("Extension re-enabled OK")
+
+        self.extension.register(self.apiclient, pn.id, 'PhysicalNetwork')
+        self.logger.info("Extension registered to physical network %s", pn.id)
+
+        # Deletion while registered must fail
+        try:
+            self.extension.delete(self.apiclient,
+                                  unregisterresources=False, removeactions=False)
+            self.fail("Expected error when deleting extension while registered")
+        except Exception as e:
+            self.logger.info("Expected error when deleting while registered: %s",
+                             e)
+
+        self.extension.unregister(self.apiclient, pn.id, 'PhysicalNetwork')
+        self.extension.delete(self.apiclient,
+                              unregisterresources=False, removeactions=False)
+        self.extension        = None
+        self.physical_network = None
+        self.logger.info("test_03 PASSED")
+
+    # ------------------------------------------------------------------
+    # Tests — hardware required
+    # ------------------------------------------------------------------
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    def test_04_dhcp_dns_userdata(self):
+        """DHCP / DNS / UserData: cloud-init VM on a shared network reaches Running state.
+
+        Creates a shared network with the extension providing Dhcp, Dns,
+        and UserData services.  Deploys a VM with the cloud-init template.
+        Verifies the VM reaches Running state, which implies it received a
+        DHCP address from the extension.  No SSH verification is performed.
+
+        Steps:
+          1. Set up extension + NSP + offering (Dhcp, Dns, UserData) with
+             guestiptype=Shared.
+          2. Create account + shared network + cloud-init VM.
+          3. Assert VM state == Running.
+          4. Teardown.
+        """
+        self._check_kvm_host_prerequisites(['arping', 'dnsmasq', 'haproxy'])
+        svc = "Dhcp,Dns,UserData"
+        nw_offering, _ext_name = self._setup_extension_nsp_offering(
+            "extnet-dhcp", supported_services=svc, guestiptype="Shared")
+
+        # Shared offerings with specifyIpRanges=True require explicit range.
+        third_octet = random.randint(32, 220)
+        shared_params = {
+            "gateway": "172.31.%d.1" % third_octet,
+            "netmask": "255.255.255.0",
+            "startip": "172.31.%d.10" % third_octet,
+            "endip": "172.31.%d.200" % third_octet,
+        }
+
+        account, network, vm = self._create_account_network_vm(
+            nw_offering, name_suffix="dhcp", network_params=shared_params)
+
+        # Verify VM is in Running state — DHCP must have worked
+        self.assertEqual(
+            'Running', vm.state,
+            "VM should be in Running state after deploy (implies DHCP worked)")
+        self.logger.info("VM %s is Running — DHCP/DNS/UserData path exercised",
+                         vm.name)
+
+        # Cleanup
+        vm.delete(self.apiclient, expunge=True)
+        self.cleanup = [o for o in self.cleanup if o != vm]
+        network.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != network]
+        self._teardown_extension()
+        self.logger.info("test_04 PASSED")
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    def test_05_isolated_network_full_lifecycle(self):
+        """Full isolated-network lifecycle with SSH connectivity verification.
+
+        Uses a single cloud-init VM (Ubuntu 22.04, SSH keypair, username
+        ``ubuntu``) throughout.
+
+        Sub-tests in order
+        ------------------
+        A. Static NAT
+             allocate IP → enable static NAT → create FW rule (TCP/22)
+             → assert SSH works → disable static NAT → assert SSH fails
+        B. Port forwarding (22→22)
+             allocate IP → create PF rule → create FW rule (TCP/22)
+             → assert SSH works → delete PF rule → assert SSH fails
+        C. Load balancer (haproxy, round-robin TCP/22)
+             allocate IP → create LB rule → assign VM → create FW rule
+             → assert SSH works → remove VM from LB → delete LB rule
+        D. Network restart
+             allocate IP → create PF rule → create FW rule
+             → assert SSH works (baseline)
+             → restartNetwork(cleanup=True)
+             → assert SSH works (namespace rebuilt, rules reapplied)
+        """
+        self._check_kvm_host_prerequisites(['arping', 'dnsmasq', 'haproxy'])
+        # ---- Setup ----
+        svc = "SourceNat,StaticNat,PortForwarding,Firewall,Lb,UserData,Dhcp,Dns"
+        nw_offering, _ext_name = self._setup_extension_nsp_offering(
+            "extnet-isolated", supported_services=svc)
+        account, network, vm = self._create_account_network_vm(
+            nw_offering, name_suffix="iso")
+
+        # ==============================================================
+        # A. Static NAT
+        #
+        # StaticNATRule.enable() does NOT auto-create a firewall rule, so we
+        # must create one explicitly.  StaticNATRule.disable() internally
+        # calls revokeFirewallRulesForIp(), which cascade-deletes our rule,
+        # so no explicit _delete_firewall_rule() is needed afterwards.
+        # ==============================================================
+        self.logger.info("--- Sub-test A: Static NAT ---")
+        snat_ip_obj = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=network.id
+        )
+        snat_ip    = snat_ip_obj.ipaddress.ipaddress
+        snat_ip_id = snat_ip_obj.ipaddress.id
+
+        StaticNATRule.enable(self.apiclient,
+                             ipaddressid=snat_ip_id,
+                             virtualmachineid=vm.id,
+                             networkid=network.id)
+        self.logger.info("Static NAT enabled on %s", snat_ip)
+        # Explicit FW rule required — static NAT does not auto-create one
+        self._create_firewall_rule_for_ssh(snat_ip_id)
+
+        self._assert_vm_ssh_accessible(
+            snat_ip, 22,
+            "SSH via static NAT %s:22 should succeed" % snat_ip)
+        self.logger.info("Verified: SSH works via static NAT %s", snat_ip)
+
+        # disable() cascades revokeFirewallRulesForIp() — deletes the FW rule
+        StaticNATRule.disable(self.apiclient, ipaddressid=snat_ip_id)
+        self.logger.info("Static NAT disabled on %s", snat_ip)
+        self._assert_vm_ssh_not_accessible(
+            snat_ip, 22,
+            "SSH via %s:22 should fail after static NAT disabled" % snat_ip)
+        self.logger.info("Verified: SSH fails after static NAT disabled")
+        snat_ip_obj.delete(self.apiclient)
+
+        # ==============================================================
+        # B. Port forwarding
+        #
+        # NATRule.create() passes openFirewall=True (default for non-VPC),
+        # so CloudStack automatically creates a TCP/22 FW rule with
+        # relatedRuleId=pf_rule.id.  pf_rule.delete() cascade-removes it.
+        # Do NOT call _create_firewall_rule_for_ssh() — that would conflict
+        # with the auto-created rule.
+        # ==============================================================
+        self.logger.info("--- Sub-test B: Port forwarding ---")
+        pf_ip_obj = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=network.id
+        )
+        pf_ip    = pf_ip_obj.ipaddress.ipaddress
+        pf_ip_id = pf_ip_obj.ipaddress.id
+
+        pf_rule = NATRule.create(
+            self.apiclient, vm,
+            {"privateport": 22, "publicport": 22, "protocol": "TCP"},
+            ipaddressid=pf_ip_id,
+            networkid=network.id
+        )
+        self.assertIsNotNone(pf_rule)
+        self.logger.info("PF rule created: %s:22 → VM:22 (FW rule auto-created)",
+                         pf_ip)
+
+        self._assert_vm_ssh_accessible(
+            pf_ip, 22,
+            "SSH via PF %s:22 should succeed" % pf_ip)
+        self.logger.info("Verified: SSH works via port forwarding %s", pf_ip)
+
+        # delete() cascades revokeRelatedFirewallRule() — removes auto FW rule
+        pf_rule.delete(self.apiclient)
+        self.logger.info("PF rule deleted on %s", pf_ip)
+        self._assert_vm_ssh_not_accessible(
+            pf_ip, 22,
+            "SSH via %s:22 should fail after PF rule deleted" % pf_ip)
+        self.logger.info("Verified: SSH fails after PF rule deleted")
+        pf_ip_obj.delete(self.apiclient)
+
+        # ==============================================================
+        # C. Load balancer (haproxy)
+        #
+        # LoadBalancerRule.create() also uses openFirewall=True by default,
+        # auto-creating a TCP/22 FW rule.  lb_rule.delete() cascades it.
+        # ==============================================================
+        self.logger.info("--- Sub-test C: Load balancer ---")
+        lb_ip_obj = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=network.id
+        )
+        lb_ip    = lb_ip_obj.ipaddress.ipaddress
+        lb_ip_id = lb_ip_obj.ipaddress.id
+
+        lb_rule = LoadBalancerRule.create(
+            self.apiclient,
+            {"name":        "lb-ssh-%s" % random_gen(),
+             "alg":         "roundrobin",
+             "privateport": 22,
+             "publicport":  22},
+            ipaddressid=lb_ip_id,
+            accountid=account.name,
+            networkid=network.id,
+            domainid=account.domainid
+        )
+        self.assertIsNotNone(lb_rule)
+        lb_rule.assign(self.apiclient, vms=[vm])
+        self.logger.info("LB rule created, VM assigned: %s:22 (FW rule auto-created)",
+                         lb_ip)
+
+        self._assert_vm_ssh_accessible(
+            lb_ip, 22,
+            "SSH via LB %s:22 should succeed (haproxy required on KVM hosts)"
+            % lb_ip)
+        self.logger.info("Verified: SSH works via haproxy LB %s", lb_ip)
+
+        lb_rule.remove(self.apiclient, vms=[vm])
+        lb_rule.delete(self.apiclient)
+        lb_ip_obj.delete(self.apiclient)
+        self.logger.info("LB rule deleted")
+
+        # ==============================================================
+        # D. Network restart (cleanup=True)
+        #
+        # NATRule.create() auto-creates the TCP/22 FW rule.
+        # After network restart both the PF rule and the FW rule must be
+        # re-applied by the extension, so SSH should work again.
+        # ==============================================================
+        self.logger.info("--- Sub-test D: Network restart ---")
+        rst_ip_obj = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=network.id
+        )
+        rst_ip    = rst_ip_obj.ipaddress.ipaddress
+        rst_ip_id = rst_ip_obj.ipaddress.id
+
+        rst_pf = NATRule.create(
+            self.apiclient, vm,
+            {"privateport": 22, "publicport": 22, "protocol": "TCP"},
+            ipaddressid=rst_ip_id,
+            networkid=network.id
+        )
+        self._assert_vm_ssh_accessible(
+            rst_ip, 22,
+            "SSH via %s:22 should work before restart" % rst_ip)
+        self.logger.info("Baseline SSH verified before restart")
+
+        self.logger.info("Restarting network %s (cleanup=True) ...", network.id)
+        network.restart(self.apiclient, cleanup=True)
+        self.logger.info("Network restart completed")
+
+        self._assert_vm_ssh_accessible(
+            rst_ip, 22,
+            "SSH via %s:22 should work after network restart" % rst_ip)
+        self.logger.info("Verified: SSH restored after restart")
+
+        rst_pf.delete(self.apiclient)
+        rst_ip_obj.delete(self.apiclient)
+
+        # ---- Final cleanup ----
+        vm.delete(self.apiclient, expunge=True)
+        self.cleanup = [o for o in self.cleanup if o != vm]
+        network.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != network]
+        self._teardown_extension()
+        self.logger.info("test_05 PASSED")
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    def test_06_vpc_multi_tier_and_restart(self):
+        """VPC multi-tier + VPC restart with SSH connectivity verification.
+
+        Creates two VPC tier networks backed by the extension, deploys a
+        VM in each tier, and verifies SSH access independently.
+
+        Sub-tests in order
+        ------------------
+        A. Baseline connectivity (before VPC restart)
+             tier-1 PF :22 → VM1          — assert SSH works
+             tier-2 LB :22 → VM2          — assert SSH works
+             tier-1 static NAT :22 → VM1  — enable, create FW rule,
+                                            assert SSH works
+        B. VPC restart (cleanup=True)
+             assert SSH still works via tier-1 PF, tier-2 LB, and
+             tier-1 static NAT after the namespace is rebuilt
+        C. Static NAT teardown (after VPC restart)
+             disable static NAT → assert SSH fails → delete IP
+        D. Partial delete
+             delete tier-1 VM + network → assert tier-2 VM still accessible
+        E. Final delete
+             delete tier-2 VM + network, VPC, teardown extension
+
+        The VPC tier network offering uses ``useVpc=on`` as required by
+        CloudStack for VPC-associated tier networks.
+        """
+        self._check_kvm_host_prerequisites(['arping', 'dnsmasq', 'haproxy'])
+        # ---- Setup: extension + NSP only (no isolated offering for VPC tests) ----
+        svc = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _nw_offering, ext_name = self._setup_extension_nsp_offering(
+            "extnet-vpc", supported_services=svc, for_vpc=True)
+
+        # ---- VPC tier network offering (useVpc=on) ----
+        vpc_tier_svc = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _tier_prov   = {s.strip(): ext_name for s in vpc_tier_svc.split(',')}
+        vpc_tier_offering = NetworkOffering.create(self.apiclient, {
+            "name":              "ExtNet-VPCTier-%s" % random_gen(),
+            "displaytext":       "ExtNet VPC tier offering",
+            "guestiptype":       "Isolated",
+            "traffictype":       "GUEST",
+            "availability":      "Optional",
+            "useVpc":            "on",
+            "supportedservices": vpc_tier_svc,
+            "serviceProviderList": _tier_prov,
+            "serviceCapabilityList": {
+                "SourceNat": {"SupportedSourceNatTypes": "peraccount"},
+            },
+        })
+        self.cleanup.append(vpc_tier_offering)
+        vpc_tier_offering.update(self.apiclient, state='Enabled')
+        self.logger.info("VPC tier offering '%s' enabled", vpc_tier_offering.name)
+
+        # ---- VPC offering ----
+        vpc_svc  = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _vpc_prov = {s.strip(): ext_name for s in vpc_svc.split(',')}
+        vpc_offering = VpcOffering.create(self.apiclient, {
+            "name":              "ExtNet-VPC-%s" % random_gen(),
+            "displaytext":       "ExtNet VPC offering",
+            "supportedservices": vpc_svc,
+            "serviceProviderList": _vpc_prov,
+        })
+        self.cleanup.append(vpc_offering)
+        vpc_offering.update(self.apiclient, state='Enabled')
+        self.logger.info("VPC offering '%s' enabled", vpc_offering.name)
+
+        # ---- Account ----
+        suffix  = random_gen()
+        account = Account.create(
+            self.apiclient,
+            self.services["account"],
+            admin=True,
+            domainid=self.domain.id
+        )
+        self.cleanup.append(account)
+        account_keypair = self._create_account_keypair(account, suffix)
+
+        # ---- VPC ----
+        vpc = VPC.create(
+            self.apiclient,
+            {"name":        "extnet-vpc-%s" % suffix,
+             "displaytext": "ExtNet VPC %s" % suffix,
+             "cidr":        "10.1.0.0/16"},
+            vpcofferingid=vpc_offering.id,
+            zoneid=self.zone.id,
+            account=account.name,
+            domainid=account.domainid
+        )
+        self.cleanup.insert(0, vpc)
+        self.logger.info("VPC created: %s (%s)", vpc.name, vpc.id)
+
+        # ---- Tier 1 ----
+        tier1 = Network.create(
+            self.apiclient,
+            {"name":        "tier1-%s" % suffix,
+             "displaytext": "Tier 1 %s" % suffix},
+            accountid=account.name,
+            domainid=account.domainid,
+            networkofferingid=vpc_tier_offering.id,
+            zoneid=self.zone.id,
+            vpcid=vpc.id,
+            gateway="10.1.1.1",
+            netmask="255.255.255.0"
+        )
+        self.cleanup.insert(0, tier1)
+        self.logger.info("Tier 1 created: %s (%s)", tier1.name, tier1.id)
+
+        # ---- Tier 2 ----
+        tier2 = Network.create(
+            self.apiclient,
+            {"name":        "tier2-%s" % suffix,
+             "displaytext": "Tier 2 %s" % suffix},
+            accountid=account.name,
+            domainid=account.domainid,
+            networkofferingid=vpc_tier_offering.id,
+            zoneid=self.zone.id,
+            vpcid=vpc.id,
+            gateway="10.1.2.1",
+            netmask="255.255.255.0"
+        )
+        self.cleanup.insert(0, tier2)
+        self.logger.info("Tier 2 created: %s (%s)", tier2.name, tier2.id)
+
+        svc_offering = ServiceOffering.list(self.apiclient, issystem=False)[0]
+
+        # ---- VM in tier 1 ----
+        vm1_cfg = {"displayname": "vm1-%s" % suffix,
+                   "name":        "vm1-%s" % suffix,
+                   "zoneid":      self.zone.id}
+        vm1_kw  = dict(accountid=account.name,
+                       domainid=account.domainid,
+                       serviceofferingid=svc_offering.id,
+                       templateid=self.template.id,
+                       networkids=[tier1.id])
+        if account_keypair:
+            vm1_kw["keypair"] = account_keypair.name
+        vm1 = VirtualMachine.create(self.apiclient, vm1_cfg, **vm1_kw)
+        self.cleanup.insert(0, vm1)
+        self.logger.info("VM1 deployed in tier 1: %s (%s)", vm1.name, vm1.id)
+
+        # ---- VM in tier 2 ----
+        vm2_cfg = {"displayname": "vm2-%s" % suffix,
+                   "name":        "vm2-%s" % suffix,
+                   "zoneid":      self.zone.id}
+        vm2_kw  = dict(accountid=account.name,
+                       domainid=account.domainid,
+                       serviceofferingid=svc_offering.id,
+                       templateid=self.template.id,
+                       networkids=[tier2.id])
+        if account_keypair:
+            vm2_kw["keypair"] = account_keypair.name
+        vm2 = VirtualMachine.create(self.apiclient, vm2_cfg, **vm2_kw)
+        self.cleanup.insert(0, vm2)
+        self.logger.info("VM2 deployed in tier 2: %s (%s)", vm2.name, vm2.id)
+
+        # ---- Tier 1: PF rule ----
+        pf_ip1 = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=tier1.id,
+            vpcid=vpc.id
+        )
+        pf_rule1 = NATRule.create(
+            self.apiclient, vm1,
+            {"privateport": 22, "publicport": 22, "protocol": "TCP"},
+            ipaddressid=pf_ip1.ipaddress.id,
+            networkid=tier1.id
+        )
+        tier1_pf_ip = pf_ip1.ipaddress.ipaddress
+        self.logger.info("Tier 1 PF: %s:22 → VM1:22", tier1_pf_ip)
+
+        # ---- Tier 2: LB rule ----
+        lb_ip2 = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=tier2.id,
+            vpcid=vpc.id
+        )
+        lb_rule2 = LoadBalancerRule.create(
+            self.apiclient,
+            {"name":        "vpc-lb-ssh-%s" % random_gen(),
+             "alg":         "roundrobin",
+             "privateport": 22,
+             "publicport":  22},
+            ipaddressid=lb_ip2.ipaddress.id,
+            accountid=account.name,
+            networkid=tier2.id,
+            domainid=account.domainid
+        )
+        self.assertIsNotNone(lb_rule2)
+        lb_rule2.assign(self.apiclient, vms=[vm2])
+        tier2_lb_ip = lb_ip2.ipaddress.ipaddress
+        self.logger.info("Tier 2 LB: %s:22 → VM2:22", tier2_lb_ip)
+
+        # ---- Tier 1: Static NAT (allocated BEFORE restart) ----
+        snat_ip1_obj = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=tier1.id,
+            vpcid=vpc.id
+        )
+        snat_ip1    = snat_ip1_obj.ipaddress.ipaddress
+        snat_ip1_id = snat_ip1_obj.ipaddress.id
+        StaticNATRule.enable(
+            self.apiclient,
+            ipaddressid=snat_ip1_id,
+            virtualmachineid=vm1.id,
+            networkid=tier1.id
+        )
+        self.logger.info("Static NAT enabled on tier-1: %s → VM1", snat_ip1)
+
+        # ==============================================================
+        # A. Baseline connectivity — BEFORE VPC restart
+        # ==============================================================
+        self.logger.info("--- Sub-test A: Baseline connectivity (before restart) ---")
+
+        self._assert_vm_ssh_accessible(
+            tier1_pf_ip, 22,
+            "SSH to tier-1 VM via PF (%s) should succeed before restart"
+            % tier1_pf_ip)
+        self.logger.info("Verified: SSH to tier-1 VM works via PF (before restart)")
+
+        self._assert_vm_ssh_accessible(
+            tier2_lb_ip, 22,
+            "SSH to tier-2 VM via LB (%s) should succeed before restart"
+            % tier2_lb_ip)
+        self.logger.info("Verified: SSH to tier-2 VM works via LB (before restart)")
+
+        self._assert_vm_ssh_accessible(
+            snat_ip1, 22,
+            "SSH to tier-1 VM via static NAT (%s) should succeed before restart"
+            % snat_ip1)
+        self.logger.info("Verified: SSH to tier-1 VM works via static NAT (before restart)")
+
+        # ==============================================================
+        # B. VPC restart (cleanup=True)
+        #    Re-verify all three access methods after the namespace is rebuilt.
+        # ==============================================================
+        self.logger.info("--- Sub-test B: VPC restart (cleanup=True) ---")
+        self.logger.info("Restarting VPC %s (cleanup=True) ...", vpc.id)
+        vpc.restart(self.apiclient, cleanup=True)
+        self.logger.info("VPC restart completed")
+
+        self._assert_vm_ssh_accessible(
+            tier1_pf_ip, 22,
+            "SSH to tier-1 VM via PF must work after VPC restart")
+        self.logger.info("Verified: SSH to tier-1 VM works via PF (after restart)")
+
+        self._assert_vm_ssh_accessible(
+            tier2_lb_ip, 22,
+            "SSH to tier-2 VM via LB must work after VPC restart")
+        self.logger.info("Verified: SSH to tier-2 VM works via LB (after restart)")
+
+        self._assert_vm_ssh_accessible(
+            snat_ip1, 22,
+            "SSH to tier-1 VM via static NAT must work after VPC restart")
+        self.logger.info("Verified: SSH to tier-1 VM works via static NAT (after restart)")
+
+        # ==============================================================
+        # C. Disable static NAT (after VPC restart)
+        # ==============================================================
+        self.logger.info("--- Sub-test C: Disable static NAT (after restart) ---")
+        StaticNATRule.disable(self.apiclient, ipaddressid=snat_ip1_id)
+        self.logger.info("Static NAT disabled on tier-1 %s", snat_ip1)
+        self._assert_vm_ssh_not_accessible(
+            snat_ip1, 22,
+            "SSH via tier-1 %s:22 should fail after static NAT disabled" % snat_ip1)
+        self.logger.info("Verified: SSH fails after static NAT disabled")
+        snat_ip1_obj.delete(self.apiclient)
+
+        # ==============================================================
+        # D. Partial delete: tier-1 — tier-2 must remain accessible
+        # ==============================================================
+        self.logger.info("--- Sub-test D: Delete tier-1, verify tier-2 intact ---")
+        pf_rule1.delete(self.apiclient)
+        pf_ip1.delete(self.apiclient)
+        vm1.delete(self.apiclient, expunge=True)
+        self.cleanup = [o for o in self.cleanup if o != vm1]
+        tier1.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != tier1]
+        self.logger.info("Tier 1 VM + network deleted")
+
+        # Tier 2 must remain accessible — cmd_destroy() on tier-1 must not
+        # delete tier-2's public veth (fixed via .tier ownership tracking).
+        self._assert_vm_ssh_accessible(
+            tier2_lb_ip, 22,
+            "SSH to tier-2 VM via LB must still work after tier-1 deleted")
+        self.logger.info("Verified: tier-2 VM still accessible via LB after tier-1 deleted")
+
+        # ==============================================================
+        # E. Final delete: tier-2, VPC
+        # ==============================================================
+        lb_rule2.remove(self.apiclient, vms=[vm2])
+        lb_rule2.delete(self.apiclient)
+        lb_ip2.delete(self.apiclient)
+        vm2.delete(self.apiclient, expunge=True)
+        self.cleanup = [o for o in self.cleanup if o != vm2]
+        tier2.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != tier2]
+        self.logger.info("Tier 2 VM + network deleted")
+
+        vpc.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != vpc]
+
+        self._teardown_extension()
+        self.logger.info("test_06 PASSED")
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    def test_07_vpc_network_acl(self):
+        """VPC Network ACL testing with multiple tiers and traffic rules.
+
+        Creates two VPC tiers with distinct network ACL lists and verifies that
+        ACL rules are correctly applied:
+          - Inbound rules from public network (via port forwarding)
+          - Egress rules between VPC tiers (via ping)
+
+        Sub-tests in order
+        ------------------
+        A. Setup: Create two tiers with different ACL lists
+              tier1 (acl1): Allow ICMP from anywhere, Deny SSH
+              tier2 (acl2): Allow ICMP and SSH from anywhere
+        B. Deploy VMs and verify ACLs block SSH to tier1, allow ICMP to both tiers
+        C. Test inter-tier ICMP communication between VMs
+        D. Verify SSH only works on tier2 (where ACL permits it)
+        E. Cleanup
+
+        The test uses ICMP (ping) to verify inter-tier connectivity and SSH
+        attempts to verify ACL rules are enforced on ingress traffic.
+        """
+        self._check_kvm_host_prerequisites(['arping', 'dnsmasq', 'haproxy'])
+
+        # ---- Setup: extension + NSP (supporting NetworkACL) ----
+        svc = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _nw_offering, ext_name = self._setup_extension_nsp_offering(
+            "extnet-acl", supported_services=svc, for_vpc=True)
+
+        # ---- VPC tier network offering (useVpc=on, with NetworkACL support) ----
+        vpc_tier_svc = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _tier_prov   = {s.strip(): ext_name for s in vpc_tier_svc.split(',')}
+        vpc_tier_offering = NetworkOffering.create(self.apiclient, {
+            "name":              "ExtNet-VPCTier-ACL-%s" % random_gen(),
+            "displaytext":       "ExtNet VPC tier offering with ACL",
+            "guestiptype":       "Isolated",
+            "traffictype":       "GUEST",
+            "availability":      "Optional",
+            "useVpc":            "on",
+            "supportedservices": vpc_tier_svc,
+            "serviceProviderList": _tier_prov,
+            "serviceCapabilityList": {
+                "SourceNat": {"SupportedSourceNatTypes": "peraccount"},
+            },
+        })
+        self.cleanup.append(vpc_tier_offering)
+        vpc_tier_offering.update(self.apiclient, state='Enabled')
+        self.logger.info("VPC tier offering '%s' enabled", vpc_tier_offering.name)
+
+        # ---- VPC offering ----
+        vpc_svc  = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _vpc_prov = {s.strip(): ext_name for s in vpc_svc.split(',')}
+        vpc_offering = VpcOffering.create(self.apiclient, {
+            "name":              "ExtNet-VPC-ACL-%s" % random_gen(),
+            "displaytext":       "ExtNet VPC offering with ACL",
+            "supportedservices": vpc_svc,
+            "serviceProviderList": _vpc_prov,
+        })
+        self.cleanup.append(vpc_offering)
+        vpc_offering.update(self.apiclient, state='Enabled')
+        self.logger.info("VPC offering '%s' enabled", vpc_offering.name)
+
+        # ---- Account ----
+        suffix  = random_gen()
+        account = Account.create(
+            self.apiclient,
+            self.services["account"],
+            admin=True,
+            domainid=self.domain.id
+        )
+        self.cleanup.append(account)
+        account_keypair = self._create_account_keypair(account, suffix)
+
+        # ---- VPC ----
+        vpc = VPC.create(
+            self.apiclient,
+            {"name":        "extnet-vpc-acl-%s" % suffix,
+             "displaytext": "ExtNet VPC ACL %s" % suffix,
+             "cidr":        "10.2.0.0/16"},
+            vpcofferingid=vpc_offering.id,
+            zoneid=self.zone.id,
+            account=account.name,
+            domainid=account.domainid
+        )
+        self.cleanup.insert(0, vpc)
+        self.logger.info("VPC created: %s (%s)", vpc.name, vpc.id)
+
+        # ---- Network ACL Lists ----
+        # ACL1: Restrict to ICMP only (deny SSH)
+        acl1 = NetworkACLList.create(
+            self.apiclient,
+            {"name": "acl1-icmp-only-%s" % suffix,
+             "description": "ACL1 for tier1 - ICMP only"},
+            vpcid=vpc.id
+        )
+        self.cleanup.insert(0, acl1)
+        self.logger.info("ACL1 created: %s (ICMP only)", acl1.id)
+
+        # ACL2: Allow ICMP and SSH
+        acl2 = NetworkACLList.create(
+            self.apiclient,
+            {"name": "acl2-icmp-ssh-%s" % suffix,
+             "description": "ACL2 for tier2 - ICMP and SSH allowed"},
+            vpcid=vpc.id
+        )
+        self.cleanup.insert(0, acl2)
+        self.logger.info("ACL2 created: %s (ICMP and SSH)", acl2.id)
+
+        # ---- Tier 1 with ACL1 (ICMP only) ----
+        tier1 = Network.create(
+            self.apiclient,
+            {"name":        "tier1-acl-%s" % suffix,
+             "displaytext": "Tier 1 ACL %s" % suffix},
+            accountid=account.name,
+            domainid=account.domainid,
+            networkofferingid=vpc_tier_offering.id,
+            zoneid=self.zone.id,
+            vpcid=vpc.id,
+            gateway="10.2.1.1",
+            netmask="255.255.255.0"
+        )
+        self.cleanup.insert(0, tier1)
+        self.logger.info("Tier 1 created: %s (%s)", tier1.name, tier1.id)
+
+        # ---- Tier 2 with ACL2 (ICMP + SSH) ----
+        tier2 = Network.create(
+            self.apiclient,
+            {"name":        "tier2-acl-%s" % suffix,
+             "displaytext": "Tier 2 ACL %s" % suffix},
+            accountid=account.name,
+            domainid=account.domainid,
+            networkofferingid=vpc_tier_offering.id,
+            zoneid=self.zone.id,
+            vpcid=vpc.id,
+            gateway="10.2.2.1",
+            netmask="255.255.255.0"
+        )
+        self.cleanup.insert(0, tier2)
+        self.logger.info("Tier 2 created: %s (%s)", tier2.name, tier2.id)
+
+        svc_offering = ServiceOffering.list(self.apiclient, issystem=False)[0]
+
+        # ---- VM in tier 1 ----
+        vm1_cfg = {"displayname": "vm1-acl-%s" % suffix,
+                   "name":        "vm1-acl-%s" % suffix,
+                   "zoneid":      self.zone.id}
+        vm1_kw  = dict(accountid=account.name,
+                       domainid=account.domainid,
+                       serviceofferingid=svc_offering.id,
+                       templateid=self.template.id,
+                       networkids=[tier1.id])
+        if account_keypair:
+            vm1_kw["keypair"] = account_keypair.name
+        vm1 = VirtualMachine.create(self.apiclient, vm1_cfg, **vm1_kw)
+        self.cleanup.insert(0, vm1)
+        self.logger.info("VM1 deployed in tier 1: %s (%s)", vm1.name, vm1.id)
+
+        # ---- VM in tier 2 ----
+        vm2_cfg = {"displayname": "vm2-acl-%s" % suffix,
+                   "name":        "vm2-acl-%s" % suffix,
+                   "zoneid":      self.zone.id}
+        vm2_kw  = dict(accountid=account.name,
+                       domainid=account.domainid,
+                       serviceofferingid=svc_offering.id,
+                       templateid=self.template.id,
+                       networkids=[tier2.id])
+        if account_keypair:
+            vm2_kw["keypair"] = account_keypair.name
+        vm2 = VirtualMachine.create(self.apiclient, vm2_cfg, **vm2_kw)
+        self.cleanup.insert(0, vm2)
+        self.logger.info("VM2 deployed in tier 2: %s (%s)", vm2.name, vm2.id)
+
+        # Get VM IPs for later use
+        vm1_networks = VirtualMachine.list(self.apiclient, id=vm1.id)[0].nic
+        vm1_ip = None
+        for nic in vm1_networks:
+            if nic.networkid == tier1.id:
+                vm1_ip = nic.ipaddress
+        self.assertIsNotNone(vm1_ip, "VM1 should have IP in tier1")
+        self.logger.info("VM1 IP in tier1: %s", vm1_ip)
+
+        vm2_networks = VirtualMachine.list(self.apiclient, id=vm2.id)[0].nic
+        vm2_ip = None
+        for nic in vm2_networks:
+            if nic.networkid == tier2.id:
+                vm2_ip = nic.ipaddress
+        self.assertIsNotNone(vm2_ip, "VM2 should have IP in tier2")
+        self.logger.info("VM2 IP in tier2: %s", vm2_ip)
+
+        # ==============================================================
+        # A. Setup ACL rules
+        # ==============================================================
+        self.logger.info("--- Sub-test A: Setting up ACL rules ---")
+
+        # ACL1 rules: ICMP allowed, SSH denied (ingress), ICMP allowed (egress)
+        # Rule numbers must be unique per ACL list (across ingress+egress).
+        # Ingress rule: Allow ICMP
+        NetworkACL.create(
+            self.apiclient,
+            {"protocol": "ICMP", "icmptype": -1, "icmpcode": -1,
+             "traffictype": "Ingress", "aclid": acl1.id,
+             "cidrlist": ["0.0.0.0/0"], "action": "Allow", "number": 10},
+            networkid=tier1.id
+        )
+        self.logger.info("ACL1 Ingress rule: ICMP Allow")
+
+        # Ingress rule: Deny SSH
+        NetworkACL.create(
+            self.apiclient,
+            {"protocol": "TCP", "startport": 22, "endport": 22,
+             "traffictype": "Ingress", "aclid": acl1.id,
+             "cidrlist": ["0.0.0.0/0"], "action": "Deny", "number": 20},
+            networkid=tier1.id
+        )
+        self.logger.info("ACL1 Ingress rule: SSH Deny")
+
+        # Egress rule: Allow all
+        NetworkACL.create(
+            self.apiclient,
+            {"protocol": "All", "traffictype": "Egress", "aclid": acl1.id,
+             "cidrlist": ["0.0.0.0/0"], "action": "Allow", "number": 30},
+            networkid=tier1.id
+        )
+        self.logger.info("ACL1 Egress rule: All Allow")
+
+        # ACL2 rules: ICMP and SSH allowed (ingress), All allowed (egress)
+        # Ingress rule: Allow ICMP
+        NetworkACL.create(
+            self.apiclient,
+            {"protocol": "ICMP", "icmptype": -1, "icmpcode": -1,
+             "traffictype": "Ingress", "aclid": acl2.id,
+             "cidrlist": ["0.0.0.0/0"], "action": "Allow", "number": 10},
+            networkid=tier2.id
+        )
+        self.logger.info("ACL2 Ingress rule: ICMP Allow")
+
+        # Ingress rule: Allow SSH
+        NetworkACL.create(
+            self.apiclient,
+            {"protocol": "TCP", "startport": 22, "endport": 22,
+             "traffictype": "Ingress", "aclid": acl2.id,
+             "cidrlist": ["0.0.0.0/0"], "action": "Allow", "number": 20},
+            networkid=tier2.id
+        )
+        self.logger.info("ACL2 Ingress rule: SSH Allow")
+
+        # Egress rule: Allow all
+        NetworkACL.create(
+            self.apiclient,
+            {"protocol": "All", "traffictype": "Egress", "aclid": acl2.id,
+             "cidrlist": ["0.0.0.0/0"], "action": "Allow", "number": 30},
+            networkid=tier2.id
+        )
+        self.logger.info("ACL2 Egress rule: All Allow")
+
+        # Apply the ACL lists to the tier networks
+        tier1.replaceACLList(self.apiclient, acl1.id)
+        self.logger.info("Applied ACL1 (deny SSH) to tier1")
+        tier2.replaceACLList(self.apiclient, acl2.id)
+        self.logger.info("Applied ACL2 (allow SSH) to tier2")
+
+        # ==============================================================
+        # B. Test Public IP access with ACL enforcement (via PF)
+        # ==============================================================
+        self.logger.info("--- Sub-test B: Test public IP access with ACLs ---")
+
+        # Create public IP and PF for tier1 (should block SSH due to ACL1)
+        ip1 = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=tier1.id,
+            vpcid=vpc.id
+        )
+        tier1_public_ip = ip1.ipaddress.ipaddress
+        self.logger.info("Tier1 public IP allocated: %s", tier1_public_ip)
+
+        pf_rule1 = NATRule.create(
+            self.apiclient, vm1,
+            {"privateport": 22, "publicport": 22, "protocol": "TCP"},
+            ipaddressid=ip1.ipaddress.id,
+            networkid=tier1.id,
+            vpcid=vpc.id
+        )
+        self.assertIsNotNone(pf_rule1)
+        self.logger.info("Tier1 PF rule created: %s:22 → VM1:22", tier1_public_ip)
+
+        # SSH to tier1 should fail due to ACL denying SSH
+        self._assert_vm_ssh_not_accessible(
+            tier1_public_ip, 22,
+            "SSH to tier1 %s should FAIL (ACL denies SSH)" % tier1_public_ip)
+        self.logger.info("Verified: SSH to tier1 correctly blocked by ACL")
+
+        # Create public IP and PF for tier2 (should allow SSH due to ACL2)
+        ip2 = PublicIPAddress.create(
+            self.apiclient,
+            accountid=account.name,
+            zoneid=self.zone.id,
+            domainid=account.domainid,
+            networkid=tier2.id,
+            vpcid=vpc.id
+        )
+        tier2_public_ip = ip2.ipaddress.ipaddress
+        self.logger.info("Tier2 public IP allocated: %s", tier2_public_ip)
+
+        pf_rule2 = NATRule.create(
+            self.apiclient, vm2,
+            {"privateport": 22, "publicport": 22, "protocol": "TCP"},
+            ipaddressid=ip2.ipaddress.id,
+            networkid=tier2.id,
+            vpcid=vpc.id
+        )
+        self.assertIsNotNone(pf_rule2)
+        self.logger.info("Tier2 PF rule created: %s:22 → VM2:22", tier2_public_ip)
+
+        # SSH to tier2 should succeed due to ACL allowing SSH
+        self._assert_vm_ssh_accessible(
+            tier2_public_ip, 22,
+            "SSH to tier2 %s should succeed (ACL allows SSH)" % tier2_public_ip)
+        self.logger.info("Verified: SSH to tier2 correctly allowed by ACL")
+
+        # ==============================================================
+        # C. Test inter-tier ICMP communication
+        # ==============================================================
+        self.logger.info("--- Sub-test C: Test inter-tier ICMP (ping) ---")
+
+        # From VM2 (tier2), ping VM1 (tier1) — should succeed (both allow ICMP egress)
+        # This tests that the ACL egress rules work and inter-tier routing is OK
+        try:
+            ssh_vm2 = SshClient(
+                tier2_public_ip, 22, "ubuntu", None,
+                keyPairFiles=self._ssh_private_key_file,
+                timeout=30, retries=10
+            )
+            out = ssh_vm2.execute("ping -c 3 %s 2>&1 | tail -5" % vm1_ip)
+            ping_result = "\n".join(out)
+            # Check if ping succeeded (look for "3 packets transmitted" or similar)
+            if "transmitted" in ping_result.lower():
+                self.logger.info("Ping from VM2 to VM1 output:\n%s", ping_result)
+                if "0 received" not in ping_result.lower():
+                    self.logger.info("Verified: Inter-tier ping succeeded (ICMP egress rule allows it)")
+                else:
+                    self.logger.warning("Ping packets were transmitted but all lost")
+            else:
+                self.logger.warning("Could not determine ping result from: %s", ping_result)
+        except Exception as e:
+            self.logger.warning("Could not execute ping test: %s", e)
+
+        # ==============================================================
+        # D. Additional SSH verification
+        # ==============================================================
+        self.logger.info("--- Sub-test D: Additional SSH verification ---")
+
+        # Re-verify tier2 SSH works after ACL rules are fully active
+        self._assert_vm_ssh_accessible(
+            tier2_public_ip, 22,
+            "SSH to tier2 should still work (ACL permits SSH)")
+        self.logger.info("Verified: SSH to tier2 confirmed working")
+
+        # ==============================================================
+        # E. Cleanup
+        # ==============================================================
+        self.logger.info("--- Sub-test E: Cleanup ---")
+        pf_rule1.delete(self.apiclient)
+        ip1.delete(self.apiclient)
+        pf_rule2.delete(self.apiclient)
+        ip2.delete(self.apiclient)
+
+        vm1.delete(self.apiclient, expunge=True)
+        self.cleanup = [o for o in self.cleanup if o != vm1]
+        vm2.delete(self.apiclient, expunge=True)
+        self.cleanup = [o for o in self.cleanup if o != vm2]
+        tier1.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != tier1]
+        tier2.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != tier2]
+
+        vpc.delete(self.apiclient)
+        self.cleanup = [o for o in self.cleanup if o != vpc]
+
+        self._teardown_extension()
+        self.logger.info("test_07 PASSED")
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    def test_08_custom_action_policy_based_routing(self):
+        """Custom-action smoke test for PBR lifecycle helpers.
+
+        Verifies that network custom actions can create/list/delete:
+          - routing tables
+          - routes per table
+          - policy rules
+        """
+        self._check_kvm_host_prerequisites(['ip', 'arping', 'dnsmasq', 'haproxy'])
+
+        svc = "SourceNat,PortForwarding,Dhcp,Dns,UserData"
+        nw_offering, _ext_name = self._setup_extension_nsp_offering(
+            "extnet-pbr", supported_services=svc)
+        _account, network, vm = self._create_account_network_vm(
+            nw_offering, name_suffix="pbr")
+
+        # Use a unique table name to avoid collisions with stale test state.
+        table_name = "app-%s" % random.randint(100, 999)
+        route_cidr = "172.30.%d.0/24" % random.randint(1, 200)
+
+        actions = []
+        try:
+            def _mk_action(name, parameters = []):
+                a = ExtensionCustomAction.create(
+                    self.apiclient,
+                    extensionid=self.extension.id,
+                    enabled=True,
+                    name=name,
+                    description="PBR smoke: %s" % name,
+                    resourcetype='Network',
+                    parameters=parameters
+                )
+                actions.append(a)
+                return a
+
+            act_create_table = _mk_action("pbr-create-table", parameters=[
+                {"name": "table-id", "type": "STRING", "required": True},
+                {"name": "table-name", "type": "STRING", "required": True},
+            ])
+            act_delete_table = _mk_action("pbr-delete-table", parameters=[
+                {"name": "table-name", "type": "STRING", "required": True},
+            ])
+            act_list_tables  = _mk_action("pbr-list-tables")
+            act_add_route    = _mk_action("pbr-add-route", parameters=[
+                {"name": "table", "type": "STRING", "required": True},
+                {"name": "route", "type": "STRING", "required": True},
+            ])
+            act_delete_route = _mk_action("pbr-delete-route", parameters=[
+                {"name": "table", "type": "STRING", "required": True},
+                {"name": "route", "type": "STRING", "required": True},
+            ])
+            act_list_routes  = _mk_action("pbr-list-routes", parameters=[
+                {"name": "table", "type": "STRING", "required": False},
+            ])
+            act_add_rule     = _mk_action("pbr-add-rule", parameters=[
+                {"name": "table", "type": "STRING", "required": True},
+                {"name": "rule", "type": "STRING", "required": True},
+            ])
+            act_delete_rule  = _mk_action("pbr-delete-rule", parameters=[
+                {"name": "table", "type": "STRING", "required": True},
+                {"name": "rule", "type": "STRING", "required": True},
+            ])
+            act_list_rules   = _mk_action("pbr-list-rules", parameters=[
+                {"name": "table", "type": "STRING", "required": False},
+            ])
+
+            # 1) Create and list routing table
+            out = act_create_table.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table-id": "100", "table-name": table_name}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-create-table should succeed")
+
+            out = act_list_tables.run(self.apiclient, resourceid=network.id)
+            self.assertTrue(getattr(out, 'success', False), "pbr-list-tables should succeed")
+            self.assertIn(table_name, self._custom_action_details(out))
+
+            # 2) Add and list route in table
+            out = act_add_route.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table": table_name, "route": "blackhole %s" % route_cidr}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-add-route should succeed")
+
+            out = act_list_routes.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table": table_name}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-list-routes should succeed")
+            self.assertIn(route_cidr, self._custom_action_details(out))
+
+            # 3) Add and list policy rule
+            out = act_add_rule.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table": table_name, "rule": "to %s" % route_cidr}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-add-rule should succeed")
+
+            out = act_list_rules.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table": table_name}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-list-rules should succeed")
+            self.assertIn(table_name, self._custom_action_details(out))
+
+            # 4) Delete policy rule, route, and table
+            out = act_delete_rule.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table": table_name, "rule": "to %s" % route_cidr}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-delete-rule should succeed")
+
+            out = act_delete_route.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table": table_name, "route": "blackhole %s" % route_cidr}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-delete-route should succeed")
+
+            out = act_delete_table.run(
+                self.apiclient,
+                resourceid=network.id,
+                parameters=[{"table-name": table_name}],
+            )
+            self.assertTrue(getattr(out, 'success', False), "pbr-delete-table should succeed")
+
+            self.logger.info("test_08 PASSED")
+        finally:
+            for action in actions:
+                try:
+                    action.delete(self.apiclient)
+                except Exception:
+                    pass
+            vm.delete(self.apiclient, expunge=True)
+            self.cleanup = [o for o in self.cleanup if o != vm]
+            network.delete(self.apiclient)
+            self.cleanup = [o for o in self.cleanup if o != network]
+            self._teardown_extension()
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    def test_09_vpc_source_nat_ip_update(self):
+        """Update VPC source NAT IP and verify old/new source NAT flags flip correctly."""
+        self._check_kvm_host_prerequisites(['arping'])
+
+        svc = "SourceNat,StaticNat,PortForwarding,Lb,UserData,Dhcp,Dns,NetworkACL"
+        _nw_offering, ext_name = self._setup_extension_nsp_offering(
+            "extnet-vpc-snat-update", supported_services=svc, for_vpc=True)
+
+        suffix = random_gen()
+        account = None
+        vpc = None
+        tier = None
+        vm = None
+        ip1 = None
+        ip2 = None
+        pf_rule = None
+        lb_rule = None
+        static_nat_enabled = False
+        try:
+            # VPC tier network offering (useVpc=on)
+            _tier_prov = {s.strip(): ext_name for s in svc.split(',')}
+            vpc_tier_offering = NetworkOffering.create(self.apiclient, {
+                "name":              "ExtNet-VPCTier-SNAT-%s" % random_gen(),
+                "displaytext":       "ExtNet VPC tier offering for source NAT update",
+                "guestiptype":       "Isolated",
+                "traffictype":       "GUEST",
+                "availability":      "Optional",
+                "useVpc":            "on",
+                "supportedservices": svc,
+                "serviceProviderList": _tier_prov,
+                "serviceCapabilityList": {
+                    "SourceNat": {"SupportedSourceNatTypes": "peraccount"},
+                },
+            })
+            self.cleanup.append(vpc_tier_offering)
+            vpc_tier_offering.update(self.apiclient, state='Enabled')
+
+            # VPC offering
+            _vpc_prov = {s.strip(): ext_name for s in svc.split(',')}
+            vpc_offering = VpcOffering.create(self.apiclient, {
+                "name":              "ExtNet-VPC-SNAT-%s" % random_gen(),
+                "displaytext":       "ExtNet VPC offering for source NAT update",
+                "supportedservices": svc,
+                "serviceProviderList": _vpc_prov,
+            })
+            self.cleanup.append(vpc_offering)
+            vpc_offering.update(self.apiclient, state='Enabled')
+
+            account = Account.create(
+                self.apiclient,
+                self.services["account"],
+                admin=True,
+                domainid=self.domain.id
+            )
+            self.cleanup.append(account)
+            account_keypair = self._create_account_keypair(account, suffix)
+
+            vpc = VPC.create(
+                self.apiclient,
+                {"name":        "extnet-vpc-snat-%s" % suffix,
+                 "displaytext": "ExtNet VPC SNAT %s" % suffix,
+                 "cidr":        "10.3.0.0/16"},
+                vpcofferingid=vpc_offering.id,
+                zoneid=self.zone.id,
+                account=account.name,
+                domainid=account.domainid
+            )
+            self.cleanup.insert(0, vpc)
+
+            tier = Network.create(
+                self.apiclient,
+                {"name":        "tier-snat-%s" % suffix,
+                 "displaytext": "Tier SNAT %s" % suffix},
+                accountid=account.name,
+                domainid=account.domainid,
+                networkofferingid=vpc_tier_offering.id,
+                zoneid=self.zone.id,
+                vpcid=vpc.id,
+                gateway="10.3.1.1",
+                netmask="255.255.255.0"
+            )
+            self.cleanup.insert(0, tier)
+
+            # Create a vm instance in the tier, so that the vpc and tier are implemented on the backend and have their source NAT IPs allocated.
+            svc_offering = ServiceOffering.list(self.apiclient, issystem=False)[0]
+            vm_cfg = {"displayname": "vm-snat-%s" % suffix,
+                      "name":        "vm-snat-%s" % suffix,
+                      "zoneid":      self.zone.id}
+            vm_kw  = dict(accountid=account.name,
+                          domainid=account.domainid,
+                          serviceofferingid=svc_offering.id,
+                          templateid=self.template.id,
+                          networkids=[tier.id])
+            if account_keypair:
+                vm_kw["keypair"] = account_keypair.name
+            vm = VirtualMachine.create(self.apiclient, vm_cfg, **vm_kw)
+            self.cleanup.insert(0, vm)
+
+            # Wait for the VPC's auto-assigned source NAT IP (CloudStack assigns
+            # one automatically when the VPC is first used; it is NOT necessarily
+            # the first manually-allocated IP).
+            src_before = self._wait_for_vpc_source_nat_ip(vpc.id)
+            self.assertIsNotNone(src_before,
+                                 "A source NAT IP should already exist for the VPC")
+            src_before_addr = getattr(src_before, 'ipaddress', None)
+            self.logger.info("Initial source NAT IP: %s", src_before_addr)
+
+            # Allocate ip1 and ip2 as candidates for the updated source NAT.
+            ip1 = PublicIPAddress.create(
+                self.apiclient,
+                accountid=account.name,
+                zoneid=self.zone.id,
+                domainid=account.domainid,
+                networkid=tier.id,
+                vpcid=vpc.id
+            )
+            ip1_addr = ip1.ipaddress.ipaddress
+
+            ip2 = PublicIPAddress.create(
+                self.apiclient,
+                accountid=account.name,
+                zoneid=self.zone.id,
+                domainid=account.domainid,
+                networkid=tier.id,
+                vpcid=vpc.id
+            )
+            ip2_addr = ip2.ipaddress.ipaddress
+
+            # Use ip1 for static NAT (SSH/22) and verify ingress connectivity.
+            StaticNATRule.enable(
+                self.apiclient,
+                ip1.ipaddress.id,
+                vm.id,
+                networkid=tier.id
+            )
+            static_nat_enabled = True
+
+            # Use ip2 for both PF and LB on different public ports.
+            pf_port = 2222
+            lb_port = 2223
+            pf_rule = NATRule.create(
+                self.apiclient,
+                vm,
+                {"privateport": 22, "publicport": pf_port, "protocol": "TCP"},
+                ipaddressid=ip2.ipaddress.id,
+                networkid=tier.id,
+                vpcid=vpc.id
+            )
+            self.assertIsNotNone(pf_rule, "Port forwarding rule should be created on ip2")
+
+            lb_rule = LoadBalancerRule.create(
+                self.apiclient,
+                {
+                    "name": "lb-ssh-%s" % suffix,
+                    "alg": "roundrobin",
+                    "privateport": 22,
+                    "publicport": lb_port,
+                    "protocol": "TCP",
+                },
+                ipaddressid=ip2.ipaddress.id,
+                accountid=account.name,
+                domainid=account.domainid,
+                networkid=tier.id,
+                vpcid=vpc.id
+            )
+            self.assertIsNotNone(lb_rule, "Load balancer rule should be created on ip2")
+            lb_rule.assign(self.apiclient, [vm])
+
+            # Validate all inbound paths before source NAT migration.
+            self._assert_vm_ssh_accessible(
+                ip1_addr, 22,
+                "Static NAT SSH on ip1 should work before source NAT update")
+            self._assert_vm_ssh_accessible(
+                ip2_addr, pf_port,
+                "Port forwarding SSH on ip2 should work before source NAT update")
+            self._assert_vm_ssh_accessible(
+                ip2_addr, lb_port,
+                "Load balancer SSH on ip2 should work before source NAT update")
+
+            ip3 = PublicIPAddress.create(
+                self.apiclient,
+                accountid=account.name,
+                zoneid=self.zone.id,
+                domainid=account.domainid,
+                networkid=tier.id,
+                vpcid=vpc.id
+            )
+            ip3_addr = ip3.ipaddress.ipaddress
+
+            self.logger.info("Updating VPC source NAT IP to %s", ip3_addr)
+            update_resp = vpc.update(self.apiclient, sourcenatipaddress=ip3_addr)
+            self.assertIsNotNone(update_resp,
+                                 "updateVPC should return a response")
+
+            src_after = self._wait_for_vpc_source_nat_ip(vpc.id, expected_ip=ip3_addr)
+            self.assertIsNotNone(src_after,
+                                 "Updated source NAT IP should be %s" % ip3_addr)
+
+            all_vpc_ips = self._list_vpc_public_ips(vpc.id)
+            self.assertEqual(len(all_vpc_ips), 4,
+                                    "VPC should have four public IPs")
+
+            by_addr = {getattr(x, 'ipaddress', None): x for x in all_vpc_ips}
+            self.assertIn(src_before_addr, by_addr,
+                          "Original source NAT IP must remain allocated to VPC")
+            self.assertIn(ip1_addr, by_addr, "Static NAT IP must remain allocated to VPC")
+            self.assertIn(ip2_addr, by_addr, "New source NAT IP must remain allocated to VPC")
+
+            src_ips = [x for x in all_vpc_ips if getattr(x, 'issourcenat', False)]
+            self.assertEqual(1, len(src_ips),
+                             "Exactly one VPC public IP must be marked source NAT")
+            self.assertEqual(ip3_addr, getattr(src_ips[0], 'ipaddress', None),
+                             "Source NAT IP should switch to the requested IP")
+            self.assertFalse(getattr(by_addr[src_before_addr], 'issourcenat', False),
+                             "Original source NAT IP must be unset after update")
+            self.assertTrue(getattr(by_addr[ip3_addr], 'issourcenat', False),
+                            "Requested source NAT IP must be marked source NAT")
+
+            # Validate all inbound paths still work after source NAT migration.
+            self._assert_vm_ssh_accessible(
+                ip1_addr, 22,
+                "Static NAT SSH on ip1 should work after source NAT update")
+            self._assert_vm_ssh_accessible(
+                ip2_addr, pf_port,
+                "Port forwarding SSH on ip2 should work after source NAT update")
+            self._assert_vm_ssh_accessible(
+                ip2_addr, lb_port,
+                "Load balancer SSH on ip2 should work after source NAT update")
+
+            self.logger.info("test_09 PASSED")
+        finally:
+            try:
+                if lb_rule and vm:
+                    lb_rule.remove(self.apiclient, [vm])
+            except Exception:
+                pass
+            try:
+                if lb_rule:
+                    lb_rule.delete(self.apiclient)
+            except Exception:
+                pass
+            try:
+                if pf_rule:
+                    pf_rule.delete(self.apiclient)
+            except Exception:
+                pass
+            try:
+                if static_nat_enabled and ip1:
+                    StaticNATRule.disable(self.apiclient, ip1.ipaddress.id)
+            except Exception:
+                pass
+            try:
+                if ip1:
+                    ip1.delete(self.apiclient)
+            except Exception:
+                pass
+            try:
+                if ip2:
+                    ip2.delete(self.apiclient)
+            except Exception:
+                pass
+            try:
+                if vm:
+                    vm.delete(self.apiclient, expunge=True)
+                    self.cleanup = [o for o in self.cleanup if o != vm]
+            except Exception:
+                pass
+            try:
+                if tier:
+                    tier.delete(self.apiclient)
+                    self.cleanup = [o for o in self.cleanup if o != tier]
+            except Exception:
+                pass
+            try:
+                if vpc:
+                    vpc.delete(self.apiclient)
+                    self.cleanup = [o for o in self.cleanup if o != vpc]
+            except Exception:
+                pass
+            try:
+                self._teardown_extension()
+            except Exception:
+                pass
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 2a6b7316b70e..eea21cde04aa 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -241,6 +241,7 @@
 "label.action.unmanage.volume": "Unmanage Volume",
 "label.action.unmanage.volumes": "Unmanage Volumes",
 "label.action.unregister.extension.resource": "Unregister extension resource",
+"label.action.update.extension.resource": "Update extension resource details",
 "label.action.update.host": "Update Host",
 "label.action.update.security.groups": "Update security groups",
 "label.action.update.offering.access": "Update offering access",
@@ -4170,6 +4171,8 @@
 "message.validate.min": "Please enter a value greater than or equal to {0}.",
 "message.action.delete.object.storage": "Please confirm that you want to delete this Object Store",
 "message.action.unregister.extension.resource": "Please confirm that you want to unregister extension with this resource",
+"message.action.update.extension.resource": "Update the extension resource registration details",
+"message.success.update.extension.resource": "Successfully updated extension resource registration",
 "message.bgp.peers.null": "Please note, if no BGP peers are selected, the VR will connect to <br> (1) dedicated BGP peers the owner can access, if the owner has dedicated BGP peers and account setting use.system.bgp.peers is set to false; <br> (2) all BGP peers the owner can access, otherwise.<br>",
 "message.bucket.delete": "Please confirm that you want to delete this Bucket",
 "migrate.from": "Migrate from",
@@ -4232,5 +4235,21 @@
 "Compute*Month": "Compute * Month",
 "GB*Month": "GB * Month",
 "IP*Month": "IP * Month",
-"Policy*Month": "Policy * Month"
+"Policy*Month": "Policy * Month",
+"ExternalNetwork": "External Network",
+"label.external.network": "External Network",
+"label.external.network.provider": "External Network Provider",
+"label.extension": "Extension",
+"label.services": "Services",
+"label.add.external.network.provider": "Add External Network Provider",
+"label.not.added": "Not Added",
+"label.refresh": "Refresh",
+"label.run.action": "Run Action",
+"label.enable.provider": "Enable Provider",
+"label.disable.provider": "Disable Provider",
+"label.external.network.service": "External Network Service",
+"message.confirm.disable.external.network.provider": "Are you sure you want to disable the External Network provider?",
+"message.no.network.orchestrator.extensions": "No NetworkOrchestrator extensions found. Please create one first via createExtension API.",
+"message.extension.services.from.capabilities": "Services are derived automatically from the extension's network.capabilities detail.",
+"message.select.extension": "Please select an extension."
 }
diff --git a/ui/src/config/section/extension.js b/ui/src/config/section/extension.js
index 5904abae30b6..8a8d8081c35d 100644
--- a/ui/src/config/section/extension.js
+++ b/ui/src/config/section/extension.js
@@ -45,7 +45,7 @@ export default {
     return fields
   },
   details: ['name', 'description', 'id', 'type', 'details', 'path', 'pathready', 'isuserdefined', 'orchestratorrequirespreparevm', 'reservedresourcedetails', 'created'],
-  filters: ['orchestrator'],
+  filters: ['orchestrator', 'networkorchestrator'],
   tabs: [{
     name: 'details',
     component: shallowRef(defineAsyncComponent(() => import('@/components/view/DetailsTab.vue')))
diff --git a/ui/src/config/section/infra/phynetworks.js b/ui/src/config/section/infra/phynetworks.js
index 0863eff6ec0b..9b7a0a83f7f3 100644
--- a/ui/src/config/section/infra/phynetworks.js
+++ b/ui/src/config/section/infra/phynetworks.js
@@ -94,7 +94,7 @@ export default {
       icon: 'edit-outlined',
       label: 'label.update.physical.network',
       dataView: true,
-      args: ['vlan', 'tags']
+      args: ['vlan', 'tags', 'externaldetails']
     },
     {
       api: 'addTrafficType',
diff --git a/ui/src/config/section/network.js b/ui/src/config/section/network.js
index 37cdd0c8b98a..ad308824da22 100644
--- a/ui/src/config/section/network.js
+++ b/ui/src/config/section/network.js
@@ -202,6 +202,20 @@ export default {
             }
           }
         },
+        {
+          api: 'runCustomAction',
+          icon: 'thunderbolt-outlined',
+          label: 'label.run.action',
+          dataView: true,
+          show: (record) => {
+            return 'runCustomAction' in store.getters.apis &&
+              'listCustomActions' in store.getters.apis &&
+              record.service && record.service.some(s =>
+              s.provider && s.provider.some(p => p.name === 'ExternalNetwork'))
+          },
+          popup: true,
+          component: shallowRef(defineAsyncComponent(() => import('@/views/extension/RunCustomAction.vue')))
+        },
         {
           api: 'deleteNetwork',
           icon: 'delete-outlined',
diff --git a/ui/src/views/extension/AddCustomAction.vue b/ui/src/views/extension/AddCustomAction.vue
index f74255fa8de3..7c1de26b5048 100644
--- a/ui/src/views/extension/AddCustomAction.vue
+++ b/ui/src/views/extension/AddCustomAction.vue
@@ -34,8 +34,25 @@
             api="listExtensions"
             :apiParams="extensionsApiParams"
             resourceType="extension"
+            @change-option="updateResourceTypeByExtension"
             defaultIcon="appstore-add-outlined" />
       </a-form-item>
+      <a-form-item name="resourcetype" ref="resourcetype">
+        <template #label>
+          <tooltip-label :title="$t('label.resourcetype')" :tooltip="apiParams.resourcetype.description"/>
+        </template>
+        <a-select
+          v-model:value="form.resourcetype"
+          :placeholder="apiParams.resourcetype.description"
+          optionFilterProp="label"
+          :filterOption="(input, option) => {
+            return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+          }" >
+          <a-select-option v-for="opt in resourceTypeOptions" :key="opt" :label="opt">
+            {{ opt }}
+          </a-select-option>
+        </a-select>
+      </a-form-item>
       <a-form-item name="name" ref="name">
         <template #label>
           <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
@@ -152,6 +169,7 @@ export default {
   data () {
     return {
       roleTypes: [],
+      resourceTypeOptions: ['VirtualMachine', 'Network'],
       loading: false
     }
   },
@@ -165,6 +183,7 @@ export default {
     this.initForm()
     if (this.extension) {
       this.form.extensionid = this.extension.id
+      this.updateResourceTypeByExtension(this.extension)
     }
     this.roleTypes = this.$fetchCustomActionRoleTypes()
   },
@@ -173,13 +192,30 @@ export default {
       this.formRef = ref()
       this.form = reactive({
         enabled: true,
-        timeout: 5
+        timeout: 5,
+        resourcetype: 'VirtualMachine'
       })
       this.rules = reactive({
         extensionid: [{ required: true, message: `${this.$t('message.error.select')}` }],
-        name: [{ required: true, message: `${this.$t('message.error.name')}` }]
+        name: [{ required: true, message: `${this.$t('message.error.name')}` }],
+        resourcetype: [{ required: true, message: `${this.$t('message.error.select')}` }]
       })
     },
+    updateResourceTypeByExtension (selectedExtension) {
+      const type = selectedExtension?.type
+      if (type === 'NetworkOrchestrator') {
+        this.resourceTypeOptions = ['Network']
+        this.form.resourcetype = 'Network'
+      } else if (type === 'Orchestrator') {
+        this.resourceTypeOptions = ['VirtualMachine']
+        this.form.resourcetype = 'VirtualMachine'
+      } else {
+        this.resourceTypeOptions = ['VirtualMachine', 'Network']
+        if (!this.form.resourcetype) {
+          this.form.resourcetype = 'VirtualMachine'
+        }
+      }
+    },
     handleSubmit (e) {
       e.preventDefault()
       if (this.loading) return
@@ -189,6 +225,7 @@ export default {
         const params = {
           extensionid: values.extensionid || this.extension.id,
           name: values.name,
+          resourcetype: values.resourcetype,
           enabled: values.enabled
         }
         const keys = ['description', 'allowedroletypes', 'successmessage', 'errormessage', 'timeout']
diff --git a/ui/src/views/extension/CreateExtension.vue b/ui/src/views/extension/CreateExtension.vue
index 3baae81174e9..fc2e8c237fdb 100644
--- a/ui/src/views/extension/CreateExtension.vue
+++ b/ui/src/views/extension/CreateExtension.vue
@@ -162,7 +162,7 @@ export default {
     },
     fetchExtensionTypes () {
       this.extensionTypes = []
-      const extensionTypesList = ['Orchestrator']
+      const extensionTypesList = ['Orchestrator', 'NetworkOrchestrator']
       extensionTypesList.forEach((item) => {
         this.extensionTypes.push({
           id: item,
diff --git a/ui/src/views/extension/ExtensionResourcesTab.vue b/ui/src/views/extension/ExtensionResourcesTab.vue
index c69c79306c8f..503c06629c05 100644
--- a/ui/src/views/extension/ExtensionResourcesTab.vue
+++ b/ui/src/views/extension/ExtensionResourcesTab.vue
@@ -34,6 +34,13 @@
           {{ text && $toLocaleDate(text) }}
         </template>
         <template v-if="column.key === 'actions'">
+          <span style="margin-right: 5px">
+            <tooltip-button
+              :tooltip="$t('label.action.update.extension.resource')"
+              type="default"
+              icon="edit-outlined"
+              @onClick="openUpdateModal(record)" />
+          </span>
           <span style="margin-right: 5px">
             <a-popconfirm
               v-if="'unregisterExtension' in $store.getters.apis"
@@ -59,6 +66,20 @@
           :data-map="record.details" />
       </template>
     </a-table>
+    <a-modal
+      v-if="updateModalVisible"
+      :visible="updateModalVisible"
+      :width="600"
+      :title="$t('label.action.update.extension.resource')"
+      :closable="true"
+      :footer="null"
+      @cancel="closeUpdateModal">
+      <update-registered-extension
+        :resource="resource"
+        :extension-resource="selectedResource"
+        @refresh-data="handleRefreshData"
+        @close-action="closeUpdateModal" />
+    </a-modal>
   </div>
 </template>
 
@@ -67,13 +88,16 @@ import { postAPI } from '@/api'
 import eventBus from '@/config/eventBus'
 import ObjectListTable from '@/components/view/ObjectListTable.vue'
 import TooltipButton from '@/components/widgets/TooltipButton'
+import UpdateRegisteredExtension from '@/views/extension/UpdateRegisteredExtension'
 
 export default {
   name: 'ExtensionResourcesTab',
   components: {
     ObjectListTable,
-    TooltipButton
+    TooltipButton,
+    UpdateRegisteredExtension
   },
+  inject: ['parentFetchData'],
   props: {
     resource: {
       type: Object,
@@ -103,7 +127,9 @@ export default {
           title: this.$t('label.actions')
         }
       ],
-      unregisterLoading: false
+      unregisterLoading: false,
+      updateModalVisible: false,
+      selectedResource: null
     }
   },
   computed: {
@@ -112,13 +138,27 @@ export default {
     }
   },
   methods: {
+    openUpdateModal (record) {
+      this.selectedResource = record
+      this.updateModalVisible = true
+    },
+    closeUpdateModal () {
+      this.updateModalVisible = false
+      this.selectedResource = null
+    },
+    handleRefreshData () {
+      if (this.parentFetchData) {
+        this.parentFetchData()
+      }
+    },
     unregisterExtension (record) {
       const params = {
         extensionid: this.resource.id,
         resourceid: record.id,
         resourcetype: record.type
       }
-      postAPI('unregisterExtension', params).then(json => {
+      this.unregisterLoading = true
+      postAPI('unregisterExtension', params).then(() => {
         eventBus.emit('async-job-complete', null)
         this.$notification.success({
           message: this.$t('label.unregister.extension'),
@@ -127,7 +167,7 @@ export default {
       }).catch(error => {
         this.$notifyError(error)
       }).finally(() => {
-        this.deleteLoading = false
+        this.unregisterLoading = false
       })
     }
   }
diff --git a/ui/src/views/extension/RegisterExtension.vue b/ui/src/views/extension/RegisterExtension.vue
index f856c181f8cd..393e465c62b6 100644
--- a/ui/src/views/extension/RegisterExtension.vue
+++ b/ui/src/views/extension/RegisterExtension.vue
@@ -120,7 +120,7 @@ export default {
     },
     fetchExtensionResourceTypes () {
       this.resourceTypes = []
-      const resourceTypesList = ['Cluster']
+      const resourceTypesList = ['Cluster', 'PhysicalNetwork']
       resourceTypesList.forEach((item) => {
         this.resourceTypes.push({
           id: item,
diff --git a/ui/src/views/extension/UpdateRegisteredExtension.vue b/ui/src/views/extension/UpdateRegisteredExtension.vue
new file mode 100644
index 000000000000..d1aa39942cc1
--- /dev/null
+++ b/ui/src/views/extension/UpdateRegisteredExtension.vue
@@ -0,0 +1,131 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-form
+      :ref="formRef"
+      :model="form"
+      :loading="loading"
+      layout="vertical"
+      @finish="handleSubmit">
+      <a-form-item name="details" ref="details">
+        <template #label>
+          <tooltip-label :title="$t('label.details')" :tooltip="$t('message.add.extension.resource.details')"/>
+        </template>
+        <div style="margin-bottom: 10px">{{ $t('message.add.extension.resource.details') }}</div>
+        <details-input
+          v-model:value="form.details" />
+      </a-form-item>
+      <div :span="24" class="action-button">
+        <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+        <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+      </div>
+    </a-form>
+  </div>
+</template>
+
+<script>
+import { ref, reactive, toRaw } from 'vue'
+import { postAPI } from '@/api'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import DetailsInput from '@/components/widgets/DetailsInput'
+
+export default {
+  name: 'UpdateRegisteredExtension',
+  components: {
+    TooltipLabel,
+    DetailsInput
+  },
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    },
+    extensionResource: {
+      type: Object,
+      required: true
+    }
+  },
+  data () {
+    return {
+      loading: false
+    }
+  },
+  created () {
+    this.initForm()
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({
+        details: this.extensionResource.details ? { ...this.extensionResource.details } : {}
+      })
+    },
+    handleSubmit (e) {
+      e.preventDefault()
+      if (this.loading) return
+      this.formRef.value.validate().then(() => {
+        const values = toRaw(this.form)
+        this.loading = true
+        const params = {
+          extensionid: this.resource.id,
+          resourceid: this.extensionResource.id,
+          resourcetype: this.extensionResource.type
+        }
+        if (values.details && Object.keys(values.details).length > 0) {
+          Object.entries(values.details).forEach(([key, value]) => {
+            params['details[0].' + key] = value
+          })
+        } else {
+          params.cleanupdetails = true
+        }
+        postAPI('updateRegisteredExtension', params).then(() => {
+          this.$emit('refresh-data')
+          this.$notification.success({
+            message: this.$t('label.action.update.extension.resource'),
+            description: this.$t('message.success.update.extension.resource')
+          })
+          this.closeAction()
+        }).catch(error => {
+          this.$notification.error({
+            message: this.$t('message.request.failed'),
+            description: (error.response && error.response.headers && error.response.headers['x-description']) || error.message,
+            duration: 0
+          })
+        }).finally(() => {
+          this.loading = false
+        })
+      }).catch(error => {
+        this.$notifyError(error)
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    }
+  }
+}
+</script>
+
+<style scoped lang="less">
+.form-layout {
+  width: 80vw;
+  @media (min-width: 600px) {
+    width: 550px;
+  }
+}
+</style>
diff --git a/ui/src/views/infra/network/ServiceProvidersTab.vue b/ui/src/views/infra/network/ServiceProvidersTab.vue
index f659ce1f0167..dd5941f01e61 100644
--- a/ui/src/views/infra/network/ServiceProvidersTab.vue
+++ b/ui/src/views/infra/network/ServiceProvidersTab.vue
@@ -18,10 +18,21 @@
 <template>
   <div>
     <a-spin :spinning="fetchLoading">
+      <!-- Add Extension Provider button: only shown when extension is registered but NSP not yet created -->
+      <a-button
+        v-if="isExtensionTab && !nsps[tabKey]"
+        :disabled="!('addNetworkServiceProvider' in $store.getters.apis)"
+        type="dashed"
+        style="width: 100%; margin-bottom: 12px;"
+        @click="handleAddExternalNetworkProvider">
+        <template #icon><plus-outlined /></template>
+        {{ $t('label.add.external.network.provider') }}
+      </a-button>
       <a-tabs
         :tabPosition="device === 'mobile' ? 'top' : 'left'"
         :animated="false"
         @change="onTabChange">
+        <!-- Hardcoded NSP tabs -->
         <a-tab-pane
           class="custom-tab-pane"
           v-for="item in hardcodedNsps"
@@ -41,8 +52,67 @@
             :zoneId="resource.zoneid"
             :tabKey="tabKey"/>
         </a-tab-pane>
+        <!-- Dynamic extension-based provider tabs (one per registered NetworkOrchestrator extension) -->
+        <a-tab-pane
+          class="custom-tab-pane"
+          v-for="ext in registeredExtensions"
+          :key="ext.name">
+          <template #tab>
+            <span>
+              {{ ext.name }}
+              <status :text="nsps[ext.name] ? nsps[ext.name].state : $t('label.not.added')" style="margin-bottom: 6px; margin-left: 6px" />
+            </span>
+          </template>
+          <provider-item
+            v-if="tabKey === ext.name"
+            :loading="loading"
+            :itemNsp="extensionNspItem(ext.name)"
+            :nsp="nsps[ext.name]"
+            :resourceId="resource.id"
+            :zoneId="resource.zoneid"
+            :tabKey="tabKey"/>
+        </a-tab-pane>
       </a-tabs>
     </a-spin>
+
+    <!-- Add External Network Provider modal: selects extension (services come from extension capabilities) -->
+    <a-modal
+      :visible="showAddExtNetProviderModal"
+      :title="$t('label.add.external.network.provider')"
+      :maskClosable="false"
+      :footer="null"
+      @cancel="showAddExtNetProviderModal = false">
+      <a-spin :spinning="extensionProviderLoading">
+        <a-form layout="vertical">
+          <a-form-item :label="$t('label.extension')">
+            <a-select
+              v-model:value="extNetProviderForm.extensionId"
+              showSearch
+              optionFilterProp="label"
+              :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0">
+              <a-select-option
+                v-for="ext in availableExtensions"
+                :key="ext.id"
+                :value="ext.id"
+                :label="ext.name">
+                {{ ext.name }} <span style="color: #aaa">({{ ext.state }})</span>
+              </a-select-option>
+            </a-select>
+            <div v-if="availableExtensions.length === 0" style="color: #faad14; margin-top: 4px;">
+              {{ $t('message.no.network.orchestrator.extensions') }}
+            </div>
+            <div v-else style="color: #8c8c8c; font-size: 12px; margin-top: 4px;">
+              {{ $t('message.extension.services.from.capabilities') }}
+            </div>
+          </a-form-item>
+          <div class="action-button">
+            <a-button @click="showAddExtNetProviderModal = false">{{ $t('label.cancel') }}</a-button>
+            <a-button type="primary" :disabled="!extNetProviderForm.extensionId" @click="handleAddExtNetProvider">{{ $t('label.ok') }}</a-button>
+          </div>
+        </a-form>
+      </a-spin>
+    </a-modal>
+
     <div v-if="showFormAction">
       <keep-alive v-if="currentAction.component">
         <a-modal
@@ -170,10 +240,20 @@ export default {
       actionLoading: false,
       showFormAction: false,
       currentAction: {},
-      tabKey: 'BaremetalDhcpProvider'
+      tabKey: 'BaremetalDhcpProvider',
+      showAddExtNetProviderModal: false,
+      extensionProviderLoading: false,
+      availableExtensions: [],
+      extNetProviderForm: {
+        extensionId: null
+      },
+      registeredExtensions: []
     }
   },
   computed: {
+    isExtensionTab () {
+      return this.registeredExtensions.some(ext => ext.name === this.tabKey)
+    },
     hardcodedNsps () {
       return [
         {
@@ -848,7 +928,7 @@ export default {
               listView: true,
               label: 'label.enable.provider',
               confirm: 'message.confirm.enable.provider',
-              show: (record) => { return (record && record.id && record.state === 'Disabled') },
+              show: (record) => { return record && record.id && record.state === 'Disabled' },
               mapping: {
                 state: {
                   value: (record) => { return 'Enabled' }
@@ -1143,11 +1223,106 @@ export default {
       this.form = reactive({})
       this.rules = reactive({})
     },
+    handleAddExternalNetworkProvider () {
+      // Open the extension picker modal — services come from extension capabilities
+      this.extNetProviderForm = { extensionId: null }
+      this.extensionProviderLoading = true
+      this.showAddExtNetProviderModal = true
+      getAPI('listExtensions', { type: 'NetworkOrchestrator' }).then(json => {
+        this.availableExtensions = (json.listextensionsresponse && json.listextensionsresponse.extension) || []
+        if (this.availableExtensions.length > 0) {
+          this.extNetProviderForm.extensionId = this.availableExtensions[0].id
+        }
+      }).catch(error => {
+        this.$notifyError(error)
+      }).finally(() => {
+        this.extensionProviderLoading = false
+      })
+    },
+    _updateServicesFromExtension (extensionId) {
+      // No longer needed — services are derived from extension capabilities server-side
+    },
+    async handleAddExtNetProvider () {
+      if (this.extensionProviderLoading) return
+      const extensionId = this.extNetProviderForm.extensionId
+      if (!extensionId) {
+        this.$message.error(this.$t('message.select.extension'))
+        return
+      }
+      const ext = this.availableExtensions.find(e => e.id === extensionId)
+      const extName = ext ? ext.name : ''
+      if (!extName) {
+        this.$message.error(this.$t('message.select.extension'))
+        return
+      }
+
+      this.extensionProviderLoading = true
+      try {
+        // registerExtension auto-creates the NSP (Enabled) with services from network.capabilities
+        await postAPI('registerExtension', {
+          extensionid: extensionId,
+          resourceid: this.resource.id,
+          resourcetype: 'PhysicalNetwork'
+        })
+        this.$message.success(this.$t('label.add.external.network.provider') + ': ' + extName)
+        this.showAddExtNetProviderModal = false
+        this.fetchData()
+      } catch (error) {
+        this.$notifyError(error)
+      } finally {
+        this.extensionProviderLoading = false
+      }
+    },
     fetchData () {
       if (!this.resource || !('id' in this.resource)) {
         return
       }
       this.fetchServiceProvider()
+      this.fetchRegisteredExtensions()
+    },
+    fetchRegisteredExtensions () {
+      // Load NetworkOrchestrator extensions registered to this physical network
+      getAPI('listExtensions', {
+        type: 'NetworkOrchestrator',
+        resourceid: this.resource.id,
+        resourcetype: 'PhysicalNetwork'
+      }).then(json => {
+        this.registeredExtensions = (json.listextensionsresponse && json.listextensionsresponse.extension) || []
+      }).catch(() => {
+        this.registeredExtensions = []
+      })
+    },
+    extensionNspItem (extName) {
+      // Build a ProviderItem-compatible itemNsp descriptor for extension-backed NSPs.
+      // Mirrors the structure of hardcoded entries in hardcodedNsps.
+      return {
+        title: extName,
+        details: ['name', 'state', 'id', 'physicalnetworkid', 'servicelist'],
+        actions: [
+          {
+            api: 'updateNetworkServiceProvider',
+            icon: 'play-circle-outlined',
+            listView: true,
+            label: 'label.enable.provider',
+            confirm: 'message.confirm.enable.provider',
+            show: (record) => record && record.id && record.state === 'Disabled',
+            mapping: {
+              state: { value: () => 'Enabled' }
+            }
+          },
+          {
+            api: 'updateNetworkServiceProvider',
+            icon: 'stop-outlined',
+            listView: true,
+            label: 'label.disable.provider',
+            confirm: 'message.confirm.disable.provider',
+            show: (record) => record && record.id && record.state === 'Enabled',
+            mapping: {
+              state: { value: () => 'Disabled' }
+            }
+          }
+        ]
+      }
     },
     fetchServiceProvider (name) {
       this.fetchLoading = true
diff --git a/ui/src/views/infra/network/providers/ProviderListView.vue b/ui/src/views/infra/network/providers/ProviderListView.vue
index ced682aeaac3..141ab57aa525 100644
--- a/ui/src/views/infra/network/providers/ProviderListView.vue
+++ b/ui/src/views/infra/network/providers/ProviderListView.vue
@@ -25,7 +25,7 @@
       :loading="loading"
       :columns="listCols"
       :dataSource="dataSource"
-      :rowKey="record => record.id || record.name || record.nvpdeviceid || record.resourceid"
+      :rowKey="record => record.id || record.name || record.nvpdeviceid || record.resourceid || record.physicalnetworkid"
       :pagination="false"
       :scroll="scrollable">
       <template #bodyCell="{ column, text, record }">
@@ -67,6 +67,7 @@
               <span v-else-if="resource.name==='CiscoVnmc' && title==='listCiscoAsa1000vResources'">
                 {{ $t('label.delete.ciscoasa1000v') }}
               </span>
+              <!-- External network device UI removed: use extension registration details instead -->
             </template>
             <tooltip-button
               v-if="resource.name==='Ovs'"
@@ -86,6 +87,12 @@
               @onClick="onDelete(record)"/>
           </a-tooltip>
         </template>
+        <template v-if="column.key === 'details'">
+          <span v-if="text && typeof text === 'object'">
+            <a-tag v-for="(val, key) in text" :key="key" style="margin-bottom: 2px;">{{ key }}: {{ val }}</a-tag>
+          </span>
+          <span v-else>{{ text }}</span>
+        </template>
         <template v-if="column.key === 'lbdevicestate'">
           <status :text="text ? text : ''" displayText />
         </template>
@@ -269,6 +276,7 @@ export default {
           name = record.hostname
           params.resourceid = record.resourceid
           break
+        // ExternalNetwork provider action removed; use extension registration/unregister instead
         default:
           break
       }
diff --git a/ui/src/views/offering/AddNetworkOffering.vue b/ui/src/views/offering/AddNetworkOffering.vue
index d1bbb0f7304f..e87780e4992a 100644
--- a/ui/src/views/offering/AddNetworkOffering.vue
+++ b/ui/src/views/offering/AddNetworkOffering.vue
@@ -60,10 +60,10 @@
             <a-radio-button value="isolated">
               {{ $t('label.isolated') }}
             </a-radio-button>
-            <a-radio-button value="l2" v-if="form.provider !== 'NSX' && form.provider !== 'Netris'">
+            <a-radio-button value="l2" v-if="form.provider !== 'NSX' && form.provider !== 'Netris' && !isExternalNetworkProvider">
               {{ $t('label.l2') }}
             </a-radio-button>
-            <a-radio-button value="shared" v-if="form.provider !== 'NSX' && form.provider !== 'Netris'">
+            <a-radio-button value="shared" v-if="form.provider !== 'NSX' && form.provider !== 'Netris' && !isExternalNetworkProvider">
               {{ $t('label.shared') }}
             </a-radio-button>
           </a-radio-group>
@@ -138,7 +138,16 @@
                 <a-select-option key="" >{{ }}</a-select-option>
                 <a-select-option :value="'NSX'" :label="$t('label.nsx')"> {{ $t('label.nsx') }} </a-select-option>
                 <a-select-option :value="'Netris'" :label="$t('label.netris')"> {{ $t('label.netris') }} </a-select-option>
-              </a-select>
+                <!-- Dynamic extension-based providers registered to guest physical networks.
+                     The value is the extension/NSP name so the provider is correctly resolved. -->
+                <a-select-option
+                  v-for="ext in availableExtensionProviders"
+                  :key="ext.name"
+                  :value="ext.name"
+                  :label="ext.name">
+                  {{ ext.name }} <span style="color: #aaa">({{ $t('label.external.network.provider') }})</span>
+                </a-select-option>
+            </a-select>
             </a-form-item>
           </a-col>
         </a-row>
@@ -208,7 +217,7 @@
         </a-form-item>
         <a-row :gutter="12">
           <a-col :md="12" :lg="12">
-            <a-form-item name="promiscuousmode" ref="promiscuousmode" v-if="form.provider !== 'NSX' && form.provider !== 'Netris'">
+            <a-form-item name="promiscuousmode" ref="promiscuousmode" v-if="form.provider !== 'NSX' && form.provider !== 'Netris' && !isExternalNetworkProvider">
               <template #label>
                 <tooltip-label :title="$t('label.promiscuousmode')" :tooltip="$t('message.network.offering.promiscuous.mode')"/>
               </template>
@@ -303,8 +312,8 @@
                   <CheckBoxSelectPair
                     :resourceKey="item.name"
                     :checkBoxLabel="item.description"
-                    :forExternalNetProvider="form.provider === 'NSX' || form.provider === 'Netris'"
-                    :defaultCheckBoxValue="form.provider === 'NSX' || form.provider === 'Netris'"
+                    :forExternalNetProvider="form.provider === 'NSX' || form.provider === 'Netris' || isExternalNetworkProvider"
+                    :defaultCheckBoxValue="form.provider === 'NSX' || form.provider === 'Netris' || isExternalNetworkProvider"
                     :selectOptions="!supportedServiceLoading ? item.provider: []"
                     @handle-checkselectpair-change="handleSupportedServiceChange"/>
                 </a-list-item>
@@ -669,8 +678,20 @@ export default {
         description: 'Netris',
         enabled: true
       },
+      externalNetworkProviderObj: {
+        name: '',
+        description: 'External Network',
+        enabled: true
+      },
       nsxSupportedServicesMap: {},
-      netrisSupportedServicesMap: {}
+      netrisSupportedServicesMap: {},
+      externalNetworkSupportedServicesMap: {},
+      availableExtensionProviders: []
+    }
+  },
+  computed: {
+    isExternalNetworkProvider () {
+      return this.availableExtensionProviders.some(e => e.name === this.provider)
     }
   },
   beforeCreate () {
@@ -732,6 +753,30 @@ export default {
       this.fetchServiceOfferingData()
       this.fetchIpv6NetworkOfferingConfiguration()
       this.fetchRoutedNetworkConfiguration()
+      this.fetchExtensionProviders()
+    },
+    fetchExtensionProviders () {
+      // Load NetworkOrchestrator extensions that are registered to at least one
+      // physical network (i.e. have a corresponding NetworkServiceProvider entry).
+      // Only these can be selected as a provider when creating a network offering.
+      getAPI('listExtensions', { type: 'NetworkOrchestrator', state: 'Enabled' }).then(json => {
+        const allExts = (json.listextensionsresponse && json.listextensionsresponse.extension) || []
+        if (allExts.length === 0) {
+          this.availableExtensionProviders = []
+          return
+        }
+        // Filter to those which have at least one matching NSP (nsp name == extension name)
+        getAPI('listNetworkServiceProviders', {}).then(nspJson => {
+          const nsps = (nspJson.listnetworkserviceprovidersresponse && nspJson.listnetworkserviceprovidersresponse.networkserviceprovider) || []
+          const nspNames = new Set(nsps.map(n => n.name))
+          this.availableExtensionProviders = allExts.filter(e => nspNames.has(e.name))
+        }).catch(() => {
+          // Fallback: show all enabled extensions
+          this.availableExtensionProviders = allExts
+        })
+      }).catch(() => {
+        this.availableExtensionProviders = []
+      })
     },
     isAdmin () {
       return isAdmin()
@@ -906,7 +951,7 @@ export default {
       this.supportedServiceLoading = true
       var supportedServices = this.supportedServices
       var self = this
-      if (this.provider !== 'NSX' && this.provider !== 'Netris') {
+      if (this.provider !== 'NSX' && this.provider !== 'Netris' && !this.isExternalNetworkProvider) {
         if (this.networkmode === 'ROUTED' && this.guestType === 'isolated') {
           supportedServices = supportedServices.filter(service => {
             return !['SourceNat', 'StaticNat', 'Lb', 'PortForwarding', 'Vpn'].includes(service.name)
@@ -943,6 +988,8 @@ export default {
             return Object.keys(this.nsxSupportedServicesMap).includes(svc.name)
           } else if (this.provider === 'Netris') {
             return Object.keys(this.netrisSupportedServicesMap).includes(svc.name)
+          } else if (this.isExternalNetworkProvider) {
+            return Object.keys(this.externalNetworkSupportedServicesMap).includes(svc.name)
           }
         })
         supportedServices = supportedServices.map(svc => {
@@ -951,6 +998,8 @@ export default {
               svc.provider = [this.NSX]
             } else if (this.provider === 'Netris') {
               svc.provider = [this.Netris]
+            } else if (this.isExternalNetworkProvider) {
+              svc.provider = [this.externalNetworkProviderObj]
             }
           } else {
             if (this.forVpc) {
@@ -1029,9 +1078,46 @@ export default {
           ...(this.forVpc && { NetworkACL: this.Netris }),
           ...(!this.forVpc && { Firewall: this.Netris })
         }
+      } else if (this.isExternalNetworkProvider) {
+        // Extension-backed provider: services come from the extension's network.capabilities.
+        // this.provider is the extension name (= NSP name)
+        const extProviderObj = {
+          name: this.provider,
+          description: this.provider,
+          enabled: true
+        }
+        const svcMap = { Dhcp: this.VR, Dns: this.VR, UserData: this.VR }
+        // Infer services from the selected extension's network.capabilities detail
+        const extDef = this.availableExtensionProviders.find(e => e.name === this.provider)
+        const services = this._getExtensionServices(extDef)
+        if (services.length > 0) {
+          services.forEach(svc => {
+            if (!['Dhcp', 'Dns', 'UserData'].includes(svc)) {
+              svcMap[svc] = extProviderObj
+            }
+          })
+        } else {
+          // Default services if no capabilities declared
+          svcMap.SourceNat = extProviderObj
+          svcMap.StaticNat = extProviderObj
+          svcMap.PortForwarding = extProviderObj
+          svcMap.Firewall = extProviderObj
+          svcMap.Gateway = extProviderObj
+        }
+        this.externalNetworkSupportedServicesMap = svcMap
+        this.externalNetworkProviderObj = extProviderObj
       }
       this.fetchSupportedServiceData()
     },
+    _getExtensionServices (extDef) {
+      if (!extDef || !extDef.details || !extDef.details['network.capabilities']) return []
+      try {
+        const caps = JSON.parse(extDef.details['network.capabilities'])
+        return (caps && caps.services) ? caps.services : []
+      } catch (e) {
+        return []
+      }
+    },
     handleForNetworkModeChange (networkMode) {
       this.networkmode = networkMode
       this.fetchSupportedServiceData()
diff --git a/ui/src/views/offering/AddVpcOffering.vue b/ui/src/views/offering/AddVpcOffering.vue
index 509109c91c26..7c91961c0555 100644
--- a/ui/src/views/offering/AddVpcOffering.vue
+++ b/ui/src/views/offering/AddVpcOffering.vue
@@ -86,6 +86,15 @@
                 <a-select-option key="" >{{ }}</a-select-option>
                 <a-select-option :value="'NSX'" :label="$t('label.nsx')"> {{ $t('label.nsx') }} </a-select-option>
                 <a-select-option :value="'Netris'" :label="$t('label.netris')"> {{ $t('label.netris') }} </a-select-option>
+                <!-- Dynamic extension-based providers registered to guest physical networks.
+                     The value is the extension/NSP name for correct provider resolution. -->
+                <a-select-option
+                  v-for="ext in availableExtensionProviders"
+                  :key="ext.name"
+                  :value="ext.name"
+                  :label="ext.name">
+                  {{ ext.name }} <span style="color: #aaa">({{ $t('label.external.network.provider') }})</span>
+                </a-select-option>
               </a-select>
             </a-form-item>
           </a-col>
@@ -152,8 +161,8 @@
                   <CheckBoxSelectPair
                     :resourceKey="item.name"
                     :checkBoxLabel="item.description"
-                    :forExternalNetProvider="form.provider === 'NSX' || form.provider === 'Netris'"
-                    :defaultCheckBoxValue="form.provider === 'NSX' || form.provider === 'Netris'"
+                    :forExternalNetProvider="form.provider === 'NSX' || form.provider === 'Netris' || isExternalNetworkProvider"
+                    :defaultCheckBoxValue="form.provider === 'NSX' || form.provider === 'Netris' || isExternalNetworkProvider"
                     :selectOptions="item.provider"
                     @handle-checkselectpair-change="handleSupportedServiceChange"/>
                 </a-list-item>
@@ -337,9 +346,22 @@ export default {
         enabled: true
       },
       nsxSupportedServicesMap: {},
+      externalNetworkProviderObj: {
+        name: '',
+        description: 'External Network',
+        enabled: true
+      },
+      externalNetworkSupportedServicesMap: {},
+      availableExtensionProviders: [],
       conservemode: false
     }
   },
+  computed: {
+    isExternalNetworkProvider () {
+      const selectedProvider = this.form?.provider || this.provider
+      return this.availableExtensionProviders.some(e => e.name === selectedProvider)
+    }
+  },
   beforeCreate () {
     this.apiParams = this.$getApiParams('createVPCOffering')
   },
@@ -384,6 +406,25 @@ export default {
       this.fetchSupportedServiceData()
       this.fetchIpv6NetworkOfferingConfiguration()
       this.fetchRoutedNetworkConfiguration()
+      this.fetchExtensionProviders()
+    },
+    fetchExtensionProviders () {
+      getAPI('listExtensions', { type: 'NetworkOrchestrator', state: 'Enabled' }).then(json => {
+        const allExts = (json.listextensionsresponse && json.listextensionsresponse.extension) || []
+        if (allExts.length === 0) {
+          this.availableExtensionProviders = []
+          return
+        }
+        getAPI('listNetworkServiceProviders', {}).then(nspJson => {
+          const nsps = (nspJson.listnetworkserviceprovidersresponse && nspJson.listnetworkserviceprovidersresponse.networkserviceprovider) || []
+          const nspNames = new Set(nsps.map(n => n.name))
+          this.availableExtensionProviders = allExts.filter(e => nspNames.has(e.name))
+        }).catch(() => {
+          this.availableExtensionProviders = allExts
+        })
+      }).catch(() => {
+        this.availableExtensionProviders = []
+      })
     },
     isAdmin () {
       return isAdmin()
@@ -433,7 +474,18 @@ export default {
     },
     fetchSupportedServiceData () {
       var services = []
-      if (this.provider === 'NSX') {
+      if (this.isExternalNetworkProvider) {
+        const serviceMap = this._buildExternalVpcServiceMap()
+        Object.keys(serviceMap).forEach(serviceName => {
+          services.push({
+            name: serviceName,
+            enabled: true,
+            provider: Array.isArray(serviceMap[serviceName])
+              ? serviceMap[serviceName]
+              : [serviceMap[serviceName]]
+          })
+        })
+      } else if (this.provider === 'NSX') {
         services.push({
           name: 'Dhcp',
           enabled: true,
@@ -624,9 +676,76 @@ export default {
       if (this.provider === 'NSX') {
         this.form.nsxsupportlb = true
         this.handleNsxLbService(true)
+      } else if (this.isExternalNetworkProvider) {
+        this._buildExternalVpcServiceMap()
       }
       this.fetchSupportedServiceData()
     },
+    _getExtensionServices (extDef) {
+      if (!extDef || !extDef.details) {
+        return []
+      }
+
+      const capsJson = extDef.details['network.capabilities']
+      if (capsJson) {
+        try {
+          const caps = JSON.parse(capsJson)
+          if (caps && Array.isArray(caps.services)) {
+            return caps.services
+          }
+        } catch (e) {
+          // Ignore malformed capabilities and fallback to network.services.
+        }
+      }
+
+      const servicesCsv = extDef.details['network.services']
+      if (servicesCsv && typeof servicesCsv === 'string') {
+        return servicesCsv.split(',').map(x => x.trim()).filter(x => x.length > 0)
+      }
+      return []
+    },
+    _buildExternalVpcServiceMap () {
+      const selectedProvider = this.form?.provider || this.provider
+      const extProviderObj = {
+        name: selectedProvider,
+        description: selectedProvider,
+        enabled: true
+      }
+      const extWithFallbackProviders = [
+        { name: selectedProvider },
+        { name: 'VpcVirtualRouter' },
+        { name: 'ConfigDrive' }
+      ]
+      const serviceMap = {
+        Dhcp: extWithFallbackProviders,
+        Dns: extWithFallbackProviders,
+        UserData: extWithFallbackProviders
+      }
+
+      const extDef = this.availableExtensionProviders.find(e => e.name === selectedProvider)
+      const services = this._getExtensionServices(extDef)
+      const allowedVpcServices = new Set([
+        'Gateway', 'Lb', 'StaticNat', 'SourceNat', 'NetworkACL', 'PortForwarding', 'Vpn'
+      ])
+
+      services.forEach(service => {
+        if (allowedVpcServices.has(service)) {
+          serviceMap[service] = [{ name: selectedProvider }]
+        }
+      })
+
+      // Fallback for older extensions that only declare partial details.
+      if (Object.keys(serviceMap).length <= 3) {
+        serviceMap.SourceNat = [{ name: selectedProvider }]
+        serviceMap.StaticNat = [{ name: selectedProvider }]
+        serviceMap.PortForwarding = [{ name: selectedProvider }]
+        serviceMap.NetworkACL = [{ name: selectedProvider }]
+      }
+
+      this.externalNetworkProviderObj = extProviderObj
+      this.externalNetworkSupportedServicesMap = serviceMap
+      return serviceMap
+    },
     handleNsxLbService (supportLb) {
       console.log(supportLb)
       if (!supportLb) {